Hello and welcome back to theCUBE's coverage of CloudNative SecurityCon North America 2023. Its first inaugural event is theCUBE's coverage. We were there at the first event for a KubeCon before CNCF kind of took it over. It was in Seattle. So in Seattle this week is CloudNative SecurityCon. Of course theCUBE is there covering via our Palo Alto studios and our experts around the world. We're bringing in Bassam Tabbara who's the CEO and founder of Upbound.io. That's the URL, but Upbound is the company. The creators of Crossplane, really kind of looking at the Crossplane across the cross abstraction layer, across clouds, a big part of as we call super cloud trend. Bassam, great to see you. You've been a legend in the open source community. Great to have you on.

Thanks John, always good to be on theCUBE.

I really wanted to bring you in because I want to get your perspective. You've seen the movie, you've seen open source software grow. It continues to grow. Now you're starting to see the Linux Foundation which has CNCF really expanding their realm, right? We got the CloudNativeCon KubeCon which is Kubernetes event. That's gotten so massive and so successful. We've been to every single one as you know. I've seen you there and all of them as well. So that's going great. Now they got this new event that kind of spins out dedicated to security. Everybody wants to know why the new event? What's the focus? Is it needed? What will they do? What's different from KubeCon? Where do I play? And so there's a little bit of a question mark in the ecosystem around this event. And so we've been reporting on it. Looking good so far. People are buzzing. Again, they're keeping it small so that kind of managing expectations like any good event would do. But I think it's been successful which I want to get your take on how you see it. Is this good? Are you indifferent? Are you excited by this? What's your take?

I mean, look, it's super exciting to see all the momentum around cloud natives.
Obviously there are different dimensions of cloud native security and important piece, networking, storage, compute, like all those things that I think tie back together. And in some ways you can look at this event as a focused event on the security aspect as it relates to cloud native. And there are lots of vendors in the space. There is lots of interesting projects in the space. But the unifying theme is that they come together and probably around the Kubernetes API and the momentum around cloud native and with Kubernetes at the center of it.

On the focus on Kubernetes, it seems this event is kind of classic security where you want to have deep dives. Again, I call it the event operating system because you decouple, make things highly cohesive and you link them together. I don't see a problem with that. I kind of like this. I gave it good reviews if they stay focused because security is super critical. There was references to BIND and DNS. There's a lot of things in the infrastructure plumbing that need to be looked at or managed or figured out or just refactored for modernization needs. And I know you've done a lot with storage, for instance. Storage, networking, kernel. There's a lot of things in the old tech or tech in the cloud that needs to be kind of, I won't say rebooted, but maybe reset or jump. Do you see it that way? Are there things that need to get done? Or is it just that there's so much complexity in the different cloud cluster code thing going on?

It's obviously security is a very, very big space and there are so many different aspects of it that people you can go into, right? I think the thing that's interesting around the cloud native community is that there is a unifying theme. Forget the word cloud native for a second, but there is a unifying theme is that people are building around what looks like a standardized play around Kubernetes. And the Kubernetes API.
And as a result, you can recast a lot of the technologies that we are kind of used to in the past in a traditional security sense. You can recast them on top of this new standardized approach around Kubernetes, right? Whether it's policy or protecting a supply chain or scanning or like a lot of the access control authorization, et cetera, all of those things can be either revived to kind of apply to this cloud native play and the Kubernetes play or creating new opportunities for companies to actually build new and interesting projects and companies around the standardized play.

Do you think this also will help the KubeCon be more focused around the developer areas there and like just touching on security versus kind of figuring out how to take something so important in KubeCon, which the stakeholders in KubeCon have grown so big, I can see security picking up a lot of, sucking a lot of oxygen out of the room there. So here you move it over, you keep it over here. Will anything change on the KubeCon side? We'll be there in Amsterdam in April. What do you think the impact will be good? Is it good for the community? Just good, swim lanes, what's your take?

