>>Hello, welcome back to the cubes coverage of Monaco, crypto summit presented by digital bits. It's a conference where a lot of the people using digital bits and the industry coming together around the future of crypto in the applicates got a great guest garage, rod cot, founder, and CEO of an innovative company. Love this co I love this company, Luke mogul, Rob, thanks for coming on the queue. Appreciate it. Oh, >>Thank you for having >>Us. Yeah. So I checked out what you guys are doing. You've got the sports metaverse angle going on with super valuable, cuz sports is super entertaining. Uh, people are engaged. There's huge fan base, huge online now, digital convergence going on with the physical, you know, you see all kinds of sports betting going on now everything's going digital. There's a whole nother consumer experience going on with sports and the game is still the same on the, on the field or so to, or the court. That's correct. Yeah. Now it's going to digital take a minute to explain what you guys are working on. >>Yeah, so yes, we are building out a sports ERs where we are bringing athletes, whether they're NBA stars, NFL stars, w N B a many of those athletes into meows giving them the ownership of the entire, um, meows commerce along with gameplay. So that's something from our perspective, this, uh, this is something that we're focused on. We're building out stadiums. Athletes can own stadiums. Athlete can create their own training centers, media hubs. Um, and imagine Lisa, Leslie for example, is building out a woman leadership sports academy, right? We have Michael Cooper building out defensive academy. So those are all the brands. We have 174 NBA w N B stars. And, um, and we are building out this, >>The brand is the brand, is the platform that's correct. That's the trend we're seeing. And it's, it's also an extension of their reach in community. So there's, they can convert their star power and athlete with owner's approval. If they probably write it on to the contracts, he, they can imagine all the complications, but they bring that online and extend that energy and brand equity yep. To fans and social network. Yeah. >>And many of these athletes are tremendous successful in their web two careers, right? Yeah. Um, some are current athletes, some are former athletes, but they have built such a brand persona where people are following them on Instagram. For example, Carlos Boozer. He has like almost 6 million followers between Twitter and Instagram and those kind of brands are looking or how do I give back to the community? How do I engage with my community and web three? And especially with our platform, we are giving that power back to the players. >>So you guys got some big names booers on there. You mentioned Carlos Boozer. You mentioned that Lisa, Leslie others among others, Michael Cooper throw back to the old Lakers, uh, magic. Johnson's kind actually here in crypto. We just saw him in the lobbies and in dinner and the other night, um, at Nobu, um, you got a lot of NBA support. Take a take, take, even explain how you're working this angle. Uh, you got some great traction, uh, momentum. Um, you got great pedigree, riot games in your career. Uh, you kind of get the world, the tech world, the media world, as it comes together. What's the secret sauce here? Is it the NBA relationship combination of the team explained >>It's really focusing on what, uh, we are building on me was focusing on players first, right? So players are literally, we call our platform as, uh, owned by the players, made for the players. Uh, and engagement is really all done through the players, right? So that's our key sauce. And when we worked out with NBA, we, we are part of the NBA BPA acceleration program for 2022 that is funded by a six Z, uh, and, and many others. Um, and our partnership with league is very critical. So it's not only partnered with player association partnered with leagues, whether it's NBA, w N B a NFL. So those are the venues. And this becomes almost a program, especially for athletes to really generate this lifetime engagement and royalty model because some of this famous athletes really want to give back to the communities. So like for example, I use Lisa Leslie a lot, but Lisa, Leslie really wants to empower women leadership, leadership, and really help, um, women in sports, for example. Right? So those are the angles that, um, that really people are excited about. >>Well, for the people watching that might not understand some of the ins and outs of sports and, and rod, your background in your team, it's interesting. The sports teams have been on the big day to train for many, many years. You look at all the stadiums. Now they've got mobile devices, they got wifi under the chairs. They use data and technology to manage the team. Mm-hmm, <affirmative> manage the stadium and venue and operations suppliers, whatnot. And then also the fans. So you, they, they got about a decade or so experience already in the digital world. This is not new to the, to the sports world. Yeah. So you guys come to the table kind of at a good time. >>Yeah. Especially the defi of the sports, right? So there's a defi of the finance, but this is the really, uh, a, a decentralization of the sports is something that there's a lot of traction. And there are many companies that are really focusing on that. Our focus obviously is players first, right? How do we give power to the players? Uh, and those are really driving the entire engagement. And also the brands >>How's the NBA feel about this because, you know, you got the NBA and you get the team, you got the owners. I mean, the democratization of the players, which I love by the way that angle kind of brings their power. Now's the new kind of balance of power. How is the NBA handling this? What's some of the conversations you've had with the, the organization. >>Yeah. So obviously there are a lot of things that, uh, people have to be careful about, right? They have existing contracts, existing, digital media rights. Um, so that's something that, uh, we have to be very tactful when we are working with NBA and NPA, uh, on what we can say, we cannot say. So that is obviously they have a lot of existing multimillion or billion dollar contracts that they cannot void with the web because the evolution of web three, >>You know, I love, uh, riffing on the notion of contract compliance when there's major structural change happening. Remember back in baseball, back in the days before the internet, the franchise rights was geographic territory. Mm-hmm <affirmative> well, if you're the New York Yankees, you're doing great. If you're Milwaukee, you're not doing too good, but then comes the internet. That's good. That's no geography. There's no boundaries. That's good. So you're gonna have stadiums have virtual Bo. So again, how do they keep up with the contracts? Yeah. I mean, this is gonna be a fundamental issue. >>That's >>Good. Good. And I think if they don't move, the players are gonna fill that void. >>That's correct. Yeah. And especially with this, this an IL deal, right. That happened for the players, uh, especially college athletes. So we are in process of onboarding 1.5 million college athletes. Uh, and those athletes are looking for not only paying for the tuition for the colleges, but also for engagement and generating this early on, uh, >>More okay. Rod, we're gonna make a prediction here in the cube, 20, 20 we're in Monaco, all the NBA, NHL, the teams they're gonna be run by player Dows. Yeah. What do you think? A very good prediction. Yeah. Very good prediction. Yeah. I mean you, I mean, that's a joke, I'm joking aside. I mean, it's kind of connecting the dots, but you know, whether that happens or not, what this means is if this continues to go down this road, that's correct. Get the players collectively could come together. Yeah. And flip the script. >>Yeah. And that's the entire decentralization, right. So it's like the web three has really disrupted this industry as you know. Um, and, and I know your community knows that too. >>Of course, course we do. We love it. >>Something from sports perspective, we are very excited. >>Well, I love it. Love talking. Let's get to the, to the weeds here on the product, under the hood, tell about the roadmap, obviously NFTs are involved. That's kind of sexy right now. I get the digital asset model on there. Uh, but there's a lot more under the coverage. You gotta have a platform, you gotta have the big data and then ultimately align into connecting other systems together. How do you view the tech roadmap and the product roadmap? What's your vision? >>Yeah. So the, the one thing that you had to be T full, uh, as a company, whether it's LUT, mogul or any other startup, is you have to be really part of the ecosystem. So the reason why we are here at Monaco is that we obviously are looking at partnership with digital bits, um, and those kind of partnership, whether it's fourth centric, centric are very critical for the ecosystem in the community to grow. Um, and that's one thing you cannot build a, another, uh, isolated metaverse right? So that's one thing. Many companies have done it, but obviously not. >>It's a wall garden doesn't work. >>Exactly. So you have to be more open platform. So one things that we did early on in our platform, we have open APIs and SDKs where not only you as an athlete can bring in your, uh, other eCommerce or web, uh, NFTs or anything you want, but you can also bring in other real estate properties. So when we are building out this metaverse, you start with real estate, then you build out obviously stadiums and arenas and academies training academies, but then athletes can bring their, uh, web commerce, right. Where it's NFT wearables shoe line. So >>Not an ecosystem on top of Luke Mo. So you're like, I'm almost like you think about a platform as a service and a cloud computing paradigm. Yeah. Look different, not decentralized, but similarly enabling others, do the heavy lifting on their behalf. Yeah. Is that right? >>So that's correct. Yes. So we are calling ourself as the sports platform as a service, right. So we want to add the word sports because we, uh, in, in many contexts, right. When you're building metaverse, you can get distracted with them, especially we are in Los Angeles. Right. >>Can I get a luxury box for the cube and some of the metaverse islands and the stadiums you're doing? >>We, we are working >>On it. We're >>Definitely working on, especially the, uh, Los Angeles, uh, stadium. Yeah. >>Well, we're looking for some hosts, anyone out there looking for some hosts, uh, for the metaverse bring your avatar. You can host the cube, bro. Thanks for coming on the cube. Really appreciate. What's the, what's next for you guys, obviously, continuing to build momentum. You got your playful, how many people on the team what's going on, give a plug for the company. What are you looking for share with the audience, some of the, some of your goals. Yeah. >>So, uh, the main thing we're looking for is really, um, from a brand perspective, if you are looking at buying properties, this would be an amazing time to buy virtual sports stadium. Um, so we are, obviously we have 175 stadiums in roadmap right now. We started with Los Angeles. Then we are in San Francisco, New York, Qatar, Dubai. So all those sports stadiums, whether they're basketball, football, soccer are all the properties. And, uh, from a community perspective, if you want to get an early access, we are all about giving back to the community. Uh, so you can buy it at a much better presale price right now. Uh, so that's one, the second thing is that if you have any innovative ideas or a player that you want to integrate into, we have an very open platform from a community engagement perspective. If you have something unique from a land sale perspective yeah. Or the NFD perspective plug, contact us at, at Raj lumo.com. >>And I'm assuming virtual team, you in LA area where where's your home. >>So, yeah, so I live in Malibu, um, and our office is in Santa Monica. We have an office in India. Uh, we have few developers also in Europe. So, uh, and then we are team of 34 people right now >>Looking to hire some folks >>We are looking for, what >>Are you, what are you looking for? >>So, uh, we are looking for a passionate sports, uh, fanatics. >>It's a lot, not hard to find. Yeah. >><laugh> who knows how to also code. Right? So from blockchain perspective, we are, uh, chain agnostic. Uh, but obviously right now we are building on polygon, but we are chain agnostic. So if you have any blockchain development experience, uh, that's something we, we are looking for. Yeah. >>RA, thanks for coming out. Luke Mo check him out. I'm John furry with the cube here in Monaco for the mono crypto summit presented by digital bits. We got all the action, a lot of great guests going on, stay with us for more coverage. Um, John furrier, thanks for watching.

(upbeat music) >> Welcome to theCUBE. I'm Dave Nicholson, and this is part of the continuing conversation about Managing Risk in the Digital Supply Chain. I have with me today Vincent Danen, vice president of product security from Red Hat and Luke Hines security engineering lead from the office of the CTO at Red Hat. Gentlemen, welcome to theCUBE. >> Thank you. >> Great to be here. >> So let's just start out and dive right into this, Vincent, what is the software or digital supply chain? What are we talking about? Yeah, that's a good question. Software supply chain is basically the software that an end user would get from a vendor or in our case, we're talking about open source, so upstream. It is the software that comes in that is part of your package, operating system, applications. It could be something that you get from one vendor, multiple vendors. So we look at in the example of Red Hat, we are one part of the customer's software supply chain. >> So it's interesting that it's coming in from different areas. Do we have a sense for the ratio of kind of commercial software versus open source software that makes up an enterprise today? >> I think that's a really hard thing to answer and I think every enterprise or every company would have a little bit different. Depends if you have an open source vendor that you choose, you may get a significant amount of software from them. Certainly you're not going to get it all. As an example, Red Hat provides thousands of open source packages. We certainly can't provide all of them. There are millions that are out there. So when you're looking at a specific application that you're building, chances are, you could be running that on a managed platform or an enterprise supply platform, but there are going to be packages that you're going to be obtaining from other sources in other communities as well in order to power your applications. >> So, Luke, that sounds like a kind of a vague situation we're looking at in terms of where all of our software is coming from. So what do we need to know about our software supply chain in that context? What do we need to understand? Before we even get anywhere near the idea of securing it, what are some of the issues that arise from that? >> Yeah, so Vincent's touchpoint is a very wide range in ecosystem, multiple sources when we're talking about open source. So essentially awareness is key really. I think a lot of people are really not aware of the sources that they're drawing from to create their own supply chain. So there's multiple supply chains. You can be somebody like Red Hat that the provide software, and then people will leverage Red Hats for their own supply chain. And then you have the cloud provider and they have their own source of software. So I think that the key thing is the awareness of how much you rely upon that ecosystem before we look at the security of the supply chain. It's really understanding your supply chain. >> And just to follow up on that. So can you... I'm sort of checking my own level of understanding on this subject. When you talk about open source code, you're talking about a code base that is often maintained essentially by volunteers, isn't that correct? >> A mix of volunteers and paid professionals where a company has an interest in the open source project, but predominantly I would say it's... Well, I'm not entirely sure, but volunteers make up a substantial part of the ecosystem that is for sure. So it's a mix really. Some people do it because they enjoy writing software. They want to share software. Other people also enjoy working software, but they're in the position that a company pays for them to work on that software. So it's a mix of both. >> Vincent, give us a reminder of reminder of why this is important from a little bit of a higher level. Step back from the data center view of things, from the IT view of things, just from a societal perspective, Vincent, what happens when we don't secure our digital supply chain? What are the things that are put at risk? >> Okay, well, there's a significant number of things that are placed at risk, the security of the enterprise itself. So your own customer data, your own internal corporate data is place at risk if there were a supply chain breach. But further to that for a software provider, and I think that in a lot of cases, most companies today are software providers or software developers. You actually put your own customers at risk as well, not just their data, but their actual... The things that they're working on, any workloads that they may have, an order that they might place as an example. So there's a number of areas where you want to have the security of that supply chain and the software components that you have figured out. You want to be on top of that because there is that risk that trickles down when it comes to an event. I mean, we've seen that with breaches earlier this year, one company is breached multiple companies end up being breached as a result of that. So it's really important. I think we all have a part to play in that I always view it as it's not just about the company itself. So I mean, speaking from a Red Hat perspective, I don't look at it as we're just securing Red Hat, we're securing our customers, and then we're also doing that for their customers as well, because they're writing software that's running on the software that we're providing to them. So there is this trickle down effect that comes, and so I think that every link in that chain, I mean, it's wonderful that it's called a supply chain. It's only as strong as its weakest link. So our view is how do we strengthen every link in that chain? And we're one part of it, but we're kind of looking a little broader, what can we do upstream and how can we help our customers to ensure the security of their part in that supply chain? >> Yeah, I want to talk about that in a broad sense, but let's see if we can get a little bit more specific in terms of what some of the chains look like because it's not just really one chain when you think about it, there's the idea of inherent flaws that can be caught and then there are the things that bad actors might be doing to leverage those flaws. So you've got all of these different things that are converging. So first and Vincent, if you want to toss this to Luke back and forth, it's up to you guys. What about this issue of inherent flaws in code? We referenced this idea of the maintainer community. What are best practices for locking that down to make sure that there aren't inherent flaws or security risks? >> I'll take a stab at it, and then I'll let Luke follow up with maybe some of the technologies that Red Hat provides. And again, speaking to Red Hat as part of that chain. When we're talking about inherent risk, there's a vulnerability that's present upstream. We pull that software to Red Hat. We package it as a component of one of the pieces of software that we provide to our customers. It's our responsibility to pay attention to those upstream potential vulnerabilities, potential risks, and correct them in our code. So that might be taking a patch from upstream, applying it to our software, might be grabbing the latest version from upstream, whatever the case might be, but it's our responsibility to provide that protection for that software to actually remediate that risk, and then our customers can then install the update and apply the mitigation themselves. If we take a look at it from, when we're looking at multiple suppliers where you'd asked earlier about, what part of it is Red Hat and what part of it is self-service open source? When you look at that, the work that Red Hat's doing there as a commercial provider of open source and end user for that little bit that they're going to grab themselves, that Red Hat doesn't provide, it's going to have to do all of those things as well. They're going to have to pay attention to that risk from upstream. They're going to have to pay attention to any potential vulnerabilities and pull that in to figure out, do I need to patch? Where do I need to patch it? And that's something we didn't really touch on was an inventory of the software that you have in place. I mean, you don't know that you need to fix something. You don't even know that it's running. So, I mean, there's a lot of considerations there where you have to pay attention to a lot of sources. Certainly there's metadata, automation, all of these things that make it easier, but it doesn't absolve us of the responsibility across the board to pay attention to these things, whether you're grabbing it from upstream directly or from the vendor. And it's the vendor's responsibility to then be paying attention to things upstream. >> Yeah, so Luke, I want you to kind of riff on that from the perspective that let's just assume that Vincent was just primarily talking about the idea that, okay, we've established that this code is solid and we've got gold copy of it and we know it's okay. There aren't inherent problems in the code as far as we can tell. Well, that's fine. I'm a developer. I go out to pull code and to use. How do I know if it's not been tampered with? How do I know if it's in fact the code that was validated during this process before? What do you do about that? >> So there's several methods there, but I just like to loop back to that point, because I think this is really interesting around, so if you look at a software supply chain, this is a mix of humans and machines, and both have flaws, probably humans a bit more. And a supply chain, you have developers. You have code reviewers, you have your systems administrators that set up the systems, and then you have your machine actors. So you've got your build systems, the various machines that are part of that supply chain. Now the humans, there's a as an attack factor there 'cause typically they will have some sort of identity, which they leverage for access to the supply chain. So quite often a developer's identity can be compromised. So a lot of the time people will have a corporate account that gives them some sort of single sign on access to multiple systems. So the developers are coming and this could be somebody in the community as well. Their account is compromised, then they're able to easily backdoor systems. So that's one aspect. And then there is machines as well. There's the whole premise of machines software not being up to date. So when the latest nasty vulnerability is released, machines are updated, then the machines have their flaws. They can be exploited. So I would say it's not just a technical problem. There is a humanistic element to this as well around protecting your supply chain. And I would say a really good perspective to carry when you're looking to, how do I secure my supply chain is treat it like you would a production system. So what do I mean by that? When we put something into production and we've got this very long legacy of treating it with a very strict security context around who can access that people, okay. How much it's upgraded and it's patched? And we seem to not have this same perception around our supply chain and our build systems, the integrity of those, the access of those, the policy around the access and so forth. So that's one giveaway that I would say is a real key focus that you should have is treat it like a production system. Be very mindful about what you're bringing in, who can access it because it is the keys to the kingdom, because if somebody compromises your supply chain, your build systems and so forth, they can compromise the whole chain because the chain is only as strong as the weakest link. So that's what I draw upon it. And around the verifications, there is multiple technologies that you can leverage. So Red Hat, we've got a very robust sign in system that we use so that you can be sure that the packages that we get you have non-repudiation that they've been produced by Red Hat. When you update your system, that's automatically looked after. And there are other systems as well, there's other new technologies that are starting to get a foothold around the provenance of aspects of your build system. So when you're pulling in from these multiple sources of open source communities, you can have some provenance around what you're putting in as well. And yeah, I don't want to bite share too much on the technologies, but there's some exciting stuff starting to happen there as well. >> So let's look at an example of something, because I think it's important to understand all of these different aspects. Recently, I think actually still in the news, we found that some logging software distributed by Apache that's widely used in people's websites to gather information about... To help from a security perspective and to help developers improve things that are going on in websites. A vulnerability was discovered. I guess, first Alibaba, some folks were reported it directly to some folks at Apache and the Apache Organization. And then of all people, some folks from Minecraft mentioned it in a blog. That seems like a crazy way to find out about something that's a critical flaw. Now we're looking at this right now with hindsight. So with hindsight, what could we have done to not be in the circumstances that we're in right now? Vincent, I'll toss that to you first, but again, if Luke is more appropriate, let us know. >> No, it's a great question, and it's a hard question. >> How did you let this happen, Vincent? How did you let this happen? >> It wasn't me, I promise. (Dave laughs) >> What I mean, it's a challenging question I mean, and there's a number of areas where we focused on a lot of what we perceived as critical software. So it comes to web server applications, DNS, a number of the kind of the critical infrastructure that powers the internet. Right or wrong. Do we look at logging software as a critical piece of that? Well, maybe, maybe we should, right? Logging is definitely important as part of an incident response or just an awareness of what's going on. So, I mean, yeah, it probably should have been considered critical software, but I mean, it's open source, right? So there's a number of different logging applications. I imagine now we're scrutinizing those a little bit more, but looking beforehand, how do you determine what's critical until an event like this happens, and it's unfortunate that it happens. And I like to think of these as learning opportunities, and certainly not just for Red Hat, but for this (talking over each other) >> Certainly this is not... Yeah, this is not an indictment of our entire industry. We are all in this together and learning every day. It just highlights how complex the situation is that we're dealing with, right? >> It really is. And I mean, a lot of what we're looking at now is how do we get tools into the hands of developers who can catch some of these things earlier. And there's a lot of commercial offerings, there's a lot of open source tools that are available and being produced that are going to help with these sorts of situations moving forward. But I mean, all the tools on the planet aren't going to help if they're not being used. So, I mean, there has to be an education and an incentive for these developers, particularly, maybe in some upstream communities where they are labors of love and they're passionate projects they're not sponsored or backed by a corporation who's paying for these tools, to be able to use some of them and move that forward. I think that looking at things now, there is work to be done. Obviously there's always going to be work to be done. Not all of these tools, and we have to recognize this, they're not all perfect. They're not going to catch everything. These tools could have been... I mean, I don't know if they were running these tools or not, they could have been, and the tool simply could not have picked them up. So part of it is the proactive part. We talk a lot about shift left and moving these things earlier into the development process and that's great, and we should do it. It certainly should never be seen as a silver bullet or a replacement for a good response. And I think the really important thing to highlight with respect to this, and I mean, this touches on the supply chain issue as well, companies, especially those who never maybe saw themselves as a software development company really have to figure out and understand how to do appropriate response. Part of that is awareness, what do you have installed? Part of it is sources of information. Like how do I find out about a new vulnerability or a potential vulnerability? And then it's just the speed to respond. We know that a number of companies they have, maybe it's a Patch Tuesday, maybe it's a patch 26th of the month, maybe it's patch day of the quarter, we have to learn how to respond to these things quickly so that we can apply these mitigations and these fixes as quickly as possible to them protect ourselves and protect the end users or customers that we have, or to keep the kids from using some backdoors in Minecraft is the word. >> (laughs) Yeah. Look, this is an immensely important subject. To wrap us up on this, Luke, I'd like you to pretend that you just got into an elevator in a moderately tall building, and you have 60 seconds to share with me someone who already trusts you, you don't have to convince me of your credentials or anything. I trust you. What tools specifically do you need me to be running, tools and processes. You've got 60 seconds to say, Dave, if you're not doing these things right now, you're unnecessarily vulnerable. So ready, and go, Luke. >> So automatically update all packages. Always stay up-to-date so that when an issue does hit, you're not having to go back 10 versions and work your way forward. That's the key thing. Ensure that everything you pull in, you're not going to have 100%, but have a very strict requirement that there is non-repudiation, is signed content, so you can verify that it's not being tampered with. For your developers that are producing code, run static, dynamic analysis, API fuzzes, all of these sorts of tools. They will find some vulnerabilities for you. Be part of communities. Be part of communities, help chop the wood and carry the water because the log for Jay, the thing is that was found because it was in the open. If it wasn't any open, it wouldn't have been found. And I've been in this business for a long time. Software developers will always write bugs. I do. Some of them will be security bugs. That's never going to change. So it's not about stopping something that's inevitable. It's about being prepared to react accordingly in our right and correct manner when it does happen so that you can mitigate against those risks. >> Well, we're here on the 35th floor. That was amazing. Thank you, Luke. Vincent, you were in the elevator also listening in on this conversation. Did we miss anything? >> No, I mean, the only thing I'll say is that it's really helpful to partner with an enterprise open source provider, be it Red Hat or anybody else. I don't want to toot our own horn. They do a lot of that work on your behalf that you don't have to do. A lot of the things that Luke was talking about, those providers do, so you don't have to. And that's where you.. I liked that you talked about, hey, you don't have to convince me that I'm trusted, or that I trust you. Trust those vendors. They're literally here to do a lot of that heavy lifting for you and trust the process. Yeah, it's a very, very good point. And I know that sometimes it's hard to get to that point where you are the trusted advisor. Both of you certainly are. And with that, I would like to thank you very much for an interesting conversation. Gentlemen, let's keep in touch. You're always welcome on theCUBE. Luke, second time, getting a chance to talk to you on theCUBE personally. Fantastic. With that, I would like to thank everyone for joining this very special series on theCUBE. Managing risk in the digital supply chain is a critical topic to keep on top of. Thanks for tuning into theCUBE. We'll be back soon. I'm Dave Nicholson saying, thanks again. (upbeat music)

>> So Alex, we're going to do, this is a different segment so I'll do a break, okay. What's that? Yeah, yeah. The 2019 SolarWinds hack represents a new threat milestone in the technology industry. The hackers, they patiently waited and evolved their intrusion over several years, literally. They lived in stealth. They tested, they retested their techniques and they use very sophisticated methods to get into email systems, networks, authentication systems, and numerous points in the software supply chain to replicate the malicious code at massive scale. Now they use techniques like they would insert malware steal data, and then they'd remove the malicious code before it was discovered. And so many other advanced approaches were used to cover their tracks. Now the really scary thing about this breach is people often think, oh, I'm good. Thankfully, I don't use SolarWinds, but it's not true. You're not safe because the domino effect of this hack has created massive concerns. We actually, to this day, we don't know the true scope of this attack and who really was impacted. And we may never know. Connecting all the dots on this breach is extremely difficult. Moreover, new threats like those exposed in the recent Log4j vulnerability, seemed to hit the news cycle weekly. And they further underscore the risk to organizations, not just large companies by the way, but small businesses, mid-size organizations and individuals. Hello, my name is Dave Vellante, and welcome to theCUBE's special look at managing risk in the digital supply chain, made possible by Red Hat. Today we're going to hear from some of the top experts that will help you better understand how to think about the exposures in the software supply chain, some of the steps we can all take to reduce our risks and how an endless game of escalation will likely play out over the next decade. Up next is our first segment hosted by Dave Nicholson of theCUBE. He's with Luke Hinds and Vincent Danen of Red Hat. They're going to talk about where the greatest threats exist. How to think about open source versus other commercial software. And discuss ways organizations can reduce their risks going forward. Let's get started. I'm going to do that again. Same one, I'll do each one twice. The 2019 SolarWinds hack represents a new threat milestone in the technology industry. The hackers, they patiently waited and evolved their intrusion over several years, literally. They lived in stealth. They tested and they retested their techniques and used very sophisticated methods to get into email systems, networks, authentication systems in numerous points in the software supply chain to replicate the malicious code at massive scale. They would use techniques like inserting malware and then they would steal data. And then they would remove the code before it was discovered. And they use many other advanced approaches to cover their tracks. The really scary thing about this breach is, people often think, oh, well, I'm good. Thankfully, I don't use SolarWinds, but it's not true you're not safe, because the domino effect of this hack it's created a massive massive concerns throughout the industry. We actually to this day, we don't know the true scope of this attack and we don't even know who was impacted. We may never know. So connecting all the dots in this breach is extremely difficult. Moreover, new threats like those exposed in the recent Log4j vulnerability, they seem to hit the news like weekly. And they further underscore the risks that organizations face, not just large companies by the way, small businesses, mid-size organizations and individuals. Hello, my name is Dave Vellante, and welcome to theCUBE's special look at managing risk in the digital supply chain, made possible by Red Hat. Today, we're going to hear from some of the top experts that will help you better understand how to think about the exposures in the software supply chain, some of the steps that we can all take to reduce our risks and how an endless game of escalation is likely going to play out over the next decade. Up next is our first segment hosted by Dave Nicholson of theCUBE. He's with Luke Hinds and Vincent Danen of Red Hat. They're going to talk about where the greatest threats exist and how to think about open source versus other commercial software. And discuss ways that organizations can reduce their risk going forward. Let's get started. When we return Andrea Hall, a specialist solution architect and project manager for security and compliance, along with Andrew Block, who is a distinguished architect, both from Red Hat will join me. You're watching theCUBE, the global leader in enterprise tech coverage. Now when we return Andrea Hall, who's a specialist solutions architect and project manager for security and compliance will join me along with Andrew Block, who's a distinguished architect. They're both from Red Hat. You're watching theCUBE, the global leader in enterprise tech coverage. So look, I wish I could say there's an end to these threats, there isn't. They will continue indefinitely. Now the adversaries they're well-funded, they're motivated and sophisticated. Your job as practitioners is to make it less profitable for hackers. At the end of the day, this is a business for them and the hackers want value it's all about ROI. That means benefit over cost. So if you can increase the denominator, it lowers their value and they'll go elsewhere to fish in a more productive place. The hard reality is bad user practices are going to trump good security every time. And that's where the vulnerability starts. So shoring up the basics, that's table stakes. Beyond that, working with strong technology partners can bring expertise to compliment your team's skills and reduce the threat against these sophisticated attacks. We hope this program was informative and will inspire you to take action. All of these videos are available on demand, check out thecube.net and theCUBE's and Red Hat's, social channels, and a variety of other places that we'll share with the community. Thanks to our guests today for Dave Nicholson and the entire CUBE team, this is Dave Vellante. Thanks for watching, and we'll see you next time. Do that again. (cough) Excuse me. So look, I wish I could say there's an end. I'll try it again. So look, I wish I could say there's an end to these threats, there isn't. They will continue indefinitely. The adversaries they're well-funded, they're motivated and they're sophisticated. Your job as practitioners is to try and make it less profitable for the hackers. At the end of the day, this is a business for them. And the hackers, what do they want? They want value. It's all about ROI for them. That means benefit over cost. If you can increase the denominator, it lowers their value and they're going to go elsewhere, and they'll fish in more productive places. The hard reality is that bad user practices will trump good security every time. And that's where the vulnerability starts. So shoring up the basics, that's table stakes. Now beyond that, working with strong technology partners can bring expertise to compliment your team's skills, and reduce the threat against these sophisticated attacks. We hope this program was informative and will inspire you to take action. All of these videos that are available on demand at thecube.net and both theCUBE's and Red Hat's social channels, and a variety of other places that we'll share with the community. Thanks to all our guests today for Dave Nicholson and the entire CUBE team. This is Dave Vellante. I appreciate you watching and we'll see you next time.

