Hello everyone and welcome back to theCUBE's day one coverage of CloudNativeSecurityCon '23. This is going to be an exciting panel. I've got three great guests. I'm Lisa Martin. You know our esteemed analysts, John Furrier and Dave Vellante. And we're excited to welcome to theCUBE for the first time Yves Sandfort, the CEO of comdivision group, who's coming to us from Germany. As you know, CloudNativeSecurityCon is a global event. Everyone, welcome. Yves, great to have you in particular. Welcome to theCUBE.

Thank you for inviting me.

Yves, before we dig into really wanting to understand your perspectives on the event, and get Dave and John's feedback as well, tell us a little bit about you.

So yeah, talking about me, or talking about comdivision real quick: we have been in the business for over 27 years already. We started as a SaaS company that became more like an architecture and cloud native company over the last few years. But what's interesting, and I think that's really interesting when we look at our industry, is that the requirements haven't really changed over the years. It's still security. We still have to figure out how we deal with security. We still have to figure out how we deal with compliance and everything else. And I think therefore it's more and more important that we take these items more seriously, also based on the fact that, when we look at how development and other things happen nowadays, everybody says open source is great because everybody can look into the code.
I think the last few years have shown us enough examples that that's not necessarily solving all the issues. But also code and development have changed rapidly when we look at the cloud native approach, where it's far more about gluing the pieces together versus the development pieces, compared to when I was actually doing software development 25 years ago and had to basically build my code myself because I didn't have that much internet access for it. So it has evolved, but even back then we had to deal with security and everything.

Right, the focus on security is incredibly important and the focus keeps growing, as you mentioned. Guys, I want to get your perspectives on this. We're going to start with John. This is the first time CloudNativeSecurityCon is its own event, being extracted from and amplified from KubeCon. John, I want to understand from your perspective, break down the event, what you see, what you've heard, and cloud native security in general. What does this mean to companies? What does it mean to customers? Is this a reality?

Well, I think that's the topic we want to discuss. And I think Yves' background, and I see the VMware certification, I love that, because what VMware did with virtualization, abstracting that from server virtualization, kind of really changed the game on things. And you start to see cloud native kind of go to that next level of how companies will be operating their business. Not just digital transformation; as digital transformation goes to completion, it's total business transformation where IT is everywhere. And so you're starting to see the trends where, okay, that's happening. Then now you're starting to see that's CloudNativeCon or KubeCon or AWS re:Invent or whatever show, whatever way you want to look at it. But in the past decade and past five years, security has always been front and center, as almost a separate thing in itself, but the same thing.
So you're starting to see the breakout of security conversations around how to make things work. So a lot of operational conversations around what used to be DevOps, which made infrastructure as code. And that was great. That fueled that, then DevSecOps came. So the cloud native next level is more application development at scale. Developers driving the standards with developer-first thinking, shifting left. I get all that. But down in the lower ends of the stack you've got real operational issues. DNS, we've heard in the keynote. We heard about the kernel, the Linux kernel. Things that need to be managed and taken care of at a secure level. These seem like in the weeds, but you start to see that happen. And the other thing that I think is real about CloudNativeSecurityCon, that's going to be interesting to watch, is Amazon has pretty much canceled all their re:Invent-like shows except for two: re:Invent, which is their annual conference, and re:Inforce, which is dedicated to security. So on the cloud native Linux side, the Linux Foundation has now broken out CloudNativeCon and KubeCon, and now CloudNativeSecurityCon. They can't call it KubeCon because it's not Kubernetes, but it's security focused. I think this is the beginning of starting to see this new developer-driven world, developers driving the standards. And it has IT implications, what used to be called IT ops. And that's like the VMwares of the world. You saw all the stuff that was not developer focused but more ops becoming much more in the application. So I think it's real. The question is, where does it go? How fast does it develop? So to me, I think it's a real trend and it's worthy of a breakout, but it's not yet clear where the landing zone is for people to start doing it, how they get started, what are the best practices. Machine learning is going to be a big part of this. So to me, it's totally cool, but I'm not yet seeing the beachhead. So that's kind of my take.
Dave, our inventor and host of Breaking Analysis. What's your take?

