From Seattle, Washington, it's theCUBE, covering KubeCon and CloudNativeCon North America 2018. Brought to you by Red Hat, the Cloud Native Computing Foundation, and its ecosystem partners.

Hey, welcome back to our live coverage here in Seattle for KubeCon and CloudNativeCon 2018. I'm John Furrier, with Stu Miniman, here for three days of wall-to-wall coverage, 8,000 people up from 4,000 last year, growing Kubernetes and the cloud native ecosystem around KubeCon. Next two guests: John Morello, CTO of Twistlock, hot startup with the news, and Nanda Kumar, who's a fellow systems engineer at Verizon's Global Technology Service. Guys, welcome to theCUBE.

Thank you, thanks for having me.

Congratulations on your news, and Kelsey wearing your shirt on theCUBE earlier.

Thanks for having us.

So take a minute to explain what you guys do, your story. You guys got a lot of hot things happening. Take a minute to talk about the company's value.

Sure, so we've been around for about four years now, growing over four years. We're kind of the first company in this space that's really focused on cloud native cybersecurity. So the idea is not just to take the existing capabilities that you've had on traditional systems and kind of retrofit them onto this new platform, but really to leverage the way that the cloud native space works to be able to do security in a different and hopefully a more effective way. Cloud native has this notion of immutability and being able to take an artifact, the same artifact from development to staging to production, and that enables us to do things in a security fashion that you really haven't been able to do in the past. Actually be able to enforce security controls at the very beginning of the lifecycle of the app to be able to ensure consistency in your compliance posture all the way through production.
And then as we learn things at runtime, to be able to signal that knowledge back to developers so they can actually improve the security application at the beginning. So we basically have a platform that gives you those capabilities, vulnerability management, compliance, runtime defense, and firewalling across VMs, containers, and serverless across any cloud you have. We're not specific to any one cloud provider.

Like telemetry coming back to the developer in real time?

Yeah, I mean basically as an example, when you have an application that's deployed in the old world, you as a developer would give the app to an operator, they would deploy it, and then maybe weeks later somebody would scan it and they'd say you've got these vulnerabilities and then they have to go back and tell somebody to go and fix them. There's a lot of time where you're exposed, there's a lot of cost to that operation. The way that we're able to do it for the vulnerability case is as a developer builds the application, every build they do, Twistlock can scan that and see the vulnerabilities and actually enforce that as a quality gate and say, if you've got critical vulnerabilities, you have to fix them before you progress. And then as you take that application and move that into tests and staging and production, we create this dynamic runtime model that describes basically an implicit allow list of what's normal behaviors. So you don't have to tell us that my application, my web server normally runs NGINX and listens on port 80. We learn that automatically, we create this reference model where you can understand what's normal and then we automatically prevent anomalies. So unlike that traditional world of security where you had to have a whole bunch of manual rules that tried to blacklist everything that was bad, we just say like, we learn what's good and only allow that.

It's predictive and prescriptive in one.

Yeah, exactly.

So what's the role here with Kubernetes?
How do you fit into the Kubernetes standardization momentum?

Yeah, so I mean for us, we've kind of predated the rise of Kubernetes in some ways and really supported Kubernetes from the very beginning, like when it really became a project became popular. Our platform is designed to work as a native cloud native app itself. So when you deploy Twistlock, you run the Twistlock console, our management service and API controller. All that's run just as a cloud native app. You know, you deploy as a replication controller. When you deploy Twistlock Defender, our agent effectively, our containerized agent to all the nodes where you're running compute jobs, you run that as a DaemonSet. So for us, not only do we protect the platform, but we just are part of the platform. There's nothing abnormal that you have to do. You deploy it and manage it like you would any other Kubernetes application.

All right. Let's pull you into the conversation here. You know, Verizon obviously most people know, explain what your group does, how cloud native fits into what you're doing.

Sure, I'm part of the global technology services organization. So Verizon as you probably know is a mixed bag of different types of businesses brought together, wireless being the most prominent one that most of you know about it. But we also have other solutions like our Fios solutions and recently with our acquisition of Yahoo, which is Oath and so forth. So Verizon is actually on a major transformation journey. Our transformation journey spans around a five year program. We are in the year number three of this transformation. And cloud native and cloud native technology is a very foundational aspect for us as part of this transformation.
I was just chatting with John earlier that an opportunity like this doesn't come that often because we are in a perfect intersection of where automation like Verizon is doing a cloud migration and then you have these cloud native technologies that have been made available whether it's Kubernetes, container and so forth. So that mesh of the opportunity to migrate and as you migrate, you're taking advantage of these technologies and modernizing your application stack is a big win.

