>> Welcome Nelly and Patricia, great to have you. >> Great to be here. >> Thank you so much for having us. >> You're very welcome. Nelly, why don't you start, and then Patricia you can weigh in. Just tell the audience a little bit about each of your roles at Google Cloud. >> So I'll start, I'm honing a lot of interesting activities in Google and again, security or infrastructure securities that I usually hone, and we're talking about encryption, Antware encryption, and confidential computing is a part of portfolio. In additional areas that I contribute to get with my team to Google and our customers is secure software supply chain. Because you need to trust your software. Is it operating your confidential environment to have end to end story about if you believe that your software and your environment doing what you expect, it's my role. >> Got it, okay. Patricia? >> Well I am a technical director in the office of the CTO, OCTO for short, in Google Cloud. And we are a global team. We include former CTOs like myself and senior technologies from large corporations, institutions, and a lot of success for startups as well. And we have two main goals. First, we work side by side with some of our largest, more strategic or most strategic customers and we help them solve complex engineering technical problems. And second, we are device Google and Google Cloud engineering and product management on emerging trends in technologies to guide the trajectory of our business. We are unique group, I think, because we have created this collaborative culture with our customers. And within OCTO I spend a lot of time collaborating with customers in the industry at large on technologies that can address privacy, security, and sovereignty of data in general. >> Excellent, thank you for that both of you. Let's get into it. So Nelly, what is confidential computing from Google's perspective? How do you define it? >> Confidential computing is a tool. And it's one of the tools in our toolbox. And confidential computing is a way how would help our customers to complete this very interesting end to end lifecycle of their data. And when customers bring in the data to Cloud and want to protect it, as they ingest it to the Cloud, they protect it address when they store data in the Cloud. But what was missing for many, many years is ability for us to continue protecting data and workloads of our customers when they running them. And again, because data is not brought to Cloud to have huge graveyard, we need to ensure that this data is actually indexed. Again there is some insights driven and drawn from this data. You have to process this data and confidential computing here to help. Now we have end to end protection of our customer's data when they bring the workloads and data to Cloud, thanks to confidential computing. >> Thank you for that. Okay, we're going to get into the architecture a bit but before we do Patricia, why do you think this topic of confidential computing is such an important technology? Can you explain, do you think it's transformative for customers and if so, why? >> Yeah, I would maybe like to use one thought, one way, one intuition behind why confidential matters. Because at the end of the day it reduces more and more the customers thrush boundaries and the attack surface, that's about reducing that periphery, the boundary, in which the customer needs to mind about trust and safety. And in a way is a natural progression that you're using encryption to secure and protect data in the same way that we are encrypting data in transit and at rest. Now we are also encrypting data while in use. And among other beneficial I would say one of the most transformative ones is that organizations will be able to collaborate with each other and retain the confidentiality of the data. And that is across industry. Even though it's highly focused on, I wouldn't say highly focused, but very beneficial for highly regulated industries. It applies to all of industries. And if you look at financing for example, where bankers are trying to detect fraud and specifically double finance where you are a customer is actually trying to get a finance on an asset, let's say a boat or a house and then it goes to another bank and gets another finance on that asset. Now bankers would be able to collaborate and detect fraud while preserving confidentiality and privacy of the of the data. >> Interesting, and I want to understand that a little bit more but I'm going to push you a little bit on this, Nelly, if I can, because there's a narrative out there that says confidential computing is a marketing ploy. I talked about this upfront, by Cloud providers that are just trying to placate people that are scared of the Cloud. And I'm presuming you don't agree with that but I'd like you to weigh in here. The argument is confidential computing is just memory encryption, it doesn't address many other problems, it is overhyped by Cloud providers. What do you say to that line of thinking? >> I absolutely disagree as you can imagine, it's a crazy statement. But the most importantly is we mixing multiple concepts I guess. And exactly as Patricia said, we need to look at the end-to-end story not again the mechanism of how confidential computing trying to again execute and protect customer's data, and why it's so critically important. Because what confidential computing was able to do it's in addition to isolate our tenants in multi-tenant environments the Cloud over. To offer additional stronger isolation, we called it cryptographic isolation. It's why customers will have more trust to customers and to other customers, the tenants that's running on the same host but also us, because they don't need to worry about against threats and more malicious attempts to penetrate the environment. So what confidential computing is helping us to offer our customers, stronger isolation between tenants in this multi-tenant environment but also incredibly important, stronger isolation of our customers. So tenants from us, we also writing code, we also software providers will also make mistakes or have some zero days sometimes again us introduced, sometimes introduced by our adversaries. But what I'm trying to say by creating this cryptographic layer of isolation between us and our tenants, and amongst those tenants, they're really providing meaningful security to our customers and eliminate some of the worries that they have running on multi-tenant spaces or even collaborating together this very sensitive data, knowing that this particular protection is available to them. >> Okay, thank you, appreciate that. And I, you know, I think malicious code is often a threat model missed in these narratives. You know, operator access, yeah, could maybe I trust my Clouds provider, but if I can fence off your access even better I'll sleep better at night. Separating a code from the data, everybody's arm Intel, AM, Invidia, others, they're all doing it. I wonder if Nell, if we could stay with you and bring up the slide on the architecture. What's architecturally different with confidential computing versus how operating systems and VMs have worked traditionally? We're showing a slide here with some VMs, maybe you could take us through that. >> Absolutely, and Dave, the whole idea for Google and industry way of dealing with confidential computing is to ensure as it's three main property is actually preserved. Customers don't need to change the code. They can operate in those VMs exactly as they would with normal non-confidential VMs. But to give them this opportunity of lift and shift or no changing their apps and performing and having very, very, very low latency and scale as any Cloud can, something that Google actually pioneered in confidential computing. I think we need to open and explain how this magic was actually done. And as I said, it's again the whole entire system have to change to be able to provide this magic. And I would start with we have this concept of root of trust and root of trust where we will ensure that this machine, the whole entire post has integrity guarantee, means nobody changing my code on the most low level of system. And we introduce this in 2017 code Titan. Those our specific ASIC specific, again inch by inch system on every single motherboard that we have, that ensures that your low level former, your actually system code, your kernel, the most powerful system, is actually proper configured and not changed, not tempered. We do it for everybody, confidential computing concluded. But for confidential computing what we have to change we bring in a MD again, future silicon vendors, and we have to trust their former, their way to deal with our confidential environments. And that's why we have obligation to validate integrity not only our software and our firmware but also firmware and software of our vendors, silicon vendors. So we actually, when we booting this machine as you can see, we validate that integrity of all of this system is in place. It means nobody touching, nobody changing, nobody modifying it. But then we have this concept of the secure processor. It's special Asics best, specific things that generate a key for every single VM that our customers will run or every single node in Kubernetes, or every single worker thread in our Spark capability. We offer all of that, and those keys are not available to us. It's the best keys ever in encryption space. Because when we are talking about encryption the first question that I'm receiving all the time, where's the key, who will have access to the key? Because if you have access to the key then it doesn't matter if you encrypt it enough. But the case in confidential computing quite so revolutionary technology, ask Cloud providers who don't have access to the keys. They're sitting in the hardware and they fed to memory controller. And it means when Hypervisors that also know about these wonderful things, saying I need to get access to the memories that this particular VM I'm trying to get access to. They do not encrypt the data, they don't have access to the key. Because those keys are random, ephemeral and VM, but the most importantly in hardware not exportable. And it means now you will be able to have this very interesting role that customers all Cloud providers, will not be able to get access to your memory. And what we do, again, as you can see our customers don't need to change their applications. Their VMs are running exactly as it should run. And what you're running in VM you actually see your memory in clear, it's not encrypted. But God forbid is trying somebody to do it outside of my confidential box. No, no, no, no, no, you will not be able to do it. Now you'll see cybernet. And it's exactly what combination of these multiple hardware pieces and software pieces have to do. So OS is also modified, and OS is modified such way to provide integrity. It means even OS that you're running in UVM bucks is not modifiable and you as customer can verify. But the most interesting thing I guess how to ensure the super performance of this environment because you can imagine, Dave, that's increasing it's additional performance, additional time, additional latency. So we're able to mitigate all of that by providing incredibly interesting capability in the OS itself. So our customers will get no changes needed, fantastic performance, and scales as they would expect from Cloud providers like Google. >> Okay, thank you. Excellent, appreciate that explanation. So you know again, the narrative on this is, well you know you've already given me guarantees as a Cloud provider that you don't have access to my data but this gives another level of assurance. Key management as they say is key. Now you're not, humans aren't managing the keys the machines are managing them. So Patricia, my question to you is in addition to, you know, let's go pre-confidential computing days what are the sort of new guarantees that these hardware-based technologies are going to provide to customers? >> So if I am a customer, I am saying I now have full guarantee of confidentiality and integrity of the data and of the code. So if you look at code and data confidentiality the customer cares then they want to know whether their systems are protected from outside or unauthorized access. And that we covered with Nelly that it is. Confidential computing actually ensures that the applications and data antennas remain secret, right? The code is actually looking at the data only the memory is decrypting the data with a key that is ephemeral, and per VM, and generated on demand. Then you have the second point where you have code and data integrity and now customers want to know whether their data was corrupted, tempered, with or impacted by outside actors. And what confidential computing insures is that application internals are not tampered with. So the application, the workload as we call it, that is processing the data it's also it has not been tempered and preserves integrity. I would also say that this is all verifiable. So you have attestation, and this attestation actually generates a log trail and the log trail guarantees that provides a proof that it was preserved. And I think that the offers also a guarantee of what we call ceiling, this idea that the secrets have been preserved and not tempered with. Confidentiality and integrity of code and data. >> Got it, okay, thank you. You know, Nelly, you mentioned, I think I heard you say that the applications, it's transparent,you don't have to change the application it just comes for free essentially. And I'm, we showed some various parts of the stack before. I'm curious as to what's affected but really more importantly what is specifically Google's value add? You know, how do partners, you know, participate in this? The ecosystem or maybe said another way how does Google ensure the compatibility of confidential computing with existing systems and applications? >> And a fantastic question by the way. And it's very difficult and definitely complicated world because to be able to provide these guarantees actually a lot of works was done by community. Google is very much operate and open. So again, our operating system we working in this operating system repository OS vendors to ensure that all capabilities that we need is part of their kernels, are part of their releases, and it's available for customers to understand and even explore if they have fun to explore a lot of code. We have also modified together with our silicon vendors, kernel, host kernel, to support this capability and it means working this community to ensure that all of those patches are there. We also worked with every single silicon vendor as you've seen, and that's what I probably feel that Google contributed quite a bit in this role. We moved our industry, our community, our vendors to understand the value of easy to use confidential computing or removing barriers. And now I don't know if you noticed Intel is pulling the lead and also announcing the trusted domain extension very similar architecture and no surprise, it's again a lot of work done with our partners to again, convince, work with them, and make this capability available. The same with ARM this year, actually last year, ARM unknowns are future design for confidential computing. It's called confidential computing architecture. And it's also influenced very heavily with similar ideas by Google and industry overall. So it's a lot of work in confidential computing consortiums that we are doing. For example, simply to mention to ensure interop, as you mentioned, between different confidential environments of Cloud providers. We want to ensure that they can attest to each other. Because when you're communicating with different environments, you need to trust them. And if it's running on different Cloud providers you need to ensure that you can trust your receiver when you are sharing your sensitive data workloads or secret with them. So we coming as a community and we have this at the station, the community based systems that we want to build and influence and work with ARM and every other Cloud providers to ensure that they can interrupt. And it means it doesn't matter where confidential workloads will be hosted but they can exchange the data in secure, verifiable, and controlled by customers way. And to do it, we need to continue what we are doing. Working open again and contribute with our ideas and ideas of our partners to this role to become what we see confidential computing has to become, it has to become utility. It doesn't need to be so special but it's what what we've wanted to become. >> Let's talk about, thank you for that explanation. Let talk about data sovereignty, because when you think about data sharing you think about data sharing across, you know, the ecosystem and different regions and then of course data sovereignty comes up. Typically public policy lags, you know, the technology industry and sometimes is problematic. I know, you know, there's a lot of discussions about exceptions, but Patricia, we have a graphic on data sovereignty. I'm interested in how confidential computing ensures that data sovereignty and privacy edicts are adhered to even if they're out of alignment maybe with the pace of technology. One of the frequent examples is when you you know, when you delete data, can you actually prove the data is deleted with a hundred percent certainty? You got to prove that and a lot of other issues. So looking at this slide, maybe you could take us through your thinking on data sovereignty. >> Perfect, so for us, data sovereignty is only one of the three pillars of digital sovereignty. And I don't want to give the impression that confidential computing addresses at all. That's why we want to step back and say, hey, digital sovereignty includes data sovereignty where we are giving you full control and ownership of the location, encryption, and access to your data. Operational sovereignty where the goal is to give our Google Cloud customers full visibility and control over the provider operations, right? So if there are any updates on hardware, software, stack, any operations, that is full transparency, full visibility. And then the third pillar is around software sovereignty where the customer wants to ensure that they can run their workloads without dependency on the provider's software. So they have sometimes is often referred as survivability that you can actually survive if you are untethered to the Cloud and that you can use open source. Now let's take a deep dive on data sovereignty, which by the way is one of my favorite topics. And we typically focus on saying, hey, we need to care about data residency. We care where the data resides because where the data is at rest or in processing it typically abides to the jurisdiction, the regulations of the jurisdiction where the data resides. And others say, hey, let's focus on data protection. We want to ensure the confidentiality and integrity and availability of the data which confidential computing is at the heart of that data protection. But it is yet another element that people typically don't talk about when talking about data sovereignty, which is the element of user control. And here Dave, is about what happens to the data when I give you access to my data. And this reminds me of security two decades ago, even a decade ago, where we started the security movement by putting firewall protections and login accesses. But once you were in, you were able to do everything you wanted with the data, an insider had access to all the infrastructure, the data, and the code. And that's similar because with data sovereignty we care about whether it resides, who is operating on the data. But the moment that the data is being processed, I need to trust that the processing of the data will abide by user control, by the policies that I put in place of how my data is going to be used. And if you look at a lot of the regulation today and a lot of the initiatives around the International Data Space Association, IDSA, and Gaia X, there is a movement of saying the two parties, the provider of the data and the receiver of the data going to agree on a contract that describes what my data can be used for. The challenge is to ensure that once the data crosses boundaries, that the data will be used for the purposes that it was intended and specified in the contract. And if you actually bring together, and this is the exciting part, confidential computing together with policy enforcement. Now the policy enforcement can guarantee that the data is only processed within the confines of a confidential computing environment. That the workload is cryptographically verified that there is the workload that was meant to process the data and that the data will be only used when abiding to the confidentiality and integrity, safety of the confidential computing environment. And that's why we believe confidential computing is one, necessary and essential technology that will allow us to ensure data sovereignty especially when it comes to user control. >> Thank you for that. I mean it was a deep dive, I mean brief, but really detailed, so I appreciate that, especially the verification of the enforcement. Last question, I met you two because as part of my year end prediction post you guys sent in some predictions, and I wasn't able to get to them in the predictions post. So I'm thrilled that you were able to make the time to come on the program. How widespread do you think the adoption of confidential computing will be in '23 and what's the maturity curve look like, you know, this decade in, in your opinion? Maybe each of you could give us a brief answer. >> So my prediction in five, seven years as I started, it'll become utility. It'll become TLS. As of, again, 10 years ago we couldn't believe that websites will have certificates and we will support encrypted traffic. Now we do, and it's become ubiquity. It's exactly where our confidential computing is heading and heading, I don't know if we are there yet yet. It'll take a few years of maturity for us, but we'll do that. >> Thank you, and Patricia, what's your prediction? >> I would double that and say, hey, in the future, in the very near future you will not be able to afford not having it. I believe as digital sovereignty becomes ever more top of mind with sovereign states and also for multinational organizations and for organizations that want to collaborate with each other, confidential computing will become the norm. It'll become the default, If I say mode of operation, I like to compare that, today is inconceivable if we talk to the young technologists. It's inconceivable to think that at some point in history and I happen to be alive that we had data at address that was not encrypted. Data in transit, that was not encrypted. And I think that we will be inconceivable at some point in the near future that to have unencrypted data while we use. >> You know, and plus, I think the beauty of the this industry is because there's so much competition this essentially comes for free. I want to thank you both for spending some time on Breaking Analysis. There's so much more we could cover. I hope you'll come back to share the progress that you're making in this area and we can double click on some of these topics. Really appreciate your time. >> Anytime. >> Thank you so much.

>> From theCUBE Studios in Palo Alto in Boston, bringing you data-driven insights from theCUBE and ETR. This is Breaking Analysis with Dave Vellante. >> Confidential computing is a technology that aims to enhance data privacy and security, by providing encrypted computation on sensitive data and isolating data, and apps that are fenced off enclave during processing. The concept of, I got to start over. I fucked that up, I'm sorry. That's not right, what I said was not right. On Dave in five, four, three. Confidential computing is a technology that aims to enhance data privacy and security by providing encrypted computation on sensitive data, isolating data from apps and a fenced off enclave during processing. The concept of confidential computing is gaining popularity, especially in the cloud computing space, where sensitive data is often stored and of course processed. However, there are some who view confidential computing as an unnecessary technology in a marketing ploy by cloud providers aimed at calming customers who are cloud phobic. Hello and welcome to this week's Wikibon Cube Insights powered by ETR. In this Breaking Analysis, we revisit the notion of confidential computing, and to do so, we'll invite two Google experts to the show. But before we get there, let's summarize briefly. There's not a ton of ETR data on the topic of confidential computing, I mean, it's a technology that's deeply embedded into silicon and computing architectures. But at the highest level, security remains the number one priority being addressed by IT decision makers in the coming year as shown here. And this data is pretty much across the board by industry, by region, by size of company. I mean we dug into it and the only slight deviation from the mean is in financial services. The second and third most cited priorities, cloud migration and analytics are noticeably closer to cybersecurity in financial services than in other sectors, likely because financial services has always been hyper security conscious, but security is still a clear number one priority in that sector. The idea behind confidential computing is to better address threat models for data in execution. Protecting data at rest and data in transit have long been a focus of security approaches, but more recently, silicon manufacturers have introduced architectures that separate data and applications from the host system, ARM, Intel, AMD, Nvidia and other suppliers are all on board, as are the big cloud players. Now, the argument against confidential computing is that it narrowly focuses on memory encryption and it doesn't solve the biggest problems in security. Multiple system images, updates, different services and the entire code flow aren't directly addressed by memory encryption. Rather to truly attack these problems, many believe that OSs need to be re-engineered with the attacker and hacker in mind. There are so many variables and at the end of the day, critics say the emphasis on confidential computing made by cloud providers is overstated and largely hype. This tweet from security researcher Rodrigo Bronco, sums up the sentiment of many skeptics. He says, "Confidential computing is mostly a marketing campaign from memory encryption. It's not driving the industry towards the hard open problems. It is selling an illusion." Okay. Nonetheless, encrypting data in use and fencing off key components of the system isn't a bad thing, especially if it comes with the package essentially for free. There has been a lack of standardization and interoperability between different confidential computing approaches. But the confidential computing consortium was established in 2019 ostensibly to accelerate the market and influence standards. Notably, AWS is not part of the consortium, likely because the politics of the consortium were probably a conundrum for AWS because the base technology defined by the consortium is seen as limiting by AWS. This is my guess, not AWS' words. But I think joining the consortium would validate a definition which AWS isn't aligned with. And two, it's got to lead with this Annapurna acquisition. It was way ahead with ARM integration, and so it's probably doesn't feel the need to validate its competitors. Anyway, one of the premier members of the confidential computing consortium is Google, along with many high profile names, including Aem, Intel, Meta, Red Hat, Microsoft, and others. And we're pleased to welcome two experts on confidential computing from Google to unpack the topic. Nelly Porter is Head of Product for GCP Confidential Computing and Encryption and Dr. Patricia Florissi is the Technical Director for the Office of the CTO at Google Cloud. Welcome Nelly and Patricia, great to have you. >> Great to be here. >> Thank you so much for having us. >> You're very welcome. Nelly, why don't you start and then Patricia, you can weigh in. Just tell the audience a little bit about each of your roles at Google Cloud. >> So I'll start, I'm owning a lot of interesting activities in Google and again, security or infrastructure securities that I usually own. And we are talking about encryption, end-to-end encryption, and confidential computing is a part of portfolio. Additional areas that I contribute to get with my team to Google and our customers is secure software supply chain because you need to trust your software. Is it operate in your confidential environment to have end-to-end security, about if you believe that your software and your environment doing what you expect, it's my role. >> Got it. Okay, Patricia? >> Well, I am a Technical Director in the Office of the CTO, OCTO for short in Google Cloud. And we are a global team, we include former CTOs like myself and senior technologies from large corporations, institutions and a lot of success for startups as well. And we have two main goals, first, we walk side by side with some of our largest, more strategic or most strategical customers and we help them solve complex engineering technical problems. And second, we advice Google and Google Cloud Engineering, product management on emerging trends and technologies to guide the trajectory of our business. We are unique group, I think, because we have created this collaborative culture with our customers. And within OCTO I spend a lot of time collaborating with customers in the industry at large on technologies that can address privacy, security, and sovereignty of data in general. >> Excellent. Thank you for that both of you. Let's get into it. So Nelly, what is confidential computing from Google's perspective? How do you define it? >> Confidential computing is a tool and one of the tools in our toolbox. And confidential computing is a way how we would help our customers to complete this very interesting end-to-end lifecycle of the data. And when customers bring in the data to cloud and want to protect it as they ingest it to the cloud, they protect it at rest when they store data in the cloud. But what was missing for many, many years is ability for us to continue protecting data and workloads of our customers when they run them. And again, because data is not brought to cloud to have huge graveyard, we need to ensure that this data is actually indexed. Again, there is some insights driven and drawn from this data. You have to process this data and confidential computing here to help. Now we have end-to-end protection of our customer's data when they bring the workloads and data to cloud thanks to confidential computing. >> Thank you for that. Okay, we're going to get into the architecture a bit, but before we do Patricia, why do you think this topic of confidential computing is such an important technology? Can you explain? Do you think it's transformative for customers and if so, why? >> Yeah, I would maybe like to use one thought, one way, one intuition behind why confidential computing matters because at the end of the day, it reduces more and more the customer's thrush boundaries and the attack surface. That's about reducing that periphery, the boundary in which the customer needs to mind about trust and safety. And in a way is a natural progression that you're using encryption to secure and protect data in the same way that we are encrypting data in transit and at rest. Now, we are also encrypting data while in the use. And among other beneficials, I would say one of the most transformative ones is that organizations will be able to collaborate with each other and retain the confidentiality of the data. And that is across industry, even though it's highly focused on, I wouldn't say highly focused but very beneficial for highly regulated industries, it applies to all of industries. And if you look at financing for example, where bankers are trying to detect fraud and specifically double finance where a customer is actually trying to get a finance on an asset, let's say a boat or a house, and then it goes to another bank and gets another finance on that asset. Now bankers would be able to collaborate and detect fraud while preserving confidentiality and privacy of the data. >> Interesting and I want to understand that a little bit more but I got to push you a little bit on this, Nellie if I can, because there's a narrative out there that says confidential computing is a marketing ploy I talked about this up front, by cloud providers that are just trying to placate people that are scared of the cloud. And I'm presuming you don't agree with that, but I'd like you to weigh in here. The argument is confidential computing is just memory encryption, it doesn't address many other problems. It is over hyped by cloud providers. What do you say to that line of thinking? >> I absolutely disagree as you can imagine Dave, with this statement. But the most importantly is we mixing a multiple concepts I guess, and exactly as Patricia said, we need to look at the end-to-end story, not again, is a mechanism. How confidential computing trying to execute and protect customer's data and why it's so critically important. Because what confidential computing was able to do, it's in addition to isolate our tenants in multi-tenant environments the cloud offering to offer additional stronger isolation, they called it cryptographic isolation. It's why customers will have more trust to customers and to other customers, the tenants running on the same host but also us because they don't need to worry about against rats and more malicious attempts to penetrate the environment. So what confidential computing is helping us to offer our customers stronger isolation between tenants in this multi-tenant environment, but also incredibly important, stronger isolation of our customers to tenants from us. We also writing code, we also software providers, we also make mistakes or have some zero days. Sometimes again us introduce, sometimes introduced by our adversaries. But what I'm trying to say by creating this cryptographic layer of isolation between us and our tenants and among those tenants, we really providing meaningful security to our customers and eliminate some of the worries that they have running on multi-tenant spaces or even collaborating together with very sensitive data knowing that this particular protection is available to them. >> Okay, thank you. Appreciate that. And I think malicious code is often a threat model missed in these narratives. You know, operator access. Yeah, maybe I trust my cloud's provider, but if I can fence off your access even better, I'll sleep better at night separating a code from the data. Everybody's ARM, Intel, AMD, Nvidia and others, they're all doing it. I wonder if Nell, if we could stay with you and bring up the slide on the architecture. What's architecturally different with confidential computing versus how operating systems and VMs have worked traditionally? We're showing a slide here with some VMs, maybe you could take us through that. >> Absolutely, and Dave, the whole idea for Google and now industry way of dealing with confidential computing is to ensure that three main property is actually preserved. Customers don't need to change the code. They can operate in those VMs exactly as they would with normal non-confidential VMs. But to give them this opportunity of lift and shift though, no changing the apps and performing and having very, very, very low latency and scale as any cloud can, some things that Google actually pioneer in confidential computing. I think we need to open and explain how this magic was actually done, and as I said, it's again the whole entire system have to change to be able to provide this magic. And I would start with we have this concept of root of trust and root of trust where we will ensure that this machine within the whole entire host has integrity guarantee, means nobody changing my code on the most low level of system, and we introduce this in 2017 called Titan. So our specific ASIC, specific inch by inch system on every single motherboard that we have that ensures that your low level former, your actually system code, your kernel, the most powerful system is actually proper configured and not changed, not tempered. We do it for everybody, confidential computing included, but for confidential computing is what we have to change, we bring in AMD or future silicon vendors and we have to trust their former, their way to deal with our confidential environments. And that's why we have obligation to validate intelligent not only our software and our former but also former and software of our vendors, silicon vendors. So we actually, when we booting this machine as you can see, we validate that integrity of all of this system is in place. It means nobody touching, nobody changing, nobody modifying it. But then we have this concept of AMD Secure Processor, it's special ASIC best specific things that generate a key for every single VM that our customers will run or every single node in Kubernetes or every single worker thread in our Hadoop spark capability. We offer all of that and those keys are not available to us. It's the best case ever in encryption space because when we are talking about encryption, the first question that I'm receiving all the time, "Where's the key? Who will have access to the key?" because if you have access to the key then it doesn't matter if you encrypted or not. So, but the case in confidential