 Hey guys, welcome back to the show floor of KubeCon CloudNativeCon 22 North America from Detroit, Michigan. Lisa Martin here with John Furrier. This is day one, John, of theCUBE's coverage. theCUBE's coverage, not the Kube's coverage. theCUBE's coverage of KubeCon. Try saying that five times fast. Day one, we have three wall-to-wall days. You know, we've been talking about Kubernetes containers, adoption, cloud adoption, app modernization all morning. We can't talk about those things without addressing security. Yeah, this segment we're going to hear container and Kubernetes security for modern applications because the enterprise are moving there and this segment with Red Hat is going to be important because they are the leader in the enterprise when it comes to open source and Linux. So this is going to be a very fun segment. Very fun segment. Two guests from Red Hat join us. Please welcome Doron Caspin, Senior Principal Product Manager at Red Hat. Michael Foster joins us as well. Principal Product Marketing Manager and StackRox Community Lead at Red Hat. Guys, great to have you on the program. Thanks for having me. Thank you for having me. Yeah, it's awesome. StackRox acquisition's been about a year. You got some news? Yeah, 18 months. Unpack that for us. It's been 18 months, yeah. So StackRox, the 2017, originally we shifted to be the Kubernetes native security platform. That was our goal. That was our vision. Red Hat obviously saw a lot of powerful, let's say mission statement in that and they bought us in 2021. Pre-acquisition, we were looking to create a cloud service. Originally we ran on Kubernetes platforms. We had an operator and things like that. Now we are looking to basically bring customers in into our service preview for ACS as a cloud service. That's very exciting. The security conversation is top notch right now. Yeah. It's an all time high. You can't go anywhere without talking about security and specifically in the code.
We were talking before we came on camera, the software supply chain is real. It's not just about verification. What do you guys see the challenges right now? Containers, scanning is not good enough. First of all, you got to scan them and that may not be good enough. Where's the security challenges and where's the opportunity? I think a little bit of it is a new way of thinking. The speed of security does make you secure. We want to keep our images up and fresh and updated. We also want to make sure that we're keeping the open source and the different images that we're bringing in secure. Doron, I know you have some things to say about that too. He's been working tirelessly on the cloud service. Yeah. I think that one thing that you need to trust your sources, right? Even in the open source world, you don't want to copy paste libraries from the web. And even if most of our customers using third party vendors and getting images from different locations, we need to trust our sources and we have a really good, even if you have a really good scanning solution, you not always can trust it. You need to have a good solution for that. And you guys are having news, you're announcing the Red Hat Advanced Cluster Security cloud service. Yes. What is that? So we took StackRox and we took the opportunity to make it as a cloud services. So customer can consume the product as a cloud services, as a SaaS offering, and a customer can buy it through Amazon Marketplace and in future Azure Marketplace. So customer can use it for the AKS and EKS and AKS and also, of course, OpenShift. So we are not specifically for OpenShift. We're not just OpenShift, we also provide support for EKS and AKS. So we provided the capability to secure the whole cloud posture. We know customer are not only OpenShift or not only EKS, they have both. They have three cloud or four cloud, so they have Google Cloud. So it's not just OpenShift, it's Kubernetes environments all together. All together, yeah.
Meeting customers where they are. Yeah, exactly. And we focus on, we are not trying to boil the ocean or solve the whole cloud security posture. We try to solve the Kubernetes security cluster. It's very unique and very neat, unique solution for that. It's not just added value for another cloud security solution. We think it's something special for Kubernetes. And this is what Red Hat is aiming to solve this issue. And the ACS platform really doesn't change at all. It's just how they're consuming it. It's a lot quicker in the cloud. Time to value is right there. As soon as you start up a Kubernetes cluster, you can get started with ACS Cloud Service and get going really quickly. I'm going to ask you guys a very simple question, but I heard it in the bar in the lobby last night, practitioners talking and they were excited about the Red Hat opportunity. They actually asked a question, where do I go and get some free Red Hat to test some Kubernetes out and run Helm or whatever? They want to play around. And do you guys have a program for someone to get started for free? Yes, so the cloud service specifically, we're going to service preview. So if people sign up, they'll be able to test it out and give us feedback. That's what we're looking for. Is that going to be in the cloud? They can run it in their own environment. So they can sign up. Free. For the service preview. All we're asking for is for customer feedback. And I know it's actually getting busy there. It's starting in December. So the quicker people are. So my friend at the lobby, I was talking to him, I told you it was free. I gave you the sandbox, but check out your cloud too. Okay, we'll get that out of the way. And you also have the open source version. So you can download it in your own. People want to know how to get involved. I'm getting a lot more folks coming to Red Hat from the open source side that want to get their feet wet. That's been a lot of people are really interested.
