Dan Hubbard, Lacework | Cloud Native Insights
>> Narrator: From theCUBE Studios in Palo Alto and Boston, connecting with thought leaders around the globe, these are Cloud Native Insights. >> Hi, I'm Stu Miniman, the host of Cloud Native Insights. And when we started this weekly program, we look at Cloud Native and you know, what does that mean? And of course, one of the most important topics in IT coming into 2020 was security. And once the global pandemic hit, security went from the top issue to oh my gosh, it's even more important. I've said a few times on the program while most people are working from home, it did not mean that the bad actors went home, we've actually seen an increase in the need for security. So really happy to be able to dig in and talk about what is Cloud Native security, and what should that mean to users? And to help me dig into this important topic, happy to welcome back to the program one of our CUBE alumni Dan Hubbard, he is the CEO of Lacework. Dan thanks so much for joining us. >> Thanks Stu. Happy to be here. >> Alright, so we don't want to argue too much on the Cloud Native term, I agree with you and your team. It's a term that like cloud before, it doesn't necessarily have a lot of meaning. But when we talk about modernization, we talked about customers leveraging the opportunity in innovation and cloud security of course is super important. You know most of us probably remember back, you go back a few years and it's like, "Oh well I adopt cloud. It's secure, right? I mean, it should just be built into my platform. And I should have to think about that." Well, I don't think there's anybody out there at least hopefully there's not anybody out there that thinks that anything that I go to will just be inherently fully secure. So give us a little bit if you would, you know where you see us here in 2020 security's a complex landscape. What are you seeing? 
>> Yeah, so you know a lot of people as you said, used to talk about what's called the shared responsibility model, which was the cloud provider is responsible for a bunch of things. Like the physical access to the data center, the network, the hypervisor and you know that the core file system and operating system and then you're responsible for everything else that you could configure. But there's something that's not talked about as much. And that's kind of the shared irresponsibility model that's happening within companies where developers are saying they're not responsible for security saying that they're moving too fast. And so what we are seeing is that you know, as people migrate to the cloud or of course are born in the cloud, this notion of DevSecOps, or you know SecDevOps whatever you want to call it, is really about the architecture and the organization. It's not just about technology, and it's not just about people. And it's more about layer seven and eight, than it is about layer one to three. And so there's a bunch of trends that we're seeing in successful companies and customers and prospects will be seeing the market around how do they get to that level of cooperation between the security and the developers in the operation teams? >> Yeah Dan, first of all fully agree with what you're saying. I know when I go to like serverless.com they've got everybody chanting that security is everyone's responsibility. You know I think back to DevOps as a trend, when I read the Phoenix project it was, oh hey, the security is not something that you do bolt on, we're looking at after it's something that you need to shift into everyone thinking about it. Security is just going to be baked in along the process all the way. So the DevOps fail us when it comes to security, why do we need DevSecOps? You know why are you know as you say seven and eight the you know, political and organizational challenges still so much of an issue you know, decades into this discussion? 
>> Yeah. You know I think there's a few moving parts here and kind of post COVID is even more interesting is that companies have incredibly strategic initiatives to build applications that are core to their business. And in post COVID it's almost existential to their business. If you think of you know, markets like retail and hospitality and restaurants you know, they have to figure out how to digitize and how to deliver their business without potentially physical you know, access to two locations. So as that speed has happened, some of the safety has been left behind. And it's easy to say you have to kind of you know, one of our mantras is to run with speed and safety. But it's kind of hard to run with scissors you know, and be safe at the same time. So some of it is just speed. And the other is that unfortunately, the security people in many ways and the security products and a lot of the security solutions that are out there, the incumbents if you will, are trying to deliver their current solution in a cloud way. So they're doing sometimes it's called Cloud built or you know what I call Cloud washing and they're delivering a system that's not applicable to the modern infrastructure in the modern way that developers are building. So then you have a clash between the teams of like, "Hey I want to do this." And then I'd be like, "No you can't do that get out of our way. "This is strategic to the business." So a lot of it has just been you know, kind of combination of all those factors. >> Alright so Dan, we'll go back to Cloud Native security, you talked about sometimes people are Cloud washing, or they're just taking what they had putting it in the cloud. Sometimes it's just, oh hey we've got a SaaS model on this. Other times I hear cloud native security, and it just means hey I've got some hooks into Containers or Kubernetes. What does modern security look like? Help us understand a little bit. 