computing why it's so revolutionary technology, us cloud providers who don't have access to the keys, they're sitting in the hardware and they fed to memory controller. And it means when hypervisors that also know about this wonderful things saying I need to get access to the memories, that this particular VM I'm trying to get access to. They do not decrypt the data, they don't have access to the key because those keys are random, ephemeral and per VM, but most importantly in hardware not exportable. And it means now you will be able to have this very interesting world that customers or cloud providers will not be able to get access to your memory. And what we do, again as you can see, our customers don't need to change their applications. Their VMs are running exactly as it should run. And what you've running in VM, you actually see your memory clear, it's not encrypted. But God forbid is trying somebody to do it outside of my confidential box, no, no, no, no, no, you will now be able to do it. Now, you'll see cyber test and it's exactly what combination of these multiple hardware pieces and software pieces have to do. So OS is also modified and OS is modified such way to provide integrity. It means even OS that you're running in your VM box is not modifiable and you as customer can verify. But the most interesting thing I guess how to ensure the super performance of this environment because you can imagine Dave, that's increasing and it's additional performance, additional time, additional latency. So we're able to mitigate all of that by providing incredibly interesting capability in the OS itself. So our customers will get no changes needed, fantastic performance and scales as they would expect from cloud providers like Google. >> Okay, thank you. Excellent, appreciate that explanation. So you know again, the narrative on this is, well, you've already given me guarantees as a cloud provider that you don't have access to my data, but this gives another level of assurance, key management as they say is key. Now humans aren't managing the keys, the machines are managing them. So Patricia, my question to you is in addition to, let's go pre-confidential computing days, what are the sort of new guarantees that these hardware based technologies are going to provide to customers? >> So if I am a customer, I am saying I now have full guarantee of confidentiality and integrity of the data and of the code. So if you look at code and data confidentiality, the customer cares and they want to know whether their systems are protected from outside or unauthorized access, and that we covered with Nelly that it is. Confidential computing actually ensures that the applications and data antennas remain secret. The code is actually looking at the data, only the memory is decrypting the data with a key that is ephemeral, and per VM, and generated on demand. Then you have the second point where you have code and data integrity and now customers want to know whether their data was corrupted, tempered with or impacted by outside actors. And what confidential computing ensures is that application internals are not tempered with. So the application, the workload as we call it, that is processing the data is also has not been tempered and preserves integrity. I would also say that this is all verifiable, so you have attestation and this attestation actually generates a log trail and the log trail guarantees that provides a proof that it was preserved. And I think that the offers also a guarantee of what we call sealing, this idea that the secrets have been preserved and not tempered with, confidentiality and integrity of code and data. >> Got it. Okay, thank you. Nelly, you mentioned, I think I heard you say that the applications is transparent, you don't have to change the application, it just comes for free essentially. And we showed some various parts of the stack before, I'm curious as to what's affected, but really more importantly, what is specifically Google's value add? How do partners participate in this, the ecosystem or maybe said another way, how does Google ensure the compatibility of confidential computing with existing systems and applications? >> And a fantastic question by the way, and it's very difficult and definitely complicated world because to be able to provide these guarantees, actually a lot of work was done by community. Google is very much operate and open. So again our operating system, we working this operating system repository OS is OS vendors to ensure that all capabilities that we need is part of the kernels are part of the releases and it's available for customers to understand and even explore if they have fun to explore a lot of code. We have also modified together with our silicon vendors kernel, host kernel to support this capability and it means working this community to ensure that all of those pages are there. We also worked with every single silicon vendor as you've seen, and it's what I probably feel that Google contributed quite a bit in this world. We moved our industry, our community, our vendors to understand the value of easy to use confidential computing or removing barriers. And now I don't know if you noticed Intel is following the lead and also announcing a trusted domain extension, very similar architecture and no surprise, it's a lot of work done with our partners to convince work with them and make this capability available. The same with ARM this year, actually last year, ARM announced future design for confidential computing, it's called confidential computing architecture. And it's also influenced very heavily with similar ideas by Google and industry overall. So it's a lot of work in confidential computing consortiums that we are doing, for example, simply to mention, to ensure interop as you mentioned, between different confidential environments of cloud providers. They want to ensure that they can attest to each other because when you're communicating with different environments, you need to trust them. And if it's running on different cloud providers, you need to ensure that you can trust your receiver when you sharing your sensitive data workloads or secret with them. So we coming as a community and we have this at Station Sig, the community-based systems that we want to build, and influence, and work with ARM and every other cloud providers to ensure that they can interop. And it means it doesn't matter where confidential workloads will be hosted, but they can exchange the data in secure, verifiable and controlled by customers really. And to do it, we need to continue what we are doing, working open and contribute with our ideas and ideas of our partners to this role to become what we see confidential computing has to become, it has to become utility. It doesn't need to be so special, but it's what what we've wanted to become. >> Let's talk about, thank you for that explanation. Let's talk about data sovereignty because when you think about data sharing, you think about data sharing across the ecosystem in different regions and then of course data sovereignty comes up, typically public policy, lags, the technology industry and sometimes it's problematic. I know there's a lot of discussions about exceptions but Patricia, we have a graphic on data sovereignty. I'm interested in how confidential computing ensures that data sovereignty and privacy edicts are adhered to, even if they're out of alignment maybe with the pace of technology. One of the frequent examples is when you delete data, can you actually prove the data is deleted with a hundred percent certainty, you got to prove that and a lot of other issues. So looking at this slide, maybe you could take us through your thinking on data sovereignty. >> Perfect. So for us, data sovereignty is only one of the three pillars of digital sovereignty. And I don't want to give the impression that confidential computing addresses it at all, that's why we want to step back and say, hey, digital sovereignty includes data sovereignty where we are giving you full control and ownership of the location, encryption and access to your data. Operational sovereignty where the goal is to give our Google Cloud customers full visibility and control over the provider operations, right? So if there are any updates on hardware, software stack, any operations, there is full transparency, full visibility. And then the third pillar is around software sovereignty, where the customer wants to ensure that they can run their workloads without dependency on the provider's software. So they have sometimes is often referred as survivability that you can actually survive if you are untethered to the cloud and that you can use open source. Now, let's take a deep dive on data sovereignty, which by the way is one of my favorite topics. And we typically focus on saying, hey, we need to care about data residency. We care where the data resides because where the data is at rest or in processing need to typically abides to the jurisdiction, the regulations of the jurisdiction where the data resides. And others say, hey, let's focus on data protection, we want to ensure the confidentiality, and integrity, and availability of the data, which confidential computing is at the heart of that data protection. But it is yet another element that people typically don't talk about when talking about data sovereignty, which is the element of user control. And here Dave, is about what happens to the data when I give you access to my data, and this reminds me of security two decades ago, even a decade ago, where we started the security movement by putting firewall protections and logging accesses. But once you were in, you were able to do everything you wanted with the data. An insider had access to all the infrastructure, the data, and the code. And that's similar because with data sovereignty, we care about whether it resides, who is operating on the data, but the moment that the data is being processed, I need to trust that the processing of the data we abide by user's control, by the policies that I put in place of how my data is going to be used. And if you look at a lot of the regulation today and a lot of the initiatives around the International Data Space Association, IDSA and Gaia-X, there is a movement of saying the two parties, the provider of the data and the receiver of the data going to agree on a contract that describes what my data can be used for. The challenge is to ensure that once the data crosses boundaries, that the data will be used for the purposes that it was intended and specified in the contract. And if you actually bring together, and this is the exciting part, confidential computing together with policy enforcement. Now, the policy enforcement can guarantee that the data is only processed within the confines of a confidential computing environment, that the workload is in cryptographically verified that there is the workload that was meant to process the data and that the data will be only used when abiding to the confidentiality and integrity safety of the confidential computing environment. And that's why we believe confidential computing is one necessary and essential technology that will allow us to ensure data sovereignty, especially when it comes to user's control. >> Thank you for that. I mean it was a deep dive, I mean brief, but really detailed. So I appreciate that, especially the verification of the enforcement. Last question, I met you two because as part of my year-end prediction post, you guys sent in some predictions and I wasn't able to get to them in the predictions post, so I'm thrilled that you were able to make the time to come on the program. How widespread do you think the adoption of confidential computing will be in '23 and what's the maturity curve look like this decade in your opinion? Maybe each of you could give us a brief answer. >> So my prediction in five, seven years as I started, it will become utility, it will become TLS. As of freakin' 10 years ago, we couldn't believe that websites will have certificates and we will support encrypted traffic. Now we do, and it's become ubiquity. It's exactly where our confidential computing is heeding and heading, I don't know we deserve yet. It'll take a few years of maturity for us, but we'll do that. >> Thank you. And Patricia, what's your prediction? >> I would double that and say, hey, in the very near future, you will not be able to afford not having it. I believe as digital sovereignty becomes ever more top of mind with sovereign states and also for multinational organizations, and for organizations that want to collaborate with each other, confidential computing will become the norm, it will become the default, if I say mode of operation. I like to compare that today is inconceivable if we talk to the young technologists, it's inconceivable to think that at some point in history and I happen to be alive, that we had data at rest that was non-encrypted, data in transit that was not encrypted. And I think that we'll be inconceivable at some point in the near future that to have unencrypted data while we use. >> You know, and plus I think the beauty of the this industry is because there's so much competition, this essentially comes for free. I want to thank you both for spending some time on Breaking Analysis, there's so much more we could cover. I hope you'll come back to share the progress that you're making in this area and we can double click on some of these topics. Really appreciate your time. >> Anytime. >> Thank you so much, yeah. >> In summary, while confidential computing is being touted by the cloud players as a promising technology for enhancing data privacy and security, there are also those as we said, who remain skeptical. The truth probably lies somewhere in between and it will depend on the specific implementation and the use case as to how effective confidential computing will be. Look as with any new tech, it's important to carefully evaluate the potential benefits, the drawbacks, and make informed decisions based on the specific requirements in the situation and the constraints of each individual customer. But the bottom line is silicon manufacturers are working with cloud providers and other system companies to include confidential computing into their architectures. Competition in our view will moderate price hikes and at the end of the day, this is under-the-covers technology that essentially will come for free, so we'll take it. I want to thank our guests today, Nelly and Patricia from Google. And thanks to Alex Myerson who's on production and manages the podcast. Ken Schiffman as well out of our Boston studio. Kristin Martin and Cheryl Knight help get the word out on social media and in our newsletters, and Rob Hoof is our editor-in-chief over at siliconangle.com, does some great editing for us. Thank you all. Remember all these episodes are available as podcasts. Wherever you listen, just search Breaking Analysis podcast. I publish each week on wikibon.com and siliconangle.com where you can get all the news. If you want to get in touch, you can email me at david.vellante@siliconangle.com or DM me at D Vellante, and you can also comment on my LinkedIn post. Definitely you want to check out etr.ai for the best survey data in the enterprise tech business. I know we didn't hit on a lot today, but there's some amazing data and it's always being updated, so check that out. This is Dave Vellante for theCUBE Insights powered by ETR. Thanks for watching and we'll see you next time on Breaking Analysis. (subtle music)

>> Hey everyone. Welcome back to theCUBE's coverage day two of CloudNative Security CON 23. Lisa Martin here in studio in Palo Alto with John Furrier. John, we've had some great conversations. I've had a global event. This was a global event. We had Germany on yesterday. We had the Boston Studio. We had folks on the ground in Seattle. Lot of great conversations, a lot of great momentum at this event. What is your number one takeaway with this inaugural event? >> Well, first of all, our coverage with our CUBE alumni experts coming in remotely this remote event for us, I think this event as an inaugural event stood out because one, it was done very carefully and methodically from the CNCF. I think they didn't want to overplay their hand relative to breaking out from CUBE CON So Kubernetes success and CloudNative development has been such a success and that event and ecosystem is booming, right? So that's the big story is they have the breakout event and the question was, was it a good call? Was it successful? Was it going to, would the dog hunt as they say, in this case, I think the big takeaway is that it was successful by all measures. One, people enthusiastic and confident that this has the ability to stand on its own and still contribute without taking away from the benefits and growth of Kubernetes CUBE CON and CloudNative console. So that was the key. Hallway conversations, the sessions all curated and developed properly to be different and focused for that reason. So I think the big takeaway is that the CNCF did a good job on how they rolled this out. Again, it was very intimate event small reminds me of first CUBE CON in Seattle, kind of let's test it out. Let's see how it goes. Again, clearly it was people successful and they understood why they're doing it. And as we commented out in our earlier segments this is not something new. Amazon Web Services has re:Invent and re:Inforce So a lot of parallels there. I see there. So I think good call. CNCF did the right thing. I think this has legs. And then as Dave pointed out, Dave Vellante, on our last keynote analysis was the business model of the hackers is better than the business model of the industry. They're making more money, it costs less so, you know, they're playing offense and the industry playing defense. That has to change. And as Dave pointed out we have to make the cost of hacking and breaches and cybersecurity higher so that the business model crashes. And I think that's the strategic imperative. So I think the combination of the realities of the market globally and open source has to go faster. It's good to kind of decouple and be highly cohesive in the focus. So to me that's the big takeaway. And then the other one is, is that there's a lot more security problems still unresolved. The emphasis on developers productivity is at risk here, if not solved. You saw supply chain software, again, front and center and then down in the weeds outside of Kubernetes, things like BIND and DNS were brought up. You're seeing the Linux kernel. Really important things got to be paid attention to. So I think very good call, very good focus. >> I would love if for us to be able to, as the months go on talk to some of the practitioners that actually got to attend. There were 72 sessions, that's a lot of content for a small event. Obviously to your point, very well curated. We did hear from some folks yesterday who were just excited to get the community back together in person. To your point, having this dedicated focus on CloudNativesecurity is incredibly important. You talked about, you know, the offense defense, the fact that right now the industry needs to be able to pivot from being on defense to being on offense. This is a challenging thing because it is so lucrative for hackers. But this seems to be from what we've heard in the last couple days, the right community with the right focus to be able to make that pivot. >> Yeah, and I think if you look at the success of Kubernetes, 'cause again we were there at theCUBE first one CUBE CON, the end user stories really drove end user participation. Drove the birth of Kubernetes. Left some of these CloudNative early adopters early pioneers that were using cloud hyperscale really set the table for CloudNative CON. I think you're seeing that here with this CloudNative SecurityCON where I think we're see a lot more end user stories because of the security, the hairs on fire as we heard from Madrona Ventures, you know, as they as an investor you have a lot of use cases out there where customers are leaning in with getting the rolling up their sleeves, working with open source. This has to be the driver. So I'm expecting to see the next level of SecurityCON to be end user focused. Much more than vendor focused. Where CUBECON was very end user focused and then attracted all the vendors in that grew the industry. I expect the similar pattern here where end user action will be very high at the beginning and that will essentially be the rising tide for the vendors to be then participating. So I expect almost a similar trajectory to CUBECON. >> That's a good path that it needs to all be about all the end users. One of the things I'm curious if what you heard was what are some of the key factors that are going to move CloudNative Security forward? What did you hear the last two days? >> I heard that there's a lot of security problems and no one wants to kind of brag about this but there's a lot of under the hood stuff that needs to get taken care of. So if automation scales, and we heard that from one of the startups we've just interviewed. If automation and scale continues to happen and with the business model of the hackers still booming, security has to be refactored quickly and there's going to be an opportunity structurally to use the cloud for that. So I think it's a good opportunity now to get dedicated focus on fixing things like the DNS stuff old school under the hood, plumbing, networking protocols. You're going to start to see this super cloud-like environment emerge where data's involved, everything's happening and so security has to be re imagined. And I think there's a do over opportunity for the security industry with CloudNative driving that. And I think this is the big thing that I see as an opportunity to, from a story standpoint from a coverage standpoint is that it's a do-over for security. >> One of the things that we heard yesterday is that there's a lot of it, it's a pretty high percentage of organizations that either don't have a SOCK or have a very primitive SOCK. Which kind of surprised me that at this day and age the risks are there. We talked about that today's focus and the keynote was a lot about the software supply chain and what's going on there. What did you hear in terms of the appetite for organizations through the voice of the practitioner to say, you know what guys, we got to get going because there's going to be the hackers are they're here. >> I didn't hear much about that in the coverage 'cause we weren't in the hallways. But from reading the tea leaves and talking to the folks on the ground, I think there's an implied like there's an unlimited money from customers. So it's a very robust from the data infrastructure stack building we cover with the angel investor Kane you're seeing data infrastructure's going to be part of the solution here 'cause data and security go hand in hand. So everyone's got basically checkbook wide open everyone wants to have the answer. And we commented that the co-founder of Palo Alto you had on our coverage yesterday was saying that you know, there's no real platform, there's a lot of tools out there. People will buy anything. So there's still a huge appetite and spend in security but the answer's not going to more tool sprawling. It's going to more platform auto, something that enables automation, fix some of the underlying mechanisms involved and fix it fast. So to me I think it's going to be a robust monetary opportunity because of the demand on the business side. So I don't see that changing at all and I think it's going to accelerate. >> It's a great point in terms of the demand for the business side because as we know as we said yesterday, the next Log4j is out there. It's not a matter of if this happens again it's when, it's the extent, it's how frequent we know that. So organizations all the way up to the board have to be concerned about brand reputation. Nobody wants to be the next big headline in terms of breaches and customer data being given to hackers and hackers making all this money on that. That has to go all the way up to the board and there needs to be alignment between the board and the executives at the organization in terms of how they're going to deal with security, and now. This is not a conversation that can wait. Yeah, I mean I think the five C's we talked about yesterday the culture of companies, the cloud is an enabler, you've got clusters of servers and capabilities, Kubernetes clusters, you've got code and you've got all kinds of, you know, things going on there. Each one has elements that are at risk for hacking, right? So that to me is something that's super important. I think that's why the focus on security's different and important, but it's not going to fork the main event. So that's why I think the spin out was, spinout, or the new event is a good call by the CNCF. >> One of the things today that struck me they're talking a lot about software supply chain and that's been in the headlines for quite a while now. And a stat that was shared this morning during the keynote just blew my brains that there was a 742% increase in the software supply chain attacks occurring over the last three years. It's during Covid times, that is a massive increase. The threat landscape is just growing so amorphously but organizations need to help dial that down because their success and the health of the individuals and the end users is at risk. Well, Covid is an environment where everyone's kind of working at home. So there was some disruption to infrastructure. Also, when you have change like that, there's opportunities for hackers, they'll arbitrage that big time. But I think general the landscape is changing. There's no perimeter anymore. It's CloudNative, this is where it is and people who are moving from old IT to CloudNative, they're at risk. That's why there's tons of ransomware. That's why there's tons of risk. There's just hygiene, from hygiene to architecture and like Nick said from Palo Alto, the co-founder, there's not a lot of architecture in security. So yeah, people have bulked up their security teams but you're going to start to see much more holistic thinking around redoing security. I think that's the opportunity to propel CloudNative, and I think you'll see a lot more coming out of this. >> Did you hear any specific information on some of the CloudNative projects going on that really excite you in terms of these are the right people going after the right challenges to solve in the right direction? >> Well I saw the sessions and what jumped out to me at the sessions was it's a lot of extensions of what we heard at CUBECON and I think what they want to do is take out the big items and break 'em out in security. Kubescape was one we just covered. They want to get more sandbox type stuff into the security side that's very security focused but also plays well with CUBECON. So we'll hear more about how this plays out when we're in Amsterdam coming up in April for CUBECON to hear how that ecosystem, because I think it'll be kind of a relief to kind of decouple security 'cause that gives more focus to the stakeholders in CUBECON. There's a lot of issues going on there and you know service meshes and whatnot. So it's a lot of good stuff happening. >> A lot of good stuff happening. One of the things that'll be great about CUBECON is that we always get the voice of the customer. We get vendors coming on with the voice of the customer talking about and you know in that case how they're using Kubernetes to drive the business forward. But it'll be great to be able to pull in some of the security conversations that spin out of CloudNative Security CON to understand how those end users are embracing the technology. You brought up I think Nir Zuk from Palo Alto Networks, one of the themes there when Dave and I did their Ignite event in December was, of 22, was really consolidation. There are so many tools out there that organizations have to wrap their heads around and they need to be able to have the right enablement content which this event probably delivered to figure out how do we consolidate security tools effectively, efficiently in a way that helps dial down our risk profile because the risks just seem to keep growing. >> Yeah, and I love the technical nature of all that and I think this is going to be the continued focus. Chris Aniszczyk who's the CTO listed like E and BPF we covered with Liz Rice is one of the most three important points of the conference and it's just, it's very nerdy and that's what's needed. I mean it's technical. And again, there's no real standards bodies anymore. The old days developers I think are super important to be the arbiters here. And again, what I love about the CNCF is that they're developer focused and we heard developer first even in security. So you know, this is a sea change and I think, you know, developers' choice will be the standards bodies. >> Lisa: Yeah, yeah. >> They decide the future. >> Yeah. >> And I think having the sandboxing and bringing this out will hopefully accelerate more developer choice and self-service. >> You've been talking about kind of putting the developers in the driver's seat as really being the key decision makers for a while. Did you hear information over the last couple of days that validates that? >> Yeah, absolutely. It's clearly the fact that they did this was one. The other one is, is that engineering teams and dev teams and script teams, they're blending together. It's not just separate silos and the ones that are changing their team dynamics, again, back to the culture are winning. And I think this has to happen. Security has to be embedded everywhere in making it frictionless and to provide kind of the guardrail so developers don't slow down. And I think where security has become a drag or an anchor or a blocker has been just configuration of how the organization's handling it. So I think when people recognize that the developers are in charge and they're should be driving the application development you got to make sure that's secure. And so that's always going to be friction and I think whoever does it, whoever unlocks that for the developer to go faster will win. >> Right. Oh, that's what I'm sure magic to a developer's ear is the ability to go faster and be able to focus on co-development in a secure fashion. What are some of the things that you're excited about for CUBECON. Here we are in February, 2023 and CUBECON is just around the corner in April. What are some of the things that you're excited about based on the groundswell momentum that this first inaugural CloudNative Security CON is generating from a community, a culture perspective? >> I think this year's going to be very interesting 'cause we have an economic challenge globally. There's all kinds of geopolitical things happening. I think there's going to be very entrepreneurial activity this year more than ever. I think you're going to see a lot more innovative projects ideas hitting the table. I think it's going to be a lot more entrepreneurial just because the cycle we're in. And also I think the acceleration of mainstream deployments of out of the CNCF's main event CUBECON will happen. You'll see a lot more successes, scale, more clarity on where the security holes are or aren't. Where the benefits are. I think containers and microservices are continuing to surge. I think the Cloud scale hyperscale as Amazon, Azure, Google will be more aggressive. I think AI will be a big theme this year. I think you can see how data is going to infect some of the innovation thinking. I'm really excited about the data infrastructure because it powers a lot of things in the Cloud. So I think the Amazon Web Services, Azure next level gen clouds will impact what happens in the CloudNative foundation. >> Did you have any conversations yesterday or today with respect to AI and security? Was that a focus of anybody's? Talk to me about that. >> Well, I didn't hear any sessions on AI but we saw some demos on stage. But they're teasing out that this is an augmentation to their mission, right? So I think a lot of people are looking at AI as, again, like I always said there's the naysayers who think it's kind of a gimmick or nothing to see here, and then some are just going to blown away. I think the people who are alpha geeks and the industry connect the dots and understand that AI is going to be an accelerant to a lot of heavy lifting that was either manual, you know, hard to do things that was boring or muck as they say. I think that's going to be where you'll see the AI stories where it's going to accelerate either ways to make security better or make developers more confident and productive. >> Or both. >> Yeah. So definitely AI will be part of it. Yeah, definitely. One of the things too that I'm wondering if, you know, we talk about CloudNative and the goal of it, the importance of it. Do you think that this event, in terms of what we were able to see, obviously being remote the event going on in Seattle, us being here in Palo Alto and Boston and guests on from Seattle and Germany and all over, did you hear the really the validation for why CloudNative Security why CloudNative is important for organizations whether it's a bank or a hospital or a retailer? Is that validation clear and present? >> Yeah, absolutely. I think it was implied. I don't think there was like anyone's trying to debate that. I think this conference was more of it's assumed and they were really trying to push the ability to make security less defensive, more offensive and more accelerated into the solving the problems with the businesses that are out there. So clearly the CloudNative community understands where the security challenges are and where they're emerging. So having a dedicated event will help address that. And they've got great co-chairs too that put it together. So I think that's very positive. >> Yeah. Do you think, is it possible, I mean, like you said several times today so eloquently the industry's on the defense when it comes to security and the hackers are on the offense. Is it really possible to make that switch or obviously get some balances. As technology advances and industry gets to take advantage of that, so do the hackers, is that balance achievable? >> Absolutely. I mean, I think totally achievable. The question's going to be what's the environment going to be like? And I remember as context to understanding whether it's viable or not, is to look at, just go back 13 years ago, I remember in 2010 Amazon was viewed as an unsecure environment. Everyone's saying, "Oh, the cloud is not secure." And I remember interviewing Steve Schmidt at AWS and we discussed specifically how Amazon Cloud was being leveraged by hackers. They made it more complex for the hackers. And he said, "This is just the beginning." It's kind of like barbed wire on a fence. It's yeah, you're not going to climb it so people can get over it. And so since then what's happened is the Cloud has become more secure than on premises for a lot of either you know, personnel reasons, culture reasons, not updating, you know, from patches to just being insecure to be more insecure. So that to me means that the flip the script can be flipped. >> Yeah. And I think with CloudNative they can build in automation and code to solve some of these problems and make it more complex for the hacker. >> Lisa: Yes. >> And increase the cost. >> Yeah, exactly. Make it more complex. Increase the cost. That'll be in interesting journey to follow. So John, here we are early February, 2023 theCUBE starting out strong as always. What year are we in, 12? Year 12? >> 13th year >> 13! What's next for theCUBE? What's coming up that excites you? >> Well, we're going to do a lot more events. We got the theCUBE in studio that I call theCUBE Center as kind of internal code word, but like, this is more about getting the word out that we can cover events remotely as events are starting to change with hybrid, digital is going to be a big part of that. So I think you're going to see a lot more CUBE on location. We're going to do, still do theCUBE and have theCUBE cover events from the studio to get deeper perspective because we can then bring people in remote through our our studio team. We can bring our CUBE alumni in. We have a corpus of content and experts to bring to table. So I think the coverage will be increased. The expertise and data will be flowing through theCUBE and so Cube Center, CUBE CUBE Studio. >> Lisa: Love it. >> Will be a integral part of our coverage. >> I love that. And we have such great conversations with guests in person, but also virtually, digitally as well. We still get the voices of the practitioners and the customers and the vendors and the partner ecosystem really kind of lauded loud and clear through theCUBE megaphone as I would say. >> And of course getting the clips out there, getting the highlights. >> Yeah. >> Getting more stories. No stories too small for theCUBE. We can make it easy to get the best content. >> The best content. John, it's been fun covering CloudNative security CON with you with you. And Dave and our guests, thank you so much for the opportunity and looking forward to the next event. >> John: All right. We'll see you at Amsterdam. >> Yeah, I'll be there. We want to thank you so much for watching TheCUBES's two day coverage of CloudNative Security CON 23. We're live in Palo Alto. You are live wherever you are and we appreciate your time and your view of this event. For John Furrier, Dave Vellante, I'm Lisa Martin. Thanks for watching guys. We'll see you at the next show.