So I think when you zoom out, there's a big macro change that's been going on. I think when you look back, let's say 10, 12 years ago, the need for speed far trumped the security aspect, the governance, the data privacy. It was like, yeah, the risks, they're not that great compared to our opportunity. That has completely changed, because the risks are now so much higher. And so what's happening, I think, is there's a major effort amongst CIOs and CISOs to try to make security not a blocker, because it used to be, and it still is: okay, I've got this great initiative, give it to the SecOps pros and let them take it for a while before we can go to market. And so the huge challenge now is to simplify, automate, AI comes in, the whole supply chain security, so that companies are not facing so much friction. And that is non-trivial. I don't think we're anywhere close there, but I think the goal is, within the next several years, we're going to be in a position where security, as we heard today, wasn't designed into the initial internet protocols, it was bolted on. And so increasingly, the fundamental architecture of the internet, the cloud, et cetera, is seeing designed-in security, and that is an imperative, or else the business is going to come to a grinding halt.

Right, it's no longer; the bolt-on no longer works. Yves, what's your perspective on cloud native security? Where it stands today, what's in it for customers, whether we're talking about banks or hospitals or retailers? What do you think?

I think when we look at security in the modern world, we need to, as Dave mentioned, rethink how we apply it. Very often, security in the past has always been bolted on at the end.
If we continue to do that, it will become more and more difficult, because as companies evolve and as companies want to bring products and software to market in a faster and faster way, it's getting more and more difficult if we bolt on the security process at the end. It's like developers build something and then someone checks security. That's not going to work any longer, especially if we also consider now the changes in the industry. I mean, we had Stack Overflow over the last 10 years. If I would have had Stack Overflow 15, 20, or 25 years ago when I was a developer, it would have changed a hell of a lot. Looking at it now, and looking at what we had in the last few weeks, nearly all of my team members say, finally, I don't need any script kiddies anymore because I can go to ChatGPT and it writes the code for me. Which is on one hand great, because it enables us to solve certain problems at a much higher pace. But the challenge with that is, if the people who just copy and paste that code don't understand the implications of that code, we have a much higher risk continuously. And what people thought was challenging with Stack Overflow, imagine that something in one of these AI engines actually goes ballistic and it creates holes in nearly every one of these applications. And trust me, there will be enough developers who are going to use these tools to develop code. It's the same as students in university are going to take this to write their essays and everything else. And so it's really important that every developer team basically has a security peer person within their team, and not security at the end, where we build something, we check it, it goes through QA and then it goes to security. Security needs to be at the forefront. And I think that's where we see CloudNativeSecurityCon, where we see AWS. I saw it during re:Invent already, where they said we have re:Inforce next year.
I think this becomes more and more of a topic. And I think, as much as it has become a norm that you have a firewall and everything else, it needs to become a norm that when you are doing software development, every development team needs to have a security person on it that is trained.

I love that ChatGPT comment, Dave, because you and I were talking about this. And I think that is going to be the issue. Do we need security chat for the chatbot? And there's like a recursive model there. The biases are built in, I think. And I think our interview with Palo Alto, it was the co-founder, Dave, when he talked about zero trust as a structured way to start things. But he was referencing that with cloud, there's a chance that we can do a do-over in security. So I think this is kind of, to me, where this is all going. And I think you asked Pat Gelsinger, what year? 2013, 2014, is security a do-over? I think we're in that do-over time. I mean-

He said yes.

He said yes. He was right. But yeah, eight years later. But how do you, I mean, zero trust gives you some structure, but how do you organize and redo security? Because to me, I think that's what's happening here.

And John, you heard Nir Zuk at Palo Alto Networks said, yeah, the words security and architecture, they don't go together historically, right? I mean, and so it is a total, total rethink.

Well, is that because there's too many tools out there? And people buy-

Yeah. For sure.

