(upbeat music) >> Welcome back to theCUBE's live coverage of AWS re:Invent. Friends, it's good to see you. Lisa Martin here with Dave Vellante. This is our fourth day of CUBE wall-to-wall coverage, Dave. I can't believe it. And the expo hall is still going incredibly strong. >> Yeah, it is. It feels like the biggest re:Invent ever. I'm told it's almost as big as 2019. I don't know, maybe I was half asleep at 2019. That's very possible. But I'm excited because in 2017 Andy Jassy came on theCUBE and he said if Amazon had to do it all over again, if it knew then what it had now, we would've done the whole thing in containers or using Lambda, using serverless and using containers. Didn't have that opportunity back then. And I'm excited 'cause Rafay Systems is someone we've worked with a lot as an innovator in this space. >> Yep, and we're going to be talking with Rafay again. I think it's your 10th time Haseeb on the show >> Like once or twice. >> And a great customer who's going to talk about their serverless journey. Haseeb Budhani joins us once again, the CEO of Rafay. Great to see you. Rakesh Singh is here as well, the Head of Cloud and DevOps at Regeneron. Guys, it's great to have you on the program. How you feeling on day four of re:Invent? >> Excitement is as high as ever basically. >> Isn't it amazing? >> Rakesh: That's true. >> Haseeb: I just need some sleep. >> I'm with you on that. Caffeine and sleep. >> So many parties. So many meetings, oh my God. >> But the great thing is, Haseeb, that people want to engage with you. They're loving what Rafay is doing. You guys are a great testament to that, which we're going to uncover on the show. What are some of the things that you're hearing in the booth from customers? What's been some of the feedback? >> So firstly, as I said, it feels like the biggest one ever. I've been coming to re:Invent a long time and I mean, I know the numbers say it's not, but oh my God, this is a lot of people. Every time we've spoken over the last year and the point I always make to you, and we've spoken enough time about this is that enterprises are truly adopting this idea of Kubernetes containers, serverless, et cetera. And they're all trying to figure out what is the enterprise strategy for these things? They're thinking beyond technology and thinking operationalization of these technologies. And that's not the same thing. There's a toy and then there's the real thing. And that's not the same thing. And that's the gap that every enterprise customer I talked to and the booth traffic has been just amazing. I mean, but coming here I was thinking, my God, this is really expensive. And I'm thinking, wow, this is a great investment. Because we met such amazing companies who all essentially are saying exactly the same thing, which is as we go and productize and bring our high value applications to the modern infrastructure space, like Kubernetes, Lambda, et cetera, solving for the automation governance is really, really hard because, well, at one point, I guess when the economy was doing crazy well, I could keep hiring people, but I can't do that anymore either. So they're out looking for automation strategies that allow them to do more with the teams they have. And that's exactly what Rafay is here for. >> Yeah. Lisa, Adam Selipsky in his keynote, I love the, he said, "If you want to save money, the cloud is the place to do it." >> Exactly. Yep. Let's talk about Regeneron. Everyone knows it's a household word especially over the last couple of years, but talk about, Rakesh, Regeneron as a technology company that delivers life-saving pharmaceuticals. And where does cloud and Rafay fit into your strategy? >> So cloud has been a backbone of our compute strategy within Regeneron for a very long time now. The evolution from a traditional compute structure to more serverless compute has been growing at a rapid pace. And I would say like we are seeing exponential growth within the adaption of the compute within containers and Kubernetes world. So we've been on this journey for a long time and I think it's not stopping anytime soon. So we have more and more workload, which is running on Kubernetes containers and we are looking forward to our partnership with Rafay to further enhance it, as Haseeb mentioned, the efficiency is the key. We need to do more with less. Resourcing is critical and cloud is evolved from that journey that do more things in a more efficient manner. >> That was the original catalyst as we got to help our development team, be more productive. >> That's correct. >> Eliminate the heavy lifting. And then you started presumably doing some of the less heavy, but still heavy lifting and we talked off camera and then you're increasingly moving toward serverless. >> Rakesh: That's correct. >> Can you describe that journey? What that's like? >> So I think like with the whole adoption that things are taking a much faster pace. Basically we are putting more compute onto containers and the DevOps journey is increasingly getting more, more faster. >> Go ahead. 'Cause I want to understand where Rafay sits in this whole equation. I was talking about, I'm not a developer, but I was talking to developer yesterday trying to really understand the benefits of containers and serverless and I said, take me through what you have to do when you're using containers. He said, I got to build the container image then I got to deploy an EC2 instance where I got to choose and I got to allocate memory of the fence the app in a VM then I got to run the computing instance against the app. And then, oh by the way, I got to pay 'cause all that EC2 that whole time. Depending on how you approach serverless you're going to eliminate a lot of those steps. >> That is correct. So what we do is basically like in a traditional sense, the computer is sitting idle at quite a lot basically. >> But you're paying. >> And you're still paying for that. Serverless technologies allows us to use the compute as needed basis. So whenever you need it, it is available. You run your workload on that and after that it shuts down or goes to minimal state and you don't need to pay as much as your paying. >> And then where do you guys fit in that whole equation? >> Look, serverless has a paradigm. If you step back from the idea of containers versus Lambda or whatever functions. The idea should be that the list you just read out of what developers have to do. Here's what they really should do. They should write their code, they should check it in, and they never have to think about it again. That should be the case. If they want to debug their application, there should be a nice front end where they go and they interact with their application and that's it. What is Kubernetes? I don't care. That's the right answer. And we did not start this journey as an industry there because usually the initial adopters are developers who do the heavy lifting. Developers want to learn, they want to solve these problems. But then eventually the expectation is that the platform organization and an enterprise is going to own this platform for me so I can go back to doing my job, which is writing code. And that's where Rakesh's team comes in. So Rakesh team is building the standard at Regeneron. Whether you're writing a long-lasting app, which is going to run in a container or you're going to write an event-driven application, which is going to be a function, whatever. You write your app, we will give you the necessary tooling and plumbing to take care of all these things. And this is my problem. My being Rakesh. Rakesh is my customer. He has his customers. We as Rafay, A, we have to make Rakesh's system successful because we have to give them right automation to do all these things so that he can service hundred, or in his case, thousands and thousands of different individuals. But then collectively, we have to make sure that the developer experience is optimal so that truly they just write their code and EC2, they don't want to deal with this. In fact, on Monday evening, in the Kubernetes keynote by Barry Cooks, one of the things he said was that in a CIO sort of survey they did, CIO said, 80% of the time of developers is wasted on infrastructure stuff and not on innovation. We need to bring that 80% back so that a hundred percent of the work is on innovation and today it's not. >> And that's what you do. >> That's what we do. >> In your world as a developer, I only have to worry about my writing my code and what functions I'm going to call. >> That is correct. And it is important because the efficiencies of a developer need to be focused on doing the things which business is asking for. The 80% of the work like to make sure the things are secure, they're done the right way, the standards are followed, scanning part of it, that work if we can offload to a platform, for example, Rafay, saves a lot of works, a lot of work cycles from the developers perspective. >> Thank you for that. It was nice little tutorial on the benefits. >> Absolutely. So you transform the developer experience. >> That's correct. >> How does that impact Regeneron overall business? We uplevel that. Give me that view. >> So with that, like what happens, the key thing is the developers productivity increases. We are able to do more with less. And that is the key thing to our strategy that like with the increase in business demand, with the increase in lot of compute things, which we are doing, we need to do and hiring resources is getting more difficult than ever. And we need to make sure that we are leveraging platforms and tools basically to do, enable our developers to focus on key business activity rather than doing redundant things and things which we can leverage some other tooling and platform for that business. >> Is this something in terms of improving the developer experience and their productivity faster time to market? Is this accelerating? >> That's correct. >> Is this even like accelerating drug discovery in some cases? >> So COVID is like a great example for that. Like we were able to fast track our drug discovery and like we were able to turn it into an experience where we were able to discover new drugs and get it to the market in a much faster pace. That whole process was expedited using these tools and processes basically. So we are very proud of that. >> So my understanding is you're running Rafay with EKS. A lot of choices out there. Why? Why did you choose to go in that direction? >> So Regeneron has heavily invested in cloud recently, over the years basically. And then we are focusing on hybrid cloud now that we we are like, again, these multiple cloud providers of platforms which are coming in are strategies to focus on hybrid cloud and Rafay is big leader in that particular space where we felt that we need to engage or partner with Rafay to enable those capabilities, not just on AWS, but across the board. One single tool, one single process, one single knowledge base helps us achieve more efficiencies. >> Less chaos, less complexity. >> That's correct. Let's say when you're in customer conversations, which I know you've had many this week, but you probably do that all the time. Regeneron is a great use case for Rafay. It's so tangible, life sciences. We all get that, especially coming out of the pandemic. What do you say to customers are the top three differentiators of Rafay and why they should go Rafay on top of EKS? >> What's really interesting about these conversations is that, look, we have some pretty cool features in our product. Obviously we must have something interesting otherwise nobody would buy our product. And we have access management and zero trust models and cluster provisioning, all these very nice things. But it always comes down to exactly the same thing, which is every large enterprise that started a journey, independent or Rafay because they didn't know who we were, it's fine. Last year we were a young company, now we are a larger company and they all are basically building towards a roadmap which Rafay truly understands. And in my opinion, and I'm confident when I say this, we understand their life, their journey better than any other company in the market. The reason why we have the flurry of customers we have, the reason why the product has the capacity that it does is because for whatever reason, look, it's scale lock. That's for the history books. But we have complete clarity on what a pharmaceutical company or financial customers company or a high tech company the journey they will take to the cloud and automation for modern infrastructure, we get it. And what I'm selling them is the is the why, not the what. There's a lot of great answers for the what? What do we do? Rakesh doesn't care. I mean, he's trying to solve a bigger problem. He's trying to get his researchers to go faster. So then when they want to run a model, they should be able to do it right now. That's what he cares about. Then he looks for a tool to solve the business problem. And we figured out how to have that conversation and explain why Rafay helps him, essentially multiply the bandwidth that he has in his organization. And of course to that end we have some great technology/ But that's a secondary issue, the first, to me the why is more important than the what. And then we talk about how, which he has to pay us money. That's the how. But yeah, we get there too. But look, this is the important thing. Every enterprise is on exactly the same journey, Lisa. And that if you think about it from just purely economic efficiencies perspective that is not a good investment for our industry. If everybody's solving the same problem that's a waste of resources. Let's find a way to do, what is the point of the cloud? We used to all build data centers. That was not efficient. We all went to the cloud because it's more efficient to have somebody else, AWS, solve this problem for us so we can now focus on the next level problem. And then Rafay solving that problem so that he can focus on his drug discovery, not on Kubernetes. >> That's correct. It's all about efficiencies. Like doing things, learn from each other's experience and build upon it. So the things have been solved. One way you need to leverage that, reuse it. So the principles are the same. >> So then what's next? You had done an amazing job transforming the company. You're facilitating drug discovery faster than ever before. From an infrastructure perspective, what's next on your journey? >> So right now the roadmap what we have is basically talking about making sure that the workload are running more efficient, they're more secure. As we go into these expandable serverless technology, there are more challenging opportunities for us to solve. Those challenges are coming up. We need to make sure that with the new, the world we are living in, we are more securely doing stuff what we were doing previously. More efficiencies is also the key and more distributed. Like if we can leverage the power of cloud in doing more things on demand is on our roadmap. And I think that is where we are all driving. >> And when you said hybrid, you're talking about connecting to your on-prem tools and data? How about cross cloud? >> We are invested in multiple cloud platform itself and we are looking forward to leveraging a technology, which is truly cloud native and we can leverage things together on that. >> And I presume you're helping with that, obviously. >> Last question for both of you. We're making an Instagram reel. Think of this as a sizzle reel, like a 32nd elevator pitch. Question, first one goes to you, Rakesh. If you had a bumper sticker, you put it on, I don't know, say a DeLorean, I hear those are coming back. What would it say about Regeneron as a technology company that's delivering therapeutics? >> It's a tough question, but I would try my best. The bumper sticker would say, discover drug more faster, more efficient. >> Perfect. Haseeb, question about Rafay. What's the bumper sticker? If you had a billboard in on Highway 101 in Redwood City about Rafay and what it's enabling organizations enterprises across the globe to achieve, what would it say? >> I'll tell you what our customers say. So our customers call us the vCenter for Kubernetes and we all know what a vCenter is. We all know why vCenter's so amazingly successful because it takes IT engineers and gives them superpowers. You can run a data center. What is the vCenter for this new world? It us. So vCenter is obviously a trademark with our friends at VMware, so that's why I'm, but our customers truly call us the vCenter for Kubernetes. And I think that's an incredible moniker because that truly codifies our roadmap. It codifies what we are selling today. >> There's nothing more powerful and potent in the voice of the customer. Thank you both for coming on. Thank you for sharing the Regeneron story. Great to have you back on, Haseeb. You need a pin for the number of times you've been on theCUBE. >> At least a gold star. >> We'll work on that. Guys, thank you. We appreciate your time. >> Haseeb: Thank you very much. >> For our guests and for Dave Vellante, I'm Lisa Martin. You're watching theCUBE, the leader in live enterprise and emerging tech coverage. (upbeat music)

>>Hey guys. Welcome back to Detroit, Michigan. Lisa Martin and John Furrier here live with the cube at Coan Cloud Native Con North America. John, it's been a great day. This is day one of our coverage of three days of coverage. Kubernetes is growing up. Yeah, it's maturing. >>Yeah. We got three days of wall to wall coverage, all about Kubernetes. We about security, large scale, cloud native at scale. That's the big focus. This next segment's gonna be really awesome. You have a fast growing private company and a practitioner, big name, blue chip practitioner, building out next NextGen Cloud first, transforming, then building out the next level. This is classic of what we call super cloud-like, like interview. It's gonna be great. I'm looking forward >>To this anytime we can talk about Super Cloud. All right, please welcome back. One of our alumni, Bani is here, the CEO of Rafe. Great to see you Santos. Ula also joins us, the global head of Cloud SRE at Mass Mutual. Ge. Great to have you on the program. Thanks >>For having us. Thank you for having me. >>So Steve, you've been on the queue many times. You were on just recently with the momentum that that's around us today with the maturation of Kubernetes, the collaboration of the community, the recognition of the community. What are some of the things that you're excited about with on, on day one of the show? >>Wow, so many new companies. I mean, there are companies that I don't know who are here. And I, I, I live in this industry and I'm seeing companies that I don't know, which is a good thing. I mean, it means that the, the community's growing. But at the same time, I'm also seeing another thing, which is I have met more enterprise representatives at this show than other coupons. Like when we hung out at, you know, in Valencia for example, or even, you know, other places. It hasn't been this many people, which means, and this is, this is a good thing that enterprises are now taking Kubernetes seriously. It's not a toy. It's not just for developers. It's enterprises who are now investing in Kubernetes as a foundational component, right. For their applications going forward. And that to me is very, very good. >>Definitely becoming foundational. >>Yep. Well, you guys got a great traction. We had many interviews at the Cube and you got a practitioner here with you. You guys are both pioneering kind of what I call the next gen cloud. First you gotta get through gen one, which you guys done at Mass Mutual, extremely well, take us through the story of your transformation. Cause you're on the, at the front end now of that next inflection point. But take us through how you got here. You had a lot of transformation success at Mass Mutual. >>So I was actually talking about this topic few, few minutes back, right? And, and the whole cloud journey in big companies, large financial institutions, healthcare industry or, or our insurance sector. It takes generations of leadership to get, to get to that perfection level. And, and ideally the, the, the cloud for strategy starts in, and then, and then how do you, how do you standardize and optimize cloud, right? You know, that that's, that's the second gen altogether. And then operationalization of the cloud. And especially if, you know, if you're talking about Kubernetes, you know, in the traditional world, you know, almost every company is running middleware and their applications in middleware. And then containerization is a topic that come, that came in. And docker is, is you know, basically the runtime containerization. So that came in first and from Docker, you know, eventually when companies started adopting Docker, Docker Swarm is one of the technologies that they adopted. And eventually when, when, when we were taking it to a more complicated application implementations or modernization efforts, that's when Kubernetes played a key role. And, and Hasi was pointing out, you know, like you never saw so many companies working on Kubernetes. So that should tell you one story, right? How fast Kubernetes is growing and how important it is for your cloud strategy. So, >>And your success now, and what are you thinking about now? What's on your agenda now as you look forward? What's on your plate? What are you guys doing right now? >>So we are, we are past the stage of, you know, proof of concepts, proof of technologies, pilot implementations. We are actually playing it, you know, the real game now. So in the past I used the quote, you know, like, hello world to real world. So we are actually playing in the real world, not, not in the hello world anymore. Now, now this is where the real time challenges will, will pop up, right? So if you're talking about standardizing it and then optimizing the cloud and how do you put your governance structure in place? How do you make sure your regulations are met? You know, the, the, the demands that come out of regulations are met and, and how, how are you going to scale it and, and, and while scaling, however you wanna to keep up with all the governance and regulations that come with it. So we are in that stage today. >>Has Steve talked about, you talked about the great evolution of what's going on at Mass Mutual has talked a little bit about who, you mentioned one of the things that's surprising you about this Coan and Detroit is that you're seeing a lot more enterprise folks here who, who's deciding in the organization and your customer conversations, Who are the deci decision makers in terms of adoption of Kubernetes these days? Is that elevating? >>Hmm. Well this guy, >>It's usually, you know, one of the things I'm seeing here, and John and I have talked about this in the past, this idea of a platform organization and enterprises. So consistently what I'm seeing is, you know, somebody, a cto, CIO level, you know, individual is making a determin decision. I have multiple internal buss who are now modernizing applications. They're individually investing in DevOps. And this is not a good investment for my business. I'm going to centralize some of this capability so that we can all benefit together. And that team is essentially a platform organization and they're making Kubernetes a shared services platform so that everybody else can come and, and, and sort of, you know, consume it. So what that means to us is our customer is a platform organization and their customer is a developer. So we have to make two constituencies successful. Our customer who's providing a multi-tenant platform, and then their customer who's a developer, both have to be happy. If you don't solve for both, you know, constituencies, you're not gonna be >>Successful. You're targeting the builder of the infrastructure and the consumer of that infrastructure. >>Yes sir. It has to be both. Exactly. Right. Right. So, so that look, honestly, that it, it, you know, it takes iterations to figure these things out, right? But this is a consistent theme that I am seeing. In fact, what I would argue now is that every enterprise should be really stepping back and thinking about what is my platform strategy. Cuz if you don't have a platform strategy, you're gonna have a bunch of different teams who are doing different things and some will be successful and look, some will not be. And that is not good for business. >>Yeah. And, and stage, I wanna get to you, you mentioned that your transformation was what you look forward and your title, global head of cloud sre. Okay, so sre, we all know came from Google, right? Everyone wants to be like Google, but no one wants to be like Google, right? And no one is Google, Google's a unique thing. It's only one Google. But they had the dynamic and the power dynamic of one person to large scale set of servers or infrastructure. But concept is, is, is can be portable, but, but the situation isn't. So board became Kubernetes, that's inside baseball. So you're doing essentially what Google did at their scale you're doing for Mass Mutual. That's kind of what's happening. Is that kind of how I see it? And you guys are playing in there partnering. >>So I I totally agree. Google introduce, sorry, Ty engineering. And, and if you take, you know, the traditional transformation of the roles, right? In the past it was called operations and then DevOps ops came in and then SRE is is the new buzzword. And the future could be something like product engineering, right? And, and, and in this journey, you know, here is what I tell, you know, folks on my side like what worked for Google might not work for a financial company, might not work for an insurance company. So, so, so it's, it's okay to use the word sre, but but the end of the day that SRE has to be tailored down to, to your requirements and and, and the customers that you serve and the technology that you serve. Yep. >>And this is, this is why I'm coming back, this platform engineering. At the end of the day, I think SRE just translates to, you're gonna have a platform engineering team cuz you gotta enable developers to be producing more code faster, better, cheaper guardrails policy. So this, it's kind of becoming the, you serve the business, which is now the developers it used to serve the business Yep. Back in the old days. Hey, the, it serves the business. Yep. Which is a terminal, >>Which is actually true >>Now it the new, it serves the developers, which is the business. Which is the business. Because if digital transformation goes to completion, the company is the app. Yep. >>And the, you know, the, the hard line between development and operations, right? So, so that's thining down over the time, you know, like that that line might disappear. And, and, and that's where asari is fitting in. >>Yeah. And they're building platforms to scale the enablement up that what is, so what is the key challenges you guys are, are both building out together this new transformational direction? What's new and what's the same, The same is probably the business results, but what's the new dynamic involved in rolling it out and making people successful? You got the two constituents, the builders of the infrastructures and the consumers of the services on the other side. What's the new thing? >>So the new thing if, if I may go fast these, so the faster market to, you know, value, right? That we are bringing to the table. That's, that's very important. You know, business has an idea. How do you get that idea implemented in terms of technology and, and take it into real time. So that journey we have cut down, right? Technology is like Kubernetes. It makes, it makes, you know, an IT person's life so easy that, that they can, they can speed up the process in, in, in a traditional way. What used to take like an year or six months can be done in a month today or or less than that, right? So, so there's definitely the losses, speed, velocity, agility in general, and then flexibility. And then the automation that we put in, especially if you have to maintain like thousands of clusters, you know, these, these are today like, you know, it is possible to, to make that happen with a click off a button. In the past it used to take like, you know, probably, you know, a hundred, a hundred percent team and operational team to do it. And a lot of time. But, but, but that automation is happening. You know, and we can get into the technology as much as possible. But, but, you know, blueprinting and all that stuff made >>It possible. Well say that for another interview, we'll do it take time. >>But the, the end user on the other end, the consumer doesn't have the patience that they once had. Right? Right. It's, I want this in my lab now. Now, how does the culture of Mass Mutual, how is it evolv to be able to deliver the velocity that your customers are demanding? >>So if once in a while, you know, it's important to step yourself into the customer's shoes and think it from their, from their, from their perspective, business does not care how you're running your IT shop. What they care about is your stability of the product and the efficiencies of the product and, and, and how, how, how easy it is to reach out to the customers and how well we are serving the customers, right? So whether I'm implementing Docker in the background, Dr. Swam or es you know, business doesn't even care about it. What they really care about it is if your environment goes down, it's a problem. And, and, and if you, if your environment or if your solution is not as efficient as the business needs, that's the problem, right? So, so at that point, the business will step in. So our job is to make sure, you know, from an, from a technology perspective, how fast you can make implement it and how efficiently you can implement it. And at the same time, how do you play within the guardrails of security and compliance. >>So I was gonna ask you if you have VMware in your environment, cause a lot of clients compare what vCenter does for Kubernetes is really needed. And I think that's what you guys got going on. I I can say that you're the v center of Kubernetes. I mean, as a, as an as an metaphor, a place to manage it all is all 1, 1 1 paint of glass, so to speak. Is that how you see success in your environment? >>So virtualization has gone a long way, you know where we started, what we call bare metal servers, and then we virtualized operating systems. Now we are virtualizing applications and, and we are virtualizing platforms as well, right? So that's where Kubernetes basically got. >>So you see the need for a vCenter like thing for Uber, >>Definitely a need in the market in the way you need to think is like, you know, let's say there is, there is an insurance company who actually mented it and, and they gain the market advantage. Right? Now the, the the competition wants to do it as well, right? So, so, so there's definitely a virtualization of application layer that, that, that's very critical and it's, it's a critical component of cloud strategy as >>A whole. See, you're too humble to say it. I'll say you like the V center of Kubernetes, Explain what that means and your turn. If I said that to you, what would you react? How would you react to that? Would say bs or would you say on point, >>Maybe we should think about what does vCenter do today? Right? It's, it's so in my opinion, by the way, well vCenter in my opinion is one of the best platforms ever built. Like ha it's the best platform in my opinion ever built. It's, VMware did an amazing job because they took an IT engineer and they made him now be able to do storage management, networking management, VMs, multitenancy, access management audit, everything that you need to run a data center, you can do from a single, essentially single >>Platform, from a utility standpoint home >>Run. It's amazing, right? Yeah, it is because you are now able to empower people to do way more. Well why are we not doing that for Kubernetes? So the, the premise man Rafa was, well, oh, bless, I should have IT engineers, same engineers now they should be able to run fleets of clusters. That's what people that mass major are able to do now, right? So to that end, now you need cluster management, you need access management, you need blueprinting, you need policy management, you need ac, you know, all of these things that have happened before chargebacks, they used to have it in, in V center. Now they need to happen in other platforms. But for es so should do we do many of the things that vCenter does? Yes. >>Kind >>Of. Yeah. Are we a vCenter for es? Yeah, that is a John Forer question. >>All right, well, I, I'll, the speculation really goes back down to the earlier speed question. If you can take away the, the complexity and not make it more steps or change a tool chain or do something, then the devs move faster and the service layer that serves the business, the new organization has to enable speed. So this, this is becoming a, a real discussion point in the industry is that, oh yeah, we've got new tool, look at the shiny new toy. But if it doesn't move the needle, does it help productivity for developers? And does it actually scale up the enablement? That's the question. So I'm sure you guys are thinking about this a lot, what's your reaction? >>Yeah, absolutely. And one thing that just, you know, hit my mind is think about, you know, the hoteling industry before Airbnb and after Airbnb, right? Or, or, or the taxi industry, you know, before Uber and after Uber, right? So if I'm providing a platform, a Kubernetes platform for my application folks or for my application partners, they have everything ready. All they need to do is like, you know, build their application and deployed and running, right? They, they, they don't have to worry about provisioning of the servers and then building the middleware on top of it and then, you know, do a bunch of testing to make sure, you know, they, they, they iron out all the, all the compatible issues and whatnot. Yeah. Now, now, today, all I, all I say is like, hey, you have, we have a platform built for you. You just build your application and then deploy it in a development environment. That's where you put all the pieces of puzzle together, make sure you see your application working, and then the next thing that, that you do is like, you know, you know, build >>Production, chip, build production, go and chip release it. Yeah, that's the nirvana. But then we're there. I mean, we're there now we're there. So we see the future. Because if you, if that's the case, then the developers are the business. They have to be coding more features, they have to react to customers. They might see new business opportunities from a revenue standpoint that could be creatively built, got low code, no code, headless systems. These things are happening where this I call the architectural list environment where it's like, you don't need architecture, it's already happening. >>Yeah. And, and on top of it, you know, if, if someone has an idea, they want to implement an idea real quick, right? So how do you do it? Right? And, and, and you don't have to struggle building an environment to implement your idea and testers in real time, right? So, so from an innovation perspective, you know, agility plays a key role. And, and that, that's where the Kubernetes platforms or platforms like Kubernetes >>Plays. You know, Lisa, when we talked to Andy Chasy, when he was the CEO of aws, either one on one or on the cube, he always said, and this is kind of happening, companies are gonna be builders where it's not just utility. You need that table stakes to enable that new business idea. And so he, this last keynote, he did this big thing like, you know, think like your developers are the next entrepreneurial revenue generators. And I think that, I think starting to see that, what do you think about that? You see that coming sooner than later? Or is that in, in sight or is that still ways away? >>I, I think it's already happening at a level, at a certain level now. Now the question comes back to, you know, taking it to the reality, right? Yeah. I mean, you can, you can do your proof of concept, proof of technologies, and then, and then prove it out. Like, Hey, I got a new idea. This idea is great. Yeah. And, and it's to the business advantage, right? But we really want to see it in production live where your customers are actually >>Using it and the board meetings, Hey, we got a new idea that came in, generating more revenue, where'd that come from? Agile developer. Again, this is real. Yeah, >>Yeah. >>Absolutely agree. Yeah. I think, think both of you gentlemen said a word in, in your, as you were talking, you used the word guardrails, right? I think, you know, we're talking about rigidity, but you know, the really important thing is, look, these are enterprises, right? They have certain expectations. Guardrails is key, right? So it's automation with the guardrails. Yeah. Guardrails are like children, you know, you know, shouldn't be hurt. You know, they're seen but not hurt. Developers don't care about guard rails. They just wanna go fast. They also bounce >>Around a little bit. Yeah. Off the guardrails. >>One thing we know that's not gonna slow down is, is the expectations, right? Of all the consumers of this, the Ds the business, the, the business top line, and of course the customers. So the ability to, to really, as your website says, let's see, make life easy for platform teams is not trivial. And clearly what you guys are talking about here is you're, you're really an enabler of those platform teams, it sounds like to me. Yep. So, great work, guys. Thank you so much for both coming on the program, talking about what you're doing together, how you're seeing the, the evolution of Kubernetes, why, and really what the focus should be on those platform games. We appreciate all your time and your insights. >>Thank you so much for having us. Thanks >>For our pleasure. For our guests and for John Furrier, I'm Lisa Martin. You're watching The Cube Live, Cobe Con, Cloud Native con from Detroit. We've out with our next guest in just a minute, so stick around.

