Not your standard DevOps discussion: this session delves into DevOps, but not as you might know it. Featuring special guests Dov B. Katz – Managing Director and Distinguished Engineer at Morgan Stanley who looks at how highly regulated businesses are adopting DevOps and how automation can simplify some regulatory processes. Benny Schnaider – serial tech entrepreneur dives into the expansion of DevOps practices within business layers ( think SalesForce as code…). Dor Atias- VP Engineering at CyCode, gives his take on how DevOps is being used today in startups; and our very own CEO Ariel Dan looks at the expansion of DevOps – reaching beyond infrastructure, delving into DevSecOps and Value Stream Management.
Intro: Welcome to the Cloudify Tech Talk Podcast. Taking a deeper dive into all things DevOps, all things toolchain, all things automation and all things orchestration.
Jonny: A very warm welcome to Episode 10 of the Cloudify Tech Talk Podcast; 10 episodes in and we’re still going strong. My name is Jonny, I will be your moderator today. And today’s session, we’re going to be talking about DevOps but not as you know it. So I don’t really want to step on Nati’s toes here so I’m going to hand it over to him. That is Nati Shalom; our CTO to explain a little bit more about today’s session and what to expect. Nati.
Nati: So welcome everyone to this podcast. This podcast is going to talk more about the market trends in DevOps. And we’re going to talk about what’s coming up in DevOps in 2021. We all know the term I think, at least two people in the audience here, for a while here, it’s not a new term. But we’re kind of experiencing a new wave of things that are happening that are different than what we used to do when we were thinking of DevOps which I think is interesting.
That’s why I think it’s a very interesting topic. So we’re not going to talk about, you know, the terraform of the world or the [inaudible 00:01:21] of the world. We are going to talk about more of the non-regulated business of the world, those who are just starting to join the game right now. We’re going to talk about how DevOps is going to expand into other areas, not necessarily just the infrastructure, and Benny is going to cover that.
And we’re also going to talk about DevSecOps which Dor has been a regular speaker here in some of those calls. We’ll talk quite a bit about that. And hopefully, it will help me also to moderate the discussion. And we got Ariel; Cloudify CEO will talk about the term that is coming to market right now which is called Value Stream Management, VSM, it is called and we’ll cover those types of topics today.
So as you can see, it’s going to be DevOps centric but a different DevOps discussion than what most of you have been accustomed to. So without further ado, I’ll start with a quick round of introduction. We’ll start with you Dov.
Dov: Hi, my name is Dov Katz. I work with Morgan Stanley. I’ve been with them for almost 20 years and I am responsible for an area of the firm that helps with developer productivity and shared technology and infrastructure. Outside of work, I also am the Chair of the FinTech Open Source Foundation which is now part of the Linux Foundation. And I’m very active in that open source community as well, nice to be here.
Nati: Nice Dov. Benny, to you.
Benny: Thank you Nati. I’m Benny Schneider, I’m an entrepreneur. In the past, I had four companies that I co-founded. PentaCom and P-Cube in the networking space, most of them were acquired by Cisco. PentaCom in 2000 and P-Cube in 2004. Then Rami Tamir and I started another company, Qumranet. You guys probably know it from the KVM; Kernel-based Virtual Machine. It was acquired by Red Hat in 2008.
Then we started another company called Ravello that was acquired by Oracle in 2016. Today, in my day job, I’m involved with a company that includes Rami Tamir and Gil Hoffer. We started about two years ago, it’s in the area of business operation, we’ll talk about it some more. It’s called Salto. In my night job, I’m involved with several companies; investors and board members. Some of them to mention [inaudible 00:03:46] in the networking space, Spotinst that was acquired about a year ago by NetApp.
Nati: And I will also mention that it’s not just your night job, you’re available on [inaudible 00:03:57] on Sundays so just the people would be aware of that, the time that you spend helping others. Dor, to you.