For every tool?

Yeah, well, first of all, a lot of hardware, and then yeah, a lot of tools. You even see IIoT and Industry 4.0. You see IoT security coming up as another stovepipe, and that's not the right approach. And so, I mean-

Let me ask you a question, Dave and Yves, if you don't mind, because I was just riffing on this yesterday. In the ML space, you're seeing the ML models, you're seeing proprietary models versus open source.
Is security going to go down this path of proprietary security methods versus open source? Because that's interesting, because the CNCF is run by the Linux Foundation. So you can almost maybe see a model where there's more proprietary security methods than open source, or is that a non-issue?

Let me jump in here first. I think the last, especially the last five or 10 years, have clearly shown the whole, and I invested early on in the late '90s in several open source startups in the Bay Area, so I'm well behind the whole open source idea, and met Linus and others back then several times. But the point is, I think what we have seen is open source is not in general more secure or less secure, because code is too complex nowadays. You have millions of lines of code, and it's not that either one way or the other is going to solve it. The way I think we are going to look at it is more, what's the route to market, because only because something is open source doesn't necessarily mean it's going to be available for everyone, and the same for proprietary source, from that perspective, even though everybody mixes licensing and payments and all that all the time, but it doesn't necessarily have anything to do with it. But I think as we are going through it, and when we also look at the industry, the security industry over the last 10 plus years has been primarily hardware focused, and a lot of these vendors have done a good business out of selling hardware boxes, putting software on top of it, whereas in reality those were still x86 standard boxes in the end. So it was not that we had specific security ASICs or anything like that in there anymore. And so overall, the question of the market is going to change. And as we are looking into cloud native, think about someone like AWS. Do you really envision them having a hardware box of every supplier in their data center, and that in every availability zone in every region? Same for Microsoft, same for Google, et cetera.
So we need to have new ways in which we can apply security. And that applies both to the backend services, but also to the front-end side.

And if I could chime in, I think the answer is no and yes. And what I mean by that is, if you take antivirus and known malware, I mean, pretty much anybody today can solve that problem. It's the unknown malware. So I think the yes part of the answer is, yes, it's going to be proprietary, but in the sense that we're going to use open source tooling and then apply that in a proprietary way with specific algorithms and unique architectures that are going to solve problems. For example, XDR with unknown malware. And that's the hard part. Somebody said, I think this morning at the keynote, it's all the stuff that the SecOps team couldn't find. That's the really hard part.

Well, the question will be, is the new IP the ability to feed ChatGPT some magically spelled insertion query string that does the job and is unique? That might be the new IP, the question to ask.

Well, that's what the hackers are going to do. And they're on offense, and the offense knows what play is coming. They're going to start.

So guys, let's take this conversation up a level. I want to get your perspectives on what's in this for me as a customer. We know security is a board level conversation. We talk about this all the time. We also know, based on, I think Dave, the conversations that you and I had with Palo Alto Networks at Ignite in December, there's a lack of alignment between the executives and the board from the security perspective. When we talk about cloud native security, we all talked about the value in that, what's in it for customers. I want to get your perspectives on, should this be a board level conversation? And if so, how do you advise organizations, whether it is a hospital or a bank or an organization that is really affected by things like ransomware, how should they be thinking about this from an organizational perspective?
Well, I'll start first, because we had this conversation during our Supercloud event last month. And this comes up a lot. And this is the CEO, board level. Yes, it is a board level conversation for security, as is application development, in terms of transforming their business to be competitive, not to be on the wrong side of history with this wave coming. So I think that's more of a management issue. But the issue is they tell their people, go do it. And they're like, because they get sold on the idea of, hey, once you transform your business, it's going to be data-driven and machine learning is going to power your apps, get new customers, be profitable. Oh, sign me up for that. When you have to implement this, it's really hard. And I think the core issue is, where are companies in their life cycle of the ability to execute and architect this thing properly? As Dave said, Nir Zuk said that you can't have architecture and security. You need platform. So I think the replatforming and the refactoring of business is a big factor. And that's got to get down into the organizational shifts and the people to do it. So are there skills? Do I do a managed service? How do I architect it? Are there more services? Are there developers doing applications that are going to be more agile? So this is not an easy thing. And to move a business from IT operations that is proven to be positioned for this enablement is just really difficult, and it's expensive. And if you screw it up, you could be on the wrong side of things. So to me, that's the big issue: you sell the dream, and then you've got to implement, and that's really difficult.