(bright upbeat music) >> Hey, guys. Welcome back to Detroit, Michigan. Lisa Martin and John Furrier here live with "theCUBE" at KubeCon CloudNativeCon, North America. John, it's been a great day. This is day one of our coverage of three days of coverage. Kubernetes is growing up. It's maturing. >> Yeah, we got three days of wall-to-wall coverage, all about Kubernetes. We heard about Security, Large scale, Cloud native at scale. That's the big focus. This next segment's going to be really awesome. You have a fast growing private company and a practitioner, big name, blue chip practitioner, building out next-gen cloud. First transforming, then building out the next level. This is classic, what we call Super Cloud-Like interview. It's going to be great. I'm looking forward to this. >> Anytime we can talk about Super Cloud, right? Please welcome back, one of our alumni, Haseeb Budhani is here, the CEO of Rafay. Great to see you. Santhosh Pasula, also joins us, the global head of Cloud SRE at Mass Mutual. Guys, great to have you on the program. >> Thanks for having us. >> Thank you for having me. >> So, Haseeb, you've been on "theCUBE" many times. You were on just recently, with the momentum that's around us today with the maturation of Kubernetes, the collaboration of the community, the recognition of the community. What are some of the things that you're excited about with on day one of the show? >> Wow, so many new companies. I mean, there are companies that I don't know who are here. And I live in this industry, and I'm seeing companies that I don't know, which is a good thing. It means that the community's growing. But at the same time, I'm also seeing another thing, which is, I have met more enterprise representatives at this show than other KubeCons. Like when we hung out at in Valencia, for example, or even other places, it hasn't been this many people. Which means, and this is a good thing that enterprises are now taking Kubernetes seriously. It's not a toy. It's not just for developers. It's enterprises who are now investing in Kubernetes as a foundational component for their applications going forward. And that to me is very, very good. >> Definitely, becoming foundational. >> Haseeb: Yeah. >> Well, you guys got a great traction. We had many interviews at "theCUBE," and you got a practitioner here with you guys, are both pioneering, kind of what I call the next-gen cloud. First you got to get through Gen-One, which you guys done at Mass Mutual extremely well. Take us through the story of your transformation? 'Cause you're on at the front end now of that next inflection point. But take us through how you got here? You had a lot of transformation success at Mass Mutual? >> So, I was actually talking about this topic few minutes back. And the whole cloud journey in big companies, large financial institutions, healthcare industry or insurance sector, it takes generations of leadership to get to that perfection level. And ideally, the cloud for strategy starts in, and then how do you standardize and optimize cloud, right? That's the second-gen altogether, and then operationalization of the cloud. And especially if you're talking about Kubernetes, in the traditional world, almost every company is running middleware and their applications in middleware. And their containerization is a topic that came in. And Docker is basically the runtime containerization. So, that came in first, and from Docker, eventually when companies started adopting Docker, Docker Swarm is one of the technologies that they adopted. And eventually, when we were taking it to a more complicated application implementations or modernization efforts, that's when Kubernetes played a key role. And as Haseeb was pointing out, you never saw so many companies working on Kubernetes. So, that should tell you one story, right? How fast Kubernetes is growing, and how important it is for your cloud strategy. >> And your success now, and what are you thinking about now? What's on your agenda now? As you look forward, what's on your plate? What are you guys doing right now? >> So we are past the stage of proof of concepts, proof of technologies, pilot implementations. We are actually playing it, the real game now. In the past, I used the quote, like "Hello world to real world." So, we are actually playing in the real world, not in the hello world anymore. Now, this is where the real time challenges will pop up. So, if you're talking about standardizing it, and then optimizing the cloud, and how do you put your governance structure in place? How do you make sure your regulations are met? The demands that come out of regulations are met? And how are you going to scale it? And while scaling, how are you going to keep up with all the governance and regulations that come with it? So we are in that stage today. >> Haseeb talked about, you talked about the great evolution of what's going on at Mass Mutual. Haseeb talk a little bit about who? You mentioned one of the things that's surprising you about this KubeCon in Detroit, is that you're seeing a lot more enterprise folks here? Who's deciding in the organization and your customer conversations? Who are the decision makers in terms of adoption of Kubernetes these days? Is that elevating? >> Hmm. Well, this guy. (Lisa laughing) One of the things I'm seeing here, and John and I have talked about this in the past, this idea of a platform organization and enterprises. So, consistently what I'm seeing, is somebody, a CTO, CIO level, an individual is making a decision. I have multiple internal Bus who are now modernizing applications. They're individually investing in DevOps, and this is not a good investment for my business. I'm going to centralize some of this capability so that we can all benefit together. And that team is essentially a platform organization. And they're making Kubernetes a shared services platform so that everybody else can come and sort of consume it. So, what that means to us, is our customer is a platform organization, and their customer is a developer. So we have to make two constituencies successful. Our customer who's providing a multi-tenant platform, and then their customer, who's your developer, both have to be happy. If you don't solve for both, you know, constituencies, you're not going to be successful. >> So, you're targeting the builder of the infrastructure and the consumer of that infrastructure? >> Yes, sir. It has to be both. >> On the other side? >> Exactly, right. So that look, honestly, it takes iteration to figure these things out. But this is a consistent theme that I am seeing. In fact, what I would argue now, is that every enterprise should be really stepping back and thinking about what is my platform strategy? Because if you don't have a platform strategy, you're going to have a bunch of different teams who are doing different things, and some will be successful, and look, some will not be. And that is not good for business. >> Yeah, and Santhosh, I want to get to you. You mentioned your transformations, what you look forward, and your title, Global Head of Cloud, SRE. Okay, so SRE, we all know came from Google, right? Everyone wants to be like Google, but no one wants to be like Google, right? And no one is Google. Google's a unique thing. >> Haseeb: Only one Google. >> But they had the dynamic and the power dynamic of one person to large scale set of servers or infrastructure. But concept can be portable, but the situation isn't. So, Borg became Kubernetes, that's inside baseball. So, you're doing essentially what Google did at their scale, you're doing for Mass Mutual. That's kind of what's happening, is that kind of how I see it? And you guys are playing in there partnering? >> So, I totally agree. Google introduce SRE, Site Reliability Engineering. And if you take the traditional transformation of the roles, in the past, it was called operations, and then DevOps ops came in, and then SRE is the new buzzword. And the future could be something like Product Engineering. And in this journey, here is what I tell folks on my side, like what worked for Google might not work for a financial company. It might not work for an insurance company. It's okay to use the word, SRE, but end of the day, that SRE has to be tailored down to your requirements. And the customers that you serve, and the technology that you serve. >> This is why I'm coming back, this platform engineering. At the end of the day, I think SRE just translates to, you're going to have a platform engineering team? 'Cause you got to enable developers to be producing more code faster, better, cheaper, guardrails, policies. It's kind of becoming the, these serve the business, which is now the developers. IT used to serve the business back in the old days, "Hey, the IT serves the business." >> Yup. >> Which is a term now. >> Which is actually true now. >> The new IT serves the developers, which is the business. >> Which is the business. >> Because if digital transformation goes to completion, the company is the app. >> The hard line between development and operations, so that's thinning down. Over the time, that line might disappear. And that's where SRE is fitting in. >> Yeah, and then building platform to scale the enablement up. So, what is the key challenges? You guys are both building out together this new transformational direction. What's new and what's the same? The same is probably the business results, but what's the new dynamic involved in rolling it out and making people successful? You got the two constituents, the builders of the infrastructures and the consumers of the services on the other side. What's the new thing? >> So, the new thing, if I may go first. The faster market to value that we are bringing to the table, that's very important. Business has an idea. How do you get that idea implemented in terms of technology and take it into real time? So, that journey we have cut down. Technology is like Kubernetes. It makes an IT person's life so easy that they can speed up the process. In a traditional way, what used to take like an year, or six months, can be done in a month today, or less than that. So, there's definitely speed velocity, agility in general, and then flexibility. And then the automation that we put in, especially if you have to maintain like thousands of clusters. These are today, it is possible to make that happen with a click off a button. In the past, it used to take, probably, 100-person team, and operational team to do it, and a lot of time. But that automation is happening. And we can get into the technology as much as possible, but blueprinting and all that stuff made it possible. >> We'll save that for another interview. We'll do it deep time. (panel laughing) >> But the end user on the other end, the consumer doesn't have the patience that they once had, right? It's, "I want this in my lab now." How does the culture of Mass Mutual? How is it evolve to be able to deliver the velocity that your customers are demanding? >> Once in a while, it's important to step yourself into the customer's shoes and think it from their perspective. Business does not care how you're running your IT shop. What they care about is your stability of the product and the efficiencies of the product, and how easy it is to reach out to the customers. And how well we are serving the customers, right? So, whether I'm implementing Docker in the background, Docker Swam or Kubernetes, business doesn't even care about it. What they really care about, it is, if your environment goes down, it's a problem. And if your environment or if your solution is not as efficient as the business needs, that's the problem, right? So, at that point, the business will step in. So, our job is to make sure, from a technology perspective, how fast you can make implement it? And how efficiently you can implement it? And at the same time, how do you play within the guardrails of security and compliance? >> So, I was going to ask you, if you have VMware in your environment? 'Cause a lot of clients compare what vCenter does for Kubernetes is really needed. And I think that's what you guys got going on. I can say that, you're the vCenter of Kubernetes. I mean, as as metaphor, a place to manage it all, is all one paint of glass, so to speak. Is that how you see success in your environment? >> So, virtualization has gone a long way. Where we started, what we call bare metal servers, and then we virtualized operating systems. Now, we are virtualizing applications, and we are virtualizing platforms as well, right? So that's where Kubernetes plays a role. >> So, you see the need for a vCenter like thing for Kubernetes? >> There's definitely a need in the market. The way you need to think is like, let's say there is an insurance company who actually implement it today, and they gain the market advantage. Now, the the competition wants to do it as well, right? So, there's definitely a virtualization of application layer that's very critical, and it's a critical component of cloud strategy as a whole. >> See, you're too humble to say it. I'll say, you're like the vCenter of Kubernetes. Explain what that means in your term? If I said that to you, what would you react? How would you react to that? Would you say, BS, or would you say on point? >> Maybe we should think about what does vCenter do today? So, in my opinion, by the way, vCenter in my opinion, is one of the best platforms ever built. Like it's the best platform in my opinion ever built. VMware did an amazing job, because they took an IT engineer, and they made him now be able to do storage management, networking management, VM's multitenancy, access management, audit. Everything that you need to run a data center, you can do from essentially single platform. >> John: From a utility standpoint, home-run? >> It's amazing. >> Yeah. >> Because you are now able to empower people to do way more. Well, why are we not doing that for Kubernetes? So, the premise man Rafay was, well, I should have IT engineers, same engineers. Now, they should be able to run fleets of clusters. That's what people that Mass Mutual are able to do now. So, to that end, now you need cluster management, you need access management, you need blueprinting, you need policy management. All of these things that have happened before, chargebacks, they used to have it in vCenter, now they need to happen in other platforms but for Kubernetes. So, should we do many of the things that vCenter does? Yes. >> John: Kind of, yeah. >> Are we a vCenter for Kubernetes? >> No. >> That is a John Furrier question. >> All right, well, the speculation really goes back down to the earlier speed question. If you can take away the complexity and not make it more steps, or change a tool chain, or do something, then the Devs move faster. And the service layer that serves the business, the new organization, has to enable speed. This is becoming a real discussion point in the industry, is that, "Yeah, we got new tool. Look at the shiny new toy." But if it move the needle, does it help productivity for developers? And does it actually scale up the enablement? That's the question. So, I'm sure you guys are thinking about this a lot. What's your reaction? >> Yeah, absolutely. And one thing that just hit my mind, is think about the hoteling industry before Airbnb and after Airbnb. Or the taxi industry before Uber and after Uber. So, if I'm providing a platform, a Kubernetes platform for my application folks, or for my application partners, they have everything ready. All they need to do is build their application and deploy it, and run it. They don't have to worry about provisioning of the servers, and then building the Middleware on top of it, and then, do a bunch of testing to make sure they iron out all the compatible issues and whatnot. Now, today, all I say is like, "Hey, we have a platform built for you. You just build your application, and then deploy it in a development environment, that's where you put all the pieces of puzzle together. Make sure you see your application working, and then the next thing that you do is like, do the correction. >> John: Shipping. >> Shipping. You build the production. >> John: Press. Go. Release it. (laughs) That when you move on, but they were there. I mean, we're there now. We're there. So, we need to see the future, because that's the case, then the developers are the business. They have to be coding more features, they have to react to customers. They might see new business opportunities from a revenue standpoint that could be creatively built, got low code, no code, headless systems. These things are happening where there's, I call the Architectural List Environment where it's like, you don't need architecture, it's already happening. >> Yeah, and on top of it, if someone has an idea, they want to implement an idea real quick. So, how do you do it? And you don't have to struggle building an environment to implement your idea and test it in real time. So, from an innovation perspective, agility plays a key role. And that's where the Kubernetes platforms, or platforms like Kubernetes plays. >> You know, Lisa, when we talked to Andy Jassy, when he was the CEO of AWS, either one-on-one or on "theCUBE," he always said, and this is kind of happening, "Companies are going to be builders, where it's not just utility, you need that table stakes to enable that new business idea." And so, in this last keynote, he did this big thing like, "Think like your developers are the next entrepreneurial revenue generators." I think I'm starting to see that. What do you think about that? You see that coming sooner than later? Or is that an insight, or is that still ways away? >> I think it's already happening at a level, at a certain level. Now ,the question comes back to, you know, taking it to the reality. I mean, you can do your proof of concept, proof of technologies, and then prove it out like, "Hey, I got a new idea. This idea is great." And it's to the business advantage. But we really want to see it in production live where your customers are actually using it. >> In the board meetings, "Hey, we got a new idea that came in, generating more revenue, where'd that come from?" Agile Developer. Again, this is real. >> Yeah. >> Yeah. Absolutely agree. Yeah, I think both of you gentlemen said a word as you were talking, you used the word, Guardrails. We're talking about agility, but the really important thing is, look, these are enterprises, right? They have certain expectations. Guardrails is key, right? So, it's automation with the guardrails. Guardrails are like children, you know, shouldn't be heard. They're seen but not heard. Developers don't care about guardrails, they just want to go fast. >> They also bounce around a little bit, (laughs) off the guardrails. >> Haseeb: Yeah. >> One thing we know that's not going to slow down, is the expectations, right? Of all the consumers of this, the Devs, the business, the business top line, and, of course, the customers. So, the ability to really, as your website says, let's say, "Make Life Easy for Platform Teams" is not trivial. And clearly what you guys are talking about here, is you're really an enabler of those platform teams, it sounds like to me. >> Yup. >> So, great work, guys. Thank you so much for both coming on the program, talking about what you're doing together, how you're seeing the evolution of Kubernetes, why? And really, what the focus should be on those platform teams. We appreciate all your time and your insights. >> Thank you so much for having us. >> Thanks for having us. >> Our pleasure. For our guests and for John Furrier, I'm Lisa Martin. You're watching "theCUBE" Live, KubeCon CloudNativeCon from Detroit. We'll be back with our next guest in just a minute, so stick around. (bright upbeat music)

>>We're back with Jerome West, product management security lead at for HCI at Dell Technologies Hyper-converged infrastructure. Jerome, welcome. >>Thank you, David. >>Hey, Jerome, In this series, A blueprint for trusted infrastructure, we've been digging into the different parts of the infrastructure stack, including storage, servers and networking, and now we want to cover hyperconverged infrastructure. So my first question is, what's unique about HCI that presents specific security challenges? What do we need to know? >>So what's unique about Hyperconverge infrastructure is the breadth of the security challenge. We can't simply focus on a single type of IT system, so like a server or a storage system or a virtualization piece of software. I mean, HCI is all of those things. So luckily we have excellent partners like VMware, Microsoft, and internal partners like the Dell Power Edge team, the Dell storage team, the Dell networking team, and on and on. These partnerships, in these collaborations are what make us successful from a security standpoint. So let me give you an example to illustrate. In the recent past, we're seeing growing scope and sophistication in supply chain attacks. This mean an attacker is going to attack your software supply chain upstream so that hopefully a piece of code, malicious code that wasn't identified early in the software supply chain is distributed like a large player, like a VMware or Microsoft or a Dell. So to confront this kind of sophisticated hard to defeat problem, we need short term solutions and we need long term solutions as well. >>So for the short term solution, the obvious thing to do is to patch the vulnerability. The complexity is for our HCI portfolio. We build our software on VMware, so we would have to consume a patch that VMware would produce and provide it to our customers in a timely manner. Luckily, VX Rail's engineering team has co engineered a release process with VMware that significantly shortens our development life cycle so that VMware will produce a patch and within 14 days we will integrate our own code. With the VMware release, we will have tested and validated the update and we will give an update to our customers within 14 days of that VMware release. That as a result of this kind of rapid development process, Vxl had over 40 releases of software updates last year for a longer term solution. We're partnering with VMware and others to develop a software bill of materials. We work with VMware to consume their software manifest, including their upstream vendors and their open source providers to have a comprehensive list of software components. Then we aren't caught off guard by an unforeseen vulnerability and we're more able to easily detect where the software problem lies so that we can quickly address it. So these are the kind of relationships and solutions that we can co engineer with effective collaborations with our, with our partners. >>Great, Thank you for that. That description. So if I had to define what cybersecurity resilience means to HCI or converged infrastructure, and to me my takeaway was you gotta have a short term instant patch solution and then you gotta do an integration in a very short time, you know, two weeks to then have that integration done. And then longer term you have to have a software bill of materials so that you can ensure the providence of all the components help us. Is that a right way to think about cybersecurity resilience? Do you have, you know, a additives to that definition? >>I do. I really think that site cybersecurity and resilience for hci, because like I said, it has sort of unprecedented breadth across our portfolio. It's not a single thing, it's a bit of everything. So really the strength or the secret sauce is to combine all the solutions that our partner develops while integrating them with our own layer. So let me, let me give you an example. So hci, it's a, basically taking a software abstraction of hardware functionality and implementing it into something called the virtualized layer. It's basically the virtual virtualizing hardware functionality, like say a storage controller, you could implement it in a hardware, but for hci, for example, in our VX rail portfolio, we, or our vxl product, we integrate it into a product called vsan, which is provided by our partner VMware. So that portfolio strength is still, you know, through our, through our partnerships. >>So what we do, we integrate these, these security functionality and features in into our product. So our partnership grows to our ecosystem through products like VMware, products like nsx, Verizon, Carbon Black and Bsphere. All of them integrate seamlessly with VMware. And we also leverage VMware's software, par software partnerships on top of that. So for example, VX supports multifactor authentication through bsphere integration with something called Active Directory Federation services for adfs. So there is a lot of providers that support adfs, including Microsoft Azure. So now we can support a wide array of identity providers such as Off Zero or I mentioned Azure or Active Directory through that partnership. So we can leverage all of our partners partnerships as well. So there's sort of a second layer. So being able to secure all of that, that provides a lot of options and flexibility for our customers. So basically to summarize my my answer, we consume all of the security advantages of our partners, but we also expand on that to make a product that is comprehensively secured at multiple layers from the hardware layer that's provided by Dell through Power Edge to the hyper-converged software that we build ourselves to the virtualization layer that we get through our partnerships with Microsoft and VMware. >>Great. I mean that's super helpful. You've mentioned nsx, Horizon, Carbon Black, all the, you know, the VMware component OTH zero, which the developers are gonna love. You got Azure identity, so it's really an ecosystem. So you may have actually answered my next question, but I'm gonna ask it anyway cuz you've got this software defined environment and you're managing servers and networking and storage with this software led approach, how do you ensure that the entire system is secure end to end? >>That's a really great question. So the, the answer is we do testing and validation as part of the engineering process. It's not just bolted on at the end. So when we do, for example, the xra is the market's only co engineered solution with VMware, other vendors sell VMware as a hyperconverged solution, but we actually include security as part of the co-engineering process with VMware. So it's considered when VMware builds their code and their process dovetails with ours because we have a secure development life cycle, which other products might talk about in their discussions with you that we integrate into our engineering life cycle. So because we follow the same framework, all of the, all of the codes should interoperate from a security standpoint. And so when we do our final validation testing when we do a software release, we're already halfway there in ensuring that all these features will give the customers what we promised. >>That's great. All right, let's, let's close pitch me, what would you say is the strong suit summarize the, the strengths of the Dell hyperconverged infrastructure and converged infrastructure portfolio specifically from a security perspective? Jerome? >>So I talked about how hyper hyper-converged infrastructure simplifies security management because basically you're gonna take all of these features that are abstracted in in hardware, they're now abstracted in the virtualization layer. Now you can manage them from a single point of view, whether it would be, say, you know, in for VX rail would be b be center, for example. So by abstracting all this, you make it very easy to manage security and highly flexible because now you don't have limitations around a single vendor. You have a multiple array of choices and partnerships to select. So I would say that is the, the key to making it to hci. Now, what makes Dell the market leader in HCI is not only do we have that functionality, but we also make it exceptionally useful to you because it's co engineered, it's not bolted on. So I gave the example of, I gave the example of how we, we modify our software release process with VMware to make it very responsive. >>A couple of other features that we have specific just to HCI are digitally signed LCM updates. This is an example of a feature that we have that's only exclusive to Dell that's not done through a partnership. So we digitally sign our software updates so you, the user can be sure that the, the update that they're installing into their system is an authentic and unmodified product. So we give it a Dell signature that's invalidated prior to installation. So not only do we consume the features that others develop in a seamless and fully validated way, but we also bolt on our own specific HCI security features that work with all the other partnerships and give the user an exceptional security experience. So for, for example, the benefit to the customer is you don't have to create a complicated security framework that's hard for your users to use and it's hard for your system administrators to manage. It all comes in a package. So it, it can be all managed through vCenter, for example, or, and then the specific hyper, hyper-converged functions can be managed through VxRail manager or through STDC manager. So there's very few pains of glass that the, the administrator or user ever has to worry about. It's all self contained and manageable. >>That makes a lot of sense. So you got your own infrastructure, you're applying your best practices to that, like the digital signatures, you've got your ecosystem, you're doing co-engineering with the ecosystems, delivering security in a package, minimizing the complexity at the infrastructure level. The reason Jerome, this is so important is because SecOps teams, you know, they gotta deal with cloud security, they gotta deal with multiple clouds. Now they have their shared responsibility model going across multiple, They got all this other stuff that they have to worry, they gotta secure containers and the run time and, and, and, and, and the platform and so forth. So they're being asked to do other things. If they have to worry about all the things that you just mentioned, they'll never get, you know, the, the securities is gonna get worse. So what my takeaway is, you're removing that infrastructure piece and saying, Okay guys, you now can focus on those other things that is not necessarily Dell's, you know, domain, but you, you know, you can work with other partners to, and your own teams to really nail that. Is that a fair summary? >>I think that is a fair summary because absolutely the worst thing you can do from a security perspective is provide a feature that's so unusable that the administrator disables it or other key security features. So when I work with my partners to define, to define and develop a new security feature, the thing I keep foremost in mind is, will this be something our users want to use in our administrators want to administer? Because if it's not, if it's something that's too difficult or onerous or complex, then I try to find ways to make it more user friendly and practical. And this is a challenge sometimes because we are, our products operate in highly regulated environments and sometimes they have to have certain rules and certain configurations that aren't the most user friendly or management friendly. So I, I put a lot of effort into thinking about how can we make this feature useful while still complying with all the regulations that we have to comply with. And by the way, we're very successful in a highly regulated space. We sell a lot of VxRail, for example, into the Department of Defense and banks and, and other highly regulated environments, and we're very successful >>There. Excellent. Okay, Jerome, thanks. We're gonna leave it there for now. I'd love to have you back to talk about the progress that you're making down the road. Things always, you know, advance in the tech industry and so would appreciate that. >>I would look forward to it. Thank you very much, Dave. >>You're really welcome. In a moment I'll be back to summarize the program and offer some resources that can help you on your journey to secure your enterprise infrastructure. I wanna thank our guests for their contributions and helping us understand how investments by a company like Dell can both reduce the need for dev sec up teams to worry about some of the more fundamental security issues around infrastructure and have greater confidence in the quality providence and data protection designed in to core infrastructure like servers, storage, networking, and hyper-converged systems. You know, at the end of the day, whether your workloads are in the cloud, OnPrem or at the edge, you are responsible for your own security. But vendor r and d and vendor process must play an important role in easing the burden faced by security devs and operation teams. And on behalf of the cube production content and social teams as well as Dell Technologies, we want to thank you for watching a blueprint for trusted infrastructure. Remember part one of this series as well as all the videos associated with this program, and of course, today's program are available on demand@thecube.net with additional coverage@siliconangle.com. And you can go to dell.com/security solutions dell.com/security solutions to learn more about Dell's approach to securing infrastructure. And there's tons of additional resources that can help you on your journey. This is Dave Valante for the Cube, your leader in enterprise and emerging tech coverage. We'll see you next time.