(upbeat music) >> Welcome to theCUBE. I'm Dave Nicholson, and this is part of the continuing conversation about Managing Risk in the Digital Supply Chain. I have with me today Vincent Danen, vice president of product security from Red Hat and Luke Hines security engineering lead from the office of the CTO at Red Hat. Gentlemen, welcome to theCUBE. >> Thank you. >> Great to be here. >> So let's just start out and dive right into this, Vincent, what is the software or digital supply chain? What are we talking about? Yeah, that's a good question. Software supply chain is basically the software that an end user would get from a vendor or in our case, we're talking about open source, so upstream. It is the software that comes in that is part of your package, operating system, applications. It could be something that you get from one vendor, multiple vendors. So we look at in the example of Red Hat, we are one part of the customer's software supply chain. >> So it's interesting that it's coming in from different areas. Do we have a sense for the ratio of kind of commercial software versus open source software that makes up an enterprise today? >> I think that's a really hard thing to answer and I think every enterprise or every company would have a little bit different. Depends if you have an open source vendor that you choose, you may get a significant amount of software from them. Certainly you're not going to get it all. As an example, Red Hat provides thousands of open source packages. We certainly can't provide all of them. There are millions that are out there. So when you're looking at a specific application that you're building, chances are, you could be running that on a managed platform or an enterprise supply platform, but there are going to be packages that you're going to be obtaining from other sources in other communities as well in order to power your applications. >> So, Luke, that sounds like a kind of a vague situation we're looking at in terms of where all of our software is coming from. So what do we need to know about our software supply chain in that context? What do we need to understand? Before we even get anywhere near the idea of securing it, what are some of the issues that arise from that? >> Yeah, so Vincent's touchpoint is a very wide range in ecosystem, multiple sources when we're talking about open source. So essentially awareness is key really. I think a lot of people are really not aware of the sources that they're drawing from to create their own supply chain. So there's multiple supply chains. You can be somebody like Red Hat that the provide software, and then people will leverage Red Hats for their own supply chain. And then you have the cloud provider and they have their own source of software. So I think that the key thing is the awareness of how much you rely upon that ecosystem before we look at the security of the supply chain. It's really understanding your supply chain. >> And just to follow up on that. So can you... I'm sort of checking my own level of understanding on this subject. When you talk about open source code, you're talking about a code base that is often maintained essentially by volunteers, isn't that correct? >> A mix of volunteers and paid professionals where a company has an interest in the open source project, but predominantly I would say it's... Well, I'm not entirely sure, but volunteers make up a substantial part of the ecosystem that is for sure. So it's a mix really. Some people do it because they enjoy writing software. They want to share software. Other people also enjoy working software, but they're in the position that a company pays for them to work on that software. So it's a mix of both. >> Vincent, give us a reminder of reminder of why this is important from a little bit of a higher level. Step back from the data center view of things, from the IT view of things, just from a societal perspective, Vincent, what happens when we don't secure our digital supply chain? What are the things that are put at risk? >> Okay, well, there's a significant number of things that are placed at risk, the security of the enterprise itself. So your own customer data, your own internal corporate data is place at risk if there were a supply chain breach. But further to that for a software provider, and I think that in a lot of cases, most companies today are software providers or software developers. You actually put your own customers at risk as well, not just their data, but their actual... The things that they're working on, any workloads that they may have, an order that they might place as an example. So there's a number of areas where you want to have the security of that supply chain and the software components that you have figured out. You want to be on top of that because there is that risk that trickles down when it comes to an event. I mean, we've seen that with breaches earlier this year, one company is breached multiple companies end up being breached as a result of that. So it's really important. I think we all have a part to play in that I always view it as it's not just about the company itself. So I mean, speaking from a Red Hat perspective, I don't look at it as we're just securing Red Hat, we're securing our customers, and then we're also doing that for their customers as well, because they're writing software that's running on the software that we're providing to them. So there is this trickle down effect that comes, and so I think that every link in that chain, I mean, it's wonderful that it's called a supply chain. It's only as strong as its weakest link. So our view is how do we strengthen every link in that chain? And we're one part of it, but we're kind of looking a little broader, what can we do upstream and how can we help our customers to ensure the security of their part in that supply chain? >> Yeah, I want to talk about that in a broad sense, but let's see if we can get a little bit more specific in terms of what some of the chains look like because it's not just really one chain when you think about it, there's the idea of inherent flaws that can be caught and then there are the things that bad actors might be doing to leverage those flaws. So you've got all of these different things that are converging. So first and Vincent, if you want to toss this to Luke back and forth, it's up to you guys. What about this issue of inherent flaws in code? We referenced this idea of the maintainer community. What are best practices for locking that down to make sure that there aren't inherent flaws or security risks? >> I'll take a stab at it, and then I'll let Luke follow up with maybe some of the technologies that Red Hat provides. And again, speaking to Red Hat as part of that chain. When we're talking about inherent risk, there's a vulnerability that's present upstream. We pull that software to Red Hat. We package it as a component of one of the pieces of software that we provide to our customers. It's our responsibility to pay attention to those upstream potential vulnerabilities, potential risks, and correct them in our code. So that might be taking a patch from upstream, applying it to our software, might be grabbing the latest version from upstream, whatever the case might be, but it's our responsibility to provide that protection for that software to actually remediate that risk, and then our customers can then install the update and apply the mitigation themselves. If we take a look at it from, when we're looking at multiple suppliers where you'd asked earlier about, what part of it is Red Hat and what part of it is self-service open source? When you look at that, the work that Red Hat's doing there as a commercial provider of open source and end user for that little bit that they're going to grab themselves, that Red Hat doesn't provide, it's going to have to do all of those things as well. They're going to have to pay attention to that risk from upstream. They're going to have to pay attention to any potential vulnerabilities and pull that in to figure out, do I need to patch? Where do I need to patch it? And that's something we didn't really touch on was an inventory of the software that you have in place. I mean, you don't know that you need to fix something. You don't even know that it's running. So, I mean, there's a lot of considerations there where you have to pay attention to a lot of sources. Certainly there's a metadata automation, all of these things that make it easier, but it doesn't absolve us of the responsibility across the board to pay attention to these things, whether you're grabbing it from upstream directly or from the vendor. And it's the vendor's responsibility to then be paying attention to things upstream. >> Yeah, so Luke, I want you to kind of riff on that from the perspective that let's just assume that Vincent was just primarily talking about the idea that, okay, we've established that this code is solid and we've got gold copy of it and we know it's okay. There aren't inherent problems in the code as far as we can tell. Well, that's fine. I'm a developer. I go out to pull code and to use. How do I know if it's not been tampered with? How do I know if it's in fact the code that was validated during this process before? What do you do about that? >> So there's several methods there, but I just like to loop back to that point, because I think this is really interesting around, so if you look at a software supply chain, this is a mix of humans and machines, and both have flaws, probably humans a bit more. And a supply chain, you have developers. You have code reviewers, you have your systems administrators that set up the systems, and then you have your machine actors. So you've got your build systems, the various machines that are part of that supply chain. Now the humans, there's a as an attack factor there 'cause typically they will have some sort of identity, which they leverage for access to the supply chain. So quite often a developer's identity can be compromised. So a lot of the time people will have a corporate account that gives them some sort of single sign on access to multiple systems. So the developers are coming and this could be somebody in the community as well. Their account is compromised, then they're able to easily backdoor systems. So that's one aspect. And then there is machines as well. There's the whole premise of machines software not being up to date. So when the latest nasty vulnerability is released, machines are updated, then the machines have their flaws. They can be exploited. So I would say it's not just a technical problem. There is a humanistic element to this as well around protecting your supply chain. And I would say a really good perspective to carry when you're looking to, how do I secure my supply chain is treat it like you would a production system. So what do I mean by that? When we put something into production and we've got this very long legacy of treating it with a very strict security context around who can access that people, okay. How much it's upgraded and it's patched? And we seem to not have this same perception around our supply chain and our build systems, the integrity of those, the access of those, the policy around the access and so forth. So that's one giveaway that I would say is a real key focus that you should have is treat it like a production system. Be very mindful about what you're bringing in, who can access it because it is the keys to the kingdom, because if somebody compromises your supply chain, your build systems and so forth, they can compromise the whole chain because the chain is only as strong as the weakest link. So that's what I draw upon it. And around the verifications, there is multiple technologies that you can leverage. So Red Hat, we've got a very robust sign in system that we use so that you can be sure that the packages that we get you have non-repudiation that they've been produced by Red Hat. When you update your system, that's automatically looked after. And there are other systems as well, there's other new technologies that are starting to get a foothold around the provenance of aspects of your build system. So when you're pulling in from these multiple sources of open source communities, you can have some provenance around what you're putting in as well. And yeah, I don't want to bite share too much on the technologies, but there's some exciting stuff starting to happen there as well. >> So let's look at an example of something, because I think it's important to understand all of these different aspects. Recently, I think actually still in the news, we found that some logging software distributed by Apache that's widely used in people's websites to gather information about... To help from a security perspective and to help developers improve things that are going on in websites. A vulnerability was discovered. I guess, first Alibaba, some folks were reported it directly to some folks at Apache and the Apache Organization. And then of all people, some folks from Minecraft mentioned it in a blog. That seems like a crazy way to find out about something that's a critical flaw. Now we're looking at this right now with hindsight. So with hindsight, what could we have done to not be in the circumstances that we're in right now? Vincent, I'll toss that to you first, but again, if Luke is more appropriate, let us know. >> No, it's a great question, and it's a hard question. >> How did you let this happen, Vincent? How did you let this happen? >> It wasn't me, I promise. (Dave laughs) >> What I mean, it's a challenging question I mean, and there's a number of areas where we focused on a lot of what we perceived as critical software. So it comes to web server applications, DNS, a number of the kind of the critical infrastructure that powers the internet. Right or wrong. Do we look at logging software as a critical piece of that? Well, maybe, maybe we should, right? Logging is definitely important as part of an incident response or just an awareness of what's going on. So, I mean, yeah, it probably should have been considered critical software, but I mean, it's open source, right? So there's a number of different logging applications. I imagine now we're scrutinizing those a little bit more, but looking beforehand, how do you determine what's critical until an event like this happens, and it's unfortunate that it happens. And I like to think of these as learning opportunities, and certainly not just for Red Hat, but for this (talking over each other) >> Certainly this is not... Yeah, this is not an indictment of our entire industry. We are all in this together and learning every day. It just highlights how complex the situation is that we're dealing with, right? >> It really is. And I mean, a lot of what we're looking at now is how do we get tools into the hands of developers who can catch some of these things earlier. And there's a lot of commercial offerings, there's a lot of open source tools that are available and being produced that are going to help with these sorts of situations moving forward. But I mean, all the tools on the planet aren't going to help if they're not being used. So, I mean, there has to be an education and an incentive for these developers, particularly, maybe in some upstream communities where they are labors of love and they're passionate projects they're not sponsored or backed by a corporation who's paying for these tools, to be able to use some of them and move that forward. I think that looking at things now, there is work to be done. Obviously there's always going to be work to be done. Not all of these tools, and we have to recognize this, they're not all perfect. They're not going to catch everything. These tools could have been... I mean, I don't know if they were running these tools or not, they could have been, and the tool simply could not have picked them up. So part of it is the proactive part. We talk a lot about shift left and moving these things earlier into the development process and that's great, and we should do it. It certainly should never be seen as a silver bullet or a replacement for a good response. And I think the really important thing to highlight with respect to this, and I mean, this touches on the supply chain issue as well, companies, especially those who never maybe saw themselves as a software development company really have to figure out and understand how to do appropriate response. Part of that is awareness, what do you have installed? Part of it is sources of information. Like how do I find out about a new vulnerability or a potential vulnerability? And then it's just the speed to respond. We know that a number of companies they have, maybe it's a Patch Tuesday, maybe it's a patch 26th of the month, maybe it's patch day of the quarter, we have to learn how to respond to these things quickly so that we can apply these mitigations and these fixes as quickly as possible to them protect ourselves and protect the end users or customers that we have, or to keep the kids from using some backdoors in Minecraft is the word. >> (laughs) Yeah. Look, this is an immensely important subject. To wrap us up on this, Luke, I'd like you to pretend that you just got into an elevator in a moderately tall building, and you have 60 seconds to share with me someone who already trusts you, you don't have to convince me of your credentials or anything. I trust you. What tools specifically do you need me to be running, tools and processes. You've got 60 seconds to say, Dave, if you're not doing these things right now, you're unnecessarily vulnerable. So ready, and go, Luke. >> So automatically update all packages. Always stay up-to-date so that when an issue does hit, you're not having to go back 10 versions and work your way forward. That's the key thing. Ensure that everything you pull in, you're not going to have 100%, but have a very strict requirement that there is non-repudiation, is signed content, so you can verify that it's not being tampered with. For your developers that are producing code, run static, dynamic analysis, API fuzzes, all of these sorts of tools. They will find some vulnerabilities for you. Be part of communities. Be part of communities, help chop the wood and carry the water because the log for Jay, the thing is that was found because it was in the open. If it wasn't any open, it wouldn't have been found. And I've been in this business for a long time. Software developers will always write bugs. I do. Some of them will be security bugs. That's never going to change. So it's not about stopping something that's inevitable. It's about being prepared to react accordingly in our right and correct manner when it does happen so that you can mitigate against those risks. >> Well, we're here on the 35th floor. That was amazing. Thank you, Luke. Vincent, you were in the elevator also listening in on this conversation. Did we miss anything? >> No, I mean, the only thing I'll say is that it's really helpful to partner with an enterprise open source provider, be it Red Hat or anybody else. I don't want to toot our own horn. They do a lot of that work on your behalf that you don't have to do. A lot of the things that Luke was talking about, those providers do, so you don't have to. And that's where you.. I liked that you talked about, hey, you don't have to convince me that I'm trusted, or that I trust you. Trust those vendors. They're literally here to do a lot of that heavy lifting for you and trust the process. Yeah, it's a very, very good point. And I know that sometimes it's hard to get to that point where you are the trusted advisor. Both of you certainly are. And with that, I would like to thank you very much for an interesting conversation. Gentlemen, let's keep in touch. You're always welcome on theCUBE. Luke, second time, getting a chance to talk to you on theCUBE personally. Fantastic. With that, I would like to thank everyone for joining this very special series on theCUBE. Managing risk in the digital supply chain is a critical topic to keep on top of. Thanks for tuning into theCUBE. We'll be back soon. I'm Dave Nicholson saying, thanks again. (upbeat music)

(upbeat music) >> Welcome to this special CUBE program. We're going to help you better understand how to manage risk by securing your digital supply chain. And we're going to first give you a high level preview of what's happening in the market. And with me, is Ben Fischer, who's Emerging Security Technology Advocate at Red Hat. Hello, Ben. Good to see you again. >> Nice to meet you, David. I'm (indistinct) >> Yeah, so let's set it up. What can people expect to hear from this program? >> So today, I'm going to start off and you're going to, we're going to have a conversation about some of the business challenges related to the software supply chain. And then the next video will be with Vincent Danen, Red Hat's VP of product security, and Luke Hinds, our security lead from the office of the CTO. And they're going to discuss more of the security aspects of the software supply chain. Thirdly, you'll (indistinct) the newcomer director of hybrid platforms, security product management. We'll dig into some of the practices and the technologies, and that will be followed up by Andrea Hall and Andrew Block. Andrea is a specialist solution architect, and Andrew is a distinguished architect, and they're going to cover some of the change in environments. There's a lot of change in environments related to the regulations and different movements in the industry and organizations. And then lastly, we'll have a video from an interview you did with Luke Hinds, discussing a software sign in tool called Sigstore and how it can improve security supply chain. >> Excellent. Thank you for that. Okay. So Ben, people hear the term software supply chain, and makes them, "Oh. That's an interesting name." But what do we mean by the term software supply chain, Ben? >> So it's a loaded term. Simply, it's the supply chain but of software. And people think, "Oh well. I just go to a store, and I buy software and it comes packaged," maybe in the old days. But these days, we've got open source software. So there's repositories and collaboration upstream where a lot of people in a community contribute to all these different pieces of the software. It's kind of like when you go to a store. You go to a store and you just see this one piece, but that store carries lots of different products. And for each of those products, they have relationships with different vendors and different distributors to gather all those products into a store. And it's pretty complex. So there's been this kind of curation of products and softwares that's kind of come about kind of like a warehouse club. So like you would trust a warehouse club to be kind of a place to reduce the amount of shopping you might have, or you can kind of go there and you trust that they have good products that you'll like, and that fulfill most of your needs for your family, and you can go there and you can kind of get most of your shopping out of one place versus having to drive all around town to go get a bunch of different products that are carried in different stores, and then having to research all those products, warehouse clubs make that experience very simple. And so there's been kind of an upsurge of organizations like Red Hat that just help simplify your choices and do that curation. And the value there is in trying to not just give you everything, but also curate and try to make sure that what you have is secure. Make sure what you have is up to date. Kind of do all these kinds of nuanced things. The software supply chain is kind of complex in that there's all these extra details you need to be kind of aware of, and it's true. You know, you could run around town and shop for every product you would like yourself, just like in a software supply chain, you could go directly and get all the pieces of software and manage them and update them and do all the work yourself. But it it's a lot of work, and it is, as the word implies, it's a chain. So it's not just one relationship. It's a whole chain of relationships. And having a trusted entity as kind of a proxy, that you could put your faith in, and knowing that they're kind of doing some of that work for you makes life a lot easier just like in the warehouse club, right? You want to kind of go one place, get all your shopping done and be satisfied. And so just like you would in traditional times. You Know, before open source came about, there was a lot of proprietary software, and you'd put your trust and faith into them, that they would satisfy all of your needs, and they service you entirely. But even proprietary software now is an open source software so it comes into the same problem. So you need to have a trusted partner basically to help you understand and give you that level of trust in the software you're buying. >> Makes sense, yeah. And Red Hat plays that critical role. >> Yeah. >> So let's explain why all of a sudden this topic of digital supply chain, software supply chain has taken center stage. Ben, what should people understand about the digital supply chain and how it impacts their respective businesses? >> Well, the digital supply chain is really, really critical, I mean, if nothing else. I mean to bring up the kind of the COVID analogy, right? Everything changed with COVID. Things just got accelerated because we realized that the old way of doing things in person and a lot of physical ways slowed things down. And so when we were trying to social distance and have space, the pressure for doing everything in a digital form, and to make it easier to, you know, order your groceries and have them delivered to your door, or, you know, do a trunk delivery of your pizza at the local pizza shop, all this became really critical. So yeah. It's just, honestly, the COVID experience really accelerated the whole need for digital transformation. I'm not trying to go there, but that was part of the supply chain because all those companies also needed to have that digital experience with all of their vendors, and it's kind of accelerated in that respect. So the supply chain in general is something that's gotten a lot of attention. I think people actually understand, maybe have an idea what the word means over the last two years with all the incidents that have happened, and kind of the power of having it in digital electronic form, really really, I think, has hit home for a lot of people. And it's critical because now, I just don't feel like the world can ever really kind of go back from that. We're all so dependent on transacting in a digital form. Our businesses rely on it. We rely on a daily checking of phones, checking websites for information, doing everything. All this is run on software, right? And it's not just software that maybe one person wrote and can maintain for the rest of their lives, and do it in a perfect form. At some point, the software, you know, almost all of it, is using different parts of software that are open source and out there and available. And the pieces that were already developed, cause there's no reason to recreate the wheel. And they just kind of pulled in all these little open source components. If they didn't make a program, it was the programming around that to kind of make that usable for their particular use case. And everyone's just gotten very, very comfortable with this model of pulling software, what we would say, from the upstream down to the downstream and consume it and utilize it themselves. It's just pervasive everywhere. It's just, you know, open source, they say, is kind of eating the world and that's kind of where it's come from. >> Right. Yeah. And this is really a major issue for folks. We're seeing all kinds of new techniques. And for example, just imagine you've got dozens or even hundreds of suppliers, and the bad guys are targeting, you know, a victim, and they might put a piece of malware in an individual, one of the suppliers, you know. They'll get in to one of the suppliers, and that's a benign piece of code, but when it gets actually through the victims', you know, the targets' firewall, things will start to self-form in ways that we've really not seen before. And so this is really a big issue. There's a lot of talk coming from policymakers. Of course, the POTUS has issued an executive order and is putting pressure on businesses and technology companies to improve their security posture. I wish it were as easy as a sort of a swipe of a pen, but what's behind these trends, Ben? >> So, oh, there's so much behind there. So I think you're alluding to something really, really, really important. So in the security world, I mean, most of the issues in the security world is due to, you know, breaches, I should say. Hacks are due to kind of unpatched vulnerabilities. So the problem with that is then the answer is, well, you should patch and patch regularly, and that's absolutely true. You should patch as much as you can where it's not causing business disruptions. But when you get into a supply chain, or a digital supply chain issue, if you have a hacker who is able to penetrate into a vendor's software, and they're able to play something that gets placed into their update mechanism and then gets pushed out to all of our customers, it can be catastrophic and it can be, it will spread very fast and all the customers that are doing the right thing normally, by doing constant updates, will get infected. This is kind of the scary thing. Obviously, it is the right thing to do. And the right thing is for those vendors to secure their environment as much as possible and do everything they can to make that as tight as possible. But also, as in anything, it's really, we're in a world now where it's not if you're going to be breached or, you know, it's going to be when. Everybody in the world, especially the United States, we've all had breaches with our confidential information exposed, right? It's kind of the world we live in. It's what we expect. So with that understanding, you know, it becomes more about how we'll react to that. You know, if your credit card number gets exposed, you just don't throw your hands up in the air. You go, "Okay. Well, I need to put a credit freeze. I need to do certain diligent actions." Same thing in the industry. You know if something happens like that, an organization needs to respond properly and fast to share with the industry what has happened to stop those updates from continuing to perpetrate and provide guidance on what they can do. And this is one of the wonderful things, I think, about the security industry, is actually the willingness and interest to share. You'd kind of think of people in the old days wanting to hide their security secrets. Hide and protect what they do to make sure that, to safeguard all their assets and safeguard the company, their data, everything. And I'm not saying that everything is exposed, but there's a more willingness to share information on threats they're seeing and collaborate on fixes, and work through