That's a real testament to the product leadership. Congratulations. Yeah, thank you. So what are the key challenges that you have on your roadmap right now? You got the products out there. What's the current stake? Can you scope the adoption? Can you share where we're at? What people are doing specifically and the real challenges? I think one of the biggest challenges is talking with customers with a slightly, I don't want to say outdated, but an older approach to security. You hear things like malware pop up. And it's like, well, really what we should be doing is keeping things into low and medium vulnerabilities, looking at the configuration, managing risk accordingly, having disparate security tools or different teams doing various things. It's really hard to get a security picture of what's going on in the cluster. That's some of the biggest challenges that we're focusing, that we talk with customers about. And in terms of resolving those challenges, you mentioned now where we talk about ransomware, it's a household word these days. It's no longer, are we going to get hit? It's when? It's what's the severity? It's how often? How are you guys helping customers to dial down some of the risk that's inherent and only growing these days? Yeah, risk, it's a tough word to generalize, but our whole goal is to give you as much security information in a way that's consumable so that you can evaluate your risk, set policies, and then enforce them early on in the development pipeline so that your developers get the security information they need, hopefully asynchronously. That's the best way to do it, it's nice and quick. But I don't know, Doron, do you want to add to that? Yeah, so I think, yeah, we know that ransomware, again, it's a big word for everyone, and we understand the area of the boundaries where we want to, what we want to protect, and we think it's about policies and where we enforce it. 
So, and if you can enforce it on, we know that as we discussed before that you can scan the image, but we never know what is in it until you really run it. So, one of the things that we provide is runtime scanning, so you can scan and you can have policy in runtime, so enforce things in runtime, but even if you, one image got in the way and get to your cluster and can run around somewhere, we can stop it in runtime. Yeah, and even with the runtime enforcement, the biggest thing we have to educate customers on is that that's the last ditch effort, right? We want to get these security controls as early as possible. That's where the value's going to be, so we don't want to be blocking things from getting to staging six weeks after developers have been working on a project. I want to get your guys' thoughts on developer productivity. Had Docker CEO on earlier, and since then I had a couple of people messaging me. I love the vision of Docker, but Docker Hub has some legacy and it might not, it doesn't have the kind of adoption that some people think it does. Are people moving, because they want to have their own places, no one place, or maybe there is, or how do you guys see the movement of say Docker Hub to just don't use containers, I don't need to be Docker Hub. What's the vis-a-vis competition? I mean, working with open source, with Red Hat, you have to meet the developers where they are. If your tool isn't cutting it for developers, they're going to find a new tool. And really, they're the engine, the growth engine of a lot of these technologies, so again, if Docker, I don't want to speak about Docker or what they're doing specifically, but I know that they pretty much kicked off the container revolution and got this whole thing started. A lot of people are using your environment too. We're hearing a lot of uptake on the Red Hat side too, so it's basically open source. 
 It all sorts itself out in the end, like you said, but you guys are getting a lot of traction there. Do you share what's happening there? I think one of the biggest things from a developer experience that I've seen is the universal base image that people are using. I can speak from a security standpoint. It's awesome that you have a base image where you can make one change or one issue and it can impact a lot of different applications. That's one of the big benefits that I see in adoption. What are some of the business, I'm curious what some of the business outcomes are. You talked about faster time to value, obviously being able to get security shifted left and from a control perspective, but what are some of the, if I'm a business, if I'm a telco or a healthcare organization or a financial organization, what are some of the top line benefits that this can bubble up to impact? I mean, for me, with those two providers, compliance is a massive one. And just having just an overall look at what's going on in your clusters and your environments so that when audit time comes, you're prepared, you can get through that extremely quickly. And then as well, when something inevitably does happen, you can get a good image of like, let's say a Log4Shell happens. You know exactly what clusters are affected. The triage time is a lot quicker. Developers can get back to developing. And then, yeah, you can get through it. One thing that we see that customers compliance is huge, right? And we don't want to, the old way was that, okay, I will provision a cluster and I will do scans and find things but I need to do for PCI DSS, for example. Today, the customer want to provision in advance a PCI DSS cluster. So you need to do the compliance before you provision the cluster and make all the configuration already baked for PCI DSS or HIPAA compliance or FedRAMP. And this is where we try to use our compliance.
