Announcer: From around the globe, it's theCUBE. Covering HPE Discover Virtual Experience, brought to you by HPE.

Stu Miniman: Hi, and welcome back to theCUBE's coverage of HPE Discover 2020, the virtual experience. I'm your host, Stu Miniman. I'm really happy to be joined on the program by two of our CUBE alumni. We have the Daves from Hewlett Packard Labs. Sitting in the screen next to me is Dave Husak; he's a fellow and general manager for the Cloudless Initiative. And on the other side of the screen, we have Dave Larson, vice president and CTO of the Cloudless Initiative. Dave and Dave, thank you so much for joining us again.

Delighted to be here.

Stu Miniman: All right, so specifically, we're going to be talking a bit about security, obviously very important in the cloud era and as we build cloud native architectures. Dave Husak, I guess, why don't you set the stage for us a little bit: where security fits into HPE overall and the mission, that last year, a lot of buzz and discussion and interest around Cloudless. So just put that as a start and then we'll get into a lot of discussion about security.

Dave Husak: Right, yeah, last year we did launch the initiative, and we framed it as composed of three components, one of which, probably the most important aspect, was the trust fabric. This trust fabric was built on the idea of intrinsic security for all workload endpoints, right? And this is a theme that you see playing out a year later, I think, across the industry, right? You hear that language and that kind of idea being promoted in the context of zero trust, new capabilities being launched by VMware and other kinds of runtime environments, right? And the way I like to say it is that we have entered an era of security first in IT infrastructure. It's no longer going to be practical to build IT infrastructure and then have products that secure it, right? Build perimeters and micro-segment, or anything like that. Workload endpoints need to be intrinsically secure.
And the upshot of that really, at this point, is that all IT infrastructure companies are security companies now. Know it, acknowledge it, like it or not: we're all security companies now. And so a lot of the principles that we're applying in the Cloudless trust fabric are those zero trust principles, based on cryptographic workload identity, leveraging unique aspects of HPE's products and infrastructure that we've already been delivering, with hardware and silicon root of trust built into our ProLiant servers and other capabilities like that. And our mission, my mission, is to propel that forward and ensure that HPE is at the forefront of securing everything.

Stu Miniman: Excellent, definitely love the security first discussion. Every company we talk to, absolutely, security is not only a C-level but typically a board-level discussion. I guess my initial feedback is, you say every company today is a security company; many of them might not be living up to their expectations just yet. So Dave Larson, let's say applications are at the core of what we look at in cloud native. It's new architectures, new design principles. So give us HPE's thoughts as to how security fits into that and what's different from how we might have thought about security in the past for applications.

Dave Larson: Well, I think Dave touched on it, right? From a trust fabric perspective, we have to think of moving to something where the endpoints themselves, whether they're workloads or services, are actually intrinsically secure, and that we can instantiate some kind of a zero trust framework that really benefits the applications. It really isn't sufficient to do intermediate inspection. In fact, the real primary reason why that's no longer possible is that the world is moving to encryption everywhere. And as soon as all packets are encrypted in flight, notwithstanding claims to the contrary, it's virtually impossible to do any kind of inference on the flows to apply any meaningful security.
But the way we see it is that the transition is moving to a modality where all services, all workloads, all endpoints can be mutually attested, cryptographically identified in a way that allows a zero trust model to emerge, so that all endpoints can know what they are speaking to on the remote end, and by authorization principles determine whether or not they're allowed to speak to those. So from an HPE perspective, the area where we build is from the bottom up. We have a silicon root of trust in our server platform as part of our iLO 5 integrated lights-out baseboard management controller. We can actually deliver a discrete and measurable identity for the hardware and project it up into the workload and into the software realms.

Stu Miniman: Excellent. So I heard you mention identity; it makes me think of the Scytale acquisition that HPE made early this year. People in the cloud native community who've been to KubeCon, you know, SPIFFE of course is a project that had gotten quite a bit of attention. Give us a little bit as to how that acquisition fits into this overall discussion we were just having.