Okay. And can you connect for us the intersection of what you were just talking about and 5G, which is really going to be a huge impact on everything happening in telecommunications?

Yeah, the whole idea about 5G for us is not just it's a next generation of technology. It's all about humanability of it, which basically means we want to make sure that technology is used to solve real human problems and the technology is capable of doing that, right? Be it whether it is in life science or be it in transportation and so forth. We really want to make sure the technology is being used to solve real human problems and to enable the consumption of this technology, we want to take advantage of cloud native services to support it.

Yeah, help boil it down for us because you just in general, you say even domestically, I think it's like 40% of the US population doesn't have access to broadband.

Right.

And wireless, those of us at the conference here understand that wireless isn't always reliable. 5G, silver bullet, everybody's going to have infinite bandwidth everywhere, right?

Absolutely, and that's the value proposition of the technology that it brings to the table. I know the spread of the technology is going to vary depending upon the commercialization of the product, the solution and so forth. But the reality is in the new world that we live in, it is not just one piece of technology that's going to make it.
It's going to be a mesh of the new technologies like 5G with the combination of Wi-Fi and so forth, all of this coming together. It all comes down to fundamentally what are the use cases or what type of solutions they're going to go after and how it's going to make sense.

How has cloud native and this transformation changed how you guys make investments? Obviously the security equation's paramount, central of that, get a lot of data. Right. How is the investments and how you guys are building out change? Obviously looking at reimagining operations, security, et cetera, et cetera. How's that going to shape for you guys?

One of the things that we were talking about earlier is that not because of cloud native, but it's enabled by cloud native. I think you look at almost all organizations and to reuse that phrase that Andreessen quoted about software eating the world, it really is a true thing. Unlike in the past where IT had been this cost center that most organizations sought to strangle out and reduce as much as possible, I think most, at least modern, and I think the companies that will be successful in the future, realize that that's part of their competitive advantage. It's not just about providing an app because your competitor has an app, it's about providing a better experience so that you're driving more revenue, having a better relationship, a longer term, deeper relationship with that customer. We were talking about it, it's not just like, in his case, if they build kind of a minimal application or minimal experience for their customers, their customers may choose to go to AT&T or whomever else if they can feel like, hey, it's easier for me to work with them, I get better data, I can use my systems more easily, and if you have that inflection point where people are having to really invest in building better software, better industry-specific software, you need those tools of mass innovation to do that, and that's what cloud-native really is.
It's about being able to take and innovate and iterate on those innovations much more rapidly than you've been able to do in the past, and so it's really this confluence of those two trends that make this space as big as it is, I mean, that's why we have so many people here.

Well, you go faster, too, you need investment in apps and your applications. Faster, so your security solution replaces the old way of, hey, is there a problem? We'll patch it.

Well, it also has to get away from that approach that people took in the past where security was always this friction, it was this impediment. You wanted to deploy something and you had to go through the security review and create all these rules and it was a hassle and it slowed things down. If that's your approach to security, you're going to be at a fundamental conflict to this situation.

I think you'll be out of business personally. I think that paradigm, that ship has sailed, that's dead, we see the breaches every day. You see all the dark webs that have been harvesting all that. IoT, though, is a different kind of animal. How are you guys going to get the IoT equation because that's a good use case for cloud, you can push now, compute to the edge, you don't have to move data around, certainly you guys are in the telecom business. You know what that means, so latency matters. How are you looking at the edge, IoT, and where does security fit into that?

So in terms of IoT, I think, as you mentioned, there are going to be use cases where IoT is going to be very critical. I mean, there are two paradigms through the concept of the mobile edge compute. One is for the IoT use cases. The other could be even for, like AR, VR is a good example. You want the compute to be so fast where you want responses immediately based on the location you are and so forth. So that's a very important foundation that we're working on and making that a reality for our organization to come use it.
And of course, any solution that we provide, security needs to be baked into it because that's going to be foundational for how successful it is.

Back to your 5G point, that's great backhaul too for those devices. That one at least, if they want to send data back or interface with the edge, you need power and connectivity.

Yeah, exactly. Very true.

Yeah, so, what's next, I guess? If you look forward, where's this journey going? How does this partnership help us solve things?

I mean, for us, I think the key to any successful transformation is you got to take into consideration your current landscape. I mean, you certainly can have a broad vision of where the future is and so forth, but if you can't build a bridge between where we are to where we need to go, that's going to be a very challenging space. So, when we look at the cloud-native technologies, we look at it making it operational efficiency for us. In terms of how do we do our operations, like the earlier question that you talked about, what is changing for us? Our operation is getting better. Our security posture is getting better because we're now shifting more of this to the left, which means as the workloads are being built and so forth, we are taking into consideration in how it's going to run, where it's going to run, and so forth. So that's going to create the savings and operational efficiency, which then allows us to take that and transform it into how do we focus on more modern technologies and modern solutions and so forth.