Yeah, I think, you know, I still think KubeCon will be kind of an umbrella, you know, event for the whole cloud native community. I suspect that you'll see some of the same vendors and projects and everything else represented in KubeCon. The way I think about, you know, all the kind of branched cloud native events are essentially a way to have a more focused discussion, get people together to talk about security topics or networking topics or, you know, things that are more focused on. But I don't think it changes the, you know, the effect of KubeCon being the umbrella around all of it. So I think you'll see the same presence and maybe larger presence going forward at Amsterdam. We're planning to be there, obviously, and I'm excited to be there.
And I think it'll be a big event and having a smaller event is not going to diminish the effect of KubeCon.

And if you look at the developer community, they've all been online for a long time, you know, from IRC chat to now Slack and now new technologies and stuff like Discord out there. The event world has changed post-pandemic. So it makes sense and we're seeing this with all vendors, by the way, and projects. The digital community angle is huge because if you have a big tent event like KubeCon, you can make that kind of a rallying moment in the industry and then have similar smaller events that are highly focused that build off that, that are just connective tissue or subnets, if you will, or communities targeted for really deeper conversations. And they could be smaller events. You don't have to be monster events. So it's like, but they're connected and traversed into the main event. This might be the event format for the future for all companies, whether it's AWS or a company that has a community where you kind of create this network effect, if you will, around the people.

That's right. And, you know, if you look at things like AWS re:Invent, that's a massive event, right? And in some ways, if it was a set of smaller sub-events, maybe it actually will flourish more, I'm not sure, but...

They just killed the Francisco event, so...

That's right, yeah.

But they have re:Inforce, but they have re:Inforce, all right? So they just established that their big events are re:Invent and re:Inforce as their big...

Oh, I didn't hear about re:Inforce. That's news to me.

re:Inforce is their third event. So they're doing something similar as CloudNativeCon, which is our currency after having an event, and then they're going to create a lot of sub-events underneath, so I think they are trying to do that.

Very interesting.

Very interesting, for sure. So let's talk about what you guys are up to. I know from your standpoint, you had a lot of security conversations.
How's Crossplane doing? Obviously you saw our super cloud coverage. You guys fit right into that model where clients, customers, enterprises are going to want to have multiple cloud operating environments for whatever the use case is. Whether you're using ChatGPT, you got to get an Azure instance up and running for that now with APIs. We're hearing a lot of developers doing that. So you're going to start to see this CrossCloud, as VMware calls what we call it, SuperCloud, there's more need for Crossplane-like thinking. What's the...

For sure, and we see this very clearly as well. The fact that there is a standardization layer, there is a layer that lets you converge, the different vendors that you have, the different clouds that you have, the different models that you have whether it's hybrid or private, public, et cetera, right? The unifying theme here is that you're literally bringing all those things under one control plane that enables you to actually centralize and standardize on security, access control, helps you standardize on cost control, quota policy, as well as create a self-service experience for your developers, right? And so from a security standpoint, the beauty of this is like, you could use really popular projects like Open Policy Agent or Kyverno or others, if you want to do policy and do so uniformly across your entire stack, your entire footprint of tooling, vendors, services, and across deployment models, right? Those things are possible because you're standardizing and consolidating on a control plane on top of all, right? And that's the thing that gets our customers excited that we're seeing in the community that they could actually now normalize, standardize on small number of projects and tools to kind of manage everything.

We were talking about that in our summary of the keynote yesterday was Dave Vellante and I were talking about the idea of clients want to have a redo of their security.
They've been just that the tooling has been building up. They got zero trust in place, maybe with some big vendor, but now they got the cloud native opportunity to refactor and reset and reinvent their security paradigm. And so that's the positive thing we're hearing. Now we're seeing enterprises want this cross-cloud capabilities or Crossplane-like thinking that you guys are talking about. What are your customers telling you? Can you share from an enterprise perspective where they're at in this journey? Because part of the security problems that we've been reporting on has been because clients are moving from IT to cloud native and not everyone's moved over yet. So they're highly vulnerable to ransomware and all kinds of other crap. So another attack, so they're wide open. But people who are moving to cloud native, are they stepping up their game on this Crossplane opportunity? Where are they at? Can you share data on that?