You mentioned some of the you know, legacy vendors what they're doing. I see lots of new security startups, some in you know specifically in that, you know, Kubernetes space. There's already been some acquisitions there. So you know, what do you see out there? You know what's good, what's bad in the trends that you're seeing? >> Yeah so I think the one thing that we really believe is that this is such a large problem that you have to be 100% focused on it. You know if you're doing this, you know, securing your infrastructure and securing your modern applications, and doing other parts of the business whether it's you know securing the endpoints of the laptops of the company and the firewall and authentication and all kinds of other things you have competing interests. So focus is pretty key. And it's obviously a very large addressable problem. What the market is telling us is a few things. The first one is that automation is critical. They may not have as many people to solve the problem. And the problem set is moving at such a scale that it's very, very hard to keep up. So a lot of people ask me you know, what do I worry about? You know, how do I stay awake at night? Or how do I get to sleep? And really the things I'm worried most about in the way where I spend most of my time on the product side is about how fast are builders building? Not necessarily about the bad guys. Now the bad guys are coming and they're doing all kinds of innovative and interesting things. But usually it starts off with the good guys and how they're deploying and how they're building. And you know, the cloud providers literally are releasing API's and new acronyms almost weekly it seems. So like new technology is being created such a scale. So automation the ability to adapt to that is one key message that we hear from the customers. The other is that it has to solve or go across multiple categories. So although things like Kubernetes and Containers are very popular today. 
The cloud security tackle and challenges is much more complex than that. You've got infrastructure as code, you've got serverless, you've got kind of fragmented workloads, whether some are Containers, some are VMs, maybe some are AMIs and then some are Kubernetes. So you've got a very fragmented world out there, and all of it needs to be secured. And then the last one is probably the most consistent theme we're hearing is that as DevOps becomes involved, because they know the application and the stack much better than security, it has to fit into your modern workflow of DevOps. So that means you know, deep integrations into Jira and Slack and PagerDuty and New Relic and Datadog are a lot more important in integrating to your you know, Palo Alto firewall and your Cisco IDS system and your endpoint you know antivirus. So those are the real key trends that we're seeing from the customers. >> Yeah Dan, you bring up a really important point, leveraging automation. I'm wondering what you're hearing from customers, because there definitely is a little bit of concern, especially if you take something like security and say, okay well, automation. Is that something that I'm just going to let the system do it? Or is it giving me to getting me to a certain point that then a human makes the final decision and enacts what's going to happen there? Where are we along that journey? >> Yeah, so I think of automation in two lenses. The first lens is efficacy, which is you know do I have to write rules? And do I have to tune, train and alter the system over time? Or can it do that on my behalf? Or is there a combination of both? So the notion of people writing rules and building rules is very, very hard in this world because things are moving so quickly. You know, what is the KMS you know threat surface? The threat attacks are just changing. 
And typically what happens when you write rules is they're either too narrow and you messed up or they're too broad you just get way too much noise. So there's automating the efficacy of the system. That's one that's really critical. The other one that is becoming more important is in the past it was called enforcement. And this is how do I automate a response to your efficacy. And in this scenario it were very, very early days. Some vendors have come out and said you know, we can do full remediation and blocking. And typically what happens is the DevOps team kind of gives the Heisman to the security team it says, "No, you're not doing that." You know this is my production servers, and my infrastructure that's you know running our business, you can't block anything without us knowing about it. So I think we're really early. I believe that you know we're going to move to a world that's more about orchestration and automation, where there's a set of parameters where you can orchestrate certain things or maybe an ops assist mode. You know for example, we have some customers that will send our alerts to Slack, then they have a Slack bot and they say, "Okay, is it okay that Bob just opened "an S3 bucket in this region, yes or no?" No, and then it runs a serverless function and closes it. So there's kind of a what we call driver assist mode versus you know full you know, no one behind the steering wheel today. But I think it's going to mature over time. >> Yeah, Dan one of the other big challenges customer has is that their environments are even more fragmented than they would in the past. So often they're leveraging multiple cloud providers, multiple SaaS providers then they have their hosting providers. And security is something that I need to have holistically across these environments but not have to worry about okay, do I have the skill set and understanding between those environments? 