very difficult issues in a collaborative way, which is, I think it's really wonderful, and it plays perfectly in my mind, kind of the open source mentality of doing things together, out in the open, across organizations. >> Right. So, I mean, again, it's, you know, the very things that, the good behavior we're supposed to be doing with patching and what everybody's advising us to do, we have to be really careful. That can actually turn around and bite you. So how should we think about trust with software? What does that even mean today, Ben? >> Well, it's becoming more important than ever before, because before, you know, there, like I'll tell you way back when I, long time ago, when I was quite young, you'd just download software. And you would share it with friends and copy it, and there was no such thing as antivirus. And everybody was fine with that, and you didn't even think of an issue. And then I remember the first antivirus or viruses came out and then you went down to your local computer software store, and they're handing out free discs as antivirus fixes for that one particular issue. So you went down and you got it and you'd patch it up. And that was that. And you didn't really have any worries beyond that. These days, you know, and that's because you trust the store, and you knew there was only one issue and nobody was, it's kind of a free environment where nobody thought that anything bad would really happen. Today though, we hear in the news constantly about cyber attacks, about breaches, about just endless numbers of things that are happening. Ransomware. There's so many different types of attacks and it's happening in so many different ways across every industry, every geography. It's everywhere, you know. It's really, in my mind, the world's largest industry, cyber crime. And that's just a scary thing and that's because it's profitable. And so, you know, when you think of it as that, as a kind of an evil industry, if you will, it puts things into a little bit of a perspective that, okay, their motives, for the most part are money, and they're trying to do this. So if that's the case, then you're just trying to create enough friction that it's just not profitable for them. And so it's not about doing everything in terms of security. It's about trying to do, you know, for the right things to mitigate the risks for organization. And so getting back to your point about trust, how do you trust the software that you're given? You know, if you download a piece of software, you should be thinking about where's the software being downloaded from? There's lots of sites. There's lots and lots of ways to get it. There's absolutely millions of different pieces of open source code that's out there. And just because you downloaded it from a site, you don't know who posted it, you don't know a lot of these issues. So it can be scary. And as an organization, you can choose to take on all or part of that risk by trying to understand which locations are safe. You can try to understand, you know, which code is safe, and which code you can basically feel comfortable that there's a level of trust. Or simply you can shift that risk over to an organization that might do some of that work for you, like kind of in any business model. Red Hat is an entity, and it focuses on open source software. So, you know, you can go out and you could download any bit of open source software that Red Hat sells, and you can run it today. There's nothing stopping you, and that's wonderful, and we're happy that you're doing that, but Red Hat plays a particular role in that. We're trying to kind of curate that software. We're trying to pick the best piece of software that we feel we can trust. We have a lot of people in those communities, working with the people who actually work on that software. We believe in the open source model, partly because not only is it collaborative and just open and transparent, but in that transparency and in that collaboration, there is review of all the code that gets submitted. So if you can go to the right upstream article repositories, and you can work with those people, you have insight into what's happening, and you can pull down the pieces and the components that you feel are best that you can package into a product that you feel can meet all the needs for your particular customers, and you can do that in a particular way. And then having that close proximity to those communities, you also have an idea when there's updates and patches and you get to work on those, and that allows you to consume those faster, and bring those to your customers faster. And so this is part of the trust element. It's a matter of do you want to do it yourself? Like, you know, warehouse club analogy? Do you want to go to 100 stores when you do a shopping list, or, you know, 20, 30 stores driving around the whole day? I don't know. I don't want to do that on my Saturday. Or, you know, do you want to go to warehouse stuff? Yeah, you might pay a little bit more. There's a premium there. You have to have that warehouse club membership, but then you kind of go to one store and maybe get 80% of your shopping done there, and that's really good. And maybe get the 20% from a couple other stores down the street, but you're done in a matter of a few hours versus the whole day. And so I would implore you, in terms of trust, you need to think about what are the critical pieces of software that you have in your organization, right? What are the critical digital processes that your organization runs? Think about them, and also not just think about what the risks are around them, but also think about beyond them, what the risks are to the people you're trusting. So whether it's Red Hat, or whether it's a particular website you might be wanting to download that open source software from, you need to think about it's a whole chain of things. So you will need to know that, okay, I have access to these things. I have this information, and I have these risks. Now, if I extend that out one degree further, then what risks are those folks are exposed to? What do they have knowledge of? And do that, and then think about it, and think about and evaluate who has the most information? Where are the risks? And think about what makes sense for the organization in terms of mitigating those risks and giving you the best ability to respond when something does happen. I think you can reduce your risk exposure with an organization that curates open source, or even closed source, but also you can also kind of reduce the blast radius, I think, because if they can get you those updates faster, respond faster than you could yourself, then that's hugely valuable too. >> Yeah. I mean, you know, to your point about it's very lucrative for the hackers. I mean, the criminal algorithm is actually pretty simple. It's all about ROI for them, which is how much value can they extract and what does it cost them to extract that in a numerator denominator? And so to the extent that you can increase the cost to the hacker, there's less value to them, and they will go look somewhere else. So question is, what are the parameters of trust in software that can potentially help organizations increase that denominator? And how do you define trustworthy software? What are the attributes? >> Yeah. So there's a lot of attributes. Yeah. I come back to kind of warehouse club analogy. When you kind of go to the warehouse club, they've kind of already pre-picked for various use cases, kind of, you know. Here's the, you know. Here's the two brands of shavers and we have it in the disposable form and the replacement blade form. And you just have a few options there. And it's you know a nice, simple selection, and you look at it and, you know, you can see the price and you know the quantity and you have certain information. And if you did want to look up more information, it's either on the package or you pull out your phone and get more information. In the open source world, you know, some things you want to look at, you want to see its transparency. So everything in open source is very transparent. If you do want to go with a closed source provider, that's fine too. But you know, you do want to have as much transparency as possible. So you want to build up a good relationship, whether it's Red Hat, open source or a closed source vendor, you want to have that relationship to get insight. And if it's closed source, it's more important because you need to go deeper into that relationship to understand what's happening behind that veiled curtain. Accountability. So, you know, whether it is software that you're getting through another organization, you want to make sure you know who in that organization is accountable. You want to know how they're going to be accountable, how they're going to respond. If it's upstream, right now, one thing that's coming through is, and they call it S bomb, software bills and material, which has details about kind of an ingredient list, if you will, of that software. And that is something that will, in the future, make it a little bit easier for everybody, but also if you're going to get software yourself directly, give you an understanding of maybe who's accountable, who actually wrote the software or made the patch, or submitted the last update to a branch. That type of information is very useful because you need, at some point, you may need to know who did this to verify if something is trustworthy, if something was intentional or not, if you see something that might be curious or, I don't know, questionable in some nature. And traceability. You want to be able to have that ability to understand all the changes that have been done in that software, right? Software is, you know, it's highly versioned. So there's constantly new features or updates or patches. And you want to be able to go through and know what's happened there. So not only for the benefit of understanding the things that have been added and the benefits that have been added to the software, but if something happened or you were trying to make sure nothing bad happened, you'd want to make sure maybe there has been no malicious submissions into that code stream as well. And so by tracing that, that's good. And then the whole auditability of it, to go back and look at the software, and having somebody understand what might have happened by kind of digging into all the records for that particular software. I'd also say risk management, because you, as an organization, you really need to know what your risks are, and you need to be able to not just do that at the macro level, but now with the software supply chain, you need to bring that down to kind of a software level and really understand, you know, if my business relies on a particular software component, like open SSL for VPN software and site-to-site networking and whatnot, I need to make sure that if anything happens to this piece of software, which is a critical component for me operating my business, what am I going to do about it? You know do I just terminate all my VPN connections and leave my rural workers stranded and, you know, disable site-to-site networking so my different sites don't have direct networking connections? You have to kind think about what are the risks and, you know, what's my plan B? How would I possibly manage things? And it feels very overwhelming when you think about the number of components. And so this is where understanding this and trying to find ways to mitigate risk and manage it and make things a little bit simpler so you can really focus on things that matter and think are important. And then incident response, which is, there's going to be something that happens sometimes to some piece of software that your organization has. So how are you going to respond? How are you going to even find out? How are you going to know that something happened? How are you monitoring for vulnerabilities in the software? How are you connecting with the upstream communities and being aware that something is happening wrong, and there's a bunch of developers scrambling to try to fix something quick because maybe there's a known (indistinct) of some software out in the wild. So having that awareness and having that ability to building to respond really is probably one of the most critical things here. >> Ben, can you give us a sense of just kind of the scope of this problem? Are there metrics you can share to kind of frame the issue for the audience? >> Yeah. So in terms of open source supply chain attacks, some type, a software vendor, actually has reports every year. And they've reported that there was a 650% increase in open source supply chain attacks in the past year. And this is on top of a 430% increase the prior year. So it's scary, but it's basically literally exploding in terms of the threats happening in the supply chain attacks. Supply chain attacks are not new, but they've become quite popular. And the power of the supply chain, as an amplifying factor, is starting to get exploited really well by the attackers these days. >> Mm-hmm. Okay. So let's kind of go to best practice. I mean, what are businesses doing about these today? These problems today? What should they be doing that maybe they're not doing? >> So with the explosion, you can understand that with the spike of these supply chain attacks, organizations are honestly, and understandably pretty caught off guard. So while organizations have been working on their cybersecurity programs for some time now, they're mostly trying to react. And by react, they're reacting with maybe not the most efficient of incident response plans yet. And these attacks are spreading like wildfire, but as an industry, you know, it's not really helping us get ahead. So, you know, it's the unfortunate place where we're at. You mentioned that there's, obviously there's some guidance from POTUS and other folks in the industry, and various efforts in the industry to work on improving the supply chain, work on improving different components that can help make things dramatically better for the industry, but they're still pretty early stage. There's still a lot of work to be done. So as far as kind of what we can be doing as an industry, obviously, you know, I'll say collaboration again, because, you know, by working together, whether it's with the government or in an upstream organization setting standards, these things are all really important. And especially within verticals, I think it's really important to kind of get together because even if you have a general standard, things can vary quite a bit within the verticals. But besides that outwardly looking action, looking inside and trying to understand, in a sense, it's kind of a simple thing. It's a business process engineering a question of, okay, what are your critical business processes? You know, what do those business processes rely upon? You know, what software components are there? And then okay, for those pieces of software, they also have different components. So even if you go to, you know, whether you go to an open source provider or a closed source provider, there are open source components. So understanding the software that you use, understanding where you get that software from, and understanding the components in those software and how those are digested, whether it's from an organization like Red Hat that's open source, or maybe a closed source provider, is really important. Developing the relationships that you have, that bi-directional trust with those organizations that are running that critical software for your organization is really important. So it's a lot more of a mapping and awareness type exercise, because from there, you can start asking a bunch of different questions. And by engaging in conversations about those questions, you're going to learn more and more and more. And that will continue to lead forward. Eventually, you'll get an understanding of, "I have these risks," and you may not necessarily know everything, but along the way, you'll start developing awareness of risks, and then you can ask yourself along the way, "Okay. As an organization, let's come together and figure out how can we- Let's look at these risks and how can we think about mitigating these right within our budget? To meet our business needs," et cetera. But it's a hard question because there's so many software out there. Our businesses are so critical on so many ways. There's so much software, and each software has so many different components. It's a pretty overbearing problem. I just not trying to scare anybody, but it's just important to just take some time and think about it and understand what you have, and be diligent about kind of walking through those business processes, and start with the most critical ones and kind of keep walking forward. And as you're mitigating them, think about, do you want to have an organization help you with these, or do you want to hire people and have them invest their time into doing the work that an outside organization might do for you? >> Right. Hey, Ben, I've taken a lot of your time. Really appreciate your insights, and really great to have you on. Thank you. >> Well, thank you for having me, Dave. Appreciate it. >> And thank you for watching the CUBE. This is Dave Vellante, and we are the leader in enterprise technology coverage. (upbeat music)

>>Welcome to this cube conversation. I'm Dave Nicholson and we're having this conversation in advance of cube con cloud native con north America, 2021. Uh, we are going to be talking specifically about a subject near and dear to my heart, and that is security. We have a very special guest from red hat, the security lead from the office of the CTO. New kinds. Welcome. Welcome to the cube Luke. >>Oh, it's great to be here. Thank you, David. Really looking forward to this conversation. >>So you have a session, uh, at a CubeCon slash cloud native con this year. And, uh, frankly, I look at the title and based on everything that's going on in the world today, I'm going to accuse you of clickbait because the title of your session is a secure supply chain vision. Sure. What other than supply chain has is in the news today, all of these things going on, but you're talking about the software supply chain. Aren't you tell, tell us about, tell us about this vision, where it came from Phyllis in. >>Yes, very much. So I do agree. It is a bit of a buzzword at the moment, and there is a lot of attention. It is the hot topic, secure supply chains, thanks to things such as the executive order. And we're starting to see an increase in attacks as well. So there's a recent statistic came out that was 620%. I believe increase since last year of supply chain attacks involving the open source ecosystem. So things are certainly ramping up. And so there is a bit of clickbait. You got me there. And um, so supply chains, um, so it's predominantly let's consider what is a supply chain. Okay. And we'll, we'll do this within the context of cloud native technology. Okay. Cause there's many supply chains, you know, many, many different software supply chains. But if we look at a cloud native one predominantly it's a mix of people and machines. >>Okay. So you'll have your developers, uh, they will then write code. They will change code and they'll typically use our, a code revision control system, like get, okay, so they'll make their changes there. Then push those changes up to some sort of repository, typically a get Harbor or get level, something like that. Then another human will then engage and they will review the code. So somebody that's perhaps a maintain will look at the code and they'll improve that a code. And then at the same time, the machine start to get involved. So you have your build servers that run tests and integration tests and they check the code is linted correctly. Okay. And then you have this sort of chain of events that start to happen. These machines, these various actors that start to play their parts in the chain. Okay. So your build system might generate a container image is a very common thing within a cloud native supply chain. >>Okay. And then that image is typically deployed to production or it's hosted on a registry, a container registry, and then somebody else might utilize that container image because it has software that you've packaged within that container. Okay. And then this sort of prolific expansion of use of coasts where people start to rely on other software projects for their own dependencies within their code. Okay. And you've got this kind of a big spaghetti of actors that are dependent on each other and feed him from each other. Okay. And then eventually that is deployed into production. Okay. So these machines are a lot of them non open source code. Okay. Even if there is a commercial vendor that manages that as a service, it's all based on predominantly open source code. Okay. And the security aspects with the supply chain is there's many junctures where you can exploit that supply chain. >>So you can exploit the human, or you could be a net ferrous human in the first place you could steal somebody's identity. Okay. And then there's the build systems themselves where they generate these artifacts and they run jobs. Okay. And then there are the production system, which pulls these down. Okay. And then there's the element of which we touched upon around libraries and dependencies. So if you look at a lot of projects, they will have approximately around a hundred, perhaps 500 dependencies that they all pull in from. Okay. So then you have the supply chains within each one of those, they've got their own set of humans and machines. And so it's a very large spaghetti beast of, of, of sort of dependence and actors and various identities that make up. >>Yeah. You're, you're describing a nightmarish, uh, scenario here. So, uh, so, so I definitely appreciate the setup there. It's a chain of custody nightmare. Yeah. >>Yes. Yeah. But it's also a wonderful thing because it's allowed us to develop in the paradigms that we have now very fast, you know, you can, you can, you can prototype and design and build and ship very fast, thanks to these tools. So they're wonderful. It's not to say that they're, you know, that there is a gift there, but security has arguably been left as a bit of an afterthought essentially. Okay. So security is always trying to it's at the back of the race. It's always trying to catch up with you. See what I mean? So >>Well, so is there a specific reason why this is particularly timely? Um, in, you know, when we, when we talk about deployment of cloud native applications, uh, something like 75% of what we think of is it is still on premesis, but definitely moving in the direction of what we loosely call cloud. Um, is why is this particularly timely? >>I think really because of the rampant adoption that we see. So, I mean, as you rightly say, a lot of, uh, it companies are still running on a, sort of a, more of a legacy model okay. Where deployments are more monolithic and statics. I mean, we've both been around for a while when we started, you would, you know, somebody would rack a server, they plug a network cable and you'd spend a week deploying the app, getting it to run, and then you'd walk away and leave it to a degree. Whereas now obviously that's really been turned on its head. So there is a, an element of not everybody has adopted this new paradigm that we have in development, but it is increasing, there is rapid adoption here. And, and many that aren't many that rather haven't made that change yet to, to migrate to a sort of a cloud type infrastructure. >>They certainly intend to, well, they certainly wished to, I mean, there's challenges there in itself, but it, I would say it's a safe bet to say that the prolific use of cloud technologies is certainly increasing as we see in all the time. So that also means the attack vectors are increasing as we're starting to see different verticals come into this landscape that we have. So it's not just your kind of a sort of web developer that are running some sort of web two.site. We have telcos that are starting to utilize cloud technology with virtual network functions. Uh, we have, um, health banking, FinTech, all of these sort of large verticals are starting to come into cloud and to utilize the cloud infrastructure model that that can save them money, you know, and it can make them, can make their develop more agile and, you know, there's many benefits. So I guess that's the main thing is really, there's a convergence of industries coming into this space, which is starting to increase the security risks as well. Because I mean, the security risks to a telco are a very different group to somebody that's developing a web platform, for example. >>Yeah. Yeah. Now you, you, uh, you mentioned, um, the sort of obvious perspective from the open source perspective, which is that a lot of this code is open source code. Um, and then I also, I assume that it makes a lot of sense for the open source community to attack this problem, because you're talking about so many things in that chain of custody that you described where one individual private enterprise is not likely to be able to come up with something that handles all of it. So, so what's your, what's your vision for how we address this issue? I know I've seen in, um, uh, some of the content that you've produced an allusion to this idea that it's very similar to the concept of a secure HTTP. And, uh, and so, you know, imagine a world where HTTP is not secure at any time. It's something we can't imagine yet. We're living in this parallel world where, where code, which is one of the four CS and cloud security, uh, isn't secure. So what do we do about that? And, and, and as you share that with us, I want to dive in as much as we can on six store explain exactly what that is and, uh, how you came up with this. >>Yes, yes. So, so the HTTP story's incredibly apt for where we are. So around the open source ecosystem. Okay. We are at the HTTP stage. Okay. So a majority of code is pulled in on trusted. I'm not talking about so much here, somebody like a red hat or, or a large sort of distributor that has their own sign-in infrastructure, but more sort of in the, kind of the wide open source ecosystem. Okay. The, um, amount of code that's pulled in on tested is it's the majority. Okay. So, so it is like going to a website, which is HTTP. Okay. And we sort of use this as a vision related to six store and other projects that are operating in this space where what happened effectively was it was very common for sites to run on HTTP. So even the likes of Amazon and some of the e-commerce giants, they used to run on HTTP. >>Okay. And obviously they were some of the first to, to, uh, deploy TLS and to utilize TLS, but many sites got left behind. Okay. Because it was cumbersome to get the TLS certificate. I remember doing this myself, you would have to sort of, you'd have to generate some keys, the certificate signing request, you'd have to work out how to run open SSL. Okay. You would then go to an, uh, a commercial entity and you'd probably have to scan your passport and send it to them. And there'll be this kind of back and forth. Then you'll have to learn how to configure it on your machine. And it was cumbersome. Okay. So a majority just didn't bother. They just, you know, they continue to run their, their websites on protected. What effectively happened was let's encrypt came along. Okay. And they disrupted that whole paradigm okay. >>Where they made it free and easy to generate, procure, and set up TLS certificates. So what happened then was there was a, a very large change that the kind of the zeitgeists changed around TLS and the expectations of TLS. So it became common that most sites would run HTTPS. So that allowed the browsers to sort of ring fence effectively and start to have controls where if you're not running HTTPS, as it stands today, as it is today is kind of socially unacceptable to run a site on HTTP is a bit kind of, if you go to HTTP site, it feels a bit, yeah. You know, it's kind of, am I going to catch a virus here? It's kind of, it's not accepted anymore, you know, and, and it needed that disruptor to make that happen. So we want to kind of replicate that sort of change and movement and perception around software signing where a lot of software and code is, is not signed. And the reason it's not signed is because of the tools. It's the same story. Again, they're incredibly cumbersome to use. And the adoption is very poor as well. >>So SIG stores specifically, where did this, where did this come from? And, uh, and, uh, what's your vision for the future with six? >>Sure. So six door, six doors, a lockdown project. Okay. It started last year, July, 2020 approximately. And, uh, a few people have been looking at secure supply chain. Okay. Around that time, we really started to look at it. So there was various people looking at this. So it's been speaking to people, um, various people at Purdue university in Google and, and other, other sort of people trying to address this space. And I'd had this idea kicking around for quite a while about a transparency log. Okay. Now transparency logs are actually, we're going back to HTTPS again. They're heavily utilized there. Okay. So when somebody signs a HTTPS certificate as a root CA, that's captured in this thing called a transparency log. Okay. And a transparency log is effectively what we call an immutable tamper proof ledger. Okay. So it's, it's kind of like a blockchain, but it's different. >>Okay. And I had this idea of what, if we could leverage this technology okay. For secure supply chain so that we could capture the provenance of code and artifacts and containers, all of these actions, these actors that I described at the beginning in the supply chain, could we utilize that to provide a tamper resistant publicly or DePaul record of the supply chain? Okay. So I worked on a prototype wherever, uh, you know, some, uh, a week or two and got something basic happening. And it was a kind of a typical open source story there. So I wouldn't feel right to take all of the glory here. It was a bit like, kind of, you look at Linux when he created a Linux itself, Linus, Torvalds, he had an idea and he shared it out and then others started to jump in and collaborate. So it's a similar thing. >>I, um, shared it with an engineer from Google's open source security team called Dan Lawrence. Somebody that I know of been prolific in this space as well. And he said, I'd love to contribute to this, you know, so can I work this? And I was like, yeah, sure though, you know, the, the more, the better. And then there was also Santiago professor from Purdue university took an interest. So a small group of people started to work on this technology. So we built this project that's called Rico, and that was effectively the transparency log. So we started to approach projects to see if they would like to, to utilize this technology. Okay. And then we realized there was another