>>The cybersecurity landscape continues to be one characterized by a series of point tools designed to do a very specific job, often pretty well, but the mosaic of tooling is grown over the years causing complexity in driving up costs and increasing exposures. So the game of Whackamole continues. Moreover, the way organizations approach security is changing quite dramatically. The cloud, while offering so many advantages, has also created new complexities. The shared responsibility model redefines what the cloud provider secures, for example, the S three bucket and what the customer is responsible for eg properly configuring the bucket. You know, this is all well and good, but because virtually no organization of any size can go all in on a single cloud, that shared responsibility model now spans multiple clouds and with different protocols. Now that of course includes on-prem and edge deployments, making things even more complex. Moreover, the DevOps team is being asked to be the point of execution to implement many aspects of an organization's security strategy. >>This extends to securing the runtime, the platform, and even now containers which can end up anywhere. There's a real need for consolidation in the security industry, and that's part of the answer. We've seen this both in terms of mergers and acquisitions as well as platform plays that cover more and more ground. But the diversity of alternatives and infrastructure implementations continues to boggle the mind with more and more entry points for the attackers. This includes sophisticated supply chain attacks that make it even more difficult to understand how to secure components of a system and how secure those components actually are. The number one challenge CISOs face in today's complex world is lack of talent to address these challenges. And I'm not saying that SecOps pros are not talented, They are. There just aren't enough of them to go around and the adversary is also talented and very creative, and there are more and more of them every day. >>Now, one of the very important roles that a technology vendor can play is to take mundane infrastructure security tasks off the plates of SEC off teams. Specifically we're talking about shifting much of the heavy lifting around securing servers, storage, networking, and other infrastructure and their components onto the technology vendor via r and d and other best practices like supply chain management. And that's what we're here to talk about. Welcome to the second part in our series, A Blueprint for Trusted Infrastructure Made Possible by Dell Technologies and produced by the Cube. My name is Dave Ante and I'm your host now. Previously we looked at what trusted infrastructure means and the role that storage and data protection play in the equation. In this part two of the series, we explore the changing nature of technology infrastructure, how the industry generally in Dell specifically, are adapting to these changes and what is being done to proactively address threats that are increasingly stressing security teams. >>Now today, we continue the discussion and look more deeply into servers networking and hyper-converged infrastructure to better understand the critical aspects of how one company Dell is securing these elements so that dev sec op teams can focus on the myriad new attack vectors and challenges that they faced. First up is Deepak rang Garage Power Edge security product manager at Dell Technologies. And after that we're gonna bring on Mahesh Nagar oim, who was consultant in the networking product management area at Dell. And finally, we're close with Jerome West, who is the product management security lead for HCI hyperconverged infrastructure and converged infrastructure at Dell. Thanks for joining us today. We're thrilled to have you here and hope you enjoy the program. Deepak Arage shoes powered security product manager at Dell Technologies. Deepak, great to have you on the program. Thank you. >>Thank you for having me. >>So we're going through the infrastructure stack and in part one of this series we looked at the landscape overall and how cyber has changed and specifically how Dell thinks about data protection in, in security in a manner that both secures infrastructure and minimizes organizational friction. We also hit on the storage part of the portfolio. So now we want to dig into servers. So my first question is, what are the critical aspects of securing server infrastructure that our audience should be aware of? >>Sure. So if you look at compute in general, right, it has rapidly evolved over the past couple of years, especially with trends toward software defined data centers and with also organizations having to deal with hybrid environments where they have private clouds, public cloud locations, remote offices, and also remote workers. So on top of this, there's also an increase in the complexity of the supply chain itself, right? There are companies who are dealing with hundreds of suppliers as part of their supply chain. So all of this complexity provides a lot of opportunity for attackers because it's expanding the threat surface of what can be attacked, and attacks are becoming more frequent, more severe and more sophisticated. And this has also triggered around in the regulatory and mandates around the security needs. >>And these regulations are not just in the government sector, right? So it extends to critical infrastructure and eventually it also get into the private sector. In addition to this, organizations are also looking at their own internal compliance mandates. And this could be based on the industry in which they're operating in, or it could be their own security postures. And this is the landscape in which servers they're operating today. And given that servers are the foundational blocks of the data center, it becomes extremely important to protect them. And given how complex the modern server platforms are, it's also extremely difficult and it takes a lot of effort. And this means protecting everything from the supply chain to the manufacturing and then eventually the assuring the hardware and software integrity of the platforms and also the operations. And there are very few companies that go to the lens that Dell does in order to secure the server. We truly believe in the notion and the security mentality that, you know, security should enable our customers to go focus on their business and proactively innovate on their business and it should not be a burden to them. And we heavily invest to make that possible for our customers. >>So this is really important because the premise that I set up at the beginning of this was really that I, as of security pro, I'm not a security pro, but if I were, I wouldn't want to be doing all this infrastructure stuff because I now have all these new things I gotta deal with. I want a company like Dell who has the resources to build that security in to deal with the supply chain to ensure the providence, et cetera. So I'm glad you you, you hit on that, but so given what you just said, what does cybersecurity resilience mean from a server perspective? For example, are there specific principles that Dell adheres to that are non-negotiable? Let's say, how does Dell ensure that its customers can trust your server infrastructure? >>Yeah, like when, when it comes to security at Dell, right? It's ingrained in our product, so that's the best way to put it. And security is nonnegotiable, right? It's never an afterthought where we come up with a design and then later on figure out how to go make it secure, right? Our security development life cycle, the products are being designed to counter these threats right from the big. And in addition to that, we are also testing and evaluating these products continuously to identify vulnerabilities. We also have external third party audits which supplement this process. And in addition to this, Dell makes the commitment that we will rapidly respond to any mitigations and vulnerability, any vulnerabilities and exposures found out in the field and provide mitigations and patches for in attacking manner. So this security principle is also built into our server life cycle, right? Every phase of it. >>So we want our products to provide cutting edge capabilities when it comes to security. So as part of that, we are constantly evaluating what our security model is done. We are building on it and continuously improving it. So till a few years ago, our model was primarily based on the N framework of protect, detect and rigor. And it's still aligns really well to that framework, but over the past couple of years, we have seen how computers evolved, how the threads have evolved, and we have also seen the regulatory trends and we recognize the fact that the best security strategy for the modern world is a zero trust approach. And so now when we are building our infrastructure and tools and offerings for customers, first and foremost, they're cyber resilient, right? What we mean by that is they're capable of anticipating threats, withstanding attacks and rapidly recurring from attacks and also adapting to the adverse conditions in which they're deployed. The process of designing these capabilities and identifying these capabilities however, is done through the zero press framework. And that's very important because now we are also anticipating how our customers will end up using these capabilities at there and to enable their own zero trust IT environments and IT zero trusts deployments. We have completely adapted our security approach to make it easier for customers to work with us no matter where they are in their journey towards zero trust option. >>So thank you for that. You mentioned the, this framework, you talked about zero trust. When I think about n I think as well about layered approaches. And when I think about zero trust, I think about if you, if you don't have access to it, you're not getting access, you've gotta earn that, that access and you've got layers and then you still assume that bad guys are gonna get in. So you've gotta detect that and you've gotta response. So server infrastructure security is so fundamental. So my question is, what is Dell providing specifically to, for example, detect anomalies and breaches from unauthorized activity? How do you enable fast and easy or facile recovery from malicious incidents, >>Right? What is that is exactly right, right? Breachers are bound to happen and given how complex our current environment is, it's extremely distributed and extremely connected, right? Data and users are no longer contained with an offices where we can set up a perimeter firewall and say, Yeah, everything within that is good. We can trust everything within it. That's no longer true. The best approach to protect data and infrastructure in the current world is to use a zero trust approach, which uses the principles. Nothing is ever trusted, right? Nothing is trusted implicitly. You're constantly verifying every single user, every single device, and every single access in your system at every single level of your ID environment. And this is the principles that we use on power Edge, right? But with an increased focus on providing granular controls and checks based on the principles of these privileged access. >>So the idea is that service first and foremost need to make sure that the threats never enter and they're rejected at the point of entry, but we recognize breaches are going to occur and if they do, they need to be minimized such that the sphere of damage cost by attacker is minimized so they're not able to move from one part of the network to something else laterally or escalate their privileges and cause more damage, right? So the impact radius for instance, has to be radius. And this is done through features like automated detection capabilities and automation, automated remediation capabilities. So some examples are as part of our end to end boot resilience process, we have what they call a system lockdown, right? We can lock down the configuration of the system and lock on the form versions and all changes to the system. And we have capabilities which automatically detect any drift from that lockdown configuration and we can figure out if the drift was caused to authorized changes or unauthorized changes. >>And if it is an unauthorize change can log it, generate security alerts, and we even have capabilities to automatically roll the firm where, and always versions back to a known good version and also the configurations, right? And this becomes extremely important because as part of zero trust, we need to respond to these things at machine speed and we cannot do it at a human speed. And having these automated capabilities is a big deal when achieving that zero trust strategy. And in addition to this, we also have chassis inclusion detection where if the chassis, the box, the several box is opened up, it logs alerts, and you can figure out even later if there's an AC power cycle, you can go look at the logs to see that the box is opened up and figure out if there was a, like a known authorized access or some malicious actor opening and chain something in your system. >>Great, thank you for that lot. Lot of detail and and appreciate that. I want to go somewhere else now cuz Dell has a renowned supply chain reputation. So what about securing the, the supply chain and the server bill of materials? What does Dell specifically do to track the providence of components it uses in its systems so that when the systems arrive, a customer can be a hundred percent certain that that system hasn't been compromised, >>Right? And we've talked about how complex the modern supply chain is, right? And that's no different for service. We have hundreds of confidence on the server and a lot of these form where in order to be configured and run and this former competence could be coming from third parties suppliers. So now the complexity that we are dealing with like was the end to end approach and that's where Dell pays a lot of attention into assuring the security approach approaching and it starts all the way from sourcing competence, right? And then through the design and then even the manufacturing process where we are wetting the personnel leather factories and wetting the factories itself. And the factories also have physical controls, physical security controls built into them and even shipping, right? We have GPS tagging of packages. So all of this is built to ensure supply chain security. >>But a critical aspect of this is also making sure that the systems which are built in the factories are delivered to the customers without any changes or any tapper. And we have a feature called the secure component verification, which is capable of doing this. What the feature does this, when the system gets built in a factory, it generates an inventory of all the competence in the system and it creates a cryptographic certificate based on the signatures presented to this by the competence. And this certificate is stored separately and sent to the customers separately from the system itself. So once the customers receive the system at their end, they can run out to, it generates an inventory of the competence on the system at their end and then compare it to the golden certificate to make sure nothing was changed. And if any changes are detected, we can figure out if there's an authorized change or unauthorize change. >>Again, authorized changes could be like, you know, upgrades to the drives or memory and ized changes could be any sort of temper. So that's the supply chain aspect of it and bill of metal use is also an important aspect to galing security, right? And we provide a software bill of materials, which is basically a list of ingredients of all the software pieces in the platform. So what it allows our customers to do is quickly take a look at all the different pieces and compare it to the vulnerability database and see if any of the vulner which have been discovered out in the wild affected platform. So that's a quick way of figuring out if the platform has any known vulnerabilities and it has not been patched. >>Excellent. That's really good. My last question is, I wonder if you, you know, give us the sort of summary from your perspective, what are the key strengths of Dell server portfolio from a security standpoint? I'm really interested in, you know, the uniqueness and the strong suit that Dell brings to the table, >>Right? Yeah. We have talked enough about the complexity of the environment and how zero risk is necessary for the modern ID environment, right? And this is integral to Dell powered service. And as part of that like you know, security starts with the supply chain. We already talked about the second component verification, which is a beneath feature that Dell platforms have. And on top of it we also have a silicon place platform mode of trust. So this is a key which is programmed into the silicon on the black service during manufacturing and can never be changed after. And this immutable key is what forms the anchor for creating the chain of trust that is used to verify everything in the platform from the hardware and software integrity to the boot, all pieces of it, right? In addition to that, we also have a host of data protection features. >>Whether it is protecting data at risk in news or inflight, we have self encrypting drives which provides scalable and flexible encryption options. And this couple with external key management provides really good protection for your data address. External key management is important because you know, somebody could physically steam the server walk away, but then the keys are not stored on the server, it stood separately. So that provides your action layer of security. And we also have dual layer encryption where you can compliment the hardware encryption on the secure encrypted drives with software level encryption. Inion to this we have identity and access management features like multifactor authentication, single sign on roles, scope and time based access controls, all of which are critical to enable that granular control and checks for zero trust approach. So I would say like, you know, if you look at the Dell feature set, it's pretty comprehensive and we also have the flexibility built in to meet the needs of all customers no matter where they fall in the spectrum of, you know, risk tolerance and security sensitivity. And we also have the capabilities to meet all the regulatory requirements and compliance requirements. So in a nutshell, I would say that you know, Dell Power Service cyber resident infrastructure helps accelerate zero tested option for customers. >>Got it. So you've really thought this through all the various things that that you would do to sort of make sure that your server infrastructure is secure, not compromised, that your supply chain is secure so that your customers can focus on some of the other things that they have to worry about, which are numerous. Thanks Deepak, appreciate you coming on the cube and participating in the program. >>Thank you for having >>You're welcome. In a moment I'll be back to dig into the networking portion of the infrastructure. Stay with us for more coverage of a blueprint for trusted infrastructure and collaboration with Dell Technologies on the cube, your leader in enterprise and emerging tech coverage. We're back with a blueprint for trusted infrastructure and partnership with Dell Technologies in the cube. And we're here with Mahesh Nager, who is a consultant in the area of networking product management at Dell Technologies. Mahesh, welcome, good to see you. >>Hey, good morning Dell's, nice to meet, meet to you as well. >>Hey, so we've been digging into all the parts of the infrastructure stack and now we're gonna look at the all important networking components. Mahesh, when we think about networking in today's environment, we think about the core data center and we're connecting out to various locations including the cloud and both the near and the far edge. So the question is from Dell's perspective, what's unique and challenging about securing network infrastructure that we should know about? >>Yeah, so few years ago IT security and an enterprise was primarily putting a wrapper around data center out because it was constrained to an infrastructure owned and operated by the enterprise for the most part. So putting a rapid around it like a parameter or a firewall was a sufficient response because you could basically control the environment and data small enough control today with the distributed data, intelligent software, different systems, multi-cloud environment and asset service delivery, you know, the infrastructure for the modern era changes the way to secure the network infrastructure In today's, you know, data driven world, it operates everywhere and data has created and accessed everywhere so far from, you know, the centralized monolithic data centers of the past. The biggest challenge is how do we build the network infrastructure of the modern era that are intelligent with automation enabling maximum flexibility and business agility without any compromise on the security. We believe that in this data era, the security transformation must accompany digital transformation. >>Yeah, that's very good. You talked about a couple of things there. Data by its very nature is distributed. There is no perimeter anymore, so you can't just, as you say, put a rapper around it. I like the way you phrase that. So when you think about cyber security resilience from a networking perspective, how do you define that? In other words, what are the basic principles that you adhere to when thinking about securing network infrastructure for your customers? >>So our belief is that cybersecurity and cybersecurity resilience, they need to be holistic, they need to be integrated, scalable, one that span the entire enterprise and with a co and objective and policy implementation. So cybersecurity needs to span across all the devices and running across any application, whether the application resets on the cloud or anywhere else in the infrastructure. From a networking standpoint, what does it mean? It's again, the same principles, right? You know, in order to prevent the threat actors from accessing changing best destroy or stealing sensitive data, this definition holds good for networking as well. So if you look at it from a networking perspective, it's the ability to protect from and withstand attacks on the networking systems as we continue to evolve. This will also include the ability to adapt and recover from these attacks, which is what cyber resilience aspect is all about. So cybersecurity best practices, as you know, is continuously changing the landscape primarily because the cyber threats also continue to evolve. >>Yeah, got it. So I like that. So it's gotta be integrated, it's gotta be scalable, it's gotta be comprehensive, comprehensive and adaptable. You're saying it can't be static, >>Right? Right. So I think, you know, you had a second part of a question, you know, that says what do we, you know, what are the basic principles? You know, when you think about securing network infrastructure, when you're looking at securing the network infrastructure, it revolves around core security capability of the devices that form the network. And what are these security capabilities? These are access control, software integrity and vulnerability response. When you look at access control, it's to ensure that only the authenticated users are able to access the platform and they're able to access only the kind of the assets that they're authorized to based on their user level. Now accessing a network platform like a switch or a rotor for example, is typically used for say, configuration and management of the networking switch. So user access is based on say roles for that matter in a role based access control, whether you are a security admin or a network admin or a storage admin. >>And it's imperative that logging is enable because any of the change to the configuration is actually logged and monitored as that. Talking about software's integrity, it's the ability to ensure that the software that's running on the system has not been compromised. And, and you know, this is important because it could actually, you know, get hold of the system and you know, you could get UND desire results in terms of say validation of the images. It's, it needs to be done through say digital signature. So, so it's important that when you're talking about say, software integrity, a, you are ensuring that the platform is not compromised, you know, is not compromised and be that any upgrades, you know, that happens to the platform is happening through say validated signature. >>Okay. And now, now you've now, so there's access control, software integrity, and I think you, you've got a third element which is i I think response, but please continue. >>Yeah, so you know, the third one is about civil notability. So we follow the same process that's been followed by the rest of the products within the Dell product family. That's to report or identify, you know, any kind of a vulnerability that's being addressed by the Dell product security incident response team. So the networking portfolio is no different, you know, it follows the same process for identification for tri and for resolution of these vulnerabilities. And these are addressed either through patches or through new reasons via networking software. >>Yeah, got it. Okay. So I mean, you didn't say zero trust, but when you were talking about access control, you're really talking about access to only those assets that people are authorized to access. I know zero trust sometimes is a buzzword, but, but you I think gave it, you know, some clarity there. Software integrity, it's about assurance validation, your digital signature you mentioned and, and that there's been no compromise. And then how you respond to incidents in a standard way that can fit into a security framework. So outstanding description, thank you for that. But then the next question is, how does Dell networking fit into the construct of what we've been talking about Dell trusted infrastructure? >>Okay, so networking is the key element in the Dell trusted infrastructure. It provides the interconnect between the service and the storage world. And you know, it's part of any data center configuration for a trusted infrastructure. The network needs to have access control in place where only the authorized nels are able to make change to the network configuration and logging off any of those changes is also done through the logging capabilities. Additionally, we should also ensure that the configuration should provide network isolation between say the management network and the data traffic network because they need to be separate and distinct from each other. And furthermore, even if you look at the data traffic network and now you have things like segmentation isolated segments and via VRF or, or some micro segmentation via partners, this allows various level of security for each of those segments. So it's important you know, that, that the network infrastructure has the ability, you know, to provide all this, this services from a Dell networking security perspective, right? >>You know, there are multiple layer of defense, you know, both at the edge and in the network in this hardware and in the software and essentially, you know, a set of rules and a configuration that's designed to sort of protect the integrity, confidentiality, and accessibility of the network assets. So each network security layer, it implements policies and controls as I said, you know, including send network segmentation. We do have capabilities sources, centralized management automation and capability and scalability for that matter. Now you add all of these things, you know, with the open networking standards or software, different principles and you essentially, you know, reach to the point where you know, you're looking at zero trust network access, which is essentially sort of a building block for increased cloud adoption. If you look at say that you know the different pillars of a zero trust architecture, you know, if you look at the device aspect, you know, we do have support for security for example, we do have say trust platform in a trusted platform models tpms on certain offer products and you know, the physical security know plain, simple old one love port enable from a user trust perspective, we know it's all done via access control days via role based access control and say capability in order to provide say remote authentication or things like say sticky Mac or Mac learning limit and so on. >>If you look at say a transport and decision trust layer, these are essentially, you know, how do you access, you know, this switch, you know, is it by plain hotel net or is it like secure ssh, right? And you know, when a host communicates, you know, to the switch, we do have things like self-signed or is certificate authority based certification. And one of the important aspect is, you know, in terms of, you know, the routing protocol, the routing protocol, say for example BGP for example, we do have the capability to support MD five authentication between the b g peers so that there is no, you know, manages attack, you know, to the network where the routing table is compromised. And the other aspect is about second control plane is here, you know, you know, it's, it's typical that if you don't have a control plane here, you know, it could be flooded and you know, you know, the switch could be compromised by city denial service attacks. >>From an application test perspective, as I mentioned, you know, we do have, you know, the application specific security rules where you could actually define, you know, the specific security rules based on the specific applications, you know, that are running within the system. And I did talk about, say the digital signature and the cryptographic check that we do for authentication and for, I mean rather for the authenticity and the validation of, you know, of the image and the BS and so on and so forth. Finally, you know, the data trust, we are looking at, you know, the network separation, you know, the network separation could happen or VRF plain old wheel Ls, you know, which can bring about sales multi 10 aspects. We talk about some microsegmentation as it applies to nsx for example. The other aspect is, you know, we do have, with our own smart fabric services that's enabled in a fabric, we have a concept of c cluster security. So all of this, you know, the different pillars, they sort of make up for the zero trust infrastructure for the networking assets of an infrastructure. >>Yeah. So thank you for that. There's a, there's a lot to unpack there. You know, one of the premise, the premise really of this, this, this, this segment that we're setting up in this series is really that everything you just mentioned, or a lot of things you just mentioned used to be the responsibility of the security team. And, and the premise that we're putting forth is that because security teams are so stretched thin, you, you gotta shift the vendor community. Dell specifically is shifting a lot of those tasks to their own r and d and taking care of a lot of that. So, cuz scop teams got a lot of other stuff to, to worry about. So my question relates to things like automation, which can help and scalability, what about those topics as it relates to networking infrastructure? >>Okay, our >>Portfolio, it enables state of the automation software, you know, that enables simplifying of the design. So for example, we do have, you know, you know the fabric design center, you know, a tool that automates the design of the fabric and you know, from a deployment and you know, the management of the network infrastructure that are simplicities, you know, using like Ansible s for Sonic for example are, you know, for a better sit and tell story. You know, we do have smart fabric services that can automate the entire fabric, you know, for a storage solution or for, you know, for one of the workloads for example. Now we do help reduce the complexity by closely integrating the management of the physical and the virtual networking infrastructure. And again, you know, we have those capabilities using Sonic or Smart Traffic services. If you look at Sonic for example, right? >>It delivers automated intent based secure containerized network and it has the ability to provide some network visibility and Avan has and, and all of these things are actually valid, you know, for a modern networking infrastructure. So now if you look at Sonic, you know, it's, you know, the usage of those tools, you know, that are available, you know, within the Sonic no is not restricted, you know, just to the data center infrastructure is, it's a unified no, you know, that's well applicable beyond the data center, you know, right up to the edge. Now if you look at our north from a smart traffic OS 10 perspective, you know, as I mentioned, we do have smart traffic services which essentially, you know, simplifies the deployment day zero, I mean rather day one, day two deployment expansion plans and the lifecycle management of our conversion infrastructure and hyper and hyper conversion infrastructure solutions. And finally, in order to enable say, zero touch deployment, we do have, you know, a VP solution with our SD van capability. So these are, you know, ways by which we bring down the complexity by, you know, enhancing the automation capability using, you know, a singular loss that can expand from a data center now right to the edge. >>Great, thank you for that. Last question real quick, just pitch me, what can you summarize from your point of view, what's the strength of the Dell networking portfolio? >>Okay, so from a Dell networking portfolio, we support capabilities at multiple layers. As I mentioned, we're talking about the physical security for examples, say disabling of the unused interface. Sticky Mac and trusted platform modules are the things that to go after. And when you're talking about say secure boot for example, it delivers the authenticity and the integrity of the OS 10 images at the startup. And Secure Boot also protects the startup configuration so that, you know, the startup configuration file is not compromised. And Secure port also enables the workload of prediction, for example, that is at another aspect of software image integrity validation, you know, wherein the image is data for the digital signature, you know, prior to any upgrade process. And if you are looking at secure access control, we do have things like role based access control, SSH to the switches, control plane access control that pre do tags and say access control from multifactor authentication. >>We do have various tech ads for entry control to the network and things like CSE and PRV support, you know, from a federal perspective we do have say logging wherein, you know, any event, any auditing capabilities can be possible by say looking at the clog service, you know, which are pretty much in our transmitter from the devices overts for example, and last we talked about say network segment, you know, say network separation and you know, these, you know, separation, you know, ensures that are, that is, you know, a contained say segment, you know, for a specific purpose or for the specific zone and, you know, just can be implemented by a, a micro segmentation, you know, just a plain old wheel or using virtual route of framework VR for example. >>A lot there. I mean I think frankly, you know, my takeaway is you guys do the heavy lifting in a very complicated topic. So thank you so much for, for coming on the cube and explaining that in in quite some depth. Really appreciate it. >>Thank you indeed. >>Oh, you're very welcome. Okay, in a moment I'll be back to dig into the hyper-converged infrastructure part of the portfolio and look at how when you enter the world of software defined where you're controlling servers and storage and networks via software led system, you could be sure that your infrastructure is trusted and secure. You're watching a blueprint for trusted infrastructure made possible by Dell Technologies and collaboration with the cube, your leader in enterprise and emerging tech coverage, your own west product management security lead at for HCI at Dell Technologies hyper-converged infrastructure. Jerome, welcome. >>Thank you Dave. >>Hey Jerome, in this series of blueprint for trusted infrastructure, we've been digging into the different parts of the infrastructure stack, including storage servers and networking, and now we want to cover hyperconverged infrastructure. So my first question is, what's unique about HCI that presents specific security challenges? What do we need to know? >>So what's unique about hyper-converge infrastructure is the breadth of the security challenge. We can't simply focus on a single type of IT system. So like a server or storage system or a virtualization piece of software, software. I mean HCI is all of those things. So luckily we have excellent partners like VMware, Microsoft, and internal partners like the Dell Power Edge team, the Dell storage team, the Dell networking team, and on and on. These partnerships in these collaborations are what make us successful from a security standpoint. So let me give you an example to illustrate. In the recent past we're seeing growing scope and sophistication in supply chain attacks. This mean an attacker is going to attack your software supply chain upstream so that hopefully a piece of code, malicious code that wasn't identified early in the software supply chain is distributed like a large player, like a VMware or Microsoft or a Dell. So to confront this kind of sophisticated hard to defeat problem, we need short term solutions and we need long term solutions as well. >>So for the short term solution, the obvious thing to do is to patch the vulnerability. The complexity is for our HCI portfolio. We build our software on VMware, so we would have to consume a patch that VMware would produce and provide it to our customers in a timely manner. Luckily VX rail's engineering team has co engineered a release process with VMware that significantly shortens our development life cycle so that VMware would produce a patch and within 14 days we will integrate our own code with the VMware release we will have tested and validated the update and we will give an update to our customers within 14 days of that VMware release. That as a result of this kind of rapid development process, VHA had over 40 releases of software updates last year for a longer term solution. We're partnering with VMware and others to develop a software bill of materials. We work with VMware to consume their software manifest, including their upstream vendors and their open source providers to have a comprehensive list of software components. Then we aren't caught off guard by an unforeseen vulnerability and we're more able to easily detect where the software problem lies so that we can quickly address it. So these are the kind of relationships and solutions that we can co engineer with effective collaborations with our, with our partners. >>Great, thank you for that. That description. So if I had to define what cybersecurity resilience means to HCI or converged infrastructure, and to me my takeaway was you gotta have a short term instant patch solution and then you gotta do an integration in a very short time, you know, two weeks to then have that integration done. And then longer term you have to have a software bill of materials so that you can ensure the providence of all the components help us. Is that a right way to think about cybersecurity resilience? Do you have, you know, a additives to that definition? >>I do. I really think that's site cybersecurity and resilience for hci because like I said, it has sort of unprecedented breadth across our portfolio. It's not a single thing, it's a bit of everything. So really the strength or the secret sauce is to combine all the solutions that our partner develops while integrating them with our own layer. So let me, let me give you an example. So hci, it's a, basically taking a software abstraction of hardware functionality and implementing it into something called the virtualized layer. It's basically the virtual virtualizing hardware functionality, like say a storage controller, you could implement it in hardware, but for hci, for example, in our VX rail portfolio, we, our Vxl product, we integrated it into a product called vsan, which is provided by our partner VMware. So that portfolio of strength is still, you know, through our, through our partnerships. >>So what we do, we integrate these, these security functionality and features in into our product. So our partnership grows to our ecosystem through products like VMware, products like nsx, Horizon, Carbon Black and vSphere. All of them integrate seamlessly with VMware and we also leverage VMware's software, part software partnerships on top of that. So for example, VX supports multifactor authentication through vSphere integration with something called Active Directory Federation services for adfs. So there's a lot of providers that support adfs including Microsoft Azure. So now we can support a wide array of identity providers such as Off Zero or I mentioned Azure or Active Directory through that partnership. So we can leverage all of our partners partnerships as well. So there's sort of a second layer. So being able to secure all of that, that provides a lot of options and flexibility for our customers. So basically to summarize my my answer, we consume all of the security advantages of our partners, but we also expand on them to make a product that is comprehensively secured at multiple layers from the hardware layer that's provided by Dell through Power Edge to the hyper-converged software that we build ourselves to the virtualization layer that we get through our partnerships with Microsoft and VMware. >>Great, I mean that's super helpful. You've mentioned nsx, Horizon, Carbon Black, all the, you know, the VMware component OTH zero, which the developers are gonna love. You got Azure identity, so it's really an ecosystem. So you may have actually answered my next question, but I'm gonna ask it anyway cuz you've got this software defined environment and you're managing servers and networking and storage with this software led approach, how do you ensure that the entire system is secure end to end? >>That's a really great question. So the, the answer is we do testing and validation as part of the engineering process. It's not just bolted on at the end. So when we do, for example, VxRail is the market's only co engineered solution with VMware, other vendors sell VMware as a hyper converged solution, but we actually include security as part of the co-engineering process with VMware. So it's considered when VMware builds their code and their process dovetails with ours because we have a secure development life cycle, which other products might talk about in their discussions with you that we integrate into our engineering life cycle. So because we follow the same framework, all of the, all of the codes should interoperate from a security standpoint. And so when we do our final validation testing when we do a software release, we're already halfway there in ensuring that all these features will give the customers what we promised. >>That's great. All right, let's, let's close pitch me, what would you say is the strong suit summarize the, the strengths of the Dell hyper-converged infrastructure and converged infrastructure portfolio specifically from a security perspective? Jerome? >>So I talked about how hyper hyper-converged infrastructure simplifies security management because basically you're gonna take all of these features that are abstracted in in hardware, they're now abstracted in the virtualization layer. Now you can manage them from a single point of view, whether it would be, say, you know, in for VX rail would be b be center, for example. So by abstracting all this, you make it very easy to manage security and highly flexible because now you don't have limitations around a single vendor. You have a multiple array of choices and partnerships to select. So I would say that is the, the key to making it to hci. Now, what makes Dell the market leader in HCI is not only do we have that functionality, but we also make it exceptionally useful to you because it's co engineered, it's not bolted on. So I gave the example of spo, I gave the example of how we, we modify our software release process with VMware to make it very responsive. >>A couple of other features that we have specific just to HCI are digitally signed LCM updates. This is an example of a feature that we have that's only exclusive to Dell that's not done through a partnership. So we digitally signed our software updates so the user can be sure that the, the update that they're installing into their system is an authentic and unmodified product. So we give it a Dell signature that's invalidated prior to installation. So not only do we consume the features that others develop in a seamless and fully validated way, but we also bolt on our own a specific HCI security features that work with all the other partnerships and give the user an exceptional security experience. So for, for example, the benefit to the customer is you don't have to create a complicated security framework that's hard for your users to use and it's hard for your system administrators to manage it all comes in a package. So it, it can be all managed through vCenter, for example, or, and then the specific hyper, hyper-converged functions can be managed through VxRail manager or through STDC manager. So there's very few pains of glass that the, the administrator or user ever has to worry about. It's all self contained and manageable. >>That makes a lot of sense. So you've got your own infrastructure, you're applying your best practices to that, like the digital signatures, you've got your ecosystem, you're doing co-engineering with the ecosystems, delivering security in a package, minimizing the complexity at the infrastructure level. The reason Jerome, this is so important is because SecOps teams, you know, they gotta deal with cloud security, they gotta deal with multiple clouds. Now they have their shared responsibility model going across multiple cl. They got all this other stuff that they have to worry, they gotta secure the containers and the run time and and, and, and, and the platform and so forth. So they're being asked to do other things. If they have to worry about all the things that you just mentioned, they'll never get, you know, the, the securities is gonna get worse. So what my takeaway is, you're removing that infrastructure piece and saying, Okay guys, you now can focus on those other things that is not necessarily Dell's, you know, domain, but you, you know, you can work with other partners to and your own teams to really nail that. Is that a fair summary? >>I think that is a fair summary because absolutely the worst thing you can do from a security perspective is provide a feature that's so unusable that the administrator disables it or other key security features. So when I work with my partners to define, to define and develop a new security feature, the thing I keep foremost in mind is, will this be something our users want to use and our administrators want to administer? Because if it's not, if it's something that's too difficult or onerous or complex, then I try to find ways to make it more user friendly and practical. And this is a challenge sometimes because we are, our products operate in highly regulated environments and sometimes they have to have certain rules and certain configurations that aren't the most user friendly or management friendly. So I, I put a lot of effort into thinking about how can we make this feature useful while still complying with all the regulations that we have to comply with. And by the way, we're very successful in a highly regulated space. We sell a lot of VxRail, for example, into the Department of Defense and banks and, and other highly regulated environments and we're very successful there. >>Excellent. Okay, Jerome, thanks. We're gonna leave it there for now. I'd love to have you back to talk about the progress that you're making down the road. Things always, you know, advance in the tech industry and so would appreciate that. >>I would look forward to it. Thank you very much, Dave. >>You're really welcome. In a moment I'll be back to summarize the program and offer some resources that can help you on your journey to secure your enterprise infrastructure. I wanna thank our guests for their contributions in helping us understand how investments by a company like Dell can both reduce the need for dev sec up teams to worry about some of the more fundamental security issues around infrastructure and have greater confidence in the quality providence and data protection designed in to core infrastructure like servers, storage, networking, and hyper-converged systems. You know, at the end of the day, whether your workloads are in the cloud, on prem or at the edge, you are responsible for your own security. But vendor r and d and vendor process must play an important role in easing the burden faced by security devs and operation teams. And on behalf of the cube production content and social teams as well as Dell Technologies, we want to thank you for watching a blueprint for trusted infrastructure. Remember part one of this series as well as all the videos associated with this program and of course today's program are available on demand@thecube.net with additional coverage@siliconangle.com. And you can go to dell.com/security solutions dell.com/security solutions to learn more about Dell's approach to securing infrastructure. And there's tons of additional resources that can help you on your journey. This is Dave Valante for the Cube, your leader in enterprise and emerging tech coverage. We'll see you next time.