The customer satisfaction.

And customer satisfaction.

And build a top-line business revenue model.

Right.

So I got to ask, how is it going with Twistlock? Where's their role in your transformation? It's on the security side. Where do they play into your mix?

So, when we rolled out our solution for our Kubernetes platform, we certainly want to make sure that, to John's earlier point, where we can shift left and really look at security holistically.
And the only way you could do that is you need to capture the essence or integrate security as the product is being built. Because today we do have a security posture, but it's kind of where you have it during the development phase or during operations or during run time. You're not even able to stitch it together. But with container and Kubernetes, you now have the advantage of really knowing what is end-to-end. And that is where our partnership with Twistlock is to be able to oversee that and provide the insights on what is running, what vulnerabilities exist, and how do we fix it.

It kind of makes sense too. I mean, we've talked for years, the perimeter is dead. You guys are addressing security up front at the application lab level, where it's coding. Is this working out for you guys well?

Yeah, and that's been a big shift, in fact, for why we have been successful with this transformation. Because we now have insights to it and everybody in the organization has line of sight of what's going on, where things are running, and so forth. So, it's been a good project.

John, talk about this dynamic because this is really kind of compelling because we've heard, oh yeah, we've got all the throwing, everything against the wall and security. And everyone always says, hey, the perimeter is dead and you got to start from security in mind from day one. I mean, what is day one? The minute you start coding, right?

I get your overall point about the perimeter being dead. I would actually rephrase it a bit and say the perimeter being dissolved. And I think that's really a more, a probably accurate way to look at it, and that in a lot of customers, you've got this, what used to be this very tightly defined, we deploy things in this network, or even VPC and it's got this control around it, whereas a lot of customers today, we see choosing an intentional multi-cloud strategy.
Like, they want to preserve the ability to have some leverage, not just with Amazon, but with Azure, with Google, or whomever, maybe, or on-premises. And when you have that model where you've got infrastructure in multiple regions, multiple different providers, you no longer have that very clean separation between what's yours and what's kind of out on the outside. And so, one of the things that we really think is important is to be able to bring the perimeter to the application. So, the way that we look at protecting the application is around the app itself. Regardless of what the underlying compute platform is, the cloud, the region, it's really about protecting the app. You learn how those different microservices normally communicate with each other. You only allow that normal, good communication, and thus you can really constrain the blast radius if you do have some kind of compromise in the future. And to really try to mitigate that compromise is to, again, find those vulnerabilities as you develop the app and prevent them in development before they ever get out to production.

And that's a super smart approach. I love that. I think it's a winner. Congratulations. Final question, what's your prediction for multi-cloud in 2019? Since you brought it up, multi-cloud seems to be the hot, hot thing. What's your prediction 2019? It becomes a conversation, it becomes practice.

I would say at this point, it already is practice in most organizations. And I would say that in 2019, you'll see that become something that's accepted, not just as an option, but as really the preferred, the better operational model so that you're able to choose technology platforms and operational approaches that are designed to work in a model in which you have multiple providers because you have a dependency layer that you can take now with Kubernetes and containers that's universal across those.
Theoretically, you could have always taken a VM, you put in Azure and moved it to AWS, but it was really difficult and painful and hard to do that. If you do that well with Kubernetes, it's really pretty straightforward to deploy an application across multiple providers or multiple regions of the same provider even. And I think you'll see that become a more real thing in 2019 because it gives you as a company or you as a customer more leverage to be able to choose the services and negotiate the rates that you want with your provider.

And if you move security to the app level like you guys are doing, you take away all that extra work around how to send policy and make a dynamic.

Yeah, and it doesn't matter whether or not you've got, I mean, our customers may have one Twistlock environment that manages things in Azure and AWS and GCP and on-premises and that's fine because we care about protecting the app, not the underlying infrastructure.

You agree?

It's an absolute, I think that's going to be the case. Even from our perspective, they're always going to be looking for, you know, where is the best place to run these workloads and in a cost-effective way in a secure manner. And as long as you have a single control plane that you can manage it, I think the multi-cloud is going to be a reality.

They're going to be easier to operate same standard language for developers, lock in security at the front end.

That's right, yeah.

Great stuff. Guys, thanks for coming on. I appreciate the insight. Smart commentary here on security, cloud native Kubernetes all breaking down here on theCUBE. I'm John Furrier with Stu Miniman. Here with us more day one coverage of three days of live coverage here in Seattle for KubeCon and cloud native. We'll be right back.