Dor: Hi, everyone. So I’m Dor Atias. I’m the VP of R&D of a company called Cycode, it was founded one year ago. Cycode is focusing on securing the DevOps pipeline in lifecycle. Before Cycode, I was R&D group manager on BlazeMeter and Load Testing platform. And I have experience with the DevOps cloud and SaaS platforms.
Nati: Right and Dor has been a regular speaker in this also where some of you are probably familiar with the name. And as I said at the beginning, he’s going to help me also moderate some of the calls. And over to you Ariel.
Ariel: Well, it’s great to be here. My name is Ariel Dan. I’m the CEO of Cloudify for the past two and a half years. Before that, I co-founded a cybersecurity company around the space of managing encryption keys in public clouds. That company has been acquired by Intuit, gives me great pleasure to be here.
Nati: Excellent. I’m actually, you know, it’s surprising that this is the first time that we are on a podcast together. Those who are not familiar with the background, we’re actually meeting at lunch here just a few minutes ago and we’re talking about it. And then I brought him into the podcast, and sorry, I’ll change your schedule immediately and jumped on the call. So one of the topics that we’re going to discuss is agility. So I think that was good, I’d say staging for that topic.
Ariel: A great example, being agile with Nati is —
Nati: A must. So we’re going to start with you Dov. You’re representing what is called the, would say, I wouldn’t call it the dark side but kind of the one who is joining late to the game in terms of DevOps, the regulated business, the financial industry, all these guys, I would say. I can say that you kind of fit both the startup world and both finance worlds. That’s why I thought that it’d be a great addition to this call.
But one question that comes to mind is, why now and why it’s been so late in the game and why so long? And later, we’re going to discuss, you know, the nuances and differences.
Dov: So I’m going to speak from a point of view of the financial services industry, given my involvement in the industry association FINOS. And I wouldn’t describe us as being behind on DevOps, in many cases, there have been teams extremely productive and extremely successful. But you know, perhaps institutionalizing it has historically been a challenge because of various regulatory obligations that we have.
Producing evidence, making sure there is the accountability and the tooling that we historically have had over the years, might not have really been as helpful to us or we build some other workflows around it. So it becomes difficult to adopt new tools. But I think that now a couple of interesting things are happening. One, with a different attitude towards cloud, you know, more of the tools that are being innovated on are being made available for us to consider using.
And in addition to that, we have just the general development talent pool coming with ideas of how to automate things. And the realization is there now where people are fully aware that machines do things more accurately than people. And that the heart of the issue around perhaps automating high amounts of change into an environment that is extremely risky, a big part of that issue is not having enough confidence that you’re not going to break something.
And this is where a lot of the change freezes typically come into regulated businesses, where you may have a change freeze during market hours because you don’t know what’s going to happen. And you certainly don’t want something to disrupt the business and impact clients or something else. In fact, in the markets similarly, you might have a situation where you’re not quite sure if the right checks are done. So you get these change approval boards together.
And then you need to make sure that those processes are documented the way regulators like them. And, you know, there was a book that Dr. Nicole Forsgren wrote, I guess, with Gene Kim and some others; Accelerate, where they talk about the fact that change approval boards or cabs, as they call them, that kind of process.
They did some correlation between stability and people who had these processes and found that in some cases, there was no correlation between more stability and those processes actually being instituted in organizations. So then the question becomes, okay, well, we were too afraid to change that, what do we do about it? So ultimately, I think, really, it comes down to what technology can we put in place that produces a high degree of confidence that nothing bad is going to happen.
And that can be either the technology and the tools themselves or the impact of the breakage is so small if you’re making smaller changes, you’re doing trunk-based development, you’re doing blue-green deployments, whatever it is. All those practices ultimately shrink the blast radius such that there’s more confidence. I mean, we can look at it now. Right.
We’re all going through Corona right now. And we have to shut down society because we’re not sure what’s going to happen. We have to shut down everything, we’re not sure where the dangers are. We have no confidence. If we had more confidence, we open half the industries because they are not risky but we don’t know. So instead, we have to be extremely careful. I think it’s very similar here.