problem. Okay. Which was, we now have a storage for signed artifacts. Okay. A signed record, a Providence record, but nobody's signing anything. So how are we going to get people to sign things so that we can then leverage this transparency log to fulfill its purpose of providing a public record? >>So then we had to look at the signing tools. Okay. So that's where we came up with this really sort of clever technology where we've managed to create something called ephemeral keys. Okay. So we're talking about a cryptographic key pair here. Okay. And what we could do we found was that we could utilize other technologies so that somebody wouldn't have to manage the private key and they could generate keys almost point and click. So it was an incredibly simple user experience. So then we realized, okay, now we've got an approach for getting people to sign things. And we've also got this immutable, publicly audited for record of people signing code and containers and artifacts. And that was the birth of six store. Then. So six store was created as this umbrella project of all of these different tools that were catering towards adoption of signing. And then being able to provide guarantees and protections by having this transparency log, this sort of blockchain type technology. So that was where we really sort of hit the killer application there. And things started to really lift off. And the adoption started to really gather steam then. >>So where are we now? And where does this go into the future? One of the, one of the wonderful things about the open source community is there's a sense of freedom in the creativity of coming up with a vision and then collaborating with others. Eventually you run headlong into expectations. So look, is this going to be available for purchase in Q1? What's the, >>Yeah, I, I will, uh, I will fill you in there. Okay. So, so with six door there's, um, there's several different models that are at play. Okay. I'll give you the, the two predominant ones. So one, we plan, we plan to run a public service. Okay. So this will be under the Linux foundation and it'll be very similar to let's encrypt. So you as a developer, if you want to sign your container, okay. And you want to use six door tooling that will be available to you. There'll be non-profit three to use. There's no specialties for anybody. It's, it's there for everybody to use. Okay. And that's to get everybody doing the right thing in signing things. Okay. The, the other model for six stories, this can be run behind a firewall as well. So an enterprise can stand up their own six store infrastructure. >>Okay. So the transparency log or code signing certificates, system, client tools, and then they can sign their own artifacts and secure, better materials, all of these sorts of things and have their own tamper-proof record of everything that's happened. So that if anything, untoward happens such as a key compromise or somebody's identity stolen, then you've got a credible source of truth because you've got that immutable record then. So we're seeing, um, adoption around both models. We've seen a lot of open source projects starting to utilize six store. So predominantly key, um, Kubernetes is a key one to mention here they are now using six store to sign and verify their release images. Okay. And, uh, there's many other open-source projects that are looking to leverage this as well. Okay. And then at the same time, various people are starting to consider six door as being a, sort of an enterprise signing solution. So within red hat, our expectations are that we're going to leverage this in open shift. So open shift customers who wish to sign their images. Okay. Uh, they want to sign their conflicts that they're using to deploy within Kubernetes and OpenShift. Rather they can start to leverage this technology as open shift customers. So we're looking to help the open source ecosystem here and also dog food, this, and make it available and useful to our own customers at red hat. >>Fantastic. You know, um, I noticed the red hat in the background and, uh, and, uh, you know, I just a little little historical note, um, red hat has been there from the beginning of cloud before, before cloud was cloud before there was anything credible from an enterprise perspective in cloud. Uh, I, I remember in the early two thousands, uh, doing work with tree AWS and, uh, there was a team of red hat folks who would work through the night to do kernel level changes for the, you know, for the Linux that was being used at the time. Uh, and so a lot of, a lot of what you and your collaborators do often falls into the category of, uh, toiling in obscurity, uh, to a certain degree. Uh, we hope to shine light on the amazing work that you're doing. And, um, and I, for one appreciate it, uh, I've uh, I've, I've suffered things like identity theft and, you know, we've all had brushes with experiences where compromise insecurity is not a good thing. So, um, this has been a very interesting conversation. And again, X for the work that you do, uh, do you have any other, do you have any other final thoughts or, or, uh, you know, points that we didn't cover on this subject that come to mind, >>There is something that you touched upon that I'd like to illustrate. Okay. You mentioned that, you know, identity theft and these things, well, the supply chain, this is critical infrastructure. Okay. So I like to think of this as you know, there's, sir, they're serving, you know, they're solving technical challenges and, you know, and the kind of that aspect of software development, but with the supply chain, we rely on these systems. When we wake up each morning, we rely on them to stay in touch with our loved ones. You know, we are our emergency services, our military, our police force, they rely on these supply chains, you know, so I sort of see this as there's a, there's a bigger vision here really in protecting the supply chain is, is for the good of our society, because, you know, a supply chain attack can go very much to the heart of our society. You know, it can, it can be an attack against our democracies. So I, you know, I see this as being something that's, there's a humanistic aspect to this as well. So that really gets me fired up to work on this technology., >>it's really important that we always keep that perspective. This isn't just about folks who will be attending CubeCon and, uh, uh, uh, cloud con uh, this is really something that's relevant to all of us. So, so with that, uh, fantastic conversation, Luke, it's been a pleasure to meet you. Pleasure to talk to you, David. I look forward to, uh, hanging out in person at some point, whatever that gets me. Uh, so with that, uh, we will sign off from this cube conversation in anticipation of cloud con cube con 2021, north America. I'm Dave Nicholson. Thanks for joining us.

>>mhm Yes. >>Welcome back to the Cube coverage of Red Hat summit 21 2021. I'm john for host of the Cubans virtual this year as we start preparing to come out of Covid a lot of great conversations here happening around technology. This is the emerging technology with Red hat segment. We've got three great guests steve watt manager, distinguished engineer at Red Hat hurl saying senior software engineer Red Hat and luke Hines, who's the senior software engineer as well. We got the engineering team steve, you're the the team leader, emerging tech within red hat. Always something to talk about. You guys have great tech chops that's well known in the industry and I'll see now part of IBM you've got a deep bench um what's your, how do you view emerging tech um how do you apply it? How do you prioritize, give us a quick overview of the emerging tech scene at Redhead? >>Yeah, sure. It's quite a conflated term. The way we define emerging technologies is that it's a technology that's typically 18 months plus out from commercialization and this can sometimes go six months either way. Another thing about it is it's typically not something on any of our product roadmaps within the portfolio. So in some sense, it's often a bit of a surprise that we have to react to. >>So no real agenda. And I mean you have some business unit kind of probably uh but you have to have first principles within red hat, but for this you're looking at kind of the moon shot, so to speak, the big game changing shifts. Quantum, you know, you got now supply chain from everything from new economics, new technology because that kind of getting it right. >>Yeah, I think we we definitely use a couple of different techniques to prioritize and filter what we're doing. And the first is something will pop up and it will be like, is it in our addressable market? So our addressable market is that we're a platform software company that builds enterprise software and so, you know, it's got to be sort of fit into that is a great example if somebody came up came to us with an idea for like a drone command center, which is a military application, it is an emerging technology, but it's something that we would pass on. >>Yeah, I mean I didn't make sense, but he also, what's interesting is that you guys have an open source D N A. So it's you have also a huge commercial impact and again, open sources of one of the 4th, 5th generation of awesomeness. So, you know, the good news is open source is well proven. But as you start getting into this more disruption, you've got the confluence of, you know, core cloud, cloud Native, industrial and IOT edge and data. All this is interesting, right. This is where the action is. How do you guys bring that open source community participation? You got more stakeholders emerging there before the break down, how that you guys manage all that complexity? >>Yeah, sure. So I think that the way I would start is that, you know, we like to act on good ideas, but I don't think good ideas come from any one place. And so we typically organize our teams around sort of horizontal technology sectors. So you've got, you know, luke who's heading up security, but I have an edge team, cloud networking team, a cloud storage team. Cloud application platforms team. So we've got these sort of different areas that we sort of attack work and opportunities, but you know, the good ideas can come from a variety of different places. So we try and leverage co creation with our customers and our partners. So as a good example of something we had to react to a few years ago, it was K Native right? So the sort of a new way of doing service um and eventing on top of kubernetes that was originated from google. Whereas if you look at Quantum right, ibms, the actual driver on quantum science and uh that originated from IBM were parole. We'll talk about exactly how we chose to respond to that. Some things are originated organically within the team. So uh luke talking about six law is a great example of that, but we do have a we sort of use the addressable market as a way to sort of focus what we're doing and then we try and land it within our different emerging technologies teams to go tackle it. Now. You asked about open source communities, which are quite interesting. Um so typically when you look at an open source project, it's it's there to tackle a particular problem or opportunity. Sometimes what you actually need commercial vendors to do is when there's a problem or opportunity that's not tackled by anyone open source project, we have to put them together to create a solution to go tackle that thing. That's also what we do. And so we sort of create this bridge between red hat and our customers and multiple different open source projects. And this is something we have to do because sometimes just that one open source project doesn't really care that much about that particular problem. They're motivated elsewhere. And so we sort of create that bridge. >>We got two great uh cohorts here and colleagues parole on the on the Quantum side and you got luke on the security side. Pro I'll start with you. Quantum is also a huge mentioned IBM great leadership there. Um Quantum on open shift. I mean come on. Just that's not coming together for me in my mind, it's not the first thing I think of. But it really that sounds compelling. Take us through, you know, um how this changes the computing landscape because heterogeneous systems is what we want and that's the world we live in. But now with distributed systems and all kinds of new computing modules out there, how does this makes sense? Take us through this? >>Um yeah john's but before I think I want to explain something which is called Quantum supremacy because it plays very important role in the road map that's been working on. So uh content computers, they are evolving and they have been around. But right now you see that they are going to be the next thing. And we define quantum supremacy as let's say you have any program that you run or any problems that you solve on a classical computer. Quantum computer would be giving you the results faster. So that is uh, that is how we define content supremacy when the same workload are doing better on content computer than they do in a classical computer. So the whole the whole drive is all the applications are all the companies, they're trying to find avenues where Quantum supremacy are going to change how they solve problems or how they run their applications. And even though quantum computers they are there. But uh, it is not as easily accessible for everyone to consume because it's it's a very new area that's being formed. So what, what we were thinking, how we can provide a mechanism that you can you don't connect this deal was you have a classical world, you have a country world and that's where a lot of thought process been. And we said okay, so with open shift we have the best of the classical components. You can take open shift, you can develop, deploy around your application in a country raised platform. What about you provide a mechanism that the world clothes that are running on open shift. They are also consuming quantum resources or they are able to run the competition and content computers take the results and integrate them in their normal classical work clothes. So that is the whole uh that was the whole inception that we have and that's what brought us here. So we took an operator based approach and what we are trying to do is establish the best practices that you can have these heterogeneous applications that can have classical components. Talking to our interacting the results are exchanging data with the quantum components. >>So I gotta ask with the rise of containers now, kubernetes at the center of the cloud native value proposition, what work clothes do you see benefiting from the quantum systems the most? Is there uh you guys have any visibility on some of those workloads? >>Uh So again, it's it's a very new, it's very it's really very early in the time and uh we talk with our customers and every customers, they are trying to identify themselves first where uh these contacts supremacy will be playing the role. What we are trying to do is when they reach their we should have a solution that they that they could uh use the existing in front that they have on open shift and use it to consume the content computers that may or may not be uh, inside their own uh, cloud. >>Well I want to come back and ask you some of the impact on the landscape. I want to get the look real quick because you know, I think security quantum break security, potentially some people have been saying, but you guys are also looking at a bunch of projects around supply chain, which is a huge issue when it comes to the landscape, whether its components on a machine in space to actually handling, you know, data on a corporate database. You guys have sig store. What's this about? >>Sure. Yes. So sick store a good way to frame six store is to think of let's encrypt and what let's encrypt did for website encryption is what we plan to do for software signing and transparency. So six Door itself is an umbrella organization that contains various different open source projects that are developed by the Six door community. Now, six door will be brought forth as a public good nonprofit service. So again, we're very much basing this on the successful model of let's Encrypt Six door will will enable developers to sign software artifacts, building materials, containers, binaries, all of these different artifacts that are part of the software supply chain. These can be signed with six door and then these signing events are recorded into a technology that we call a transparency log, which means that anybody can monitor signing events and a transparency log has this nature of being read only and immutable. It's very similar to a Blockchain allows you to have cryptographic proof auditing of our software supply chain and we've made six stores so that it's easy to adopt because traditional cryptographic signing tools are a challenge for a lot of developers to implement in their open source projects. They have to think about how to store the private keys. Do they need specialist hardware? If they were to lose a key then cleaning up afterwards the blast radius. So the key compromise can be incredibly difficult. So six doors role and purpose essentially is to make signing easy easy to adopt my projects. And then they have the protections around there being a public transparency law that could be monitored. >>See this is all about open. Being more open. Makes it more secure. Is the >>thief? Very much yes. Yes. It's that security principle of the more eyes on the code the better. >>So let me just back up, is this an open, you said it's gonna be a nonprofit? >>That's correct. Yes. Yes. So >>all of the code is developed by the community. It's all open source. anybody can look at this code. And then we plan alongside the Linux Foundation to launch a public good service. So this will make it available for anybody to use if your nonprofit free to use service. >>So luke maybe steve if you can way into on this. I mean, this goes back. If you look back at some of the early cloud days, people were really trashing cloud as there's no security. And cloud turns out it's a more security now with cloud uh, given the complexity and scale of it, does that apply the same here? Because I feel this is a similar kind of concept where it's open, but yet the more open it is, the more secure it is. And then and then might have to be a better fit for saying I. T. Security solution because right now everyone is scrambling on the I. T. Side. Um whether it's zero Trust or Endpoint Protection, everyone's kind of trying everything in sight. This is kind of changing the paradigm a little bit on software security. Could you comment on how you see this playing out in traditional enterprises? Because if this plays out like the cloud, open winds, >>so luke, why don't you take that? And then I'll follow up with another lens on it which is the operate first piece. >>Sure. Yes. So I think in a lot of ways this has to be open this technology because this way we have we have transparency. The code can be audited openly. Okay. Our operational procedures can be audit openly and the community can help to develop not only are code but our operational mechanisms so we look to use technology such as cuba netease, open ship operators and so forth. Uh Six store itself runs completely in a cloud. It is it is cloud native. Okay, so it's very much in the paradigm of cloud and yeah, essentially security, always it operates better when it's open, you know, I found that from looking at all aspects of security over the years that I've worked in this realm. >>Okay, so just just to add to that some some other context around Six Law, that's interesting, which is, you know, software secure supply chain, Sixth floor is a solution to help build more secure software secure supply chains, more secure software supply chain. And um so um there's there's a growing community around that and there's an ecosystem of sort of cloud native kubernetes centric approaches for building more secure software. I think we all caught the solar winds attack. It's sort of enterprise software industry is responding sort of as a whole to go and close out as many of those gaps as possible, reduce the attack surface. So that's one aspect about why 6th was so interesting. Another thing is how we're going about it. So we talked about um you mentioned some of the things that people like about open source, which is one is transparency, so sunlight is the best disinfectant, right? Everybody can see the code, we can kind of make it more secure. Um and then the other is agency where basically if you're waiting on a vendor to go do something, um if it's proprietary software, you you really don't have much agency to get that vendor to go do that thing. Where is the open source? If you don't, if you're tired of waiting around, you can just submit the patch. So, um what we've seen with package software is with open source, we've had all this transparency and agency, but we've lost it with software as a service, right? Where vendors or cloud service providers are taking package software and then they're making it available as a service but that operationalize ng that software that is proprietary and it doesn't get contributed back. And so what Lukes building here as long along with our partners down, Lawrence from google, very active contributor in it. Um, the, is the operational piece to actually run sixth or as a public service is part of the open source project so people can then go and take sixth or maybe run it as a smaller internal service. Maybe they discover a bug, they can fix that bug contributed back to the operational izing piece as well as the traditional package software to basically make it a much more robust and open service. So you bring that transparency and the agency back to the SAS model as well. >>Look if you don't mind before, before uh and this segment proportion of it. The importance of immune ability is huge in the world of data. Can you share more on that? Because you're seeing that as a key part of the Blockchain for instance, having this ability to have immune ability. Because you know, people worry about, you know, how things progress in this distributed world. You know, whether from a hacking standpoint or tracking changes, Mutability becomes super important and how it's going to be preserved in this uh new six doorway. >>Oh yeah, so um mutability essentially means cannot be changed. So the structure of something is set. If it is anyway tampered or changed, then it breaks the cryptographic structure that we have of our public transparency service. So this way anybody can effectively recreate the cryptographic structure that we have of this public transparency service. So this mutability provides trust that there is non repudiation of the data that you're getting. This data is data that you can trust because it's built upon a cryptographic foundation. So it has very much similar parallels to Blockchain. You can trust Blockchain because of the immutable nature of it. And there is some consensus as well. Anybody can effectively download the Blockchain and run it themselves and compute that the integrity of that system can be trusted because of this immutable nature. So that's why we made this an inherent part of Six door is so that anybody can publicly audit these events and data sets to establish that there tamper free. >>That is a huge point. I think one of the things beyond just the security aspect of being hacked and protecting assets um trust is a huge part of our society now, not just on data but everything, anything that's reputable, whether it's videos like this being deep faked or you know, or news or any information, all this ties to security again, fundamentally and amazing concepts. Um I really want to keep an eye on this great work. Um Pearl, I gotta get back to you on Quantum because again, you can't, I mean people love Quantum. It's just it feels like so sci fi and it's like almost right here, right, so close and it's happening. Um And then people get always, what does that mean for security? We go back to look and ask them well quantum, you know, crypto But before we get started I wanted, I'm curious about how that's gonna play out from the project because is it going to be more part of like a C. N. C. F. How do you bring the open source vibe to Quantum? >>Uh so that's a very good question because that was a plan, the whole work that we are going to do related to operators to enable Quantum is managed by the open source community and that project lies in the casket. So casket has their own open source community and all the modification by the way, I should first tell you what excuse did so cute skin is the dedicate that you use to develop circuits that are run on IBM or Honeywell back in. So there are certain Quantum computers back and that support uh, circuits that are created using uh Houston S ticket, which is an open source as well. So there is already a community around this which is the casket. Open source community and we have pushed the code and all the maintenance is taken care of by that community. Do answer your question about if we are going to integrate it with C and C. F. That is not in the picture right now. We are, it has a place in its own community and it is also very niche to people who are working on the Quantum. So right now you have like uh the contributors who who are from IBM as well as other uh communities that are specific specifically working on content. So right now I don't think so, we have the map to integrated the C. N. C. F. But open source is the way to go and we are on that tragic Torri >>you know, we joke here the cube that a cubit is coming around the corner can can help but we've that in you know different with a C. But um look, I want to ask you one of the things that while you're here your security guru. I wanted to ask you about Quantum because a lot of people are scared that Quantum is gonna crack all the keys on on encryption with his power and more hacking. You're just comment on that. What's your what's your reaction to >>that? Yes that's an incredibly good question. This will occur. Okay. And I think it's really about preparation more than anything now. One of the things that we there's a principle that we have within the security world when it comes to coding and designing of software and this aspect of future Cryptography being broken. As we've seen with the likes of MD five and Sha one and so forth. So we call this algorithm agility. So this means that when you write your code and you design your systems you make them conducive to being able to easily swap and pivot the algorithms that use. So the encryption algorithms that you have within your code, you do not become too fixed to those. So that if as computing gets more powerful and the current sets of algorithms are shown to have inherent security weaknesses, you can easily migrate and pivot to a stronger algorithms. So that's imperative. Lee is that when you build code, you practice this principle of algorithm agility so that when shot 256 or shot 5 12 becomes the shar one. You can swap out your systems. You can change the code in a very least disruptive way to allow you to address that floor within your within your code in your software projects. >>You know, luke. This is mind bender right there. Because you start thinking about what this means is when you think about algorithmic agility, you start thinking okay software countermeasures automation. You start thinking about these kinds of new trends where you need to have that kind of signature capability. You mentioned with this this project you're mentioning. So the ability to actually who signs off on these, this comes back down to the paradigm that you guys are talking about here. >>Yes, very much so. There's another analogy from the security world, they call it turtles all the way down, which is effectively you always have to get to the point that a human or a computer establishes that first point of trust to sign something off. And so so it is it's a it's a world that is ever increasing in complexity. So the best that you can do is to be prepared to be as open as you can to make that pivot as and when you need to. >>Pretty impressive, great insight steve. We can talk for hours on this panel, emerging tech with red hat. Just give us a quick summary of what's going on. Obviously you've got a serious brain trust going on over there. Real world impact. You talk about the future of trust, future of software, future of computing, all kind of going on real time right now. This is not so much R and D as it is the front range of tech. Give us a quick overview of >>Yeah, sure, yeah, sure. The first thing I would tell everyone is go check out next that red hat dot com, that's got all of our different projects, who to contact if you're interested in learning more about different areas that we're working on. And it also lists out the different areas that we're working on, but just as an overview. So we're working on software defined storage, cloud storage. Sage. Well, the creator of Cf is the person that leads that group. We've got a team focused on edge computing. They're doing some really cool projects around um very lightweight operating systems that and kubernetes, you know, open shift based deployments that can run on, you know, devices that you screw into the sheet rock, you know, for that's that's really interesting. Um We have a cloud networking team that's looking at over yin and just intersection of E B P F and networking and kubernetes. Um and then uh you know, we've got an application platforms team that's looking at Quantum, but also sort of how to advance kubernetes itself. So that's that's the team where you got the persistent volume framework from in kubernetes and that added block storage and object storage to kubernetes. So there's a lot of really exciting things going on. Our charter is to inform red hats long term technology strategy. We work the way my personal philosophy about how we do that is that Red hat has product engineering focuses on their product roadmap, which is by nature, you know, the 6 to 9 months. And then the longer term strategy is set by both of us. And it's just that they're not focused on it. We're focused on it and we spend a lot of time doing disambiguate nation of the future and that's kind of what we do. We love doing it. I get to work with all these really super smart people. It's a fun job. >>Well, great insights is super exciting, emerging tack within red hat. I'll see the industry. You guys are agile, your open source and now more than ever open sources, uh, product Ization of open source is happening at such an accelerated rate steve. Thanks for coming on parole. Thanks for coming on luke. Great insight all around. Thanks for sharing. Uh, the content here. Thank you. >>Our pleasure. >>Thank you. >>Okay. We were more, more redhead coverage after this. This video. Obviously, emerging tech is huge. Watch some of the game changing action here at Redhead Summit. I'm john ferrier. Thanks for watching. Yeah.