(upbeat music) >> We're back with Jerome West, the Product Management Security Lead for HCI at Dell Technologies Hyper-Converged Infrastructure. Jerome, welcome. >> Thank you, Dave. >> Hey, Jerome, in this series "A Blueprint for Trusted Infrastructure," we've been digging into the different parts of the infrastructure stack, including storage servers and networking, and now we want to cover hyper-converged infrastructure. So my first question is what's unique about HCI that presents specific security challenges? What do we need to know? >> So what's unique about hyper-converged infrastructure is the breadth of the security challenge. We can't simply focus on a single type of IT system, so like a server or a storage system or a virtualization piece of software. I mean, HCI is all of those things. So luckily we have excellent partners like VMware, Microsoft and internal partners, like the Dell Power Edge Team, the Dell Storage Team, the Dell Networking Team, and on and on. These partnerships and these collaborations are what make us successful from a security standpoint. So let me give you an example to illustrate. In the recent past, we're seeing growing scope and sophistication in supply chain attacks. This means an attacker is going to attack your software supply chain upstream, so that hopefully a piece of code, malicious code that wasn't identified early in the software supply chain is distributed like a large player, like a VMware or a Microsoft or a Dell. So to confront this kind of sophisticated hard to defeat problem, we need short-term solutions and we need long-term solutions as well. So for the short-term solution, the obvious thing to do is to patch the vulnerability. The complexity is for our HCI portfolio, we build our software on VMware. So we would have to consume a patch that VMware would produce and provide it to our customers in a timely manner. Luckily, VxRail's engineering team has co engineered a release process with VMware that significantly shortens our development life cycle, so that VMware will produce a patch, and within 14 days we will integrate our own code with the VMware release. We will have tested and validated the update, and we will give an update to our customers within 14 days of that VMware release. That as a result of this kind of rapid development process, VxRail had over 40 releases of software updates last year. For a longer term solution, we're partnering with VMware and others to develop a software bill of materials. We work with VMware to consume their software manifest including their upstream vendors and their open source providers to have a comprehensive list of software components. Then we aren't caught off guard by an unforeseen vulnerability, and we're more able to easily detect where the software problem lies so that we can quickly address it. So these are the kind of relationships and solutions that we can co-engineer with effective collaborations with our partners. >> Great, thank you for that description. So if I had to define what cybersecurity resilience means to HCI or converged infrastructure, to me, my takeaway was you got to have a short-term instant patch solution and then you got to do an integration in a very short time, you know, two weeks to then have that integration done. And then longer-term, you have to have a software bill of materials so that you can ensure the provenance of all the components. Help us, is that a right way to think about cybersecurity resilience? Do you have, you know, additives to that definition? >> I do. I really think that cybersecurity and resilience for HCI, because like I said it has sort of unprecedented breadth across our portfolio. It's not a single thing. It's a bit of everything. So really the strength or the secret sauce is to combine all the solutions that our partner develops while integrating them with our own layer. So let me give you an example. So HCI, it's a basically taking a software abstraction of hardware functionality and implementing it into something called the virtualized layer. It's basically the virtualizing hardware functionality, like say a storage controller. You could implement it in the hardware, but for HCI, for example, in our VxRail portfolio, our VxRail product, we integrated it into a product called vSan which is provided by our partner VMware. So that portfolio strength is still, you know, through our partnerships. So what we do, we integrate these security functionality and features into our product. So our partnership grows through our ecosystem through products like VMware products, like NSX, Horizon, Carbon Black and vSphere. All of them integrate seamlessly with VMware. And we also leverage VMware's software partnerships on top of that. So for example, VxRail supports multifactor authentication through vSphere's integration with something called Active Directory Federation Services or ADFS. So there is a lot of providers that support ADFS, including Microsoft Azure. So now we can support a wide array of identity providers such as Auth0, or I mentioned Azure or Active Directory through that partnership. So we can leverage all of our partners' partnerships as well. So there's sort of a second layer. So being able to secure all of that, that provides a lot of options and flexibility for our customers. So basically to summarize my answer, we consume all of the security advantages of our partners, but we also expand on them to make a product that is comprehensively secured at multiple layers from the hardware layer that's provided by Dell through Power Edge to the hyper-converged software that we build ourselves to the virtualization layer that we get through our partnerships with Microsoft and VMware. >> Great, I mean, that's super helpful. You've mentioned NSX, Horizon, Carbon Black, all the you know, the VMware component, Auth0, which the developers are going to love. You got Azure Identity. So it's really an ecosystem. So you may have actually answered my next question, but I'm going to ask it anyway cause you've got this software-defined environment, and you're managing servers and networking and storage with this software-led approach. How do you ensure that the entire system is secure end to end? >> That's a really great question. So the answer is we do testing and validation as part of the engineering process. It's not just bolted on at the end. So when we do, for example VxRail is the market's only co-engineered solution with VMware. Other vendors sell VMware as a hyper-converged solution, but we actually include security as part of the co-engineering process with VMware. So it's considered when VMware builds their code, and their process dovetails with ours because we have a secure development lifecycle which other products might talk about in their discussions with you, that we integrate into our engineering lifecycle. So because we follow the same framework, all of the code should inter-operate from a security standpoint. And so when we do our final validation testing, when we do a software release, we're already halfway there in ensuring that all these features will give the customers what we promised. >> That's great. All right, let's close. Pitch me. What would you say is the strong suit, summarize the the strengths of the Dell hyper-converged infrastructure and converged infrastructure portfolio, specifically from a security perspective, Jerome? >> So I talked about how hyper-converged infrastructure simplifies security management because basically you're going to take all of these features that are abstracted in hardware. They're not abstracted in the virtualization layer. Now you can manage them from a single point of view, whether it would be say, you know, for VxRail it would be vCenter, for example. So by abstracting all this, you make it very easy to manage security and highly flexible because now you don't have limitations around a single vendor. You have a multiple array of choices and partnerships to select. So I would say that is the key to making, to HCI. Now what makes Dell the market leader in HCI is not only do we have that functionality, but we also make it exceptionally useful to you because it's co-engineered. It's not bolted on. So I gave the example of SBOM. I gave the example of how we modify our software release process with VMware to make it very responsive. A couple of other features that we have specific just to HCI are digitally signed LCM updates. This is an example of a feature that we have that's only exclusive to Dell. It's not done through a partnership. So we digitally sign our software updates. So the user can be sure that the update that they're installing into their system is an authentic and unmodified product. So we give it a Dell signature that's invalidated prior to installation. So not only do we consume the features that others develop in a seamless and fully validated way, but we also bolt on our own specific HCI security features that work with all the other partnerships and give the user an exceptional security experience. So for example, the benefit to the customer is you don't have to create a complicated security framework. That's hard for your users to use, and it's hard for your system administrators to manage. It all comes in a package, so it can be all managed through vCenter, for example. And then the specific hyper-converged functions can be managed through VxRail manager or through STDC manager. So there's very few panes of glass that the administrator or user ever has to worry about. It's all self-contained and manageable. >> That makes a lot of sense. So you've got your own infrastructure. You're applying your best practices to that like the digital signatures. You've got your ecosystem. You're doing co-engineering with the ecosystems, delivering security in a package, minimizing the complexity at the infrastructure level. The reason, Jerome, this is so important is because SecOps teams, you know, they got to deal with Cloud security. They got to deal with multiple Clouds. Now they have their shared responsibility model going across multiple. They got all this other stuff that they have to worry. They got to secure the containers and the run time and the platform and so forth. So they're being asked to do other things. If they have to worry about all the things that you just mentioned, they'll never get, you know, the security is just going to get worse. So my takeaway is you're removing that infrastructure piece and saying, okay, guys, you now can focus on those other things that is not necessarily Dell's, you know, domain, but you, you know, you can work with other partners and your own teams to really nail that. Is that a fair summary? >> I think that is a fair summary because absolutely the worst thing you can do from a security perspective is provide a feature that's so unusable that the administrator disables it or other key security features. So when I work with my partners to define and develop a new security feature, the thing I keep foremost in mind is will this be something our users want to use and our administrators want to administer? Because if it's not, if it's something that's too difficult or onerous or complex, then I try to find ways to make it more user-friendly and practical. And this is a challenge sometimes because our products operate in highly regulated environments, and sometimes they have to have certain rules and certain configurations that aren't the most user friendly or management friendly. So I put a lot of effort into thinking about how can we make this feature useful while still complying with all the regulations that we have to comply with. And by the way, we're very successful in a highly regulated space. We sell a lot of VxRail, for example, into the Department of Defense and banks and other highly regulated environments. And we're very successful there. >> Excellent, okay, Jerome, thanks. We're going to leave it there for now. I'd love to have you back to talk about the progress that you're making down the road. Things always, you know, advance in the tech industry, and so would appreciate that >> I would look forward to it. Thank you very much, Dave. >> You're really welcome. In a moment, I'll be back to summarize the program and offer some resources that can help you on your journey to secure your enterprise infrastructure. (upbeat music)

>>Welcome back everyone to Supercloud 22. This is the Cube's live presentation streaming out virtually our inaugural event, kind of a pilot I'm John Furo of the cube with Dave ante. Got a great panel here to discuss the enablers and blockers question mark for superclouds. We got, we got kit Culbert, CTO of VMware basketball, Gor CEO platform nine, and has Pani who is the CEO of RA systems. We got a mix of the big leader, VMware and the upstart companies growing into the same space, all cloud native friends of the cube. Great to see you guys. Thanks for coming on. Thank >>You. >>Start. All right. So there's no debate cloud native is booming. We see that clearly Kubernetes became a unifying force. It's an ops layer kind of almost like a kind of a midline between dev and ops DevSecOps is happening at scale. What are the blockers and what are the enablers for super cloud? What do we need? Let's see what do get your take? >>Sure. So UN I spoke about this a little bit in, at New York summit, the big trend I'm seeing, and it's, it's a blocker that's being sort of taken care of by enterprises, which is, you know, until very recently, Kubernetes was effectively a project that NA would take on. They'd try things out, they'd go to the cloud, they'd spin things up. And then the next team would come and they'd do the same things. And there was no consistency. There was no ization, it's a mess, right? It's all over the place. Some things are moving fast. Some things are not going fast and this is not how enterprises do business, right? That's not how things work. Traditionally enterprises have had it organizations that create standards, right? So those it organizations now kind of are starting to think like a platform organization. So centrally come up with the right framework for all application teams to consume infrastructure, modern infrastructure. So I'm not using the word Kubernetes here because Kubernetes is an enabler. We are a Kubernetes company, obviously, but it's about modern applications, modern infrastructure. So stepping back and thinking about it as to how an enterprise will do this across the board is the right answer. And I'm seeing this happen in a pretty significant way across all the large enterprises I talked to. >>That's why you've had a great career. And we talked before you came on Opia you did a turnaround there, we, you even go back to the old days of the web web 1.0 and early software. You've seen the movie before. >>Yes. >>You know, complexity is not solved way more complexity. This is kind of the old enterprise way. And they don't want that. They've seen the benefits of self-service. They see architecture and standards as being an enabler. Where are we in here in the market? Is, are we positioned in your opinion for customers to get the value of a super cloud? >>Absolutely. So if you think about, first of all, I think the topic of cloud native developers and app developers picking containers and Kubernetes, that's a done deal, right? That has already happened. So every cloud native developer is already using these tools. Now, I think as has been discussed today in you, in the earlier sessions, is, are the operations and infrastructure catching up or they're lagging behind, right? As more and more developers are using multi-cloud technologies, enterprises are creating a choice, I think operations and what we also strongly believe that's actually part of the name of our company is, is a platform. The platform of which a company uses to transform itself to be cloud native is the big opportunity. I don't think it's a blocker, but it's a huge opportunity. And I think this is where, you know, as you can't stop developers from developing on different clouds, private, public, multi edge, that's gonna happen. Innovation is gonna continue. But then how does the infrastructure in the platform make it seamless? Right? And almost treat all these different clouds as a single pan super cloud platform. That's I think is the >>Opportunity. So we in a platform more than with other companies, or is there one unified platform called cloud native? We know customers been buying tools from security they're they got so many tools in, in their tools shed, so to speak. What is that platform? I mean, is it more unique, fragmentation? Is it unified? >>I mean, if you think about it, a couple of it's a combination of tools that are stitched together to reach a purpose, right? So if you think about, you know, APIs continued APIs that's been discussed earlier today, I think that's, that should be standardized. The other thing is always on monitoring because I think that's a very key aspect. Once you build it, then as the enterprises are using it, the always on monitoring becomes. So I think it's a combination of capabilities that are stitched together to enable the acceleration for companies to become cloud native. >>I, I have a thought on a blocker. None of you guys are gonna like it. Oh, maybe you can come. Maybe some of you guys probably won't but comment, but maybe John will. I think AWS is a blocker to Supercloud cuz they, they don't want those cross cloud service. It's like they, they, for years they wouldn't even say multicloud. The first time I heard it was in Boston three weeks ago, I actually heard it. So Hey, you see, >>You know, I'm gonna disagree with that. Okay. >>But, but okay, go ahead. All >>So we'll get their reaction. So my, we just heard from the last panel that the security should be leading the consortium. Yeah. Because they're, they're not the enemy they're actually, >>Maybe they should be >>Well back in the old web days, when standards were driving things, you had a common enemy, proprietary NASAs, proprietary networking stack. So the evil empire was at and T that's owned Unix. If you remember, they copyright that. >>So you think they're greasing the skids for, >>I think Supercloud, I think the hyperscalers could cuz they're driving the CapEx, they're providing the value. So in my opinion, Amazon and Azure, whoever does the right thing first can win every, maybe >>This is how Google could catch up >>It. It could be a, it could be a Slingshot move. It could, you know, boomerang, someone to the front of the line or extend. Amazon's already huge lead. So if I'm AWS, if I'm Adam Slosky and I'm talking to Andy Jassy, he says, how am I gonna differentiate myself? I'd say, I'm gonna come in and own multicloud. I'm gonna own Supercloud we are the Supercloud and you work with AWS's primitives in a way that makes services work. I would go for that. I'd be like, okay, show me more. What do you >>Think? I, I, I don't think think any one company is going to be a super cloud because I think yes, there is going to be a lot of workloads on public clouds, but there's a huge amount of workloads at the enterprise at the edge at the store. I think those will continue for various reasons, whether it's data, sovereignty regulations. So I think it's going to be a combination. Everybody's not gonna go to one, you know, cloud, it's going to be an amalgamation. >>Okay. But I I've argued that snowflake is a form of a super data cloud and a very specific use case, you know, Aviatrix is trying to be a network, you know, layer and you know, sneak in a security, let me on and on, on a lot of small you get, you get super cloud stove pipes, but, but nonetheless you're, you're still abstracting. I mean, we've this industry attractions, right? >>Well this, this concept I completely agree with, right? This idea that, so, so one of the, my is that right now enterprises buy 500 different technologies and they have to become PhDs in 500 different things. It's just never gonna happen skills issue, which is no way. Right. So what's gonna happen is all of these providers are gonna essentially become managed service providers. Cloud is in manifestation of that. Snowflake is a ation data breaks is a manifestation of that. Right? So in our general industry, there's gonna be a handful of platforms. Right. And they're gonna work across these clouds. Amazon may have one too. Right? Look, they, they, they, for the longest time sort of ignored OnPrem, but now they have something called SSA, which runs on Preem. Right. Why, why would they bother? Because, well, obviously there's a lot of money to be made in a data center as well. >>So I, my sense is they get it completely understand and appreciate that there's other things outside of Amazon. But in terms of what Bosco was talking about, my sense is, you know, these multiple platforms will come about. And to the point we were making earlier about standardization and I, I mean, is it gonna be one company or is it gonna be standards that everybody will else will adopt? There's a topic that the three of us have talked about before, which is this vCenter for Kubernetes. Right. And all due respect to kit. Right. My sense is that there there's gonna be multiple companies that are gonna start working towards a vCenter for Kubernetes. And it is right. I mean, that's how I've, I mean, I've been thinking about this before and a half years, including >>VMware. >>Yeah. And you know, and we, we should compare notes. Right. But what's gonna happen is there was a, there was a distinct advantage VMware had back in the day because ESX was their product. Right. And that was a standard right now. What's the ESX in the new it's sort of Kubernetes, right. I mean, it's on bare metal for the most part or whatever VMs. So that's a standard, that's got standardized APIs, the things around it are standardized APIs. So what is the unfair advantage that one company has other than execution? >>Nothing. Well also composability if you over rotate on Kubernetes, for example, and not take advantage of say C two, for instance. Totally, >>Totally. >>It's a mix and match. >>Yeah. But I think, I think if you get too focused on Kubernetes, it's a means to an end. Yeah. But at the end of the day, it it's a mean to end end. And I think all these tools, there's a lot of standardization happening that's gonna happen. Right. And no one vendor is gonna control that. Right. It's it's going to be, it's gonna continue. I think how you bring these together and orchestrate right. And manage the service. Because I think that if you think about the lack of skills to keep up with the operations and platforms is one of the largest inhibitors right now for enterprises to move as fast as they want to become cloud native. >>And you have the shiny new toy problem kit where people just go and grab it. You know, Keith Townsend has a, as a quote, he says, look, we essentially move at the speed of the CIO or else we're going too fast or too slow. So, so the, to, to the point about the new toy now I've got new skills. >>Yep. Well, so this has been a really good discussion. And I think so there's a couple of things, right. Going back to the, the paper that we wrote, right. How we have these different sort of layers of multi-cloud services or, or categories of multi-cloud services. And it's exactly to capture some of the ex different examples you just mentioned. And yeah, the challenge is that each of them by themselves are a little bit of an island today. Like you don't have that extra level of integration. And so what the platform teams typically do is try to add that extra glue to make the experience more seamless for the, the, the, you know, developers at that company. And so like, you know, for instance, things like identity. So the nice thing about going to a single public cloud is that there's one, usually one identity system for everything. And that's great. All the different services roles are, you know, are back all that. Stuff's all centralized, but you don't have that when you're going across many different multicloud services. So what does that look like? So I think there's some of these different crosscutting concerns that we need to look at how we standardize on as an industry. And that's, again, one of the things >>You felt that part. And I think, I think also the other key thing is yes, you can always say I'll put everything in one world, world garden and I'm done. Yeah. Okay. But that's not the reality because at some point you need, the flexibility and cost comes into play and flexibility to move comes into play. And I think that is a key factor. Yep. Right. >>Yeah. And so like, so then the question is, what degrees of freedom do you give yourself there? And I think that's the architectural question is how you, how do you design it? What sort of abstractions do you leverage? And I think that goes back to some of our discussion before, which is, do you directly go on top of a native cloud service or do you use a multi-cloud service? >>But I think it's a combination of, I don't think it's either or no, it's not, it's not an either or you have to have the ability to choose a public cloud or do it private. Yeah. At the same time you don't change. It's like a common dictionary, right. You're not gonna change every time the accent changes, you know? So that's, >>So here's a question for you guys. So what has to happen for super clouds, be existing assume that AWS and Azure and Google, aren't gonna sit still assume that maybe they normalize into some sort of swim lane or position that they have to rationalize. What, assuming they're not gonna sit still, what has to happen for super clouds to, to actually work >>Well? Well, I think, you know, really quick going back to the platform team point, I would say that the platform teams at various companies, and we got one at VMware two, they're creating a rudimentary form of a super cloud. Right. Cause they, you know, absolutely like if, if they are supporting multiple clouds, like all the things they're stitching together and all that work, that is a super cloud. The problem is that there's not really a standard approach or architecture or reusable things to enable that. I think that's really what's missing. >>Yeah. But I think the key here is standard us reusable. Because for example, we have customers who are in doesn't matter where they are, some of their loads are in public cloud. Some are in private, some are at the edge, but they're still using the same platform. Yeah. Right. So it is a standard open source based technology. So it is standard. There's no lock in for them from an infrastructure point of view. Yep. And it gives them the flexibility because certain apps, you wanna put it on the public cloud, certain apps, you do not, you need the, I mean, for example, some of the AI, I think earlier discussion that was going on about chips and AI and ML workloads. I mean, think about moving all of that to a public cloud, to, and I think a lot of machine learning and AI applications are going to happen where the data is getting created at the edge. Yeah. At the edge >>Public cloud. It's not gonna happen cloud. It's gonna be real time in, >>It's gonna the end time. And so therefore you have to decide based on your workload, what are you gonna move all the way to a public cloud? And what are you need to do to make business decisions at this spot where the data is created? >>That's a huge disruptor potentially to Supercloud. This is a whole new architecture that emerges at the edge with a whole new set of economics. I >>Think the edge is gonna be like massively disruptive. >>I think it's gonna think about, if you think about the edge, go beyond just the classic definition of edge. Think about branches in stores, retail stores. Yeah. Right. I mean, you cannot shut down retail store because you lost connectivity to the network or something you still have to serve your company >>Edge is a disruptive enabler. I think it's gonna change potentially change the position of the players in the business. Whoever embraces the edge. >>Yeah. Maybe going back to the question that you had asked before, which is what is, what is a framework for a super cloud? So you said something that is important, which is your team's burning one. Yeah. I met that team. Actually. They seem to be very sharp guys. >>They're they're mine. They're my are great. They're awesome. >>We got a deal going on here. Yeah. >>I tried. We have >>It. >>So this is the interesting part, right? So I will pause it that the super cloud of the future will be a company that owns zero servers and no network. >>Okay. >>That's gonna happen. Okay. So I just kind of it's >>Full point you >>Made before I made that point just about the public cloud, just so Mr. >>Yeah, yeah, yeah, yeah. No, that really interesting. Not >>We that, so I've thought about this a long time that in my opinion, and I've, I'm, I'm sure I've said this to you, John, that, you know, the one company that I've always believed has the best shot at doing this well is actually VMware because that's the one company that's, you know, that there's, there's no, you know, infrastructure back haul. Right. You know, that you're carrying, but, but in terms of thinking and getting there, you know, being, being a company that can do it is not the same as being the company who has done it. That's a, there's a distance, but >>I have to defend that now because hyperscalers are not gonna be able to super cloud. They're not now it's hype. See, agreed, great point. Public clouds will be part of the super cloud. Yeah, totally. But they will not, the hyperscalers are not building super clouds. Totally. They're blocking it. Right. Yeah. >>They're enabling it. >>We agree on >>No, they're enabling >>Because it's, it's not in there to their advantage. Right. Look, the, the snowflake example you gave is the pivotal example in this conversation. Yep. Right. Why does snowflake exist at all when Redshift exists and all these other things exist because they provide value that is beyond a single clouds purview. Right. And at that point, just step back from our platforms and what we sell. Forget about that for a minute. Right. It's it's about, look, I think, I think this, we are, this market is early, we're out early, right. 10 years from now, what will a company look like? That actually solves a superly problem they're gonna solve for yeah. Kubernetes, whatever. Right. But they're gonna solve for truly modern applications. >>Yeah. They're gonna refactor application that has new economics new value, right. >>At that point, this idea of edge and cloud, forget about it. Right. This is all distribution issues, right. It doesn't really matter. Is it retail or not? Yeah, absolutely. These are places, but, but the way, the right way to think about this is not about edge versus cloud, right? This is about an app. Sometimes it needs to run in one location and it's good enough. Sometimes it needs to run in 10,000 locations and, and it's a distribution issue. I've always believed there's this idea of edge versus cloud. This is BS, right? Because it, it is a cloud over a different size. Sure. But, but I'm making a slightly different point. Sure. Which is, it's a distribution problem. Right. If you step back and think about distribution, my app could run in Azure or AWS or in a retail store, in a branch or whatever. Right. >>And once that is done, the question is, how am I in, in making all this happen? There was a point made in the prior conversation, in the, in the session about a database kind of popping up in the place where I needed to run. Okay. Nobody does that today, by the way. Right. At least truly well right about that, sir, that will come. Right? Yeah. But when that comes, my application is a conglomerate of compute data. I don't know a, a service bus and network and all these things and they will all kind of pop together. That company does not exist >>Today. Well, we'll, we will be documenting which we have more time. We're gonna document it. We have to unfortunately stop this panel because it's awesome. We can go for another hour. Sure. Let's bring you guys back, but that's it. The super cloud of the future will look like something and we're gonna debate it. And speaking of snowflake, we have the co-founder here next to sit down with us to talk about what he thinks about this super cloud. He, he probably heard the comment, come back more coverage. This break with the co-founder of snowflake after the short break. >>Do thank you.

>>Hey guys. Good morning. And welcome back to the cube. Lisa Martin here with John furrier. This is the Cube's third day of Wal Dal coverage of VMware Explorer. We're very pleased to welcome one of our alumni back to the program. Chris Wolf joins us chief research and innovation officer at VMware. Chris, welcome back to the >>Cube. Yeah. Thanks Lisa. It's always a pleasure. >>This has been a great event. We, we, the key note was standing room only on Tuesday morning. We've had great conversations with VMware's ecosystem and VMware of course, what are some of the, the hot things going on from an R and D perspective? >>Yeah, there's, there's a lot. I mean, we're, we have about four or five different priorities. And these look at this is looking at sovereign clouds and multi-cloud edge computing, modern applications and data services. We're doing quite a bit of work in machine learning as well as insecurity. So we're, we're relatively large organization, but at the same time, we really look to pick our bets. So when we're doing something in ML or security, then we wanna make sure that it's high quality and it's differentiated and adds value for VMware, our partners and our customers. >>Where are our customers in the mix in terms of being influential in the roadmap? >>Very, very much in the mix. What we, what we like to do is in early stage R and D, we want to have five to 10 customers as design partners. And that really helps. And in addition to that, as we get closer to go to market, we look to a lineup between one and three of our SI partners as well, to really help us, you know, in a large company, sometimes your organic innovations can get lost in the shuffle. Yeah. And when we have passionate SI that are like, yes, we want to take this forward with you together. That's just awesome. And it also helps us to understand at a very early stage, what are the integration requirements? So we're not just thinking about the, the core product itself, but how would it play in the ecosystem equally important? >>We had hit Culbert on CTO, great work. He's dealing with the white paper and cross cloud, obviously vSphere, big release, lot of this stuff. Dave ante had mentioned that in the analyst session, you had a lot of good stuff you were talking about. That's coming around the corner. That's shipping coming outta the oven and a big theme this year is multi-cloud cloud native. The relationship what's one's ahead. Bleed dog. No one, you kinda get a feel for multi-cloud. It's kind of out front right now, but now cloud native's got the most history what's coming out of the oven right now in terms of hitting the market. That's not yet in this, in the, in the, in the numbers, in terms of sales, like there's, there's some key cloud native stuff coming out. Where's the action. Can you share what you've shared at the analyst meeting? >>Yeah. So at the analyst meeting, what I was going through was a number of our new innovation projects or projects. And, and these are things that are typically close to being product or service at VMware, you know, somewhere in the year out timeframe. Some, some of these are just a few months out. So let me just go through some of them, I'll start with project keek. So keek is super exciting because when you think about edge, what we're hearing from customers is the, the notion of a single platform, a single piece of hardware that can run their cloud services, their containers, their VMs, their network, and security functions. Doing all of this on one platform, gives them the flexibility that as changes happen, it's a software update. They don't have to buy another piece of hardware, but if we step back, what's the management experience you want, right? >>Simple get ops oriented, simple life cycle and configuration management, very low touch. I don't need technical skills to deploy these types of devices. So this is where keek comes in. So what keek is doing is exposing a Kubernetes API above the ESXi hypervisor and taking a complete, get op style of management. So imagine now, when you need to do an update for infrastructure, you're logging into GitHub, you're editing a YAML file and pushing the update. We're doing the same thing for the applications that reside. I can do all of this through GitHub. So this is very, I would say, even internally disruptive to VMware, but super exciting for our customers and partners that we've shared this with. >>What else is happening? What else on the cloud native side Tansu Monterey those lot areas. >>Oh, there's so much. So if we look at project Monterey, I had a presentation within Invidia yesterday. We're really talking through this. And what I'm seeing now is there's a couple of really interesting inflection points with DPU. The first thing is the performance that you're getting and the number of cores that you can save on an X 86 host is actually providing a very strong business case now to bring DPU into the servers, into the data center. So that's one. So now you have a positive ROI. Number two, you start to decouple core services now from the X 86 host itself. So think about a distributed firewall that I can run on a PCI adapter. Now that's DEC coupled, physically from the server, and it really allows me to scale out east west security in a way that I could not do before. So again, I think that's really exciting and that's where we're seeing a lot of buzz from customers. >>So that DPU, which got a lot of buzz, by the way, Lisa, I never, you had trouble interviews on this. I had to the Dell folks too, V X RS taking the advantage of it, the performances, I see the performance angle on that and deep user hot. Can you talk about that security east west thing? Cuz Tom Gillis was on yesterday talking about that's a killer advantage for the security side. Can you touch on that real >>Quick? Yeah. A hundred percent. So what I can now do is take a, a firewall and run it isolated from the X 86 host that it's trying to protect. So it's right next to the host. I can get line rate speeds in terms of analytics and processing of my network and security traffic. So that's also huge. So I'm running line rate on the host and I'm able to run one of these firewall instances on every host in my data center, you cannot do that. You can never afford it with physical appliances. So to me, this is an inflection point because this is the start of network and security functions moving off of hardware appliances and onto DPU. And if you're the ecosystem vendors, this is how they're going to be able to scale some of their services and offerings into the public >>Cloud. So a lot of good stuff happening within the VMware kind of the hardware, low level atoms and the bits as well as the software. The other thing I wanna get your thoughts on relative to the next question is that takes to the next level is the super cloud world we're living in is about cloud native developers, which is DevOps dev security ops and data ops are now big parts of the, the challenges that the people are reigning in the chaos that that's being reigned in. How does VMware look at the relationship to the cloud providers? Cause we heard cloud universal. We had the cloud. If you believe in multi-cloud, which you guys are saying, people are agreeing with, then you gotta have good tight