Hopefully you know that's something you see out there and want to understand, you know how the security industry in general and maybe Lacework specifically is helping customers, get their arms a little bit more around that multi cloud challenge if you will? >> Yeah. So I totally agree things are you know, I think we have this Silicon Valley, West Coast bias that the world is all you know, great. And it says to utopia Kubernetes, modern infrastructure, everything runs up and down, and it's all you know super easy. The reality is much different. Even in the most sophisticated sets of infrastructure in the most sophisticated customers are very fragmented and diverse. The other challenge that security runs into is security in the past a lot of traditional security mindsets are all about point in time. And they're really all about inventory. So you know, I know used to be able to ask, you know a security person, how many servers do you have? Where are they? What are they doing this? They say, "Oh, you know we have 10 racks with 42 servers in each rack. "And here's our IP addresses." Nowadays, the answer is kind of like, "I don't know what time is it you know, "how busy is a service?" It's very ephemeral. So you have to have a system which can adapt with the ephemeral nature of everything. So you know in the past it was really difficult to spin up, say 10,000 servers in a Asia data center for four hours to do research you know. Security probably know if that's happening, you know they would know through a number of different ways could make big change control window would be really hard they have to ship the units, they bake them in you know, et cetera. Nowadays that's like three lines of code. So the security people have to know and get visibility into the changes and have an engine which can determine those changes and what the risk profile of those in near real time. 
>> Yeah it's the what we've seen is the monitoring companies out there now talking all about observability. Its real time, it's streamings. You know it reminds me of you know my physics. So you know Heisenberg's uncertainty principle when you try to measure something, you already can't because it's already changed. So what does that mean-- >> Dan: Yeah. >> You know what does security look like in my you know, real time serverless ever changing world? You know, how is it that we are going to be able to stay secure? >> Yeah, so I think there are some really positive trends. The first one is that this is kind of a reboot. So this is kind of a restart. You know there are things we've learned in the past that we can bring forward but it's also an opportunity to kind of clean the slate and think about how we can rebuild the infrastructure. The first kind of key one is that over time security in the traditional data center started understanding less and less about the application over time, what they did was they built this big fortress around it, some called it defense in depth you know, the Security Onion whatever you want to call it you know, the M&M'S. But they were really lacking in the understanding of the application. So now security really has to understand the application because that's the core of what's important. And that allows them to be smarter about what are the changes in their environment, and if those are good, bad or indifferent. The other thing that I think is interesting is that compliance was kind of a dirty word that no one really wanted to talk about. It was kind of this boring thing or auditors would show up once every six months go through a very complex checklist and say you're okay. Now compliance is actually very sophisticated. And the ability to look at your configuration in near real time and understand if you are compliant or following best practices is real. And we do that for our customers all the time. 
You know we can tell them how they're doing against the compliance standard within a you know, a minute timeframe. And we can tell that they're drifting in and out of that. And the last one and the one that I think most are excited about is really the journey towards least privileges and minimizing the scope of your attack surface within your developers and their access in your infrastructure. Now it's... We're pretty far from there, it's an easy thing to say it's a pretty hard thing to do. But getting towards and driving towards that journey of least privilege I think is where most people are looking to go. >> Alright Dan, I want to go back to something that we talked about early in the conversation, that relationship with the cloud providers themselves, so you know talking AWS, Azure, Google Cloud and the like. How should customers be thinking about how they manage security, dealing with them dealing with companies like Lacework and the ecosystem you mentioned in companies like Datadog and the New Relic? You know how do they sort through and manage how they can maintain those relationships? >> So there's kind of the layer eight relationships, of course which are starting you know in particular with the cloud providers, it's a lot more about bottoms up relationships and very technical understanding of product and features, than it is about being on the golf course, and you know eating steak dinners. And that's very different you know, security and buying IT infrastructure was very relationship driven in the past. Now you really especially with SaaS and subscriptions, you're really proving out your technology every day. You know I say kind of trust is built on consistent positive results over time. So you really have to have trust within your solution and within that service and that trust is built on obviously a lot of that go to market business side. 
But more often than not it's now being built on the ability for that solution to get better over time because it's a subscription. You know how do you deliver more features and increase value to the customer as you do more things over time? So that's really, really important. The other one is like, how do I integrate the technology together? And I believe it's more important for us to integrate our stack with the cloud provider with the adjacent spaces like APM and metrics and monitoring and with open source, because open source really is a core component to this. So how do we have the API's and integrations and the hooks and the visibility into all of those is really, really important for our customers in the market? >> Well Dan as I said at the beginning, security is such an important topic to everyone out there. You know we've seen from practitioners we talked to for the last few years not only is it a top issue it's a board level discussion for pretty much every company out there. So I want to give you the final word as to in today's you know modern era, what advice do you give to users out there to make sure that they are staying as secure as possible? >> Yeah so you know first and foremost, people often say, "Hey you know, when we build our business, "you know, it'd be a good problem to start have to worry "about customers and you know, "all kinds of people using the service. "And you know, we'll worry about security then." And it's easy lip service to say start it as early as possible. The reality is sometimes it's hard to do that. You've got all kinds of competing interests, you're trying to build a business and an application and everything else depending obviously, the maturity of your organization. I would say that this is a great time to kind of crawl, walk, run. And you don't have to think about it. If you're building in the cloud you don't have to think of the end game you know right away, you can kind of stair step into that. 