>>From around the globe. It's the queue with digital coverage of AWS reinvent 2020 sponsored by Intel, AWS, and our community partners. >>Hello, and welcome back to the cubes coverage of ADFS reinvent 2020 it's virtual this year because of the pandemic we can't be in person normally would do in these interviews face to face, but we're here remote. I'm your host, John furrier. We're the cube virtual and we're here with Teresa Carlson, who is the chief and heads up the public sector business, uh, for AWS and also now has industries, which is a lot of the verticals and just continues to, um, have great leadership and continues to do well in the business. I Theresa great to see you for the eighth consecutive cube interview you've been on every year and we thank you for coming on big year this year. Thanks for coming on. Great to see you. >>Thank you, John. Thank you for having me. It's hard to believe it's eight years already. Wow, go ahead. >>Well, first of all, I want to say congratulations. Um, the first year you will run, you never wavered. You always had a North star. Um, you had the Amazonia and kind of way, um, you told us what you were going to do and you did it. The CIA came on board and the dots just connected. So congratulations this year more than ever, um, during your keynote. And re-invent, even though it was virtual, um, again, you're raising the bar on the theme leadership and making use of the data two major themes this year on your keynote because of the pandemic. And just because of the cloud computing benefits are all kind of coming together. You're helping more people than ever doing a more public service with cloud when it needs it. The most. This has been a big story. Share your, your reaction to that. >>Yeah. Well, John, thank you again for having me in your coverage of reinvent. It's been three weeks of, wow. I mean, three weeks we do one hour a day three, uh, that COVID, you know, we're still, we're still not dead, right? The vaccinations are out. People are starting to, I saw on the television yesterday here in the U S the first nurse that was vaccinated. Uh, but for us, I will tell you the data side of this piece during COVID has been huge. I mean, huge. It has been, you know, our customers have always said data is golden for them, right. Uh, but during COVID, we have actually seen the use of data, just go up like crazy and not just the use of it, but, um, I will say it's multiple data lakes that are used hydrating multiple data lakes and using that data to merge. >>So if you think about economic data and health data and putting those data sets together in a way that they have deeper understanding of what's happening within their community, their state, their, their, uh, their country. So we've seen emerging of data, uh, in a big way. If you think about the vaccinations themselves, uh, John, that wouldn't have been possible to move this fast without the use of scalable compute, processing and analytics in a way like no one has ever seen it. And, uh, it's, it's, it's pretty amazing. And I don't think we'll ever go back. And also I'll just say sharing of that data has changed. Researchers are now much more open to sharing that data air cord 19 a research site that we've done has thousands of researchers on it. Now, hundreds of thousands of views on it with people sharing research about COVID and think about that. I mean, research has always been held tightly, and now we're really starting to see them open up and share that data so that we can move much faster. >>I think doing that public service with the data has always been a killer idea. We talked about national parks being kind of open for the people over the years now, super computing and data. You guys do a great job doing that, but the other area that you're getting a lot of press on and, and rightfully so is an area that I know is close to your heart, as well as our mission, which is getting people trained up on cloud computing. And you've done this for years, but this year more importantly, with all the pressure and all the need, you guys have offered, offering a huge training skills training for 29 million people globally. I saw that on the news, I saw you on doing some TV interviews on this. It's been all over the press has been getting a lot of great buzz. Can you tell me more about what that is? >>Yeah. So part of my, when I picked up bear industry business units also picked up our training and certification organization that is ran by Maureen Lonergan. I know you've had Maureen on your show before too, and then I have education, which is run by Kimma Jarris in the U S and max, uh, Peterson internationally. And we are now we've merged so that we have a model that we can teach and train around the world in a much more scalable way that this announcement was about going into 200 Kemp countries and territories training, 29 million people by 2025 free do free skills training and making that available job through multiple different programs and scaling those. So we'll take the programs we have and we'll scale those app much more rapidly. And then now we'll also look for new programs that we need to run in parallel because that's what we do. >>We have to look around corners. Also make sure that we have the right programs and, you know, I've lived, I've lived, you know, they're all amazing, but near and dear to my heart has always been our AWS educate, which we started, uh, for ages 14 and up to at the university and high school level, to be able to start to bring on those cloud skills. Then we added badging and credentialing onto that. And from there, you can go into the air Academy, which you can actually get certifications as a solution architect. Uh, but we've, we've added so many more, uh, our program restart now, which has been really, which is about training. Those who are jobless or an underserved communities and socioeconomic depressed areas. Uh, and I love that program. I told a story about an individual in Boston who had opened a training center, a gym he's a fitness trainer, and he had to close it, uh, because you know, COVID, and he went through our 12 week. >>We restart training program and now has a job with a company there in Boston. And I just love those kind of stories where you know, that you're putting people to work. And I think for us, there's thousands and thousands of jobs around the world, just in any city, if you, if you search on cloud computing jobs open, I just looked in New York when I was on CNBC. I looked in New York and there are 10,000 cloud jobs just there in New York. And I just did a quick search. So there's always jobs, and we've got to make sure that we're skilling them so they can go now fill those jobs. And that will help us close that gap. Uh, John, which we still have a big one, uh, to get all the jobs filled that are out there. >>That's a great mission. And I got to say, it's super important because one is cloud computing. There's openings for this kind of new, the new paradigm, which is now mainstream and playing out on, in real time, as, as Andy was talking about, but also the global it markets being reshaped by cloud computing. So you have the intersection of those two, which is a new skill. You can't just take it and make a cloud. You've got to bring it together. So it's a great opportunity for someone to come into the industry and level up pretty quickly. You don't have to have the 20 years of experience to do this. It's you can come in instantly level up, have a great job. >>You know, it's the one thing John, I hear all the time around the world before from like when I would go and speak with university chancellors and presidents and just professors, they would say, Hey, you know, AWS, we need you to do the micro-credentialing along the way. And this was pre COVID when they said, we need to get your students want to work while they're in school. Well now more than ever, it's important. And we also, John Luke, just in September, over 800,000 women left the workplace. That is a trend that we do not want and we can not sustain. And so doing, you know, doing programs like this virtually that you can do self paced environments, intensive environments. We want to make, we want to make these programs fit for whatever the individual needs. So it's not just a one size fits all. We want to make sure that the programs that we're providing will fit the needs of the individuals doing the training. And I, I particularly am, uh, I want to push this with their, you know, inclusion and diversity of the individuals that we need to get into the workplace, but it is pretty alarming when you see that many women leaving the workplace, you know, when a choice is being made right now, we're seeing women take the brunt of that. And we want to make sure that they have the opportunity to work virtually train themselves and get those new jobs that are out in tech. >>Well, that's one of the questions I had for you. I'll just jump to that. Now I'll get back to some of the other ones, but the customers that pivot to remote work and learning, uh, it's changing. And, you know, I was, um, riffing on an interview. Um, I think it was with one of your public sector customers, the future of work. And if you just think about the word work workforce, workplace workload work flows, the notion of work is now impacted. And you mentioned the diversity piece. This is an opportunity. So how should people think about this, uh, relearning? So we don't lose people and we actually get a net positive inbound migration to the workforce. >>You know, the flexibility I had, I did a fireside chat with Andrew Nooney. Um, he was the former CEO of PepsiCo and chairman, and is now on our Amazon board, uh, for re-invent. And she talked about, you know, being your authentic self, uh, curiosity, but one of her big points is women in the workplace. Uh, and she's gonna publish a new book soon, and it's going to be really focused on kind of equity policy, uh, areas of need that we have to focus on to make sure that we have at women being able to tackle both the home issues and being able to work and taking advantage of that plus 50%. And I would say the virtual opportunity is really fantastic, especially for, um, all levels of socioeconomic individuals, because you can work part-time full-time, you can work virtually. And I do believe while we all want to get back into the workplace. >>I think for me, I'm a social animal. I'd love to be there sitting beside you, John, you know, I think for a lot of us, we are, we kind of yearn to be back in the office, but there's also a lot that working from home, um, is, is much more achievable for them, right? Especially with childcare if school day, if it's a short day, because the schools and allowing flexibility with work is going to be really important and COVID has taught us that that is possible. My team did not miss a beat during COVID. I tell ya, it's like unbelievable. Our business, uh, has, has really kinda been on fire because public sector. And if you look at the other industries, I've picked up financial services, uh, energy and telecommunications and training and certification. These are all that had to keep going. Uh, governments were moving faster than ever. >>So our team was really busy. Um, I've had individuals asked me, well, how did you manage the downtowns? Like we didn't have any downtime. Like literally day one, we were like 24 seven and the teams were working with it pretty much every government around the world because COVID moved so quickly and all virtually. And I will have to say, John, I was really skeptical in the beginning about how is this? How, how are we going to do this? Um, but the teams really, we figured out how to operate. You know, you had to, it's a new muscle. You kind of have to build that virtual work muscle and figure out how you manage your day, how you fit things in. And then there's the point that people think you're always available because you are at home, right? So you can never, that you can't possibly not be available because you know, you're, you are sitting at home. And then there's the many times where people's cats walk across and kind of with their tail on their face. And that dog child were at REMS in with the diaper. And you know, it's all, you, you have to have grace and humor about all this. Sometimes T like you can't take everything so seriously. And perhaps we've learned that, um, work and life can blend a little bit more, right? That you can, you can have that when a lot of people, when they talk about work-life balance, now we have work-life harmony. >>You know, you and I have talked about this before. If you can tap whoever taps, the diversity of talent will always let me win the game and not just, um, diversity in terms of gender or background role. I mean, if you can tap the virtual space, you're a winner because there's talent out there that can be aggregated in, and there's no stigma associated with anything. So, you know, this is, I think Andy kinda, uh, expressed that to me. And, and he heard it in his keynote where he said, Hey, people are a square, but you can get more participation. I think that is a real positive, um, upside. And I love the perspective of this new muscle. I totally agree. You need to, you need to have that >>Square. I mean, we've, we've actually chatted. I don't know if we'll ever go back to having big rooms with people in it, because you have a voice, you have a face. And I do believe, especially for women, uh, John, who can not always speak up, it's an opportunity for them to have their own space. They ha they can have their own voice. All individuals cause centers. They have great ideas, but they don't always value them. So having, you know, when you, each person has their own square, you can actually kind of see, well, who's, who's has an opinion. Who's spoken up. Who, who do I want to call on here and ask them if they have an opinion? So I like the idea of everybody having their own space when you're having a meeting. If you have to be virtual, because you get lost in translation, especially if you have that large leader in the room and everybody else's around them, then sometimes they only kind of adhere to their voice. This is an opportunity for others to really have that pool. >>I was just, I saw a joke on Twitter from a friend that said, Hey, I run all the meetings now because I can mute people. So if someone starts talking, you're muted bye-bye. So again, this is a whole new muscle great stuff. Well, since you've, since you brought up your role, I know you have a new expanded role. Could you take a minute to explain what that is? Because I'm still not clear. I know you've been doing an amazing job. I've written about, uh, your initial successes, and now you continue to do well with public sector and believe me, I've exploding. I see it. We're reporting on it. Public service is changing with digital transformation, but these other things, what are you working on? What are the new areas? Yeah, so I >>Just passed my 10th year. I'm starting my 11th year and it's been like amazing building this public sector business. I, I, and our government customers. Wow. The innovation and education during COVID has been pretty off the charts, which I don't think I'll slow down. And then a few months ago I was asked to take on our, uh, our training and certification org and our evangelist in solution architecture org, along with the industry business units of, uh, finance, telecommunications, and energy. And then, uh, John, if you remembering June, I announced our aerospace and satellite industry business unit. So, uh, these are the ones that we have right now are very regulated. A lot of them are, you know, very closely aligned to regulated industry. Um, you know, there could be others that are not as regulated, but the ones right now, if you think about aerospace, satellite, financial services, telecommunications in, in, in energy. >>So they, for me, um, they're very, it can tell a lot of the work I've been doing in building public sector, because when I go into a country today, when my teams go in, we generally always have to work with these groups. So if you think about telecommunications, we have to go in and make sure that we're working on our networking, our connectivity, and we negotiate and work with those telco providers. Same with the energy companies, both large ones and small ones. We go in and we work to build a power purchasing agreements, you know, solar power, uh, renewable energy to power our data centers and make sure that we're giving back to the grid. So we have that partnership. And then in the financial sector, I've had our, uh, I've had all of our regulators anyway, like FINRA fed reserve. Um, I R S treasury. >>So I've already, I've always had all the regulators. So now working with the, uh, you know, the additional, the banking, the investment sector, capital markets, it's very, it's, it seems so natural if that makes sense. And now diving into the upstream and downstream stream of supply chain for both that energy and telco and what a fantastic time now for telcos with 5g. I mean, I've been saying for two or three years that I thought this would be a huge opportunity for telecommunications companies to actually look for new, uh, work streams for their customers. And I mean, edge, you know, now our connect or call centers that they can do and take advantage of that. So I'm actually really excited. Uh, John seeing seven of new opportunities and, you know, renewable the new energy, uh, startups that are out there, the things I'm seeing, power, solar, nuclear, um, and then seeing a lot of the larger energy companies take on these projects. It's a lot of fun. And, um, I'm very excited now to continue to meet those customers. I got to meet a lot during re-invent. I love their energy. Yeah. I love kind of learning about what they're looking to solve. And, and I'm also just looking forward to helping them, um, with the connections that we've already been doing in government. I think it's a really nice combination of working together. Now. >>I, I see it as, um, what you've done with public sector was take a partnership approach to an old standing industry, changed them quickly, get the transformation, build the relationships, get the successes and establish that transformation and this needed versus the organically developing, you know, stuff. That's going to be the cloud startups and whatnot. Those are going to use Amazon, but you're a transformational leader. >>John, if I could just save for a minute, if you think about re-invention, you're at re-invent and a lot of these are going through massive reinvention, uh, you know, again, 5g with telco renewables, uh, with energy and then financial services where everything is kind of moving to an online model and digital model with different types of currencies that they have to deal with. It's, it's really perfect for cloud and what we offer. So I think the opportunity, um, to dive in and really partner with these industries and aerospace and Salado. Oh my gosh. It's just, I have to say, I really do believe cloud computing is, um, the perfect kind of step forward with all these industries for reinvention and innovation, which they're all moving towards. >>Well, Theresa, you're a re-invention leader. Uh, we've covered it. And now we've got all new territory for you to work on. Um, bring your playbook, you know, people-centric partner results are charging Theresa, thank you for your time. Great to have you on. Great to see you. Wish you, we were in person in real life again soon. Thank you for coming on. >>Yeah, John, thank you. Happy holidays. I look forward to seeing you next year. >>Okay. This is the cubes coverage of AWS reinvented. We have Teresa Carlson, she heads up the public sector. She's the chief of the whole public sector, and now taking on other industries to bring that playbook, the reinvention to the industries, really a big part of the Amazon web services, vision and cultural change. That's going on with the pandemic reach rechanging and reformatting and refactoring industries. That's what's going on in the big picture and a lot of gay tech under the hood. I'm John for your host. Thanks for watching.

[Music] from the cube studios in Palo Alto in Boston it's the cube covering the IBM think brought to you by IBM hi everybody welcome back to the cubes coverage wall-to-wall coverage of the IBM think 20/20 digital event experience my name is Dave Volante we'll be going really all week and and focusing on the impact of the pandemic how IBM is responding how customers are likely to respond I'm really excited Luke Niazi is here's the global managing director of consumer industries at IBM Luke good to see you nice do you see even that nice to be on the cool I mean if I think about consumer all the assumptions that we made about consumer behavior they're really up in the air right now I wonder if you could share with us what your current thinking is I mean the consumer has powered this global economy years what are you thinking about the consumer right now in the consumer behavior well was he some a massive shift in terms of the immediacy let me this back a little bit Dave and give you a bit of context we did some research at the beginning of the year that we launched the National Retail Federation and we surveyed over 19,000 people globally and that survey showed that they were do be on a shifts that are appearing first of all there was a shift in of the purpose given consumer of the 19,000 people that we surveyed 40% of them said that they were making decisions that were purpose different compared to 41% that make visions that were convenience and that's people who care about sustainability and where products are coming and the other big thing that we saw was popping in micro moments increase digital shopping and of anytime anywhere now of course with the and Emmy we are seeing an acceleration and fastening of those first of all beyond the immediate move panic buying that occurred we've seen a big big shift in online buying and we think like Ron and driver also a reinforcement of this move to more sustainable product and services yeah I mean so right now you have I guess buying for what's available you need something it might not be available as a consumer you're making a lot of trade-offs okay well I'll go for you know alcohol-based hand sanitizer you know as opposed to just conventional hand sanitizer as an example oh well I'll make some trade-offs in tissue paper etcetera etcetera and maybe there's some boredom buying I don't have you've seen that your people are shut-in but though all kinds of of daily changes weekly changes so how do you see this exiting how do you see compute consumer behavior you know changing as we exit this pandemic in waves and we're only sure how we're going to exit well let me kind of break it down in terms of what's been going on right now so of course we saw this massive waves of you know a shift to sanitary products a shift or groceries then we've seen a shift about how can I keep my kids entertained while they're at home and kind of more discretionary choices being much lower so when you kind of look at that in terms of actual impact on business we've seen grocery say in the u.s. up by about twenty seven and we've seen a move on digital in the u.s. about three percent of the of the US population shifts about buys online that's do 43 percent during this period and of course we think that these are things that are going to sustain what it's done is it's accelerate the type of purchases that people are doing in a digital context and we think that that is you know continued by some thoughts the data on the pandemic looks like it's been to continue for many months and and in ways those that we've seen the shifted digital and initially people are kind of looking for things anywhere but it's going to be combined with a kind of a new type of delivery model there's much more buy online pick up in center distribution center pick up our part whether that's you know your groceries or whether that's health related so it's going to change the delivery models it also means of course that stores are going to change a great great deal at the moment grocery stores all have social distancing with the protection of the store associates been you know a key element of that you're gonna see not the same amount of people in those stores going forward and you know a different configuration and application of technology also in store to keep monitoring both the safety of the employees and the safety of the customers but also make sure that occupancy levels are appropriate etc so big shifts the digital the big shifts to different types of delivery models you know big shifts of safety related technology of course what we're also seeing and this is the difficult piece which is if you have discretionary spend fashion apparel luxury the open those volumes are very very significant I mean look I've actually been quite impressed with some providers that have pivoted very quickly to things like curbside pickup and have really responded you know quite fast to that at the same time I've seen others where I mean it's clear that they really didn't have the infrastructure or the processes of their asking hey how how did we do do you mind taking a quick survey because they need to iterate how can I be M help those that really weren't that prepared and it sort of band-aided together some solutions get to the point post pandemic before this thing ends where they really need to be what are you guys doing with client yeah so well first and foremost as the pandemic we focused very much on resilience making sure that our clients but operators as robustly as possible in fact you know 95 percent to our services are being delivered it just began and remotely right what then happened was how do I deal with these massive volumes of airing in my two centers where by the way I have less staff because the people are I having to even themselves safe and social distance and so we deployed immediately beyond our resiliency solutions all centers that are helping our clients booth by aura ties and scream one of our major retail clients in the u.s. said you know I thought that the Watson Chapman knowledge ease were going to be helpful they weren't just helpful they saved us and so that kind of things occurring in the immediate that's the next piece of course you then start see is that finds have realized that both their digital panels and their fulfillment models have not been able to keep up nobody is being able to keep up with the demand that's not even Amazon's been able to keep up and what was you know a 24 or 48 hour delivery slot those those kind of slots have gone out the window so we are going to see a wave of reinvest in enhancing digital channels and we will leverage no both our our services business as well as our cloud knowledge ease to support that and then underpinning that you you're also seeing a need to rebalance the supply chain because of course where products come from have changed where is vsauce is now having to move much more from a global supply chain to a global local supply chain and we're having to balance supply with more local providers and so is a there's a demand supply balancing to be done that means that eyes are and i think about the practicalities of that but they were investing in next-generation technologies to support that for IBM that things like our IBM sterling portfolio but it's also the activation of our supply chain AI this massive demand set by and of imbalancing and we've been helping certain clients look at that and move stock most appropriate locations we've been doing that to help clients kind of rethink that there's this budgeting so we're gonna see a lot of that we have all of the intelligence of by chain and we're going to see no investment in the intelligence of buy chain just like we see this investment at baring in the change in the commerce engines last thing to say is wrap in trace is going to be hugely important reckon trace of all products and where they come from where they were handled and people and so technologies like lock pane and what we do with food trusts are also going to be a really important element yeah another really piece of digital I mean the cube we go to physical events and we've been saying that hang that this is not going to go back to 2019 the people are going to learn through this experience that there's really some additional value that they they can create through digital you think you think about consumer that's a much much more complex environment tens of thousands and fully hundreds of thousands or even millions of fights the product dimension chat thoughts you know the entire experience that we talked about a curbside pickup lead times people you know managing demand with lead times you can only or limiting the volume you mentioned supply chain track and trace block pain so a whole new set of digital assumptions are going to emerge or are emerging I don't want to make it sound like there's a there's some kind of binary beginning an end to this thing this is this is going to be a slow but yet fast iteration of constant iteration and continuous improvement yeah it is what am i - the newer faculty were talking earlier this week and they said look as difficult the environment is right now and of course we've been focused on our current operations and fulfilling our customers as best we can it's actually bringing us through a whole new window about who we think the priority is of our investment and how we look at that going forward and you know he's almost saying well I'm gonna have to zero based budgeting approach and against that we're gonna see a much better investment in almost regardless of what your model is whether you are digital first or physical first you're gonna see much better focus on kind of dealing with the pasady and the variability that we've experienced because organizations weren't geared up for that and you're going to see them the investment in the intelligence and the supply chain who support that backed up with trust and traceability and now back to the points that I start at the beginning of this session it means that the trends that we saw and we assess actually are going to be almost perpetuated because we think this move to sustainable and more local sourcing more balanced sourcing will continue to be a big factor and we think that this kind of idea of shopping in the micro moment but shopping in a much more digital way is here to stay the consequence of that is it's gonna have a what a big impact on the physical environments and unfortunately there aren't gonna do there are going to be as easy in this with certain sectors that are not going to be able to sustain the the big shift in the model so obviously physical down for the immediate and probably mid and maybe even long term digital up you one of your areas of expertise is agribusiness we thought you note you know tumour in general I wonder if you could share with us what you're what you're seeing there I'm inferring more more local sourcing which obviously has some impacts on what's available at different times a year potentially on on pricing thoughts on agribusiness and how they're responding yeah well it's it's fascinating you know if you take it into first of all of course you know agriculture has been impacted right now by not so much for the professional farming which has a large-scale mechanization before a lot of farming in large parts of Asia or Latin parts of Latin America or parts of Africa and even parts of Europe there's a lot of transitionary labor that occurs in order to be able to harvest crops and so that's a that's a really difficult immediate problem we've seen you people volunteering in certain countries like here in the UK where I live either people volunteering you can't work in their current job see how can I help that's kind of it an immediate thing that's needed right now but the broader topic in the work that my teams do is that actually the application of digital technologies and science who is behind what it is in other industries and there's such a great opportunity by leveraging digital only be more effective in actually hitting the most out of farming land without over farming the land and so we're working quite a lot on digital economics of buying base ability you truly from farmed or and no but have been together data sources that were not in the same base to be able to help build effectively an AgrAbility for the benefit the farmers and cross those things were going to see farmers empowered with more information in it more insight so simple things like The Weather Channel application that we have from our weather comm we're deploying that to millions of farmers in Africa and Asia and on top of that we're being able to and for the deployment of other related information though how to farm but also we could start to look at how to provide safety related information etcetera to those farmers so so we are going to see through effective use of technology increase appropriate digitization of no farming processes and there'll be in a very practical level what I'd put onto my phone so so definitely this is a big thing and and of course as you know the traceability that we do with our food resan isn't just about safety and talk about how food was produced how far it's traveled what conditions was it handled in what's a co2 footprint and so that traceability engine can actually accelerate also this is and as I referred to earlier Luca mean as we're discussing you know the moment-by-moment the assumptions are changing you know the narrative this weekend of course at least in the US was pay we've got it now get out there and and many are saying this not all but but just effect mass unity that it's really going to be the only way vaccines aren't coming anytime soon young people will go out retail environment of course you're gonna have social distancing people that are compromised or older aren't going to go out the clearly volumes are going to be down but it's a very fluid situation so business resiliency and flexibility is critical here and it sounds like you're helping organizations really build that into their operating model that is critical yeah absolutely and you know for some of the grantees that I haven't boomer you what you're seeing in things like a chorale fashion luxury is a a move to try to drive that engagement to you the customer in a much more digital sense so how do I interact with the brand how do I experience the band how can I all the way through to my purchase digitally when I don't have the ability to get stores so this digital transformation agenda will affect pretty much all major segments obviously the foods by chain the health by chain is the focus right now but we will see on the increasing digitization and a need to rebalance the in-store experience even for the segments so there will be a lot of transformation to be done a while of course having to deal with the cost balancing that need in these industries as they effectively shift more towards digital yeah you're right I mean the cost structure may dramatically change yet at the same time it may be critical for or maintaining or even gaining market share so a lot of potential disruption Luke I'll give you the final word your thoughts bring us home well you know first of all you know people's well-being in safety is our paramount purpose and that's what we've been looking at the outset but I think people would be positive that there is a lot of opportunity in which we can deliver the things that they need in a safe way in a secure way in a digital way that is able to cope with the environments that we see today and may prevail and it's about winning that intelligence and innovation into both the promise and the digital channels and into the supply chains all the way through to the track and trace which is what we focus on well look thanks so much for coming on the cube was great to have you with your your insights on the IBM very clearly has its hands and a lot of these different industries and it's great to have your industry expertise sharing with our audience I really appreciate your time take care thank you all right thank you for watching everybody this is Dave Volante for our continuous coverage of IBM think digital event experience 2020 you're watching the cube right back right after this short break you [Music] you