couple coupled relationships with the cloud services, >>A hundred percent. >>We can be decoupled, but highly cohesive, but you gotta connect in via APIs. What's the vision for the VMware customers who want to connect say AWS, for instance, is that seamless? What makes that happen? What's that roadmap look like for taking that VMware on premises hybrid and making it like turbo charging it to be like public cloud hybrid together? >>Yeah, I think there's some lessons that can be learned here. You know, an analogy I've been using lately is look at the early days of virtualization when VMware had vCenter, right? What was happening was you saw the enterprise management vendors try to do this overlay above virtualization management and say, we can manage all hypervisors. And at the end of the day, these multi hypervisor managers, no one bought 'em because they can do 20% of the functionality of a tool from VMware or Microsoft. And that's the lesson that we have to take to multi-cloud. We don't have to overlay every functionality. There's really good capabilities that the cloud providers are offering through their own tooling and APIs. Right? But you, you, if you step back, you say, well, what do I wanna centralize? I wanna have a centralized, secure software supply chain and I can get that through VMware tan zoo and, and where we're going with Kubernetes. When you're going with native cloud services, you might say, you know what, I wanna have a central view of, of visibility for compliance. So that's what we're doing with secure state or a central view of cost management. And we're doing that with cloud health. So you can have some brokering and governance, but then you also have to look from a surgical perspective as to what are the things that I really need to centralize versus what do I not need to centralize? >>One of the themes that we heard on the keynote on Tuesday was the, the different phases and that a lot of customers are still in the cloud chaos phase. We talked a lot about that in the last couple days with VMware, with its partner ecosystem. And, but the goal of getting to cloud smart, how does the R and D organization, how do, how are you helping customers really navigate that journey from the chaos that they're in, maybe they've inherited multi-cloud environment to getting to cloud smart. And what does cloud smart mean from your perspective >>Cloud? Smartt from my perspective means pragmatism. It means really thinking about what should I do here first, right? I don't want to just go somewhere because I can, right. I want to be really mindful of the steps I'm going to take. So one ex one example of this is I've met with a customer this morning and we were talking about using our vRealize network insight tool, because what that allows 'em to do is get a map of all of their application dependencies in their data center. And they can learn like, well, I can move this to the cloud or maybe I can't move this cuz it has all these other dependencies and it would be really difficult. So that's that's one example. It also means really thinking through issues around data sovereignty, you know, what do I wanna hold onto a customer? I just met with yesterday. They were talking about how valuable their data is and their services that they want to use via SA in the cloud. But then there's also services, which is their core research. They wanna make sure that they can maintain that in their data centers and maintain full control because they see researchers will leave. And now all of a sudden, so that intellectual property has actually gone with the person and they need to, they need to have, you know, better accountability there. >>Yeah. One of the things about that we discovered at our super cloud event was is that, you know, we kind didn't really kind of put too much structure on other than our, our vision. It's, it's not just SaaS on cloud and it's not just, multi-cloud, it's a new kind of application end state or reality that if you believe in digital transformation, then technology is everywhere. And like it in the old days, it powered the back office and then terminals and PCs and whatnot, wasn't powering the boardroom obviously or other business. But if, if it happens like that digital transformation, the company is the app, the app is the company. So you're all digital. So that means the operating expenses has to drive an income statement and the CapEx handled by the cloud provides a lot of goodness. So I think everyone's gonna realize that AWS and the hyperscalers are providing great CapEx gifts. They do all the work and you only pay when you've made your success. So that's a great business model. >>Absolutely >>That's and then combine that with open source, which is now growing so fast, going next level, the software industry's open source. That's not even a debate Mo in some circles, maybe like telco, cloud's got the CapEx. The new operating model is this cloud layer. That's going to transform the companies finally in a hundred percent. Okay. That's super cloud. If that's the case, does it really matter who provides the electricity or the power? It's the coders that are in charge. It's the developers that have to make the calls because if the application is the core, the developers are, are not only the front lines, they are the company. This is really kind of where the sea change is. So if, if we believe that, I'm sure you, you agree with that generally? >>Yeah, of >>Course. Okay. So then what's the VMware customer roadmap here. So to me, that's the big story here at the show is that we're at this point in time where the VMware customers are, have to go there >>A hundred percent, >>What's that path. What is the path for the VMware customer to go from here to there? And what's this order of operations or is there a roadmap? Can, can you share your thoughts on >>That? Yeah, I think part of it is, is with these disruptive technologies, you have to start small, you know, whether it's in your data center, into cloud, you have to build the own institutional knowledge of your team members in the organization. It's much easier than trying to attract outside talent, for least for many of our customers. So I think that's important. The other part of this when with the developer and control, like in my organization, I want my innovators to innovate any other noise around them. I don't want them to have to worry about it. And it's the same thing with our customers. So if your developers are building the technologies that is really differentiating your company, then things like security and cryptography shouldn't have to be things they worry about. So we've been doing a lot of work. Like one of the projects we announced this week was around being able to decouple cryptography from the applications themselves. And we can expose that through a proxy through service mesh. And that's really exciting because now it ops can make these changes. Our SecOps teams can make these changes without having to impact the application. So that's really key is focusing the developers on innovation and then really being mindful about how you can build the right automation around everything else. And certainly open source is key to all >>That. So that's so, so then if you, if that's happening, which I'm, I'm not gonna debate that then in essence, what's really going on here is that the companies are decomposing their entire businesses down to levels that are manageable completely different than the way they did them 20, 30 years ago. >>Absolutely. You, you, you could take a modular approach to how you're solving business problems. And we do the same thing with technology, where there might be a ML algorithms that we've developed that we're exposing as SA service, but then all of the interconnects around that service are open source and very flexible so that the businesses and the customers and the VMware partners can decide what's the right way to build a puzzle for a given problem. >>We were talking on day one, I was riffing with an executives. It was Ragu and Victoria. And the concept around cross cloud was if you get to this Nirvana state, which is we, people want to get to this or composability mode, you're not coding, you're composing cuz coding's kinda happening open source and not the old classic, write some code and write that app. It's more orchestrate, compose and orchestrate. Do you, what's your thoughts on >>That? Yeah, yeah. Yeah. I, I agree. And it's it's I would add one more part to it too, which is scope. You know, I think sometimes we see projects fail because the, the initial scope is just too big. You know, what is the problem that you need to solve, scope it properly and then continuously calibrate. So even like our customers have to listen to their customers and we have to be thinking about our customers' customers, right? Because that's really how we innovate because then we can really be mindful of a holistic solution for them. >>You know, Lisa, when we had a super cloud event, you know, one of the panels was called the innovators dilemma with a question mark. And of course everyone kinds of quotes that book innovators dilemma, but one of the panelists, Chris ho beaker on Twitter said, let's change the name from the innovator's dilemma to the integrator's dilemma. And we all kind of got chuckled. We all kind of paused and said, Hey, that's actually a good point. Yeah. If you're now in a cloud and you're seeing some of the ecosystem floor vendors out there talking in this game too, they're all kind of fitting in snapping in almost like modular, like you said, so this is a Lego game. Now it feels like, it feels like, you know, let's compose, let's orchestrate, let's integrate. Now I integrations API driven. Now you're seeing a lot more about API security in the news and we've been covering at least I've probably interviewed six companies in the past, you know, six months that are doing API security, who would've thought API, that's the link, frankly, with the web. Now that's now a target area for hackers. >>Oh. And that's such an innovation area for VMware, John. Okay. >>There it is. So, I mean, this is, again, this means the connected tissue is being attacked yet. We need it to grow. No one's debating that is wrong, but it's under siege. >>Yes. Yes. So something else we introduced this week was a project. We called project Trinidad. And the way, the way you can think about it is a lot of the anomaly detection software today is looking at point based anomalies. Like this API header looks funny where we, where we've gone further is we can look at full sequence based anomalies so we can learn the sequences of transactions at an application takes and really understand what is expected behavior within those API calls within the headers, within the payloads. And we can model legitimate application behavior based on what those expectations are. So like a, like a common sequence might be doing an e-commerce checkout, right? There's lots of operations that happen logging into the site, searching, finding a product, going through the cart. Right. All of those things. Right. So if something's out of sequence, like all of a sudden somebody's just trying to do a checkout, but they haven't actually added to the cart. Right. This just seems odd. Right. So we can start to, and that's a simplistic example, but we're able now to use our algorithms to model legitimate application behavior through the entire sequence of how applications behave and then we can start to trap on anomalies. That's very differentiating IP and, and we think it's gonna be really important for the industry. Yeah. >>Because a lot of the hacks, sometimes on the API side, even as a example, are not necessarily on the API, it's the business logic in them. That's what you're getting at here. Yes. The APIs are hard. Oh our APIs are secure. Right. Well, yeah, but you're not actually securing the business logic internally. That's what you're getting at. If I read >>That right. Or exactly. Exactly. Yeah. Yeah. And it, it's the thing it's right. It's great that you can, you can look at a header, but what's the payload, right? What is what's, what's the actual data flow, right. That's associated with the call and that's what we want to really hone in on. And that's just a, it's, it's a, it's a far different level of sophistication in being able to understand east west vulnerabilities, you know, log for JX voice and these kind of things. So we have some real, it's interesting technology >>There. Security conversations now are not about security there about defense ability because security's a state of time, your secure here, you're not secure or someone might be in the network or in the app, but can you defend yourself from, and in >>That's it, you know, our, our, our malware software, right. That we're building to prevent and respond has to be more dynamic than the threats we face. Right. And this is why machine learning is so essential in, in these types of applications. >>Let me ask you a question. So just now zooming out riffing here since day, three's our conversational day where we debate and just riff more like a podcast style. If you had to do a super cloud or build a NextGen cloud multi-cloud with abstraction layer, that's, you know, all singing and dancing and open everyone's happy hardware below it's working ISAs and then apps are killed. Can ass what's in that. What does it look like to you if you had to architect the, the ultimate super cloud enabler, that something that would disrupt the next 10 years, what would it look like and how does, and assuming, and trying to do where everybody wins go, you have 10 seconds. No, >>Yeah, yeah. So the, you know, first of all, there has to be open source at all of the intersections. I think that's really important. And, and this is, this goes from networking constructs to our database, as a service layers, you know, everything in between, you know, the, the, the participants should be able to win on merit there. The other part of super cloud though, that hasn't happened that I probably is the most important area of innovation is going to be decoupled control planes. We have a number of organizations building sovereign cloud initiatives. They wanna have flexibility in where their services physically run. And you're not going to have that with a limited number of control planes that live in very specific public cloud data centers. So that's an area, give >>An example of what a, a, a, a narrowly defined control plane is. >>Yeah, sure. So my database as a service layer, so the, the, the actual portal that the customer is going into to provision databases, right. Rep managed replication, et cetera. Right. I should be able to run that in a colo. I should be able to run that somewhere in region that is guaranteed, that I'm going to have data stay physically in region. You know, we still have some of these challenges in networking in terms of being able to constrain traffic flows and be able to predict and audit them within a particular region as well. >>It's interesting. You bring up region again, more complexity. You know, you got catalogs here, catalogs different. I mean, this is where the chaos really comes down. I mean, it's, it's advancing, but it's advancing the state of functionality, but making it hella complex, I mean, come on. Don't you think it's like pretty amazingly hard to reign in that? Well, or is it maybe you guys making it easier? I just think I just, my mind just went, oh my God, I gotta, I gotta provision to that region, but then it's gotta be the same over there. And >>When you go back to modular architecture constructs, it gets far easier. This has been really key for how VMware is even building our own clouds internally is so that we have a, a shared services platform for the different apps and services that we're building, so that you do have that modularized approach. Like I said, the, the examples of innovation projects I've shared have been really driven by the fact that, you know, what, I don't know how customers are gonna consume it, and I don't have to know. And if you have the right modular architecture, the right APIs around it, you don't have to limit a particular project or technology's future at the time you build >>It. Okay. So your super would have multiple control planes that you can move, manage with that within one place. I get that. What about the data control plane? That seems to be something that used to be the land grab in, in conversations from vendors. But that seems to be much more of a customer side, cuz if I'm a customer, I want my control plane data plane to be, you know, mine. Like I don't want to have anyone cuz data's gotta move around, gotta be secure. >>Oh exactly. >>And that's gonna be complicated. How does, how do you see the data planes emerging? >>Yeah. Yeah. We, we see an opportunity really around having a, a centralized view that can give me consistent indexing and consistent awareness of data, no matter where it resides. And then being able to have that level of integration now between my data services and my applications, because you're right, you know, right now we have data in different places, but we could have a future where data's more perpetually in motion. You know, we're already looking at time sensitive fabrics where we're expecting microservices to sometimes run in different cell towers depending on the SLA that they need to achieve. So then you have data parts that's going to follow, right? That may not always be in the same cloud data center. So there's, this is enormously complicated, not just in terms of meeting application SLAs, but auditing and security. Right. That makes it even further. So having these types of data layers that can give me a consistent purview of data, regardless of where it is, allow me to manage and life cycle data globally, that's going to be super important, I believe going forward. >>Yeah. Awesome. Well, my one last question, Lisa, gonna get a question in here. It's hard. Went for her. I'm getting all the, all the questions in, sorry, Lisa that's okay. What's your favorite, most exciting thing that you think's going on right now that people should pay attention to of all the things you're looking at, the most important thing that that's happening and maybe something that's super important that people aren't talking about or it could be the same thing. So the, the most important thing that you think that's happening in the industry for cloud next today and, and maybe something that you think people should look at and pay more attention to. >>Okay. Yeah, those are good questions. And that's hard to answer because there's, there's probably so much happening. I I've been on here before I've talked about edge. I still think that's really important. I think the value of edge soft of edge velocity being defined by software updates, I think is quite powerful. And that's, that's what we're building towards. And I would say the industry is as well. If you look at AWS and Azure, when they're packaging a service to go out to the edge it's package as a container. So it's already quite flexible and being able to think about how can I have a single platform that can give me all of this flexibility, I think is really, really essential. We're building these capabilities into cars. We have a version of our Velo cloud edge device. That's able to run on a ruggedized hardware in a police car today. We're piloting that with a customer. So there is a shift happening where you can have a core platform that can now allow you to layer on applications that you're not thinking about in the future. So I think that's probably obvious. A lot of people are like, yeah. Okay. Yes. Let's talk about edge, big deal. >>Oh it's, it's, it's big. Yes. It's >>Exploding, but >>It's complicated too. It's not easy. It's not obvious. Right. And it's merging >>There's new things coming every day. Yeah. Yeah. And related to that though, there is this kind of tension that's existing between machine learning and privacy and that's really important. So an area of investment that I don't think enough people are paying attention to today is federated machine learning. There's really good projects in open source that are having tangible impact on, in a lot of industries in VMware. We are, we're investing in a, in a couple of those projects, namely fate in the Linux foundation and open FFL. And in these use cases like the security product I mentioned to you that is looking at analyzing API sequence API call sequences. We architected that originally so that it can run in public cloud, but we're also leveraging now federated machine learning so that we can ensure that those API calls and metadata associated with that is staying on premises for the customers to ensure privacy. So I think those intersections are really important. Federated learning, I think is a, an area not getting enough attention. All right. All >>Right, Chris, thanks so much for coming on. Unfortunately we are out of time. I know you guys could keep going. Yeah. Good stuff. But thank you for sharing. What's going on in R and D the customer impact the outcomes that you're enabling customers to achieve. We appreciate your >>Insights. We're just getting started >>In, in early innings, right? Yeah. Awesome. Good stuff for guest and John furrier. I'm Lisa Martin. You're watching the cube live from VMware Explorer, 2022. Our next guest joins us momentarily. >>Okay.

(soft joyful music) >> Welcome back everyone to the live CUBE coverage here in San Francisco for VMware Explore '22. I'm John Furrier with my host Dave Vellante. Three days of wall to wall live coverage. Two sets here at the CUBE, here on the ground floor in Moscone, and we got VMware and HPE back on the CUBE. Paul Turner, VP of products at vSphere and cloud infrastructure at VMware. Great to see you. And Mark Nickerson, Director of Go to Mark for Compute Solutions at Hewlett-Packard Enterprise. Great to see you guys. Thanks for coming on. >> Yeah. >> Thank you for having us. >> So we, we are seeing a lot of traction with GreenLake, congratulations over there at HPE. The customers changing their business model consumption, starting to see that accelerate. You guys have the deep partnership, we've had you guys on earlier yesterday. Talked about the technology partnership. Now, on the business side, where's the action at with the HP and you guys with the customer? Because, now as they go cloud native, third phase of the inflection point, >> Yep. >> Multi-cloud, hybrid-cloud, steady state. Where's the action at? >> So I think the action comes in a couple of places. Um, one, we see increased scrutiny around, kind of not only the cost model and the reasons for moving to GreenLake that we've all talked about there, but it's really the operational efficiencies as well. And, this is an area where the long term partnership with VMware has really been a huge benefit. We've actually done a lot of joint engineering over the years, continuing to do that co-development as we bring products like Project Monterey, or next generations of VCF solutions, to live in a GreenLake environment. That's an area where customers not only see the benefits of GreenLake from a business standpoint, um, on a consumption model, but also around the efficiency operationally as well. >> Paul, I want to, I want to bring up something that we always talk about on the CUBE, which is experience in the enterprise. Usually it's around, you know, technology strategy, making the right product market fit, but HPE and VMware, I mean, have exceptional depth and experience in the enterprise. You guys have a huge customer base, doesn't churn much, steady state there, you got vSphere, killer product, with a new release coming out, HP, unprecedented, great sales force. Everyone knows that you guys have great experience serving customers. And, it seems like now the fog is clearing, we're seeing clear line of sight into value proposition, you know, what it's worth, how do you make money with it, how do partners make money? So, it seems like the puzzle's coming together right now with consumption, self-service, developer focus. It just seems to be clicking. What's your take on all this because... >> Oh, absolutely. >> you got that engine there at VMware. >> Yeah. I think what customers are looking for, customers want that cloud kind of experience, but they want it on their terms. So, the work that we're actually doing with the GreenLake offerings that we've done, we've released, of course, our subscription offerings that go along with that. But, so, customers can now get cloud on their terms. They can get systems services. They know that they've got the confidence that we have integrated those services really well. We look at something like vSphere 8, we just released it, right? Well, immediately, day zero, we come out, we've got trusted integrated servers from HPE, Mark and his team have done a phenomenal job. We make sure that it's not just the vSphere releases but VSAN and we get VSAN ready nodes available. So, the customers get that trusted side of things. And, you know, just think about it. We've... 200,000 joined customers. >> Yeah, that's a lot. >> We've a hundred thousand kind of enabled partners out there. We've an enormous kind of install base of customers. But also, those customers want us to modernize. And, you know, the fact that we can do that with GreenLake, and then of course with our new features, and our new releases. >> Yeah. And it's nice that the products market fits going well on both sides. But can you guys share, both of you share, the cadence of the relationship? I mean, we're talking about vSphere, every two years, a major release. Now since 6, vSphere 6, you guys are doing three months' releases, which is amazing. So you guys got your act together there, doing great. But, you guys, so many joint customers, what's the cadence? As stuff comes out, how do you guys put that together? How tightly integrated? Can you share a quick... insight into that dynamic? >> Yeah, sure. So, I mean Mark can and add to this too, but the teams actually work very closely, where it's every release that we do is jointly qualified. So that's a really, really important thing. But it's more interesting is this... the innovation side of things. Right? If you just think about it, 'cause it's no use to just qualify. That's not that interesting. But, like I said, we've released with vSphere 8 you know... the new enhanced storage architecture. All right? The new, next generation of vSphere. We've got that immediately qualified, ready on HPE equipment. We built out new AI servers, actually with Invidia and with HPE. And, we're able to actually push the extremes of... AI and intelligence... on systems. So that's kind of work. And then, of course, our Project Monterey work. Project Monterey Distributed Services Engine. That's something we're really excited about, because we're not just building a new server anymore, we're actually going to change the way servers are built. Monterey gives us a new platform to build from that we're actually jointly working. >> So double click on that, and then to explain how HPE is taking advantage of it. I mean, obvious you have more diversity of XPU's, you've got isolation, you've got now better security, and confidential computing, all that stuff. Explain that in some detail, and how does HPE take advantage of that? >> Yeah, definitely. So, if you think about vSphere 8, vSphere 8 I can now virtualize anything. I can virtualize your CPU's, your GPU's, and now what we call DPU's, or data processing units. A data processing unit, it's... think of it as we're running, actually, effectively another version of ESX, sitting down on this processor. But, that gives us an ability to run applications, and some of the virtualization services, actually down on that DPU. It's separated away from where you run your application. So, all your applications get to consume all your CPU. It's all available to you. Your DPU is used for that virtualization and virtualization services. And that's what we've done. We've been working with HPE and HPE and Pensando. Maybe you can talk some of the new systems that we've built around this too. >> Yeah. So, I mean, that's one of the... you talked about the cadence and that... back to the cadence question real briefly. Paul hit on it. Yeah, there's a certain element of, "Let's make sure that we're certified, we're qualified, we're there day zero." But, that cadence goes a lot beyond it. And, I think Project Monterey is a great example of where that cadence expands into really understanding the solutioning that goes into what the customer's expecting from us. So, to Paul's point, yeah, we could have just qualified the ESX version to go run on a DPU and put that in the market and said, "Okay, great. Customers, We know that it works." We've actually worked very tightly with VMware to really understand the use case, what the customer needs out of that operating environment, and then provide, in the first instantiation, three very discrete product solutions aimed at different use cases, whether that's a more robust use case for customers who are looking at data intensive, analytic intensive, environments, other customers might be looking at VDI or even edge applications. And so, we've worked really closely with VMware to engineer solutions specific to those use cases, not just to a qualification of an operating environment, not just a qualification of certain software stack, but really into an understanding of the use case, the customer solution, and how we take that to market with a very distinct point of view alongside our partners. >> And you can configure the processors based on that workload. Is that right? And match the workload characteristics with the infrastructure is that what I'm getting? >> You do, and actually, well, you've got the same flexibility that we've actually built in why you love virtualization, why people love it, right? You've got the ability to kind of bring harness hardware towards your application needs in a very dynamic way. Right? So if you even think about what we built in vSphere 8 from an AI point of view, we're able to scale. We built the ability to actually take network device cards, and GPU cards, you're to able to build those into a kind of composed device. And, you're able to provision those as you're provisioning out VM's. And, the cool thing about that, is you want to be able to get extreme IO performance when you're doing deep learning applications, and you can now do that, and you can do it very dynamically, as part of the provisioning. So, that's the kind of stuff. You've got to really think, like, what's the use case? What's the applications? How do we build it? And, for the DPU side of things, yes, we've looked at how do we take some of our security services, some of our networking services, and we push those services down onto the SmartNIC. It frees up processors. I think the most interesting thing, that you probably saw on the keynote, was we did benchmarks with Reddit databases. We were seeing 20 plus, I'm sure the exact number, I think it was 27%, I have to get exact number, but a 27% latency improvement, to me... I came from the database background, latency's everything. Latency's king. It's not just... >> Well it's... it's number one conversation. >> I mean, we talk about multi-cloud, and as you start getting into hybrid. >> Right. >> Latency, data movement, efficiency, I mean, this is all in the workload mindset that the workhorses that you guys have been working at HPE with the compute, vSphere, this is heart center of the discussion. I mean, it is under the hood, and we're talking about the engine here, right? >> Sure. >> And people care about this stuff, Mark. This is like... Kubernetes only helps this better with containers. I mean, it's all kind of coming together. Where's that developer piece? 'Cause remember, infrastructure is code, what everybody wants. That's the reality. >> Right. Well, I think if you take a look at... at where the Genesis of the desire to have this capability came from, it came directly out of the fact that you take a look at the big cloud providers, and sure, the ability to have a part of that operating environment, separated out of the CPU, free up as much processing as you possibly can, but it was all in this very lockdown proprietary, can't touch it, can't develop on it. The big cloud guys owned it. VMware has come along and said, "Okay, we're going to democratize that. We're going to make this available for the masses. We're opening this up so that developers can optimize workloads, can optimize applications to run in this kind of environment." And so, really it's about bringing that cloud experience, that demand that customers have for that simplicity, that flexibility, that efficiency, and then marrying it with the agility and security of having your on premises or hybrid cloud environment. And VMware is kind of helping with that... >> That's resonating with the customer, I got to imagine. >> Yeah. >> What's the feedback you're hearing? When you talk to customers about that, the like, "Wait a minute, we'd have to like... How long is that going to take? 'Cause that sounds like a one off." >> Yeah. I'll tell you what... >> Everything is a one off now. You could do a one off. It scales. >> What I hear is give me more. We love where we're going in the first instantiation of what we can do with the Distributed Services Engine. We love what we're seeing. How do we do more? How do we drive more workloads in here? How do we get more efficiency? How can we take more of the overhead out of the CPU, free up more cores. And so, it's a tremendously positive response. And then, it's a response that's resonating with, "Love it. Give me more." >> Oh, if you're democratizing, I love that word because it means democratization, but someone's being democratized. Who's... What's... Something when... that means good things are happening, which means someone's not going to be winning out. Who's that? What... >> Well it, it's not necessarily that someone's not winning out. (laughs) What you read, it comes down to... Democratizing means you've got to look at it, making it widely available. It's available to all. And these things... >> No silos. No gatekeepers. Kind of that kind of thing. >> It's a little operationally difficult to use. You've got... Think about the DPU market. It was a divergent market with different vendors going into that market with different kind of operating systems, and that doesn't work. Right? You've got to actually go and virtualize those DPU's. So then, we can actually bring application innovation onto those DPU's. We can actually start using them in smart ways. We did the same thing with GPU's. We made them incredibly easy to use. We virtualized those GPU's, we're able to, you know, you can provision them in a very simple way. And, we did the same thing with Kubernetes. You mentioned about container based applications and modern apps in the one platform now, you can just set a cluster and you can just say, "Hey I want that as a modern apps enabled cluster." And boom. It's done. And, all of the configurations, set up, Kubernetes, it's done for you. >> But the thing that just GreenLake too, the democratization aspect of how that changed the business model unleashes... >> Right. >> ...efficiency and just simplicity. >> Oh yeah, absolutely. >> But the other thing was the 20% savings on the Reddit's benchmark, with no change required at the application level, correct? >> No change at the application level. In the vCenter, you have to set a little flag. >> Okay. You got to tick a box. >> You got to tick a little box... >> So I can live with that. But the point I'm making is that traditionally, we've had... We have an increasing amount of waste to do offloads, and now you're doing them much more efficiently, right? >> Yes. >> Instead of using the traditional x86 way of doing stuff, you're now doing purpose built, applying that to be much more efficient >> Totally agree. And I think it's becoming, it's going to become even more important. Look at, we are... our run times for our applications, We've got to move to a world where we're building completely confidential applications at all time. And that means that they are secured, encrypted, all traffic is encrypted, whether it's storage traffic, whether it's IO traffic, we've got to make sure we've got complete route of trust of the applications. And so, to do all of that is actually a... compute intensive. It just is. And so, I think as we move forward and people build much more complete, confidential, compute secured environments, you're going to be encrypting all traffic all the time. You're going to be doing micro-zoning and firewalling down at the VM level so that you've got the protection. You can take a VM, you can move it up to the cloud, it will inherit all of its policies, will move with it. All of that will take compute capacity. >> Yup. >> The great thing is that the DPU's give us this ability to offload and to use some of that spare compute capacity. >> And isolate so the application chance can't just tunnel in and get access to that >> You guys got so much going on. You can have your own CUBE show, just on the updating, what's going on between the two companies, and then the innovation. We got one minute left. Just quickly, what's the goal in the partnership? What's next? You guys going to be in the field together, doing joint customer work? Is there bigger plans? Is there events out there? What are some of your plans together in the marketplace? >> That's you. >> Yup. So, I think, Paul kind of alluded to it. Talk about the fact that you've got a hundred thousand partners in common. The venn diagram of looking at the HPE channel and the VMware channel, clearly there's an opportunity there to continue to drive a joint, go to market message, through both of our sales organizations, and through our shared channel. We have a 25,000 strong... solution architect... force that we can leverage. So as we get these exciting things to talk about, I mean, you talk about Project Monterey, the Distributed Services Engine. That's big news. There's big news around vSphere 8. And so, having those great things to go talk about with that strong sales team, with that strong channel organization, I think you're going to see a lot stronger partnership between VMware and HPE as we continue to do this joint development and joint selling >> Lots to get enthused about, pretty much there. >> Oh yeah! >> Yeah, I would just add in that we're actually in a very interesting point as well, where Intel's just coming out with Next Rev systems, we're building the next gen of these systems. I think this is a great time for customers to look at that aging infrastructure that they have in place. Now is a time we can look at upgrading it, but when they're moving it, they can move it also to a cloud subscription based model, you know can modernize not just what you have in terms of the capabilities and densify and get much better efficiency, but you can also modernize the way you buy from us and actually move to... >> Real positive change transformation. Checks the boxes there. And put some position for... >> You got it. >> ... cloud native development. >> Absolutely. >> Guys, thanks for coming on the CUBE. Really appreciate you coming out of that busy schedule and coming on and give us the up... But again, we can do a whole show some... all the moving parts and innovation going on with you guys. So thanks for coming on. Appreciate it. Thank you. I'm John Dave Vellante we're back with more live coverage day two, two sets, three days of wall to wall coverage. This is the CUBE at VMware Explorer. We'll be right back.