So you know my suggestion to people that are moving into the cloud is really think about compliance and configuration best practices first and visibility, and then start thinking of the more complex things like triage alerts and how does that fit into my workflow? How do I look at breaches down the line? Now for the more mature orgs that are taking, you know an application or a new application or Stack and just dropping it in, those are the ones that should really think about how do I fit security into this new world order? And how do I make it as part of the design process? And it's not about how do I take my existing security stack and move it over? That's like taking, you know a centralized application moving to the cloud and calling it cloud. You know if you're going to build in the cloud, you have to secure it the same way that you're building it in a modern way. So really think about you know, modern, you know new generation vendors and solutions and a combination of kind of your provider, maybe some open source and then a service, of course like Lacework. >> Alright well Dan Hubbard, thank you so much for helping us dig into this important topic Cloud Native security, pleasure talking with you. >> Thank you. Have a great day. >> And I'm Stu Miniman, your host for Cloud Native Insights and looking forward to hearing more of your Cloud Native Insights in the future. (upbeat music)
Kelsey Hightower, Google Cloud Platform | KubeCon + CloudNativeCon EU 2018
>> Announcer: Live from Copenhagen, Denmark, it's theCUBE covering KubeCon and CloudNativeCon Europe 2018. Brought to you by the Cloud Native Computing Foundation and its ecosystem partners. >> Hello, everyone, welcome back to theCUBE's exclusive coverage here in Copenhagen, Denmark for coverage of KubeCon 2018, part of the CNCF CloudNative Compute Foundation, part of the Linux Foundation, I'm John Furrier with my cohost, Lauren Cooney, the founder of Spark Labs. We're here with Kelsey Hightower, co-chair of the program as well as a staff engineer, developer, advocate, at Google Cloud Platform, a celebrity in the industry, dynamic, always great to have you on, welcome back. >> Awesome, good to be back. >> How are you feeling, tired? You've got the energy, day two? >> I'm good, I finished my keynote yesterday. My duties are done, so I get to enjoy the conference like most attendees. >> Great. Keynote was phenomenal, got good props. Great content format, very tight, moving things along. A little bit of a jab at some of the cloud providers. Someone said, "Oh, Kelsey took a jab at the cloud guys." What was that about, I mean, there was some good comments on Twitter, but, keeping it real. >> Honestly, so I work at a cloud provider, so I'm part of the cloud guys, right? So I'm at Google Cloud, and what I like to do is, and I was using Amazon's S3 in my presentation, and I was showing people basically like the dream of, in this case, serverless, here's how this stuff actually works together right now. We don't really need anything else from the cloud providers. Here's what you can do right now, so, I like to take a community perspective, When I'm on the stage, so I'm not here only to represent Google and sell for Google. I'm here to say, "Hey, here's what's possible," and my job is to kind of up-level the thinking. 
So that was kind of the goal of that particular presentation is like, here's all this stuff, let's not lock it all down to one particular provider, 'cause this is what we're here for, KubeCon, CloudNativeCon, is about taking all of that stuff and standardizing it and making it accessible. >> And then obviously, people are talking about the outcome, that that's preferred right now in the future, which is a multi-cloud workload portability. Kubernetes is playing a very key role in obviously the dev ops, people who have been doing it for many many years, have eaten glass, spit nails, custom stuff, have put, reaped the benefits, but now they want to make it easy. They don't want to repeat that, so with Kubernetes nice formation, a lot of people saying here on theCUBE and in the hallways that a de facto standard, the word actually said multiple times here. Interesting. >> Yeah, so you got Kubernetes becoming the de facto standard for computes, but not events, not data, not the way you want to compute those events or data, so the job isn't complete. So I think Kubernetes will solve a large portion of compute needs, thumbs up, we're good to go. Linux has done this for the virtualization layer, Kubernetes is doing it for the containerization, but we don't quite have that on the serverless side. So it's important for us all to think about where the industry is going and so it's like, hey, where the industry is moving to, where we are now, but it's also important for us to get ahead of it, and also be a part of defining what the next de facto standard should be. >> And you mentioned community, which is important, because I want to just bring this up, there's a lot of startups in the membership of CNCF, and when you have that first piece done, you mentioned the other work to be done, that's an opportunity to differentiate. This is the commercialization opportunity to strike that balance. Your reaction to that, how do you see that playing out? 