Yves, give us your perspective, based on John's comments. How do organizations shift so dramatically? There's a cultural element there as well, but there's also organizations that have competitors in the rearview mirror and there's no time to waste. What are your thoughts on that?
I think that's exactly the point. As an organization, you need to take the decision between the time, the risk and all the other elements that we have in this game, because you can try to achieve 100% security, but that's exactly the same as trying to protect gold or anything else 100%. It's most likely not going to be sensible from a risk perspective anyway. And that's the same from an operational perspective. When you look at building new internet services or IoT services or any kind of new shopping experience or whatever else, you need to balance out between the risks and the advantages out of it. And you also need to accept that you potentially make mistakes on the way, but then it's more important than ever that you are able to quickly fix any mistakes and to adjust to anything that's happening in the market, because as we are building all these new cloud native applications and building up all these skill sets, one of the big scenarios is we are far more dependent on individual building blocks. These building blocks come out of open source communities, which have a much different way. When we look back at software development back then, we had application servers from Oracle, WebLogic, whatsoever. They had a release cycle of every three to six months. And now we have to deal with open source where sometimes release cycles are on a four week schedule, with security patches in between. So you need to be much faster in adopting that, checking that, implementing that, getting things to work. So there is a security stretch from that perspective. There is a speed stretch on the other side that companies have to deal with. And on the other side, it's always a measurement between the risk and the security you can afford, because the reality is you will not be 100% protected no matter what you do. So you need to balance out what you as an organization can actually build on. But I think coming back also to the point, it's on the board level nowadays.
It's like nearly every discussion we have with companies nowadays as they move into the cloud, especially also here in Europe, where for the last five years it was always, it's data privacy. Data privacy is no longer, I mean, yes, for certain people it's still the point, but for many more people it's like, how protected is my data? What do we do in case of a ransomware attack? What do we do in case of a denial of service? All of these things become more vulnerable, where in the past you were discussing these things with a betting page or a stock exchange. They were like, what the hell is going to happen if we have a denial of service? And all of a sudden this now affects nearly everyone in their storefronts and everything else, because everything is depending on it.

I think you're right on it. You think about how cultural change occurs. It's bottom up, top down or middle out. And what's happened with security is the people in the security team cared about it. Everybody said, oh, it's their problem. And then it just did an end run to the board, kind of mid to early last decade. And then the board sort of pushed that down, and the line of business is realizing, holy cow, my business, my EBIT can be dramatically affected by this, so I care. Now it's this whole house, cultural team sport. I know it's sort of a cliche, but it's true. Everybody actually is beginning to care about security because the risks are now so high, and it's going to affect not only the bottom line of the company, the bottom line of the business, their job; it's virtually everywhere. It's a huge cultural shift that we're seeing.

And that's a big challenge for organizations in any industry. And Yves talked about ransomware, denial of service; every industry across the globe is vulnerable to this. But how can, maybe John, we'll start with you.
How can cloud native security help organizations, if they're able to embrace it operationally, culturally, dial down some of the vulnerabilities that just seem to keep growing?