We have tools for compliance today on OpenShift and other clusters on other distributions but you can do this in advance before you even provision the cluster. And we also have tools to enforce it after that, after your provision, but you have to do it again before and after to make it more feasible. Advanced cluster management and the compliance operator really help with that. That's why OpenShift Platform Plus is a bundle. It's so popular. Just being able to know that when a cluster gets provisioned it's going to be in compliance with whatever the healthcare provider is using and then you can automatically have ACS as well pop up. So you know exactly what applications are running. You know it's in compliance. I mean, that's the speed. You mentioned the word operator. I get a triggering word now for me because operator role is changing significantly on this next wave coming because of the automation. They're operating, but they're also devs too. They're developing and composing. It's almost like a dashboard Lego blocks. The operator's not just, you know, manually racking and stacking like the old days. I'm over simplifying it, but the new operators running stuff that got observability, they got coding, their servicing policy. The lot going on, there's a lot of knobs. Is it going to get simpler? What do you, how do you guys see the org structures changing to fill the gap on what should be a very simple, turn some knobs, you know, operate at scale? Well, when StackRox originally got acquired one of the first things we did was put ACS into an operator and it actually made the application lifecycle so much easier. It was very easy in the console to go and say, hey, yeah, I want ACS, my cluster, click it. It would get provisioned, new clusters get provisioned automatically. So underneath it might get more complicated, but in terms of the application lifecycle operators make things so much easier.
And of course, I saw, I was lucky enough with Lisa to see Project Wisdom and AnsibleFest. You're going to say, hey, Red Hat, spin up the clusters just magically will be voice activated. Starting to see AI come in. So again, operations operator is kind of dev vibing an SRE vibe, but not that direct, but something's happening there. We're trying to put our finger on it. What do you guys think's happening? What's the real, what's the action? What's the transfer? What's transforming? That's a good question. I think in general, things just move to the developers all the time. I mean, we talk about shift-left security. Everything's always going that way. Developers have their hand in everything. I'm not sure exactly, Doron. Put your hands on the reaction. It's okay, say what you want. So I spoke with one of our customers yesterday and they say that they, in the last eight years, we've developed tons of code for just to operate their infrastructure. But if developers, so five or six years ago when a developer wanted VM, it will take them a week to get a VM because it needs all their approval and someone need to actually provision this VM on VMware. And today, they automate all the way, end to end. And it takes two minutes to get the VM for developer. So operators are becoming developers, as you said. And they develop code and they help and they make the infrastructure as code and infrastructure as an operator to make it more easy for the business to run, right? Make it. And then also if you add in data ops, AI ops, data ops, security ops, that's the new IT. It seems to be the new IT is the stuff that's scaling, a lot of data's coming in, you got security, so all that's got to be brought in. How do you guys view that into the equation? Oh, I mean, you become big generalists. I think there's a reason why those cloud security, or cloud professional certificates are becoming so popular.
You have to know a lot about all the different applications, be able to code it, automate it. Like you said, hopefully everything as code. And then it also makes it easy for security tools to come in and look and examine where the vulnerabilities are, when these things are as code. So because you're going and developing all this automation, you do become, let's say, a generalist. You know, we've been hearing on theCUBE here and we've been hearing in the industry burnout associated with security professionals and some data ops, because the tsunami of data, tsunami of breaches, a lot of engineers getting called in the middle of the night. So that's not automated. So this has got to get solved quickly. Scaled up quickly. Yes, there's two part question there. I think in terms of the burnout aspect, you better send some love to your security team because they only get called when things get broken and when they're doing a great job, you never hear about it. So I think that's one of the things. It's a thankless profession. From the second part, if you have the right tools in place so that when something does hit the fan and does break, then you can make an automated or a specific decision upstream to change that, then things become easy. It's when the tools aren't in place and you have disparate environments so that when a Log4Shell or something like that comes in, you're scrambling, trying to figure out what clusters are where and where your impact is. Point of attack, remediate, fast. That seems to be the new move. Yeah, and you do need to know exactly what's going on in your clusters and how to remediate it quickly. How to get the most impact with one change. And that makes sense. The surface area is expanding. More things are being pushed. So things will, whether it's a zero day vulnerability or just, you know, an attack. Just to make, yeah. Yeah, you know that you automate, customer automates a lot of things, but it's good and bad, right?