Because it is an opportunity to create some value. >> Honestly I'm wearing a serverless.com T-shirt right now, right, that's the startup in the space. They're trying to make serverless easy to use for everyone, regardless of the platform. I think no matter what side of the field you stand on, we need these groups to be successful. They're independent companies, they're going for ambition, they're trying to fill the gaps in what we're all doing, so if they're successful, they just make a bigger market for everyone else, so this is why not only do we try to celebrate them, we try to give them this feedback, like, "Hey, here's what we're doing, "here's what the opportunities are," so I think we need them to be successful. If they all die out every time they start something, then we may not have people trying anymore. >> And I think there's actually a serverless seg in the CNCF, right? And I think that they're doing a lot of great work to kind of start to figure out what's going on. I mean, are you aware what those guys are up to? >> Exactly, so the keynote yesterday was largely about some of the work they're doing. So you mentioned the serverless seg, and CNCF. So some of the work that they're doing is called cloud events. But they wanted to standardize the way we take these events from the various providers, we're not going to make them all work the same way, but what we can do is capture those events in a standard way, and then help define a way to transport those between different providers if you will, and then how those responses come back. So at least we can start to standardize at least that part of the layer, and if Google offers you value, or Amazon offers you value, you own the data, and that data generates events, you can actually move it wherever you want, so that's the other piece, and I'm glad that they're getting in front of it. 
>> Well I think goal is, obviously, if I'm using AWS, and then I want to use Azure, and then I want to go to Google Cloud, or I want my development teams are using different components, and features, in all of them, right? You want to be able to have that portability across the cloud-- >> And we say together, so the key part of that demo was, if you're using one cloud provider for a certain service, in this case, I was using Google Translate to translate some data, but maybe your data lives in Amazon, the whole point was that, be notified that your data's in Amazon, so that it can be fired off an event into Google, function runs a translation, and writes the data back to Amazon. There are customers that actually do this today, right? There are different pieces of stacks that they want to be able to access, our goal is to make sure they can actually do that in a standard way, and then, show them how to do it. >> A lot of big buzz too also going on around Kubeflow, that Google co-chaired, or co-founded, and now part of the CNCF, Istio service meshes, again, this points to the dots that are connecting, which is okay, I got Kubernetes, we got containers, now Istio, what's your vision on that, how did that play out? An opportunity certainly to abstract the weights of complexity, what's your thoughts on Istio? >> So I think there's going to be certain things, things like Istio, there are parts of Istio that are very low level, that if done right, you may never see them. That's a good thing, so Istio comes in, and says, "Look, it's one thing to connect applications together, which Kubernetes can help you do with this built-in service discovery, how does one app find the other app," but then it's another thing to lock down security and implement policy, this app can talk to this app under these conditions. Istio comes in, brings that to the playing field. Great, that's a great addition. 
Most people will probably wrap that in some higher-level platform, and you may never see it! Great! Then you mention Kubeflow, now this is a workflow, or at least an opinionated workflow, for doing machine-learning, or some analytics work. There's too many pieces! So if we start naming every single piece that you have to do, or we can say, "Look, we know there's a way that works, "we'll give it a name, we'll call it Kubeflow," and then what's going to happen there is the community's going to rally around actually more workflow, we have lots of great technology wrapped underneath all of that, but how should people use it? And I think that's what I'm actually happy to see now that we're in like year four or five of this thing, as people are actually talking about how to people leverage all of these things that fall below? >> As the IQ starts to increase with cloud-native, you're seeing enterprises, and there's levels of adoption, the early adopters, you know, the shiny new toy, are pushing the envelope, fast followers coming in, then you got the mainstream coming in, so mainstream, there's a lot of usage and consumption of containers, very comfortable with that, now they're bumping into Kubernetes, "Oh wow, this is great," different positions of the adoption. What's your message to each one, mainstream, fast followers, early adoptives, the early adoptives keep pushing, keep bringing that community together, form the community, fast forward. What's the position, what's the Kelsey Hightower view of each one of those points of the evolution? >> So I think we need a new model. So I think that model is kind of out now. Because if you look at the vendor relationships now, so the enterprise typically buys off the shelf when it's mature and ready to go. 