(upbeat music) >> Hey everyone and welcome to theCUBE's coverage day one of CloudNativeSecurityCon '23. Lisa Martin here with John Furrier and Dave Vellante. Dave and John, great to have you guys on the program. This is interesting. This is the first inaugural CloudNativeSecurityCon. Formally part of KubeCon, now a separate event here happening in Seattle over the next couple of days. John, I wanted to get your take on, your thoughts on this being a standalone event, the community, the impact. >> Well, this inaugural event, which is great, we love it, we want to cover all inaugural events because you never know, there might not be one next year. So we were here if it happens, we're here at creation. But I think this is a good move for the CNCF and the Linux Foundation as security becomes so important and there's so many issues to resolve that will influence many other things. Developers, machine learning, data as code, supply chain codes. So I think KubeCon, Kubernetes conference and CloudNativeCon, is all about cloud native developers. And it's a huge event and there's so much there. There's containers, there's microservices, all that infrastructure's code, the DevSecOps on that side, there's enough there and it's a huge ecosystem. Pulling it as a separate event is a first move for them. And I think there's a toe in the water kind of vibe here. Testing the waters a little bit on, does this have legs? How is it organized? Looks like they took their time, thought it out extremely well about how to craft it. And so I think this is the beginning of what will probably be a seminal event for the open source community. So let's listen to the clip from Priyanka Sharma who's a CUBE alumni and executive director of the CNCF. This is kind of a teaser- >> We will tackle issues of security together here and further on. We'll share our experiences, successes, perhaps more importantly, failures, and help with the collecting of understanding. We'll create solutions. That's right. The practitioners are leading the way. Having conversations that you need to have. That's all of you. This conference today and tomorrow is packed with 72 sessions for all levels of technologists to reflect the bottoms up, developer first nature of the conference. The co-chairs have selected these sessions and they are true blue practitioners. >> And that's a great clip right there. If you read between the lines, what she's saying there, let's unpack this. Solutions, we're going to fail, we're going to get better. Linux, the culture of iterating. But practitioners, the mention of practitioners, that was very key. Global community, 72 sessions, co-chairs, Liz Rice and experts that are crafting this program. It seems like very similar to what AWS has done with re:Invent as their core show. And then they have re:Inforce which is their cloud native security, Amazon security show. There's enough there, so to me, practitioners, that speaks to the urgency of cloud native security. So to me, I think this is the first move, and again, testing the water. I like the vibe. I think the practitioner angle is relevant. It's very nerdy, so I think this is going to have some legs. >> Yeah, the other key phrase Priyanka mentioned is bottoms up. And John, at our predictions breaking analysis, I asked you to make a prediction about events. And I think you've nailed it. You said, "Look, we're going to have many more events, but they're going to be smaller." Most large events are going to get smaller. AWS is obviously the exception, but a lot of events like this, 500, 700, 1,000 people, that is really targeted. So instead of you take a big giant event and there's events within the event, this is going to be really targeted, really intimate and focused. And that's exactly what this is. I think your prediction nailed it. >> Well, Dave, we'll call to see the event operating system really cohesive events connected together, decoupled, and I think the Linux Foundation does an amazing job of stringing these events together to have community as the focus. And I think the key to these events in the future is having, again, targeted content to distinct user groups in these communities so they can be highly cohesive because they got to be productive. And again, if you try to have a broad, big event, no one's happy. Everyone's underserved. So I think there's an industry concept and then there's pieces tied together. And I think this is going to be a very focused event, but I think it's going to grow very fast. >> 72 sessions, that's a lot of content for this small event that the practitioners are going to have a lot of opportunity to learn from. Do you guys, John, start with you and then Dave, do you think it's about time? You mentioned John, they're dipping their toe in the water. We'll see how this goes. Do you think it's about time that we have this dedicated focus out of this community on cloud native security? >> Well, I think it's definitely time, and I'll tell you there's many reasons why. On the front lines of business, there's a business model for security hackers and breaches. The economics are in favor of the hackers. That's a real reality from ransomware to any kind of breach attacks. There's corporate governance issues that's structural challenges for companies. These are real issues operationally for companies in the enterprise. And at the same time, on the tech stack side, it's been very slow movement, like glaciers in terms of security. Things like DNS, Linux kernel, there are a lot of things in the weeds in the details of the bowels of the tech world, protocol levels that just need to be refactored. And I think you're seeing a lot of that here. It was mentioned from Brian from the Linux Foundation, mentioned Dan Kaminsky who recently passed away who found that vulnerability in BIND which is a DNS construct. That was a critical linchpin. They got to fix these things and Liz Rice is talking about the Linux kernel with the extended Berkeley Packet Filtering thing. And so this is where they're going. This is stuff that needs to be paid attention to because if they don't do it, the train of automation and machine learning is going to run wild with all kinds of automation that the infrastructure just won't be set up for. So I think there's going to be root level changes, and I think ultimately a new security stack will probably be very driven by data will be emerging. So to me, I think this is definitely worth being targeted. And I think you're seeing Amazon doing the same thing. I think this is a playbook out of AWS's event focus and I think that's right. >> Dave, what are you thoughts? >> There was a lot of talk in, again, I go back to the progression here in the last decade about what's the right regime for security? Should the CISO report to the CIO or the board, et cetera, et cetera? We're way beyond that now. I think DevSecOps is being asked to do a lot, particularly DevOps. So we hear a lot about shift left, we're hearing about protecting the runtime and the ops getting much more involved and helping them do their jobs because the cloud itself has brought a lot to the table. It's like the first line of defense, but then you've really got a lot to worry about from a software defined perspective. And it's a complicated situation. Yes, there's less hardware, yes, we can rely on the cloud, but culturally you've got a lot more people that have to work together, have to share data. And you want to remove the blockers, to use an Amazon term. And the way you do that is you really, if we talked about it many times on theCUBE. Do over, you got to really rethink the way in which you approach security and it starts with culture and team. >> Well the thing, I would call it the five C's of security. Culture, you mentioned that's a good C. You got cloud, tons of issues involved in cloud. You've got access issues, identity. you've got clusters, you got Kubernetes clusters. And then you've got containers, the fourth C. And then finally is the code itself, supply chain. So all areas of cloud native, if you take out culture, it's cloud, cluster, container, and code all have levels of security risks and new things in there that need to be addressed. So there's plenty of work to get done for sure. And again, this is developer first, bottoms up, but that's where the change comes in, Dave, from a security standpoint, you always point this out. Bottoms up and then middle out for change. But absolutely, the imperative is today the business impact is real and it's urgent and you got to pedal as fast as you can here, so I think this is going to have legs. We'll see how it goes. >> Really curious to understand the cultural impact that we see being made at this event with the focus on it. John, you mentioned the four C's, five with culture. I often think that culture is probably the leading factor. Without that, without getting those teams aligned, is the rest of it set up to be as successful as possible? I think that's a question that's- >> Well to me, Dave asked Pat Gelsinger in 2014, can security be a do-over at VMWorld when he was the CEO of VMware? He said, "Yes, it has to be." And I think you're seeing that now. And Nick from the co-founder of Palo Alto Networks was quoted on theCUBE by saying, "Zero Trust is some structure to give to security, but cloud allows for the ability to do it over and get some scale going on security." So I think the best people are going to come together in this security world and they're going to work on this. So you're going to start to see more focus around these security events and initiatives. >> So I think that when you go to the, you mentioned re:Inforce a couple times. When you go to re:Inforce, there's a lot of great stuff that Amazon puts forth there. Very positive, it's not that negative. Oh, the world is falling, the sky is falling. And so I like that. However, you don't walk away with an understanding of how they're making the CISOs and the DevOps lives easier once they get beyond the cloud. Of course, it's not Amazon's responsibility. And that's where I think the CNCF really comes in and open source, that's where they pick up. Obviously the cloud's involved, but there's a real opportunity to simplify the lives of the DevSecOps teams and that's what's critical in terms of being able to solve, or at least keep up with this never ending problem. >> Yeah, there's a lot of issues involved. I took some notes here from some of the keynote you heard. Security and education, training and team structure. Detection, incidents that are happening, and how do you respond to that architecture. Identity, isolation, supply chain, and governance and compliance. These are all real things. This is not like hand-waving issues. They're mainstream and they're urgent. Literally the houses are on fire here with the enterprise, so this is going to be very, very important. >> Lisa: That's a great point. >> Some of the other things Priyanka mentioned, exposed edges and nodes. So just when you think we're starting to solve the problem, you got IOT, security's not a one and done task. We've been talking about culture. No person is an island. It's $188 billion business. Cloud native is growing at 27% a year, which just underscores the challenges, and bottom line, practitioners are leading the way. >> Last question for you guys. What are you hoping those practitioners get out of this event, this inaugural event, John? >> Well first of all, I think this inaugural event's going to be for them, but also we at theCUBE are going to be doing a lot more security events. RSA's coming up, we're going to be at re:Inforce, we're obviously going to be covering this event. We've got Black Hat, a variety of other events. We'll probably have our own security events really focused on some key areas. So I think the thing that people are going to walk away from this event is that paying attention to these security events are going to be more than just an industry thing. I think you're going to start to see group gatherings or groups convening virtually and physically around core issues. And I think you're going to start to see a community accelerate around cloud native and open source specifically to help teams get faster and better at what they do. So I think the big walkaway for the customers and the practitioners here is that there's a call to arms happening and this is, again, another signal that it's worth breaking out from the core event, but being tied to it, I think that's a good call and I think it's a well good architecture from a CNCF standpoint and a worthy effort, so I give it a thumbs up. We still don't know what it's going to look like. We'll see what day two looks like, but it seems to be experts, practitioners, deep tech, enabling technologies. These are things that tend to be good things to hear when you're at an event. I'll say the business imperative is obvious. >> The purpose of an event like this, and it aligns with theCUBE's mission, is to educate and inspire business technology pros to action. We do it in theCUBE with free content. Obviously this event is a for-pay event, but they are delivering some real value to the community that they can take back to their organizations to make change. And that's what it's all about. >> Yep, that is what it's all about. I'm looking forward to seeing over as the months unfold, the impact that this event has on the community and the impact the community has on this event going forward, and really the adoption of cloud native security. Guys, great to have you during this keynote analysis. Looking forward to hearing the conversations that we have on theCUBE today. Thanks so much for joining. And for my guests, for my co-hosts, John Furrier and Dave Vellante. I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Stick around, we got great content on theCUBE coming up. (upbeat music)

(upbeat music) >> Hello, everyone, from Palo Alto, Lisa Martin here. This is The Cube's coverage of CloudNativeSecurityCon, the inaugural event. I'm here with John Furrier in studio. In Boston, Dave Vellante joins us, and our guest, Liz Rice, one of our alumni, is joining us from Seattle. Great to have everyone here. Liz is the Chief Open Source officer at Isovalent. She's also the Emeritus Chair Technical Oversight Committee at CNCF, and a co-chair of this new event. Everyone, welcome Liz. Great to have you back on theCUBE. Thanks so much for joining us today. >> Thanks so much for having me, pleasure. >> So CloudNativeSecurityCon. This is the inaugural event, Liz, this used to be part of KubeCon, it's now its own event in its first year. Talk to us about the importance of having it as its own event from a security perspective, what's going on? Give us your opinions there. >> Yeah, I think security was becoming so- at such an important part of the conversation at KubeCon, CloudNativeCon, and the TAG security, who were organizing the co-located Cloud Native Security Day which then turned into a two day event. They were doing this amazing job, and there was so much content and so much activity and so much interest that it made sense to say "Actually this could stand alone as a dedicated event and really dedicate, you know, all the time and resources of running a full conference, just thinking about cloud native security." And I think that's proven to be true. There's plenty of really interesting talks that we're going to see. Things like a capture the flag. There's all sorts of really good things going on this week. >> Liz, great to see you, and Dave, great to see you in Boston Lisa, great intro. Liz, you've been a CUBE alumni. You've been a great contributor to our program, and being part of our team, kind of extracting that signal from the CNCF cloud native world KubeCon. This event really kind of to me is a watershed moment, because it highlights not only security as a standalone discussion event, but it's also synergistic with KubeCon. And, as co-chair, take us through the thought process on the sessions, the experts, it's got a practitioner vibe there. So we heard from Priyanka early on, bottoms up, developer first. You know KubeCon's shift left was big momentum. This seems to be a breakout of very focused security. Can you share the rationale and the thoughts behind how this is emerging, and how you see this developing? I know it's kind of a small event, kind of testing the waters it seems, but this is really a directional shift. Can you share your thoughts? >> Yeah I'm just, there's just so many different angles that you can consider security. You know, we are seeing a lot of conversations about supply chain security, but there's also runtime security. I'm really excited about eBPF tooling. There's also this opportunity to talk about how do we educate people about security, and how do security practitioners get involved in cloud native, and how do cloud native folks learn about the security concepts that they need to keep their deployments secure. So there's lots of different groups of people who I think maybe at a KubeCon, KubeCon is so wide, it's such a diverse range of topics. If you really just want to focus in, drill down on what do I need to do to run Kubernetes and cloud native applications securely, let's have a really focused event, and just drill down into all the different aspects of that. And I think that's great. It brings the right people together, the practitioners, the experts, the vendors to, you know, everyone can be here, and we can find each other at a smaller event. We are not spread out amongst the thousands of people that would attend a KubeCon. >> It's interesting, Dave, you know, when we were talking, you know, we're going to bring you in real quick, because AWS, which I think is the bellweather for, you know, cloud computing, has now two main shows, AWS re:Invent and re:Inforce. Security, again, broken out there. you see the classic security events, RSA, Black Hat, you know, those are the, kind of, the industry kind of mainstream security, very wide. But you're starting to see the cloud native developer first with both security and cloud native, kind of, really growing so fast. This is a major trend for a lot of the ecosystem >> You know, and you hear, when you mention those other conferences, John you hear a lot about, you know, shift left. There's a little bit of lip service there, and you, we heard today way more than lip service. I mean deep practitioner level conversations, and of course the runtime as well. Liz, you spent a lot of time obviously in your keynote on eBPF, and I wonder if you could share with the audience, you know, why you're so excited about that. What makes it a more effective tool compared to other traditional methods? I mean, it sounds like it simplifies things. You talked about instrumenting nodes versus workloads. Can you explain that a little bit more detail? >> Yeah, so with eBPF programs, we can load programs dynamically into the kernel, and we can attach them to all kinds of different events that could be happening anywhere on that virtual machine. And if you have the right knowledge about where to hook into, you can observe network events, you can observe file access events, you can observe pretty much anything that's interesting from a security perspective. And because eBPF programs are living in the kernel, there's only one kernel shared amongst all of the applications that are running on that particular machine. So you don't- you no longer have to instrument each individual application, or each individual pod. There's no more need to inject sidecars. We can apply eBPF based tooling on a per node basis, which just makes things operationally more straightforward, but it's also extremely performant. We can hook these programs into events that typically very lightweight, small programs, kind of, emitting an event, making a decision about whether to drop a packet, making a decision about whether to allow file access, things of that nature. There's super fast, there's no need to transition between kernel space and user space, which is usually quite a costly operation from performance perspective. So eBPF makes it really, you know, it's taking the security tooling, and other forms of tooling, networking and observability. We can take these tools into the kernel, and it's really efficient there. >> So Liz- >> So, if I may, one, just one quick follow up. You gave kind of a space age example (laughs) in your keynote. When, do you think a year from now we'll be able to see, sort of, real world examples in in action? How far away are we? >> Well, some of that is already pretty widely deployed. I mean, in my keynote I was talking about Cilium. Cilium is adopted by hundreds of really big scale deployments. You know, the users file is full of household names who've been using cilium. And as part of that they will be using network policies. And I showed some visualizations this morning of network policy, but again, network policy has been around, pretty much since the early days of Kubernetes. It can be quite fiddly to get it right, but there are plenty of people who are using it at scale today. And then we were also looking at some runtime security detections, seeing things like, in my example, exfiltrating the plans to the Death Star, you know, looking for suspicious executables. And again, that's a little bit, it's a bit newer, but we do have people running that in production today, proving that it really does work, and that eBPF is a scalable technology. It's, I've been fascinated by eBPF for years, and it's really amazing to see it being used in the real world now. >> So Liz, you're a maintainer on the Cilium project. Talk about the use of eBPF in the Cilium project. How is it contributing to cloud native security, and really helping to change the dials on that from an efficiency, from a performance perspective, as well as a, what's in it for me as a business perspective? >> So Cilium is probably best known as a networking plugin for Kubernetes. It, when you are running Kubernetes, you have to make a decision about some networking plugin that you're going to use. And Cilium is, it's an incubating project in the CNCF. It's the most mature of the different CNIs that's in the CNCF at the moment. As I say, very widely deployed. And right from day one, it was based on eBPF. And in fact some of the people who contribute to the eBPF platform within the kernel, are also working on the Cilium project. They've been kind of developed hand in hand for the last six, seven years. So really being able to bring some of that networking capability, it required changes in the kernel that have been put in place several years ago, so that now we can build these amazing tools for Kubernetes operators. So we are using eBPF to make the networking stack for Kubernetes and cloud native really efficient. We can bypass some of the parts of the network stack that aren't necessarily required in a cloud native deployment. We can use it to make these incredibly fast decisions about network policy. And we also have a sub-project called Tetragon, which is a newer part of the Cilium family which uses eBPF to observe these runtime events. The things like people opening a file, or changing the permissions on a file, or making a socket connection. All of these things that as a security engineer you are interested in. Who is running executables who is making network connections, who's accessing files, all of these operations are things that we can observe with Cilium Tetragon. >> I mean it's exciting. We've chatted in the past about that eBPF extended Berkeley Packet Filter, which is about the Linux kernel. And I bring that up Liz, because I think this is the trend I'm trying to understand with this event. It's, I hear bottoms up developer, developer first. It feels like it's an under the hood, infrastructure, security geek fest for practitioners, because Brian, in his keynote, mentioned BIND in reference the late Dan Kaminsky, who was, obviously found that error in BIND at the, in DNS. He mentioned DNS. There's a lot of things that's evolving at the silicone, kernel, kind of root levels of our infrastructure. This seems to be a major shift in focus and rightfully so. Is that something that you guys talk about, or is that coincidence, or am I just overthinking this point in terms of how nerdy it's getting in terms of the importance of, you know, getting down to the low level aspects of protecting everything. And as we heard also the quote was no software secure. (Liz chuckles) So that's up and down the stack of the, kind of the old model. What's your thoughts and reaction to that? >> Yeah, I mean I think a lot of folks who get into security really are interested in these kind of details. You know, you see write-ups of exploits and they, you know, they're quite often really involved, and really require understanding these very deep detailed technical levels. So a lot of us can really geek out about the details of that. The flip side of that is that as an application developer, you know, as- if you are working for a bank, working for a media company, you're writing applications, you shouldn't have to be worried about what's happening at the kernel level. This might be kind of geeky interesting stuff, but really, operationally, it should be taken care of for you. You've got your work cut out building business value in applications. So I think there's this interesting, kind of dual track going on almost, if you like, of the people who really want to get involved in those nitty gritty details, and understand how the underlying, you know, kernel level exploits maybe working. But then how do we make that really easy for people who are running clusters to, I mean like you said, nothing is ever secure, but trying to make things as secure as they can be easily, and make things visual, make things accessible, make things, make it easy to check whether or not you are compliant with whatever regulations you need to be compliant with. That kind of focus on making things usable for the platform team, for the application developers who deliver apps on the platform, that's the important (indistinct)- >> I noticed that the word expert was mentioned, I mentioned earlier with Priyanka. Was there a rationale on the 72 sessions, was there thinking around it or was it kind of like, these are urgent areas, they're obvious low hanging fruit. Was there, take us through the selection process of, or was it just, let's get 72 sessions going to get this (Liz laughs) thing moving? >> No, we did think quite carefully about how we wanted to, what the different focus areas we wanted to include. So we wanted to make sure that we were including things like governance and compliance, and that we talk about not just supply chain, which is clearly a very hot topic at the moment, but also to talk about, you know, threat detection, runtime security. And also really importantly, we wanted to have space to talk about education, to talk about how people can get involved. Because maybe when we talk about all these details, and we get really technical, maybe that's, you know, a bit scary for people who are new into the cloud native security space. We want to make sure that there are tracks and content that are accessible for newcomers to get involved. 'Cause, you know, given time they'll be just as excited about diving into those kind of kernel level details. But everybody needs a place to start, and we wanted to make sure there were conversations about how to get started in security, how to educate other members of your team in your organization about security. So hopefully there's something for everyone. >> That education piece- >> Liz, what's the- >> Oh sorry, Dave. >> What the buzz on on AI? We heard Dan talk about, you know, chatGPT, using it to automate spear phishing. There's always been this tension between security and speed to market, but CISOs are saying, "Hey we're going to a zero trust architecture and that's helping us move faster." Will, in your, is the talk on the floor, AI is going to slow us down a little bit until we figure it out? Or is it actually going to be used as an offensive defensive tool if I can use that angle? >> Yeah, I think all of the above. I actually had an interesting chat this morning. I was talking with Andy Martin from Control Plane, and we were talking about the risk of AI generated code that attempts to replicate what open source libraries already do. So rather than using an existing open source package, an organization might think, "Well, I'll just have my own version, and I'll have an AI write it for me." And I don't, you know, I'm not a lawyer so I dunno what the intellectual property implications of this will be, but imagine companies are just going, "Well you know, write me an SSL library." And that seems terrifying from a security perspective, 'cause there could be all sorts of very slightly different AI generated libraries that pick up the same vulnerabilities that exist in open source code. So, I think we're going to go through a pretty interesting period of vulnerabilities being found in AI generated code that look familiar, and we'll be thinking "Haven't we seen these vulnerabilities before? Yeah, we did, but they were previously in handcrafted code and now we'll see the same things being generated by AI." I mean, in the same way that if you look at an AI generated picture and it's got I don't know, extra fingers, or, you know, extra ears or something that, (Dave laughs) AI does make mistakes. >> So Liz, you talked about the education, the enablement, the 72 sessions, the importance of CloudNativeSecurityCon being its own event this year. What are your hopes and dreams for the practitioners to be able to learn from this event? How do you see the event as really supporting the growth, the development of the cloud native security community as a whole? >> Yeah, I think it's really important that we think of it as a Cloud Native Security community. You know, there are lots of interesting sort of hacker community security related community. Cloud native has been very community focused for a long time, and we really saw, particularly through the tag, the security tag, that there was this growing group of people who were, really wanted to work at that intersection between security and cloud native. And yeah, I think things are going really well this week so far, So I hope this is, you know, the first of many additions of this conference. I think it will also be interesting to see how the balance between a smaller, more focused event, compared to the giant KubeCon and cloud native cons. I, you know, I think there's space for both things, but whether or not there will be other smaller focus areas that want to stand alone and justify being able to stand alone as their own separate conferences, it speaks to the growth of cloud native in general that this is worthwhile doing. >> Yeah. >> It is, and what also speaks to, it reminds me of our tagline here at theCUBE, being able to extract the signal from the noise. Having this event as a standalone, being able to extract the value in it from a security perspective, that those practitioners and the community at large is going to be able to glean from these conversations is something that will be important, that we'll be keeping our eyes on. >> Absolutely. Makes sense for me, yes. >> Yeah, and I think, you know, one of the things, Lisa, that I want to get in, and if you don't mind asking Dave his thoughts, because he just did a breaking analysis on the security landscape. And Dave, you know, as Liz talking about some of these root level things, we talk about silicon advances, powering machine learning, we've been covering a lot of that. You've been covering the general security industry. We got RSA coming up reinforced with AWS, and as you see the cloud native developer first, really driving the standards of the super cloud, the multicloud, you're starting to see a lot more application focus around latency and kind of controlling that, These abstraction layer's starting to see a lot more growth. What's your take, Dave, on what Liz and- is talking about because, you know, you're analyzing the horses on the track, and there's sometimes the old guard security folks, and you got open source continuing to kick butt. And even on the ML side, we've been covering some of these foundation models, you're seeing a real technical growth in open source at all levels and, you know, you still got some proprietary machine learning stuff going on, but security's integrating all that. What's your take and your- what's your breaking analysis on the security piece here? >> I mean, to me the two biggest problems in cyber are just the lack of talent. I mean, it's just really hard to find super, you know, deep expertise and get it quickly. And I think the second is it's just, it's so many tools to deal with. And so the architecture of security is just this mosaic and a mess. That's why I'm excited about initiatives like eBPF because it does simplify things, and developers are being asked to do a lot. And I think one of the other things that's emerging is when you- when we talk about Industry 4.0, and IIoT, you- I'm seeing a lot of tools that are dedicated just to that, you know, slice of the world. And I don't think that's the right approach. I think that there needs to be a more comprehensive view. We're seeing, you know, zero trust architectures come together, and it's going to take some time, but I think that you're going to definitely see, you know, some rethinking of how to architect security. It's a game of whack-a-mole, but I think the industry is just- the technology industry is doing a really really good job of, you know, working hard to solve these problems. And I think the answer is not just another bespoke tool, it's a broader thinking around architectures and consolidating some of those tools, you know, with an end game of really addressing the problem in a more comprehensive fashion. >> Liz, in the last minute or so we have your thoughts on how automation and scale are driving some of these forcing functions around, you know, taking away the toil and the muck around developers, who just want stuff to be code, right? So infrastructure as code. Is that the dynamic here? Is this kind of like new, or is it kind of the same game, different kind of thing? (chuckles) 'Cause you're seeing a lot more machine learning, a lot more automation going on. What's, is that having an impact? What's your thoughts? >> Automation is one of the kind of fundamental underpinnings of cloud native. You know, we're expecting infrastructure to be written as code, We're expecting the platform to be defined in yaml essentially. You know, we are expecting the Kubernetes and surrounding tools to self-heal and to automatically scale and to do things like automated security. If we think about supply chain, you know, automated dependency scanning, think about runtime. Network policy is automated firewalling, if you like, for a cloud native era. So, I think it's all about making that platform predictable. Automation gives us some level of predictability, even if the underlying hardware changes or the scale changes, so that the application developers have something consistent and standardized that they can write to. And you know, at the end of the day, it's all about the business applications that run on top of this infrastructure >> Business applications and the business outcomes. Liz, we so appreciate your time talking to us about this inaugural event, CloudNativeSecurityCon 23. The value in it for those practitioners, all of the content that's going to be discussed and learned, and the growth of the community. Thank you so much, Liz, for sharing your insights with us today. >> Thanks for having me. >> For Liz Rice, John Furrier and Dave Vellante, I'm Lisa Martin. You're watching the Cube's coverage of CloudNativeSecurityCon 23. (electronic music)

>>The cube presents Koon and cloud native con Europe, 2022, brought to you by red hat, the cloud native computing foundation and its ecosystem partners. >>Welcome to Valencia Spain and CubeCon cloud native con Europe, 2022 I'm cube Townsend, along with Paul Gill, senior editor, enterprise architecture at Silicon angle. We are talking to some incredible folks this week, continuing the conversation around enabling developers to do their work. Paul you've said that this conference is about developers. What are you finding key as a theme running throughout the show >>That that developers really need a whole set of special tools. You know, it's not the end user, the end user tools, the end user access controls the authentication it's developers need a need their own to live their in their own environment. They need their own workflow tools, their own collaboration and their own security. And that's where teleport comes in. >>So speaking of teleport, we have Michael fork, chief marking our officer at teleport new world role for you. First, tell me about how long have you been at teleport now >>Going on seven or eight months now, >>Seven or eight months in this fast moving market. I'm I'm going to tell you a painful experience I've had in this new world. We've built applications. We've moved fast audits come in. The auditors have come in and they said, you know what, who authorized this change to the cluster? And we'll go into the change ticket and say, this person authorized the changes and the change ticket. And then they'll ask for trace back. Okay. Show me the change. What do it mean? Show you the changes. It just happened. >>Yeah. Check, check GitHub. >>Yeah, check GI, get, see, we, we, we, we said we were gonna make the changes, the change happen. That's not enough. What are CU, how are you helping customers solve this access control and audit problem? >>Yeah, that's a great question. There're kind of, there're kind of two, two sides to the puzzle. And actually I think that the intro hits it. Well, you you've talked about kind of developer experience needing needing tools to more efficiently do the job as a practitioner. And you're coming at it from kind of a security and compliance angle. And there's a tension between both of those teams. It's like, you know, there's, there's a tension between dev and ops before we created DevOps. There's also a tension between kind of security teams and developers. So we've created dev SecOps. What that means is you need an easy way for developers to get access, access to the resources they needed through their jobs. That's, you know, Linux hosts and databases and Kubernetes clusters and, you know, monitoring dashboards and managing all of those credentials is quite cumbersome. If I need to access a dozen systems, then you know, I'm using SSH keys to access this. >>I have admin credentials for my database. I I'm going through a VPN to access an internal dashboard, teleport, consolidates, all of that access into a single login via your identity provider, Okta active directory, but then on the security and compliance side, we make it really easy for that compliance officer. When they say, show me that change, we have all of the audit logs. That's that show exactly what changes Keith made when he logged into, into that system. And in fact, one of the booths behind here is talking about E B P F a modern way to get that kind of kernel level grade granularity. We build all of that observability into teleport to make the security and compliance teams happy. And the engineering teams a lot more productive. >>Where do the, the access control tools like Okta, you mentioned fall short. I mean, why, why is there a need for your level of, of control at the control plane? >>Yeah. When you, when you start to talk about authorization, authentication, audit at the infrastructure level, each of these technologies has its own way of managing what kind of in, in the jargon often and Ze, right? Authentication authorization. So you have SSH for, for Linux. Kubernetes has its own way of doing authorization. All of the database providers have their own way and it's quite complicated, right? It's, it's much different. So, you know, if I'm gonna access office 365 or I'm gonna a access Salesforce, right. I'm really talking about the HTTP protocol. It's relatively trivial to implement single sign on for web-based applications. But when we start talking about things that are happening at the Linux kernel level, or with Kubernetes, it's quite complicated to build those integrations. And that's where teleport extends what you have with your IDP. So for instance, Okta, lots of our customers use Okta as their identity provider, but then teleport takes those roles and applies them and enforces them at the actual infrastructure level. >>So if I'm a lay developer, I'm looking at this thinking, you know, I, I have service mesh, I've implemented link D SEO or something to that level. And I also have Ansible and Ansible has security, etcetera. What, what role, or how does that integrate to all together from a big picture perspective? >>Yeah. So >>What, one of the, kind of the meta themes at teleport is we, we like to, we like to say that we are fighting complexity cuz as we build new technologies, we tend to run the new tech on top of the old tech. Whereas for instance, when you buy a new car, you typically don't, you know, hook the old car to the back and then pull it around with you. Right? We, we replace old technology with new technology, but in infrastructure that doesn't happen as often. And so you end up with kind of layers of complexity with one protocol sitting on top of another protocol on top of another protocol. And what teleport does is for the access control plane, we, we kind of replace the legacy ways of doing authentication authorization and audit with a new modern experience. But we allow you to continue to use the existing tools. >>So we don't replace, for instance, you know, your configuration management system, you can keep using Ansible or, or salt or Jenkins, but teleport now is gonna give those, those scripts or those pipelines in identity that you can define. What, what should Ansible be able to do? Right? If, cuz people are worried about supply chain attacks, if a, if a vulnerable dependency gets introduced into your supply chain pipeline and your kind of Ansible playbook goes crazy and starts deploying that vulnerability everywhere, that's probably something you wanna limit with teleport. You can limit that with an identity, but you can still use the tools that you're, that you're used to. >>So how do I guarantee something like an ex-employee doesn't come in and, and initiate Ansible script that was sitting in the background just waiting to happen until, you know, they left. >>Yeah. Great question. It's there's kind of the, the, the great resignation that's happening. We did a survey where actually we asked the question kind of, you know, can you guarantee that X employees can no longer access your infrastructure? And shockingly like 89% of companies could not guarantee that it's like, wow, that's like that should, that should be a headline somewhere. And we actually just learned that there are on the dark web, there are people that are targeting current employees of Netflix and Uber and trying to buy credentials of those employees to the infrastructure. So it's a big problem with teleport. We solve this in a really easy, transparent way for developers. Everything that we do is based on short lift certificates. So unlike a SSH key, which exists until you decommission it, shortlist certificates by, by default expire. And if you don't reissue them based on a new login based on the identity, then, then you can't do anything. So even a stolen credential kind of the it's value decreases dramatically over time. >>So that statistic or four out of five companies can't guarantee X employees can't access infrastructure. Why is simply removing the employee from the, you know, from the L app or directory decommissioning their login credentials. Why is that not sufficient? >>Well, it, it depends on if everything is integrated into your identity provider and because of the complexities of accessing infrastructure, we know that developers are creative people. And by, by kind of by definition, they're able to create systems to make their lives easier. So one thing that we see developers doing is kind of copying an SSH key to a local notepad on, on their computer. So they essentially can take that credential out of a vault. They can put it somewhere that's easier for them to access. And if you're not rotating that credential, then I can also, you know, copy it to a, to a personal device as well. Same thing for shared admin credentials. So the, the, the issue is that those credentials are not completely managed in a unified way that enables the developer to not go around the system in order to make their lives easier. >>But rather to actually use the system, there's a, there's a market called privilege access management that a lot of enterprises are using to kind of manage credentials for their developers, but it's notoriously disruptive to developer workflows. And so developers kind of go around the system in order to make their jobs easier. What teleport does is we obviate the need to go around the system, cuz the simplest thing is just to come in in the morning, log in one time to my identity provider. And now I have access to all of my servers, all of my databases, all of my Kubernetes clusters with a short lift certificate, that's completely transparent. And does >>This apply to, to your, both your local and your cloud accounts? >>Yes. Yes, exactly. >>So as a security company, what's driving the increase in security breaches. Is it the lack of developer hygiene? Is it this ex-employee great resignation bill. Is it external intruders? What's driving security breaches today. >>Yes. >>It's you know, it's, it's all of those things. I think if I had to put, give you a one word answer, I would say complexity. The systems that we are building are just massively complex, right? Look at how many vendors there are at this show in order to make Kubernetes easy to use, to do what its promises. It's just, we're building very complex systems. When you build complex systems, there's a lot of back doors, we call it kind of a tax surface. And that's why for every new thing that we introduce, we also need to think about how do we remove old layers of the stack so that we can simplify so that we can consolidate and take advantage of the power of something like Kubernetes without introducing security vulnerabilities. >>One of the problems or challenges with security solutions is, you know, you there's this complexity versus flexibility knob that you, you need to be careful of. What's the deployment experience in integration experience for deploying teleport. >>Yeah, it's it, we built it to be cloud native to feel like any other kind of cloud native or Kubernetes like solution. So you basically, you deploy it using helm chart, you deploy it using containers and we take care of all of the auto configuration and auto update. So that it's just, it's, it's part of your stack and you manage it using the same automation that you use to manage everything else. That's a, that's a big kind of installation and developer experience. Part of it. If it's complex to use, then not only are developers not gonna use it. Operations teams are not gonna want to have to deal with it. And then you're left with doing things the old way, which is very unsatisfactory for everybody. >>How does Kubernetes change the security equation? Are there vulnerabilities? It introduces to the, to the stack that maybe companies aren't aware of >>Almost by definition. Yes. Kind of any new technology is gonna introduce new security vulnerabilities. That's the that's that is the result of the complexity, which is, there are things that you just don't know when you introduce new components. I think kind of all of the supply chain vulnerabilities are our way of looking at that, which is we have, you know, Kubernetes is itself built on a lot of dependencies. Those dependencies themselves could have security vulnerabilities. You might have a package that's maintained by one kind of hobbyist developer, but that's actually deployed across hundreds of thousands of applications across, across the internet. So again, it's about one understanding that that complexity exists and then saying, is there a way that we can kind of layer on a solution that provides a common layer to let us kind of avoid that complexity and say, okay, every critical action needs to be authorized with an identity that way if it's automated or if it's human, I have that level of assurance that a hacked Ansible pipeline is not going to be able to introduce vulnerabilities across my entire infrastructure. >>So one of the challenges for CIOs and CTOs, it's the lack of developer resources and another resulting pain point that compounds that issue is rework due to security audits is teleport a source of truth that when a auditor comes in to audit a, a, a, a C I C D pipeline that the developer or, or operations team can just say, Hey, here's, self-service get what you need. And come back to us with any questions or is there a second set of tools we have to use to get that audit and compliance reporting? >>Yeah, it's teleport can be that single source of truth. We can also integrate with your other systems so you can export all of the, what we call access logs. So every, every behavior that took place, every query that was run on a database, every, you know, curl command that was run on a Lennox, host, teleport is creating a log of that. And so you can go in and you can filter and you can view those, those actions within teleport. But we also integrate with other systems that, that people are using, you have its Splunk or Datadog or whatever other tool chain it's really important that we integrate, but you can also use teleport as that single source. So >>You can work with the observability suites that are now being >>Installed. Yeah, there, the, the wonderful thing about kind of an ecosystem like Kubernetes is there's a lot of standardization. You can pick your preferred tool, but under the hood, the protocols for taking a log and putting it in another system are standardized. And so we can integrate with any of the tools that developers are already using. >>So how big is teleport when I'm thinking about a, from a couple of things big as in what's the footprint and then from a developer operations team overhead, is this kind of a set and forget it, how much care feed and maintenance does it >>Need? So it's very lightweight. We basically have kind of two components. There's the, the access proxy that sits in front of your infrastructure. And that's what enables us to, you know, regardless of the complexity that sits across your multi data center footprint, your traditional applications, running on windows, your, your, your modern applications running on, you know, Linux and Kubernetes, we provide seamless access to all of that. And then there's an agent that runs on all of your hosts. And this is the part that can be deployed using yo helm or any other kind of cloud native deployment methodology that enables us to do the, the granular application level audit. For instance, what queries are actually being run on CockroachDB or on, on Postgres, you know, what, what CIS calls are running on Linnux kernel, very lightweight automation can be used to install, manage, upgrade all of it. And so from an operations perspective, kind of bringing in teleport shouldn't be any more complicated than running any application on a container. That's, that's the design goal and what we built for our customers. >>If I'm in a hybrid environment, I'm transitioning, I'm making the migration to teleport. Is this a team? Is this a solution that sits only on the Kubernetes cloud native side? Or is this something that I can trans transition to initially, and then migrate all of my applications to, as I transition to cloud native? >>Yeah. We, there are kind of, no, there are no cloud native dependencies for teleport. Meaning if you are, you're a hundred percent windows shop, then we support for instance, RDP. That's the way in which windows handles room access. If you have some applications that are running on Linux, we can support that as well. If you've got kind of the, you know, the complete opposite in the spectrum, you're doing everything, cloud native containers, Kubernetes, everything. We also support that. >>Well, Michael, I really appreciate you stopping by and sharing the teleport story. Security is becoming an obvious pain point for cloud native and container management. And teleport has a really good story around ensuring compliance and security from Licia Spain. I'm Keith towns, along with Paul Gillon and you're watching the cue, the, the leader, not the, the leader two, the high take tech coverage.