from around the globe it's the cube with digital coverage of Red Hat summit 2020 brought to you by Red Hat welcome back this is the cubes coverage of Red Hat summit 2020 of course this year instead of all gathering together in San Francisco we're getting to talk to red hat executives their partners and their customers where they are around the globe I'm your host Stu minimun and happy to welcome to the program Nick Barr said who is the senior director of Technology Strategy at Red Hat he happens to be on a boat in the Bahamas so Nick thanks so much for joining us hey thank you for inviting me it's a great pleasure to be here and it's a great pleasure to work for a company that has always dealt with remote people so it's really easy for us to kind of thing yeah Nick you know it's interesting I've been saying probably for the last 10 years that the challenge of our time is really distributed systems you know from a software standpoint that's what we talked about and even more so today and number one of course the current situation with the global plan global pandemic but number two the topic we're gonna talk to you about is edge and 5g it's obviously gotten a lot of hype so before we get into that - training Nick you know you came into Red Hat through an acquisition so give us a little bit about your background and what you work on Baretta about five years ago company I was working for involves got acquired by read at and I've been very lucky in that acquisition where I found a perfect home to express my talent I've been free software advocate for the past 20-some years always been working in free software for the past 20 years and Red Hat is really wonderful for that yeah it's addressing me ok yeah I remember back the early days we used to talk about free software now we don't talk free open-source is what we talk about you know dream is a piece of what we're doing but yeah let's talk about you know Ino Vaughn's I absolutely remember the they were a partner of Red Hat talked to them a lot at some of the OpenStack goes so I I'm guessing when we're talking about edge these are kind of the pieces coming together of what red had done for years with OpenStack and with NFB so what what what's the solution set you're talking about Ferguson side how you're helping your customers with these blue well clearly the solution we are trying to put together as to combine what people already have with where they want to go our vision for the future is a vision where openshift is delivering a common service on any platform including hardware at the far edge on a model where both viens and containers can be hosted on the same machine however there is a long road to get there and until we can fulfill all the needs we are going to be using combination of openshift OpenStack and many other product that we have in our portfolio to fulfill the needs of our customer we've seen for example a Verizon starting with OpenStack quite a few years ago now going with us with openshift that they're going to place on up of OpenStack or directly on bare metal we've seen other big telcos use tag in very successful to deploy their party networks there is great capabilities in the existing portfolio we are just expanding that simplifying it because when we are talking about the edge we are talking about managing thousands if not millions of device and simplicity is key if you do not want to have your management box in Crete excellent so you talked a lot about the service providers obviously 5g as a big wave coming a lot of promise as what it will enable both for the service providers as well as the end-users help us understand where that is today and what we should expect to see in the coming years though so in respect of 5g there is two reason why 5g is important one it is B it is important in terms of ad strategy because any person deploying 5g will need to deploy computer resources much closer to the antenna if they want to be able to deliver the promise of 5g and the promise of very low latency the second reason it is important is because it allows to build a network of things which do not need to be interconnected other than through a 5g connection and this simplifies a lot some of the edge application that we are going to see where sensors needs to provide data in a way where you're not necessarily always connected to a physical network and maintaining a Wi-Fi connection is really complex and costly yeah Nick a lot of pieces that sometimes get confused or conflated I want you to help us connect the dots between what you're talking about for edge and what's happening the telcos and the the broader conversation about hybrid cloud or red hat calls at the O the open hybrid cloud because you know there were some articles that were like you know edge is going to kill the cloud I think we all know an IP nothing ever dies everything is all additive so how do these pieces all go together so for us at reddit it's very important to build edge as an extension of our open hybrid cloud strategy clearly what we are trying to build is an environment where developers can develop workloads once and then can the administrator that needs to deploy a workload or the business mode that means to deploy a workload can do it on any footprint and the edge is just one of these footprint as is the cloud as is a private environment so really having a single way to administer all these footprints having a single way to define the workloads running on it is really what we are achieving today and making better and better in the years to come um the the reality of [Music] who process the data as close as possible to where the data is being consumed or generated so you have new footprints - let's say summarize or simplify or analyze the data where it is being used and then you can limit the traffic to a more central site to only the essential of it is clear that we've the current growth of data there won't be enough capacity to have all the data going directly to the central part and this is what the edge is about making sure we have intermediary of points of processing yeah absolutely so Nikki you talked about OpenStack and OpenShift of course there's open source project with with OpenStack openshift the big piece of that is is kubernetes when it comes to edge are there other open source project the parts of the foundations out there that we should highlight when looking at these that's Luke oh there is a tremendous amount of projects that are pertaining to the edge read ad carry's many of these projects in its portfolio the middleware components for example Quercus or our amq mechanism caki are very important components we've got storage solutions that are super important also when you're talking about storing or handling data you've got in our management portfolio two very key tool one called ansible that allows to configure remotely confidence that that is super handy when you need to reconfigure firewall in Mass you've got another tool that he's a central piece of our strategy which is called a CM read at forgot the name of the product now we are using the acronym all the time which is our central management mechanism just delivered to us through IBM so this is a portfolio wide we are making and I forgot the important one which is real that Enterprise Linux which is delivering very soon a new version that is going to enable easier management at the edge yeah well of course we know that well is you know the core foundational piece with most of the solution in a portfolio that's really interesting how you laid that out though as you know some people on the outside look and say ok Red Hat's got a really big portfolio how does it all fit together you just discussed that all of these pieces become really important when when they come together for the edge so maybe uh you know one of the things when we get together summit of course we get to hear a lot from your your your customer so any customers you can talk about that might be a good proof point for these solutions that you're talking about today so right now most of the proof points are in the telco industry because these are the first one that have made the investment in it and when we are talking about their eyes and we are talking about a very large investment that is reinforced in their strategy we've got customers in telco all over the world that are starting to use our products to deploy their 5g networks and we've got lots of customer starting to work with us on creating their tragedy for in other vertical particularly in the industrial and manufacturing sector which is our necks and ever after telco yet yeah well absolutely Verizon a customer I'm well familiar with when it comes to what they've been used with Red Hat I'd interviewed them it opens back few years back when they talked about that those nmv type solutions you brought a manufacturing so that brings up one of the concerns when you talk about edge or specifically about IOT environment when we did some original research looking at the industrial Internet the boundaries between the IT group and the OT which heavily lives lives in manufacturing wouldn't they did they don't necessarily talk or work together so Houser had had to help to make sure that customers you know go through these transitions Plus through those silos and can take advantage of these sorts of new technologies well obviously you you have to look at a problem in entirety you've got to look at the change management aspect and for this you need to understand how people interact together if you intend on modifying the way they work together you also need to ensure that the requirements of one are not impeding the yeah other the man an environment of a manufacturer is really important especially when we are talking about dealing with IOT sensors which have very limited security capability so you need to add in the appropriate security layers to make what is not secure secure and if you don't do that you're going to introduce a friction and you also need to ensure that you can delegate administration of the component to the right people you cannot say Oh from now on all of what you used to be controlling on a manufacturing floor is now controlled centrally and you have to go through this form in order to have anything modified so having the flexibility in our tooling to enable respect of the existing organization and handle a change management the appropriate way is our way to answer this problem right Nick last thing for you obviously this is a maturing space lots of age happening so gives a little bit of a look forward as to what users should be affecting and you know what what what pieces will the industry and RedHat be working on that bring full value out of the edge and find a solution so as always any such changes are driven by the application and what we are seeing is in terms of application a very large predominance of requirements for AI ml and data processing capability so reinforcing all the components around this environment is one of our key addition and that we are making as we speak you can see Chris keynote which is going to demonstrate how we are enabling a manufacturer to process the signal sent from multiple sensors through an AI and during early failure detection you can also expect us to enable more and more complex use case in terms of footprint right now we can do very small data center that are residing on three machine tomorrow we'll be able to handle remote worker nodes that are on a single machine further along we'll be able to deal with disconnected node a single machine acting as a cluster all these are elements that are going to allow us to go further and further in the complication of the use cases it's not the same thing when you have to connect a manufacturer that is on solid grounds with fiber access or when you have to connect the Norway for example or a vote and talk about that too Nick thank you so much for all the updates no there's some really good breakouts I'm sure there's lots on the Red Hat website find out more about edge in five B's the Nick bark set thanks so much for joining us thank you very much for having me all right back with lots more covered from Red Hat summit 2020 I'm stoom in a man and thanks though we for watching the queue [Music]

>>Fly from San Francisco. It's the cube covering RSA conference, 2020 San Francisco brought to you by Silicon angle media. >>Welcome to the cubes coverage here in Moscone in San Francisco for RSA copper's 2020. I'm John hosted the cube and you know, cyber security is the hottest thing. Transforming businesses and you know, old. It has to transform into not only playing defense but playing off fence and understand the threats, how to organize around it. And that's really been a big part of this new next generation architecture operations and just mindset. We've got a great guest here to share his perspective. Luke Wilson, who's the vice president, intelligence for four IQ hot startup but also former FBI counter terrorism of right other DOD state department. Uh, tons of experience on both sides. Now on the commercial side. Luke, thanks for coming on. Thanks for having me. So obviously your background gives you a unique perspective and you know, I've been in uh, in the commercial side, I haven't done any government service like you have, but I can tell you it in the enterprise it's been boring. >>Oh yeah. He has storage, provisioning, storage, business servers, cloud comes in, it gets exciting. Yeah. Startups are doing cloud native lot more robust scale and you starting to see the new applications with that, the security perimeter is gone. It's now a huge surface area. So the enterprise has to get more FBI like or more smarter around how they organize, how they hire. Yeah. This is your, this is your world. Yes, it is. What's your take on this? What's it, what's your view of the industry right now? Well, I think right now what you're seeing is this change from, uh, you know, I hate to be cliche about it, but for years we've been playing whack-a-mole against the bad guys. I've see Matt, you know, uh, at my time at the FBI and various government, different agencies there, um, we're starting to see a shift of alright, we want, they want to know, okay, how is this happening to them? >>So it's just not the, the, what's happened. It's like who's behind it. And you know, in today's, in today's, uh, arena with the, you know, with cyber security, you have to start figuring out what entity is behind these attacks, uh, what they're going after. So you can start protecting that, but then also using that information, that intelligence from there, sharing it with other business sectors and then also turn in that big backend side so you can have some kind of preventive maintenance as well. I mean, you've got a lot going on. There used to be a nice little neat little industry in a box security by some software. You've got the servers, you have firewalls, all that nice stuff. Now you're talking about elaboration. Operating models are changing. A whole new dimension and open source has given a, an ability to cloak, whether it's nation States can now be operating under stealth mode. >>Oh yeah. You have all kinds of new dynamics. What is, what does the company do? You know, how do people solve this? There, there is no one answer or that, you know, it's got, it's gonna take a community, uh, the community of protectors and, uh, groups that want to help solve these issues. Uh, you know, and law enforcement, we always say, you know, it's a, it's a cat and mouse game. We catch up to them and then they change a little, you know, maybe a little bit here and there and then we catch up to him again and, uh, we're just gonna keep playing that game. But you know, uh, businesses, commercial businesses are starting to get into that, into that mode as well of, Hey, just because I defeated something today doesn't mean it's going to be right back at my door tomorrow. You know, you and I saw each other last night at the general Alexander's, uh, talk, uh, and he's always been all about offense, defense and understanding visibility and signals. >>Um, you know, there's a lot to do there. Um, you got to know where things are coming from. There's a lot of shared responsibility, but shared work, right? It's like, yes, we want, there's a lot of redundancy going on in security now. Oh yeah. And within and without pumping. So the collaboration, you mentioned the big part, how do you see that evolving that you work with the FBI counterterrorism, you kind of see how this kind of thinking renders itself. How does that work in a commercial world? How do you see that evolving? Well, you have certain cyber centers that are built for that kind of model, uh, for, uh, helping, you know, commercial, uh, industries, uh, deal with that threat. You know, there's no, uh, one tool, one company that can protect itself from a nation state attack. Uh, we've seen that, you know, so, uh, the best thing that's happening right now is people are starting to understand in order to get the entire, um, I would say the topology of the attack, that's that that's affecting you. >>You're going to have to share this information. You're going to have to learn from other groups. Uh, law enforcement, intelligence agencies are sharing. Um, and, you know, it's quite frankly, it's, it's, we're kind of late in the game of sharing, which the criminals have been doing this now for years, you know, sharing that information and understanding who to attack them, when to attack. Yeah. And they've been been winning. So I gotta ask you, as someone who's been in the industry now, and I'm book both sides, you look at RSA this year, um, besides the headline of the coronavirus who's got a backdrop to all of this, there's still a huge show here and, and the trends are changing. It seems to be the scene game, whack a mole on steroids, but now you've got cloud. What's new out there that, that's getting you excited? What do you think people should be paying attention to? >>Why? I think what people should be paying attention to is now a lot of the, I would say the products and the tools that are coming out are actually being developed by people who are practitioners have been in that space and understand what it takes in order to defeat, uh, the, the types of criminals that you're facing every day. Um, you know, I, I see a lot of products, uh, getting into the, the hoop, you know, and for me, I think that's a very, uh, a very strong point now that you can't just keep saying, I closed this court and that court in this sport and we're good. No, they're just gonna change little thing and come right back in. Um, so I see a lot of tools or act or identification or identification time attribution, um, people are trying to get to the who in this space now in order to turn that back around for prevention as well. >>So something where normally this is, you know, an FBI, uh, uh, you know, a federal government, uh, uh, agency trying to figure out the who, a lot of the tools and, and some of the, uh, you know, the data today is helping out with that for private industry. So that are great point gradient site by the way. I love that. I love that angle on that. What about meal time? Because now real time is a big one and people are overworked. It's a pile of threat detection out there. Like, Hey, there's some stuff happening in another company. So people are buying feeds. I get it right now. You need a data processing perspective. You've got to get the data. How does that, how do you see that whole challenge become an opportunity? Well, you know, uh, we're a data driven society now, right? So everything has data connected to it. >>Um, you know, and, and you're getting that amount of data stream float into your commercial entity. You know, first of all, it needs to be automated. You're going to have, you know, a lot, a lot of data to sift and sort through to understand what's actually happening here. So I think the, the, you know, that that live feed going real time is very helpful, but also content, uh, you know, put some context context behind that and having and having that, that information fully digested so you can understand what's the threat, how's it coming at you. And then using that for prevention. Super exciting time. I want to get into your experience and how that translates into maybe your advice for people that are kinda kind of waking up from lack of multiple, kind of being more of a kind of a versatile athlete, if you will, athletes, cyber athletes. >>Um, but I gotta ask you about, um, the idea of threats that are coming in that you seen in the FBI that enterprises should be paying attention. Because I'll give you an example. I'll say, Luke, I'm good. My it department covering this for years. I don't really have anything that's valuable, right? So I'm good. I got my patches done, so I don't really need to buy anything from you or I'm good, right? Not everyone's saying that, but that can be the mentality at different spectrum of, all right, so what do, what do you say to that? Well, you know, besides, I'm an idiot, you know, we see that a lot and I think, um, you have to, that, that's a very big naive approach about it. Um, you know, you also have to start thinking about, are you good with your insider threat? Are you good with your third party risks, you know, threats. >>Um, so there's so many things going down the line. When you look at what it takes for, let's say a large financial institution to run, would it take for a large, uh, company like an Uber or Lyft to run? Um, you know, there's, there's threats there and if you're saying you don't have any threats and you're, you're, you're OK, then uh, you know, I would say that's a, that's another, it's being polite, being polite. What you're saying is, no, you're not. Okay. Well, I mean, cause if, think about it, if you're just running a main small little manufacturing operation, I don't have any IP, but your operations is your IP. You might be exposed for ransomware or some, you know what I'm saying? There's always disruption. This has been kind of an interesting, there's a mindset. It's not just what you think you have. There's a holistic view. >>What's your take on the reaction to that? Yeah. It isn't the holistic view. You have to take that approach. You've seen what's happening nowadays, especially within the ransomware. Uh, you know, it's, it may come from a third party that basically didn't secure their systems, but they knew exactly what they went with, the cyber criminal, exactly what they were doing because they solely wanted to attack you and they knew the weakest link was three steps down from you. And so that's exactly where they went to. You know, I love these conversations and not, you know, a lot. I'm a Patriot and I love to help our country. I do my best. I don't really serve in the government, but one of the things I feel strongly about and people know I rant about this all the time when I'm on the cube is that digital war is happening and I really believe that, you know, our, we're a free society. >>You can't lock every door in this country. You've got borders, physical borders, so digital borders or if we're open society, you can't really be defensive all the time. Yeah. So if someone does strike us, our answers especially been counter strike back with a vengeance. Exactly. Which is how the deterrent is. But digitally, where's that line? I mean if you drop chips in Manhattan, you know you're, we're a tapping attack. What's the digital drawing in your opinion? Because this is something that Noah's talking about, but it's kind of paper cuts is that there's a line of knowing is are we being attacked? It's the who. What's your view on this? I know it's a new emerging area. Yeah. Aye. Aye. Aye. I seem to I think a little bit on both sides here. I want to do something back, but I don't think I'm most special, especially commercial businesses. >>Understand what that means. Actually find some attribution and then say, you know, it is this entity or this country that's doing that and it's kind of a slippery slope when you start getting out of that cutting edge societal issue. Because I mean the government has a military to protect me, right? But if I'm a cyber company, I going to build my own military digital military. Now what are we talking about here? I mean, it's interesting. It's, it's again, that's why I start seeing a lot. If you look at the place, you know around here you start looking at some of these tools, they are offensive weapons. When you look at them, these are weapons to understand, well not weapons, but tools to understand who and you already know what happened. And so now you get the who and the why, right? Yeah. You can't really strike back. >>But what you could do is turn that back inward and say, okay, I'm going to start preventing this stuff. Yeah. Right. But then also, Hey, I can go to the, you know, the FBI and say, here's a nice neat packet of information on what happened to me and who we believe it to be. And that's where that conversation starts to happen. And I'm really excited by the digital twin and the simulation environments where you can start having flex, you can flex scenarios to do, use some of this scenario based planning so you can protect and plan for scenarios which is reacting to it. Yeah. Yeah. The digital training space, when he got there, you know, and it just like you stated earlier, right? You know, the, the, the United States military goes out here and trains for certain scenarios all the time. Companies have to start doing that because that's what's happening to them. >>You know, they're, you're right on the money. I love the insight. Thanks for sharing. Greetings. I love that you got to get the reps and you got to do the operations. You got to nail that. So just give a quick plug before IQ. Thanks for sharing your awesome insight. What do you guys do and what are you guys all about? What's your value proposition? Great. Yeah, we're, we're identity intelligence company. Oh, what that means is that we have tools and products that's going to allow our clients get to that who, you know, uh, and we also have tools that allow them to get to the what as well. So we're on both sides of a, of the fence there. Um, we're trying to get left of boom, what they call it. Um, but our data and our intelligence allows us clients to find the bad guy. >>A very simple, we have some AI and machine learning built into there where it's almost like a click of a button, I can expand and figure out who these individuals are and understand their TTPs. And what we want to do is make automation of these different types of tools easier and faster for the clients to use. So you want to bring intelligence into their visibility space or data space or, yes, I actionable intelligence. Yeah. So basically in their, into their digital space of understanding, you know, their attack surface, understanding what problems that they're having. And then we have, um, you know, like I said, a lot of tools and, and, and, and, and, um, it's, I would call it tell who calls you out, who's the customer, who's the buyer, the IOC show? Is it, uh, uh, off-gas? What's the, who's buying your stuff? So mainly what we're into a lot of, um, cyber fraud, fusion centers, just like that. >>Law enforcement intelligence agencies. Um, I would say, you know, I, I know for a fact that I wouldn't use this, you know, if I had this tool and the FBI. Um, and, and, and a lot of, you know, if you have a large digital footprint, uh, we have cryptocurrency companies using this as well. Um, you know, you're, you're seeing some, some, some pretty bad guys attacking your systems, trying to defraud you. Our product helps you out with that. Right. Luke, great conversation. Thanks for coming on. Appreciate RSA coverage. Taking the show. What's the hot thing at the show? What's your favorite moment here? What's, what's the big story here at RSA? I w I would say, uh, for me it's this, uh, sit in the one, uh, Ashton Martin sit now, you know, every year there's something different. You know, I go to these Bitcoin conferences and I see they usually have Lamborghinis out for it. And now I think this is happening. So yeah, I don't know if we're trending in that direction now. Get in that car and we're gonna erase away. Great. Luke Wilson, VP of intelligence before I Q a here inside the cube, the cube coverage show our say I'm John furrier. Thanks for watching.