>>Hey, welcome back everyone. Through the cubes coverage of VMware Explorer, 22, I'm John Fett, Dave ante, formerly world, our 12th year extracting the signal from the noise. A lot of great guests. It's very vibrant right here. The floor's great. The expo halls booming, the keynotes went great. We just had a keynote announce. So our next first guest here on day one is car Capor C co-founder and COO min IO. Welcome to the cube. Thanks for joining us. >>Thank you for having >>Me. You're also angel investor of variety of companies of Q alumnis and been in the valley for a long time. Thanks for coming on sharing. What's going on. So, first of all, obviously VMware still on the wave. They've always been relevant and they've always been part of it. Yes. But as that's changing a lot's going on security data's big conversation. Yeah. And now with their multi-cloud we call super cloud. But their multi-cloud it's it's about hyperscaler participation. Yes. Yes. Cloud universal. Yes. It's clear that VMware has to be successful in every cloud. Okay. And that's really important. And storage is one of it. You guys do that? So talk about how you guys relate with min IO, the vision, how that connects with what's happening here. >>Yeah. So like you already said, right? Most of the enterprises are become data enterprises in itself and storage is a foundation layer of how, and you do need a system that is simple, scalable, and high perform it at scale. Right? So that's where min IO fits into the picture. And we are software defined, open source. So, you know, like VMware has traditionally been focused on enterprise it, but that world is fast changing. They are making a move in terms, developer first approach and min IO, because it's open source. It's simple enough to start, get, start deploying object storage and cloud native applications on top. So that's where we come in. We have around 1.3 million DACA downloads a day. So we own the developer market overall. And that is where I feel the partnership with VMware as they are coming into multi-cloud on their own min IO is a foundational layer. >>So just to elaborate on it, whenever you talk about multi-cloud, there are two pieces to it. One is the compute side and one is on the storage side. So compute Kubernetes takes care of the compute sites. Once you containerize an application, you can deploy it any cloud, but the data has gravity and all the clouds that you see AWS, your Google cloud, they're inherently incompatible with each other. So you need a consistent storage layer with industry standard APIs that you can just deploy it around with your application without a single line of code change. So that's what we >>Do. Oh, so you got a great value proposition, love the story. So just kind of connect on something. So we heard the keynote today. We gotta win the developers. They didn't say that, but they said, they said that they have the ops lockdown, but DevOps is now the new developer. Yes. We've been covering a lot of the poop coupon as you know, and shifting left everyone's in the C I C D pipeline. So developers are driving all the action and it has to be self-service. Absolutely. It has to be high velocity. Can't be slow. Yes. Gotta be fast. So that sounds like you're winning that piece. >>Yes. Yes. And I think more than that, what is most important is it needs to be simple. It needs to get your job done in a very simple and efficient way. And I think that is very important to the developers overall. They don't like complex appliances or complex piece of software. They just want to get their job done and move on the next thing in order to build their application and deploy it successfully. So whatever you do, it needs to be very simple. And of course, you know, it needs to be feature rich and high performant and whatnot that comes with the, with the flow in itself. But I think simplicity is what wins, the developers, hearts and minds overall. >>So object storage always been simple, get put right. Pretty simple, you know, paradigm. Yes. But it was sort of the backwater before, you know, Amazon, you know, launched. Yes. You know, it's cloud. How have you seen object evolve? You mentioned performance. So I presume yes. Yes. You're not just for cheap and deep you're for cheap bin performance. So you could describe that a little bit if you would, >>For, for sure. Like you mentioned, right. When AWS was launched, S3 was the foundation layer. They launched S3 first and then came everything else around it. So object storage is the foundation of any cloud that you go with. And over a period of time, when we started the company back in 20 end of 2014, beginning 2015, it was all about cheap and deep storage. You know, you just get, put it into one basket, but over years, if you see, because the scale of data has increased quite a bit, new applications have emerged as well. That require high performance. That is where we partnered very closely with Intel early on. And I have to give it to them. Intel was the one who convinced us that you need to do high performance. You need to optimize your software with all the AVX five, 12 instruction set and so on. >>So we partnered very closely with them and we were the first one to come up with, you know, you need high performance, object storage and that in collaboration with Intel. So that's something that we take a lot of pride in, in terms of being the leader in that direction of bringing high performance object storage to the market, especially for big data workloads, AI ML, workloads, they're all object first, like even, you know, new age applications like snowflake and data bricks, they are not built on sand or file system. Right. They're all built on object storage rates. So that's where the, you need >>Performance. And I think the, I think the data bricks, snowflake examples. Good. And then you mentioned in 2014, when you started yes. At that time, big data was Hudu and you know, data, legs, data swamp. Yes. Yes. But the ones that were successful, the ones who optimize had the right bets, like you guys. Yeah. Now we're in an era. Okay. I gotta deploy this. So you got great downloads and update from developers. Now we see ops struggling to keep up yes. With the velocity of the development cycle. Yes. And with DevOps driving the cloud native yeah. Security data ops becomes important. Okay. Exactly. Security and data. A lot with storage going on there. Yes. How do you guys see that emerging? Cuz that becomes a lot of the conversations now in the architecture of the ops teams. I want to be supportive in enablement of dev. Yes. Yes. Do you guys target that world too? Or >>Yeah, we, we do target that. So the good thing about object storage is that if you look at the architecture in itself, it's very granular in terms of the controls that it can give to the end user. Right? So you can really customize in terms of, you know, what objects need to be accessible to whom what kind of policies you need to implement on the bucket level, what kind of access controls and provisions that you need to do. And especially like with ransomware attacks and what not, you can enable immutability and so on, so forth. So that's an important part of it. Especially I think the ransomware threats have increased quite a bit, especially with, you know, the macro, you know, situation with war and stuff. So we see that come up quite a bit. And that's where I think, you know, the data IU immutability, the data governance and compliance becomes extremely, extremely important for organizations. So we, we are partnering very closely with a lot of big organizations just for this use case itself. >>So how's it work if I want to build some kind of multi-cloud whatever X, right. Okay. I, I can use S three APIs or Azure blah. Okay. And I, and are all different. Yes. But if I want to use min IO, what's the experience like describe how I go about doing >>So if you've had any experience working with AWS, you don't need to even change a single line of code with us. You can just bring your applications directly onto min IO and it just behaves and act same way transparently what you would've experienced in AWS. Now you can just lift and shift that application and deploy it wherever you need it to be. Whether it is Azure, blah, whether it is Google cloud or even on edge. Like what we are seeing is that data is getting generated outside of public cloud. And most of the data that, you know, the emerging trend is that we see that data gets generated on edge quite a bit, whether it is autonomous cars, whether it is IOT, manufacturing units and so on. And you cannot push all that data back in the central cloud, it's extremely expensive for bandwidth and latency reasons. >>So you need to have an environment that looks and feels exactly what you have experienced at the central cloud on the edge itself. So a lot of our use cases are also getting deployed with Mani on the edge itself, whether it is on top of VMware because of the footprint of that VMware has within all these organizations itself. So we see that emerging quite a bit as well. And then you can tier the data off to any cloud, whether it is mid IO cloud, whether it is AWS, Azure, Google cloud, and so on. So you can have like a true multi-cloud environment. >>So you would follow VMware to the edge and be the object store there, or not necessarily if it's not VMware Kubernetes or whatever. >>Exactly. Exactly. Depending on the skill set that the organization has within, within their setup, if their DevOps savvy Kubernetes is becomes a very natural choice. If they are traditional enterprise, it, VMware is an ideal choice. So yeah. >>So you're seeing a lot of edge action you're saying, and we, >>We, we have seen starting it increasing yes. And >>Are customers. So they're persisting data at the edge. Yes. Yes they >>Are. Okay. >>It's not just the femoral and >>No, they are not because what the cost of putting all the data through bandwidth is extremely expansive to push all the data in central cloud and then process it and then store it. So we see that the data gets persisted on edge cloud as well in terms of processing and only the data that you need for, for the processing through whatever application systems that you, whether it is snowflake or data, bricks and whatnot, you know, you choose what applications from compute side, you want to bring on top of storage. And that can just seamlessly and transparently work. Yeah. >>Maria, you were saying that multi-cloud yeah. Games around Kubernetes. You, yes. That Kubernetes is all about multi-cloud that's the game. >>Yes. >>Yes. Can you explain what you mean by that? Why is multi-cloud a Kubernetes game? >>So multi-cloud has two foundations to it. One is the compute side. Another one is the storage side. Compute Kubernetes makes it extremely simple to deploy any application that is containerized. Once you containerize an application, it's no longer tied to the underlying infrastructure. You can actually deploy it no matter where you go. So Kubernetes makes that task extremely easy. And from storage standpoint, you know, the state of applications need to be held somewhere. You know, it's it, people say it's cloud, but it's computer somewhere. Right? So >>Exactly it's the >>Container. It needs, it needs to be stored somewhere. So that's where, you know, storage systems like man IO come into play where you can just take the storage and deploy it wherever you go. So it gets tightly bound with application itself, just like Kubernetes is for compute. Mano is for storage. >>I saw Scott Johnson, the CEO of Docker in Palo Alto last week did yeah. The spring to his step. So to speak Dockers doing pretty well as a result, they got, you know, starting to see certifications. Yes. So people are really rallying around containers in a more open way. Yes. But that's open source, but it's the Kubernetes, that's the action. Absolutely. That the container's really there now Docker's got a great business. Yes. Right now going yes. With how they're handling. I thought they did a great job. Yeah. But the Docker's now lingua Franco, right? Yes. That's the standard. It >>Is. It is. And I think where Kubernetes really makes it easy is in terms of when the scale is involved. Right. If there are, if the scale is small, it's okay. You can, you can work around it. But Kubernetes makes it extremely simple. If you have the right Kubernetes skill, I just need to put a disclaimer around there because not lot of people are Kubernetes expert, at least not yet. So if you have the expertise, Kubernetes makes the task extremely simple, predictable and automate and automated scale. I think that is what is >>The, so take me through a use case, cuz I've talked to a lot of enterprises, multiple versions, we're lifting and shifting to the cloud, that's kind of the, you know, get started, get your feet wet. Yes. Then there's like, okay, now we're refactoring really doing some native development and they're like, we don't have a staff on Kubernetes. We do a managed service. Yeah. So how does, how do you see that evolution piece taking place? Cause that's a critical adoption component as they start figuring out their Kubernetes relationship yes. To compute yes. How they roll it out. Yes. How do you see that playing out as a big part of this growth for a customer? >>Yeah. So we see a mix, you know, we see organizations that are born within cloud. Like they have just been in mono cloud like AWS. Now they are thinking about two things, right. With the economy being, you know, and the state that it is, they're getting hurt on the margin. Some of the SaaS companies that were born in cloud. So they are now actively thinking in terms of what mode they can do to bring the cost down. So they are partnering with min IO either to, you know, be in a colocation at Equinix, like data centers or go to other clouds to optimize for the compute modes and so on. So that's one thing that we see increasingly amongst enterprise. Second thing that we see is that because you know of that whole multi-cloud and cloud does go down, it's not like it, you know, and it's been evident over the last year or so that, you know, we've seen instances where Amazon was down or Google cloud was down. So they want to make sure that the data is available across the clouds in a consistent way. So with man IO, with the active, active application and so on, you can make the data available across the cloud. So your applications, even if one cloud is down for Dr. Purposes and so on, you can, you know, transparently, move the applications to another cloud and make sure that your business is not affected. So from business continuity reasons as well, the customers are partnering with us. So like I said, it's a mix. >>So the Tansu, you know, 1.3, the application development platform that we heard in the keynotes this morning, critical, you have to have that for cross cloud services. If you don't have a consistent experience, absolutely forget it. I mean it's table stake. Absolutely. But there's a lot of chatter on Twitter. A lot of skepticism that VMware can appeal to developers, some folk John as well chimed in saying, well, you know, it's, don't forget about the op side of the equation as well. They need security and consistency. Yes. What are you seeing in the marketplace in terms of VMware, specifically their customers and, and what do you, what do you, how do you rate their chances in terms of them being able to track the developer crowd, your, your peeps? >>Yeah. So VMware has a very strong hold on enterprise. It, you know, you have to give it to them. I don't come across any organization that does not have VMware, you know, for, with 500,000 customers. Right. Right. So they have done something really right for themselves. And if you have such a strong hold on the customers, it's not that hard to make the transition over to the developer mindset as well. And that is where with VMware partnership with partners like us, they can make, make that jump happen. So we partnered with them very closely for the data persistence layer and they wanted to bring Kubernetes the VMware tan natively to the VSAN interface itself. So we partnered with them, you know, we were their design partner and in, I think, 2020 or something, and we were their launch partner for that platform service. So now through the vCenter itself, you can provision object storage as a service for the developers. So I think they are working in terms of bridging the gap and they have the right mindset. It's all about execution like this. Right. >>They gotta get it >>Justed >>And it's the execution and timing. Exactly. And if they overshoot and the, it shifts over here, you know, this comes up a lot in our conversations. I want to get your reaction to this because I think that's a really great point. You guys are a nice foundational element. Yes. For VMware that plugs into them. That makes everything kind of float for them. Yes. Now we would, we were comparing OpenStack back in the day, how that had so much promise. Yes it did. If you remember, and storage was a big part of that conversation. It, it did. But the one thing that a lot of people didn't factor in on those industry discussions was Amazon was just ramping. Yes. So assuming that the hyper scales aren't stopping, innovating. Yeah. How does the multi-cloud fit with the constant struggles? Cuz abs is not rah multi-cloud cause they're there for the cloud, but customers are using Azure for yeah. Say office productivity teams or whatever, and then they have apps over here and then I'll see on private, private. Right. So hybrids there we get hybrid. Yeah. The clouds aren't changing. Yes. How does that change the dynamics in the market? Because it's a moving train. Some say, >>You know, it is, I would not characterize it like that because you know, AWS strength is that it is AWS, but also that it is not outside of AWS. Right. So it comes with the strengths and weaknesses and same goes for Azure. And same goes for Google cloud where VMware strength lies is the enterprise customers that it has. And I think if they can bridge the gap between the developers, enterprise customers and also the cloud, I think they have a really fair shot at, you know, making sure that the organizations and enterprise have the right experiences in terms of, you know, everyone needs to innovate. There is just no nothing that you can just sit back and relax. Everyone needs to innovate. And I think the good part about VMware is the partnership ecosystem that they have developed over the years and also making sure that their partners are successful along with them. And I think that is, that is going to be a key determining factor in terms of how well and how fast they can execute because nobody can do it alone in, in the enterprise world. So I think that that would be the >>Key, well, gua you're a great guest. Thanks for coming on and sharing you for having perspective on the cube. And obviously you've been on a, this from day 1, 20 15. Yes. I mean that's early and you guys made some great moves. Thank you. In a great position with VMware. Thank you. I like how you're the connective tissue and bridge to developers without a lot of disruption. Right? Real enablement. I think the question is can the VMware customers get there? So congratulations. No, thank you. And we got a couple minutes left. Take a minute to explain what's going on with the company that you co-founded, the team what's going on. Any updates funding very well, well funded. Yeah. How many people do you have? What's new. Are you gonna hire where take a minute to give the plug, give the commercial real quick >>For sure. So we started in 24 15, so it has been like seven, eight years now that we are at it. And I think we've been just very focused with the S3 compatible object storage, being AWS S3 for rest of the world. Like we get characterized at and over the years we've been like now we, we are used 60% in fortune 500 companies in some shape or format. So in terms of the scale and growth, we couldn't be more happier. We are about to touch a billion dollar billion Docker downloads in September. So that's something that we, we are very excited about. And in terms of the funding, we closed the, our series B sometime I think end of December last year and it's a billion dollar valuation and we have great partners in Intel capital and Dell ventures and soft bank. So we couldn't be in a more happier >>Spot. You're a unicorn soon to be decor. Right. >>What's next? Yes. I think, I think what is exciting for us is that the market, we could not be more happier with how the market is coming together with our vision, what we saw in 2015 and how everything is coming together nicely with, from the, the organization, realizing that multi-cloud is the core foundation and strategy of whatever they do next and lot has been accelerated due to COVID as well. Yeah. So in those terms, I think from market and product alignment, we just couldn't be more happier. >>Yeah. We think multi-cloud hybrids here. Steady state multi-cloud is gonna be a reality. Yeah. It becomes super cloud with the new dynamics. And again, David and I were talking last night, storage, networking, compute never goes away, never goes the operating. System's still gonna be out there. Just gonna be looked different and that >>Differently. Yes. I mean, yeah. And like, you know, in 10 years from now, Kubernetes might or might not be there as the foundation for, you know, compute, but storage is something that is always going to be there. People still need to persist the data. People still need a performance data store. People still need something that can scale to hundreds and hundreds of petabytes. So we are here. You bet against data >>As indie gross head once, you know, let chaos rain, rain in the chaos. There you go. Chaos cloud is gonna be simplified. Yeah. That's what innovation looks like. That's, >>That's what it is. >>Thanks for coming on the queue. Appreciate thank you for having me more coverage here. I'm John furrier with Dave Alane. Thanks for watching. More coverage. Three days just getting started. We'll be right back.

(upbeat music) >> Hey, everyone. Welcome to theCUBE's presentation of the AWS Startup Showcase, season two, episode four. I'm your host, Lisa Martin. This topic is cybersecurity detect and protect against threats. Very excited to welcome a CUBE alumni back to the program. Snehal Antani, the co-founder and CEO of Horizon3 joins me. Snehal, it's great to have you back in the studio. >> Likewise, thanks for the invite. >> Tell us a little bit about Horizon3, what is it that you guys do? You were founded in 2019, got a really interesting group of folks with interesting backgrounds, but talk to the audience about what it is that you guys are aiming to do. >> Sure, so maybe back to the problem we were trying to solve. So my background, I was a engineer by trade, I was a CIO at G Capital, CTO at Splunk and helped grow scale that company. And then took a break from industry to serve within the Department of Defense. And in every one of my jobs where I had cyber security in my responsibility, I suffered from the same problem. I had no idea I was secure or that we were fixing the right vulnerabilities or logging the right data in Splunk or that our tools and processes and people worked together well until the bad guys had showed up. And by then it was too late. And what I wanted to do was proactively verify my security posture, make sure that my security tools were actually effective, that my people knew how to respond to a breach before the bad guys were there. And so this whole idea of continuously verifying my security posture through security testing and pen testing became a passion project of mine for over a decade. And through my time in the DOD found the right group of an early people that had offensive cyber experience, that had defensive cyber experience, that knew how to build and ship and deliver software at scale. And we came together at the end of 2019 to start Horizon3. >> Talk to me about the current threat landscape. We've seen so much change in flux in the last couple of years. Globally, we've seen the threat actors are just getting more and more sophisticated as is the different types of attacks. What are you seeing kind of horizontally across the threat landscape? >> Yeah, the biggest thing is attackers don't have to hack in using Zero-days like you see in the movies. Often they're able to just log in with valid credentials that they've collected through some mechanism. As an example, if I wanted to compromise a large organization, say United Airlines, one of the things that an attacker's going to go off and do is go to LinkedIn and find all of the employees that work at United Airlines. Now you've got say, 7,000 pilots. Of those pilots, you're going to figure out quickly that their user IDs and passwords or their user IDs at least are first name, last initial @united.com. Cool, now I have 7,000 potential logins and all it takes is one of them to reuse a compromised password for their corporate email, and now you've got an initial user in the system. And most likely, that initial user has local admin on their laptops. And from there, an attacker can dump credentials and find a path to becoming a domain administrator. And what happens oftentimes is, security tools don't detect this because it looks like valid behavior in the organization. And this is pretty common, this idea of collecting information on an organization or a target using open source intelligence, using a mix of credential spraying and kind of low priority or low severity exploitations or misconfigurations to get in. And then from there, systematically dumping credentials, reusing those credentials, and finding a path towards compromise. And less than 2% of CVEs are actually used in exploits. Most of the time, attackers chain together misconfigurations, bad product defaults. And so really the threat landscape is, attackers don't hack in, they log in. And organizations have to focus on getting the basics right and fundamentals right first before they layer on some magic easy button that is some security AI tools hoping that that's going to save their day. And that's what we found systemically across the board. >> So you're finding that across the board, probably pan-industry that a lot of companies need to go back to basics. We talk about that a lot when we're talking about security, why do you think that is? >> I think it's because, one, most organizations are barely treading water. When you look at the early rapid adopters of Horizon3's pen testing product, autonomous pen testing, the early adopters tended to be teams where the IT team and the security team were the same person, and they were barely treading water. And the hardest part of my job as a CIO was deciding what not to fix. Because the bottleneck in the security process is the actual capacity to fix problems. And so, fiercely prioritizing issues becomes really important. But the tools and the processes don't focus on prioritizing what's exploitable, they prioritize by some arbitrary score from some arbitrary vulnerability scanner. And so we have as a fundamental breakdown of the small group of folks with the expertise to fix problems tend to be the most overworked and tend to have the most noise to need to sift through. So they don't even have time to get to the basics. They're just barely treading water doing their day jobs and they're often sacrificing their nights and weekends. All of us at Horizon3 were practitioners at one point in our career, we've all been called in on the weekend. So that's why what we did was fiercely focus on helping customers and users fix problems that truly matter, and allowing them to quickly reattack and verify that the problems were truly fixed. >> So when it comes to today's threat landscape, what is it that organizations across the board should really be focused on? >> I think, systemically, what we see are bad password or credential policies, least access privileged management type processes not being well implemented. The domain user tends to be the local admin on the box, no ability to understand what is a valid login versus a malicious login. Those are some of the basics that we see systemically. And if you layer that with it's very easy to say, misconfigure vCenter, or misconfigure a piece of Cisco gear, or you're not going to be installing, monitoring security observability tools on that HPE Integrated Lights Out server and so on. What you'll find is that you've got people overworked that don't have the capacity to fix. You have the fundamentals or the basics not well implemented. And you have a whole bunch of blind spots in your security posture. And defenders have to be right every time, attackers only have to be right once. And so what we have is this asymmetric fight where attackers are very likely to get in, and we see this on the news all the time. >> So, and nobody, of course, wants to be the next headline, right? Talk to me a little bit about autonomous pen testing as a service, what you guys are delivering, and what makes it unique and different than other tools that have been out, as you're saying, that clearly have gaps. >> Yeah. So first and foremost was the approach we took in building our product. What we set upfront was, our primary users should be IT administrators, network engineers, and that IT intern who, in three clicks, should have the power of a 20-year pen testing expert. So the whole idea was empower and enable all of the fixers to find, fix, and verify their security weaknesses continuously. That was the design goal. Most other security products are designed for security people, but we already know they're task saturated, they've got way too many tools under the belt. So first and foremost, we wanted to empower the fixers to fix problems that truly matter. The second part was, we wanted to do that without having to install credentialed agents all over the place or writing your own custom attack scripts, or having to do a bunch of configurations and make sure that it's safe to run against production systems so that you could test your entire attack surface. Your on-prem, your cloud, your external perimeter. And this is where AWS comes in to be very important, especially hybrid customers where you've got a portion of your infrastructure on AWS, a portion on-prem, and you use Horizon3 to be able to attack your complete attack surface. So we can start on-prem and we will find say, the AWS credentials file that was mistakenly saved on a shared drive, and then reuse that to become admin in the cloud. AWS didn't do anything wrong, the cloud team didn't do anything wrong, a developer happened to share a password or save a password file locally. That's how attackers get in. So we can start from on-prem and show how we can compromise the cloud, start from the cloud and show how we can compromise on-prem. Start from the outside and break in. And we're able to show that complete attack surface at scale for hybrid customers. >> So showing that complete attack surface sort of from the eyes of the attacker? >> That's exactly right, because while blue teams or the defenders have a very specific view of their environment, you have to look at yourself through the eyes of the attacker to understand what are your blind spots, what do they see that you don't see. And it's actually a discipline that is well entrenched within military culture. And that's also important for us as the company. We're about a third of Horizon3 served in US special operations or the intelligence community with the United States, and then DOD writ large. And a lot of that red team mindset, view yourself through the eyes of the attacker, and this idea of training like you fight and building muscle memory so you know how to react to the real incident when it occurs is just ingrained in how we operate, and we disseminate that culture through all of our customers as well. >> And at this point in time, every business needs to assume an attacker's going to get in. >> That's right. There are way too many doors and windows in the organization. Attackers are going to get in, whether it's a single customer that reused their Netflix password for their corporate email, a patch that didn't get applied properly, or a new Zero-day that just gets published. A piece of Cisco software that was misconfigured, not buy anything more than it's easy to misconfigure these complex pieces of technology. Attackers are going to get in. And what we want to understand as customers is, once they're in, what could they do? Could they get to my crown jewel's data and systems? Could they borrow and prepare for a much more complicated attack down the road? If you assume breach, now you want to understand what can they get to, how quickly can you detect that breach, and what are your ways to stifle their ability to achieve their objectives. And culturally, we would need a shift from talking about how secure I am to how defensible are we. Security is kind of a point in time state of your organization. Defensibility is how quickly you can adapt to the attacker to stifle their ability to achieve their objective. >> As things are changing constantly. >> That's exactly right. >> Yeah. Talk to me about a typical customer engagement. If there's, you mentioned folks treading water, obviously, there's the huge cybersecurity skills gap that we've been talking about for a long time now, that's another factor there. But when you're in customer conversations, who are you talking to? Typically, what are they coming to you for help? >> Yeah. One big thing is, you're not going to win and win a customer by taking 'em out to steak dinners. Not anymore. The way we focus on our go to market and our sales motion is cultivating champions. At the end of the proof of concept, our internal measure of successes is, is that person willing to get a Horizon3 tattoo? And you do that, not through steak dinners, not through cool swag, not through marketing, but by letting your results do the talking. Now, part of those results should not require professional services or consulting. The whole experience should be self-service, frictionless, and insightful. And that really is how we've designed the product and designed the entire sales motion. So a prospect will learn or discover about us, whether it's through LinkedIn, through social, through the website, but often because one of their friends or colleagues heard about us, saw our result, and is advocating on our behalf when we're not in the room. From there, they're going to be able to self-service, just log in to our product through their LinkedIn ID, their Google ID. They can engage with a salesperson if they want to. They can run a pen test right there on the spot against their home without any interaction with a sales rep. Let those results do the talking, use that as a starting point to engage in a more complicated proof of value. And the whole idea is we don't charge for these, we let our results do the talking. And at the end, after they've run us to find problems, they've gone off and fixed those issues, and they've rerun us to verify that what they've fixed was properly fixed, then they're hooked. And we have a hundred percent technical win rate with our prospects when they hit that find-fix-verify cycle, which is awesome. And then we get the tattoo for them, at least give them the template. And then we're off to the races. >> Sounds like you're making the process more simple. There's so much complexity behind it, but allowing users to be able to actually test it out themselves in a simplified way is huge. Allowing them to really focus on becoming defensible. >> That's exactly right. And the value is, especially now in security, there's so much hype and so much noise. There's a lot more time being spent self-discovering and researching technologies before you engage in a commercial discussion. And so what we try to do is optimize that entire buying experience around enabling people to discover and research and learn. The other part, remember is, offensive cyber and ethical hacking and so on is very mysterious and magical to most defenders. It's such a complicated topic with many nuance tools that they don't have the time to understand or learn. And so if you surface the complexity of all those attacker tools, you're going to overwhelm a person that is already overwhelmed. So we needed the experience to be incredibly simple and optimize that find-fix-verify aha moment. And once again, be frictionless and be insightful. >> Frictionless and insightful. Excellent. Talk to me about results, you mentioned results. We love talking about outcomes. When a customer goes through the PoC, PoV that you talked about, what are some of the results that they see that hook them? >> Yeah, the biggest thing is, what attackers do today is they will find a low from machine one plus a low from machine two equals compromised domain. What they're doing is they're chaining together issues across multiple parts of your system or your organization to opone your environment. What attackers don't do is find a critical vulnerability and exploit that single machine. It's always a chain, always multiple steps in the attack. And so the entire product and experience in, actually, our underlying tech is around attack paths. Here is the path, the attack path an attacker could have taken. That node zero our product took. Here is the proof of exploitation for every step along the way. So you know this isn't a false positive. In fact, you can copy and paste the attacker command from the product and rerun it yourself and see it for yourself. And then here is exactly what you have to go fix and why it's important to fix. So that path, proof, impact, and fix action is what the entire experience is focused on. And that is the results doing the talking, because remember, these folks are already overwhelmed, they're dealing with a lot of false positives. And if you tell them you've got another critical to fix, their immediate reaction is "Nope, I don't believe you. This is a false positive. I've seen this plenty of times, that's not important." So you have to, in your product experience and sales process and adoption process, immediately cut through that defensive or that reflex. And it's path, proof, impact. Here's exactly what you fix, here are the exact steps to fix it, and then you're off to the races. What I learned at Splunk was, you win hearts and minds of your users through amazing experience, product experience, amazing documentation. >> Yes. >> And a vibrant community of champions. Those are the three ingredients of success, and we've really made that the core of the product. So we win on our documentation, we win on the product experience, and we've cultivated pretty awesome community. >> Talk to me about some of those champions. Is there a customer story that you think really articulates the value of node zero and what it is that you are doing? >> Yeah, I'll tell you a couple. Actually, I just gave this talk at Black Hat on war stories from running 10,000 pen tests. And I'll try to be gentle on the vendors that were involved here, but the reality is, you got to be honest and authentic. So a customer, a healthcare organization ran a pen test and they were using a very well-known managed security services provider as their security operations team. And so they initiate the pen test and they wanted to audit their response time of their MSSP. So they run the pen test and we're in and out. The whole pen test runs two hours or less. And in those two hours, the pen test compromises the domain, gets access to a bunch of sensitive data, laterally maneuvers, rips the entire environment apart. It took seven hours for the MSSP to send an email notification to the IT director that said, "Hey, we think something suspicious is going on." >> Wow. >> Seven hours! >> That's a long time. >> We were in and out in two, seven hours for notification. And the issue with that healthcare company was, they thought they had hired the right MSSP, but they had no way to audit their performance. And so we gave them the details and the ammunition to get services credits to hold them accountable and also have a conversation of switching to somebody else. >> Accountability is key, especially when we're talking about the threat landscape and how it's evolving day to day. >> That's exactly right. Accountability of your suppliers or your security vendors, accountability of your people and your processes, and not having to wait for the bad guys to show up to test your posture. That's what's really important. Another story that's interesting. This customer did everything right. It was a banking customer, large environment, and they had Fortinet installed as their EDR type platform. And they initiate us as a pen test and we're able to get code execution on one of their machines. And from there, laterally maneuver to become a domain administrator, which in security is a really big deal. So they came back and said, "This is absolutely not possible. Fortinet should have stopped that from occurring." And it turned out, because we showed the path and the proof and the impact, Fortinet was misconfigured on three machines out of 5,000. And they had no idea. >> Wow. >> So it's one of those, you want to don't trust that your tools are working, don't trust your processes, verify them. Show me we're secure today. Show me we're secure tomorrow. And then show me again we're secure next week. Because my environment's constantly changing and the adversary always has a vote. >> Right, the constant change in flux is huge challenge for organizations, but those results clearly speak for themselves. You talked about speed in terms of time, how quickly can a customer deploy your technology, identify and remedy problems in their environment? >> Yeah, this find-fix-verify aha moment, if you will. So traditionally, a customer would have to maybe run one or two pen tests a year. And then they'd go off and fix things. They have no capacity to test them 'cause they don't have the internal attack expertise. So they'd wait for the next pen test and figure out that they were still exploitable. Usually, this year's pen test results look identical than last year's. That isn't sustainable. So our customers shift from running one or two pen tests a year to 40 pen tests a month. And they're in this constant loop of finding, fixing, and verifying all of the weaknesses in their infrastructure. Remember, there's infrastructure pen testing, which is what we are really good at, and then there's application level pen testing that humans are much better at solving. >> Okay. >> So we focus on the infrastructure side, especially at scale. But can you imagine, 40 pen tests a month, they run from the perimeter, the inside from a specific subnet, from work from home machines, from the cloud. And they're running these pen tests from many different perspectives to understand what does the attacker see from each of these locations in their organization and how do they systemically fix those issues? And what they look at is, how many critical problems were found, how quickly were they fixed, how often do they reoccur. And that third metric is important because you might fix something, but if it shows up again next week because you've got bad automation, you're in a rat race. So you want to look at that reoccurrence rate also. >> The reoccurrence rate. What are you most excited about as, obviously, the threat landscape continues to evolve, but what are you most excited about for the company and what it is that you're able to help organizations across industries achieve in such tumultuous times? >> Yeah. One of the coolest things is, because I was a customer for many of these products, I despised threat intelligence products. I despised them. Because there were basically generic blog posts. Maybe delivered as a data feed to my Splunk environment or something. But they're always really generic. Like, "You may have a problem here." And as a result, they weren't very actionable. So one of the really cool things that we do, it's just part of the product is this concept of flares, flares that we shoot up. And the idea is not to cause angst or anxiety or panic, but rather we look at threat intelligence and then because all of the insights we have from your pen test results, we connect those two together and say, "Your VMware Horizon instance at this IP is exploitable. You need to fix it as fast as possible, or is very likely to be exploited. And here is the threat intelligence and in the news from CSAI and elsewhere that shows why it's important." So I think what is really cool is we're able to take together threat intelligence out in the wild combined with very precise understanding of your environment to give you very accurate and actionable starting points for what you need to go fix or test or verify. And when we do that, what we see is almost like, imagine this ball bouncing, that is the first drop of the ball, and then that drives the first major pen test. And then they'll run all these subsequent pen tests to continue to find and fix and verify. And so what we see is this tremendous amount of excitement from customers that we're actually giving them accurate, detailed information to take advantage of, and we're not causing panic and we're not causing alert and fatigue as a result. >> That's incredibly important in this type of environment. Last question for you. If autonomous pen testing is obviously critical and has tremendous amount of potential for organizations, but it's only part of the equation. What's the larger vision? >> Yeah, we are not a pen testing company and that's something we decided upfront. Pen testing is a sensor. It collects and understands a tremendous amount of data for your attack surface. So the natural next thing is to analyze the pen test results over time to start to give you a more accurate understanding of your governance, risk, and compliance posture. So now what happens is, we are able to allow customers to go run 40 pen tests a month. And that kind of becomes the initial land or flagship product. But then from there, we're able to upsell or increase value to our customers and start to compete and take out companies like Security Scorecard or RiskIQ and other companies like that, where there tended to be, I was a user of all those tools, a lot of garbage in, garbage out. Where you can't fill out a spreadsheet and get an accurate understanding of your risk posture. You need to look at your detailed pen test results over time and use that to accurately understand what are your hotspots, what's your recurrence rate and so on. And being able to tell that story to your auditors, to your regulators, to the board. And actually, it gives you a much more accurate way to show return on investment of your security spend also. >> Which is huge. So where can customers and those that are interested go to learn more? >> So horizonthree.ai is the website. That's a great starting point. We tend to very much rely on social channels, so LinkedIn in particular, to really get our stories out there. So finding us on LinkedIn is probably the next best thing to go do. And we're always at the major trade shows and events also. >> Excellent. Snehal, it's been a pleasure talking to you about Horizon3, what it is that you guys are doing, why, and the greater vision. We appreciate your insights and your time. >> Thank you, likewise. >> All right. For my guest, I'm Lisa Martin. We want to thank you for watching the AWS Startup Showcase. We'll see you next time. (gentle music)

