Welcome to SuperUserTV. Thank you guys for being here. Why don't you tell us a little bit about who you are and what you do?

Yeah, my name is Shane Dunn. I work for IBM. I'm in charge of the Cloud Platform Compliance Group, focused on compliance and regulatory issues for the IBM Cloud.

Hi, and my name is Daniel Schumacher. I work for Mirantis, and I work with all sorts of technology partners at Mirantis at the moment, working with them.

Okay, so tell me something. When we say compliance, what is it we really mean in this case?

Well, so a lot of people, when they think about compliance, they're off the bat: there's all these requirements left to go implement, and that drives controls. But really, it's about data integrity and conformity around the data. And a business driver, so what is it? Is it the hygiene that's helping curate the technology that you go forward with in security implementations? And so compliance is a necessary evil. There's a cross-blend between security and compliance. Security is the way to implement it and get it done and make sure it's constantly part of your ecosystem. And compliance is a measurement of that, a point in time that says, yes, I've met a certain regulatory area. What do you think about that?

Well, actually, like when you mentioned this word like hygiene, I think that's a very important thing. Compliance, like in my opinion, is something that comes from outside, right? So it's like a regulatory authority that helps different types of companies to follow the same standard. So actually, everybody knows that in this particular business area, people follow the same rules, and the level of hygiene is the same, right? And as you said, it's evil, but at the same time it's good, especially for people who consume. Not for people who build business, but for people who use those services and things like that.
Yeah, I mean, one quick point to add on that is that it sets the best practices, kind of a table, for basically setting the risk, you know, exposure or risk around your environment. So compliance is on everybody's mind right now.

So, well, in terms of you saying that it's on everybody's mind right now, who specifically worries about compliance? Who needs to worry about it?

I would say I'm not just blanketing it, but everybody. Everybody's concerned about compliance. Not just industry-specific sectors like healthcare or, you know, retail for card processing with PCI DSS certification. Everybody's worried about it, up to the top, CQO, CISO offices, you know, the engineer, the dev guy who's implementing the standard. It's on everybody's mind. And it's all about data, you know, integrity and availability, confidentiality around the data. So it's important to everybody.

So, how does OpenStack help with compliance? What's the relationship?

I wouldn't say it helps or it like doesn't help. It's more about, like, we should consider compliance, right? So all those standards, compliance standards, they are not OpenStack-specific and they are not like any type of application-specific. They are more specific for a particular, like, business area or a particular, like, business use case. And it doesn't matter which type of technology a particular company is using. So we see a trend that a lot of companies go virtual. They go to clouds and they do OpenStack as their choice of cloud operating system. And in this case, what we see is that we need to apply somehow those standards to OpenStack reality, to OpenStack, I would say, like, terminology, saying like, hey, like, if PCI DSS, for example, it's pretty, it's a very bad standard, right? It has some really high-level moments that tell you, like, do this and don't do that. But in OpenStack, we should translate it to that. And in some cases, yes, moving to the cloud, it helps somehow.
So we say, hey, we don't need to think about it anymore because we are compliant here by default. But in some cases, in OpenStack, we still have to address some of the issues or be very smart when we build OpenStack clouds. But again, as I mentioned, like, it's very important to think not about OpenStack, but other.

Yeah, right. And the whole stack of the offering from infrastructure all the way up through the SaaS consumption model. I mean, OpenStack is a means to an end. It's not the stop, right? So OpenStack, when you look at it from the elements of a compliance, it helps implement the controls or the requirements around the controls to meet the attestation around a compliance effort. But it's not a compliance in itself. So it's the framework, if you will, from infrastructure as a service to get to the means to the end for compliance.

So, is there anything new in the world of OpenStack when it comes to compliance issues?

So, you know, getting back to being that there's elements there that drive compliance and all the controls around that. There's a lot of great developments that are happening inside of OpenStack right now to help us get to that next level, to say, like, okay, we're not compromising our cloud. We're holding the integrity of the security and the quality the same as any other, you know, say VMware-based cloud. And part of those in particular would be, you know, examples around, you know, Congress and having, you know, putting policies in place that you can manage to. OpenAttestation is another one around, you know, verifying the integrity of your bare metal solution against NIST standards for STIGs. I mean, these are all really important projects inside OpenStack that will help us get to, when you do this measurement like CSA, when you do a measurement across gaps of different compliance. They all are very similar in nature of what the requirements are.
And so, you know, having a solution to meet one of those and then take that across the line to meet the rest of the compliance is really important.