>>From San Francisco. It's the cube covering PagerDuty summit 2019 brought to you by PagerDuty. >>Hey, welcome back everybody. Jeff, Rick here with the queue. We're at PagerDuty. Simon in downtown San Francisco at the Western st Francis. I think we've just about busted the seams in this beautiful old hotel. Thousand people. Fourth conference. We're excited to be here. And the big announcement today is around, you know, PagerDuty getting closer to the revenue, getting closer to the customer, getting beyond just break fix and incident response. And a huge partner. Big announcement of that was Zen desk. So we're happy to have today from Zendesk. Luke Benkei, the VP of product. Lou, great to see you. Yeah. Hey Jeff, thanks for being here. Thanks for absolutely. So before we get into the announcements and some of this stuff with the, with PagerDuty, give us kind of an update on Zendesk. We're all happy to see as Zen desk email in our inbox have been, someone's working on are working on my customer service issue. >>But you guys are a lot more than that. We are, yeah. Thanks for asking. Yes. So Zendesk started in, you know, it as a great solution for customer support and solving customer support issues. And we've really expanded recently to think more about the overall customer experience. Uh, and so that means, you know, launching more channels where customers can reach out beyond just emails and tickets to live chat and messaging and really rich experiences to communicate with your customers. But it also means, uh, you know, getting into the sales automation world and kind of helping sales and success work together, uh, on the whole customer experience and the customer life cycle. And underneath all of it, uh, our new sunshine platforms and as sunshine, it's a CRM platform that allows you to bring in a ton of information about the customer. You know, the, the products that customer owns. >>Um, you know, how they, how you've done business with them across all the different systems you have, right, that you do business with. Some, most companies we talked to have hundreds of different systems that store a little bit of information about the customer elusive three 60 degree. I mean, the single view of the customer. You know, I talked to a customer recently that said, Oh, I have 12 CRMs. Like are you going to be my 13th? And we said, no. You had to bring the right bits of information into Zandesk in order to make the right kind of actions that you want to take on behalf of that customer. Whether it's routing them to the right agent at the right time, whether that's making sure this is a VIP customer that has a, a hot deal with your sales team and you want to alert the sales rep if there's an incident that's affecting that customer open right now. >>Or maybe you want to have a bot experience that really solves a lot of the customer, uh, pain with knowing who that customer is, what products they own, et cetera. Right? So, right. That's really been what we've been trying to do with sunshine is, is move beyond just customer support into, uh, a full blown CRM solution. The one, you know, one place where a lot of your customer information can live to deliver that experience. Okay. So then we've got PagerDuty. So PagerDuty is keeping track of have more incidents, not necessarily customer problems per se, but system system incidents and website incidents and all these. How does that system of record interface with your system of record to get a one plus one makes three? That's it. I mean, so you know, if PagerDuty is the source of truth where your dev ops team and your developers and your product team are when there's an incident, you know, I've been part of this, uh, unfortunately we've, you know, if we have an incident at Zendesk, I'm, I'm in there as well kind of understanding what's happening, you know. >>But what's really missing there is that customer context and who's affected, you know, and even as good as our monitoring might be, sometimes customers tell us they're having problems, uh, or, or the extent of the problems they're having before we've fully been able to dig into it. Right? And so taking those two systems, the incident management portal and the customer record on the customer communications portal and bringing those two together, you know, it's better for the dev ops teams. They can learn. Like maybe we're getting some insight from the field about exactly who's affected and it's great for the customer support team because they don't have to sit there and tapping the, the engineer on the shoulder like have you fixed it yet? Right. What's the latest? Right. They can write within Zendesk with the new integration that that the PagerDuty Zendesk integration that we are, that we announced today, right. >>Within Zendesk, you know, reps can see a support, reps can see exactly what's happening in, in pretty close to real time with that incident so that they can keep customers proactively up to date. You know, before the customer reaches out, I have a problem, you know, they can say, Hey, here's the latest, you know, we're working on it. We estimate a fixed in this amount of time. Okay, now we've launched a fix. You should start to see things coming back up. Right. Okay. That that's a one plus one equals three. Okay. This is a two way communication. It's a two way writing. Yeah. I'm just curious, how does it, how does it get mapped? How does this particular Zen desk issue that I just sent it a note that I'm having a problem get mapped to, you know, this particular incident that's being tracked in PagerDuty. >>We got, you know, a power outage at a, at a distribution center right place. How do I know those two are related? So it's a, it's a two way integration, right? So it's installed both into the PagerDuty console as well as into Zendesk support where your agents are. And so, uh, you can create a really, it's all about the incident number and so you can create that out of, out of PagerDuty and then start attaching tickets, uh, as they come in to that incident or a customer's. Our rep could create an incident in PagerDuty, right through Zendesk. And so, you know, you're really working off of that same information about that incident number and then you're able to start attaching customers and tickets and other information that your customer support rep has to that incident number. And then you're all working off the same, you know, the same playbook and you're all understanding in real time if, if the developers are updating what's happening, the latest, the latest on it, you can sort of see that right in Zendesk and it's all based on that, that incident. >>So that's gotta be a completely different set of data and or you know, kind of power that the customer service agent has with this whole new kind of dead data set of potential if not root causes, at least known symptoms. Yeah, exactly. That's right. I mean, you know, part of our job on the product team at Zendesk is to sit with real customers and watch them shadow agents, watch them do their job every day and it's an ma even sometimes I log in and actually field tickets myself for Zendesk and it's an incredible experience to sit there and you log in and customers just start reaching out to you and they want answers, they want information. And you know, we've, we deliver a lot of automation and, and products like that, but still it's up to that customer support rep to quickly get back to that customer. >>And so to have some data right in front of them, Oh, it looks like this customer uses a certain product, that product is affected by this outage. Right. To be able to immediately have that customer support rep kind of alerted there is an outage. It might be effecting this customer, here's the latest information I can give that customer, you know, that's just less back and forth and round trips that they have to do to solve that customer's problem. Right. You know, as customers ourselves, we don't want that. We don't want to have to sit and wait or do they even know my tickets open? Do they have an update for me? I've been waiting 20 minutes, you know, to cut that down to give the agents context, it's, it's huge. It really helps them do their job. And of course the Holy grail is to not be reactive, to wait for the ticket, but to get predictive and even prescriptive. >>That's it. So where's that kind of in terms of, of your roadmap, how close are we to know adding things where we can get ahead, you can get ahead of the clients can get ahead of we see this coming down the road, let's get ahead and nip it in the bud before it even becomes a problem. Yeah, I mean, you know, we all are accustomed to whatever the last great experience we had with a company that suddenly just becomes what we expect next. And I think a big trend we're seeing in the last year or two is really customers want to get more proactive. And so we launched the Zendesk sunshine platform, which is all about bringing more of that data in. And the vision there then is really being able, which a lot of our customers are doing today. You know, they're able to say, I know which customers are using a certain product and when that product has an issue, send a proactive ticket. >>You know, before they even reach out to you were aware of an issue. You might be seeing these symptoms, here's some troubleshooting advice and here's our latest update and we'll keep this ticket up to date. We'll keep this conversation up to date as we learn more. You know, customers are already doing that was NS, but you're exactly right. That is more and more customers are trying to get there because it's becoming expected. You know, customers don't want to have to uh, log in and find that something's down and then try to troubleshoot unplugged re, you know, figure out, maybe it's me, maybe it's them. They want to know, okay, I get it. I can now plan around that. Maybe I'll go have my agents go work on a different, um, you know, updating some knowledge content or maybe put them on a different channel for a little bit or move people around depending on what's happening in the business. >>You know, the other thing that came up in the keynote that I think it's pretty saying that I don't know that people are thinking about is that there's more people that need to know what's going on than just the people tasked with fixing the problem. Whether it's account reps, whether it's senior executives, whether it's the PR team, you know, depending on the incident, there's a lot of people that aren't directly involved in fixing the incident that's still need that information and that seems like a super valuable asset to go beyond the ticket to a much broader kind of communication of the issue. As we actually, as we started to work, uh, with PagerDuty on expanding this integration with Zendesk and PagerDuty, we were talking to their team and we both have the same mantra, which is that the customer experience, it's a team sport. You know, it's not just the developers who are trying to fix the problem on behalf of the customers and it's not just your front line customer support reps who are fielding all those inquiries, right? >>It's everybody's job. In the end, as you said, the sales rep wants to know what's happening with my top accounts. Do I need to get in touch with them? Do I need to put in a phone call? Uh, you know, do I need to alert other teams? Maybe we should stop the marketing campaign that we were about to send. Cause the last thing you want is a buy more stuff, email when the site is down right now. So let's really start to think about this as a team sport. And I think this integration is a really great, uh, you know, how customer support and product and dev ops and engineering can kind of work together to deliver a better customer experience. It's, it's, so, it's, so Kate, you know, kind of multifaceted, so many things that need to happen based on that. Really seeing that single service call, that single transaction. >>Awesome. Well Luke, thanks for uh, for sharing the story and yeah, it's great to hear the Zendesk is still doing well. We are like, I like Zen desk emails like, yeah, I know. The next thing that we'll do is I will start to solve your problem before you even have to get us on that split up. Like we'll be working on your behalf even when you're not getting it. Okay. So Luke, thanks. Thanks Jeff. Appreciate it. See ya. Alright, he's Luke. I'm Jeff. You're watching the cube where PagerDuty summit in downtown San Francisco. Thanks for watching. We'll see you next time.

>> from San Francisco. It's the Cube covering the em. Where Radio twenty nineteen brought to you by the PM where >> hi. Welcome to the Cube. Lisa Martin with John Furrier way are in the middle of the excitement and the action at the, um where Radio twenty nineteen in San Francisco. Please welcome back to the Cube. David Tennant House, the chief research officer at the end. Where. David Welcome back. >> Thank you. It's always great to have the Cube here radio, >> and it's we had in a really exciting day. And then suddenly this whole space opens up and you can imagine all the innovation and the collaboration that's going on in here. This is the fifteenth radio. This is just one of several big programs that the M where does that really inspires and fosters this really collaborative, innovative culture? You've been here for five years. You came from Microsoft tells a little bit about what makes not just radio, but the emir's culture of innovation unique and really gives it some competitive advantage in the market. >> Yeah, well, so that you know, I think there's a number of different things there. People are super passionate about technology I think there's also this shared thing at P m. Where which is, you know, we're a little understated, right? We're not a big consumer brand. And, you know, we almost pride ourselves in creating technology that goes under the covers, right? So whether it's inside the data center, you know, can we make, you know, with virtual ization, right, Khun? Oui. Make it so that you can run ten times as many virtual machines as you had physical machines and the applications never have to know, right? So that's kind of, you know, for us, it's perfect, technically hard problem and, you know, a little understated. So that kind of, you know, fits with our culture. I think another thing that we found, you know, having a research group often a challenge. His researchers will go to people in the product teams, and they sort of want to start the discussion. I've got this new idea, and maybe it could really help you with your product. And, you know, meanwhile, of course, the product people are, you know, they're working against deadlines. They want to get stuff out. They don't want people derailing their, you know, their agenda and their work. So something we find at PM where which is really I find unique, is let's say we goto a product team in many other companies environments, and I'm really not naming anyone. What happens is you gotta have a discussion with somebody who sort of, you know, is the expert on whatever name your technology and you say the reason starting point isn't Hey, I've got this whole new way of doing your stuff, right? Starting point is can you tell me how your stuff works? And usually the response that other companies is. Why do you want to know? Right. It's a really pointed defense of we find it. The m where is really people are incredibly open. I don't, you know, know exactly how this got embedded in the culture. Maybe because it was a spin off from the university, but deeply embedded in this culture is Oh, yeah, let me tell you how this stuff works. And, uh, you know, maybe you'LL have a better idea. We don't even have to start with, You know, we have a better idea. It's like, you know, and then from there way can have ongoing discussions about >> Oh, that prints and improve it. That Cruz, why you have a community? Yeah, transparent creates openness that creates solidarity around open >> concept. Exactly. And and that's kind of what you see here. Radio. I don't know if people can see in the background is This is, you know, already day for in the Expo Hall and people don't want to leave and they're walking around. They're looking at each other's posters, they're talking to each other, making connections, and then they're going to build on those connections in the coming, you know, week. It's months and over the next year. And, you know, this is they said, you know, this has been going on for four days. You think that by now people have seen all the posters, they talked about everything there is still finding things that they want to talk to the kid. >> The candy store is a lot to taste here and learn ivory engaged graphic contents good and congratulations and thank you. And I just want to add, >> like something I love is, uh, getting here. Actually, before people arrive on the first day each year because when they come in, it's like greeting old friends right. It's sort of like a reunion except nobody's worried about, you know, like school reunion. You know, people are just playing happy to see each other, so that fits with that community thing, you know, because sometimes they're there in their teams and they don't necessarily get what you're being humble. We've talked last year about some of the content you put together in the team, so it's not. It's a hive mind, but you're the chief researcher, >> So you've gotta figure out on at least some canvas to start shaping framing sets of agendas to go after that. So if you can. So Lisa and I were just talking about this here today about how if you have a tech canvas, you don't want to create barriers of thinking. You want to open it up but not make it two restricted. That's your job. What can you tell us about the research agenda that's here and way out there and how how do you see that aperture range >> of yeah topics? Well, I think you know, I want to re first before even getting into that agenda, reaffirm a key point you made right, which is don't constrain people too much. So radio, by the way, is really very, you know, bottoms up. This is not about saying, you know, here's the four topics people really submit. It's a very competitive process people want to be. Not every engineering BM where gets to come to radio, right? It's it's eighteen hundred developers, which is an incredible commitment by the company. He's still a small fraction of our community, so they're actually submitting, you know, bottoms up, uh, to you know, see you and then we have a program committee that reviews it. So that's Ah, bottoms up part of the process from where I sit, You know what I think happens is whether it's our research team or filtering. You know, we'LL look at what comes. Bottoms up and say, Well, what's the signal to noise? For example, there's you know, we've had this year a tremendous amount of machine learning activity, and you see this in the posters here and in the presentations. However, you know that it wasn't too hard to detect a rising signal a couple years ago. So in that case a couple years ago, we said, OK, this is important. We see it in the external community way see it in the developer community. We see it within our own teams and developers. Clearly important. So starting a few years ago, we pulled together some of the senior most technologists, the principal engineers, a subset of them, and said, Hey, we want you guys to dio what we call a of a test study for tests are going faster, but also Veum, Where? Technology Study. We want you to actually do a strategy, but not a business strategy. Technology strategy. Look at the landscape of this. Look at where we are. Look at where we need to be and start charting a course. So in that sense, what we you know, coming out of that was, for example, information of an internal machine Learning program office? Who? One of them gold. It's billed the ML community. You talked about that before. Inside the company. It's not just a technical goal, it's an organizational on community goal. And that's just sort of, you know, kind of one example that wasn't the only output of that. But it's it's one example and what you see a big surprise, you know, kind of ten x, the engagement in the space so that that would be, you know, one case. I think one of the key things is, well, pick up on different topics. And then the thing that we do that I think it's different from some other companies to stop and say what our enterprise is going to need to do because at the end of the war in enterprise company and our customers, our enterprises and their needs her actually, although they're in different verticals, for example, let me just use machine learning. But it could be blockchain. It could be I ot. Actually, what they need is different from, say, the machine learning that that the hyper scale er's needs. So we realised that actually, there's a very interesting needs for us to explore the underserved parts of machine learning because all of these companies, if you look at them, they have a larger number of machine learning problems to work on the hyper scaler. You know, Facebook, Google, love them. They're actually working on a very focused set of problems, right? It's you know it's at serving. It's the social network graph. It's, you know, cat photo recognition, and I don't mean to knock those and they've got a great business is built around them. But notice it's a small number of problems. They do it it immense scale. Okay, given Enterprise probably wants to apply machine learning to a large number of problems, they're not going to run each of those problems on a million servers there, actually, probably running those problems on tens or hundreds of the EMS, right? And so what's the technology they need to address those problems and you can go through way looked at, you know, machine learning That way. We looked at I ot that when he said, You know, look, we think the analytics and the M L. That's a really cool things. We want to play in that space, too. But you know what everybody's trying to do. That, and not a lot of attention being paid to our enterprise is going to secure right and and managed all these I O T devices and the gateways to the devices. So we chartered a strategy for both research and business in that space, watching same thing, really exciting technology Now for enterprises, it's not about big point. It's not about currency, right? It's a money decentralized trust. It's an infrastructure for decentralized trust and effectively think of this is, you know, a database like thing. Except now it's going to be shared across many different organizations. And it's going to change how organizations work with each other and how they work with their auditors on how they work with their regulators. So this is great. >> But, you know, let's focus on what am I the way I just retweeted while you were talking? I just got a clip from last year. I asked you that question about Blockchain. You nailed it Way talked about how all the hype and fraud and i CEOs and confusing it. Yeah, but the world kept moving along. A lot of progress on the supply chain side, lots of interest, rafters trust. He sat realized that it's not about >> the eye. Indio. Yeah, so wave you, that is, You know that there's the high poker and, you know, they'LL be a deflation after the hiker passes. But there's real signal under there and so, you know, and we just turn our strategy and we keep marching down that path, and we're, you know, building up more partners, more people to work with. So it's it's that sort of thing. Quantum computing, right? We're not, you know, developing our own quantum computers. I can tell you that right now, and we're not even doing quantum algorithms. I have some albums researchers, but they're not doing quantum algorithm. You know, I kind of wish we were doing some of that stuff, but what we did do, and we looked at this and we said, Okay, hold on a key challenges. Uh, when the quantum computers do show up, we're going to need to transition to new cryptography to quantum resistant. You know, our post quantum there. Two terms, they're used. Cryptography enterprise customers are going to need to do that. Well, one second, they can't wait till this shows up. It takes ten years. Change your crypto. And by the way, you know if you've encrypted data and other people got a copy of your encrypted data, if it's long living data like, you know, health care records, you don't want them decrypting that in five or ten years. So you got a sort of start now and again, this goes back to what oh enterprise customers need to do Well, okay. The new crypto standards for miffed and others aren't quite ready, Okay, but But by the time they're ready, it's going to be too late to get started. Okay, But we could start working with our customers to work on crypto agility to change how they handle their cryptography. First off, get a good inventory of it, and then get set up so that they're using essentially plug mobile libraries so that it's easier for them to change their cryptography as soon as the standard shows up. And by the way, even if quantum computing takes a lot longer than we all think, this is good hygiene anyway. In other words, it's just a no regrets move for our customers and Khun. We sort of help them go down that path. And this is an example where we can actually also partner with our colleagues that are, say, other parts of Del technologies to help make that work for We're working with others in the industry, you know, intel, and we've kind of convened a form of players within the industry. You know, start working in that direction again. What do enterprise you know, what's the cool new technology. What oh enterprises need. >> So you talked about this event being open in terms of like the agenda and the topics being driven from the bottom of it, That gets really cool. So in the spirit of talking about customers and, like you were saying designing for what enterprises need and all of the variations that encompasses where is customer influence not just a radio, but within the em wears research and innovation programs and strategy. What's that? I mean, I just Advisors don't like that. It's >> a great question. So, like many companies, you know, we do have various advisory body's right, so we bring them in and, well, we'Ll sort of half like, you know, the sea tabs are customer technical advisory body. So the more technical people in some of our kind of more leading customers and we'LL show them things that we're working on, you know, under any kind of India arrangement, and get their feedback, you know, sort of OK, Does this make sense? You know? If not, why not? If it does, you know often it's not that finery, right? It's how would you use it? And we really sort of them give that feedback backto our teams. Now many people do this kind of thing, so we have lots of other customer engagements. We bring customers into forms like radio to be on panels, breakouts, things like that to give presentation so that basically, let's face it in one or two events, that's not going to convey much signal to our engineers. It's a madam, a six storey engineers way want you to be out talking to customers, right? So getting our engineers to be at PM world but way have programmes to actually allow engineers and encourage them to get out, make customer visits above and beyond. And by the way, if you look at it again, our principal engineers in our fellows I think what you find is the vast bulk of them are distinguished because they love engaging with customers. They don't just do it because it's part of the job. They love getting that feedback, so it actually helps them in their career, and we try to sort of essentially teach that to folks. One of the programs we have that in the CTO office, but I love it's not him. It's not in my part, So you know this is a case of I love all the things that we have that just my own, You know, uh, is it's like it's like loving your nieces and nephews, right? Not just your own children way. You were going to ask you your favorite child so way have, like, the CTO ambassadors program, Uh, which basically is coming from the field. So we have, you know, field engineers. They're not on the development side, but these air super technical people that are out in the field touching our customers all the time in any company, there's always a subset of those folks that just have a really good intuitions for where the customers are going and are good at raising their hands about that. So way actually have a program with CTO Ambassador Program CTO way where, you know, literally we give them a pin right way, give them a bad on DH. So we've tried to identify that subset of the field engineers and way regularly bring them in, you know, to pollo alter or bring them together. Whether it's a V m world or radio or whatever again, same thing. We're going to let them know what we've got cooking. We're going to get their feedback. We're gonna hear from them on. And this is not just on research right away. This is on the product pipe lines. You know what's going on in the road map and everything else now to me again. That's just actually a starting point. Because when I put my people in front of Seo is its telling my people, this is the group of folks. When you have a new idea, don't just talk to the product people go find CTO is because, you know, one of the best ways and I'm gonna be a little selfish. One of the best ways for us to influence the customers it influence the company is to get customers excited about something you were doing right. So you know Helen Lawson talk about technology push. And if you really want to be a success, we'LL get innovating it. In a large company, you need to create whole absolutely, and so the CDOs are great. They help us find people to do posies with, because you have to find just the right. You have to find a customer that has a need for this new stuff, but they also have to be somebody that understands this isn't yet a product. This is a journey, right? We're going to jointly try something out. You're gonna learn about whether this new tech can help you and how it could help you. We're going to learn what the product ultimately means, but, you know, you're not gonna be able to actually take out your checkbook at the end and get it right away. So you have toe, you know, be comfortable investing the time and energy, and then they have >> a spy in three that is really one of the core elements that's essential to drive innovation. >> Absolutely. And you need that. As I said, you need that customer partnership to help fine tune things. It's, you know, one of the things more broadly I try to do with research team is, you know, on the one, and give them the freedom to say, Hey, I have a new idea and I want to explore that new idea. That's great. Now, if you think about it right, then they're running open. Luke, they're running based on, you know, kind of their guesses. What educated guess. Right? And their intuition what people might want in the future. So that's good. What a then do it say. Okay, that's great. Uh, you know, you did a little bit. You wrote a paper build a prototype. Okay, so now they get a prototype bill. Okay, That starts getting this idea little more concrete. They're okay with that. The next step, it sort of is. Okay. Now, >> you got to >> get somebody to use that prototype, because I need you to get. And you need you to get feedback and create a feedback loop. Because otherwise, what's gonna happen is they made that first intuitive guests. So let's say they had their really phenomenal and they have a seventy five percent chance of getting it right. Okay, that that. But if they now continue to make a series of educated guesses and they have, ah, you know, seventy eighty percent chance on each educated guests and they make a siri's of four or five of those they have almost, you know, very quickly, close to zero chance of being in the right spot if you just multiply out the probabilities. But if they make that first big league and they start getting customer feedback That actually helps them right get more and more focused on where the bull's eye is. You have a really great chance of changing, >> so they don't build this great technology with no customers. Crichton second >> don't want somebody for a problem, right? But if you want to, you know, kind of have >> some really big ball change. You've >> got to be. >> Well, you've got to be willing to make that first big step without the feedback because the customers don't wear right. And if you just went to the customers said if you had this, what would you do? And they probably say, No, no, no. Instead of that, I want another feature over here. So you got to go and build that first prototype and take the leap of faith. The issue is, if you compound the leap of faith, your odds of being successful slope. If you quickly get into the hands of the customers, get feedback and start focusing in on where the value is, your chance goes up dramatically. >> Awesome. I wish we had more time with you, David. We're gonna let you get back to all of the amazing innovation that I have no doubt it's going on right behind us. Thank you. Something, Johnny on the Cube today. >> Look forward to seeing you again soon. >> Absolutely. For John Ferrier, I'm least Martin. You're watching the cubes. Exclusive coverage of the young Where? Radio twenty nineteen. Thanks for watching.