>>Hey everyone. Welcome to the Cube's presentation of the AWS startup showcase. Season two, episode four, I'm your host. Lisa Martin. This topic is cybersecurity detect and protect against threats. Very excited to welcome a Cub alumni back to the program. SNA hall, autonomy, the co-founder and CEO of horizon three joins me SNA hall. It's great to have you back in the studio. >>Likewise, thanks for the invite. >>Tell us a little bit about horizon three. What is it that you guys do you we're founded in 2019? Got a really interesting group of folks with interesting backgrounds, but talk to the audience about what it is that you guys are aiming to do. >>Sure. So maybe back to the problem we were trying to solve. So my background, I was a engineer by trade. I was a CIO at G capital CTO at Splunk and helped, helped grows scale that company and then took a break from industry to serve within the department of defense. And in every one of my jobs where I had cyber security in my responsibility, I suffered from the same problem. I had no idea I was secure or that we were fixing the right vulnerabilities or logging the right data in Splunk or that our tools and processes and people worked together well until the bad guys had showed up. And by then it was too late. And what I wanted to do was proactively verify my security posture, make sure that my security tools were actually effective, that my people knew how to respond to a breach before the bad guys were there. And so this whole idea of continuously verifying my security posture through security testing and pen testing became a, a passion project of mine for over a decade. And I, through my time in the DOD found the right group of an early people that had offensive cyber experience that had defensive cyber experience that knew how to build and ship and, and deliver software at scale. And we came together at the end of 2019 to start horizon three. >>Talk to me about the current threat landscape. We've seen so much change in flux in the last couple of years globally. We've seen, you know, the threat actors are just getting more and more sophisticated as is the different types of attacks. What are you seeing kind of horizontally across the threat landscape? >>Yeah. The biggest thing is attackers don't have to hack in using zero days. Like you see in the movies. Often they're able to just log in with valid credentials that they've collected through some mechanism. As an example, if I wanted to compromise a large organization, say United airlines, one of the things that an attacker's gonna go off and do is go to LinkedIn and find all of the employees that work at United airlines. Now you've got, say 7,000 pilots of those pilots. You're gonna figure out quickly that their use varie and passwords or their use varie@leastarefirstnamelastinitialatunited.com. Cool. Now I have 7,000 potential logins and all it takes is one of them to reuse a compromise password for their corporate email. And now you've got an initial user in the system and most likely that initial user has local admin on their laptops. And from there, an attacker can dump credentials and find a path to becoming a domain administrator. >>And what happens oftentimes is security tools. Don't detect this because it looks like valid behavior in the organization. And this is pretty common. This idea of collecting information on an organization or a topic or target using open source intelligence, using a mix of credentialed spraying and kinda low priority or low severity exploitations or misconfigurations to get in. And then from there systematically dumping credentials, reusing those credentials and finding a path towards compromise and almost less than 2% of, of CVEs are actually used in exploits. Most of the time attackers chain together misconfigurations bad product defaults. And so really the threat landscape is attackers don't hack in. They log in and organizations have to focus on getting the basics right and fundamentals right first, before they layer on some magic, easy button that is some security AI tools hoping that that's gonna save their day. And that's what we found systemically across the board. >>So you're finding that across the board, probably pan industry, that, that a lot of companies need to go back to basics. We talk about that a lot when we're talking about security, why do you think that >>Is? I think it's because one, most organizations are barely treading water. When you look at the early rapid adopters of horizon threes, pen testing, product, autonomous pen testing, the early adopters tended to be teams where the it team and the security team were the same person and they were barely treading water. And the hardest part of my job as a CIO was deciding what not to fix because the bottleneck in the security processes, the actual capacity to fix problems. And so fiercely prioritizing issues becomes really important, but the, the tools and the processes don't focus on prioritizing what's exploitable, they prioritize, you know, by some arbitrary score from some arbitrary vulnerability scanner. And so we have as a fundamental breakdown of the small group of folks with the expertise to fix problems, tend to be the most overworked and tend to have the most noise to need to sift through. So they don't even have time to get to the basics. They're just barely treading water doing their day jobs. And they're often sacrificing their nights and weekends. All of us at horizon three were practitioners at one point in our career, we've all been called in on the weekend. So that's why, what we did was fiercely focus on helping customers and users fix problems that truly matter, and allowing them to quickly retack and verify that the problems were truly fixed. >>So when it comes to today's threat landscape, what is it that organizations across the board should really be focused on? >>I think systemically what we see are bad password or credential policies, least access, privileged management type processes, not being well implemented. The domain user tends to be the local admin on the box, no ability to understand what is a valid login versus a, a malicious login. Those are some of the basics that we see systemically. And if you layer that with, it's very easy to say misconfigure vCenter, or misconfigure a piece of Cisco gear, or you're not gonna be installing monitoring and OB observa security observability tools on that. HP integrated lights out server. And so on. What you'll find is that you've got people overworked that don't have the capacity to fix. You have the fundamentals or the basics, not, not well implemented. And you have a whole bunch of blind spots in your security posture, and defenders have to be right. Every time attackers only have to be right once. And so what we have is this asymmetric fight where attackers are very likely to get in. And we see this on the news all the time. >>So, and, and nobody of course wants to be the next headline. Right? Talk to me a little bit about autonomous pen testing as a service, what you guys are delivering and what makes it unique and different than other tools that have been out there as, as you're saying that clearly have >>Gaps. Yeah. So first and foremost was the approach we took in building our product. What we set up front was our primary users should be it administrators, network, engineers, and P. And that, that it intern who in three clicks should have the power of a 20 year pen testing expert. So the whole idea was empower and enable all of the fixers to find, fix in verify their security weaknesses continuously. That was the design goal. Most other security products are designed for security people, but we already know they're they're task saturated. They've got way too many tools under the belt. So first and foremost, we wanted to empower the fixers to fix problems. That truly matter, the second part was we wanted to do that without having to install credentialed agents all over the place or writing your own custom attack scripts, or having to do a bunch of configurations and make sure that it's safe to run against production systems so that you could, you could test your entire attack surface your on-prem, your cloud, your external perimeter. >>And this is where AWS comes in to be very important, especially hybrid customers where you've got a portion of your infrastructure on AWS, a portion on-prem and you use horizon three to be able to attack your complete attack surface. So we can start on Preem and we will find, say the AWS credentials file that was mistakenly saved on a, a share drive, and then reuse that to become admin in the cloud. AWS didn't do anything wrong. The cloud team didn't do anything wrong. A developer happened to share a password or save a password file locally. That's how attackers get in. So we can start from on-prem and show how we can compromise the cloud, start from the cloud and, and, and show how we can compromise. On-prem start from the outside and break in. And we're able to show that complete attack surface at scale for hybrid customers. >>So showing that complete attack surface sort of from the eyes of the attacker, >>That's exactly right, because while blue teams or the defenders have a very specific view of their environment, you have to look at yourself through the eyes of the attacker to understand what are your blind spots? What do do they see that you don't see? And it's actually a discipline that is well entrenched within military culture. And that's also important for us as the company. We're about a third of horizon, three served in us special operations or the intelligence community with the United States, and then do OD writ large. And a lot of that red team mindset view yourself through the eyes of the attacker and this idea of training. Like you fight in building muscle memories. So you know how to react to the real incident when it occurs is just ingrained in how we operate. And we disseminate that culture through all of our customers as well. >>And, and at this point in time, it's, every business needs to assume an attacker's gonna get in >>That's right. There are way too many doors and windows in the organization. Attackers are going to get in, whether it's a single customer that reused their Netflix password for their corporate email, a patch that didn't get applied properly, or a new zero day that just gets published a piece of Cisco software that was misconfigured, you know, not by anything more than it's easy to misconfigure. These complex pieces of technology attackers are going to get in. And what we want to understand as customers is once they're in, what could they do? Could they get to my crown Jewel's data and systems? Could they borrow and prepare for a much more complicated attack down the road? If you assume breach, now you wanna understand what can they get to, how quickly can you detect that breach and what are your ways to stifle their ability to achieve their objectives. And culturally, we would need a shift from talking about how secure I am to how defensible are we. Security is kind of a state, a point in time, state of your organization, defense ability is how quickly you can adapt to the attacker to stifle their ability to achieve their objective >>As things are changing >>Constantly. That's exactly right. >>Yeah. Talk to me about a typical customer engagement. If there's, you mentioned folks treading water, obviously there's the huge cybersecurity skills gap that we've been talking about for a long time. Now that's another factor there, but when you're in customer conversations, who were you talking to? What typically are, what are they coming to you for help? >>Yeah. One big thing is you're not gonna win and, and win a customer by taking 'em out to steak dinners. Not anymore. The way we focus on, on our go to market and our sales motion is cultivating champions. At the end of the proof of concept, our internal measure of successes is that person willing to get a horizon three tattoo. And you do that, not through state dinners, not through cool swag, not through marketing, but by letting your results do the talking. Now, part of those results should not require professional services or consulting it. The whole experience should be self-service frictionless and insightful. And that really is how we've designed the product and designed the entire sales motion. So a prospect will learn or discover about us, whether it's through LinkedIn, through social, through the website, but often because one of their friends or colleagues heard about us saw our result and is advocating on our behalf. >>When we're not in the room from there, they're gonna be able to self-service just log to our product through their LinkedIn ID, their Google ID. They can engage with a salesperson if they want to, they can run a pen test right there on the spot against their home, without any interaction with a sales rep, let those results do the talking, use that as a starting point to engage in a, in a more complicated proof of value. And the whole idea is we don't charge for these. We let our results do the talking. And at the end, after they've run us to find problems they've gone off and fixed those issues. And they've rerun us to verify that what they've fixed was properly fixed, then they're hooked. And we have a hundred percent technical win rate with our prospects when they hit that fine fix verify cycle, which is awesome. And then we get the tattoo for them, at least give them the template. And then we're off to the races >>That it sounds like you're making the process more simple. There's so much complexity behind it, but allowing users to be able to actually test it out themselves in a, in a simplified way is huge. Allowing them to really focus on becoming defensible. >>That's exactly right. And you know, the value is we're all, especially now in security, there's so much hype and so much noise. There's a lot more time being spent, self discovering and researching technologies before you engage in a commercial discussion. And so what we try to do is optimize that entire buying experience around enabling people to discover and research and learn the other part, right. Remember is offensive cyber and ethical hacking. And so on is very mysterious and magical to most defenders. It's such a complicated topic with many nuance tools that they don't have the time to understand or learn. And so if you surface the complexity of all those attacker tools, you're gonna overwhelm a person that is already overwhelmed. So we needed the, the experience to be incredibly simple and, and optimize that fine fix verify aha moment. And once again, be frictionless and be insightful, >>Frictionless and insightful. Excellent. Talk to me about results. You mentioned results. We, we love talking about outcomes. When a customer goes through the, the POC POB that you talked about, what are some of the results that they see that hook them? >>Yeah. The biggest thing is what attackers do today is they will find a low from machine one, plus a low from machine two equals compromised domain. What they're doing is they're chaining together issues across multiple parts of your system or your organization to hone your environment. What attackers don't do is find a critical vulnerability and exploit that single machine it's always a chain is always, always multiple steps in the attack. And so the entire product and experience in actually our underlying tech is around attack pads. Here is the path, the attack path an attacker could have taken. You know, that node zero, our product took here is the proof of exploitation for every step along the way. So, you know, this isn't a false positive, in fact, you can copy and paste the attacker command from the product and rerun it yourself and see it for yourself. >>And then here is exactly what you have to go fix and why it's important to fix. So that path proof impact and fix action is what the entire experience is focused on. And that is the results doing the talking, because remember, these folks are already overwhelmed. They're dealing with a lot of false positives. And if you tell them you've got another critical to fix their immediate reaction is Nope. I don't believe you. This is a false positive. I've seen this plenty of times. That's not important. So you have to in your product experience in sales process and adoption process immediately cut through that defensive or that reflex and its path proof impact. Here's exactly what you fix here are the exact steps to fix it. And then you're off to the races. What I learned at Splunk was you win hearts and minds of your users through amazing experience, product experience, amazing documentation, yes, and a vibrant community of champions. Those are the three ingredients of success, and we've really made that the core of the product. So we win on our documentation. We win on the product experience and we've cultivated pretty awesome community. >>Talk to me about some of those champions. Is there a customer story that you think really articulates the value of no zero and what it is that, that you are doing? Yeah. >>I'll tell you a couple. Actually, I just gave this talk at black hat on war stories from running 10,000 pen tests. And I'll try to be gentle on the vendors that were involved here, but the reality is you gotta be honest and authentic. So a customer, a healthcare organization ran a pen test and they were using a very well known, managed security services provider as their, as their security operations team. And so they initiate the pen test and they were, they wanted to audit their response time of their MSSP. So they run the pen test and we're in and out. The whole pen test runs two hours or less. And in those two hours, the pen test compromises, the domain gets access to a bunch of sensitive data. Laterally, maneuvers rips the entire entire environment apart. It took seven hours for the MSSP to send an email notification to the it director that said, Hey, we think something's suspicious is wow. Seven hours. That's >>A long time >>We were in and out in two, seven hours for notification. And the issue with that healthcare company was they thought they had hired the right MSSP, but they had no way to audit their performance. And so we gave them the, the details and the ammunition to get services credits to hold them accountable and also have a conversation of switching to somebody else. >>That accountability is key, especially when we're talking about the, the threat landscape and how it's evolving day to day. That's >>Exactly right. Accountability of your suppliers or, or your security vendors, accountability of your people and your processes, and not having to wait for the bad guys to show up, to test your posture. That's, what's really important. Another story is interesting. This customer did everything right. It was a banking customer, large environment, and they had Ford net installed as their, as their EDR type platform. And they, they initiate us as a pen test and we're able to get code execution on one of their machines. And from there laterally maneuver to become a domain administrator, which insecurity is a really big deal. So they came back and said, this is absolutely not possible. Ford net should have stopped that from occurring. And it turned out because we showed the path and the proof and the impact Forder net was misconfigured on three machines out of 5,000. And they had no idea. Wow. So it's one of those you wanna don't trust that your tools are working. Don't trust your processes. Verify them, show me we're secure today. Show me we're secured tomorrow. And then show me again, we're secure next week, because my environment's constantly changing. And the, and the adversary always has a vote, >>Right? The, the constant change in flux is, is huge challenge for organizations, but those results clearly speak for themselves. You, you talked about the speed in terms of time, how quickly can a customer deploy your technology, identify and remedy problems in their environment. >>Yeah. You know, this fine fix verify aha moment. If you will. So traditionally a customer would have to maybe run one or two pen tests a year and then they'd go off and fix things. They have no capacity to test them cuz they don't have the internal attack expertise. So they'd wait for the next pen test and figure out that they were still exploitable. Usually this year's pen test results look identical the last years that isn't sustainable. So our customers shift from running one or two pen tests a year to 40 pen tests a month. And they're in this constant loop of finding, fixing and verifying all of the weaknesses in their infrastructure. Remember there's infrastructure, pen testing, which is what we are really good at. And then there's application level pen testing that humans are much better at solving. Okay. So we focus on the infrastructure side, especially at scale, but can you imagine so 40 pen tests a month, they run from the perimeter, the inside from a specific subnet from work from home machines, from the cloud. And they're running these pen tests from many different perspectives to understand what does the attacker see from each of these locations in their organization and how do they systemically fix those issues? And what they look at is how many critical problems were found, how quickly were they fixed? How often do they reoccur? And that third metric is important because you might fix something. But if it shows up again next week, because you've got bad automation, you're not gonna you're in a rat race. So you wanna look at that reoccurrence rate also >>The recurrence rate. What are you most excited about as obviously the threat landscape continues to evolve, but what are you most excited about for the company and what it is that you're able to help organizations across industries achieve in such tumultuous times? Yeah. You >>Know, one of the coolest things is back because I was a customer for many of these products, I, I despised threat intelligence products. I despised them because they were basically generic blog posts maybe delivered as a, as a, as a data feed to my Splunk environment or something. But they're always really generic. Like you may have a problem here. And as a result, they weren't very actionable. So one of the really cool things that we do, it's just part of the product is this concept of, of flares flares that we shoot up. And the idea is not to be, to cause angst or anxiety or panic, but rather we look at threat intelligence and then because all, all the insights we have from your pen test results, we connect those two together and say your VMware horizon instance at this IP is exploitable. You need to fix it as fast as possible or as very likely to be exploited. >>And here is the threat intelligence and in the news from CSUN elsewhere, that shows why it's important. So I think what is really cool is we're able to take together threat intelligence out in the wild combined with very precise understanding of your environment, to give you very accurate and actionable starting points for what you need to go fix or test or verify. And when we do that, what we see is almost like, imagine this ball bouncing, that is the first drop of the ball. And then that drives the first major pen test. And then they'll run all these subsequent pen tests to continue to find and fix and verify. And so what we see is this tremendous amount of AC excitement from customers that we're actually giving them accurate, detailed information to take advantage of, and we're not causing panic and we're not causing alert, fatigue as a result. >>That's incredibly important in this type of environment. Last question for you. If, if autonomous pen testing is obviously critical and has tremendous amount of potential for organizations, but it's not, it's only part of the equation. What's the larger vision. >>Yeah. You know, we are not a pen testing company and that's something we decided upfront. Pen testing is a sensor. It collects and understands a tremendous amount of data for your attack surface. So the natural next thing is to analyze the pen test results over time, to start to give you a more accurate understanding of your governance risk and compliance posture. So now what happens is we are able to allow customers to go run 40 pen tests a month. And that kind of becomes the, the initial land or flagship product. But then from there we're able to upsell or increase value to our customers and start to compete and take out companies like security scorecard or risk IQ and other companies like that, where there tended to be. I was a user of all those tools, a lot of garbage in garbage out, okay, where you can't fill out a spreadsheet and get an accurate understanding of your risk posture. You need to look at your detailed pen, test results over time and use that to accurately understand what are your hotspots, what's your recurrence rate and so on. And being able to tell that story to your auditors, to your regulators, to the board. And actually it gives you a much more accurate way to show return on investment of your security spend also, which >>Is huge. So where can customers and, and those that are interested go to learn more. >>So horizon three.ai is the website. That's a great starting point. We tend to very much rely on social channels. So LinkedIn in particular to really get our stories out there. So finding us on LinkedIn is probably the next best thing to go do. And we're always at the major trade shows and events also. >>Excellent SNA. It's been a pleasure talking to you about horizon three. What it is that you guys are doing, why and the greater vision we appreciate your insights and your time. >>Thank you, likewise. >>All right. For my guest. I'm Lisa Martin. We wanna thank you for watching the AWS startup showcase. We'll see you next time.

(gentle music) (upbeat music) (crowd chattering) >> Welcome back to The City That Never Sleeps. Lisa Martin and John Furrier in New York City for AWS Summit '22 with about 10 to 12,000 of our friends. And we've got two more friends joining us here today. We're going to be talking with Haseeb Budhani, one of our alumni, co-founder and CEO of Rafay Systems, and Kevin Coleman, senior manager for Go-to Market for EKS at AWS. Guys, thank you so much for joining us today. >> Thank you very much for having us. Excited to be here. >> Isn't it great to be back at an in-person event with 10, 12,000 people? >> Yes. There are a lot of people here. This is packed. >> A lot of energy here. So, Haseeb, we've got to start with you. Your T-shirt says it all. Don't hate k8s. (Kevin giggles) Talk to us about some of the trends, from a Kubernetes perspective, that you're seeing, and then Kevin will give your follow-up. >> Yeah. >> Yeah, absolutely. So, I think the biggest trend I'm seeing on the enterprise side is that enterprises are forming platform organizations to make Kubernetes a practice across the enterprise. So it used to be that a BU would say, "I need Kubernetes. I have some DevOps engineers, let me just do this myself." And the next one would do the same, and then next one would do the same. And that's not practical, long term, for an enterprise. And this is now becoming a consolidated effort, which is, I think it's great. It speaks to the power of Kubernetes, because it's becoming so important to the enterprise. But that also puts a pressure because what the platform team has to solve for now is they have to find this fine line between automation and governance, right? I mean, the developers, you know, they don't really care about governance. Just give me stuff, I need to compute, I'm going to go. But then the platform organization has to think about, how is this going to play for the enterprise across the board? So that combination of automation and governance is where we are finding, frankly, a lot of success in making enterprise platform team successful. I think, that's a really new thing to me. It's something that's changed in the last six months, I would say, in the industry. I don't know if, Kevin, if you agree with that or not, but that's what I'm seeing. >> Yeah, definitely agree with that. We see a ton of customers in EKS who are building these new platforms using Kubernetes. The term that we hear a lot of customers use is standardization. So they've got various ways that they're deploying applications, whether it's on-prem or in the cloud and region. And they're really trying to standardize the way they deploy applications. And Kubernetes is really that compute substrate that they're standardizing on. >> Kevin, talk about the relationship with Rafay Systems that you have and why you're here together. And two, second part of that question, why is EKS kicking ass so much? (Haseeb and Kevin laughing) All right, go ahead. First one, your relationship. Second one, EKS is doing pretty well. >> Yep, yep, yep. (Lisa laughing) So yeah, we work closely with Rafay, Rafay, excuse me. A lot of joint customer wins with Haseeb and Co, so they're doing great work with EKS customers and, yeah, love the partnership there. In terms of why EKS is doing so well, a number of reasons, I think. Number one, EKS is vanilla, upstream, open-source Kubernetes. So customers want to use that open-source technology, that open-source Kubernetes, and they come to AWS to get it in a managed offering, right? Kubernetes isn't the easiest thing to self-manage. And so customers, you know, back before EKS launched, they were banging down the door at AWS for us to have a managed Kubernetes offering. And, you know, we launched EKS and there's been a ton of customer adoption since then. >> You know, Lisa, when we, theCUBE 12 years, now everyone knows we started in 2010, we used to cover a show called OpenStack. >> I remember that. >> OpenStack Summit. >> What's that now? >> And at the time, at that time, Kubernetes wasn't there. So theCUBE was present at creation. We've been to every KubeCon ever, CNCF then took it over. So we've been watching it from the beginning. >> Right. And it reminds me of the same trend we saw with MapReduce and Hadoop. Very big promise, everyone loved it, but it was hard, very difficult. And Hadoop's case, big data, it ended up becoming a data lake. Now you got Spark, or Snowflake, and Databricks, and Redshift. Here, Kubernetes has not yet been taken over. But, instead, it's being abstracted away and or managed services are emerging. 'Cause general enterprises can't hire enough Kubernetes people. >> Yep. >> They're not that many out there yet. So there's the training issue. But there's been the rise of managed services. >> Yep. >> Can you guys comment on what your thoughts are relative to that trend of hard to use, abstracting away the complexity, and, specifically, the managed services? >> Yeah, absolutely. You want to go? >> Yeah, absolutely. I think, look, it's important to not kid ourselves. It is hard. (Johns laughs) But that doesn't mean it's not practical, right. When Kubernetes is done well, it's a thing of beauty. I mean, we have enough customer to scale, like, you know, it's like a, forget a hockey stick, it's a straight line up, because they just are moving so fast when they have the right platform in place. I think that the mistake that many of us make, and I've made this mistake when we started this company, was trivializing the platform aspect of Kubernetes, right. And a lot of my customers, you know, when they start, they kind of feel like, well, this is not that hard. I can bring this up and running. I just need two people. It'll be fine. And it's hard to hire, but then, I need two, then I need two more, then I need two, it's a lot, right. I think, the one thing I keep telling, like, when I talk to analysts, I say, "Look, somebody needs to write a book that says, 'Yes, it's hard, but, yes, it can be done, and here's how.'" Let's just be open about what it takes to get there, right. And, I mean, you mentioned OpenStack. I think the beauty of Kubernetes is that because it's such an open system, right, even with the managed offering, companies like Rafay can build really productive businesses on top of this Kubernetes platform because it's an open system. I think that is something that was not true with OpenStack. I've spent time with OpenStack also, I remember how it is. >> Well, Amazon had a lot to do with stalling the momentum of OpenStack, but your point about difficulty. Hadoop was always difficult to maintain and hiring against. There were no managed services and no one yet saw that value of big data yet. Here at Kubernetes, people are living a problem called, I'm scaling up. >> Yep. And so it sounds like it's a foundational challenge. The ongoing stuff sounds easier or manageable. >> Once you have the right tooling. >> Is that true? >> Yeah, no, I mean, once you have the right tooling, it's great. I think, look, I mean, you and I have talked about this before, I mean, the thesis behind Rafay is that, you know, there's like 8, 12 things that need to be done right for Kubernetes to work well, right. And my whole thesis was, I don't want my customer to buy 10, 12, 15 products. I want them to buy one platform, right. And I truly believe that, in our market, similar to what vCenter, like what VMware's vCenter did for VMs, I want to do that for Kubernetes, right. And that the reason why I say that is because, see, vCenter is not about hypervisors, right? vCenter is about hypervisor, access, networking, storage, all of the things, like multitenancy, all the things that you need to run an enterprise-grade VM environment. What is that equivalent for the Kubernetes world, right? So what we are doing at Rafay is truly building a vCenter, but for Kubernetes, like a kCenter. I've tried getting the domain. I couldn't get it. (Kevin laughs) >> Well, after the Broadcom view, you don't know what's going to happen. >> Ehh. (John laughs) >> I won't go there! >> Yeah. Yeah, let's not go there today. >> Kevin, EKS, I've heard people say to me, "Love EKS. Just add serverless, that's a home run." There's been a relationship with EKS and some of the other Amazon tools. Can you comment on what you're seeing as the most popular interactions among the services at AWS? >> Yeah, and was your comment there, add serverless? >> Add serverless with AKS at the edge- >> Yeah. >> and things are kind of interesting. >> I mean, so, one of the serverless offerings we have today is actually Fargate. So you can use Fargate, which is our serverless compute offering, or one of our serverless compute offerings with EKS. And so customers love that. Effectively, they get the beauty of EKS and the Kubernetes API but they don't have to manage nodes. So that's, you know, a good amount of adoption with Fargate as well. But then, we also have other ways that they can manage their nodes. We have managed node groups as well, in addition to self-managed nodes also. So there's a variety of options that customers can use from a compute perspective with EKS. And you'll continue to see us evolve the portfolio as well. >> Can you share, Haseeb, can you share a customer example, a joint customer example that you think really articulates the value of what Rafay and AWS are doing together? >> Yeah, absolutely. In fact, we announced a customer very recently on this very show, which is MoneyGram, which is a joint AWS and Rafay customer. Look, we have enough, you know, the thing about these massive customers is that, you know, not everybody's going to give us their logo to use. >> Right. >> But MoneyGram has been a Rafay plus EKS customer for a very, very long time. You know, at this point, I think we've earned their trust, and they've allowed us to, kind of say this publicly. But there's enough of these financial services companies who have, you know, standardized on EKS. So it's EKS first, Rafay second, right. They standardized on EKS. And then they looked around and said, "Who can help me platform EKS across my enterprise?" And we've been very lucky. We have some very large financial services, some very large healthcare companies now, who, A, EKS, B, Rafay. I'm not just saying that because my friend Kevin's here, (Lisa laughs) it's actually true. Look, EKS is a brilliant platform. It scales so well, right. I mean, people try it out, relative to other platforms, and it's just a no-brainer, it just scales. You want to build a big enterprise on the backs of a Kubernetes platform. And I'm not saying that's because I'm biased. Like EKS is really, really good. There's a reason why so many companies are choosing it over many other options in the market. >> You're doing a great job of articulating why the theme (Kevin laughs) of the New York City Summit is scale anything. >> Oh, yeah. >> There you go. >> Oh, yeah. >> I did not even know that but I'm speaking the language, right? >> You are. (John laughs) >> Yeah, absolutely. >> One of the things that we're seeing, also, I want to get your thoughts on, guys, is the app modernization trend, right? >> Yep. >> Because unlike other standards that were hard, that didn't have any benefit downstream 'cause they were too hard to get to, here, Kubernetes is feeding into real app for app developer pressure. They got to get cloud-native apps out. It's fairly new in the mainstream enterprise and a lot of hyperscalers have experience. So I'm going to ask you guys, what is the key thing that you're enabling with Kubernetes in the cloud-native apps? What is the key value? >> Yeah. >> I think, there's a bifurcation happening in the market. One is the Kubernetes Engine market, which is like EKS, AKS, GKE, right. And then there's the, you know, what, back in the day, we used to call operations and management, right. So the OAM layer for Kubernetes is where there's need, right. People are learning, right. Because, as you said before, the skill isn't there, you know, there's not enough talent available to the market. And that's the opportunity we're seeing. Because to solve for the standardization, the governance, and automation that we talked about earlier, you know, you have to solve for, okay, how do I manage my network? How do I manage my service mesh? How do I do chargebacks? What's my, you know, policy around actual Kubernetes policies? What's my blueprinting strategy? How do I do add-on management? How do I do pipelines for updates of add-ons? How do I upgrade my clusters? And we're not done yet, there's a longer list, right? This is a lot, right? >> Yeah. >> And this is what happens, right. It's just a lot. And