But at this point now, a lot of the library is all in the programming languages, if you see a language or library that you need, if it's on GitHub, you look around, it's like, "We're going to use this open-source library, "'cause we got to ship," right? So, they started doing early adoption maybe at the library level. Now you're starting to see it at the service level. So if I go to my partner or my vendor, and they say, "Hey, the new version of our software requires Kubernetes." Now, that's a little bit early for some of these enterprises to adopt, but now you're having the vendor relationship saying, "We will help you with Kubernetes." And also, a lot of these enterprises, it's early? Guess what, they have contributors to these projects. They helped design them. I remember back in the day, when I was in financial services, JPMC came out with their own messaging standard, so banks could communicate with each other. They gave that to Red Hat, and Red Hat turns it into a product, and now there's a new messaging standard. That kicked off ten years ago, and now we're starting to see these same enterprises contribute to Kubernetes. So I think now, there's a new model where, if it's early, enterprises are becoming the contributors, donating to the foundations, becoming members of things like CNCF, and on the flip side, they may still use their product, but they want a say in their future. >> So you can jump in at any level as a company, you don't need to wait for the mainstream, you can have a contributor, and in the front wave, to help shepherd through. >> Yeah, you need more say, I think when people bought typical enterprise software, if there wasn't a feature in there, you waited for the vendor to do it, the vendor comes up with their feature, and tells you it's going to cost another 200 million dollars for this add-on, and you have no say into the progress of it, or the speed of it. And then we moved to a world where there was APIs. 
Look, here's APIs, you can kind of build your own thing on top, now, the vendor's like, "You know what? "I'm going to help actually build the product that I rely on," so if vendor A is not my best partner right now, I could pick a different vendor and say, "Hey, I want a relationship, around this open-source "ecosystem, you have some features I like right now, "but I may want to be able to modify them later." I think that's where we are right now. >> Well I think also the emergence of open-source offices, and things like that, and, you know, enterprises that are more monolithic, have really helped to move things forward with their users and their developers. I'm seeing a lot of folks here that are actually coming from larger companies inside of Europe, and they're actually trying to learn Kubernetes now, and they are here to bring that back into their companies, that they want to know about what's going on, right? >> That's a good observation-- >> It's great. >> That open-source office is replacing the I'm the vendor management person. >> Well you need legal-- >> Exactly. >> And you need all of those folks to just get the checkmarks, and get the approval, so that folks can actually take code in, and if it's under the right license, which is super important, or put code back out. >> And it seemed to be some of the same people that were managing the IBM relationship. The people that were managing the big vendor relationship, right? This thing's going to cost us all this cash, we got to make sure that we're getting the right, we're complying with the licensing model, that we're not using more than we paid for, in case we get an audit, the same group has some of the similar skills needed to shepherd their way through the open-source landscape, and then, in many cases, hiring in some of those core developers, to sit right in the organization, to give back, and to kind of have that first-tier support. >> That's a really good point, Lauren. 
I think this is why I think CNCF has been so successful is, they've kind of established the guardrails, and kind of the cultural notion of commercializing, while not foregoing the principles of open-source, so the operationalizing of open-source is really huge-- >> I'm kind of laughing over here, because, I started the open-source organization at Cisco, and Cisco was not, was new to open-source, and we had to put open data into the Linux Foundation, and I just remember the months of calls I was on, and the lawyers that I got to know, and-- >> You got scar tissue to prove it, too. >> I do, and I think when we did CNCF, I was talking to Craig years ago when we kind of kicked that off, it was really something that we wanted to do differently, we wanted to fast track it, we had the exact license that we wanted, we had the players that we wanted, and we really wanted to have this be something community-based, which I think, Kelsey, you've said it right there. It's really the communities that are coming together that you're seeing here. What else are you seeing here? What are the interesting projects that you see, that are kind of popping up, we have some, but are there others that you see? >> Well, so now, these same enterprises, now they have the talent, or at least not letting the talent leave, the talent now is like, "Well, we have an idea, and it's not core "to our business, let's open-source it." So, Intuit just acquired this workflow, small little start-up project, Argo, they're Intuit now, and maybe they had a need internally, suck in the right people, let the project continue, throw that Intuit logo there, and then sometimes you just see tools that are just being built internally, also be productized from this open-source perspective, and it's a good way for these companies to stay engaged, and also to say, "Hey, if we're having this problem, "so are other people," so this is new, right? 