>>To the Seaport in Boston, Massachusetts, everybody's buzzing. The Bruins are playing tonight. They tied it up. The Celtics tied it up last night. We're excited. We don't talk about the red Sox. Red Sox are getting struggles, but you know, we have good distractions. Paul goer is here. He's the president and chief executive officer at red hat and also a Boston fan of great to see, of course, you too. >>Nice to see you guys, you know, it's been a, it's been a while. >><laugh> yeah, we saw you, you know, online and virtually for a couple of years there, but, uh, you know, we've been doing red hat summit for a long, long time. Yeah, of course we were talking earlier. It's just much more intimate, kind of a VIP event, a few more suit jackets here. You know, I got my tie on, so I don't get too much grief. I usually get grief when I wear a tie of red hat summit, but it's a different format this year. Compressed keynotes. Your keynote was great. The new normal, sometimes we call it the new abnormal <laugh>, uh, but you know, how do you feel? >>I, I, I, I feel great. First of all, you know, combination today, virtual audience in, in house audience here today. I think we're gonna see a lot of that in the future. I mean, we designed the event around that and I, I think it, I think it played pretty well. Kudos, kudos to our team. You're right. It's, it's, it's a bit more intimate even the way it was set up, but those are the conversations we like having with our customers and our partners, much more partner centric, uh, as well right now, as well. >>You know, we were talking about, you know, hybrid cloud. It was kind of, you know, it was a good marketing term. And, but now it's, it's, it's become the real thing. I've said many times the, the definition of cloud is changing. It's expanding it's no, the cloud is no longer this remote set of services, you know, somewhere up in the cloud, it's on prem connecting to a cloud across clouds, out to the edge and you need capabilities that work everywhere. And that's what red hat did. The market's just swimming toward you. >>Yeah. I mean, you look at it, you know, I was, uh, you know, if you look at it, you know, the clouds are powerful unto themselves, right? The clouds are powerful unto themselves. They're all different. Right? And that that's, I mean, hardware vendors were, were similar, but different, same thing. You need that connective tissue across, across the whole thing. I mean, as I said, in my keynote today, I remember talking to some of our CIOs and customers 10 years ago and they said, we're going 90% of our apps tomorrow to one cloud. And we knew that wasn't practical because of course the clouds are built from Linux. So we knew it was underneath the hood and, and what's happened. It's taken some time, but as they started to get into that, they started to see, well, maybe one cloud's more suited for one application than the other, these apps. You may have to keep on premise, but you know, what really exploded at the, the, the hybrid thing, the edge. Now they're putting things at the edge, the GM announcement tell you, I know you're gonna talk to Francis. Yeah, yeah. Later. I mean, that's, that's a mini data center in, in every cloud, but that's still under the purview of the CIO, you know? So, so, so that's what hybrid's all about is tying all those pieces together, cuz it got more powerful, but it also more complex. >>You mentioned being the connective tissue, but we don't hear as much talk about multi-cloud seems to me, as we used to this conference has been all about hybrid cloud. You don't really talk about multi-cloud. How important is that to the red hat strategy, being that consistent layer? >>It's probably my mistake or our mistake because multi's more prevalent and more important than just hybrid alone. I mean, hybrid hybrid started from on-premise to one part to any one particular cloud. That was the, the first thought of hybrid. But as I said, as, as, as um, some of the cloud providers became so big, um, every, every CIO I talked to, whether they know whether they know it or not most do are in a multi environment for a whole bunch of reasons, right. You know, one cloud provider might be better in a different part of the world. And another one cloud provider might have a better service than another. Some just don't like to be stuck to one it's it's really hybrid multi. We should, we should train ourselves to every time we say hybrid, say multi, because that's really, that's really what it is. It, I think that happened overnight with, with Microsoft, you know, with Microsoft they've, they've, they've really grown over the last few years, so has Amazon for that matter. But Microsoft really coming up is what really made it a, a high, a multi world. >>Microsoft's remarkable what, what they're doing. But I, I, I have a different thinking on this. I, I heard Chuck Whitten last week at, at the Dell conference he used, he said used the phrase a multicloud, uh, by default versus multi-cloud by design. And I thought that was pretty interesting because I've said that multi-cloud is largely multi-vendor, you know? And so hybrid has implications, right? We, we bring and a shesh came up with a new term today. Metacloud I use Supercloud I like Metacloud better because something's happening, Paul. It feels like there's this layer abstraction layer that the underlying complexity is hidden. Think about OpenShift. Yeah. I could buy, I could get OpenShift for free. Yeah. I mean, I could, and I could cobble together and stitch together at 13, 15 dozens of different services and replicate, but I don't, I don't want that complexity. I want you to hide that complexity. I want, I'd rather spend money on your R and D than my engineering. So something's changing. It feels like >>You buy that. I totally buy that. I mean, you know, I, I, I'm gonna try to not make this sound like a marketing thing because it's not, not fair enough. Right. I mean, I'm engineer at heart, you know that, so, >>Okay. >>I really look to what we're trying to do is we're building a hybrid multi cloud. I mean that we, I look at us as a cloud provider spanning the hybrid multi all the way out to the edge world, but we don't have the data centers in the back. Like the cloud providers do in and by that is you're seeing our products being consumed more like cloud services because that's what our customers are demanding. Our, our products now can be bought out of the various marketplaces, et cetera. You're seeing different business models from us. So, uh, you're seeing, uh, committed spend, for example, like the cloud providers where a customer will buy so much up front and sort of just work it down. You're seeing different models on how they're consumed, consumption, based pricing. These, these are all things that came from the cloud providers and customers buying like that. >>They now want that across their entire environment. They don't wanna buy differently on premise or in one cloud and they don't wanna develop differently. They don't wanna operate differently. They don't wanna have to secure it differently. Security's the biggest thing with, with our, with our customers, because hybrid's powerful, but you no longer have the, you know, your security per perimeter, no longer the walls of your data center. You know, you're, you're responsible as a CIO. You're responsible for every app. Yeah. No matter where it's running, if that's the break in point, you're responsible for that. So that's why we've done things like, you know, we cried stack rocks. We've, we've built it into the container Kubernetes platform that spans those various footprints because you no longer can just do perimeter security because the perimeter is, is very, very, very large right now >>Diffuse. One of the thing on the multi-cloud hyper skills, I, I, red hat's never been defensive about public cloud. You, I think you look at the a hundred billion dollars a year in CapEx spend that's a gift to the industry. Not only the entire it industry, but, but the financial services companies and healthcare companies, they can build their own hybrid clouds. Metacloud super clouds taking advantage of that, but they still need that connective tissue. And that's where >>We products come in. We welcome our customers to go to, to the public cloud. Um, uh, look, it's it's. I said a long time ago, we said a long time it was gonna be a hybrid. Well, I should have said multi anybody said hybrid, then it's gonna be a hybrid world. It is. And it doesn't matter if it's a 20, 80, 80, 20, 40, 60, 60, 40. It's not gonna be a hundred percent anywhere. Yeah. And, and so in that, in that definition, it's a hybrid multi world. >>I wanna change the tune a little bit because I've been covering IBM for 40 years and seen a lot of acquisitions and see how they work. And usually it follows the same path. There's a commitment to leaving the acquire company alone. And then over time that fades, the company just becomes absorbed. Same thing with red hat. It seems like they're very much committed to, to, to leaving you alone. At least they said that upon the acquisition, have they followed through on that promise? >>I have to tell you IBM has followed through on every commitment they've made, made to us. I mean, I, I owe it, I owe a lot of it to Arvin. Um, he was the architect of the deal, right. Um, we've known each other for a long time. Um, he's a great guy. Um, he, uh, he, he believes in it. It's not, he's not just doing it that way because he thinks, um, something bad will happen if he doesn't, he's doing it that way. Cuz he believes in that our ecosystem is what made us. I mean, I mean, even here it's about the partners in the ecosystem. If you look at what made REL people think what made red hat as a company was support, right. Support's really important. Small piece of the value proposition life cycle supports certainly their life cycle a 10 year life cycle just came out of a, a, a customer conference asking about the life cycle and could we extend it to 15 years? You know? Um, the ecosystem is probably the most important part of, of, of, of the, of the overall value proposition. And Arvin knows in IBM knows that, you know, we have to be neutral to be able to do everything the same for all of our ecosystem partners. Some that are IBM's competitors, even. So, >>So we were noticing this morning, I mean, aside from a brief mention of power PC and the IBM logo during, at one point, there was no mention of IBM during the keynote sessions this morning. Is that intentional? Or is that just >>No, no, it it's, it's not intentional. I mean, I think that's part of, we have our strategy to drive and we're, we're driving our, our strategy. We, we, we IBM great partner. We look at them as a partner just as we do our, our many other partners and we won't, you know, we wouldn't, we wouldn't do something with our products, um, for I with IBM that we wouldn't offer to our, our entire ecosystem. >>But there is a difference now, right? I don't know these numbers. Exactly. You would know though, but, but pre 2019 acquisition red hat was just, I think north of 3 billion in revenue growing at maybe 12% a year. Something like that, AR I mean, we hear on the earnings calls, 21% growth. I think he's publicly said you're north of 5 billion or now I don't know how much of that consulting gets thrown in. IBM likes to, you know, IBM math, but still it's a much bigger business. And, and I wonder if you could share with us, obviously you can't dig into the numbers, but have you hired more people? I would imagine. I mean, sure. Like what's been different from that standpoint in terms of the accelerant to your >>Business. Yeah. We've been on the same hiring cycle percentage wise as, as we, we always were. I mean, I think the best way to characterize the relationship and where they've helped is, um, Arvin, Arvin will say, IBM can be opinionated on red hat, but not the other way around <laugh>. So, so what that, what that means is they had a lot of, they had, they had a container based Linux platform. Yeah, right, right. They, they had all their, they were their way of moving to the cloud was that when we came in, they actually stopped that. And they standardized on OpenShift across all of their products. We're now the vehicle that brings the blue software products to the hybrid cloud. We are that vehicle that does it. So I think that's, that's how, that's how they, they look about it. I mean, I know, I mean in IBM consulting, I know, I know they have a great relationship with Microsoft of course. >>Right. And so, so that's, that's how to really look at it. They they're opinionated on us where we not the other way around, but that, but they're a great partner. And even if we're at two separate companies, we'd do be doing all the same things we're doing with them. Now, what they do do for us can do for us is they open a lot of doors in many cases. I mean, IBM's been around for over a hundred years. So in many cases, they're in, in, in the C-suite, we, we may be in the C suite, but we may be one layer down, one, two layers down or something. They, they can, they help us get access. And I think that's been a, a part of the growth as well as is them talking into their, into, into their >>Constituents. Their consulting's one of the FA if not the fastest growing part of their business. So that's kind of the tip of the spear for application modernization, but enough on IBM you said something in your keynote. That was really interesting to me. You said, you, you, you didn't use the word hardware Renaissance, but that my interpretation was you're expecting the next, you know, several years to be a hardware Renaissance. We, we certainly have done relationships with arm. You mentioned Nvidia and Intel. Of course, you've had relationships with Intel for a long time. And we're seeing just the spate of new hardware developments, you know, does hardware matter? I'll ask you, >>Oh, oh, I mean the edge, as I said, you're gonna see hardware innovation out in the edge, software innovation as well. You know, the interesting part about the edge is that, you know, obviously remade red hat. What we did with REL was we did a lot of engineering work to make every hardware architecture when, when it was, when, when the world was just standalone servers, we made every hardware architecture just work out of the box. Right? And we did that in such, because with an open source development model. So embedded in our psyche, in our development processes is working upstream, bringing it downstream 10 years, support all of that kind of thing. So we lit up all that hardware. Now we go out to the edge, it's a whole new, different set of hardware innovation out at the edge. We know how to do that. >>We know how to, we know how to make hardware, innovation safe for the customer. And so we're bringing full circle and you have containers embedded in, in Linux and REL right now as well. So we're actually with the edge, bringing it all full circle back to what we've been doing for 20 plus years. Um, on, on the hardware side, even as a big part of the world, goes to containers and hybrid in, in multi-cloud. So that's why we're so excited about, about, about the edge, you know, opportunity here. That's, that's a big part of where hybrid's going. >>And when you guys talk about edge, I mean, I, I know a lot of companies will talk about edge in the context of your retail location. Okay. That's fine. That's cool. That's edge or telco that that's edge. But when you talk about, um, an in vehicle operating system, right. You know, that's to me the far edge, and that's where it gets really interesting, massive volumes, different architectures, both hardware and software. And a lot of the data may stay. Maybe it doesn't even get persisted. May maybe some comes back to the club, but that's a new >>Ballgame. Well, think about it, right? I mean, you, if you listen, I think you, right. My talk this morning, how many changes are made in the Linux kernel? Right? You're running in a car now, right? From a safety perspective. You wanna update that? I mean, look, Francis talked about it. You'll talk to Francis later as well. I mean, you know, how many, how many in, in your iPhone world Francis talked about this this morning, you know, they can, they can bring you a whole new world with software updates, the same in the car, but you have to do it in such a way that you still stay with the safety protocols. You're able to back things out, things like that. So it's open source, but getting raw upstream, open source and managing itself yourself, I just, I'm sorry. It takes a lot of experience to be able to be able to do those kinds of things. So it's secure, that's insecure. And that's what that's, what's exciting about it. You look at E the telco world look where the telco world came from in the telco world. It was a hardware stack from the hardware firmware operating system, every service, whether it was 9 1, 1 or 4, 1, 1 was its own stack. Yep. In the 4g, 3g, >>4g >>Virtualized. Now, now it's all software. Yeah. Now it's all software all the way out to the cell tower. So now, so, so now you see vendors out there, right? As an application, as a container based application, running out, running in the base of a cell tower, >>Cell tower is gonna be a little mini data >>Center. Yeah, exactly. Because we're in our time here asking quickly, because you've been at red hat a long time. You, you, you, uh, architected a lot of the reason they're successful is, is your responsibility. A lot of companies have tried to duplicate the red hat model, the, the service and support model. Nobody has succeeded. Do you think anybody ever will or will red hat continue to be a unicorn in that respect? >>No, I, I, I think, I think it will. I think open source is making it into all different parts of technology. Now I have to tell you the, the reason why we were able to do it is we stayed. We stayed true to our roots. We made a decision a long time ago that we weren't gonna put a line, say everything below the line was open and above the line was closed. Sometimes it's hard sometimes to get a differentiation with the competition, it can be hard, but we've stayed true to that. And I, to this day, I think that's the thing that's made us is never a confusion on if it's open or not. So that forces us to build our business models around that as well. But >>Do you have a differentiated strategy? Talk about that. What's your what's your differentiation >>Are, are, well, I mean, with the cloud, a differentiation is that common cloud platform across I differentiate strategy from an open source perspective is to, to sort make open source consumable. And, and it's even more important now because as Linux Linux is the base of everything, there's not enough skills out there. So even, even a container platform like open source op like OpenShift, could you build your own? Certainly. Could you keep it updated? Could you keep it updated without breaking all the applications on top? Do you have an ecosystem around it? It's all of those things. It was, it was the support, the, the, the hardening the 10 year to predictability the ecosystem. That was, that was, that is the secret. I mean, we even put the secret out as open. >>Yeah, <laugh> right. Free, like a puppy, as they say. All right, Paul, thanks so much for coming back in the cubes. Great to see you face to face. Nice to see you guys get it. All right. Keep it right there. Dave Valante for Paul Gill, you're watching the cubes coverage of red hat summit, 2022 from Boston. Be right back.

>>Welcome to this cube conversation. I'm Dave Nicholson and we're having this conversation in advance of cube con cloud native con north America, 2021. Uh, we are going to be talking specifically about a subject near and dear to my heart, and that is security. We have a very special guest from red hat, the security lead from the office of the CTO. New kinds. Welcome. Welcome to the cube Luke. >>Oh, it's great to be here. Thank you, David. Really looking forward to this conversation. >>So you have a session, uh, at a CubeCon slash cloud native con this year. And, uh, frankly, I look at the title and based on everything that's going on in the world today, I'm going to accuse you of clickbait because the title of your session is a secure supply chain vision. Sure. What other than supply chain has is in the news today, all of these things going on, but you're talking about the software supply chain. Aren't you tell, tell us about, tell us about this vision, where it came from Phyllis in. >>Yes, very much. So I do agree. It is a bit of a buzzword at the moment, and there is a lot of attention. It is the hot topic, secure supply chains, thanks to things such as the executive order. And we're starting to see an increase in attacks as well. So there's a recent statistic came out that was 620%. I believe increase since last year of supply chain attacks involving the open source ecosystem. So things are certainly ramping up. And so there is a bit of clickbait. You got me there. And um, so supply chains, um, so it's predominantly let's consider what is a supply chain. Okay. And we'll, we'll do this within the context of cloud native technology. Okay. Cause there's many supply chains, you know, many, many different software supply chains. But if we look at a cloud native one predominantly it's a mix of people and machines. >>Okay. So you'll have your developers, uh, they will then write code. They will change code and they'll typically use our, a code revision control system, like get, okay, so they'll make their changes there. Then push those changes up to some sort of repository, typically a get Harbor or get level, something like that. Then another human will then engage and they will review the code. So somebody that's perhaps a maintain will look at the code and they'll improve that a code. And then at the same time, the machine start to get involved. So you have your build servers that run tests and integration tests and they check the code is linted correctly. Okay. And then you have this sort of chain of events that start to happen. These machines, these various actors that start to play their parts in the chain. Okay. So your build system might generate a container image is a very common thing within a cloud native supply chain. >>Okay. And then that image is typically deployed to production or it's hosted on a registry, a container registry, and then somebody else might utilize that container image because it has software that you've packaged within that container. Okay. And then this sort of prolific expansion of use of coasts where people start to rely on other software projects for their own dependencies within their code. Okay. And you've got this kind of a big spaghetti of actors that are dependent on each other and feed him from each other. Okay. And then eventually that is deployed into production. Okay. So these machines are a lot of them non open source code. Okay. Even if there is a commercial vendor that manages that as a service, it's all based on predominantly open source code. Okay. And the security aspects with the supply chain is there's many junctures where you can exploit that supply chain. >>So you can exploit the human, or you could be a net ferrous human in the first place you could steal somebody's identity. Okay. And then there's the build systems themselves where they generate these artifacts and they run jobs. Okay. And then there are the production system, which pulls these down. Okay. And then there's the element of which we touched upon around libraries and dependencies. So if you look at a lot of projects, they will have approximately around a hundred, perhaps 500 dependencies that they all pull in from. Okay. So then you have the supply chains within each one of those, they've got their own set of humans and machines. And so it's a very large spaghetti beast of, of, of sort of dependence and actors and various identities that make up. >>Yeah. You're, you're describing a nightmarish, uh, scenario here. So, uh, so, so I definitely appreciate the setup there. It's a chain of custody nightmare. Yeah. >>Yes. Yeah. But it's also a wonderful thing because it's allowed us to develop in the paradigms that we have now very fast, you know, you can, you can, you can prototype and design and build and ship very fast, thanks to these tools. So they're wonderful. It's not to say that they're, you know, that there is a gift there, but security has arguably been left as a bit of an afterthought essentially. Okay. So security is always trying to it's at the back of the race. It's always trying to catch up with you. See what I mean? So >>Well, so is there a specific reason why this is particularly timely? Um, in, you know, when we, when we talk about deployment of cloud native applications, uh, something like 75% of what we think of is it is still on premesis, but definitely moving in the direction of what we loosely call cloud. Um, is why is this particularly timely? >>I think really because of the rampant adoption that we see. So, I mean, as you rightly say, a lot of, uh, it companies are still running on a, sort of a, more of a legacy model okay. Where deployments are more monolithic and statics. I mean, we've both been around for a while when we started, you would, you know, somebody would rack a server, they plug a network cable and you'd spend a week deploying the app, getting it to run, and then you'd walk away and leave it to a degree. Whereas now obviously that's really been turned on its head. So there is a, an element of not everybody has adopted this new paradigm that we have in development, but it is increasing, there is rapid adoption here. And, and many that aren't many that rather haven't made that change yet to, to migrate to a sort of a cloud type infrastructure. >>They certainly intend to, well, they certainly wished to, I mean, there's challenges there in itself, but it, I would say it's a safe bet to say that the prolific use of cloud technologies is certainly increasing as we see in all the time. So that also means the attack vectors are increasing as we're starting to see different verticals come into this landscape that we have. So it's not just your kind of a sort of web developer that are running some sort of web two.site. We have telcos that are starting to utilize cloud technology with virtual network functions. Uh, we have, um, health banking, FinTech, all of these sort of large verticals are starting to come into cloud and to utilize the cloud infrastructure model that that can save them money, you know, and it can make them, can make their develop more agile and, you know, there's many benefits. So I guess that's the main thing is really, there's a convergence of industries coming into this space, which is starting to increase the security risks as well. Because I mean, the security risks to a telco are a very different group to somebody that's developing a web platform, for example. >>Yeah. Yeah. Now you, you, uh, you mentioned, um, the sort of obvious perspective from the open source perspective, which is that a lot of this code is open source code. Um, and then I also, I assume that it makes a lot of sense for the open source community to attack this problem, because you're talking about so many things in that chain of custody that you described where one individual private enterprise is not likely to be able to come up with something that handles all of it. So, so what's your, what's your vision for how we address this issue? I know I've seen in, um, uh, some of the content that you've produced an allusion to this idea that it's very similar to the concept of a secure HTTP. And, uh, and so, you know, imagine a world where HTTP is not secure at any time. It's something we can't imagine yet. We're living in this parallel world where, where code, which is one of the four CS and cloud security, uh, isn't secure. So what do we do about that? And, and, and as you share that with us, I want to dive in as much as we can on six store explain exactly what that is and, uh, how you came up with this. >>Yes, yes. So, so the HTTP story's incredibly apt for where we are. So around the open source ecosystem. Okay. We are at the HTTP stage. Okay. So a majority of code is pulled in on trusted. I'm not talking about so much here, somebody like a red hat or, or a large sort of distributor that has their own sign-in infrastructure, but more sort of in the, kind of the wide open source ecosystem. Okay. The, um, amount of code that's pulled in on tested is it's the majority. Okay. So, so it is like going to a website, which is HTTP. Okay. And we sort of use this as a vision related to six store and other projects that are operating in this space where what happened effectively was it was very common for sites to run on HTTP. So even the likes of Amazon and some of the e-commerce giants, they used to run on HTTP. >>Okay. And obviously they were some of the first to, to, uh, deploy TLS and to utilize TLS, but many sites got left behind. Okay. Because it was cumbersome to get the TLS certificate. I remember doing this myself, you would have to sort of, you'd have to generate some keys, the certificate signing request, you'd have to work out how to run open SSL. Okay. You would then go to an, uh, a commercial entity and you'd probably have to scan your passport and send it to them. And there'll be this kind of back and forth. Then you'll have to learn how to configure it on your machine. And it was cumbersome. Okay. So a majority just didn't bother. They just, you know, they continue to run their, their websites on protected. What effectively happened was let's encrypt came along. Okay. And they disrupted that whole paradigm okay. >>Where they made it free and easy to generate, procure, and set up TLS certificates. So what happened then was there was a, a very large change that the kind of the zeitgeists changed around TLS and the expectations of TLS. So it became common that most sites would run HTTPS. So that allowed the browsers to sort of ring fence effectively and start to have controls where if you're not running HTTPS, as it stands today, as it is today is kind of socially unacceptable to run a site on HTTP is a bit kind of, if you go to HTTP site, it feels a bit, yeah. You know, it's kind of, am I going to catch a virus here? It's kind of, it's not accepted anymore, you know, and, and it needed that disruptor to make that happen. So we want to kind of replicate that sort of change and movement and perception around software signing where a lot of software and code is, is not signed. And the reason it's not signed is because of the tools. It's the same story. Again, they're incredibly cumbersome to use. And the adoption is very poor as well. >>So SIG stores specifically, where did this, where did this come from? And, uh, and, uh, what's your vision for the future with six? >>Sure. So six door, six doors, a lockdown project. Okay. It started last year, July, 2020 approximately. And, uh, a few people have been looking at secure supply chain. Okay. Around that time, we really started to look at it. So there was various people looking at this. So it's been speaking to people, um, various people at Purdue university in Google and, and other, other sort of people trying to address this space. And I'd had this idea kicking around for quite a while about a transparency log. Okay. Now transparency logs are actually, we're going back to HTTPS again. They're heavily utilized there. Okay. So when somebody signs a HTTPS certificate as a root CA, that's captured in this thing called a transparency log. Okay. And a transparency log is effectively what we call an immutable tamper proof ledger. Okay. So it's, it's kind of like a blockchain, but it's different. >>Okay. And I had this idea of what, if we could leverage this technology okay. For secure supply chain so that we could capture the provenance of code and artifacts and containers, all of these actions, these actors that I described at the beginning in the supply chain, could we utilize that to provide a tamper resistant publicly or DePaul record of the supply chain? Okay. So I worked on a prototype wherever, uh, you know, some, uh, a week or two and got something basic happening. And it was a kind of a typical open source story there. So I wouldn't feel right to take all of the glory here. It was a bit like, kind of, you look at Linux when he created a Linux itself, Linus, Torvalds, he had an idea and he shared it out and then others started to jump in and collaborate. So it's a similar thing. >>I, um, shared it with an engineer from Google's open source security team called Dan Lawrence. Somebody that I know of been prolific in this space as well. And he said, I'd love to contribute to this, you know, so can I work this? And I was like, yeah, sure though, you know, the, the more, the better. And then there was also Santiago professor from Purdue university took an interest. So a small group of people started to work on this technology. So we built this project that's called Rico, and that was effectively the transparency log. So we started to approach projects to see if they would like to, to utilize this technology. Okay. And then we realized there was another problem. Okay. Which was, we now have a storage for signed artifacts. Okay. A signed record, a Providence record, but nobody's signing anything. So how are we going to get people to sign things so that we can then leverage this transparency log to fulfill its purpose of providing a public record? >>So then we had to look at the signing tools. Okay. So that's where we came up with this really sort of clever technology where we've managed to create something called ephemeral keys. Okay. So we're talking about a cryptographic key pair here. Okay. And what we could do we found was that we could utilize other technologies so that somebody wouldn't have to manage the private key and they could generate keys almost point and click. So it was an incredibly simple user experience. So then we realized, okay, now we've got an approach for getting people to sign things. And we've also got this immutable, publicly audited for record of people signing code and containers and artifacts. And that was the birth of six store. Then. So six store was created as this umbrella project of all of these different tools that were catering towards adoption of signing. And then being able to provide guarantees and protections by having this transparency log, this sort of blockchain type technology. So that was where we really sort of hit the killer application there. And things started to really lift off. And the adoption started to really gather steam then. >>So where are we now? And where does this go into the future? One of the, one of the wonderful things about the open source community is there's a sense of freedom in the creativity of coming up with a vision and then collaborating with others. Eventually you run headlong into expectations. So look, is this going to be available for purchase in Q1? What's the, >>Yeah, I, I will, uh, I will fill you in there. Okay. So, so with six door there's, um, there's several different models that are at play. Okay. I'll give you the, the two predominant ones. So one, we plan, we plan to run a public service. Okay. So this will be under the Linux foundation and it'll be very similar to let's encrypt. So you as a developer, if you want to sign your container, okay. And you want to use six door tooling that will be available to you. There'll be non-profit three to use. There's no specialties for anybody. It's, it's there for everybody to use. Okay. And that's to get everybody doing the right thing in signing things. Okay. The, the other model for six stories, this can be run behind a firewall as well. So an enterprise can stand up their own six store infrastructure. >>Okay. So the transparency log or code signing certificates, system, client tools, and then they can sign their own artifacts and secure, better materials, all of these sorts of things and have their own tamper-proof record of everything that's happened. So that if anything, untoward happens such as a key compromise or somebody's identity stolen, then you've got a credible source of truth because you've got that immutable record then. So we're seeing, um, adoption around both models. We've seen a lot of open source projects starting to utilize six store. So predominantly key, um, Kubernetes is a key one to mention here they are now using six store to sign and verify their release images. Okay. And, uh, there's many other open-source projects that are looking to leverage this as well. Okay. And then at the same time, various people are starting to consider six door as being a, sort of an enterprise signing solution. So within red hat, our expectations are that we're going to leverage this in open shift. So open shift customers who wish to sign their images. Okay. Uh, they want to sign their conflicts that they're using to deploy within Kubernetes and OpenShift. Rather they can start to leverage this technology as open shift customers. So we're looking to help the open source ecosystem here and also dog food, this, and make it available and useful to our own customers at red hat. >>Fantastic. You know, um, I noticed the red hat in the background and, uh, and, uh, you know, I just a little little historical note, um, red hat has been there from the beginning of cloud before, before cloud was cloud before there was anything credible from an enterprise perspective in cloud. Uh, I, I remember in the early two thousands, uh, doing work with tree AWS and, uh, there was a team of red hat folks who would work through the night to do kernel level changes for the, you know, for the Linux that was being used at the time. Uh, and so a lot of, a lot of what you and your collaborators do often falls into the category of, uh, toiling in obscurity, uh, to a certain degree. Uh, we hope to shine light on the amazing work that you're doing. And, um, and I, for one appreciate it, uh, I've uh, I've, I've suffered things like identity theft and, you know, we've all had brushes with experiences where compromise insecurity is not a good thing. So, um, this has been a very interesting conversation. And again, X for the work that you do, uh, do you have any other, do you have any other final thoughts or, or, uh, you know, points that we didn't cover on this subject that come to mind, >>There is something that you touched upon that I'd like to illustrate. Okay. You mentioned that, you know, identity theft and these things, well, the supply chain, this is critical infrastructure. Okay. So I like to think of this as you know, there's, sir, they're serving, you know, they're solving technical challenges and, you know, and the kind of that aspect of software development, but with the supply chain, we rely on these systems. When we wake up each morning, we rely on them to stay in touch with our loved ones. You know, we are our emergency services, our military, our police force, they rely on these supply chains, you know, so I sort of see this as there's a, there's a bigger vision here really in protecting the supply chain is, is for the good of our society, because, you know, a supply chain attack can go very much to the heart of our society. You know, it can, it can be an attack against our democracies. So I, you know, I see this as being something that's, there's a humanistic aspect to this as well. So that really gets me fired up to work on this technology., >>it's really important that we always keep that perspective. This isn't just about folks who will be attending CubeCon and, uh, uh, uh, cloud con uh, this is really something that's relevant to all of us. So, so with that, uh, fantastic conversation, Luke, it's been a pleasure to meet you. Pleasure to talk to you, David. I look forward to, uh, hanging out in person at some point, whatever that gets me. Uh, so with that, uh, we will sign off from this cube conversation in anticipation of cloud con cube con 2021, north America. I'm Dave Nicholson. Thanks for joining us.