(upbeat music) >> Narrator: Live from Orlando, Florida. It's theCUBE, covering .conf 18 brought to you by Splunk >> Welcome back to Orlando, everybody. This is Dave Vellante with Stu Miniman You're watching theCUBE, the leader in live tech coverage. We go out to events, we extract the signal from the noise. This is day two of Splunk's big user conference #Splunkconf18 Winding down, Stu. Been quite an amazing two days just said Doug Paradon had tons of customers, a lot of security talk today. Luke Bampton is here, another security expert, he's the application security specialists with SecurePay, >> Hi guys >> from Australia. Hi, how ya doing, mate? >> Good, not bad, can you tell that I'm from Australia, or not so much from the accent? >> That rack of beer you got down there gives it away. >> Haha, yeah (laughing) >> Australians like beer or so they say. But they don't drink Fosters so I hear. >> No, no, no such thing, actually, it's yeah, >> That's great marketing to dumb Americans. >> Yeah, a very common misconception though, so kudos to you for picking it up. >> Well, we were talking about the Melbourne Cup, but we'll get back to that later. But lets talk about SecurePay. >> Luke: Sure >> What do you guys do and what's your role there? >> Yeah so, we're an online payment gateway, so we help businesses trade online facilitating e-commerce, so we're actually owned by Australia Post so, Australia's premiere mail network. So that gives us kind of a unique competitive advantage being able to sell both parceled delivery and payments facilitation all in one service to our customers. Um, makes it really compelling offering to customers have an all in one kind of one-stop shop for all their e-commence needs. >> What's your role and what are the big drivers from the business or the operations that are effecting that role? >> So my role is an Application Security Specialist, so I look after a lot of the PCI, DSS constraints, so payment card industry, data security standard. I do a lot of stuff around vulnerability management, card reviews, penetration testing, web application, firewall administration, I work very heavily with our SOC guys work very heavily with our network, security team, platform application, you name it, we do it pretty much. >> So-- >> Yeah, yeah I mean security obviously for a payment company is pretty important, maybe you can talk about you know, what was changing in the industry, how does that impact your job? >> Yeah, so financial tech or fin tech has kind of boomed in Australia. If not the world in the last like five ten years, so there are a lot of new companies, and so therefore, it's driving a lot of innovation. So big players even like SecurePay are even feeling that, feeling that desire to work faster, more agile, and be more competitive in market, and that means a lot of change, a lot of fast paced change, especially when you're dealing with industry regulation such as calculating surcharges on the flyer, making sure the people aren't skimming off the top of what is just what it's supposed to be at cost covering exercise. For our merchants, so competing with legislative changes competing with industry changes, best practice, and if payments stopped then your entire ecosystem stops, and the economy stops. >> Yeah, so, I see hear application security, and I'm a networking guy by background so I start thinking level four through say, layer four through seven. Bring us inside a little bit. What your team does and kind of solutions you're using, I would expect Splunk's, piece of it, what's the stack and security layer look like? >> Yeah, sure, so from a security viewpoint, SecurePay being a subsidiary and being a payment card provider kind of has to be stand alone, so we can't leverage, we have to manage a lot of stuff in-house, I should say. Um, so what that means is basically you have to think of it as condensing your entire organization into a team of like five, six, seven. And really making the most of your products that you've got available to you. So that means really making the most of technologies out of the firewall space, out of the application security space, code scanning, basically everything that you'd expect a full blown enterprise to do, only with a much smaller team, much smaller budget, which means you've got a lot of competing priorities all the time. >> So when you say, in house, I'm inferring that means a lot on PREM as well or not sure? >> Yeah so at the moment, we are prominently on PREM, in terms of our infrastructure, we are moving to more of a hybrid cloud, particularly with non production environmentS. But, with that said, everything's got to be to be in line with all of the network controls, all of the application controls, segmentation all the rest of it is required under PCI. As far as individual tooling is concerned, we work very heavily with Splunk in terms of the event correlation, event management, alerting. Our risk guys use it to fraud profile, and risk profile both our merchants and our customers. And really like just keep an eye on what's going on in the overall enrollments payment ecosystem. Not only for our customers, but also for customers in the overall payment scene, because we hold relationships with other significant players, we can give them a head's up of what's going on. So any market trends, intelligence, like sharing, makes it a really good place to be. >> How long have you been a Splunk customer? >> So we've been a Splunk customer about 18 months now. >> Okay great. So relatively recent? >> Yeah. >> Tell us about life, what was the catalyst to bring Splunk in? What was life like before and the after? >> Yeah, so, the catalyst for bringing Splunk in was really the contract negotiation with our parent company in Australian Post. So we've moved away from our previous tooling and moved to Splunk. I'll be honest, there wasn't a huge adoption 'cause there was so much going on at that point in time, but about twelve months ago, we started really investing heavily in optimizing our instance of Splunk cloud, to the point where we're now able to leverage it's functionality in terms of application monitoring, making logs available and searchable. Just make things a lot more visible for even our senior leadership team to come up and see a dashboard on a TV screen on a wall and be like, "Hey, we're doing really well today". Or "hey, what's with that number, do I need," "is there something that I need to know?" The power of visibility when you're talking to leadership teams is just amazing. >> And you couldn't do this before, or you could do it would take a lot more resources? >> Yeah, exactly. You could do it, it's just that it's a lot less visual, and a lot more time intensive to actually pull that out. So where Splunk has really assisted us is in the ease of reporting, and the visibility and speed with which we can deliver the information required. So, with our previous tools, there was an issue with the timeliness of the data, so by the time that we'd actually pulled it out, taken the core insights that we needed it was probably not as accurate, or as up to date as what we like, and being in high paced financial industry time is money. >> So what have you done with that extra time is it just sort of perfecting the dashboards and the reporting and that process, or have you shifted resources to other activities? >> Yeah, so I mean when you're dealing with such a small team, time is key. And really that reporting time got shifted away and back into the hands of more technical on hands, technical uplift. You have more time you know, making sure that your firewall rules are correct, you've got more time making sure that you're applications, and your code reviews are going well, and you're clearing pipelines, and you're looking at training, you're looking for indicators of compromise instead of just kind of sitting there hoping that your current configures okay, but knowing that you could probably give it some more love if you had more time. >> Alright, yup Luke, one of the things we talked to a lot of customers about is that they start with a specific use case for Splunk, but then the business starts asking questions other groups get involved, what's your experience? >> Yeah, no, as our experience in that field is exactly the same, so we brought Splunk onboard purely as a seam for the security team to use. And it got to the point where you had say the sales team approach us and were like, "hey we know that you" "guys are pulling out a lot of metrics about" "our customers and what activities are going on in system," "is there any way we can leverage this" "to say calculate profitability for various accounts" "or you know can we offer bulk discounts?" Or you know, whatever so it kind of starts getting extended to the sales team, and then the customer service guys came aboard and they're like, "Hey, if we had access to this information" "sooner, we could better service our customers." And that offering itself was really powerful because it has a direct impact on our ability to deliver as a service provider. And it just keeps growing, and growing and growing to the point where pretty much every single team uses Splunk in some way, shape, or form, and are getting real value out of it. >> Now, when you say every single team, >> Yeah >> You mean across the company or? >> Yeah, just, across our company, so across SecurePay, so from the infrastructure guys to the network guys to the dev team, to the QA's to the BA's, just yeah. >> What about well, so we heard a lot of announcements today there sort of positioning Splunk for the lines of business the business users, the less technical folks. Do you see that happening in the near to midterm? >> Yeah, so that has. That's going to have a big impact as to where we sit, so on our current experience has been with the internal customers using Splunk who aren't as technical because we are using Splunk Cloud and we've got that shared like service pool from Splunk. Can unfortunately impact the ability of users who do need access to certain things, in a faster manner can be limited sometimes. So the ability to actually give those guys the ability to self serve a little bit bettter, up skill and actually kind of kind of teach them to fish as opposed as to delivering fish. Is really going to be very powerful, and it's just going to be it's going to be something to play to Splunk's credit. >> How large of an installation are you? How do you measure that, is that like, I guess it's gigabytes or terabytes right? >> Yeah, so in terms about our daughter in just I'm not 100% sure. I think we're, the majority of our logging comes out of our firewalls and perimeter stuff, as you'd expect, being a public facing organization so we've always got scans and whatever going on. But, in terms of the rest of our ingest, >> Dave: So small, medium or large? >> Yeah, I'd say we're probably, small or medium, depending on our ingest. So SecurePay for reference is only about 100, 120 people strong. So, we try to keep things as agile as possible and as lightweight as possible and Splunk's kind of there to support that because we can, we know when we're hitting our overhead and what we can do to actually kind of peg that back or wrap it up and where we've got the head room. >> Things you'd like to see Splunk do, what's on their to do list? >> That's a fantastic question, I'd like to, so I'm personally not a Splunk ninja by any means, I'm still very new, so given the fact that we've only had Splunk for about 18 months I would like, there are people here who would Splunk me into the ground. (laughing) >> But, >> That sounds vicious. (laughing) >> But personally what I'd like to see is a lot of that natural language translation stuff coming through that they announced, Can be really, really powerful. Just to empower those guys who haven't got quite like trying to reduce that barrier to entry rather than in nothing else. >> Luke, thanks so much for coming on theCUBE and good luck >> Yeah, no worries. >> with the future. That's it for us too, that's a wrap, I mean your final thoughts, you want to bring it home? >> Yeah, at the crossroads at day to day, it's really amazing to see this, they going to have WAS tomorrow, they got a huge party at Universal, so it's been a great experience for me, I really appreciate ya you know coming and sharing the ride. >> My pleasure. It's all about the data. We're seeing, we've watched the ascendancy of Splunk, Splunk went public with a very little of the cash, forty million dollars in cash, got to the public markets been growing like crazy, we're seeing a massive CAM expansion now into lines of business and new areas like IOT, so we're actually very excited about Splunk. We really appreciate them having us here. Busy month for theCUBE. theCUBE team's packing up. I'll be going to Miami. Stu will be going to Miami. You guys will be going to Miami. You guys are going back to California. We'll see you next week. Check out the Cube.net it will show you where theCUBE is for all the shows, checkout siliconangle.com for all the news. Some big news today, so look for that in the big data space Hortonworks and Cloudera merging evidently, just just came across the wire, wow. Hatfields and the McCoys. And, check out wikibottom.org sorry wikibottom.com for all the research. Thanks for watching everybody, This is theCUBE, we're out from Splunk .conf 2018 We'll see you next time. (upbeat music)

live from San Francisco it's the cube covering Google cloud next 2018 brought to you by Google cloud and its ecosystem partners ok welcome back everyone we're live here in San Francisco this is the cubes exclusive coverage of Google clouds event next 18 Google next 18 s the hashtag we got two great guests talking about services kubernetes sto and the future of cloud aparna scene how's the group product manager of kubernetes and we have hen goldberg director of engineering of google cloud - amazing cube alumni x' really awesome guests here to break down why kubernetes why is Google cloud really doubling down on that is do a variety of other great multi cloud and on-premise activities guys welcome to the queue great to see you guys again thank you always a pleasure and again you know we love kubernetes the CN CF and we've talked many times about you know we were riffing and you know Luke who Chuck it was on Francisco who loves sto we thought service meshes are amazing you guys had a great open source presence with cube flow and a variety of other great things the open source contribution is recognized by Diane green and the whole industry as number one congratulations why is this deal so important we're seeing the big news at least for me this kind of nuances one datos available you get general availability we're supposed to be kind of after kubernetes made it but now sto is now happening faster why so what we've seen in the industry is that it only becomes too easy to create micro services or services overall but we still want to move fast so with the industry today how can you make sure that you have the right security policies how do you manage those services at scale and what if tio does really in one sense is to expand it it's decoupled the service development from the service operations so developers are free they don't need to take care of monitoring audit logging network traffic for example but instead the operation team has really sophisticated tool to manage all of that on behalf of the developers in a consistent way you know Penn and I did a session yesterday a spotlight session and it covered cloud services platform including ISTE oh we had a guest from eBay and eBay has been with Google kubernetes engine for a long time and they're also a contributor to the kubernetes open source project they talked about how they have hundreds of micro services and they're written in different languages so they're using gold Python Ruby everything under the Sun and as an operator how do you figure out how the services are communicating with each other how do you know which ones are healthy so they I asked him you know so how did you solve that complexity problem and he said boom you assist EO and I deployed this deal it deploys as just kind of like a sidecar proxy and it's auto injected so none of your developers have to do anything and then it's available in every service and it gives you so much out of the box it gives you traffic management it gives you security it gives you observability it gives you the ability to set quotas and to have SL o--'s and and that's really you know something that operators haven't had before describe SL lows for a second what is why is that important objectives so you can see an example so you can have an availability objective that this service should always always be available you know 99.9 percent of the time that's an SLO or you know the response rate needs to be have a certain type of latency so you can have a latency SLO but the key here with this deal is that as an operator previously Jeff was working Jeff from eBay he was working at the at the VM or container or network port level now he's working at the service level so he understands intelligence about the parts of the application that weren't there before and that has two things it makes him powerful right and more intelligent and secondly the developer doesn't need to worry about those things and I think one of the things for network guys out there is that it's like policy breeze policy to the equation now I want to ask course on the auto injections what's the role of the how much coding is involved in doing this zero coding how much how much developer times involved in injecting the sidecar proxies zero from a developer perspective that's not something that you need to worry about you you can focus on you know the chatbot your writing or the webpage your writing or whatever logic you're developing that's critical for your business that's gonna make you more competitive that's why you were hired as a developer right so you don't have to worry about the auto injection of sto and what we announced was really managed it's d1 gke so that's something that Google will manage for you in the future oh go ahead I want less thing about sto I think it also represented changing the transformation because before we were all about kubernetes and containers but definitely when we see the adoption the complexity is much broader so in DCP were actually introducing new solutions that are appropriate for that so easier for example works on both container eyes applications and VM based applications cloud build that we announced right it also works across applications of all types doesn't have to be only containers we introduced some tools for multi cluster management because we know all customers have multi cluster the large ones so really thinking about it how is in a holistic way we are solving those problems we've seen Google evolve its position in the enterprise clearly when we John and I first started talking to Google about cloud is like everything's going to cloud now we're seeing a lot of recognition of some of the challenges that enterprises face we heard a lot of announcements today that are resonating or going to resonate with the enterprise can you talk about the cloud services platform is that essentially your hybrid strategy is it encompass that maybe you could talk about that little bit closer services platform is a big part of our hybrid cloud strategy I mean for as a Google platform we also have networking and compute and we bridge private and public and that's a foundation but cloud services platform it comes from our heritage with open source it comes from our engagement with many large enterprises banks healthcare institutions retailers do so many of them here you know we had HSBC speaking we had target speaking we know that there are large portions of enterprise IT that are going to remain on premise that have to remain on premise because you know they're in a branch office or they have some sort of regulatory compliance or you know that's just where their developers are and they want to have a local environment so so we're very very sensitive and and knowledgeable about that and that's why we introduced cloud services platform as Google's technology in your environment on Prem so you can modernize where you are at your own pace so some of the things we heard today in the keynote we heard support for Oracle RAC and Exadata and sa P that's obviously traditional enterprises partnership with NetApp cloud armor shielded VMs these are all you know traditional enterprise things what enterprise grade features should we be looking for from cloud services platform so the first one which I actually love the most is the G key policy management one of the things we've heard from our customers they say okay portability is great consistency great but we want security portability right they now have those all of those environment how can they ensure that they're combined with the gtp are in all of their environments how they manage tenants in all of their environments in the same way and G key policy measurement is exactly that okay we're allowing customers to apply the same policy while not locking them in okay we're fully compatible with the kubernetes approach and the primitives of our bug enrolls but it is also aligned with G CPI M so you can actually manage it once and apply it to all your environment including clusters kubernetes cluster everywhere you have so I expect we'll have more and more effort in this area I'm making sure that everything is secured and consistent auto-scaling is that enterprise greed auto-scaling yes yes I mean auto-scaling is a inherent part of kubernetes so kubernetes scales your pods automatically that's a very mature I mean it's been stable for more than a year or probably two years and it's used everywhere so auto skip on auto scaling is something that's used and everywhere the thing about gke is that we also do cluster auto scaling cluster auto scaling is actually harder and we not only do it for CPU as we do it for GPUs which is innovative you know so we can scale an auto scale and auto implements Auto provision your GPUs if you machine learning we're gonna bring that on-prem - it's not in the first version but that's something that with the approach that we've taken to GK on Prem we're gonna be adding those kinds of capabilities that gonna be the go on parameters it's just an extension just got to get the job done or what time frame we look API that we've built it's a downward API that works with some sort of hardware clustering technology right now it's working with vSphere right and so it basically if you're under an underlying technology has that capability we will auto scale the cluster in the future you know I got to say you guys are like the dynamic duo of kubernetes seen you in the shows you had Linux Foundation events talk about the relationship between you guys you have an engineering your product management how were you guys organizer you're moving fast I mean just the progress since we've been interviewing you to CN CF segoe all just been significant since we started talking on the cube you see in kubernetes obviously you guys have some inside knowledge of that but it's really moving fast how is the team organized what's the magic internal formula that you guys are engineering and you guys are working as a team I've seen you guys opens is it just open stores is the internal talk about some of the dynamics we're working as one team one thing I love mostly about the Google culture is about doing the right thing for the user like the announcements you've seen yesterday on the on the keynote there are many many teams and I've been working together you know to get that done but you cannot see that right you don't see that there are so many different teams and different product managers and different engineering managers all working together but well I I think where we are right now I know is that really Google is backing up kubernetes and you can see it everywhere right you can see with ours our announcement about key native yeah for example so the idea of portability the idea of no lock-in is really important for us the idea of open cloud freedom of choice so because we're all aligned to that direction and we all agree about the principles is actually super easy to the she's very modest you know this type of thing doesn't just happen by itself right I mean of course google has a wonderful culture and we have a great team but I you know I really enjoy working with hen and she is an amazing leader she is the leader of the engineering team she also brings together these other teams you know every large company has many teams and the announcement at the scale that we made it and the vision that you see the cohesiveness of it right it comes from collaboration it comes from thinking as a team and you know the management and leadership depend has brought to the kubernetes project and to kubernetes and gke and cloud services platform is phenomenal it's an inspiration I really enjoy the progress congratulate and it's been great progress so I hear a lot of customers talk about things like hey you know they evaluate vendors you know those guys have done the work and it's kind of a categorical way of saying it's complete they're working hard they're doing the right things as you guys continue this mission what's some of the work that you're continuing to what's the work that you guys are doing the work we see some of that evidence if it does ascribe to someone says hey have you done the work to earn the cred in the crowd cloud what would it be how would you describe the work that you've done and the work that you're doing and continue to do what does that work what would you say that I mean I hope that we have done the work to you know to earn the credit I think we're very very conscientious you know in the kubernetes open source project I can say we have 300 plus contributors we are working not just on the future functionality but we work on the testing and the we work on the QA we work on all the documentation stuff we work on all the nitty-gritty details so I think that's where we earn the credit on the open source side I think in cloud and in Enterprise do well you're seeing a lot of it here today you know the announcements that you mentioned we're very very cognizant and I think the thing I like about one of the things that Diane said I liked very much as I think the industry underestimates us well when you talk about well we look at the kubernetes if I can call it a playbook it took the world by storm obviously solving some of your own problems you open source it develop the community should we think about it Co the same it's still the same way are you going to use that sort of similar approach it seems to be working yes doing open source is not easy okay managing and investing and building something like kubernetes requires a lot of effort by the way not just from Google we have a lot of people that working full time just on kubernetes the way we look at that we we look about the thing that we have valued the most like portability for example if there is anything that you would like to make a standard like with K native those are kind of thing that we really want to bring to the industry as open source technologies because we want to make sure that they will work for customers everywhere right we need we need to be genuine and really stand behind what we were saying to our customers so this is the way we look at things again another example you can see about Q flow right so we actually have a lot of examples or we want to make sure that we give those options so that's one it's one is for the customer the second thing I want actually the emphasize is the ecosystem and partners yeah we know that innovation not a lot of innovation will come from Google and we want to make sure that we empower our powders and the ecosystem to build new solutions and is again another way to do it yes I mean because we're talking before we came on camera about the importance of ecosystems Dave and I have covered many industries within you know enterprise and now cloud and big data and I see blockchain on the horizon another part of our coverage area ecosystems are super important when you have openness and you have inclusion inclusion Airy culture around building together and co-creation this is the ethos of open source but people need to make money right so at the end of the day we're you guys are not you're not a non-profit you know it's gonna make profit so instead of the partners so as the world turns to cloud there's going to be new value opportunities how do you guys view that ecosystem because is it yeah is it more educational is it more just keep up a lot of people want to be on the right side of history with cloud and begin a lot of things are changing how do you guys view that ecosystem in terms of nurturing it identifying it working with it building it sharing what's your thoughts sure you know I I believe that new technology comes with lots of opportunity we've seen this with kubernetes and I think going forward we see it it's not a zero-sum game you know there's a huge ecosystem that's grown up around kubernetes and now we see actually around sto a huge ecosystem as well the types of opportunities in the value chain I think that it changes it's not what it used to be right it's not so much I think taking care of hardware racking and stacking hardware it's higher level when we talked about SEO and how that raises the level of management I think there's a huge role for operators it's a transformative role you know and we've seen it at Google we have this thing called site reliability engineering sre it's a big thing like those people are God you know when it comes to your services I think that's gonna happen in the enterprise that's gonna be a real role that's an Operations role and then of course developers their life changes and I think even like for regular people you know for kids for you and I and normal people they can become developers and start writing applications so I think there's a huge shift that's a huge thing you're touching on a lot of areas of IT transformation you know talking about the operations piece we've touched upon some of the application development how do you guys look at IT transformation and what are some of your customers doing IT transformation is enabled by you know this raising of the level of abstraction by having a multi cluster multi cloud environment what I see in in the customer base is that they don't want to be limited to one type of cloud they don't want to be limited to just what's on Prem or just what's in one you know in any one cloud they want to be able to consume best-of-breed they want to be able to take what they have and modernize it even if it's even if they can't completely rewrite or even if they can't completely transform it they want to be able they wanted to be able to participate so they even they want their mainframes to be able to participate but yeah I had one customers say you know I I don't want to have two platforms a slow platform and a fast platform I want just a fast platform know about the future now as we end the segment here I want to get your thoughts we're gonna see CN CF s coming up to Seattle in a couple months and also his ST O's got great traction with I'll see with the support and and general availability but what's the impact of the customers because gke Google Cabernets engine is evolving to be the single in her face it's almost as ease of use because that's a real part of what you guys are trying to do is make it easy the abstraction layer is gonna create new business models obviously we see that with the transformation fee she were just mentioning the end of the day I got to operate something I'm a network guy I'm now gonna might be a operating the entire environment I'm gonna enable my developers to be modern fast or whatever they want to be in the day you got to run things got to manage it so what does gke turn into what's the vision can you share your thoughts on on how this transforms and what's the trajectory look like so our goal is actually to help automate that for our customers so they can focus elsewhere as we said from the operations perspective making things more reliable defining the SLO understanding what kind of service they want to provide their customers and our hope you know you can again you can see in other things that we are building like Auto ml okay actually giving more tools to provide those capabilities to the application I think that's really see more and more so the operators will manage services and they will do it across clusters and across environments this is this is a new skill set you know it's the sre skill set but but even bigger because it's not just in one cloud it's across clouds yeah it's not easy they're gonna do it with centralized policy centralized control security compliance all of that so you see us re which is site reliability engineers at Google term but you see that being a role in enterprises and it's also knowing what services to use when what's going to be the most cost effective the right service for the right job that's really an important point I agree I think yeah I think security I think cost perspective was something definitely that will see enterprises investing more in and understanding and how they can leverage that right for their own benefit the admin the operator is gonna say okay I've got this on Prem I've got these three different regions I have to be that traffic coordinator to figure out who can talk to who where should this traffic go there's who should have how much quota all of that right that's the operator role that's the new roles so it's a it's an opportunity for operations people who might have spent their lives managing lawns to really transform their careers yes there's no better time to be an operator I mean you can I want to be an operator and I can't tell you how my dear sorry impacts our team like the engineering team how much they bring the focus on customer the service we are giving to our customers thinking about our services in different ways I think that actually is super important for any engineering team to have that balance okay final questions just put you on the spot real quick answer great stuff congratulations on the work you guys are doing great to follow the progress but I'm a customer I'll put my customer hat on par in ahead I can get that on Amazon Microsoft's got kubernetes why Google cloud what makes Google cloud different if kubernetes is open why should I use Google Cloud so you're right and the wonderful thing is that Google is actually all in kubernetes and we are the first public cloud that actually providing a managed kubernetes on-prem well the first cloud provider to have a GCP marketplace with a kubernetes application production-ready with our partners so if you're all in kubernetes I would say that it's obvious yeah III see most of the customers wanting to be multi cloud and to have choice and that is something that you know is very aligned with what we're look at this crowd win open source is winning great to have you on a part of hend thanks for coming on dynamic duo and kubernetes is - a lot of new services are happening we're bringing all those services here in the cube it's our content here from Google cloud Google next I'm Jennifer and David Lonnie we'll be right back stay with us for more day two coverage after this short break thank you