 Live from Atlanta, Georgia, it's theCUBE, covering AnsibleFest 2019, brought to you by Red Hat. Okay, welcome back everyone, it's theCUBE's live coverage here in Atlanta, Georgia for AnsibleFest 2019. I'm John Furrier with Stu Miniman, co-host. Our next guest is Massimo Ferrari, product manager with Ansible Security, welcome to theCUBE. Thanks for coming on. Thank you for having me. So, security is obviously a big part of the conversation in automation. Making things more efficient, you know, security, making security driving a lot of automation, obviously job performance, among other things. Red Hat's done a lot of automation in other areas outside of just configuration, network automation. Now, security, looking kind of like the same thing, but security is certainly different and more critical. It is, it's more time sensitive. I guess through the security automation angle, what's going on? Well, basically, there are several things going on, right? I believe the main thing is that IT organizations are changing. Honestly, IT organizations have been changing for the last five years, 10 years, and as a consequence, the infrastructures to be protected are changing as well. And there are a couple of challenges that are kind of common to other areas of it. As you said, automation is all over the place, so clearly there are some challenges that are common to IT operations or network operations, something that is peculiar for the security space. What we are seeing, basically, is that if you think about, there's a major problem of scale, right? If you think about the adoption of technologies like containers or private public cloud, if you're a large organization, you're introducing those technologies side by side with, for example, your legacy applications on bare metal or your fantastic virtual machines, but what they do, actually, is introducing a problem of size, a problem of scale, and a problem of complexity connected to that, and a problem of distribution, which is just unmanageable without automation. And the other problem, which is complexity that I mentioned before, is that I wasn't specifically referring to the complexity of the infrastructure, per se. If we think about adopting best practices or practices like microservices or adopting functions of service, we can easily imagine how an old school three tiers application can be re-engineered to become something like we've made of 10 hundred components, and those are micro components very focused on single things, but from a security perspective, those are ingress points. And what automation did, well, automation proved to be able to do is to manage complexity for other areas. So you can be successful in the operations in network and clearly you can be successful in security. But what is unique to security is that professionals are facing a problem of speed, which means different things, but to give you an example, what we are seeing is that more and more cyber attacks are using automation and artificial intelligence. And the result of that is that the velocity and the impact of those attacks is so big that you can cope with human operators. So we are in a classic situation of fighting fire with fire. So this is a great example. We had the service guys on earlier talking about the automation platform, and one comment was you don't want to boil the ocean over, focus on some things you can break down and show some wins. Security professionals have that same problem. They want to throw automation and AI at the problem. It's going to solve everything. And so it's certainly very valuable. Managing configurations, open ports, S3 buckets, there's a variety of things that entry points for hackers and adversaries to come in, take down networks. What's the best practice? How do you see customers applying automation? What's the playbook, if you will? What's the formula for a customer to look at security? So how can I direct Ansible at my security problems or opportunities to manage that? When you discuss security automation with customers, it really depends on the kind of audience that you have. As you know, security organizations tend to be fairly structured, right? And depending on the person you are talking to, they may have a slightly different meaning for security automation, it's a broader practice in general. What we are trying to do with Ansible security automation is we are targeting a very specific problem. There is a well-known issue in the security world, which is the lack of integration. What we know is that if you are any large organization, you buy tens, hundreds sometime of security solutions. And those are great. They protect whatever they have to protect, but there is little to no integration between them. And the result of that is that security teams have an incredible amount of manual work to do just to correlate data coming from different dashboards or to perform an investigation across different perimeters, or at some point they have to remedy it, something that is going on, and they have to apply this remediation across groups of devices that are sparse. And what we are trying to do with Ansible security automation is to propose Ansible as an integration layer, as a glue between all those different technologies. To, on one hand, is a matter of, you know, become more efficient, streamline the process. On the other hand, is an idea of having truly a way to plan, use automation as your action plan. Because security, as I say, is time critical, and so automation becomes, in this context, become even more important. Massimo, with the launch of the Ansible automation platform, we see a real enhancement of how the ecosystems participating here. Where does security fit into the collections that are coming from the partner ecosystem of Ansible? Well, in one way, we have been building over the shoulders of our friends and network automation. They did an amazing job over four years. They did two major things. The first one is that they expanded for the first time the footprint of Ansible outside the traditional