Yeah, what I really like about OpenStack is like it's an open ecosystem, so anyone can bring something new there. And now we see a lot of traction around compliance simply because we see that people are more interested in compliance, and users who adopt OpenStack, they're not more like POC type of users. They really want to use it in production, so they think about compliance, and seeing those gaps, we start implementing different types, creating different types of new projects inside of OpenStack as a system. And I would add, so there are some like really compliance-related projects, and there's something like on a level like down. For example, I would say Bandit. It's a framework that checks the quality of the code, which is another very important topic because we are using OpenStack as an application and it's very important to know that this application doesn't have any vulnerabilities, because it will have vulnerabilities, but at least we can track those somehow. So that's a very good trend, lots of activities around that.

So I was wondering if there have been any surprises in the last six to 12 months. Would you consider that to be a surprise, or are there other things?

You know, when I think of surprises, it's like, was there something that we didn't expect? You know, OpenStack is a very well-planned, methodical process of what we're going to do from stage to stage and looking out, and when we think about Mitaka, you know, some of the surprises, if you will, that jumped out I think are around like Barbican for key management, how that's been integrated well with Keystone, and how Keystone's been able to make improvements around identity management. That's not necessarily surprises, but there are necessary movements around maturing OpenStack, and so then we can all consume this with enterprise workloads that everybody expects.
I agree that yes, OpenStack itself is very well planned, and OpenStack users, they all know the OpenStack roadmap, so it's not a big surprise for them what OpenStack can do and can't do. But as I mentioned before, like the whole OpenStack adoption moves forward and we see a lot of production deployments, like really big production deployments, and of course there is more demand for compliance. So from the perspective of working with partners and customers, I would say that we see more and more requirements from them, and actually the way we've planned as a company in Mirantis to like move forward with the security track, we are actually looking for different types of partners to build a like build a joint solution that will be compliant with particular standards. Not only OpenStack but other types of technologies that we can integrate, and OpenStack is a great thing to do that because of its nature.

So what do stakeholders and OpenStack developers need to know about compliance?

First, I mean, from a stakeholder it's all about shared compliance; nobody owns any one particular thing, and that includes getting back to the model of OpenStack is the means to an end. So as a stakeholder I look at it as the end customer, the user that's consuming it, and OpenStack will help enable compliance, but there's still a lot of tooling and there's a lot of business practices that go around that to really claim, you know, compliance around that. I think first is, you know, focus on the security as a foundation to the core of your enterprise or your offering, and compliance will come from that, right? As a result, compliance will come from that. Now, you know, getting back to that blend, security and compliance blend together. So that's what I would say from a stakeholder: know where your data is.

Yeah, I agree. So yeah, so as you mentioned, like compliance is a very complicated thing.
It's a very like it's a beast of different faces, and security is one thing, and there are also like some sort of like organizational controls and requirements, and stakeholders need to keep that in mind. And having OpenStack as the part of the solution, it sometimes helps, sometimes not, but stakeholders need to keep that in mind, and those cloud providers who help them to create OpenStack-based solutions, they need to be aware of that as well. And as you asked about like what OpenStack developers need to know, first of all they need to know that compliance exists. So we need to keep educating them. We need to keep providing some sort of like transparency about what compliance is, what it actually means, and show them how it like maps on some sort of like development practices or like deployment practices, because for some engineers it's really hard to map some business requirements to like really like technical requirements. That's something we need to focus on now and educate our development community.

Yeah, and I would just add to that from a developer side. I think a lot of things don't get called out in security implementation or compliance, and like an example would be like when you're implementing, make sure it fails closed, you know, so you're fail-safe and something happens that you don't open up a port and anybody can just come through, like general practices like that, and just being clear on this thing.

So what do you see as kind of the future of compliance and OpenStack?

Yeah, that's so I guess my mind goes back to what's in flight right now with OpenStack, like when you think about the RefStack project that's going on, where interoperability between different clouds, that's going to be a gigantic forcing function on compliance, because if you're going to be exchanging data or PHI data across, you know, HIPAA clouds, you're going to have to have very, very stringent controls in place and uniformity for a framework that allows you to do that exchange.
So RefStack, you know, RefStack is a big driver there. I think another big one is, you know, around the initiatives to, I think it was called the OpenStack, and that's a that's an initiative to drive automation into the compliance framework so you're not only measuring but you're remediating on a real-time basis. So those kinds of things: you're trying to automate, automate, automate for awareness, and be able to measure often and be able to remediate. So that's where I think trends are going to be going.

I would add more, like just to continue like the line that I started, like from the development perspective: we will have more users, OpenStack users, who will require like compliance, and that will drive the OpenStack community to focus more on like hardening security for each project and like actually adopting best practices to make sure that they're compliant with like PCI DSS or FedRAMP or any other like standards. So that's the trend I see: like big companies, they start using OpenStack, they see those gaps and they push actually like very hard the OpenStack community to change in that direction, and those projects are a very good example.

Excellent, anything else you want to add? Well, great, thank you both very much. I know you're very busy, and have a great summit.

Thank you very much.