Well, I mean, that's the big question. The breaches are critical. The governance also could be a way to anchor down growth. So I think the balance between the governance and compliance piece of it is key, but making the developers faster and more productive is the key to me. And I think having the security paradigm where they're not blockers, as Dave said, is critical. So I love the whole shift left, but now we have more data focused initiatives around how you can use data to understand the security issues. I think data and security are together. And I think there's going to be a data operating system model emerging where data and security will be almost one thing. And that will be set up by the security teams and the data teams together. And that will feed guardrails into the developer environment. So the developer should feel no pain at all in doing this. So I think the best practice will end up being what we're seeing with supply chain security, with making sure code's verified. And you're going to see the container security side, it's been completely addressed at KubeCon. I asked Scott Johnston, the CEO of Docker, and I asked him directly, are you guys all tight on container security? He said yes, but other people are suggesting that's not true. There's a lot of issues with container security. So there's all kinds of areas where there's holes. So cloud native is cool on one hand and very relevant, but if it's not shored up, it's going to be a problem. But I think that's where the action will be: at the developer pipeline, in the containers and the data. So that will be very relevant. And if companies nail that, they'll be faster, they'll have better apps, and that'll be the differentiator. And again, if they're not on this next wave, they're going to be driftwood.
Dave, how do they prevent becoming driftwood?

Well, I think cloud has had a huge impact, and cloud is by no means a panacea, but let's face it, it's dramatically improved a lot of companies' security posture. Now there's still that shared responsibility. You know, even though an S3 bucket is encrypted, it's still your responsibility to make sure that it doesn't get decrypted by somebody who has access to it. So there are things like that, but to Yves' earlier point, that's done through software now. It's done through best practices. Those best practices can be shared. So the way you don't become driftwood is you step back, rethink that security architecture, as we were talking about earlier, take advantage of the cloud, take advantage of cloud native, and all the rapid pace of innovation that's occurring there. And you don't use, like it was called before, the audit as the last line of defense. That's no longer a checkbox item. Oh yeah, we're in compliance. This is a business imperative, and because we're going to reduce our expected loss and reduce our business risk, that's part of the business case today.

Yeah. It's a huge, critically important part of the business case. Yves, question for you. If you're in an elevator with a CEO, a CFO and a CISO, and they're talking about security and cloud native security, what's your value proposition to them on, say, a 30 second elevator ride?

Difficult story. I think at the moment the most important part is we need to get people to work together, and we need to train people to work much better together. I think that's the overall most important part for all of these solutions, because in the end, security is always a person issue. We can have the best tools in the industry, but as long as we don't get all of these teams to work together, then we have a problem.
If the security team is always seen as the end of the solution, to fix everything, that's not going to work, because they always are the bad guys in the game. And so we need to bring the teams together. And once we have the teams working together, I think we have a far better track on maintaining security.

John and Dave, I want to get your perspectives on what Yves just said. In all the experience that the two of you have as industry analysts here on theCUBE, Wikibon, SiliconANGLE Media, how do you advise organizations to get those teams together? As Yves said, that alignment is critical, but John, we'll start with you, then Dave, go to you. What's your advice for organizations that need to align those teams and really don't have a lot of time to wait to do it?

That's a great question. I think everyone pays hundreds of thousands to millions of dollars to get that advice from these consultants, organizations out there doing the transformations. But I think it comes down to personnel and commitment. I think if there's a C level commitment to the effort, you'll see the institutional structure change. So you can see them really getting behind it with their wallet and their support, of either getting more personnel to support and assist, or managed services, or giving the power to the teams to execute, and doing it in a way that's well known and best practices. Start small, build up the pilots, build the platform, and then start getting it right. And I think that's the key, not the magic wand, the old model of rolling out stuff in six month cycles. It's really get the proof points, double down and change the culture, but also execute and have real metrics and change in the architecture, like having more penetration tests as a service. Doing pen tests is like a joke now. It doesn't make any sense. You've got to have that built in almost every day, every minute, so these kinds of new techniques have to be implemented and have to be tried.
So that's why these communities are growing. That's why I like what open source has been doing. And I like open source as the place to have these conversations, because that's where the action will be for new stuff. And I think people will implement open source like they did before, but in different ways. Better testing, better supply chain on the software side, verifying code. So I see open source actually getting a tailwind from this, not a headwind. So I'm bullish on the open source piece here on all levels, machine learning.

