Umair Khan breaks down how Stacklet helps enterprises rethink governance.
Clip Duration 00:37 / May 26, 2022
Kapil Thangavelu & Umair Khan, Stacklet | Kubecon + Cloudnativecon Europe 2022
Video Duration: 17:24

Narrator: theCUBE presents KubeCon and CloudNativeCon Europe 2022. Brought to you by Red Hat, the Cloud Native Computing Foundation and its ecosystem partners.

Keith: Welcome to Valencia, Spain and KubeCon CloudNativeCon Europe 2022. I'm your host, Keith Townsend. And we're continuing the conversation with community, with startups, with people building cloud native. A CUBE alum, joined by a CTO, not as the CTO Advisor, I really appreciate talking to CTOs. Kapil Thangavelu, don't... forgive me if I murder the name, that's a tough one. I'm getting warmed up to the CUBE-C, but don't worry. When we get to the technical parts, it's going to be fun. And then a CUBE alum, Umair Khan, director of marketing. Kapil, you're the CTO, so we'll start out with you. What's the problem statement? What are you guys doing?

Kapil: So, we're building on top of an open source project, Cloud Custodian, that is in CNCF. And I built it when I was at Capital One, just as they were taking those first few steps as a large regulated enterprise into the cloud. And the challenge that I saw was, you know, how do we enable developers to pick whatever tools and technologies they want, if they want to use Terraform or CloudFormation or Ansible? I mean, the cloud gives us APIs and we want to be able to enable people to use those APIs through innovative ways. But at the same time, we want to make sure that regardless of what choices those developers make, the organization is being well managed, that all those resources, all that infrastructure, is complying with the organization's policies. And what we saw at the time was that we were getting impediments around our velocity into the cloud, because we had to cover off on all of the compliance and regulation aspects.

And we were doing them as one-offs. And so, taking a step back, I realized that what we really needed was a way to go faster on the compliance side, and Cloud Custodian was born out of that effort inside a desk that we took through enterprise-wide. And it was really about accelerating the velocity around compliance, but doing it in the same way that we do application and infrastructure as code. So doing policy as code in a very simple, readable YAML DSL, because, you know, anytime we write code, more people are going to read that code than are going to need to be able to write it. And so being able to make it really easy to understand, from both the developers that are in the environment and the compliance folks or auditors or security folks that might want to review it, was super important. And then, at the time, we saw lots of (mumbles) products and they were all just big walls of red in somebody's corner office, and getting that information back into the hands of developers so that they can fix things was problematic. So being able to do real-time remediation and real-time collaboration and communication back to developers: "Hey, you put a database on the internet. It's okay. We fixed it for you. And here's the corporate policy on how to do it better in the future."

Keith: So this is an area of focus of mine that people, I think, don't get right a lot. The technology is hard enough by itself. The transformation to cloud is not just about adopting new technologies, but adopting new processes; the data and information's there automatically. But when I go to an auditor or compliance and say, "Hey, we've changed the process for how we do change control for our software stack," I get a blank stare. It's "what do you mean? We've been doing it this way for the past 15, 20 years." That's resistance. It's a pain point and projects fail due to this issue. So talk to me about that initial customer engagement. What's that conversation like?

Kapil: So we start off by deploying our platform on top of Cloud Custodian for our customers, and we give them a view of all the things that are in their cloud, what is their baseline, so to speak. But I think it's really important, like I think you bring up a good point, like communication. The larger challenge for enterprises in the cloud, and especially in regards to compliance, is understanding that it is not a steady state. There's always something new in the backlog. And one of the challenges for larger orgs is just being able to communicate out what that is. I remember changing a tag policy and spending the next two years explaining to people what the actual tag policy was. And so being able to actually inform them, you know, via email, via Slack, via any communication mechanism as they're doing things, is so powerful to be able to help the organization grow together and move and get in alignment about what the new things are.

And then additionally, you know, from a perspective of tooling that is built for the real world, being able to, as those new policies come into play, say, "okay, we're going to segment into stopping the bleeding on the net new," and then being able to take action on what's already deployed that now needs to come into compliance, is really important. But coming back to your question on customer engagements: we'll go in and we'll deploy the Stacklet platform for them. We'll basically show them all the things that are there already and extant. We provide a real-time SQL interface that customers can use that is an asset inventory of all their cloud assets. And then we provide policy packs that cover off on compliance, security, cost optimizations and opportunities for them. And then we help them through GitOps around those policies, help deploy remediation activities and capabilities for their environment.

Keith: So walk me through some of the detail of the process and where the software helps and where people need to step in. I'm talking to my security auditor and he's saying, "You know what, Keith, I understand that the application VM talking to the Oracle database, there is a firewall rule that says that can happen. Show me that rule in Cloud Custodian." And you're trying to explain, well, there's no longer a firewall. There's a service, and the service is talking to that, and it's here in Cloud Custodian and Stacklet. Where does Stacklet either help with the conversation, or where do I inject more of my experience and my ability to negotiate with the auditor?

Kapil: So, Stacklet from the other perspective, and if we take a step back, we talk about governance as code and the four pillars around compliance, security, cost optimization, operations that we help organizations do. But if we take a step back, what is Cloud Custodian? Cloud Custodian is really a cloud orchestrator, a resource orchestrator. What Stacklet provides on top of that is UI/UX, policy packs, at-scale execution across thousands of accounts. But in the context of an auditor, what we're really providing is: here's the policy that we're enforcing, and here's the evidence, the attestation over time. And here's the resource database with history that shows how we got here. Were we compliant last year to this policy that we just wrote today?

Keith: So shifting the conversation, you just mentioned operations. One of the larger conversations that I have with CIOs and CTOs is, where do I put my people? Like, this is a really tough challenge. When you look at moving to something like an SRE model, or let's say even focus on the SRE, like where does the SRE sit in an organization? How does Stacklet, if at all, help me make those types of strategic decisions if I'm talking about governance overall?

So, I think in terms of persona, if you look at, there's a cloud engineer, then SRE. I think that what at its core Stacklet and Cloud Custodian does is a centralized engine, right? So your cost policies, your compliance policies, your security policies are not in a silo anymore. It's one tool. It's one repository that everyone can collaborate on as well. And even engineering, a lot of engineering teams run Custodian and adopt Custodian as well. So in terms of persona, Stacklet really helps bring it together. All teams have the same simple YAML DSL file that they can write their policies in, share their policies, and communicate and collaborate better as well.

Yeah. So I mean, cloud transformation for an enterprise is a deeper topic. Like, I think, you know, there's a lot of good best practices: establishing a cloud center of excellence, I think, you know, investing in training for people, getting certification so everyone can speak the same language when it comes to cloud is a key aspect. When it comes to the operations aspect, I very much believe that you should, you know, try to devolve and get the developers writing some of the DevOps. And so having SREs around for the actual application teams is valuable, but you still have a core cloud infrastructure engineering group that's doing potentially any of your core networking, any of your, you know, IAM authentication aspects. And so what we found is that, you know, Stacklet and Cloud Custodian primarily get deployed by one of three groups. You've got the CIO buyer within that cloud infrastructure engineering team.

And what we found is that group is, because they're working with the application teams in a read-write way, they're very much more used to doing and open to doing remediation in real time. And then we also have the CSO teams that want to get to a secure compliance state, be able to do audit and validate that all the environments are, you know, secure, frankly. And then we get to the CFO groups. And this sometimes is part of the cloud center of excellence, and so it has to be this cross-team collaboration. And they're really focused on that cost optimization: finding the over-provisioned, underutilized things, establishing workloads for dev environments to turn them off at night, and of course respective of time zones, 'cause we're all global these days. And so those are sort of the three groups that we see that really want to engage with us, because we can provide value for them to help accelerate their business goals.

Keith: So that's an expansive view. Cost, compliance, security, operations. That's a lot. I'm thinking about all the tools, all the information that feeds into that. Where does Cloud Custodian start and stop? Like, am I putting Cloud Custodian agents on servers or pods? Like, how am I interacting with this?

Kapil: So the (mumbles) it's stateless. It's designed to be operationally simple. And so you can run it in Kubernetes, in Jenkins; we've seen people use GitLab. We've seen people run it just as an interactive query tool, just from an investigations perspective, on their laptop. But when you write a policy, a policy really consists of, you know, a couple of core elements. You identify a resource you want to target, say an S3 bucket or a Google Cloud VM. And then you establish a set of filters: I want to look for all the EC2 instances that are on public subnets with an IAM role attached that has the ability to create another IAM user. And so, you know, you filter down, you ask the arbitrary questions to filter to the interesting set of things you want.

And then you take a set of actions on them. So you might take an action like stop an EC2 instance, and you might use it as an incident response; you might use it for off hours, in that type of policy. So you get this library of filters and actions that you can combine to form, you know, millions of different types of policies. Now, we also have this notion of an execution mode. So you might say, let's operate in real time. Whenever someone launches this instance, whenever there's an API call, we want to introspect what that API call is doing and make sure that it's compliant to policy. Now, when you do that and you run it with the CLI, Custodian will actively provision a Lambda function and hook up the event sources to it. And sorry, Lambda, really the serverless: we bind into the serverless-native capabilities of the underlying cloud provider. So Google Cloud Functions, Azure serverless functions and (mumbles) Lambda, native AWS. And so now that policy is effectively hermetically sealed, running in the serverless runtime of that cloud and responding to API calls in real time, all with, you know, structured outputs and logs and metrics to the native cloud provider capabilities around those. And that really ensures that, you know, it effectively becomes operations-free from the perspective of the user having to maintain infrastructure for it.

Keith: So let's talk about agentless and API-based. Let's talk about, like, a non-developer use case, specifically finance.

Umair: Absolutely.

Keith: You have to deploy, the ability to deploy SAP in an EC2 instance, but it's very expensive. Do it only when you absolutely need to do it, but you have the rights to do it. And I want to run a check to see if anyone's doing it. Like, this isn't a coder, a developer. What is their experience?

Kapil: So primarily we focus on the infrastructure. So load balancers, VMs, you know, encryption at rest on disks. When we get into the application workloads running on those instances, we don't spend, that's not our target focus area. We can do it, and it really depends on the underlying cloud provider's capabilities. So in Amazon, there's a system called Systems Manager, and it's basically running an agent on the box. We're not running the agent, but we can communicate with that agent. We can introspect the inventory that's running on that box. We can send commands to that box, through those serverless functions and through those policies. And so we see it commonly used for, like, incident response and a security perspective, where you might want to take a memory snapshot of the instance before putting it into a forensic credit.

Umair: Adding to that, like, these days we're seeing the emerging personas of a FinOps engineer or a FinOps director as well, because cost in cloud is totally different. So what Custodian and Stacklet allow you to do is, again, using the simple policy files, even if they have a non-developer background, they can understand this DSL, they can create policies, they can better target developers, better get them to take actions on policy as well. If they're overspending in the cloud or underspending in the cloud, especially with Stacklet, they get a lot of out-of-the-box dashboards and policy packs too. So they can really understand how the cost has been consumed. They can have the developers take actions, because a lot of the FinOps, finance people complain, like, "my developers do not understand it," right? "How do we get them to take action and make sure we are not overspending?" Right? So with Custodian policies, they're able to send them educational messages on Slack or open a Jira ticket and really enforce them to take action as well and start saving cost.

Like, if you imagine Cloud Custodian as, you know, cleaning staff for your cloud environment, like, if you go to a typical cloud account you're going to see chairs that are 10 feet tall sitting at the table, because it's been over-provisioned and obviously no one can use it. You're going to find the trash is overflowing because no one set up a log retention policy on the log group or set up S3 lifecycle rules on their buckets. And so you just have this explosion of things that people now, beyond application functioning, beyond getting to high-performance, DR-capable SLAs around your application model, you now have to worry about the lifecycle of all those resources, and helping people manage that lifecycle and making sure that they're using just the resources and consumption that they need, because we're all utilization-based in the cloud. And so getting that to be more in line with what the application actually needs is really where we can help organizations and the CFO cost.

Keith: So, Umair, you got 10 seconds to tell me why you brought me a comic book. (laughs)

Umair: We created this comic book to explain the concept of governance as code in a simplified fashion. I know Keith, you like comic books, I believe. So it's a simple way of describing what we do, why it's important for FinOps, for SecOps teams. And it talks about Custodian and Stacklet as well.

Keith: Well, I'm more of an Iron Man type of guy, or Batman. Cloud governance, or governance in general, cloud native governance, is a very tough problem. I can't underemphasize how many projects get stalled or fail from a perception perspective, even if you've technically delivered what you've been asked to deliver. That's where a lot of these conversations are going. We're going to talk to a bunch of startups that are solving these tough problems. Here from Valencia, Spain, I'm Keith Townsend and you're watching theCUBE, the leader in high tech coverage. (upbeat music)
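The policy shape Kapil describes in the interview (a target resource, a set of filters, a set of actions and an execution mode), as an added illustration that is not part of the transcript or of Stacklet's own material: two Cloud Custodian policies in its YAML DSL, the real-time check for instances launched into a public subnet (narrowed to the subnet part of his example) and the off-hours stop used for cost. The account id, role name, queue URL and Slack channel are placeholders, and the filter and action names are the standard Custodian ones as I understand them, not names taken from the transcript.

```yaml
# Added example; placeholder identifiers are marked. Not from the interview.
policies:
  # Real-time mode: Custodian deploys this policy as a serverless function
  # triggered by the RunInstances API call, as described in the interview.
  - name: ec2-public-subnet-stop-and-notify
    resource: aws.ec2
    description: |
      Stop a newly launched instance that lands in a public subnet and tell
      the launching team why, with the policy text, over Slack.
    mode:
      type: cloudtrail
      events:
        - RunInstances
      role: arn:aws:iam::123456789012:role/CustodianPolicyRole   # placeholder
    filters:
      # Related-resource filter: keep only instances whose subnet assigns
      # public IPs on launch.
      - type: subnet
        key: MapPublicIpOnLaunch
        value: true
    actions:
      - stop
      # notify is delivered by c7n-mailer, which reads from the SQS queue.
      - type: notify
        subject: "Instance stopped: launch into a public subnet is not permitted"
        to:
          - slack://#cloud-governance                                  # placeholder
        transport:
          type: sqs
          queue: https://sqs.us-east-1.amazonaws.com/123456789012/custodian-mailer  # placeholder

  # Periodic mode: the off-hours cost policy mentioned for dev environments.
  - name: ec2-offhours-stop
    resource: aws.ec2
    description: Stop opted-in dev instances at 7pm in the team's time zone.
    mode:
      type: periodic
      schedule: "rate(1 hour)"
      role: arn:aws:iam::123456789012:role/CustodianPolicyRole   # placeholder
    filters:
      - type: offhour
        tag: maid_offhours      # opt-in tag; its value can override the tz/hour
        default_tz: et
        offhour: 19
    actions:
      - stop
```

Run with `custodian run -s out policy.yml`; the same file can be dry-run first with `custodian run --dryrun -s out policy.yml` to see which resources each filter set matches before any action is taken.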