This open-source usually comes from the vendors, maybe a small group of developers, but now you're starting to see the companies say, "You know what, let's open-source our tool as well," and it's really interesting, because also they're pretty mature. They've been baked, they've been used, they're real, someone depends on them, and they're out. Interesting to see where that goes. >> Well yeah, Dirk Hohndel, from VMware, former Linux early guy, brought the same question. He says, "Don't confuse project with product." And to your point about being involved in the project, you can still productize, and then still have that dual relationship in a positive way, that's really a key point. >> Exactly, we're all learning how to share, and we're learning what to share. >> Okay, well let's do some self awareness here, well, for you, program's great, give you some props on that, you did a great job, you guys are the team, lot of high marks, question marks that are here that we've heard is security. Obviously, love Kubernetes, everyone's high-fiving each other, got to get back to work to reality, security is a conversation. Your thoughts on how that's evolving, obviously, this is front and center conversation, with all this service meshes and all these new services coming up, security is now being fought in the front end of this. What's your view? >> So I think the problem with security from certain people is that they believe that a product will come out that they can buy, to do security. Every time some new platform, oh, virtualization security. Java security. Any buzzword, then someone tries to attach security. >> It's a bolt-on. >> It's, yeah. So, I mean, most people think it's a practice. The last stuff that I seen on security space still applies to the new stack, it's not that the practice changed. Some of the threat models are the same, maybe some new threat models come up, or new threat models are aggravated because of the way people are using these platforms. 
But I think a lot of companies have never understood that. It's a practice, it will never be solved, there's nothing you can buy or subscribe to-- >> Not a silver bullet. >> Like antivirus, right? I'm only going to buy antivirus, as long as I run it, I should never get a virus. It's like, "No!" That's not how that works. The antivirus will be able to find things it knows about. And then you have to have good behavior to prevent having a problem in the first place. And I think security should be the same way, so I think what people need to do now, is they're being forced back into the practice of security. >> John: Security everywhere, basically. >> It's just a thing you have to do no matter what, and I think what people have to start doing with this conversation is saying, "If I adopt Kubernetes, does my threat model change?" "Does the container change the way I've locked down the VM?" In some cases, no, in some cases, yes. So I think when we start to have these conversations, everyone needs to understand the question you should ask of everyone, "What threat model should I be worried about, "and if it's something that I don't understand or know," that's when you might want to go look for a vendor, or go get some more training to figure out how you can solve it. >> And I think, Tyler Jewell was on from Ballerina, and he was talking about that yesterday, in terms of how they actually won't, they assume that the code is not secure. That is the first thing that they do when they're looking at Ballerina in their programming language, and how they actually accept code into it, is just they assume it's not secure. >> Oh exactly, like at Google we had a thing, we called it BeyondCorp. And there's other aspects to that, if you assume that it's going to be bad if someone was inside of your network, then pretend that someone is already inside your network and act accordingly. >> Yep, exactly, it's almost the reverse of the whitelisting. 
Alright, so let me ask you a question, you're in a unique position, glad to have you here on theCUBE, thanks for coming on and sharing your insights and perspective, but you also are the co-chair of this progress, so you get to see the landscape, you see the 20 mile stare, you have to have that long view, you also work at Google, which gives a perspective of things like BeyondCorp, and all of the large-scale work at Google, a lot of people want to, they're buying into the cloud-native, no doubt about it, there's still some educational work on the peoples' side, and process, and operationalizing it, with open-source, et cetera, but they want to know where the headroom is, they want to know, as you said, where's the directionally correct vector of the industry. So I got to ask you, in your perspective, where's all this going? For the folks watching who just want to have a navigation, paint the picture, what's coming directionally, shoot the arrow forward, as service meshes, as you start having this service layer, highly valuable, creative freedom to do things, what's the Kelsey vision on-- >> So I think this world of computing, after the mainframe, the mainframe, you want to process census data, you walk up, give it, it spits it back out. To me, that is beautiful. That's like almost the ultimate developer workflow. In, out. Then everyone's like, "I want my own computer, "and I want my own programming language, "and I want to write it in my basement, "without the proper power, or cords, or everything, "and we're all going to learn how "to do computing from scratch." And we all learnt, and we have what we call a legacy. All the mistakes I've made, but I maintain, and that's what we have! But the ultimate goal of computing is like the calculator, I want to be able to have a very simple interface, and the computer should give me an answer back. So where all this is going, Istio, service mesh, Kubernetes, cloud-native, all these patterns. Here's my app, run it for me. 