IT operations space. That was amazing. And we did kind of the same thing, and we started working with some vendors that were already working with us for slightly different use cases, and we helped them to identify the right use cases for security, and expand even more what they were capable of doing through Ansible. And what we are doing now is basically working with customers. We have, you know, a lighthouse customer, we call them, the guy that has to understand which is the next step that we are supposed to perform, and we are gathering together a security community around Ansible. Because, surprisingly, we all know that the security community has always been there, always been super vocal, but open-sourcing security is a fairly new thing, right? And so we have this ability. The important thing is that we all know that Red Hat is not a security vendor, right? We don't want to be a security vendor. That's not the ambition that we have. We are automation experts in the case of Ansible, and we are open-source experts across the board. So what we are doing with them, we are helping them to get there, to cooperate in the open-source world. And for security, it proved to be very interesting the adoption of collection, because in some way allows them to deliver the content that they want to deliver in a very, I would say, focused way, and since security relies on, again, is a matter of time to market or time to solve the problem. Through collection, they have more independence. They are capable to deliver whatever they want to deliver, when they want to deliver according to the start. One of the things you mentioned, glue layer, integration layer, and open-source user expertise and automation, is interesting, and I want to get your reaction on this, because we did a survey of CISOs on our community, prior to the Amazon Web Services Reinforce Conference. This past summer was their first inaugural cloud security, so yeah, cloud security is a big part of it, but with on-premise and hybrid and multi-cloud here, on the, being discussed, this notion of what cloud and role of enterprise is interesting to the CISOs, Chiefs of the Information Care Officer, and the trend on the survey was, is that CISOs are rehiring internal development teams to build stacks on site in their own organizations, investing in their stack, and they're picking a cloud and then a secondary cloud, so as that development team picks up, that seems to be a trend. One, do you agree with that, and if people want to have their own developers in-house for security purposes, how does Ansible fit into that glue layer? Because if it's configuring all the gear and all the pipes and plumbing, it makes sense to kind of think about that. So this might be a trend that's helping you? So the trend, there is a general trend in the corporate enterprise world, that more technical people are coming into traditionally, in areas that are traditionally under the purview of other people or domains, right? So we saw more technical people coming into business lines. We are seeing more developers coming into security. That's certainly a trend. It's a matter of, you know, it's again, it's a matter of managing scale and complexity. You need to have technical people there. So in one hand, that help us to create a more efficient and more pervasive community around security. You have developers there, which means that you need to serve that corner case that you are not targeted at the moment. You have talented people that can cooperate with us and build those kinds of things. And use the open source software. Exactly, well that's the entire purpose, right? You want to drive people to contribute, they get the value back, we get the value back, they get the value back. That's the entire purpose. So you do see the trend of more developers being hired by enterprises in-house? It certainly is. And it's been going on for about, like probably three to five years, I've seen that. In other areas, mainly in the business area, because they want to gain that agility and want to be self-contained in some way. Business want to be self-contained security in some sense is going in the same direction. That feeds clearly one angle of Ansible, so you have more contribution in the community. On the other end, what we are trying to make sure is that we support the traditional security teams. Traditional security teams are not super-development oriented, right? So they want to consume the content. Well DevOps is always infrastructure as code implies that the infrastructure has been coded. And if you look at all the security breaches that have been big, a lot of them have been basic stuff and exposed as three bucket. Is that Amazon's fault or is that the operator's fault? Or patches that aren't deployed? You guys are winning in with Ansible in these areas. This seems to be a nice spot for you guys to come in. I mean, can you elaborate on those points? And is that true? And you guys winning in those areas? Because I mean, I can see automation just solving a lot of those problems. Well there is, I will say something not super popular, but as a security community, we always been horrible at the basics, right? We've been, like any other technical people, we are chasing the latest and greatest, the fun stuff. The basics, we are always been bad at that. Automation is a fairly new thing in security. And what we all know that automation does is providing you consistency and reduce human error. Most of the stuff is because somebody forgot to configure something, some one forgot to rotate a secret or something like that. They didn't bring their playbook to the game. So I'm not trying to fly the parallelism here, but the point is that the same benefits that get the automation. There's just no excuse if you have automation, you can basically load that patch or configure that port properly because a playbook exists. This only helps. Absolutely, but those are the basic values of automation. You communicate in a slightly different way to security because they use