Dave Husak: Oh yeah, so we acquired Scytale into the Cloudless initiative at the beginning of this year. As you understand, Stu, right, identity, cryptographic identity, is fundamental to zero trust security because, like Dave pointed out, we're no longer relying on intermediary devices, firewalls or other kinds of functions to manage, you know, to authorize those communications. So the idea of building cryptographic identity into all workload endpoints, devices and data is sort of a cornerstone of any zero trust security strategy. We were delighted to bring the team on board, not only from the standpoint that they are the world's experts, original contributors and moderators and committers in the stewardship of SPIFFE and SPIRE, the two projects in the CNCF, but, you know, the impact they're gonna have on HPE's product development, hardware and software, is going to be outsized.
And also, you know, I'll have to point this out as well: this is the most prominent open source project that HPE is now, you know, stewarding, right? In terms of its acceptance, SPIFFE and SPIRE are both poised to be, we'll have an announcement here shortly probably, but we expect they're gonna be promoted to the incubating phase of CNCF maturity from the sandbox. It's actually one of the first sandbox projects in the CNCF, and so it's gonna join that pantheon of, you know, the top few dozen, out of, I think, 1,390 projects in the CNCF. So, like you pointed out, Stu, you know, SPIFFE and SPIRE are right now, you know, the world's leading candidate as, you know, sort of the certificate standard for cryptographic workload endpoint identity. And we're looking at that as, you know, a very fundamental enabling technology for this transformation that the industry's gonna go through.

Stu Miniman: Yeah, it's really interesting. If we pull on that open source thread a little bit more, you know, I think back to earlier in my career, you know, 15, 20 years ago, and if you talked to a CIO, you know, security might be important to them, but what they're building and how their IT infrastructure is built is something that they keep very close. And if you were a vendor supplying to them, you had to be under NDA to understand, because that was a differentiation. Now we're talking about leveraging cloud, we're talking about open source. You know, even when I talk to the financial institutions, they're all talking amongst themselves about how do we share best practices, because it's not "am I secure?", it's "we all need to be secure." So I wonder if you can comment a little bit on that trend and, you know, the role of open source.

Dave Husak: Yeah, this is, you know, an extension of Kerckhoffs's principle, right? The idea that a security system has to be secure even if you know the system, right? That it's only the contents of the keys and the communication that are important.
And that is playing out at the highest level in our industry now, right? So, like I said, you know, cryptographic identity and identity-based encryption are the cornerstones of building a zero trust fabric. You know, one of the other things, because you mentioned that, that we also observe is that the CNCF, the Apache Foundation, the other thing that's, I think, a contrast to 15 years ago, right? Back 15, 20 years ago, open source was a software development phenomenon, right? Where, you know, the usual idea is, you know, there are repositories of code, you pull them down, you modify them for your own particular purposes and you upstream the changes and such, right? It's less about that. It is much more a model for open source operations than it is a model for open source development. Most of the people that are pulling down those repositories are mostly using them. They're not modifying them, right? And as you also, I think, understand, the framework of the CNCF landscape is comprehensive, right? You can build an entire IT infrastructure operations environment by, you know, picking storage technology, security technologies, monitoring, management, you know, it's complete, right? And it is, you know, becoming really, you know, a major operational discipline out there in the world to harness all of that development, harness the open source communities, not only in the software, not only in the security space, but I think, you know, comprehensively. And that engine of growth and development is, I think, you know, probably the largest, you know, manpower and brainpower and, you know, operational kind of active daily users model out there now, right? And it's going to be critical, I think, through the decade that's coming, that successful IT infrastructure companies have to be very tightly engaged with those communities in that process, because open source operations is the new thing.
It's like, you know, DevOps became ops dev or something like that; that is the trend.

Stu Miniman: Yeah, and I'm glad you brought that up. You know, I think about the DevOps movement; it really fused, you know, security. It can't be a bolt-on, it can't be an afterthought. The mantra I've heard the last few years is, security is everyone's responsibility. Dave Larson, you know, the question I have for you is, how do we make sure, you know, policy is enforced? You know, even I think about an organization: if everyone's responsible for it, you know, who's actually making sure that things happen? Because, you know, if everybody's looking after it, it should be okay, but, you know, bring us in a little bit from the application standpoint.