Don't ask me about auto scale groups, and all, run it for me. Give me a security certificate by default. Let's Encrypt. Makes it super easy for anyone to get a TLS certificate rotated to all the right things. So we're slowly getting to a world where you can ask the question, "Here's my app, run it for me," and they say, "Here's the URL, "and when you hit this URL, we're going to do "everything that we've learned in the past "to make it secure, scalable, work for you." So that may be called OpenShift, in its current implementation with Red Hat, Amazon may call it Lambda, Google Cloud may call it GKE plus some services, and we're never going to stop until the experience becomes, "Here's my app, run it for me." >> A resource pool, just programmability. And it's good, I think the enterprises are used to lifting and shifting, I mean, we've been through the evolution of IT, as we build the legacy, okay, consolidation, server consolidation, oh, hello VMs, now you have lift and shift. This is not a lift and shift kind of concept, cloud-native. It is a-- >> It doesn't have to be a lift and shift. So some people are trying to make it a lift and shift thing, where they say, "Look, you can bolt-on some of the stuff "that you're seeing in the new," and some consultants are like, "Hey, we'll sit there and roll up the sleeves, "and give you what we can," and I think that's an independent thing from where we're pushing towards. If you're ready, there's going to be a world, where you give us your code, and we run it, and it's scary for a lot of people, because they're going to be like, "Well, what do I do?" "What knobs do I twist in that world?" So I think that's just, that's where it's going. >> Well, in a world of millions of services coming out on the line, it's in operating, automation's got to be key, these are principles that have to go get bought into. I mean, you got to understand, administration is the exception, not the rule. This is the new world. 
It's kind of the Google world, and large-scale world, so it could be scary for some. I mean, you just bump into people all the time, "Hey Kelsey, what do I do?" And what do you say to them? You say, "Hey, what do I do?" What's the playbook? >> Often, so, it's early enough. I wasn't born in the mainframe time. So I'm born in this time. And right now when you look at this, it's like, well, this is your actual opportunity to contribute to what it should do. So if you want to sit on the sidelines, 'cause we're in that period now, where that isn't the case. And everyone right now is trying to figure out how to make it the case, so they're going to come up with their ways of doing things, and their standards, and then maybe in about ten years, you'll be asked to just use what we've all produced. Or, since you're actually around early enough, you can participate. That's what I tell people, so if you don't want to participate, then you get the checkpoints along the way. Here's what we offer, here's what they offer, you pick one, and then you stay on this digital transformation to the end of time. Or, you jump in, and realize that you're going to have a little bit more control over the way you operate in this landscape. >> Well, jumping in the deep end of the pool has always been the philosophy, get in and learn, and you'll survive, with a lot of community support, Kelsey, thanks for coming on, final question for you, surprise is, you're no longer going to be the co-chair, you've co-chaired up to this point, you've done a great job, what surprised you about KubeCon, the growth, the people? What are some of the things that have jumped out at you, either good, surprise, what you did expect, not expect, share some commentary on this movement, KubeCon and CloudNative. >> Definitely surprised that it's probably this big this fast, right? I thought people, definitely when I saw the technology earlier on, I was like, "This is definitely a winner," "regardless of who agrees." 
So, I knew that early on. But to be this big, this fast, and all the cloud providers agreeing to use it and sell it, that is a surprise, I figured one or two would do it. But to have all of them, if you go to their website, and you read the words Kubernetes' strong competitors, well alright, we all agree that Kubernetes is okay. That to me is a surprise that they're here, they have booths, they're celebrating it, they're all innovating on it, and honestly, this is one of those situations that, no matter how fast they move, everyone ends up winning on this particular deal, just the way Kubernetes was set up, and the foundation as a whole, that to me is surprising that it's still true, four years later. >> Yeah, I mean rising tide floats all boats, when you have an enabling, disruptive technology like Kubernetes, that enables people to be successful, there's enough cake to be eating for everybody. >> Awesome. >> Kelsey Hightower, big time influencer here, inside theCUBE cloud, computing influencer, also works at Google as a developer advocate, also co-chair of KubeCon 2018, I wish you luck in the next chapter, stepping down from the co-chair role-- >> Stepping down from the co-chair, but always in the community. >> Always in the community. Great voice, great guy to have on theCUBE, check him out online, his great Twitter feed, check him out on Twitter, Kelsey Hightower, here on theCUBE, I'm joined here by Lauren Cooney, be right back with more coverage here at KubeCon 2018, stay with us, we'll be right back. (bright electronic music)