different language and for them automation is still a new thing. But what you heard during the keynote, so the entire purpose of the platform is to help different areas in the AT organization to cooperate with each other. As we know, security is not a problem of IT security anymore, it's a broader problem and needs to have a common tool to be solved. In the demo in the keynote this morning, I thought they did a good job showing how the various stakeholders in the organization can all collaborate and work together. Wanting to explain how security fits into that discussion, and also they added the hardening piece in there, but I would expect for many companies that I want to flag when I'm creating this image that it's going to say, hey, have you put the right security policies on top of it? Not something that they just, oh, it's one of the steps that I do. How do we make sure that everybody follows those corporate edicts that we have? Well, it's mainly a matter, I want to use the play the usual card of cultural change, but the fact is that security, especially, we are looking at two major shifts, and one of these shifts is that pretty much everyone, I would say private organization and government, kind of a knowledge that security, cybersecurity is not an IT problem anymore, it's a business problem, right? Being a business problem, that means that the stakeholders involved are in all different parts of the organization, and that requires a different level of collaboration. Collaboration starts with training and enablement of people to understand where the problems are and understand that they are part of the same process. We used to have security as an highly specialized function of IT. Right now, what happens is that, if you think about a data breach, a data breach could be caused by an IT problem, but most of the impact is on the business, right? So right now, a lot of security processes are shifting to give responsibility to the business owners, and if the government is involved, I live in London and in Europe for another month, I guess, we have this fantastic thing that you know, it's called GDPR. GDPR forces you to have what is called a data breach notification process, which means that now, if you're investigating a cyber threat, you want to have legal there to make sure that everything is fine, and if this data breach could become a media thing, you want to have PR there because you want to have a plan to mitigate whatever kind of impact you may have on your corporate image. You may also want to have there, I don't know, customer care, just to handle the calls of the customer, worry for the data. So the point is that this is becoming a process that needs to involve people. People needs to be aware that they are part of this process, and on what we can do as an automation provider, we are trying to enable through the platform, the IT organization to cooperate with each other. You know, having workflows, having the ability to contribute to the same process allows you to be responsible for your piece. Massimo, the new security track here at the show this year, for those that didn't get to come or maybe that didn't get to see all of it, some of the highlights you want to share with the audience. So this year, the general message this year is there, is the first time that we have this fantastic security track, and this is not a security conference, it's never going to be a security conference. So what we are trying to do is to enable security teams to talk with the automation experts to introduce automation in that space. So the general message that we have this year is, what the desire is to create a bridge between the Ansible practitioners, the Ansible heroes, whatever you want to call them, to understand what the problem is, what the problem could be, and have a sort of a common language that can use to communicate. So the message that we had this year was, is go back home and sit down at the same table with your security folks and make sure that they are aware that it's the new possibility and you can help them that you now have a common tool together. We have a couple of very interesting tracks, we have partners, a lot of partners are contributing to security space, we mentioned that before, and most of them have tracks here and they are showing what they built with us, what are the possibilities of those tools. We have a couple of customer stories that are extremely interesting, that just came out from a session presenting one of our customer stories. And in general, we are trying to show also how you can integrate security in all the broader processes, like the mythical DevSecOps process. What's been the feedback from customers specifically around the talk and the security conversations here at Ansible Fest? It wasn't unexpected, but it's going particularly well. We have very good, we have very good feedbacks. And we have, we kind of... What are they saying? Well, they are saying something, okay, the best quote that I can give you, the customer told me, this year I learned something new. I learned that we can do something in this space we never thought about. Which is a good feedback to have at a conference and a lot of people are attending this session. We have quite a lot of security professionals that was kind of unexpected. So the old sessions are pretty full, but we also are seeing people that are just curious, they are coming in and they are staying. They are paying attention. So there is the real opportunity. They see the same opportunity that we see. And hopefully that will bring the message home. Massimo, thank you for coming on theCUBE, sharing your insights. Certainly security is a main driver for automation. One of the key four bullet points that we outlined in our opening. Thanks for coming on. Thank you very much for having me. And sharing your insights. This is theCUBE coverage here at Ansible Fest 2019, where Red Hat's announced their Ansible Automation platform. I'm John Furze, Stu Miniman. Stay with us for more after this short break.