>>Hello, and welcome. Very excited to see everybody here. DockerCon is going fantastic. Everybody's uh, engaging in the chat. It's awesome to see. My name is Peter McKee. I'm the head of developer relations here at Docker and Taber. Today. We're going to be talking about container first development now and in the future. But before we do that, a couple little housekeeping items, first of all, yes, we are live. So if you're in our session, you can go ahead and chat, ask us questions. We'd love to get all your questions and answer them. Um, if you come to the main page on the website and you do not see the chat, go ahead and click on the blue button and that'll die. Uh, deep dive you into our session and you can interact with the chat there. Okay. Without further ado, let's just jump right into it. Katie, how are you? Welcome. Do you mind telling everybody who you are and a little bit about yourself? >>Absolutely. Hello everyone. My name is Katie and currently I am the eco-system advocate at cloud native computing foundation or CNCF. My responsibility is to lead and represent the end-user community. So these are all the practitioners within the cloud native space that are vendor neutral. So they use cloud native technologies to build their services, but they don't sell it. So this is quite an important characteristic as well. My responsibility is to make sure to close the gap between these practitioners and the project maintainers, to make sure that there is a feedback loop around. Um, I have many roles within the community. I am on the advisory board for KIPP finishes, a sandbox project. I'm working with open UK to make sure that Elton standards are used fairly across data, hardware, and software. And I have been, uh, affiliated way if you'd asked me to make sure that, um, I'm distributing a cloud native fundamental scores to make cloud and they do a few bigger despite everyone. So looking forward to this panel and checking with everyone. >>Awesome. Yeah. Welcome. Glad to have you here. Johanna's how are you? Can you, uh, tell everybody a little bit about yourself and who you are? Yeah, sure. >>So hi everybody. My name is Johannes I'm one of the co-founders at get pot, which in case you don't know is an open-source and container based development platform, which is probably also the reason why you Peter reached out and invited me here. So pleasure to be here, looking forward to the discussion. Um, yeah, though it is already a bit later in Munich. Um, and actually my girlfriend had a remote cocktail class with her colleagues tonight and it took me some stamina to really say no to all the Moscow mules that were prepared just over there in my living room. Oh wow. >>You're way better than me. Yeah. Well welcome. Thanks for joining us. Jerome. How are you? Good to see you. Can you tell everybody who you are and a little bit about yourself? Hi, >>Sure. Yeah, so I'm, I, I used to work at Docker and some, for me would say I'm a container hipster because I was running containers in production before it for hype. Um, I worked at Docker before it was even called Docker. And then since 2018, I'm now a freelancer and doing training and consulting around Docker containers, Kubernetes, all these things. So I used to help folks do stuff with Docker when I was there and now I still have them with containers more generally speaking. So kind of, uh, how do we say same, same team, different company or something like that? Yeah. >>Yeah. Perfect. Yeah. Good to see you. I'm glad you're on. Uh, Jacob, how are you? Good to see you. Thanks for joining us. Good. Yeah. Thanks for having me tell, tell everybody a little bit about yourself who you are. >>Yeah. So, uh, I'm the creator of a tool called mutagen, which is an open source, uh, development tool for doing high performance file synchronization and, uh, network forwarding, uh, to enable remote development. And so I come from like a physics background where I was sort of always doing, uh, remote developments, you know, whether that was on a big central clusters or just like some sort of local machine that was a bit more powerful. And so I, after I graduated, I built this tool called mutagen, uh, for doing remote development. And then to my surprise, people just started using it to use, uh, with Docker containers. And, uh, that's kind of grown into its primary use case now. So I'm, yeah, I've gotten really involved with the Docker community and, uh, talked with a lot of great people and now I'm one of the Docker captains. So I get to talk with even more and, and join these events and yeah, but I'm, I'm kind of focused on doing remote development. Uh, cause I, you know, I like, I like having all my tools available on my local machine, but I also like being able to pull in a little bit more powerful hardware or uh, you know, maybe a software that I can't run locally. And so, uh, that's sort of my interest in, in Docker container. Yeah. Awesome. >>Awesome. We're going to come back to that for sure. But yeah. Thank you again. I really appreciate you all joining me and yeah. So, um, I've been thinking about container first development for a while and you know, what does that actually mean? So maybe, maybe we can define it in our own little way. So I, I just throw it out to the panel. When you think about container first development, what comes to mind? What w what, what are you kind of thinking about? Don't be shy. Go ahead. Jerome. You're never a loss of words >>To me. Like if I go back to the, kind of the first, uh, you know, training engagements we did back at Docker and kind of helping folks, uh, writing Dockerfiles to stop developing in containers. Um, often we were replacing, um, uh, set up with a bunch of Vagrant boxes and another, like the VMs and combinations of local things. And very often they liked it a lot and they were very soon, they wanted to really like develop in containers, like run this microservice. This piece of code is whatever, like run that in containers because that means they didn't have to maintain that thing on their own machine. So that's like five years ago. That's what it meant to me back then. However, today, if you, if you say, okay, you know, developing in containers, um, I'm thinking of course about things like get bought and, uh, I think it's called PR or something like that. >>Like this theme, maybe that thing with the ESCO, that's going to run in a container. And you, you have this vs code thing running in your browser. Well, obviously not in your browser, but in a container that you control from your browser and, and many other things like that, that I, I think that's what we, where we want to go today. Uh, and that's really interesting, um, from all kinds of perspectives, like Chevy pair pairing when we will not next to each other, but actually thousands of miles away, um, or having this little environment that they can put aside and come back to it later, without it having using resource in my machine. Um, I don't know, having this dev service running somewhere in the cloud without needing something like, it's at the rights that are like the, the possibilities are really endless. >>Yeah. Yeah. Perfect. Yeah. I'm, you know, a little while ago I was, I was torn, right. W do I spin up containers? Do I develop inside of my containers? Right. There's foul sinking issues. Um, you know, that we've been working on at Docker for a while, and Jacob is very, very familiar with those, right? Sometimes it, it becomes hard, but, and I, and I love developing in the cloud, but I also have this screaming, you know, fast machine sitting on my desktop that I think I should take advantage of. So I guess another question is, you know, should we be developing inside of containers? Is that a smart thing to do? Uh, I'd love to hear you guys' thoughts around that. >>You know, I think it's one of those things where it's, you know, for me container first development is really about, um, considering containers as sort of a first class citizen in, in terms of your development toolkit, right. I mean, there's not always that silver bullet, that's like the one thing you should use for everything. You know, you shouldn't, you shouldn't use containers if they're not fitting in or adding value to your workflow, but I think there's a lot of scenarios that are like, you know, super on super early on in the development process. Like as soon as you get the server kind of running and working and, you know, you're able to access it, you know, running on your local system. Uh that's I think that's when the value comes in to it to add containers to, you know, what you're doing or to your project. Right. I mean, for me, they're, um, they're more of a orchestrational tool, right? So if I don't have to have six different browser tabs open with like, you know, an API server running at one tab and a web server running in another tab and a database running in another tab, I can just kind of encapsulate those and, and use them as an automation thing. So I think, you know, even if you have a super powerful computer, I think there's still value in, um, using containers as, as a orchestrational mechanism. Yeah. Yeah, >>For sure. I think, I think one of the, one of my original aha moments with Docker was, oh, I can spin up different versions of a database locally and not have to install it and not have to configure it and everything, but, you know, it just ran inside of a container. And that, that was it. Although it's might seem simple to some people that's very, very powerful. Right. So I think being able to spin things up and containers very quickly is one of the super benefits. But yeah, I think, uh, developing in containers is, is hard right now, right. With, um, you know, and how do you do that? Right. Does anybody have any thoughts around, how do you go about that? Right. Should you use a container as just a development environment, so, you know, creating an image and then running it just with your dev tools in it, or do you just, uh, and maybe with an editor all inside of it, and it's just this process, that's almost like a VM. Um, yeah. So I'll just kick it back to the panel. I'd love to hear your thoughts on, you know, how do you set up and configure, uh, containers to develop in any thoughts around that? >>Maybe one step back again, to answer your question, what kind of container first development mean? I think it doesn't mean, um, by default that it has to be in the cloud, right? As you said, um, there are obvious benefits when it comes to the developer experience of containers, such as, I dunno, consistency, we have standardized tools dependencies for the dev side of things, but it also makes their dev environment more similar to all the pipeline that is somehow happening to the right, right. So CIC D all the way to production, it is security, right? Which also somehow comes with standardization. Um, but vulnerability scanning tools like sneak are doing a great job there. And, um, for us, it gets pod. One of the key reasons why we created get pod was literally creating this peace of mind for deaths. So from a developer's point of view, you do not need to take care anymore about all the hassle around setups and things that you will need to install. >>And locally, based on some outdated, REIT me on three operating systems in your company, everybody has something different and leading to these verbs in my machine situations, um, that really slow professional software developers down. Right. Um, back to your point, I mean, with good pod, we obviously have to package everything together in one container because otherwise, exactly the situation happens that you need to have five browser tabs open. So we try and leverage that. And I think a dev environment is not just the editor, right? So a dev environment includes your source code. It includes like a powerful shell. It includes file systems. It includes essentially all the tools you need in order to be productive databases and so on. And, um, yeah, we believe that should be encapsulated, um, um, in a container. >>Yeah. Awesome. Katie, you talked to a lot of end users, right. And you're talking to a lot of developers. What, what's your thoughts around container first development, right? Or, or what's the community out there screaming or screaming. It might be too to, uh, har you know, to, to two grand of the word. Right. But yeah, I love it. I love to hear what your, your thoughts. >>Absolutely. So I think when you're talking about continuing driven development, uh, the first thing that crosses my mind is the awareness of the infrastructure or the platform you're going to run your application on top of, because usually when you develop your application, you'd like to replicate as much as possible the production or even the staging environment to make sure that when you deploy your application, you have us little inconsistencies as possible, but at the same time, you minimize the risk for something to go wrong as well. So when it talking about the, the community, um, again, when you deploy applications and containers and Kubernetes, you have to use, you have awareness about, and probably apply some of the best practices, like introducing liveliness and readiness probes, to make sure that your application can restart in, in case it actually goes down or there's like a you're starving going CPU or something like that. >>So, uh, I think when it comes to deployment and development of an application, the main thing is to actually improve the end developer experience. I think there has been a lot of focus in the community to develop the tool, to actually give you the right tool to run application and production, but that doesn't necessarily, um, go back to how the end developer is actually enabling that application to run into that production system. So I think there has been, uh, this focus for the community identified now, and it's more, more, um, or trying to build momentum on enhancing the developer experience. And we've seen this going through many, uh, where we think production of many tools did what has been one of them, which actually we can have this portable, um, development environment if you choose so, and you can actually replicate them across different teams in different machines, which is actually quite handy. >>But at the same time, we had tools such as local composts has been a great tool to run locally. We have tool such as carefully, which is absolutely great to automatically dynamically upload any changes to how within your code. So I think all of these kinds of tools, they getting more matured. And again, this is going back to again, we need to enhance our developer experience coming back to what is the right way to do so. Um, I think it really depends on the environment you have in production, because there's going to define some of the structures with the tool and you're going to have internally, but at the same time, um, I'd like to say that, uh, it really depends on, on what trucks are developing. Uh, so it's, it's, I would like to personally, I would like to see a bit more diversification in this area because we might have this competitive solutions that is going to push us to towards a new edge. So this is like, what definitely developer experience. If we're talking about development, that's what we need to enhance. And that's what I see the momentum building at the moment. >>Yeah. Yeah. Awesome. Jerome, I saw you shaking your head there in agreement, or maybe not, but what's your thoughts? >>I was, uh, I was just reacting until 82. Uh, it depends thinking that when I, when I do training, that's probably the answer that I gave the most, uh, each time somebody asks, oh, should we do diesel? And I was also looking at some of the questions in the chat about, Hey, the, should we like have a negatory in the, in the container or something like that. And folks can have pretty strong opinions one way or the other, but as a ways, it kind of depends what we do. It also depends of the team that we're working with. Um, you, you could have teams, you know, with like small teams with folks with lots of experience and they all come with their own Feb tools and editorials and plugins. So you know that like you're gonna have PRI iMacs out of my cold dead hands or something like that. >>So of course, if you give them something else, they're going to be extremely unhappy or sad. On the other hand, you can have team with folks who, um, will be less opinionated on that. And even, I don't know, let's say suddenly you start working on some project with maybe a new programming language, or maybe you're targeting some embedded system or whatever, like something really new and different. And you come up with all the tools, even the ADE, the extensions, et cetera, folks will often be extremely happy in that case that you're kind of giving them a Dettol and an ADE, even if that's not what they usually would, uh, would use, um, because it will come with all of the, the, the nice stage, you know, the compression, the, um, the, the, the bigger, the, whatever, all these things. And I think there is also something interesting to do here with development in containers. >>Like, Hey, you're going to start working on this extremely complex target based on whatever. And this is a container that has everything to get started. Okay. Maybe it's not your favorites editor, but it has all the customization and the conserver and whatever. Um, so you can start working right away. And then maybe later you, we want to, you know, do that from the container in a way, and have your own Emacs, atom, sublime, vs code, et cetera, et cetera. Um, but I think it's great for containers here, as well as they reserve or particularly the opportunity. And I think like the, that, that's one thing where I see stuff like get blood being potentially super interesting. Um, it's hard for me to gauge because I confess I was never a huge ID kind of person had some time that gives me this weird feeling, like when I help someone to book some, some code and you know, that like with their super nice IDE and everything is set up, but they feel kind of lost. >>And then at some point I'm like, okay, let's, let's get VI and grep and let's navigate this code base. And that makes me feel a little bit, you know, as this kind of old code for movies where you have the old, like colorful guy who knows going food, but at the end ends up still being obsolete because, um, it's only a going for movies that whole good for masters and the winning right. In real life, we don't have conformance there's anymore mentioned. So, um, but part of me is like, yeah, I like having my old style of editor, but when, when the modern editorial modern ID comes with everything set up and configured, that's just awesome. That's I, um, it's one thing that I'm not very good at sitting up all these little things, but when somebody does it and I can use it, it's, it's just amazing. >>Yeah. Yeah. I agree. I'm I feel the same way too. Right. I like, I like the way I've I have my environment. I like the tools that I use. I like the way they're set up. And, but it's a big issue, right? If you're switching machines, like you said, if you're helping someone else out there, they're not there, your key bindings aren't there, you can't, you can't navigate their system. Right? Yeah. So I think, you know, talking about, uh, dev environments that, that Docker's coming out with, and we're, you know, there's a lot, there, there's a, it's super complex, all these things we're talking about. And I think we're taking the approach of let's do something, uh, well, first, right. And then we can add on to that. Right. Because I think, you know, setting up full, full developed environments is hard, right. Especially in the, the, um, cloud native world nowadays with microservices, do you run them on a repo? >>Do you not have a monitor repo? Maybe that would be interesting to talk about. I think, um, you know, I always start out with the mono repos, right. And you have all your services in there and maybe you're using one Docker file. And then, because that works fine. Cause everything is JavaScript and node. And then you throw a little Python in there and then you throw a little go and now you start breaking things out and then things get too complex there, you know, and you start pulling everything out into different, get repos and now, right. Not everything just fits into these little buckets. Right. So how do you guys think maybe moving forward, how do we attack that night? How do we attack these? Does separate programming languages and environments and kind of bring them all together. You know, we, we, I hesitate, we solve that with compose around about running, right about executing, uh, running your, your containers. But, uh, developing with containers is different than running containers. Right. It's a, it's a different way to think about it. So anyway, sorry, I'm rattling on a little bit, but yeah. Be interesting to look at a more complex, uh, setup right. Of, uh, of, you know, even just 10 microservices that are in different get repos and different languages. Right. Just some thoughts. And, um, I'm not sure we all have this flushed out yet, but I'd love to hear your, your, you guys' thoughts around that. >>Jacob, you, you, you, you look like you're getting ready to jump there. >>I didn't wanna interrupt, but, uh, I mean, I think for me the issue isn't even really like the language boundary or, or, um, you know, a sub repo boundary. I think it's really about, you know, the infrastructure, right? Because you have, you're moving to an era where you have these cloud services, which, you know, some of them like S3, you can, you can mock up locally, uh, or run something locally in a container. But at some point you're going to have like, you know, cloud specific hardware, right? Like you got TPS or something that maybe are forming some critical function in your, in your application. And you just can't really replicate that locally, but you still want to be able to develop against that in some capacity. So, you know, my, my feeling about where it's going to go is you'll end up having parts of your application running locally, but then you also have, uh, you know, containers or some other, uh, element that's sort of cohabitating with, uh, you know, either staging or, or testing or production services that you're, uh, that you're working with. >>So you can actually, um, you know, test against a really or realistic simulation or the actual, uh, surface that you're running against in production. Because I think it's just going to become untenable to keep emulating all of that stuff locally, or to have to like duplicate these, you know, and, you know, I guess you can argue about whether or not it's a good thing that, that everything's moving to these kind of more closed off cloud services, but, you know, the reality of situation is that's where it's going to go. And there's certain hardware that you're going to want in the cloud, especially if you're doing, you know, machine learning oriented stuff that there's just no way you're going to be able to run locally. Right. I mean, if you're, even if you're in a dev team where you have, um, maybe like a central machine where you've got like 10 or 20 GPU's in it, that's not something that you're going to be able to, to, to replicate locally. And so that's how I kind of see that, um, you know, containers easing that boundary between different application components is actually maybe more about co-location, um, or having different parts of your application run in different locations, on different hardware, you know, maybe someone on your laptop, maybe it's someone, you know, AWS or Azure or somewhere. Yeah. It'd be interesting >>To start seeing those boundaries blur right. Working local and working in the cloud. Um, and you might even, you might not even know where something is exactly is running right until you need to, you know, that's when you really care, but yeah. Uh, Johanas, what's your thoughts around that? I mean, I think we've, we've talked previously of, of, um, you know, hybrid kind of environments. Uh, but yeah. What, what's your thoughts around that? >>Um, so essentially, yeah, I think, I mean, we believe that the lines between cloud and local will also potentially blur, and it's actually not really about that distinction. It's just packaging your dev environment in a way and provisioning your dev environment in a way that you are what we call always ready to coat. So that literally, um, you, you have that for the, you described as, um, peace of mind that you can just start to be creative and start to be productive. And if that is a container potentially running locally and containers are at the moment. I think, you know, the vehicle that we use, um, two weeks ago, or one week ago actually stack blitz announced the web containers. So potentially some things, well, it's run in the browser at some point, but currently, you know, Docker, um, is the standard that enables you to do that. And what we think will happen is that these cloud-based or local, um, dev environments will be what we call a femoral. So it will be similar to CIS, um, that we are using right now. And it doesn't literally matter, um, where they are running at the end. It's just, um, to reduce friction as much as possible and decrease and yeah, yeah. Essentially, um, avoid or the hustle that is currently involved in setting up and also managing dev environments, um, going forward, which really slows down specifically larger teams. >>Yeah. Yeah. Um, I'm going to shift gears a little bit here. We have a question from the audience in chat, uh, and it's, I think it's a little bit two parts, but so far as I can see container first, uh, development, have the challenges of where to get safe images. Um, and I was going to answer it, but let me keep it, let me keep going, where to get safe images and instrumentation, um, and knowing where exactly the problem is happening, how do we provide instrument instrumentation to see exactly where a problem might be happening and why? So I think the gist of it is kind of, of everything is in a container and I'm sitting outside, you know, the general thought around containers is isolation, right. Um, so how do I get views into that? Um, whether debugging or, or, or just general problems going on. I think that's maybe a broader question around the, how you, you know, you have your local hosts and then you're running everything containers, and what's the interplay there. W what's your thoughts there? >>I tend to think that containers are underused interactively. I mean, I think in production, you have this mindset that there's sort of this isolated environment, but it's very, actually simple to drop into a shell inside of a container and use it like you would, you know, your terminal. Um, so if you want to install software that way, you know, through, through an image rather than through like Homebrew or something, uh, you can kind of treat containers in that way and you can get a very, um, you know, direct access to the, to the space in which those are running in. So I think, I think that's maybe the step one is just like getting rid of that mindset, that, that these are all, um, you know, these completely encapsulated environments that you can't interact with because it's actually quite easy to just Docker exec into a container and then use it interactively >>Yeah. A hundred percent. And maybe I'll pass, I'm going to pass this question. You drone, but maybe demystify containers a little bit when I talked about this on the last, uh, panel, um, because we have a question in the, in the chat around, what's the, you know, why, why containers now I have VMs, right? And I think there's a misunderstanding in the industry, uh, about what, what containers are, we think they're fair, packaged stuff. And I think Jacob was hitting on that of what's underneath the hood. So maybe drown, sorry, for a long way to set up a question of what, what, what makes up a container, what is a container >>Is a container? Well, I, I think, um, the sharpest and most accurate and most articulate definition, I was from Alice gold first, and I will probably misquote her, but she said something like containers are a bunch of capsulated processes, maybe running on a cookie on welfare system. I'm not sure about the exact definition, but I'm going to try and, uh, reconstitute that like containers are just processes that run on a Unix machine. And we just happen to put a bunch of, um, red tape or whatever around them so that they are kind of contained. Um, but then the beauty of it is that we can contend them as much, or as little as we want. We can go kind of only in and put some actual VM or something like firecracker around that to give some pretty strong angulation, uh, all we can also kind of decontam theorize some aspects, you know, you can have a container that's actually using the, um, the, um, the network namespace of the host. >>So that gives it an entire, you know, wire speed access to the, to the network of the host. Um, and so to me, that's what really interesting, of course there is all the thing about, oh, containers are lightweight and I can pack more of them and they start fast and the images can be small, yada yada, yada. But to me, um, with my background in infrastructure and building resilient, things like that, but I find really exciting is the ability to, you know, put the slider wherever I need it. Um, the, the, the ability to have these very light containers, all very heavily, very secure, very anything, and even the ability to have containers in containers. Uh, even if that sounds a little bit, a little bit gimmicky at first, like, oh, you know, like you, you did the Mimi, like, oh, I heard you like container. >>So I put Docker when you're on Docker. So you can run container for you, run containers. Um, but that's actually extremely convenient because, um, as soon as you stop building, especially something infrastructure related. So you challenge is how do you test that? Like, when we were doing.cloud, we're like, okay, uh, how do we provision? Um, you know, we've been, if you're Amazon, how do you provision the staging for us installed? How do you provision the whole region, Jen, which is actually staging? It kind of makes things complicated. And the fact that we have that we can have containers within containers. Uh, that's actually pretty powerful. Um, we're also moving to things where we have secure containers in containers now. So that's super interesting, like stuff like a SIS box, for instance. Um, when I saw that, that was really excited because, uh, one of the horrible things I did back in the days as Docker was privileged containers, precisely because we wanted to have Docker in Docker. >>And that was kind of opening Pandora's box. That's the right, uh, with the four, because privileged containers can do literally anything. They can completely wreck up the machine. Um, and so, but at the same time, they give you the ability to run VPNs and run Docker in Docker and all these cool things. You can run VM in containers, and then you can list things. So, um, but so when I saw that you could actually have kind of secure containers within containers, like, okay, there is something really powerful and interesting there. And I think for folks, well, precisely when you want to do development in containers, especially when you move that to the cloud, that kind of stuff becomes a really important and interesting because it's one thing to have my little dev thing on my local machine. It's another thing when I want to move that to a swarm or Kubernetes cluster, and then suddenly even like very quickly, I hit the wall, which is, oh, I need to have containers in my containers. Um, and then having a runtime, like that gets really intense. >>Interesting. Yeah, yeah, yeah. And I, and jumping back a bit, um, yeah, uh, like you said, drum at the, at the base of it, it containers just a, a process with, with some, uh, Abra, pardon me, operating constructs wrapped around it and see groups, namespaces those types of things. But I think it's very important to, for our discussion right. Of, uh, developers really understanding that, that this is just the process, just like a normal process when I spin up my local bash in my term. Uh, and I'm just interacting with that. And a lot of the things we talk about are more for production runtimes for securing containers for isolating them locally. I don't, I don't know. I'll throw the question out to the panel. Is that really relevant to us locally? Right. Do we want to pull out all of those restrictions? What are the benefits of containers for development, right. And maybe that's a soft question, but I'd still love to hear your thoughts. Maybe I'll kick it over to you, Katie, would you, would you kick us off a little bit with that? >>I'll try. Um, so I think when, again, I was actually thinking of the previous answers because maybe, maybe I could do a transition here. So, interesting, interesting about containers, a piece of trivia, um, the secrets and namespaces have been within the Linux kernel since 2008, I think, which just like more than 10 years ago, hover containers become popular in the last years. So I think it's, it's the technology, but it's about the organization adopting this technology. So I think why it got more popular now is because it became the business differentiator organizations started to think, how can I deliver value to my customers as quickly as possible? So I think that there should be this kind of two lane, um, kind of progress is the technology, but it's at the same time organization and cultural now are actually essential for us to develop, uh, our applications locally. >>Again, I think when it's a single application, if you have just one component, maybe it's easier for you to kind of run it locally, have a very simple testing environment. Sufficient is a container necessary, probably not. However, I think it's more important when you're thinking to the bigger picture. When we have an architecture that has myriads of microservices at the basis, when it's something that you have to expose, for example, an API, or you have to consume an API, these are kind of things where you might need to think about a lightweight set up within the containers, only local environment to make sure that you have at least a similar, um, environment or a configuration to make sure that you test some of the expected behavior. Um, I think the, the real kind of test you start from the, the dev cluster will like the dev environment. >>And then like for, for you to go to staging and production, you will get more clear into what exactly that, um, um, configuration should be in the end. However, at the same time, again, it's, it's more about, um, kind of understanding why you continue to see this, the thing, like, I don't say that you definitely need containers at all times, but there are situations when you have like, again, multiple services and you need to replicate them. It's just the place to, to, to work with these kind of, um, setups. So, um, yeah, really depends on what you're trying to develop here. Nothing very specific, unfortunately, but get your product and your requirements are going to define what you're going to work with. >>Yeah, no, I think that's a great answer, right. I think one of the best answers in, in software engineering and engineering in general as well, it depends. Right. It's things are very specific when we start getting down to the details, but yeah, generally speaking, you know, um, I think containers are good for development, but yeah, it depends, right. It really depends. Is it helping you then? Great. If it's hindering you then, okay. Maybe think what's, what's the hindrance, right. And are containers the right solution. I agree. 