Dave Larson: Well, I would say, you know, first of all, you have to narrow the problem down, right? The more we try to centralize security with discrete appliances at some kind of a choke point, the explosion, the combinatorial explosion of policy declaratives that are necessary in order to achieve that solution becomes untenable, right? There is no way to achieve the right kind of policy enforcement unless we get as close to the actual workloads themselves, unless we implement a zero trust model where only known and authorized endpoints are allowed to communicate with each other. You know, we've lived with a really unfortunate situation in the internet at large for the last couple of decades where an IP address is both a location and an identifier. This is a problem because that can be abused. It's something that can be changed. It's something that is easily spoofed. And frankly, the nature of that element of the way we connect applications together is the way that virtually all exploits get into the environment and cause problems.
If we move to a zero trust model where the individual endpoints will only speak with, only respond to, something that is authorized, and only things that are authorized, and they trust nothing else, we eliminate 95 to 99% of the problem, when we are in an automated stance that will allow us to have much better assurance of the security of the connections between the various endpoints and services.

Stu Miniman: Excellent. So one of the questions that always comes up: some of the pieces we're talking about here are open source. You talk about security and trust across multiple environments. How does HPE differentiate from everything else out there, and how are you taking the leadership position? I'd love to hear both of your commentary on that.

Dave Larson: Yeah, well, like I said initially, the real differentiation for us is that HPE was the market leader for industry standard servers from a security perspective. Three years ago in our ProLiant Gen10 servers, when we announced them, they had the silicon root of trust, and we've shipped more than a million and a half servers into the market with this capability that is unique in the market. And we've been actively extending that capability so that we can project the identity not just to the actual hardware itself, but so that we can bind it in a multi-factor sense to the individual software components that are hosted on that server, whether it's the operating system, a hypervisor, a VM, a container framework or an actual container, or a piece of code from a serverless perspective. All of those things need to be able to be identified, and we can bring a multi-factor identity capability to individual workloads that can be the underpinning for this zero trust connection capability.

Stu Miniman: Great. And Dave, anything you'd like to add there?

Dave Husak: No, what he said. I think HPE is uniquely positioned: the depth and the breadth of our installed base of platforms that are already zero trust ready, if you will, right?
Coupled with the identity technology that we're developing in the context of the Scytale acquisition, and Dave's and my work in building the Cloudless trust fabric, those are, like I said, the cornerstones of these architectures, right? And HPE has a couple of unfair advantages here: the breadth and depth of our customer base and the installed base of the systems we've already put out there. So while the world is transitioning inevitably to these kinds of security architectures, these kinds of IT infrastructure architectures, HPE has a leadership position by default here that we can take advantage of, and our customers can reap the benefits of without rebuilding, forklift upgrading or otherwise. As Dave talked about, a lot will change, right? There's more to do, right? As we move from IP addresses and port numbers as identities for security, because we know perimeter security, network security like that, is busted, right? It's, you know, every headline-making, you know, kind of advanced persistent threat kind of vulnerability; it's at the root of all those problems, right? There are technologies like OPA, right? You know, policy has to be reframed in the context of workload identity, not in network identity. You know, I call this, you know, sort of the micro-segmentation fallacy, right? You know that, you know, perimeters are broken, not a valid security strategy anymore. So the answer can't be, let's just draw smaller perimeters, especially since we're now filling them up with ever more, you know, dynamic kinds of workload endpoints, you know, containers coming and going at a certain pace and serverless instances, right? All of those things springing up and being torn down, you know, on, you know, very short, you know, life cycles, right?
It is inconceivable that traditional, you know, perimeter-based, micro-segmentation-based security frameworks can keep up with the combinatorial explosion and the pace with which we are gonna be, where, you know, orchestration frameworks are gonna be deploying these endpoints. So there's a lot more to do, you know, but this is the transformation story. This is, of the 2020s, you know, infrastructure is gonna look very different in two, five, 10 years from now than it does today. And, you know, we believe HPE has, like I said, a few unfair advantages to lead the world in terms of those transformations.

Stu Miniman: Excellent. Well, appreciate the look towards the future as well as where we are today. Dave and Dave, thanks so much for joining us.

Thank you, Stu. Thanks, Stu, pleasure.

Stu Miniman: All right, we'll be back with lots more coverage of HPE Discover 2020, the virtual experience. I'm Stu Miniman, and thank you for watching theCUBE.