Lisa, my answer is intramural sports. And it's because I think it's cultural. And what I mean by that is you take your best and brightest security, and this is what frankly a lot of CISOs do, an example is Lena Smart, MongoDB. Take your best and brightest security pros, make them captains of the intramural teams, and pair them up with pods of individuals across the organization, which is most people who don't know anything about security, and put them together so that the folks that understand security can realize how little people know, what the worst practices are that are out there, and in the reverse, how they can cross-pollinate. And they do that on a regular basis, I know, at Mongo and other companies. And that kind of cultural assimilation is a starting point for how you get security awareness up, to your question around making it a team sport.

Absolutely critical. Yves, I want to kind of wrap things with you. We've got a couple of minutes left. When you're really looking at the cloud native community, the growth of it, we talked about earlier in the program CloudNativeSecurityCon being now extracted and elevated out of KubeCon. What are your thoughts on the groundswell that this community is generating around cloud native security, the benefits that organizations will achieve from it?
I think overall, when we have these security conferences or these security arms a bit spread out and separated out of the main conference, it helps to a certain degree, because especially in the security space, when you look at other conferences like Black Hat or white hat conferences and things like that in the past, although they were not focused on cloud native, a lot of these security folks didn't feel well taken care of in any of the other conferences, because they were always these, it's like, they are always blocking us, they are always making problems for us, and all these kinds of things. Now that we really take the cloud native piece and the security piece together, or like AWS does it with re:Inforce, I think we will see more and more that people understand that security is a prominent topic we need to cover, but we need to bring different people together, because security also has compliance and a lot of other components in there. So we will see at these conferences moving forward also a different audience. It's not going to be only the cloud native developers. And if I see some of these security audiences, I can't really imagine them to really be at KubeCon, because there is too much other stuff going on. And you couldn't really see much of that at re:Invent, because re:Invent by itself has become a complete monster of a conference. It covers too many topics. And so having this very, very important security piece separated also gives the opportunity, I think, that we can bring in the security people, but also have the type of board level discussions potentially between the leaders of the industry, to also discuss how we can evolve, how we can make things better and how we can actually, yeah, evolve our industry for it, because let's face it, that threat is not going to go away. It's a business.
And at one of the last security conferences I was at, on the ransomware part, it was one of the topics. Someone said, look, currently on average it takes a hacker group roughly around, they said, 15 to 20K to break into a company, and on average they make 100K. It's a business. Let's face it. And it's a business we don't like, and ethically there's no discussion that this is not good, but that's something which is happening. People are making money with it. And as long as that's going to go on, and we have enough countries where these people can hide, it's going to stay and survive. And so with that being said, it's important for us to really build an industry around this, but I also think it's good that we have separate conferences. In the past we had more of the RSA conference, which tried to cover all of these areas, but that is not really fitting cloud native and everything else. So I think it's good that we have these new opportunities, the cloud native one, but also what AWS brings up, for example.

You know, Yves, you just nailed it. It just comes down to simple math. It's a fraction, revenue over cost. And if you could increase the hacker's cost, increase the denominator, their ROI will go down, and that is the game.

Great point, Dave. What I'm hearing, guys, and we can talk about technology for days and days, I know all of you, but there's a big component: the elevation of cloud native security on its own is critical, as is the people component. You guys all talked about that. We talked about the cultural change necessary for that.
Hopefully what we're seeing with CloudNativeSecurityCon '23, this first event, is going to give us more insight over the next couple of days and the next months or so as to how this elevation, and how the people coming together, can really help organizations, from a math perspective as Dave talked about, really dial down the risks there, understand more of the vulnerabilities, so that ransomware as a service is not as lucrative as it is today. Guys, so much appreciate your time, really breaking down cloud native security, the value in it from different perspectives and what your thoughts are on where it's going. Thanks so much for your time.

All right, thanks. Thanks Lisa.

Thank you. Thanks Yves.

All right, for my guests, I'm Lisa Martin. You're watching theCUBE's day one coverage of CloudNativeSecurityCon '23. Thanks for watching.