110% and, >>And everything. I would like absurd this too as well. When we, again, we're talking about the development team and now we have this culture where we have the platform and infrastructure team, and then you have your engineering team separately, especially when the regulations are going to be segregated. So, um, it's quite important to understand that there might be a, uh, a level of up-skilling required. So pushing for someone to use containers, because this is the right way for you to develop your application might be not, uh, might not be the most efficient way to actually develop a product because you need to spend some time to make sure that the, the engineering team has the skills to do so. So I think it's, it's, again, going back to my answers here is like, truly be aware of how you're trying to develop how you actually collaborate and having that awareness of your platform can be quite helpful in developing your, uh, your publication, the more importantly, having less, um, maybe blockers pushing it to a production system. >>Yeah, yeah. A hundred percent. Yeah. The, uh, the cultural issue is, is, um, within the organization, right. Is a very interesting thing. And it, and I would submit that it's very hard from top down, right. Pushing down tools and processes down to the dev team, man, we'll just, we'll just rebel. It usually comes from the bottom up. Right. What's working for us, we're going to do right. And whether we do it in the shadows and don't let it know, or, or we've conformed, right. Yeah. A hundred percent. Um, interesting. I would like to think a little bit in the future, right? Like, let's say, I don't know, two, three years from now, if, if y'all could wave a and I'm from Texas. So I say y'all, uh, if you all could wave a magic wand, what, what, what would that bring about right. What, what would, what would be the best scenario? And, and we just don't have to say containers. Right. But, you know, what's the best development environment and I'm going to kick it over to you, Jacob. Cause I think you hinted at some of that with some hybrid type of stuff, but, uh, yeah. Implies, they need to keep you awake. You're, you're, you're, uh, almost on the other side of the world for me, but yeah, please. >>Um, I think, you know, it's, it's interesting because you have this technology that you've been, that's been brought from production, so it's not, um, necessarily like the right or the normal basis for development. So I think there's going to be some sort of realignment or renormalization in terms of, uh, you know, what the, what the basis and the abstractions that we're using on a daily basis are right. Like images and containers as they exist now are really designed for, um, for production use cases. And, and in terms of like, even even the ergonomics of opening a shell inside a container, I think is something that's, um, you know, not as polished or not as smooth as it could be because they've come from production. And so I think it's important, like not to, not to have people look at, look at the technology as it exists now and say like, okay, this is slightly rough around the edges, or it wasn't designed for this use case and think, oh, there's, you know, there's never any way I could use this for, for my development of workflows. >>I think it's, you know, it's something Docker's exploring now with, uh, with the, uh, dev containers, you know, it's, it's a new, and it's an experimental paradigm and it may not be what the final picture looks like. As, you know, you were saying, there's going to be kind of a baseline and you'll add features to that or iterate on that. Um, but I think that's, what's interesting about it, right? Cause it's, there's not a lot of things as developers that you get to play with that, um, that are sort of the new technology. Like if you're talking about things you're building to ship, you want to kind of use tried and true components that, you know, are gonna, that are going to be reliable. But I think containers are that interesting point where it's like, this is an established technology, but it's also being used in a way now that's completely different than what it was designed for. And, and, you know, as hackers, I think that's kind of an interesting opportunity to play with it, but I think, I think that's, what's going to happen is you're just going to see kind of those production, um, designed, uh, knobs kind of sanded down or redesigned for, for development. So that's kind of where I see it going. >>Yeah. Yeah. And I think that's what I was trying to hint out earlier is like, um, yeah, just because all these things are there, does it actually mean we need them locally? Right. Do they make sense? I, I agree. A hundred percent, uh, anybody else drawn? What are your thoughts around that? And then, and then, uh, I'll probably just ask all of you. I'd love to hear each of your thoughts of the future. >>I had a thought was maybe unrelated, but I was kind of wondering if we would see something on the side of like energy efficiency in some way. Um, and maybe it's just because I've been thinking a lot about like climate change and things like that recently, and trying to reduce like the, uh, the energy use energy use and things like that. Perhaps it's also because I recently got a new laptop, which on paper is super awesome, but in practice, as soon as you try to have like two slack tabs and a zoom call, you know, it's super fast, both for 30 seconds. And after 30 seconds, it blows its thermal budget and it's like slows down to a crawl. And I started to think, Hmm, maybe, you know, like before we, we, we were thinking about, okay, I don't have that much CPU available. So you have to be kind of mindful about that. >>And now I wonder how are we going to get in something similar to that, but where you try to save CPU cycles, not just because you don't have that many CPU cycles, but more because you know, that you can't go super fast for super long when you are on one of these like small laptops or tablets or phones, like you have this demo budget to take into account. And, um, I wonder if, and how like, is there something where goaltenders can do some things here? I guess it can be really interesting if they can do some the equivalent of like Docker top and Docker stats. And if I could see, like how much what's are these containers using, I can already do that with power top on Linux, for instance, like process by process. So I'm thinking I could see what's the power usage of, of some containers. Um, and I wonder if down the line, is this going to be something useful or is this just silly because we can just masquerade CPU usage for, for Watson and forget about it. >>Yeah. Yeah. It was super, super interesting, uh, perspective for sure. I'm going to shut up because I want to, I want to give, make sure I give Johannes and Katie time. W w what are your thoughts of the future around, let's just say, you know, container development in general, right? You want, you want to start absolutely. Oh, honest, Nate. Johns wants more time. I say, I'll try not to. Beneficiate >>Expensive here, but, um, so one of the things that we've we've touched upon earlier in the panel was multicloud strategy. And I was reading one of the data reports from it was about the concept of Kubernetes from gamer Townsville. But what is working for you to see there is that more and more organizations are thinking about multicloud strategy, which means that you need to develop an application or need an infrastructure or a component, which will allow you to run this application bead on a public cloud bead, like locally in a data center and so forth. And here, when it comes to this kind of, uh, maybe problems we come across open standards, this is where we require something, which will allow us to execute our application or to run our platform in different environments. So when you're thinking about the application or development of the application, one of the things that, um, came out in 2019 at was the Oakland. >>Um, I wish it was Kybella, which is a, um, um, an open application model based application, which allows you to describe the way you would like your service to be executed in different environments. It doesn't need to be well developed specifically for communities. However, the open application model is specialized. So specialized tries to cover multiple platforms. You will be able to execute your application anywhere you want it to. So I think that that's actually quite important because it completely obstructs what is happening underneath it, completely obstructs notions, such as containers, uh, or processes is just, I want this application and I want to have this kind of behavior is so example of, to scale in this conditions or to, um, to be exposed for these, uh, end points and so forth. And everything that I would like to mention here is that maybe this transcends again, the, uh, the logistics of the application development, but it definitely will impact the way we run our applications. >>So one of the biggest, well, one of the new trends that is kind of gaining momentum now has been around Plaza. And this is again, something which is trying to present what we have the on containers. Again, it's focusing on the, it's kind of a cyclical, um, uh, action movement that we have here. When we moved from the VMs to containers, it was smaller footprint. We want like better execution, one, this agnosticism of the platforms. We have the same thing happening here with Watson, but again, it consents a new, um, uh, kind of, well, it teaches in you, uh, in new climax here, where again, we shrink the footprint of the cluster. We have a better isolation of all the services. We have a better trend, like portability of how services and so forth. So there is a great potential out there. And again, like why I'm saying this is some of these technologies are gonna define the way we're gonna do our development of the application on our local environment. >>That's why it's important to kind of maybe have an eye there and maybe see if some of those principles of some of those technologies we can bring internally as well. And just this, like a, a final thought here, um, security has been mentioned as well. Um, I think it's something which has been, uh, at the forefront, especially when it comes to containers, uh, especially when it comes to enterprise organizations and those who are regulated, which I feel come very comfortable to run their application within a VM where you have the full isolation, you can do what we have complete control of what's happening inside that compute. So, um, again, security has been at the forefront at the moment. So I know it has mentioned in the panel before. I'd like to mention that we have the security white paper, which has been published. We have the software supply chain, white paper as well, which twice to figure out or define some of these good practices as well, again, which you can already apply from your development environment and then propagate them to production. So I'm just going to leave, uh, all of these. That's all. >>That's awesome. And yeah, well, while is very, very interesting. I saw the other day that, um, and I forget who it was, maybe, maybe all can remember, um, you know, running, running the node, um, engine inside of, you know, in Walzem inside of a browser. Right. And, uh, at first glance I said, well, we already have a JavaScript execution engine. Right. And it's kind of like Docker and Docker. So you have, uh, you know, you have the browser, then, then you have blossom and then you have a node, you know, a JavaScript runtime. And, and I didn't understand was while I was, um, you know, actually executing is JavaScript and it's not, but yeah, it's super interesting, super powerful. I always felt that the browser was, uh, Java's what write once run anywhere kind of solution, right. That never came about, they were thinking of set top, uh, TV boxes and stuff like that, which is interesting. >>I don't know, you'll some of the history of Java, but yeah. Wasm is, is very, I'm not sure how to correctly pronounce it, but yeah, it's extremely interesting because of the isolation in that boxing. Right. And running powerful languages that were used to inside of a more isolated environment. Right. And it's almost, um, yeah, it's kind of, I think I've mentioned it before that the containers inside of containers, right. Um, yeah. So Johannes, hopefully I gave you enough time. I delayed, I delayed as much as I can. My friend, you better, you better just kidding. I'm just kidding, please, please. >>It was by the way, stack let's and they worked together with Google and with Russell, um, developing the web containers, it's called there's, it's quite interesting. The research they're doing there. Yeah. Yeah. I mean, what we believe and I, I also believe is that, um, yeah, probably somebody is doing to death environments, what Docker did to servers and at least that good part. We hope that somebody will be us. Um, so what we mean by that is that, um, we think today we are still somehow emotionally attached to our dev environments. Right. We give them names, we massage them over time, which can also have its benefits, but it's, they're still pets in some way. Right. And, um, we believe that, um, environments in the future, um, will be treated similar like servers today as automated resources that you can just spin up and close down whenever you need them. >>Right. And, um, this trend essentially that you also see in serverless, if you look at what kind of Netlify is doing a bit with preview environments, what were sellers doing? Um, there, um, we believe will also arrive at, um, at Steph environments. It probably won't be there tomorrow. So it will take some time because if there's also, you know, emotion involved into, in that, in that transition, but ultimately really believe that, um, provisioning dev environments also in the cloud allows you to leverage the power of the cloud and to essentially build all that stuff that you need in order to work in advance. Right? So that's literally either command or a button. So either, I don't know, a command that spins up your local views code and SSH into, into a container, or you do it in a browser, um, will be the way that professional development teams will develop in the future. Probably let's see in our direction of document, we say it's 2000 to 23. Let's see if that holds true. >>Okay. Can we, can, we let's know. Okay. Let's just say let's have a friendly bet. I don't know that's going to be closed now, but, um, yeah, I agree. I, you know, it's my thought around is it, it's hard, right? Th these are hard. And what problems do you tackle first, right? Do you tackle the day, one of, uh, you know, of development, right. I joined a team, Hey, here's your machine? And you have Docker installed and there you go, pull, pull down your environment. Right. Is that necessarily just an image? You know, what, what exactly is that sure. Containers are involved. Right. But that's, I mean, you, you've probably all gone through it. You joined a team, new project, even open-source project, right there. There's a huge hurdle just to get everything configured, to get everything installed, to get it up and running, um, you know, set aside all understanding the code base. >>Cause that's a different issue. Right. But just getting everything running locally and to your point earlier, Jacob of around, uh, recreating, local production cues and environments and, you know, GPS or anything like that, right. Is extremely hard. You can't do a lot of that locally. Right. So I think that's one of the things I'd love to see tackled. And I think that's where we're tackling in dev environments, uh, with Docker, but then now how do you become productive? Right. And where do we go from there? And, uh, and I would love to see this kind of hybrid and you guys have been all been talking about it where I can, yes. I have it configured everything locally on my nice, you know, apple notebook. Right. And then, you know, I go with the family and we go on vacation. I don't want to drag this 16 inch, you know, Mac laptop with me. >>And I want to take my nice iPad with the magic keyboard and all the bang stuff. Right. And I just want to fire up and I pick up where I left off. Right. And I keep coding and environment feels, you know, as much as it can that I'm still working at backup my desktop. I think those, those are very interesting to me. And I think reproducing, uh, the production running runtime environments as close as possible, uh, when I develop my, I think that's extremely powerful, extremely powerful. I think that's one of the hardest things, right. It's it's, uh, you know, we used to say, we, you debug in production. Right. We would launch, right. We would do, uh, as much performance testing as possible. But until you flip that switch on a big, on a big site, that's where you really understand what is going to break. >>Right. Well, awesome. I think we're just about at time. I really, really appreciate everybody joining me. Um, it's been a pleasure talking to all of you. We have to do this again. If I, uh, hopefully, you know, I I'm in here in America and we seem to be doing okay with COVID, but I know around the world, others are not. So my heart goes out to them, but I would love to be able to get out of here and come see all of you and meet you in person, maybe break some bread together. But, um, again, it was a pleasure talking to you all, and I really appreciate you taking the time. Have a good evening. Cool. >>Thanks for having us. Thanks for joining us. Yes.

>> From around the globe, It's theCUBE. With digital coverage of IBM Think 2021, brought to you by IBM. >> Hi, welcome back to theCUBE's coverage of IBM Think 2021 virtual. I'm John Furrier host of the CUBE. We got a great guest here. Brian Bouchard is the co-founder president and CEO of Alacrinet. Brian great to see you remoting in all the way from Puerto Rico to Palo Alto. >> That's right. >> Great to see you. >> Thanks for First of all, thanks John, for having me. I really appreciate the opportunity. >> Yeah, great to see you. Thanks for coming on. First of all, before we get into what you guys do and and how this all ties in to Think. What do you guys do at Alacrinet? Why the name? A it's good you're at the top of the list and alphabetically, but tell us the, the, the the secret behind the name and what you guys do. >> So, first of all Alacrinet is based on the root word alacrity which means a prompt and willing, a prompt a joyous prompt to, excuse me, to achieve a common goal. So we ultimately are a network of individuals with the traits of alacrity. So Alacrinet. So that's our name. >> Great. So what's your relationship with IBM and how you guys have been able to leverage the partnership program in the marketplace? Take us through the relationship. >> So, well, first of all Alacrinet is a platinum IBM business partner and it was awarded recently the 2020 IBM North American partner of the year award. And we were selected amongst 1600 other business partners across North America. We've been actually a consulting, an IT consulting company for almost 20 years now. And we were founded in 2002 in Palo Alto and we have focused specifically on cyber security since 2013. And then as part, go ahead. >> What are some of the things that you guys are working on? Because obviously, you know, the business is hot right now. Everyone's kind of looking at COVID saying we're going to double down on the most critical projects and no time for leisurely activities when it comes to IT. And cloud scale projects, you know mission critical stuff's happening what are you guys working on? >> So we're, we're focused on cybersecurity, our security services really compliment IBM's suite of security solutions and cover the full spectrum from our research and penetration testing, which helps identify vulnerabilities before a breach occurs. And we also have managed security services which helps prevent, detect and remediate attacks in real time. And then finally, we also have a security staffing division and a software resell division, which kind of rounds out the full amount of offerings that we have to provide protection for our clients. >> What are some of the biggest challenges you guys have as a business, and how's IBM helping you address those? >> Well, as you know, John, we all know the importance of cybersecurity in today's world, right? So it's increasing in both demand and importance and it's not expected to wane anytime soon. Cyber attacks are on the rise and there's no there's no expected end in sight to this. And in fact, just this week on 60 minutes, Jay Powell, the chairman of the federal reserve board he noted that cyber attacks were the number one threat to the stability of the US economy. Also this week, a public school in Buffalo New York was hacked with ransomware and the school you know, this, the school district is just contemplating you know, paying the ransom to the hackers. So there's literally thousands of these attacks happening every day, whether it's in local school district or a state government, or an enterprise even if you don't hear about them, they're happening In adding to the complexity that the cyber attackers pose is the complexity of the actual cybersecurity tools themselves. There isn't a single solution provider or a single technology, that can ensure a company's security. Our customers need to work with many different companies and disconnected tools and processes to build an individual strategy that can adequately protect their organizations. >> You know, I love this conversation whenever I talk to practitioners on cybersecurity, you know that first of all, they're super smart, usually cyber punks and they also have some kinds of eclectic backgrounds, but more importantly is that there's different approaches in terms of what you hear. Do you, do you put more if you add more firefighters, so to speak to put out the fires and solve the problems? Or do you spend your time preventing the fires from happening in the first place? You know, and you know, the buildings are burning down don't make fire fire, don't make wood make fire resistance, you know, more of a priority. So there's less fires needing firefighters So it's that balance. You throw more firefighters at the problem or do you make the supply or the material the business fireproof, what's your take on that? >> Yeah, well, it kind of works both ways. I mean, we've seen customers want it. They really want choice. They want to, in some cases they want to be the firefighter. And in some cases they want the firefighter to come in and solve their problems. So, the common problem set that we're seeing with our that our customers encounter is that they struggle one, with too many disparate tools. And then they also have too much data being collected by all these disparate tools. And then they have a lack of talent in their environment to manage their environments. So what we've done at Alacrinet is we've taken our cybersecurity practice and we've really specifically tailored our offerings to address these core challenges. So first, to address the too many disparate tools problem, we've been recommending that our clients look at security platforms like the IBM Cloud Pak for security the IBM Cloud Pak for security is built on a security platform that allows interoperability across various security tools using open standards. So our customers have been responding extremely positively to this approach and look at it as a way to future-proof their investments and begin taking advantage of interoperability with, and, tools integration. >> How about where you see your business going with this because, you know, there's not a shortage of need or demand How are you guys flexing with the market? What's the strategy? Are you going to use technology enablement? You're going to more human driven. Brian, how do you see your business unfolding? >> Well, actually really good. We're doing very well. I mean, obviously we made the, the top the business partner for IBM in 2020. They have some significant growth and a lot of interest. I think we really attack the market in a, in a with a good strategy which was to help defragment the market if you will. There's a lot of point solutions and a lot of point vendors that various, you know, they they spent specialized in one piece of the whole problem. And what we've decided to do is find them the highest priority list, every CSO and CIO has a tick list. So that how that, you know, first thing we need we need a SIM, we need an EDR, we need a managed service. We need, what's the third solution that we're doing? So we, we need some new talent in-house. So we actually have added that as well. So we added a security staffing division to help that piece of it as well. So to give you an idea of the cybersecurity market size it was valued at 150 billion in 2019 and that is expected to grow to 300 billion by 2027. And Alacrinet is well-positioned to consolidate the many fragmented aspects of the security marketplace and offer our customers more integrated and easier to manage solutions. And we will continue to help our customers select the best suite of solutions to address all types of cybersecurity, cybersecurity threats. >> You know, it's it's such a really important point you're making because you know, the tools just have piled up in the tool shed. I call it like that. It's like, it's like you don't even know what's in there anymore. And then you've got to support them. Then the world's changed. You get cloud native, the service areas increasing and then the CSOs are also challenged. Do I, how many CLAWs do I build on? Do I optimize my development teams for AWS or Azure? I mean, now that's kind of a factor. So, you have all this tooling going on they're building their own stuff they're building their own core competency. And yet the CSO still needs to be like maintaining kind of like a relevance list. That's almost like a a stock market for the for the products. You're providing that it sounds like you're providing that kind of service as well, right? >> Yeah, well, we, we distill all of the products that are out there. There's thousands of cybersecurity products out there in the marketplace and we kind of do all that distillation for the customer. We find using, you know, using a combination of things. We use Forrester and Gartner and all the market analysts to shortlist our proposed solutions that we offer customers. But then we also use our experience. And so since 2013, we've been deploying these solutions across organizations and corporations across America and we've, we've gained a large body of experience and we can take that experience and knowledge to our customers and help them, you know, make make some good decisions. So they don't have to, you know, make them go through the pitfalls that many companies do when selecting these types of solutions. >> Well congratulations, you've got a great business and you know, that's just a basic search making things easier for the CSO, more so they can be safe and secure in their environment. It's funny, you know, cyber warfare, you know the private companies have to fight their own battles got to build their own armies. Certainly the government's not helping them. And then they're confused even with how to handle all this stuff. So they need, they need your service. I'm just curious as this continues to unfold and you start to see much more of a holistic view, what's the IBM angle in here? How, why are you such a big partner of theirs? Is it because their customers are working with you they're bringing you into business? Is it because you have an affinity towards some of their products? What's the connection with IBM? >> All of the above. (chuckles) So I think it probably started with our affinity to IBM QRadar product. And we have, we have a lot of expertise in that and that solution. So that's, that's where it started. And then I think IBM's leadership in this space has been remarkable, really. So like what's happening now with the IBM Cloud Pak for security you know, building up a security platform to allow all these point solutions to work together. That's the roadmap we want to put our customers on because we believe that's the that's the future for this, this, this marketplace. >> Yeah. And the vision of hybrid cloud having that underpinning be with Red Hat it's a Linux kernel, model of all things >> Yeah. Super NetEase. >> Locked in >> It's portable, multiple, you can run it on Azure. IBM Cloud, AWS. It's portable. I mean, yeah, all this openness, as you probably know cyber security is really a laggard in the security in the information technology space as far as adopting open standards. And IBM is I think leading that charge and you'll be able to have a force multiplier with the open standards in this space. >> Open innovation with open source is incredible. I mean, if you, if, if if open source can embrace a common platform and build that kind of control plane and openness to allow thriving companies to just build out then you have an entire hybrid distributed architecture. >> Yeah. Well, I think companies want to use the best in breed. So when we, when we show these solutions to customers they want the best in breed. They always say, I don't, when it comes to security they don't want second best. They want the best it's out there because they're securing their crown jewels. So that makes sense. So the problem with, you know having all these different disparate solutions that are all top in their category none of them talk to each other. So we need to address that problem because without that being solved, this is just going to be more it's going to compound the complexity of the problems we solve day to day. >> Awesome. Congratulations, Brian, great story. You know entrepreneur built a great business over the years. I think the product's amazing. I think that's exactly what the market needs and just shows you what the ecosystem is all about. This is the power of the ecosystem. You know, a thousand flowers are blooming. You got a great product. IBM is helping as well. Good partnership, network effects built in and and still a lot more to do. Congratulations. >> Absolutely. >> Okay. >> Thank you very much >> Brian Bouchard >> Made my impression. I appreciate that >> Thanks for coming on theCUBE Appreciate it. I'm John Furrier with IBM thinks 2021 virtual coverage. Thanks for watching. (outro music plays)

>>mhm Yes. Hello and welcome back to the cubes coverage of red hat summit 2021 virtual. I'm john for your host of the cube and cube coverage here with matt Hicks. Executive vice president of products and technologies at red hat cuba lum I've been on many times, knows the engineering side now running all the process of technologies matt. Great to see you. Thanks for coming on remote. I wish we were in real real life in person. I RL but doing it remote again. Thanks for coming on. >>Hey, thanks thanks for having me today. >>Hey, so what a year you know, um, I was just talking to a friend and another interview with the red hat colleagues. Chef on your team in 2019 I interviewed Arvin at IBM right before he bought red hat and you smile on his face and he wasn't even ceo then um, he is such a big fan of cloud native and you guys have been the engine underneath the hood if you will of IBM this transformation huge push now and with Covid and now with the visibility of the post Covid, you're seeing cloud Native at scale with modern applications just highly accelerated across the board In almost every industry, every vertical. This is a very key trend. You guys at the, at the center of it always have been, we've been covering you for many years, interesting time and so now you guys are really got the, got the formula at red hat, take us through the key transit you see on this wave for enterprises and how is red hat taking that, taking that through? >>Yeah, no, absolutely. It has been, it's been a great ride actually. I remember a couple years ago standing on stage with Arvin prior to the acquisition. So it's been uh, it's been a world one but I think if we look at Really would emerge in 2020, we've seen three trends that we hope we're gonna carry through in 2021 just in a better and better year for that. That the first is open hybrid cloud is really how customers are looking to adapt to change. They have to use what they have um assets they have today. On premise, we're seeing a lot of public cloud adoption that blend of being hybrid is just, it is a reality for how customers are having to deliver a edge computing I think is another area I would say uh the trend is really not going to be a fad or a new, you know, great texture. Um the capabilities of computing at the edge, whether that is automotive vehicles, radio access network capabilities to five G. It's pretty astounding at this point. So I think we're gonna see a lot of pushing edge computing for computing, getting closer to users. Uh but then also the choice aspect we're seeing with Ceos, we often talk about technology is choice, but I think the model of how they want to consume technology has been another really strong trend in 2020. Uh We look at this really is being able to deliver a cloud managed services in addition to technology that ceos around themselves. But those, those will probably be the three that stand out to me at least in 2020 we've seen, >>so matt take us through in your minds and red hats, perspective the workloads that are going to be highlighted in this cloud native surge that's happening. We're seeing it everywhere. You mentioned edge industrial edge to consumer Edge to lightweight, edge, massive new workloads. So take us through how you see kind of the existing workloads evolving and potentially new workloads that emerging. >>Yeah. So I think um you know first when you talk about edge workloads a big umbrella but if you look at data driven workloads, especially in the machine learning artificial intelligence spectrum of that, that's really critical. And a reason that those workloads are important is five G. Aside for now when you're running something at the edge you have to also be able to make decisions pretty well at the edge. And that that is that's where your data is being generated and the ability to act on that closely. Whether that's executing machine learning models or being able to do more than that with A I. That's going to be a really really critical workload. Uh huh. Coupled to that, we will see I think five G. Change that because you're going to see more blending in terms of what can you draw back to uh closer to your data center to augment that. So five G will shift how that's built but data driven workloads are going to be huge then I think another area will see is how you propagate that data through environment. Some Kafka has been a really popular technology will actually be launching a service in relation to that. But being able to get that data at the edge and bring it back to locations where you might do more traditional processing, that's going to be another really key space. Um and then we'll still have to be honest, there is still a tremendous amount of work loads out there that just aren't going to get rebuilt. And So being able to figure out how can you make them a little more cloud native? You know, the things your companies have run on for the last 20 years, being able to step them closer to cloud native, I think it's going to be another critical focus because he can't just rewrite them all in one phase and you can't leave them there as well. So being able to bridge shadow B T to >>what's interesting if folks following red hat, No, no, you guys certainly at the tech chops you guys have great product engineering staff been doing this for a long time. I mean the common Lennox platform that even the new generation probably have to leave it load limits on the server anymore. You guys have been doing this hybrid environment in I T for I T Sloan for decades. Okay. In the open, so, you know, it's servers, virtualization, you know, private, public cloud infrastructures and it's been around, we've been covering it in depth as you know, but that's been, that's a history. But as you go from a common Lennox platform into things with kubernetes as new technologies and this new abstraction layers, new control plane concept comes to the table. This need for a fully open platform seems to be a hot trend this year. >>How do you >>describe that? Can you take a minute to explain what this is, this is all about this new abstraction, this new control plane or this open hybrid cloud as you're calling? What is this about? What does it mean? >>Yeah, no, I'll do a little journey that she talked about. Yeah. This has been our approach for almost a decade at this point. And it started, if you look at our approach with Lennox and this was before public clouds use migrants existed. We still with Lennox tried to span bare metal and virtualized environments and then eventually private and public cloud infrastructure as well. And our goal there was you want to be able to invest in something, um, and in our world that's something that's also open as in Lennox but be able to run it anywhere. That's expanded quite a bit. That was good for a class of applications that really got it started. That's expanded now to kubernetes, for example, kubernetes is taking that from single machines to cluster wide deployments and it's really giving you that secure, flexible, fast innovation backbone for cloud native computing. And the balance there is just not for cloud native, we've got to be able to run traditional emerging workloads and our goal is let those things run wherever rail can. So you're really, you're based on open technologies, you can run them wherever you have resources to run. And then I think the third part of this for us is uh, having that choice and ability to run anywhere but not being able to manage. It can lead to chaos or sprawl and so our investments in our management portfolio and this is from insights the redhead advanced cluster management to our cluster security capabilities or answerable. Our focus has been securing, managing and monitoring those environments so you can have a lot of them, you can run where you want, but she just sort of treat it as one thing. So you are our vision, how we've executed up to this point has really been centered around that. I think going forward where you'll see us um really try to focus is, you know, first you heard paul announced earlier that we're donating more than half a billion dollars to open. I would cloud research and part of this reason is uh running services. Cloud native services is changing. And that research element of open