Yeah, we're grateful to be talking to a lot of customers these days. And the interesting thing is like, even if you talked about kind of large financial institutions, banks, et cetera, the common theme that we hear is that they bought tools for each of the different departments and however they're organized. But sometimes you see the folks that are running databases network and being separated from, say the computer app developers there are all these different departments within an organization. And for each one of those, they've made localized decisions for tooling and services that they bought. What we're seeing now consistently is that they're all together, getting together and trying to figure out how to standardize on a smaller, one set of tooling and services that goes across all the different departments and all different aspects of the business that they're running. And this is where this discussion gets a lot very interesting.
If instead of buying with different policy tools for each department or once that fits it, you could actually standardize on policy for the entire footprint of services that they're managing. And you get that by standardizing on the control plane or standardizing on effectively one point of control for everything that they're doing. And that theme is like, literally it gets all our customers excited. This is why they're engaging in all of this. It's almost a holy grail. The thing that I've been trying to do for a long time and it's finally happening.

I know you and I have talked about this many times, but I got to ask you the one thing that jumps into everybody's head when you hear control plane is lock in. So how do you discuss that lock in perception from the reality of the situation? How do you unpack that for the customer? Because they want choice at the end of the day. There's the preferred vendors for sure on the hyperscale side and app side and open source. But what's the lock in? What does the lock in conversation look like? Or do we even have, they have that conversation?

Yeah, to be honest on it. And so the lock in could be a two dimensions here, right? Most of our customers that people are using Crossplane or using Upbound product around it. Most of them are concentrated in say, one cloud vendor and have others. So I don't think this is about necessarily about multi-cloud per se or being locked into one vendor. But they do manage many different services and they have legacy tooling and they have different systems that they bought at different stages and they want to bring them all together, right? And by bringing them all together that helps them make choices about consulting or even replacing some of them, right? But right now everything is siloed. Everything is separate, both organizationally as well as the code bases or investments and tooling on contracts. Everything is just completely separated and it requires humans to put them together, right?
And organizations actually try to gather around and put them together. And so what they're, from a, I don't know if lock in is the driving goal for this but it is standardization and consolidation, right? That's the driving initiative.

And so unification and building is the big driver. They're building out.

Right, yeah. And you can ask, why are they doing that? What does standardization help with? It helps them to become more productive. They can move faster. They can innovate faster, right? Not as a ton of like literally revenue written all over it. So it's super important to them that they achieve this kind of increase their pace of innovation around this, right? They do that by standardizing.

The great point in all of this and your success at Upbound and now CNCF success with KubeCon, CloudNativeCon and now with the inaugural event of CloudNative SecurityCon is that the customers are involved. A lot of end users are involved. There's a big driver, not only from the industry and the developers and getting architecture right and having choice. The customers want this to happen. They're leaning in, they're part of it. So that's a big driver. Where does this go? If you had to throw a dart at the board five years from now, CloudNative SecurityCon what does it look like if you had to kind of predict out the trajectory of this event and community?

Yeah, I mean, I look, I think the trajectory one is that we have what looks like a standardization layer emerging that is all encompassing, right? And as a result, there is a ton of opportunity for vendors, projects, communities to build around within on top of this layer, right? And essentially create what, you know, I think you talked about an operating system earlier and decentralized aspect of this, but like, you know, it's an opportunity to actually, we, what it looks like for the first time we have a convergence happening industry-wide and through open source and open source foundations, right?
And I think that means that there's living new opportunity and lots of new projects and things that are created in the space. And it also means that, you know, if you don't attach to this space you're likely to be left out.

Awesome, Bassam, great to have you on great expert commentary, obviously multi-CUBE alumni and support of theCUBE and as you become successful we really appreciate your support for helping us get the content out there and best of luck to your team and thanks for weighing in on CloudNative SecurityCon.

Awesome, that was good talking to you, John. Thank you.

Great stuff. Okay, this is more coverage, CUBE coverage from Palo Alto, getting folks on the ground on location, getting us the stories in Seattle, of course, CloudNative SecurityCon, the inaugural event, which looks like will be the beginning of a series of multi-year journey for the CNCF, focusing on security, of course theCUBE's here to cover it, every angle of it and extract the signal from the noise. I'm John Furrier, thanks for watching.