really, the companies who understand that plethora of problems that need to be solved and build easy-to-use solutions that enterprises can consume with the right governance automation, I think they're going to be very, very successful here. >> Yeah. >> Because this is a train, right? I mean, this is happening whether, it's not us, it's happening, right? Enterprises are going to keep doing this. >> And open-source is a big driver in all of this. >> Absolutely. >> Absolutely. >> And I'll tag onto that. I mean, you talked about platform engineering earlier. Part of the point of building these platforms on top of Kubernetes is giving developers an easier way to get applications into the cloud. So building unique developer experiences that really make it easy for you, as a software developer, to take the code from your laptop, get it out of production as quickly as possible. The question is- >> So is that what you mean, does that tie your point earlier about that vertical, straight-up value once you've set up it, right? >> Yep. >> Because it's taking the burden off the developers for stopping their productivity. >> Absolutely. >> To go check in, is it configured properly? Is the supply chain software going to be there? Who's managing the services? Who's orchestrating the nodes? >> Yep. >> Is that automated, is that where you guys see the value? >> That's a lot of what we see, yeah. In terms of how these companies are building these platforms, is taking all the component pieces that Haseeb was talking about and really putting it into a cohesive whole. And then, you, as a software developer, you don't have to worry about configuring all of those things. You don't have to worry about security policy, governance, how your app is going to be exposed to the internet. >> It sounds like infrastructure is code. >> (laughs) Yeah. >> Come on, like. >> (laughs) Infrastructure's code is a big piece of it, for sure, for sure. >> Yeah, look, infrastructure's code actually- >> Infrastructure's sec is code too, the security. >> Yeah. >> Huge. >> Well, it all goes together. Like, we talk about developer self-service, right? The way we enable developer self-service is by teaching developers, here's a snippet of code that you write and you check it in and your infrastructure will just magically be created. >> Yep. >> But not automatically. It's going to go through a check, like a check through the platform team. These are the workflows that if you get them right, developers don't care, right. All developers want is I want to compute. But then all these 20 things need to happen in the back. That's what, if you nail it, right, I mean, I keep trying to kind of pitch the company, I don't want to do that today. But if you nail that, >> I'll give you a plug at the end. >> you have a good story. >> But I got to, I just have a tangent question 'cause you reminded me. There's two types of developers that have emerged, right. You have the software developer that wants infrastructures code. I just want to write my code, I don't want to stop. I want to build in shift-left for security, shift-right for data. All that's in there. >> Right. >> I'm coding away, I love coding. Then you've got the under-the-hood person. >> Yes. >> I've been to the engines. >> Certainly. >> So that's more of an SRE, data engineer, I'm wiring services together. >> Yeah. >> A lot of people are like, they don't know who they are yet. They're in college or they're transforming from an IT job. They're trying to figure out who they are. So question is, how do you tell a person that's watching, like, who am I? Like, should I be just coding? But I love the tech. Would you guys have any advice there? >> You know, I don't know if I have any guidance in terms of telling people who they are. (all laughing) I mean, I think about it in terms of a spectrum and this is what we hear from customers, is some customers want to shift as much responsibility onto the software teams to manage their infrastructure as well. And then some want to shift it all the way over to the very centralized model. And, you know, we see everything in between as well with our EKS customer base. But, yeah, I'm not sure if I have any direct guidance for people. >> Let's see, any wisdom? >> Aside from experiment. >> If you're coding more, you're a coder. If you like to play with the hardware, >> Yeah. >> or the gears. >> Look, I think it's really important for managers to understand that developers, yes, they have a job, you have to write code, right. But they also want to learn new things. It's only fair, right. >> Oh, yeah. >> So what we see is, developers want to learn. And we enable for them to understand Kubernetes in small pieces, like small steps, right. And that is really, really important because if we completely abstract things away, like Kubernetes, from them, it's not good for them, right. It's good for their careers also, right. It's good for them to learn these things. This is going to be with us for the next 15, 20 years. Everybody should learn it. But I want to learn it because I want to learn, not because this is part of my job, and that's the distinction, right. I don't want this to become my job because I want, I want to write my code. >> Do what you love. If you're more attracted to understanding how automation works, and robotics, or making things scale, you might be under-the-hood. >> Yeah. >> Yeah, look under the hood all day long. But then, in terms of, like, who keeps the lights on for the cluster, for example. >> All right, see- >> That's the job. >> He makes a lot of value. Now you know who you are. Ask these guys. (Lisa laughing) Congratulations on your success on EKS 2. >> Yeah, thank you. >> Quick, give a plug for the company. I know you guys are growing. I want to give you a minute to share to the audience a plug that's going to be, what are you guys doing? You're hiring? How many employees? Funding? Customer new wins? Take a minute to give a plug. >> Absolutely. And look, I come see, John, I think, every show you guys are doing a summit or a KubeCon, I'm here. (John laughing) And every time we come, we talk about new customers. Look, platform teams at enterprises seem to love Rafay because it helps them build that, well, Kubernetes platform that we've talked about on the show today. I think, many large enterprises on the financial service side, healthcare side, digital native side seem to have recognized that running Kubernetes at scale, or even starting with Kubernetes in the early days, getting it right with the right standards, that takes time, that takes effort. And that's where Rafay is a great partner. We provide a great SaaS offering, which you can have up and running very, very quickly. Of course, we love EKS. We work with our friends at AWS. But also works with Azure, we have enough customers in Azure. It also runs in Google. We have enough customers at Google. And it runs on-premises with OpenShift or with EKS A, right, whichever option you want to take. But in terms of that standardization and governance and automation for your developers to move fast, there's no better product in the market right now when it comes to Kubernetes platforms than Rafay. >> Kevin, while we're here, why don't you plug EKS too, come on. >> Yeah, absolutely, why not? (group laughing) So yes, of course. EKS is AWS's managed Kubernetes offering. It's the largest managed Kubernetes service in the world. We help customers who want to adopt Kubernetes and adopt it wherever they want to run Kubernetes, whether it's in region or whether it's on the edge with EKS A or running Kubernetes on Outposts and the evolving portfolio of EKS services as well. We see customers running extremely high-scale Kubernetes clusters, excuse me, and we're here to support them as well. So yeah, that's the managed Kubernetes offering. >> And I'll give the plug for theCUBE, we'll be at KubeCon in Detroit this year. (Lisa laughing) Lisa, look, we're giving a plug to everybody. Come on. >> We're plugging everybody. Well, as we get to plugs, I think, Haseeb, you have a book to write, I think, on Kubernetes. And I think you're wearing the title. >> Well, I do have a book to write, but I'm one of those people who does everything at the very end, so I will never get it right. (group laughing) So if you want to work on it with me, I have some great ideas. >> Ghostwriter. >> Sure! >> But I'm lazy. (Kevin chuckles) >> Ooh. >> So we got to figure something out. >> Somehow I doubt you're lazy. (group laughs) >> No entrepreneur's lazy, I know that. >> Right? >> You're being humble. >> He is. So Haseeb, Kevin, thank you so much for joining John and me today, >> Thank you. >> talking about what you guys are doing at Rafay with EKS, the power, why you shouldn't hate k8s. We appreciate your insights and your time. >> Thank you as well. >> Yeah, thank you very much for having us. >> Our pleasure. >> Thank you. >> We appreciate it. With John Furrier, I'm Lisa Martin. You're watching theCUBE live from New York City at the AWS NYC Summit. John and I will be right back with our next guest, so stick around. (upbeat music) (gentle music)

>> Announcer: "theCUBE" presents HPE Discover 2022. Brought to you by HPE. >> Welcome back to HPE Discover 2022. You're watching "theCUBE's" coverage. This is Day 2, Dave Vellante with John Furrier. Sheila Rohra is here. She's the Senior Vice President and GM of the Data Infrastructure Business at Hewlett Packard Enterprise, and of course, the storage division. And Omer Asad. Welcome back to "theCUBE", Omer. Senior Vice President and General Manager for Cloud Data Services, Hewlett Packard Enterprise storage. Guys, thanks for coming on. Good to see you. >> Thank you. Always a pleasure, man. >> Thank you. >> So Sheila, I'll start with you. Explain the difference. The Data Infrastructure Business and then Omer's Cloud Data Services. You first. >> Okay. So Data Infrastructure Business. So I'm responsible for the primary secondary storage. Basically, what you physically store, the data in a box, I actually own that. So I'm going to have Omer explain his business because he can explain it better than me. (laughing) Go ahead. >> So 100% right. So first, data infrastructure platforms, primary secondary storage. And then what I do from a cloud perspective is wrap up those things into offerings, block storage offerings, data protection offerings, and then put them on top of the GreenLake platform, which is the platform that Antonio and Fidelma talked about on main Keynote stage yesterday. That includes multi-tenancy, customer subscription management, sign on management, and then on top of that we build services. Services are cloud-like services, storage services or block service, data protection service, disaster recovery services. Those services are then launched on top of the platform. Some services like data protection services are software only. Some services are software plus hardware. And the hardware on the platform comes along from the primary storage business and we run the control plane for that block service on the GreenLake platform and that's the cloud service. >> So, I just want to clarify. So what we maybe used to know as 3PAR and Nimble and StoreOnce. Those are the products that you're responsible for? >> That is the primary storage part, right? And just to kind of show that, he and I, we do indeed work together. Right. So if you think about the 3PAR, the primary... Sorry, the Primera, the Alletras, the Nimble, right? All that, right? That's the technology that, you know, my team builds. And what Omer does with his magic is that he turns it into HPE GreenLake for storage, right? And to deliver as a service, right? And basically to create a self-service agility for the customer and also to get a very Cloud operational experience for them. >> So if I'm a customer, just so I get this right, if I'm a customer and I want Hybrid, that's what you're delivering as a Cloud service? >> Yes. >> And I don't care where the data is on-premises, in storage, or on Cloud. >> 100%. >> Is that right? >> So the way that would work is, as a customer, you would come along with the partner, because we're 100% partner-led. You'll come to the GreenLake Console. On the GreenLake Console, you will pick one of our services. Could be a data protection service, could be the block storage service. All services are hybrid in nature. Public Cloud is 100% participant in the ecosystem. You'll choose a service. Once you choose a service, you like the rate card for that service. That rate card is just like a hyperscaler rate card. IOPS, Commitment, MINCOMMIT's, whatever. Once you procure that at the price that you like with a partner, you buy the subscription. Then you go to console.greenLake.com, activate your subscription. Once the subscription is activated, if it's a service like block storage, which we talked about yesterday, service will be activated, and our supply chain will send you our platform gear, and that will get activated in your site. Two things, network cable, power cable, dial into the cloud, service gets activated, and you have a cloud control plane. The key difference to remember is that it is cloud-consumption model and cloud-operation model built in together. It is not your traditional as a service, which is just like hardware leasing. >> Yeah, yeah, yeah. >> That's a thing of the past. >> But this answers a question that I had, is how do you transfer or transform from a company that is, you know, selling boxes, of course, most of you are engineers are software engineers, I get that, to one that is selling services. And it sounds like the answer is you've organized, I know it's inside baseball here, but you organize so that you still have, you can build best of breed products and then you can package them into services. >> Omer: 100%. 100%. >> It's separate but complementary organization. >> So the simplest way to look at it would be, we have a platform side at the house that builds the persistence layers, the innovation, the file systems, the speeds and feeds, and then building on top of that, really, really resilient storage services. Then how the customer consumes those storage services, we've got tremendous feedback from our customers, is that the cloud-operational model has won. It's just a very, very simple way to operate it, right? So from a customer's perspective, we have completely abstracted away out hardware, which is in the back. It could be at their own data center, it could be at an MSP, or they could be using a public cloud region. But from an operational perspective, the customer gets a single pane of glass through our service console, whether they're operating stuff on-prem, or they're operating stuff in the public cloud. >> So they get storage no matter what? They want it in the cloud, they got it that way, and if they want it as a service, it just gets shipped. >> 100%. >> They plug it in and it auto configures. >> Omer: It's ready to go. >> That's right. And the key thing is simplicity. We want to take the headache away from our customers, we want our customers to focus on their business outcomes, and their projects, and we're simplifying it through analytics and through this unified cloud platform, right? On like how their data is managed, how they're stored, how they're secured, that's all taken care of in this operational model. >> Okay, so I have a question. So just now the edge, like take me through this. Say I'm a customer, okay I got the data saved on-premise action, cloud, love that. Great, sir. That's a value proposition. Come to HPE because we provide this easily. Yeah. But now at the edge, I want to deploy it out to some edge node. Could be a tower with Telecom, 5G or whatever, I want to box this out there, I want storage. What happens there? Just ship it out there and connects up? Does it work the same way? >> 100%. So from our infrastructure team, you'll consume one or two platforms. You'll consume either the Hyperconverged form factor, SimpliVity, or you might convert, the Converged form factor, which is proliant servers powered by Alletras. Alletra 6Ks. Either of those... But it's very different the way you would procure it. What you would procure from us is an edge service. That edge service will come configured with certain amount of compute, certain amount of storage, and a certain amount of data protection. Once you buy that on a dollars per gig per month basis, whichever rate card you prefer, storage rate card or a VMware rate card, that's all you buy. From that point on, the platform team automatically configures the back-end hardware from that attribute-based ordering and that is shipped out to your edge. Dial in the network cable, dial in the power cable, GreenLake cloud discovers it, and then you start running the- >> Self-service, configure it, it just shows up, plug it in, done. >> Omer: Self-service but partner-led. >> Yeah. >> Because we have preferred pricing for our partners. Our partners would come in, they will configure the subscriptions, and then we activate those customers, and then send out the hardware. So it's like a hyperscaler on-prem at-scale kind of a model. >> Yeah, I like it a lot. >> So you guys are in the data business. You run the data portion of Hewlett Packard Enterprise. I used to call it storage, even if we still call it storage but really, it's evolving into data. So what's your vision for the data business and your customer's data vision, if you will? How are you supporting that? >> Well, I want to kick it off, and then I'm going to have my friend, Omer, chime in. But the key thing is that what the first step is is that we have to create a unified platform, and in this case we're creating a unified cloud platform, right? Where there's a single pane of glass to manage all that data, right? And also leveraging lots of analytics and telemetry data that actually comes from our infosite, right? We use all that, we make it easy for the customer, and all they have to say, and they're basically given the answers to the test. "Hey, you know, you may want to increase your capacity. You may want to tweak your performance here." And all the customers are like, "Yes. No. Yes, no." Basically it, right? Accept and not accept, right? That's actually the easiest way. And again, as I said earlier, this frees up the bandwidth for the IT teams so then they actually focus more on the business side of the house, rather than figuring out how to actually manage every single step of the way of the data. >> Got it. >> So it's exactly what Sheila described, right? The way this strategy manifests itself across an operational roadmap for us is the ability to change from a storage vendor to a data services vendor, right? >> Sheila: Right. >> And then once we start monetizing these data services to our customers through the GreenLake platform, which gives us cloud consumption model and a cloud operational model, and then certain data services come with the platform layer, certain data services are software only. But all the services, all the data services that we provide are hybrid in nature, where we say, when you provision storage, you could provision it on-prem, or you can provision it in a hyperscaler environment. The challenge that most of our customers have come back and told us, is like, data center control planes are getting fragmented. On-premises, I mean there's no secrecy about it, right? VMware is the predominant hypervisor, and as a result of that, vCenter is the predominant configuration layer. Then there is the public cloud side, which is through either Ajour, or GCP, or AWS, being one of the largest ones out there. But when the customer is dealing with data assets, the persistence layer could be anywhere, it could be in AWS region, it could be your own data center, or it could be your MSP. But what this does is it creates an immense amount of fragmentation in the context in which the customers understand the data. Essentially, John, the customers are just trying to answer three questions: What is it that I store? How much of it do I store? Should I even be storing it in the first place? And surprisingly, those three questions just haven't been answered. And we've gotten more and more fragmented. So what we are trying to produce for our customers, is a context to ware data view, which allows the customer to understand structured and unstructured data, and the lineage of how it is stored in the organization. And essentially, the vision is around simplification and context to ware data management. One of the key things that makes that possible, is again, the age old infosite capability that we have continued to hone and develop over time, which is now up to the stage of like 12 trillion data points that are coming into the system that are not corroborated to give that back. >> And of course cost-optimizing it as well. We're up against the clock, but take us through the announcements, what's new from when we sort of last talked? I guess it was in September. >> Omer: Right. >> Right. What's new that's being announced here and, or, you know, GA? >> Right. So three major announcements that came out, because to keep on establishing the context when we were with you last time. So last time we announced GreenLake backup and recovery service. >> John: Right. >> That was VMware backup and recovery as a complete cloud, sort of SaaS control plane. No backup target management, no BDS server management, no catalog management, it's completely a SaaS service. Provide your vCenter address, boom, off you go. We do the backups, agentless, 100% dedup enabled. We have extended that into the public cloud domain. So now, we can back up AWS, EC2, and EBS instances within the same constructs. So a single catalog, single backup policy, single protection framework that protects you both in the cloud and on-prem, no fragmentation, no multiple solutions to deploy. And the second one is we've extended our Hyperconverged service to now be what we call the Hybrid Cloud On-Demand. So basically, you go to GreenLake Console control plane, and from there, you basically just start configuring virtual machines. It supports VMware and AWS at the same time. So you can provision a virtual machine on-prem, or you can provision a virtual machine in the public cloud. >> Got it. >> And, it's the same framework, the same catalog, the same inventory management system across the board. And then, lastly, we extended our block storage service to also become hybrid in nature. >> Got it. >> So you can manage on-prem and AWS, EBS assets as well. >> And Sheila, do you still make product announcements, or does Antonio not allow that? (Omer laughing) >> Well, we make product announcements, and you're going to see our product announcements actually done through the HPE GreenLake for block storage. >> Dave: Oh, okay. >> So our announcements will be coming through that, because we do want to make it as a service. Again, we want to take all of that headache of "What configuration should I buy? How do I actually deploy it? How do I...?" We really want to take that headache away. So you're going to see more feature announcements that's going to come through this. >> So feature acceleration through GreenLake will be exposed? >> Absolutely. >> This is some cool stuff going on behind the scenes. >> Oh, there's a lot good stuff. >> Hardware still matters, you know. >> Hardware still matters. >> Does it still matter? Does hardware matter? >> Hardware still matters, but what matters more is the experience, and that's actually what we want to bring to the customer. (laughing) >> John: That's good. >> Good answer. >> Omer: 100%. (laughing) >> Guys, thanks so much- >> John: Hardware matters. >> For coming on "theCUBE". Good to see you again. >> John: We got it. >> Thanks. >> And hope the experience was good for you Sheila. >> I know, I know. Thank you. >> Omer: Pleasure as always. >> All right, keep it right there. Dave Vellante and John Furrier will be back from HPE Discover 2022. You're watching "theCUBE". (soft music)

>> Announcer: theCUBE presents "Kubecon and Cloudnativecon Europe 2022" brought to you by Red Hat, the Cloud Native Computing Foundation and its ecosystem partners. >> Welcome to theCUBE coverage of Kubecon 2022, E.U. I'm here with my cohost, Paul Gillin. >> Pleased to work with you, Keith. >> Nice to work with you, Paul. And we have our first two guests. "theCUBE" is hot. I'm telling you we are having interviews before the start of even the show floor. I have with me, we got to start with the customers first. Enterprise Architect Adnan Khan, welcome to the show. >> Thank you so much. >> Keith: CUBE time first, now you're at CUBE-alumni. >> Yup. >> And Haseeb Budhani, CEO Arathi, welcome back. >> Nice to talk to you again today. >> So, we're talking all things Kubernetes and we're super excited to talk to MoneyGram about their journey to Kubernetes. First question I have for Adnan. Talk to us about what your pre-Kubernetes landscape looked like? >> Yeah. Certainly, Keith. So, we had a traditional mix of legacy applications and modern applications. A few years ago we made the decision to move to a microservices architecture, and this was all happening while we were still on-prem. So, your traditional VMs. And we started 20, 30 microservices but with the microservices packing. You quickly expand to hundreds of microservices. And we started getting to that stage where managing them without sort of an orchestration platform, and just as traditional VMs, was getting to be really challenging, especially from a day two operational. You can manage 10, 15 microservices, but when you start having 50, and so forth, all those concerns around high availability, operational performance. So, we started looking at some open-source projects. Spring cloud, we are predominantly a Java shop. So, we looked at the spring cloud projects. They give you a number of initiatives for doing some of those management. And what we realized again, to manage those components without sort of a platform, was really challenging. So, that kind of led us to sort of Kubernetes where along with our journey new cloud, it was the platform that could help us with a lot of those management operational concerns. >> So, as you talk about some of those challenges, pre-Kubernetes, what were some of the operational issues that you folks experienced? >> Yeah, certain things like auto scaling is number one. I mean, that's a fundamental concept of cloud native, right? Is how do you auto scale VMs, right? You can put in some old methods and stuff, but it was really hard to do that automatically. So, Kubernetes with like HPA gives you those out of the box. Provided you set the right policies, you can have auto scaling where it can scale up and scale back, so we were doing that manually. So, before, you know, MoneyGram, obviously, holiday season, people are sending more money, Mother's Day. Our Ops team would go and basically manually scale VMs. So, we'd go from four instances to maybe eight instances, but that entailed outages. And just to plan around doing that manually, and then sort of scale them back was a lot of overhead, a lot of administration overhead. So, we wanted something that could help us do that automatically in an efficient and intrusive way. That was one of the things, monitoring and and management operations, just kind of visibility into how those applications were during what were the status of your workloads, was also a challenge to do that. >> So, Haseeb, I got to ask the question. If someone would've came to me with that problem, I'd just say, "You know what? Go to the plug to cloud." How does your group help solve some of these challenges? What do you guys do? >> Yeah. What do we do? Here's my perspective on the market as it's playing out. So, I see a bifurcation happening in the Kubernetes space. But there's the Kubernetes run time, so Amazon has EKS, Azure as AKS. There's enough of these available, they're not managed services, they're actually really good, frankly. In fact, retail customers, if you're an Amazon why would you spin up your own? Just use EKS, it's awesome. But then, there's an operational layer that is needed to run Kubernetes. My perspective is that, 50,000 enterprises are adopting Kubernetes over the next 5 to 10 years. And they're all going to go through the same exact journey, and they're all going to end up potentially making the same mistake, which is, they're going to assume that Kubernetes is easy. They're going to say, "Well, this is not hard. I got this up and running on my laptop. This is so easy, no worries. I can do EKS." But then, okay, can you consistently spin up these things? Can you scale them consistently? Do you have the right blueprints in place? Do you have the right access management in place? Do you have the right policies in place? Can you deploy applications consistently? Do you have monitoring and visibility into those things? Do your developers have access when they need it? Do you have the right networking layer in place? Do you have the right chargebacks in place? Remember you have multiple teams. And by the way, nobody has a single cluster, so you got to do this across multiple clusters. And some of them have multiple clouds. Not because they want to be multiple clouds, because, but sometimes you buy a company, and they happen to be in Azure. How many dashboards do you have now across all the open-source technologies that you have identified to solve these problems? This is where pain lies. So, I think that Kubernetes is fundamentally a solve problem. Like our friends at AWS and Azure, they've solved this problem. It's like a AKS, EKS, et cetera, EGK for that matter. They're great, and you should use them, and don't even think about spinning up QB best clusters. Don't do it, use the platforms that exist. And commensurately on-premises, OpenShift is pretty awesome. If you like it, use it. But then when it comes to the operations layer, that's where today, we end up investing in a DevOps team, and then an SRE organization that need to become experts in Kubernetes, and that is not tenable. Can you, let's say unlimited capital, unlimited budgets. Can you hire 20 people to do Kubernetes today? >> If you could find them. >> If you can find 'em, right? So, even if you could, the point is that, see five years ago when your competitors were not doing Kubernetes, it was a competitive advantage to go build a team to do Kubernetes so you could move faster. Today, you know, there's a high chance that your competitors are already buying from a Rafay or somebody like Rafay. So, now, it's better to take these really, really sharp engineers and have them work on things that make the company money. Writing operations for Kubernetes, this is a commodity now. >> How confident are you that the cloud providers won't get in and do what you do and put you out of business? >> Yeah, I mean, absolutely. In fact, I had a conversation with somebody from HBS this morning and I was telling them, I don't think you have a choice, you have to do this. Competition is not a bad thing. If we are the only company in a space, this is not a space, right? The bet we are making is that every enterprise, they have an on-prem strategy, they have at least a handful of, everybody's got at least two clouds that they're thinking about. Everybody starts with one cloud, and then they have some other cloud that they're also thinking about. For them to only rely on one cloud's tools to solve for on-prem, plus that second cloud, they potentially they may have, that's a tough thing to do. And at the same time, we as a vendor, I mean, the only real reason why startups survive, is because you have technology that is truly differentiator. Otherwise, I mean, you got to build something that is materially interesting, right? We seem to have- >> Keith: Now. Sorry, go ahead. >> No, I was going to, you actually have me thinking about something. Adnan? >> Yes. >> MoneyGram, big, well known company. a startup, adding, working in a space with Google, VMware, all the biggest names. What brought you to Rafay to solve this operational challenge? >> Yeah. A good question. So, when we started out sort of in our Kubernetes, we had heard about EKS and we are an AWS shop, so that was the most natural path. And we looked at EKS and used that to create our clusters. But then we realized very quickly, that, yes, to Haseeb's point, AWS manages the control plane for you, it gives you the high availability. So, you're not managing those components which is some really heavy lifting. But then what about all the other things like centralized dashboard? What about, we need to provision Kubernetes clusters on multicloud, right? We have other clouds that we use, or also on-prem, right? How do you do some of that stuff? We also, at that time were looking at other tools also. And I had, I remember come up with an MVP list that we needed to have in place for day one or day two operations before we even launch any single applications into production. And my Ops team looked at that list and literally, there was only one or two items that they could check off with EKS. They've got the control plane, they've got the cluster provision, but what about all those other components? And some of that kind of led us down the path of, you know, looking at, "Hey, what's out there in this space?" And we realized pretty quickly that there weren't too many. There were some large providers and capabilities like Antos, but we felt that it was a little too much for what we were trying to do at that point in time. We wanted to scale slowly. We wanted to minimize our footprint, and Rafay seemed to sort of, was a nice mix from all those different angles. >> How was the situation affecting your developer experience? >> So, that's a really good question also. So, operations was one aspect to it. The other part is the application development. We've got MoneyGram is when a lot of organizations have a plethora of technologies from Java, to .net, to node.js, what have you, right? Now, as you start saying, okay, now we're going cloud native and we're going to start deploying to Kubernetes. There's a fair amount of overhead because a tech stack, all of a sudden goes from, just being Java or just being .net, to things like Docker. All these container orchestration and deployment concerns, Kubernetes deployment artifacts, (chuckles) I got to write all this YAML as my developer say, "YAML hell." (panel laughing) I got to learn Docker files. I need to figure out a package manager like HELM on top of learning all the Kubernetes artifacts. So, initially, we went with sort of, okay, you know, we can just train our developers. And that was wrong. I mean, you can't assume that everyone is going to sort of learn all these deployment concerns and we'll adopt them. There's a lot of stuff that's outside of their sort of core dev domain, that you're putting all this burden on them. So, we could not rely on them in to be sort of CUBE cuddle experts, right? That's a fair amount overhead learning curve there. So, Rafay again, from their dashboard perspective, saw the managed CUBE cuddle, gives you that easy access for devs, where they can go and monitor the status of their workloads. They don't have to figure out, configuring all these tools locally, just to get it to work. We did some things from a DevOps perspective to basically streamline and automate that process. But then, also Rafay came in and helped us out on kind of that providing that dashboard. They don't have to break, they can basically get on through single sign on and have visibility into the status of their deployment. They can do troubleshooting diagnostics all through a single pane of glass, which was a key key item. Initially, before Rafay, we were doing that command line. And again, just getting some of the tools configured was huge, it took us days just to get that. And then the learning curve for development teams "Oh, now you got the tools, now you got to figure out how to use it." >> So, Haseeb talk to me about the cloud native infrastructure. When I look at that entire landscape number, I'm just overwhelmed by it. As a customer, I look at it, I'm like, "I don't know where to start." I'm sure, Adnan, you folks looked at it and said, "Wow, there's so many solutions." How do you engage with the ecosystem? You have to be at some level opinionated but flexible enough to meet every customer's needs. How do you approach that? >> So, it's a really tough problem to solve because... So, the thing about abstraction layers, we all know how that plays out, right? So, abstraction layers are fundamentally never the right answer because they will never catch up, because you're trying to write a layer on top. So, then we had to solve the problem, which was, well, we can't be an abstraction layer, but then at the same time, we need to provide some, sort of like centralization standardization. So, we sort of have this the following dissonance in our platform, which is actually really important to solve the problem. So, we think of a stack as floor things. There's the Kubernetes layer, infrastructure layer, and EKS is different from AKS, and it's okay. If we try to now bring them all together and make them behave as one, our customers are going to suffer. Because there are features in EKS that I really want, but then if you write an abstraction then I'm not going to get 'em so not okay. So, treat them as individual things that we logic that we now curate. So, every time EKS, for example, goes from 1.22 to 1.23, we write a new product, just so my customer can press a button and upgrade these clusters. Similarly, we do this for AKS, we do this for GK. It's a really, really hard job, but that's the job, we got to do it. On top of that, you have these things called add-ons, like my network policy, my access management policy, my et cetera. These things are all actually the same. So, whether I'm EKS or AKS, I want the same access for Keith versus Adnan, right? So, then those components are sort of the same across, doesn't matter how many clusters, doesn't matter how many clouds. On top of that, you have applications. And when it comes to the developer, in fact I do the following demo a lot of times. Because people ask the question. People say things like, "I want to run the same Kubernetes distribution everywhere because this is like Linux." Actually, it's not. So, I do a demo where I spin up access to an OpenShift cluster, and an EKS cluster, and then AKS cluster. And I say, "Log in, show me which one is which?" They're all the same. >> So, Adnan, make that real for me. I'm sure after this amount of time, developers groups have come to you with things that are snowflakes. And as a enterprise architect, you have to make it work within your framework. How has working with Rafay made that possible? >> Yeah, so I think one of the very common concerns is the whole deployment to Haseeb's point, is you are from a deployment perspective, it's still using HELM, it's still using some of the same tooling. How do you? Rafay gives us some tools. You know, they have a command line Add Cuddle API that essentially we use. We wanted parity across all our different environments, different clusters, it doesn't matter where you're running. So, that gives us basically a consistent API for deployment. We've also had challenges with just some of the tooling in general that we worked with Rafay actually, to actually extend their, Add Cuddle API for us so that we have a better deployment experience for our developers. >> Haseeb, how long does this opportunity exist for you? At some point, do the cloud providers figure this out, or does the open-source community figure out how to do what you've done and this opportunity is gone? >> So, I think back to a platform that I think very highly of, which has been around a long time and continues to live, vCenter. I think vCenter is awesome. And it's beautiful, VMware did an incredible job. What is the job? It's job is to manage VMs, right? But then it's for access, it's also storage. It's also networking in a sec, right? All these things got done because to solve a real problem, you have to think about all the things that come together to help you solve that problem from an operations perspective. My view is that this market needs essentially a vCenter, but for Kubernetes, right? And that is a very broad problem. And it's going to spend, it's not about a cloud. I mean, every cloud should build this. I mean, why would they not? It makes sense. Anto exist, right? Everybody should have one. But then, the clarity in thinking that the Rafay team seems to have exhibited, till date, seems to merit an independent company, in my opinion, I think like, I mean, from a technical perspective, this product's awesome, right? I mean, we seem to have no real competition when it comes to this broad breadth of capabilities. Will it last? We'll see, right? I mean, I keep doing "CUBE" shows, right? So, every year you can ask me that question again, and we'll see. >> You make a good point though. I mean, you're up against VMware, You're up against Google. They're both trying to do sort of the same thing you're doing. Why are you succeeding? >> Maybe it's focused. Maybe it's because of the right experience. I think startups, only in hindsight, can one tell why a startup was successful. In all honesty, I've been in a one or two startups in the past, and there's a lot of luck to this, there's a lot of timing to this. I think this timing for a product like this is perfect. Like three, four years ago, nobody would've cared. Like honesty, nobody would've cared. This is the right time to have a product like this in the market because so many enterprises are now thinking of modernization. And because everybody's doing this, this is like the boots strong problem in HCI. Everybody's doing it, but there's only so many people in the industry who actually understand this problem, so they can't even hire the people. And the CTO said, "I got to go. I don't have the people, I can't fill the seats." And then they look for solutions, and via that solution, that we're going to get embedded. And when you have infrastructure software like this embedded in your solution, we're going to be around with the... Assuming, obviously, we don't score up, right? We're going to be around with these companies for some time. We're going to have strong partners for the long term. >> Well, vCenter for Kubernetes I love to end on that note. Intriguing conversation, we could go on forever on this topic, 'cause there's a lot of work to do. I don't think this will over be a solved problem for the Kubernetes as cloud native solutions, so I think there's a lot of opportunities in that space. Haseeb Budhani, thank you for rejoining "theCUBE." Adnan Khan, welcome becoming a CUBE-alum. >> (laughs) Awesome. Thank you so much. >> Check your own profile on the sound's website, it's really cool. From Valencia, Spain, I'm Keith Townsend, along with my Host Paul Gillin . And you're watching "theCUBE," the leader in high tech coverage. (bright upbeat music)