source is incredibly powerful. We want to make sure that's continuing but we're also going to evolve our portfolio to support this same drive a couple areas. I would call out, we're launching redhead open shift platform plus and I talked about that combination from rail to open shift to being able to manage it. We're really putting that in one package. So you have the advanced management. So if you have a huge suites of cloud native real estate there, you can manage that. And it also pushes security earlier into the application, build workflows. This is tied to some of our technology is bolstered by the stack rocks acquisition that we did. Being able to bring that in one product offering I think is really key to address security and management side. Uh we've also expanded Redhead insights beyond Rehl to include open shift and answerable and this is really targeted it. How do we make this easier? How do we let customers lean on our expertise? Not just for Lennox as a service, but expand that to all of the things you'll use in a hybrid cloud. And then of course we're going to keep pushing Lennox innovation, you'll see this with the latest version of red hat enterprise, like so we're gonna push barriers, lower barriers to entry. Uh But we're also going to be the innovation catalyst for new directions include things like edge computing. So hopefully that sort of helps in terms of where, where we started when it was just Lennox and then all the other pieces were bringing to the table and why and some new areas. Uh We're launching our investment going forward. >>Yeah, great, that's great overview. Thanks for taking the time to do that. I think one of the areas I that's jumping out at me is the uh, advanced cluster management work you guys are doing saw that with the security peace and also red hat insights I think is is another key one and you get to read that edge. But on the inside you mentioned at the top of this interview, data workloads pretty much being, I mean that pretty much everything, much more of an emphasis on data. Um, data in general but also, you know, serve abilities a hot area. You know, you guys run operating system so you know, in operating systems you need to have the data, understand what's being instrumented. You gotta know that you've got to have things instrument and now more than ever having the data is critical. So take us through your vision of insights and how that translates. Because he said mentions in answerable you're seeing a lot more innovations because Okay I got provisions everything that's great. Cloud and hybrid clouds. Good. Okay thumbs up everyone check the box and then all of a sudden day too As they call day two operations stuff starts to, you know, Get getting hairy, they start to break. Maybe some things are happening. So day two is essentially the ongoing operational stability of cloud native. You need insights, you need the data. If you don't have the data, you don't even know what's going on. You can't apply machine learning. It's kind of you if you don't get that flywheel going, you could be in trouble. Take me through your vision of data driven insights. >>Yeah. So I think it's it's two aspects. If you go to these traditional traditional sport models, we don't have a lot of insight until there's an issue and I'm always amazed by what our teams can understand fix, get customers through those and I think that's a lot of the success red hats had at the same note, we want to make that better where if you look at real as an example, if we fixed an issue for any customer on the planet of which we fix a lot in the support area, we can know whether you're going to hit that same issue or not in a lot of cases and so that linkage to be able to understand environments better. We can be very proactive of not just hey apply all the updates but without this one update, you risk a kernel panic, we know your environment, we see it, this is going to keep you out of that area. The second challenge with this is when things go do break or um are failing the ability to get that data. We want that to be the cleanest handshake possible. We don't want to. Those are always stressful times anyway for customers being able to get logs, get access so that our engineering knowledge, we can fix it. That's another key part. Uh when you extend this to environments like open shift things are changing faster than humans can respond in it. And so those traditional flows can really start to get strained or broken broken down with it. So when we have connected open shift clusters, our engineering teams can not only proactively monitor those because we know cooper net is really well. We understand operators really well. Uh we can get ahead of those issues and then use our support teams and capabilities to keep things from breaking. That's really our goals. Finding that balance where uh we're using our expertise in building the software to help customers stay stable instead of just being in a response mode when things break >>awesome. I think it's totally right on the money and data is critical in all this. I think the trust of having that partnership to know that this pattern recognition is gonna be applied from the environment and that's been hurting the cybersecurity market people. That's the biggest discussion I had with my friends and cyber is they don't share the data when they do, things are pretty obvious. Um, so that's good stuff there and then obviously notifications proactive before there's a cause or failure. Uh great stuff. This brings up a point that paul come here, said earlier, I want to get your reaction to this. He said every C. I. O. Is now a cloud operator. >>That's a pretty bold >>statement. I mean, that's simply means that it's all cloud all the time. You know? Again, we've been saying this on the queue for many years, cloud first, whatever people want to call it, >>what does that actually >>mean? Cloud operator, does that just mean everything's hybrid? Everything's multiple. Cloud. Take me through an unpacked what that actually means? >>Yeah. So I think for the C I O for a lot of times it was largely a technology choice. So that was sort of a choice available to them. And especially if you look at what public clouds have introduced, it's not just technology choice. You're not just picking Kafka anymore. For example, you really get to make the choice of do I want to differentiate my business by running it myself or is this just technology I want to consume and I'm going to consume a cloud, native service and other challenges come with that. It's an infrastructure, not in your control, but when you think about a ceo of the the axes they're making decisions on, there are more capabilities now and I think this is really crucial to let the C i O hone in on where they want to specialist, what do they want to consume, what do they really want to understand, differentiate and Ron? Um and to support this actually, so we're in this vein, we're going to be launching three new managed cloud services and our our focus is always going to be hybrid in these uh but we understand the importance of having managed cloud services that red hat is running not the customers in this case. So one of those will be red hat open shift streams for Patrick Kafka. We've talked about that, that data connectivity and the importance of it and really being able to connect apps across clouds across data centers using Kafka without having to push developers to really specialize in running. It is critical because that is your hybrid data, it's going to be generated on prim, it's going to be generated the edge, you need to be able to get access to it. The next challenge for us is once you have that data, what do you do with it? And we're launching a red hat open shift data science cloud service and this is going to be optimized for understanding the data that's brought in by streams. This doesn't matter whether it's an Ai service or business intelligence process and in this case you're going to see us leverage our ecosystem quite a bit because that last mile of AI workloads or models will often be completed with partners. But this is a really foundational service for us to get data in and then bring that into a workflow where you can understand it and then the last one for us is that red hat open shift api management and you can think of this is really the overseer of how apps are going to talk to services and these environments are complex, their dynamic and being able to provide that oversight up. How should my apps be consuming all these a. P. S, how should they be talking? How do I want to control? Um and understand that is really critical. So we're launching these, these three and it fits in that cloud operator use, we want to give three options where you might want to use Kafka and three Scale technologies and open data hub, which was the basis of open shift data sides, but you might not want to specialize in running them so we can run those for you and give you as a C. I. O. That choice of where you want to invest in running versus just using it. >>All right, we're here with matt Hicks whose executive vice president prospect technology at red hat, matt, your leader at red hat now part of IBM and continues to operate um in the red hat spirit, uh innovating out in the open, people are wearing their red hat uh hoodies, which has been great to see. Um I ask every executive this question because I really want to get the industry perspective on this. Um you know, necessity is the mother of invention as the saying goes and, you know, this pandemic was a challenge for many In 2020. And then as we're in 2021, some say that even in the fall we're gonna start to see a light at the end of the tunnel and then maybe back to real life in 2022. This has opened up huge visibility for CSOS and leaders and business in the enterprise to say, Hey, what's working, what do we need? We didn't prepare for everyone to be working at home. These were great challenges in 2020. Um, and and these will fuel the next innovations and achievements going forward. Um again necessity is the mother of all invention. Some projects are gonna be renewed and double down on some probably won't be as hybrid clouds and as open source continues to power through this, there's lessons to be learned, share your view on what um leaders in in business can do coming out of the pandemic to have a growth strategy and what can we learn from this pandemic from innovation and and how open source can power through this adversity. >>Yeah. You know, I think For as many challenging events we had in 2020, I think for myself at least, it it also made me realize what companies including ourselves can accomplish if we're really focused on that if we don't constrain our thinking too much, we saw projects that were supposed to take customers 18 months that they were finishing in weeks on it because that was what was required to survive. So I think part of it is um, 2020 broke a lot of complacency for us. We have to innovate to be able to put ourselves in a growth position. I hope that carries into 2021 that drives that urgency. When we look at open source technologies. I think the flexibility that it provides has been something that a lot of companies have needed in this. And that's whether it could be they're having to contract or expand and really having that moment of did the architectural choices, technology choices, will they let me respond in the way I need? Uh, I'm biased. But first I think open models, open source development Is the best basis to build. That gives you that flexibility. Um, and honestly, I am an optimist, but I look at 2021, I'm like, I'm excited to see what customers build on sort of the next wave of open innovation. I think his life sort of gets back to normal and we keep that driving innovation and people are able to collaborate more. I hope we'll see a explosion of innovation that comes out and I hope customers see the benefit of doing that on a open hybrid cloud model. >>No better time now than before. All the things are really kind of teed up and lined up to provide that innovation. Uh, great to have you on the cube. Take a quick second to explain to the folks watching in the community What is red hat 2021 about this year? And red hat someone, I'll see. We're virtual and we're gonna be back in a real life soon for the next event. What's the big takeaway this year for the red hat community and the community at large for red hat in context of the market? >>You know, I think redhead, you'll keep seeing us push open source based innovation. There's some really exciting spaces, whether that is getting closer and closer towards edge, which opens up incredible opportunities or providing that choice, even down to consumption model like cloud managed services. And it's in that drive to let customers have the tools to build the next incredible innovations for him. So, And that's what summit 2021 is going to be about for us, >>awesome And congratulations to, to the entire team for the donation to the academic community, Open cloud initiative. And these things are doing to promote this next generation of SRS and large cloud scale operators and developers. So congratulations on that props. >>Thanks john. >>Okay. Matt Hicks, executive vice president of products and technology. That red hat here on the Cube Cube coverage of red hat 2021 virtual. I'm John Ferrier. Thanks for watching. Yeah.

>>Hello, everyone. This is not appropriate to lapse of America. I'm going to talk about the motivation. For zero knowledge goes back to the heart off, winding down identity, ownership, community and control. Much of photography exists today to support control communications among individuals in the one world. We also consider devices as extensions of individuals and corporations as communities. Here's hoping you're not fit in this picture. What defines the boundary off an individual is the ability to hold a secret with maybe, it says, attached to the ownership. Off some ethic, we want the ability to use the secret to prove ownership of this asset. However, giving up the secret itself essentially announced ownership since then, anybody else can do the same. Dear Knowledge gives us tools to prove ownership without revealing the secret. The notion of proving ownership off a digital object without revealing it sounds very paradoxical outside the model off. So it gives us a surprise when this motion was formalized and constructed by Goldwasser Miccoli and back off in the late eighties, we'll focus on the non interactive >>version of Siri, a knowledge our music in the >>stock, which was first developed by blow Tillman and Peggy, where the general it can span multiple rounds of communications music only allows a single message to be trusted. No, let's get into some technical details for musics. The objective of for music is to show that an object X, which you can think off as the public footprint, often asset, belonging clan and the language without revealing its witness. W, which you can think off as the Future Analytics team consists off three algorithms, video proof and very. The key generation process is executed by a trusted third party and the very opposite, resulting in a common >>random string, or steers, which is made public. The >>true vendor produces a proof by based on the CIA's X and the very fine with the checks. The proof against X and accepts or rejects music off course has to satisfy some properties. We needed to be correct, which basically says that when everyone follows the protocol correctly on, so we can expect, we need to be thought, which says that a false statement cannot be proven. The channel is a trickier properly to form this. How do we capture the intuition behind saying that the proof there is no knowledge of the witness. One way to capture that is to imagine their tools is the real world where the proof is calculated. Using the witness on there's a simulation worth where the proof is calculated without a witness. To make this possible, the simulator may have some extra information about the CIA's, which is independent off the objectives. The property then requires that it is not possible to effectively distinguish these words Now. It is especially challenging to construct music's compared to encryption signature schemes, in particular in signature schemes. The analog off the Hoover can use a secret, and in any case, the analog off the very fire can use a secret. But in is it's none of the crew layer and the verifier can hold a secret. Yeah, in this talk, I'm going to focus on linear subspace languages. This class is the basis of hardness. >>Assumptions like GH and deliver >>on has proved extremely useful in crypto constructions. This is how we express DD it and dealing as linear software. We will use additive notation on express the spirit logs as the near group actions on coop elements. You think the syntax we can write down Deitch on dealing Jupiter's very naturally a zoo witness sector times a constant electric so we can view the language as being penetrated by a constant language. Metrics really was hard by many groups in our instructions. What does it mean? S while uh, Standard group allows traditions and explain it off by in your group also allows one modification In such groups, we can state various in yourself facing elections. The DDN is the simplest one. It assumes that sampling a one dimensional space is indistinguishable from something full professional. The decisional linear assumption assumes the theme from tours is three dimensional spaces generalizing the sequence of Presumptions. The scaling the resumption asks to distinguish between gay damaged examples and full it and >>examples from a K plus one national space. >>Right, So I came up with a breakthrough. Is the construction in Europe 2008 in particular? There? Music for many years Off Spaces was the first efficient >>construction based on idiots and gear. Structurally, >>it consisted of two parts Our commitment to the witness Andre question proof part and going how the witness actually corresponds to the object. The number of elements in the proof is linear in the number >>of witnesses on the number of elements in the object. >>The question remains to build even shorter visits. The Sierras itself seemed to provide some scoop Rosa Russo fix. See how that works for an entire class of languages? Maybe there's a way to increase proof efficiency on the cost of having had Taylor Sierra's for each year. This is what motivates quality and after six, where we let the solace depend on the language itself. In particular, we didn't require the discrete logs of the language constants to generate this, Yes, but we did require this constant student generated from witness sample distributions. This still turns out to be sufficient for many applications. The construction achieved a perfect knowledge, which was universally in the sense that the simulator was independent. However, soundness is competition. So here's how the construction differed from roots high at a very high level, the language constants are embedded into the CIA s in such a way that the object functions as it's only so we end up not needing any separate commitment in the perfect sense. Our particular construction also needed fewer elements in the question proof, as there On the flip side, the CIA's blows up quadratic instead of constant. Let's get into the detail construction, which is actually present with this script. Let the language apparently trace by Giovanni tricks with the witness changing over time, we sat down and matrices >>D and B with appropriate damages. >>Then we construct the public series into what C. S. D is meant to be used. By the way. On it is constructed by >>multiplying the language matrix with D and being worse, Sierra's V is the part that is meant to be used by the very fair, and it is constructed using details be on be embedded in teaching. >>Now let's say you're asked to computer proof for a candidate X with fitness number we computed simply as a product of the witness with CSP. The verification of the truth is simply taking with the pairing off the candidate and the proof with the Sierras. Seeming threats is equal to zero. If you look carefully. Sierra's V essentially embedded in G to the kernel of the Matrix, owned by the language metrics here and so to speak. This is what is responsible for the correctness. The zero knowledge property is also straightforward, >>given the trapdoor matrices, D and B. Now, >>when corrected journalism relatively simple to prove proving illnesses strictly The central observation is that, given CSP, there is still enough entropy. >>India and me to >>random I seriously in particular Sierra's we Can we expand it to have an additional component with a random sample from the kernel allows it. This transformation is purely statistical. No, we essentially invented idiots are killing their talent in the era of kernel part in this transform sitting within show that an alleged proof on a bad candidate and we used to distinguish whether a subspace sample was used for a full space >>sample was used at the challenge. The need >>to have the kernel of the language in this city. That's the technical >>reason why we need the language to come from a witness. Sample. >>Uh, let's give a simple illustration >>of the system on a standard Diffie Hellman, which g one with the hardness assumption being idiot. >>So the language is defined by G one elements small D, E and F, with pupils off the phone due to the W. After that ugly, the CIA is is generated as follows example D and >>B from random on Compute Sierra speak as due to the day after the being verse and Sierra's V as G to do to do the big on day two of the video. The >>proof of the pupil >>detail that I do after the bill is computed using W. As Sierra Speed race to the party. I know that this is just a single element in the group. The verification is done by bearing the Cooper and the proof with the Sierras VMS and then checking in quality. The >>similar can easily compute the proof using trapdoors demand without knowing that what we are expecting. People leave a Peter's die and reduce the roof size, the constant under a given independent of the number of witnesses and object dimensions. Finally, at Cryptocurrency 14 we optimize the proof toe, one group >>element under the idiots. In both the works, the theorists was reduced to linear sites. The >>number of bearings needed for ratification was also industry in years. This is the crypto Ford in construction in action, the construction skeleton remains more or less the famous VR turkey. But the core observation was that many of the Sierras elements could were anomaly. Comite. While still >>maintaining some of this, these extra random items are depicted in red in this side. >>This round of combination of the Sierras elements resulted in a reduction of boat, Bruce says, as also the number of clearings required for education in Europe in 2015 kills, and we came up with a beautiful >>interpretation of skill sets based on the concept of small predictive hash functions. >>This slide is oversimplified but illustrated, wanting, uh, this system has four collecting >>puzzle pieces. The goodness of the language metrics okay again and a key Haider when >>the hidden version of the key is given publicly in the Sears. Now, when we have a good object, the pieces fit together nicely into detectable. However, when we have a bad object, the pieces no longer fit and it becomes >>infeasible to come up with convincing. Zero knowledge is demonstrable by giving the key to the simulator on observing that the key is independent of the language metrics. >>Through the years, we have extended >>enhanced not mind to be six system, especially with our collaborators, Masayuki Abby Koko Jr. Born on U. >>N. Based on your visits, we were able to construct very efficient, identity based encryption structure, resulting signatures >>public verifiable CCS, secure encryption, nine signatures, group signatures, authorities, key extremes and so on. >>It has also been gratifying to see the community make leaps and bounces ideas and also use queuing visits in practical limits. Before finishing off, I wanted to talk to you a little bit about >>some exciting activities going on Hyper ledger, which is relevant for photographers. Hyper >>Leisure is an open source community for enterprise. Great. It's hosted by the minute formation on enjoys participation from numerous industry groups. Uh, so difficult funded to efforts in Africa, we have versa, which is poised to be the crypto home for all. Blocking it and practice a platform for prospecting transactions are part of the legs on the slide here, >>we would love participation from entity inference. So >>that was a brief history of your analytics. Thanks for giving me the opportunity. And thanks for listening

>>from around the globe. It's the queue >>with coverage of the global dot Next digital experience brought to you by Nutanix I'm stew Minuteman. And this is the Cube's coverage of the Nutanix dot next conference This year it is the global dot next digital experience pulling together the events that they had had dispersed across the globe, bringing to you online and happy to welcome to the program. First time guest but a long time Nutanix engineering person, Nanosys Bhattacharya. He's the senior vice president of engineering at Nutanix. Mono is everyone calls him. Thanks so much for joining us. Thank you. All right. So, you know, you know, we've been doing the Cube since, you know, over 10 years now, I remember the early days of talking to Dheeraj and the team when we first bring him on the Cube. It was about taking some of the things that the hyper scale hours did. And bringing that to the enterprise was actually you know, one of the interesting components there dial back a bunch of flash was new to the enterprise, and we've looked at one of the suppliers that was supplying to some of the very largest companies in the world. Um, and also some of the companies in the enterprise, like fusion io. It was a new flash package. And that was something that in the early days Nutanix used before it kind of went to more, I guess commodity flash. But, you know, develop a lead developer, engineers that I talked to came from, you know, Facebook and Oracle and others. Because understanding that database in that underlying substrate to be able to create what is hyper converged infrastructure that people know, is there. So maybe we could start, Just give the audience a little bit. You know, you've been with Nutanix long time, your background and what it is that you and your team work on into inside the company. >>Yeah. Thank you. So, uh, so I think I come from a distributed systems for a long time. I've been working in Oracle for seven years, building parts of the exit data system, some off the convergence that databases have done with beauty in storage. You could see the same hyper convergence in other platforms like I do where computed storage was brought together. I think the Nutanix story was all about Can we get this hyper convergence work for all types of applications. And that was the vision of the company that whatever black home that these hyper scaler to build this big database companies and built, can this be provided for everybody? For all types of applications? I think that was the main goal. And I think we're inching our way, but surely and safely, I think we will be there pretty much. Every application will run on Nutanix states yet. >>Alright, well, and if you look at kind of the underlying code that enables your capability, one of the challenges always out there is, you know, I build a code base with the technology and the skill sets I have. But things changed. I was talking about flash adoption before a lot of changes that happened in the storage world. Compute has gone through a lot of architect role changes, software and location with clouds and the like. So it's just talk about that code base. You talk about building distributed systems. How does Nutanix make sure that that underlying code doesn't kind of, you know, the window doesn't close on how long it's going to be able to take advantage of new features and functionality. >>Yeah, I think Nutanix from the beginning. One thing that we have made sure is that you know, we could always give continuous innovation the choices that we make get like we actually separated the, you know, the concerns between storage and compute. We always had a controller vm running the storage. We actually made sure we could run all of the storage and user space. And over time, what has happened is, every time we abraded us off where people got, you know, faster performance, they get more secure, They've got more scalable. And that, I think, is the key sauce. It's all software. It's all software defined infrastructure on commodity hardware and in the commodity hardware can be anywhere. I mean, you could pretty much build it on a brand. And now that we see, you know, with the hyper scaler is coming on with bare metal is a service. We see hyper convergence as the platform of the infrastructure on which enterprises are willing to run their applications in the public club. I mean, look at new being vmc Nutanix clusters is getting a lot of traction. Even before I mean, we have just gone out a lot of customer excitement there on that is what I think is the is the true nature of Nutanix being a pure software play and cheating every hardware you know uniform and whether this is available in the public cloud or it's available in your own data center, the black at the storage or the hyper visor or the entire infrastructure software that we have that doesn't cheat. So I think in some ways we're talking about this new eight. See, I call the hybrid Cloud Infrastructure to 88. The hyper converge infrastructure becomes the substrate for the new hybrid cloud infrastructure. >>Yeah, definitely. It was a misconception for a number of years. Is people looked at the Nutanix solution and they thought appliance. So if I got a new generation of hardware, if I needed to choose a different harbor vendor? Nutanix is a software company. As you describe you, got some news announced here at the dot next show. When it comes to some of those underlying storage pieces, bring us through. You know, we always we go around to the events and, you know, companies like Intel and NVIDIA always standing up with next generation. I teased up a little bit that we talked about Flash. What's happening with envy me? Storage class memories. So what is it that's new for the Nutanix platform? >>Yeah, let me start a little bit, you know, on what we have done for the last maybe a year or so before, you know, important details off why we did it. And, you know, what are the advantages that customers might tap? So one thing that was happening, particularly for the last decade or so, is flash was moving on to faster and faster devices. I mean, three d cross point came in memory glass storage was coming in, so one thing that was very apparent Waas You know, this is something that we need to get ready for now. At this point, what has happened is that the price point that you know, these high end devices can be a pain has come where mass consumption can happen. I mean, anybody can actually get a bunch of these obtained drives at a pretty good price point and then put it in their servers and expected performance. I think the important thing is we build some of the architectural pieces that can enable they, uh the, uh enable us to leverage the performance that these devices get. And for that, I think let's start with one of the beginning. Things that we did was make sure that we have things like fine grain metadata so that, you know, you could get things like data locality. So the data that the compute would need but stay in the server that was very important part or one of the key tenets of our platform. And now, as these devices come on, we want to actually access them without going over the next. You know, in the in the very last year, we released a Construct Autonomous Extent store. So which is not only making data local, but also make sure metadata as well, having the ability to actually have hyper convergence where we can actually get data and metadata from the same server. It benefits all of these newer class storage devices because the faster the devices, you wanted to be closer to the compute because the cost of getting to the device actually adds up to the Layton's. He adds up to the application with for the storage in the latest. I would say this the dot Next, What we're announcing is two technologies. One is awful lot store, which is our own user file system. It's a completely user space file system that is available. We're replacing gets before we're all our You know, this drives which will then be in me and beyond on. And we're also announcing SPD K, which is basically a way for accessing these devices from user space. So now, with both of these combine, what we can do is we can actually make an Iot from start to finish all in user space without crossing the Colonel without doing a bunch of memory copies. And that gives us the performance that we need to really get the value out of these. You know, the high end devices and the performance is what our high end applications are looking for. And that is, I think, what the true value that we can add your customs. >>Yes. Oh man, if I If I understand that right, it's really that deconstruction, if you will, of how storage interacts with the application it used to be. It was the scuzzy stack when I used to think about the interface and how far I had to go. And you mentioned that performance and latency is so important here. So I was removing from, you know, what traditionally was disc either externally or internally, moving up to flash, moving up to things like Envy me. I really need to re architect things internally. And therefore, this is this is how you're solving it, creating higher io. Maybe if you could bring us inside. You know, I think high performance Iot and low latency s ap hana was one of the early use cases that that that everyone talked about that we had to re architect. What does this mean for those solutions? Any other kind of key applications that this is especially useful for? >>Yeah, I think all the high end demanding applications talk about smp, Hana allow the healthcare applications. Look at epic meditate. Look at the high end data basis because we already run a bunch of databases, but the highest and databases still are not running on a C. I. I think this technology will enable you know the most demanding oracle or Sequels. Of course, Chris, you know all the analytics applications they will now be running on a CSO. The dream that we had every application, whatever it is, they can run on the C I. A platform that can become a reality. And that is what we're really looking forward to it. So our customers don't have to go to three year for anything. If if if. If it is an application that you want to run a CEO is the best platform for your application that is working what you want. >>Alright, So let me make sure I understand this because while this is a software update, this is leveraging underlying new hardware components that are there. I'm not taking a three year old server on to do this. Can you help understand? You know, what do they need to buy to be able to enable this type of solution? >>So I think the best thing is we already came up with the all envy. Any platform and everything beyond that is software change. Everything that we are is just available on an upgrade. So of course you need a basic platform which actually has the high end devices themselves, which we have hard for a year or so But the good thing about Nutanix is once you upgrade, it's like a Tesla you know you have. But once you get that software upgrade, you get that boosted performance. So you don't need to go and buy new hardware again. As long as you have the required devices, you get the performance just by upgrading it to the new the new version of the air soft. I think that is one of the things that we have done forever. I mean, every time we have upgraded, you will see. Over the years, our performance is increased and very seldom has a pastoral required to change. You know their internal hardware to get the performance. Now, another thing that we have is we support heterogeneous clusters. So on your existing cluster, let's say that you're running on flash and you want to get you all. And maybe you can add nodes, you know, which are all envy me and get the performance on those notes. While these flash can take the non critical pieces which is not requiring you to understand performance but still give you the density off water. VD I are maybe a general server virtualization. While these notes can take into account the highest on databases or highest analytic applications, so the same cluster and slowly expand to actually take this opportunity of applications on >>Yeah, thats this is such an important point We had identified very early on. When you move to HV I. Hopefully, that should be the last time that you need to do a migration any time. Anybody that has dealt with storage moving from one generation to the next or even moving frames can be so challenging. Once you're in that cool, you can upgrade code. You can add new nodes. You can balance things out. So it's such an important point there. UH, you stated earlier. The underlying A OS is now built very much for that hybrid cloud world. You talk about things like clusters that you have now have the announcement with AWS now that they have their bare metal certain service. So do we feel we're getting a balancing out of what's available for customers, whether it's in their own data center in a hosted environment where they have it, or the public cloud to take capabilities like you were talking about with the new storage class? >>Yeah, I think I see most of these public clouds are already providing you, uh, hardware which hasn't being built in which I'm sure in the future we have storage class memory building. So all the enterprise applications that were running on prim with the latency guarantees, you know, with the performance and throughput guarantees can be available in the public cloud, too. And I think that is a very critical thing. Because today, when you lift and shift, one of the biggest problems that all their customers face is when you're in the cloud, you find that enterprise applications are not built for it, so they have to either really protect it or they have to make, you know, using a new cloud native constructs. And in this model, you can use the bare metal service and run the enterprise applications in exactly the same way as you would run in your private data center. And that is a key tell, because now, with this 100 our data mobility framework where we can actually take both storage and applications, you know do lose them a trust public and the private cloud we now have the ability to actually control on application end to end. A customer can choose Now that they want to run it, they don't have to think. Oh, yeah? I have to move to that. Have to be architected. You can choose the cloud and run it in the panel service exactly as you were honoring your private data center. You've been utilizing things like Nutanix clusters. >>Great, well mannered. Last last question I have for you. You know, we really dug down into some of the architectural underpinnings in some of the pieces inside the box. Bring it back up high level, if you would, from a customer standpoint, key things that they should be understanding that Nutanix is giving them with all of these new capabilities. You mentioned the block store and the SPK. >>Yeah, I think for the customer, the biggest advantage is that the platform that they chose for you know, you see, some of virtualization can be used for the most demanding workloads. They're free to use, you know, Nutanix for smp, Hana for high end Oracle databases, Big data validates they can actually use it for all the healthcare apps that I mentioned epic and meditate and at the same time, keep the investment and hardware that they already have. So I think the fact about this Tesla kernel analogy that we always think is so act with Nutanix. I think with the same hardware, uh, investment that they have done with this new architecture. They can actually start leveraging that and utilize it for more and more, you know, demanding workloads. I think that is the key advantages. Without changing your you know, the appliances or your san or your servers, you get the benefit of running the most demanding applications. >>Well, congratulations to you and the team. Thanks so much for sharing all the updates here. Alright. And stay tuned for more coverage from the Nutanix global dot Next digital experience. I'm stew minimum. And as always, Thank you for watching the Cube. >>Yeah, Yeah, yeah, yeah, yeah