Some customer tools, they, I think Spotify lost the whole full zone because of one mistake of a customer, because they automate everything and they make one mistake. It scaled the failure. Exactly, it scaled the failure very fast. That was actually a KubeCon talk, I think. Four years ago, they talked about it. It was a great learning experience, but. It worked double-edged sword there. Yeah, so definitely we need to allow, again, scale automation, test automation, the way to, you need to hold the drills around it. Yeah, you have to know the impact. There's a lot of talk in the security space about what you can and can't automate. And by default, when you install ACS, everything is not enforced. You have to have an admission control. How are you guys seeing your customers? Obviously, Red Hat's got a great customer base. How are they adopting to the managed service way that's coming? People are liking the managed services now because they may not have skills gap issues. So managed services is becoming a big part of the portfolio. What's your guys take on the managed services piece? It's just time to value. You're developing a new application. You need to get it out there quick. If somebody, your competitor, gets it out there a month before you do, that's a huge market advantage. Do you care how you got there? Exactly, so we've had so much Kubernetes expertise over the last 10 or so, 10 plus year, or well, Kubernetes for seven plus years, at Red Hat, that why wouldn't you leverage that knowledge internally so you can get your applications out of the project? Why change your tool chain and your workflows a little faster and take advantage of the managed service because it's just about getting from point A to point B. Exactly. Well, in time to value, as you mentioned that, it's not a trivial term. It's not a marketing term. There's a lot of impact that can be made.
Organizations that can move faster, like can iterate faster, develop what their customers are looking for so that they have that competitive advantage. It's definitely not something that's trivial. Yeah, and working in marketing, whenever you get that new feature out and I can go and chat about it online, it's always awesome, we always get customers interested. Pushing new code, being secure. What's next for you guys? What's on the agenda? What's around the corner? We'll see a lot of Red Hat at re:Invent, I'll see your relationship with AWS as strong as a company. Multi-cloud is here, SuperCloud is, we've been saying, SuperCloud's a thing. What's next for you guys? So we want to, we launch the cloud services and the idea that we will get feedback from customers. We are not going GA, we're not going to sell it for now. We want to get customers, we want to get feedback to make the product as best we can give our customers and get feedback. And when we go GA and we start selling this product, we will get the best product in the market. So this is our goal. We want to get the customer in the loop and get as much as the feedback as we can. And also we're working very closely with our customers, our existing customers to enhance the product to add more and more features. But the customer needs, it's all about supply chain, I don't like it, but we have to say it. It's all about making things more automated and make things more easy for a customer to have security in the Kubernetes environments. So where can your customers go? Clearly you've made a big impact on our viewers with your conversation today. Where are they going to be able to go to get their hands on the release? So we have, we have, just, you can find it online. We have a website to sign up for this, for this program. It's on my blog, we have a blog out there for ACS cloud services. You can just go there, sign up and we'll contact the customer.
Yeah, and there's another way, if you ever want to get your hands on it and you can do it for free, open source StackRox. The product is open source completely. And I would love feedback in Slack channel. It's one of the, we also get a ton of feedback from people who aren't actually paying customers and they contribute upstream. So that's an awesome way to get started. But like you said, you go to, if you search ACS cloud service, then service preview. Don't have to be a Red Hat customer. You're running a CNCF compliant Kubernetes version that we'd love to hear from you. All open source, all out in the open. Yep. Right, right, getting it available to the customers, the non-customers that they, hopefully, pending customers. Guys, thank you so much for joining John and me, talking about the new release. The evolution of StackRox in the last years of 18 months. Lot of good stuff here. I think you've done a great job of getting the audience excited about what you're releasing. Thank you for your time. Thank you. Thank you. All right, for our guests and for John Furrier, Lisa Martin here in Detroit. KubeCon, CloudNativeCon, North America. Coming to you live, we'll be back with our next guest in just a minute.