>> Narrator: From around the globe, It's the CUBE with digital coverage of next level network experience event. (upbeat music) Brought to you by Infoblox. >> Everyone welcome back to the CUBE's coverage and co-hosting of the Infoblox next level networking experience virtual event. With a pop up event, only a few hours, but four great segments. Officer Stu Miniman helped me kick it off this morning, and Stu, I want to bring you in, Stu Miniman who's the... He host for the CUBE, covering networking with me Stu we do all the cloud native shows. We can, we can smell what's relevant, and I want to get your take on this, because, Infoblox putting out some pretty good content with some great guests. But, next level networking, let's just unpack that, next level networking and next level networking experience. The word experience changes the context of that definition, because going the next level with networking is one thing, having an experience is another, just what's your take, you seen, we talk about this all the time, what's your take? >> Yeah, so John, one of the words that we've talked about so much is, how do we simplify this environment? Networking is known for its complexity. Too often, it's, stuck down in protocols and just the arcane arts that I don't want to think about. Networking at its best, is just going to work. And I don't want to think about it, so, if I'm adopting SaaS models, if I'm going cloud native, it should, tie into everything else we're doing. What I was hearing, the themes, John, and the interviews you discussed, they're talking about SaaS, they're talking about cloud native, things like visibility, moving real time, really changes so much of these environments, so, IP addresses used to be a lot more static. We know now, things just change constantly and that's one of the big challenges. How do I monitor that environment? How do I keep them secure? And that's where modern environments need to go to the next level to be able to keep up with all of those changes. >> The word experience means something to me in a sense, I think contemporary, right? I think something new, relevant and cool, and still we're old enough to remember the '80s and '90s, and I was coming out of college late '80s, and I remember I never had a punch, I never did any program with a punch card. I was kind of the young gun, coming into the workforce with a technical degree, and I remember looking at the mainframe guys going, "who are those old relics?" And they, those guys hung onto their job as long as they could, and the smart ones moved and said, "Hey, I'm going to jump on this mini computer bandwagon, Oh, there's inter networking and local area networking that the PC toys are attaching to, that's interesting." And so you had a migration of systems talent move to the new, the new way. Some didn't, and I look at that and I say, hmm, that's similar to what's going on in networking, if you're the old networking guy or gal, and you're hugging onto the router, or you're hugging onto that old way, you could be extinct, because there is a new experience coming. It's programmable, it's automation, it's different. It's not, the big, old way, similar to the mainframe. So, a lot of psychology in this networking industry right now is, and the young people come in. It's like, why we do it that way? This to me is about next level networking, experience. Your reaction to that. >> Yeah, well, John, it's been interesting here in 2020, you talk about the acceleration of things moving, people that were dipping their toe in cloud and have to move in a matter of weeks, if not, hours and days to get things up and running. So, leveraging software, open source is a big component of what a lot of companies are doing, and of course, cloud and that cloud experience means in the public cloud and edge environments, you talked a bit about IOT in some of these cases, the order of magnitude of networking challenges that are out there are such that I have to have automation, it needs to be simpler because I could not do things the manual old way. John, I lived through so many generations, you work with people in the networking, it's manually done. It was done via CLI, because I knew how to do it. Maybe I did some scripting, but in today's day and era, things change too fast and the amount of work that needs to be done is so much so that that's why automation needs to be front and center. And you see Infoblox, as some of their new solutions, especially leveraging SnapRoute take advantage of the modern way that people need to do things. >> Well, we actually did a deep dive on SnapRoute and it was super impressive, again, I thought it was way too early, but they were doing some stuff with Kubernetes thinking, just thinking like Linux kernel, low level thinking. And I think Stu, this is what I want to get your thoughts on, because in the industry we cover Cisco aggressively. We saw them by open DNS, manage services versus low level, we got automation, you got Amazon out there, I mean, hell I can just have a screen that goes in and manages my DNS in the cloud, I can start thinking differently about how I wire my services together, if I think about Amazon, for instance, or hybrid and multicloud, this a whole new level of thinking. And, these are going to be new solutions, and this is the theme that came up and it's come up across every single major vendor, whether we're talking the Google cause they have a pretty damn good network. You got Cisco, you've got, all these people out there, they got to reinvent themselves. And, new expectations require new solutions. This has been something that's clearly coming out of the COVID, that, you know what I like working from home, I'm more productive. We don't need the real estate costs, wait, why do we even need a VPN? Why we over-provisioned? What are we paying for? Let's just build and secure. So again, all these projects are going to come out of the woodwork, I think that they're going to create a new vendor, a new brand or new opportunity because, these new solutions need to come because of the demand has been highlighted by COVID and other cloud scale. What's your thoughts on that, because this may not be your grandfather's networking company that comes out of the woodwork, It might be a cloud app. >> Yeah, well John, first of all, I think you nailed it. You look at a company like Infoblox, founded back in the .com era, back in 1999 and dominant in their space. So, they're not here saying, oh, we're the tried and trusted company that you work with, and you shouldn't try that new Fangled, Kubernetes piece or anything like that. It's not ready for prime time. As you said, they're getting, they're looking to skate where, to where the pack is going, they're aggressively going after these environments to make sure that they maintain their leadership in this environment. And, you're absolutely right, for the longest time, generally in networking, you were talking about, it was Cisco and everybody else out there, but now the cloud is such a big piece of what's going on, we've seen chip acquisitions by the big Hyperscalers, we've seen how they build their environments, and in many ways there's been consolidation, but there's also been dis-aggregation. So, the fundamental layer, but like what Infoblox has with their DDI stack, is something that customers need, I need to make sure my identity and my IP is something that I can manage wherever I am in all of these environment. >> It's funny Stu, we joke about SD-WAN, and now that's the internet and you think about the internet, one constant in all of it is you got to move packets from point a to point B and store a packet in a storage device, and ultimately you need to have to resolve addresses. And DNS, as old as it is, is fundamentally the standard, and a lot of people take it for granted, so to me, DNS has survived. It's a low level building block, but as things evolve, new abstraction layers come up, and I think we'll see more. I mean, I think there'll be a new naming system on how to deal with different scale across multicloud. And I think, Amazon is talking about it. We hear Ava Trix talking about it, we hear, things going on within Google talking about it, so, I think you're going to start to see new levels of innovation because, that's where the packets are moving, that's what the bad guys are, and you can't cover your footprints if you're trying to get in there. So, huge change is coming will be on it, And the CUBE we'll be monitoring it, as always, we can see the waves coming, Stu, what do you see? What's your future ball, tell you, as we come out of COVID, networking world, cloud collision, multicloud, apps, microservices, all this massive wave, what's your take, What's going to happen? >> Well yeah John, we've talked so much, It's those builders out there, how do I make sure that I can build my application, allow my users to access things wherever they are. The shift we hear for post COVID, it goes from work from home to work from anywhere. So, we were not going to see everybody just go back to the pre COVID era, this will have a lasting impact, and especially from a networking standpoint, we were starting to look at how does 5G and IOT change the way we think of networking? This just accelerates what we Needed to look at. Some networking technologies, take a long time to go through their maturation and standards, but being able to manage my entire environment, be able to spin up my new applications, and as you said John, DNS, like identity is something that is a fundamental piece that I need to make sure is rock solid so that I can get my employees access to the information while still keep things secure. >> Well, when you click on a link, that's malware, that's DNS, so this is where the action is, and people got to preserve it. Stu, We're going to be covering it, we're going to be watching all the waves, and again, this the CUBE on top of the big wave of networking and as networking evolves, I just still, I just still think, it's one big IOT world now, and it's an internet of things. They're all connected, there's no perimeter, it's borderless. This is going to change the game. I think in the next 18 months, we're going to see really different connected experiences and whoever can deliver them, will be the winner. Of course, we'll be watching it, go to siliconangle.com. We have a special report on next gen networking, Rob hope from Paul Gillin are constantly reporting, Stu has been getting a ton of great interviews, and again, we're getting the stories out, during COVID-19, with our remote interviews. Thanks for watching the CUBE, for the special next level networking experience event by Infoblox. (upbeat music)

>> From theCUBE studios in Palo Alto and Boston, connecting with thought-leaders all around the world, this is a Cube Conversation. >> Hi everybody, this is Dave Vellante. Welcome to this Cube Conversation. We're really excited to have Wim Coekaerts in, he is the senior vice-president of software development at Oracle. Wim, it's great to have you on, and, you know I often say I wish we were face-to-face but if we were you'd have to cut off my tie, cause developers and ties just don't go together. >> No, I know, and this is my normal outfit, so this is me wherever I go. Hi again, good to see you. >> Yeah, great to see you. So, of course, you know a lot of people are confused about Oracle, and open-source, they say "Oracle? Open-source? What is that all about?" But I think you're misunderstood. People don't, first of all, realize you as the leader of the software-development community inside of Oracle, I mean, you've been involved in Linux since the early 90s. But you guys have a lot of committers, you do a lot. I want to talk about that. What is up with Oracle, and open-source? >> Ah, well, it's a broad question. So, you know, a couple of things. One is, we have many different areas within the company that are dealing with open-source. So we have the cloud team doing a lot of stuff around cloud SDKs and support for different languages like Python and Go, and of course Java and so forth, so they do a lot around ensuring that the Oracle ecosystem is integrated in the open-source tools that customers use, or developers use, Terraform companies and so forth. And then you have the Java team, and so forth. Java is open-source and then the Graal project, GraalVM which is a polyglot compiler that can run Java, and Python, and Javascript and so forth together in one. VM do really cool optimizations, that's an open-source project, also on GitHub. There's of course MySQL, which is along with Java, they're probably the two most popular and widely used open-source projects out there. There's VirtualBox which is of course also a very popular project that's open-source. There's all the work we do around Linux. And I think one of the things is that, when you have so many different areas, doing things that are for that area, then as a developer or as a customer, you typically just deal with that group. And what you see is, oh you're talking to the Java developers, so you know what's going on around Java. The Java developers might not necessarily say, "Oh well we also do MySQL, and we do Linux and VirtualBox and so forth," and so you get a rather myopic, narrow view of the larger company. When you add all these things up, and there will be one big slide that says "This is Oracle, these are all these open source projects," and there's multiple ways. One is, we have projects that we've open-sourced and all the code came from us and we made it publicly available, we're the main contributor and we get contributions back. There are other projects where we contribute to third-party in terms of enhancing things, like I said with the Cloud Team, and then in general something like Linux where we're part of an external project and we participate in development of that project at large. And so there's these three different ways, when you count up all the developers that we have that deal with open-source on a daily basis. And in terms of contributions, in terms of bug fixes, testing, and so forth, it's thousands, literally, full-time paid developers. And of course, all the projects are all either on GitHub or similar sites that are very popular. So yeah, I think the misunderstood is probably a lack of knowledge of the breadth of what we do. And, you know, our primary goal is to provide services and products to customers, and so the open-source part is sort of embedded in a development methodology. But that's not something we sell or market separately, we just work with customers and products and services, and so in some cases it's not well-understood. >> Yeah. Well, we're talking of course, we're talking about the state of the penguin, I think it's important for people to understand, Oracle got into the Linux game in the 90s, maybe the latter part of the 90s and Oracle, of course, wants to make Linux-- wants to make Oracle, it's applications and database run better on Linux, but as you're pointing out, your Linux distro, full support, end-to-end, thousands of people in your open-source community, and the contributions that you make to Linux, many if not most, they go upstream, everybody can benefit from those, but of course you want an Oracle distro that is going to make Oracle stuff run better, that's always kind of been the Oracle way. >> Well, so, yes, two things though. One is, so everything we do is upstream. So we have no Linux patches that are not contributed upstream; There's no proprietary code in Oracle Linux at all, it's all completely open, publicly available: the source code, the change log, all the commits, it's fully open and public, which sometimes is not well-understood, but it's completely open. And, everything we do in terms of feature development or functionality or bug fixes goes upstream to the Linux kernel mail-list. It's actually, it's the only way to be able to manage a Linux distribution and be a Linux vendor is to live in that eco-system. Otherwise, the cost of maintaining your own fork, so to speak, is very high and it doesn't really solve the problem. Now, the functionality we work on obviously is focused on making Oracle products run better, making Oracle Cloud run better, and so forth. However, again, what's important to understand, though, is an Oracle database is a program running on an operating system. It does IO, it does networking, it deals with memory management, lots of processing. So, for the most part, the things that we work on to improve that helps everyone out, right? It helps every other database run better, or helps every other language run better. So none of these changes are specific to Oracle, they're just things that we found doing performance benchmarks and testing and so forth, where we say "Hey, if Linux did the following, it would make boot-up faster. Now boot-up has nothing to do with the database. But our customers run on 1-terabyte, 4-terabyte, 8-terabyte systems, and so booting up, and Linux starting up, and cleaning up memory takes a long time. So we want to reduce that from an availability point of view. So here, we're now talking about just enterprise for you. So there's this broad set of things we work on that definitely help us, but they're actually really completely generic and help everyone out. >> Yeah, that's great. So I wanted to kind of get that out of the way and help our audience understand that. So let's get into it a little bit; What are you seeing, what's going on in IT, pick your observation space and your vision of what you see happening out there. >> Well, you know, it's very interesting, it's sort of, there's two... there's sort of two worlds, right, there's the cloud world and the move to cloud, and there's the on-premises world, where people run their systems on their own. And, one of the things that we've learned is, when you talk about machine-learning, obviously, is something that's very popular these days, and automation. And so in order to rely on machine-learning well, and have algorithms that are very effective, you need lots of data. And so being a cloud vendor, and having Linux in our cloud on tens of thousands, or hundreds of thousands of servers, or more, allows us to have a view of how an operating system works across an incredibly large scale. So we get lots of data. And so for us to figure out which algorithms work well in terms of how can we do network optimizations, how can we discover anomalies on the storage site, and deal with it and so forth, we can do that at scale. And what's interesting is, how do we then bring that on-prem? Well, if we can get the data and the learning done, the training done, in our cloud directly, then when we provide that service also for people running Oracle Linux on premises then that will work. The alternative is to have point solutions where you provide something to a customer, and he needs to learn something from small amounts of data. That doesn't work so well. So I think having both worlds, on-prem and cloud directly, allows us to kind of benefit from that. And I think that's important, because lots of customers are interested in going to cloud. Many of the enterprises have not yet. You know, they're starting, but there's still a huge on-premises space that's important. And so by being able to get them familiar with how these things work at scale, autonomy is again important, right, Autonomous Database is incredibly popular and so forth, that allows us to then say, "Here, try these things out here, it's a service. We can show you the benefits right away," and then as that improves we bring that, to a certain extent, on-premises as well. And then they can have it in both places. And that, I think, is something, again, that's relatively unique but also very important, is that we want to provide services and products that act similarly on-premises as well as in cloud, because at some point when people move we want to make that transition seamless. And what you have today for the most part is one world that's on-prem, and then the cloud world is completely different. And that is a big barrier of moving, and so we want to reduce that, we can run the same operating system local as well as cloud, you can the same functionality, and then that helps transition people over much easier. >> Yeah, well Oracle actually was one of the -- I think Oracle was the first company to actually market same-same, you actually used that term. Others put forth that concept, but Oracle was the first to announce products like Cloud at Customer, that were same-same, now it took some time to actually get it perfected, and get it to market, but the point is, and we've written about this, is Oracle, because of the ascendancy of cloud, flipped and has a cloud-first mentality, and you just kind of referenced that, you just said, "And you can bring that to on-prem." So I wonder if you could talk about that cloud-first mentality, and the impact on hybrid. >> So yeah, I think the cloud-first part is of course in cloud we work on services moreso than products that we deliver. And there's a number of things that are happening. So one is that we obviously continue to provide products to customers, you can download Oracle Linux, you can download the database and what not, you can install it on your own, you can do the traditional way of working. Then in the cloud-world, what typically happens is "Oh, I use a database service. I'm not installing anything, I push a button and I get an IP address and a SQL that connects extremely quickly to the database." And we take care of everything underneath that is on this database. Now, in order to do that, you need a whole infrastructure in place, you need log-in agents, you need a back-end that captures all that stuff, you need monitoring tools, you need all the automation scripts for bringing the service up and monitor it. And so, that takes a lot of time to do right, and we learn a lot by doing this. And so the cloud-first part of these services means that we get to experience this ourselves with direct access to everything. Now taking that service with all of the additional features like autonomy, and bringing that to an on-premises world, we have to make sure we can package that so that all these pieces around it go along with it. And that takes a little bit more time, so we can do everything at the same time. And so what we've done with Autonomous Database is we created everything in Oracle Cloud, we have the whole system running really well, and then we've been able to sort of package that and shrink it into something that can be installed on-premises, but then connected into Oracle Cloud again. And so that way we can get all the telemetry over the metric, and that allows us to scale. Because part of providing a cloud service that runs on-prem in the customer environment is that we need to be able to remotely manage that similar to how that runs in our own cloud. Right, otherwise it doesn't scale. And so that takes a little bit of time, but we've done all that work, and now with Cloud at Customer Database that's really in place. >> Yeah, you really want to have that same cloud experience, whether with on-prem, in the public cloud, hybrid, et cetera. So, I want to explore a little bit more who is using Oracle Linux, and what's the driver for using it. Can you describe maybe some of the types of customers and why they buy? >> Sure, so we started this fourteen years ago, in 2006, October 25th, 2006. I remember that day very well; Penguins on stage and a big launch for Oracle Linux in San Francisco Moscone Center. So, look, the initial driver for Oracle Linux was to ensure that Oracle database customers or Oracle product customers had a good operating system experience, and the ability to be able to handle critical issues when that occurs, because typically a database runs the company's critical data: the most essential stuff that a company has is typically in a database, an Oracle database. And so when that thing has issues with the operating system, you don't want just to talk to multiple vendors and have finger-pointing, and having to explain to an operating system vendor how the database works. In the Unix world, we had a good relationship with the OS vendors, and the hardware vendors, they were the same. And they knew our products really well, and in the Linux world, that was very different. The OS vendor basically did not want to understand or learn anything about the products living on top. And so while to a certain extent that makes sense, it's an enterprise world where time is of the essence, and downtime needs to be limited absolutely. We can't have these arguments and such. And that was the driver, initially, for doing Oracle Linux. It was to ensure there was a Linux distribution really backed by us, that we could fix, that we could fully support. That was completely the original intent. And so the early customer base was database customers. Database and middleware. Mostly database. But that has then evolved quickly, and so what happened was, people say "Look, I have a thousand servers, a hundred run Oracle, so we'll run Oracle Linux on those hundred, and we'll run something else on those other nine-hundred." Now after a year or so, they realize that our support is really good; We fix all these issues, and so then they're like "Why are we having two Linux distributions? This thing works really well, it runs any application, it's fully compatible, so we'll do a thousand with Oracle Linux." And so the early days, the first few years, was definitely Oracle Database as the core driver, and then it sort of expanded to the rest of the estate. And over the years, we've added lots of features and functionality, like Ksplice, and so forth. We have an attractive pricing model for running on servers, and so now lots of our customers have a very small Oracle percentage running and many other things running. So it's really become a all-or-nothing play in the Linux space, and we're well-known now, so it's actually very good. >> You just mentioned Ksplice. We've been talking about cloud, and on-prem, and hybrid. Let's talk about security, because security really is a differentiator, particularly if you're going to start to put stuff in the cloud. Talk about Ksplice specifically, but generally security and your policy there. >> So, "Security first" is sort of what you hear us say and do, in everything we do. The database obviously security, on the Linux site security matters. Ksplice as a technology is there to do critical bug-fixing and make sure that we can apply security vulnerability fixes without affecting the customer, and not have downtime. And if you look at most of the cases or many of the cases where you have security vulnerabilities and exploits, it tends to be because systems were not patched. Why were they not patched? Well not that our customer doesn't understand that it's important, but it's a whole train of events that needs to happen. You have to, you get notified that there's a security issue in your operating system or application. Then, well, an application typically means it's a multi-layered setup. So if you have to bring your database server down, then you first have to coordinate with the application users to bring the app server down, cause that talks to the database. So to patch one system, you basically have to bring down the whole application stack. You have to negotiate with the DBAs, you have to negotiate with the app admins, you have to negotiate with the user. It takes weeks to do that and find time. Well during that time, you're vulnerable. So the only way, really, to address security in a scalable and reducing that window of time is to do it without affecting the customer. And so Casewise is something that, it's a company we acquired in 2009, and have since evolved in terms of capabilities, and so it allows us to patch the Linux terminal without downtime. We lock the kernel for 8 microseconds. It's literally no downtime. You don't have to bring down applications, the user doesn't see it, there's no hang, there's no delay. And so by doing that, you can run a Linux operating system, or gLinux, and you can be fully patched on a system that hasn't rebooted for 3 years. You don't even know it. And so by doing that type of stuff, it makes customers more secure, and it avoids them-- It saves them a lot of money in terms of dealing with project management and so forth, but it really keeps them secure. And so we do that for the Linux kernel, we do that for some of the libraries on top that are critical like OpenSSL and 2 LVC, and, you know one example-- I can give you two examples. So one example is, Heartbleed was this bug in OpenSSL a number of years ago. And so everyone had to patch their SSH server. And that meant, basically, systems around the world had to reboot. Like a whole IT reboot across the world. With Ksplice today, if Heartbleed were to happen tomorrow, we would be able to patch this online for all the Oracle Linux customers without any downtime. No reboots, no restarting of applications, everything keeps running. The amount of money saved would be massive, and also, of course, the headache. Another example is, and this was in Oracle Cloud, when some of these CPU bugs that happened a few years ago that were rather damaging on the cloud side, where you could basically see memory potentially of other CPUs running, the cloud is incredibly critical. We were basically able to basically patch our entire cloud in four hours. And the customer didn't know, right, a hundred and twenty million patches, or something, that we applied within four hours, all online, without any downtime. And so that technology has been really helpful, both for us to run our cloud, but the exact same patches and same fixes go to customers on-premises as well. But this comes back to the whole, what we do in cloud we also do for customer. And I think that's a unique thing that we have at Oracle which is quite fascinating. The operating system we run for our customers, the operating system that's the host part of VMs, is the exact same binary and source code that we make available, just to be clear, the exact same binaries are the ones that you run as a customer on-premises. So if you run Oracle Linux with KVM, you run VMs, you're actually running the exact same stuff as we run underneath our customer's stuff. Nobody else does that, everyone else has a black box. So I think that helps a little bit with transparency as well. >> Yeah, and that homogeneity just creates an environment, you're talking about that sort of security mindset, it's critical, you're not just bolting it on, it's part of the culture. But you started your career, and then of course you were a Linux person when you came to Oracle, but then I think you spent some time in database, back in the day when there were serious database wars going on, before Oracle became the king of database. So now you've got, obviously, this great portfolio, and a lot of really sharp software developers; What should we expect going forward, from Oracle? What should we look for? >> You know, I was talking to some, I was welcoming some interns to the company, for their summer internship yesterday, and one of the things I mentioned to them was that -- so cloud obviously gives us a lot of opportunities, but there's a number of things. One is, we have such a breadth of applications and software and hardware together. We have the servers, we have the storage, we have the operating systems, we have the database layer and so forth, and we have the cloud side, and one of the great opportunities, and I think we've shown a lot of this happening with the ability to create something like Autonomous Database, is to combine all these things. Right, we have such a broad portfolio of really cool technology that by itself is okay, but if you combine the things it really becomes awesome. You cannot create autonomous database without having autonomous learning. You cannot create those two and make them really safe without also controlling the firmware on the hardware and so forth. So by being able to combine all these layers, and by having a really great relationship across the teams within the company, that opens up a lot of opportunities to do stuff really quickly. And having the scale for that. I think that has been, for the last few years, a really great thing, but I can see that being one of the advantages that we have going forward. We have Oracle Fusion Applications, which is incredibly popular, and has great growth, and then we have that running on Oracle Cloud, that talks to Oracle Autonomous Database, so we bring all these pieces together. And no other SaaS vendor can do that, because they don't have these other pieces. They have one area, we have all of them. And so that's the exciting part for me, it's not so much about making my own world better, and having Linux be better, and Casewise and so forth, which is important, but that becoming part of the bigger picture. And that's the exciting part. >> Well, Oracle's always invested in RND, we've made that point many, many times. Whether it's database, you know Fusion was a painful but worthy effort, the whole public cloud piece, obviously many acquisitions, but the investments that you've made in open-source as well, Wim, you're a great spokesperson, and a great representative of the open-source community generally, and then Oracle specifically, so thanks very much for coming on theCUBE and sharing with us the state of the penguin, and best of luck. >> You're welcome. Thank you, thanks for having me. >> Alright, and thank you for watching, everybody. This is Dave Vellante for theCUBE. We'll see you next time. (cheerful music).