So I think that the realization going on right now is there are tools out there that can produce more competence for us. And when we have that in place, working with the regulators, they’ll get a better outcome over time if we can show them we are more confidently reducing the inherent risks of making change. Because the volume of changes is going up and —
Nati: Yeah, what’s the compelling event? I mean, why now? Is that because there is more competition in the market right now by those who are born in cloud startups that are starting to get into the game and those kinds of forces that change or is it just a maturity cycle?
Dov: So I think it is the cloud and innovation a little bit in the sense that the tools and technology platforms that we want to adopt and every large enterprise has some form of cloud transformation initiative in its various stages of maturity. You know those come with a new generation of tools and those tools are way easier to use. And the pace of change that’s needed to deliver is way higher.
So, you know, while in the past that was done with extra-human discipline and some clever tools, many groups have written. In fact, at FINOS, we’re trying to figure out together, what tools have we written to make it easier for us to comply and be responsibly deploying changes to production? What can we share with each other? These aren’t the sources of competitive advantage, the software we’re releasing is but the tools are not.
How do we collaborate on that? FINOS is the Fintechs Open Source Foundation, it is all of the largest financial institutions in the world on the sell side, a bunch on the buy side, as well as some strategic vendors and partners and Fintechs. And really, you know, it’s a new world of embracing things we have in common, where we’re not competing with one another and how we do those together.
Anything from our cloud configurations, config as code actually complies with what the regulators would like us around security standards and around the way we deploy it to other areas like common data formats, replication, free rights to exchange data between each other. So it’s been extremely successful, you know, as evidenced by acquisition merger with the Linux Foundation and the large financials are doing a lot of the contribution.
So that fear of being in the open-source community, you know, we crossed that chasm as it’s been put before. And so now it’s like, let’s find these opportunities together, what are some of the challenges we have in common? One of them is we’re a highly regulated business. And if we’re highly regulated, we’re all coping with what kind of evidence do we need to demonstrate to our regulators or others that we are responsibly delivering changes to production in a way that does not compromise the integrity of the markets and the stability of our firm systems.
And while that used to be lots of paperwork and workflows that are human-intensive, there are now the opportunities to use tools and all the modern breed of tools that are out there to do a lot of this in a more automated fashion. And some really clever tools that are emerging in the space, that again, help us build confidence.
So to me, you know, it’s the need for confidence and the need for speed and one will enable the other. So if you have more competence, you can move more quickly. If you don’t have that confidence, you have no choice but to move slowly. And so I think with the new breed of developers coming out of the talent pools into our organizations and the new breed of tools that’s coming along with cloud, there are tremendous opportunities for institutions and innovators of new tools to help people go quicker.
And ultimately, the regulators, I would imagine would not only benefit because their objectives would be achieved more easily. But at some point, they’re going to demand that these DevOps practices are the only way development takes place in organizations because it’s that much more reliable.
Nati: Excellent. And just one, plugged into FINOS, we’re going to have a separate podcast dedicated to FINOS. So we’re going to talk a little bit more about it, I would say that it’s not the regular Linux Foundation project that you’re accustomed to. It’s not, you know, there is no source code or specific product behind it. It’s a more collaboration kind of entity where, you know, people from those organizations meet together to discuss best practices.
And at some point, it ends up with some code examples and code references. But it’s not the main I think target at least, that’s my understanding. Again, we’re going to have a podcast dedicated to FINOS later this month.
So that kind of thing provides a good segue to Benny. Benny was in Ravello at the beginning like before this startup for Salto, which kind of had a different concept on how to deal with regulated business, trying to enable the cloud into them and maybe Benny could touch on that.
And now you’re kind of doing the transformation even within your own startups that you’re doing in kind of almost regular business, moving from how to take those Brownfield applications or Brownfield environment into Cloud like you did in Ravello and now doing everything as code. So maybe you could touch a bit about your experience with Revello and then Salto and how those two are different and what the concept and why are we calling it everything installed.
Benny: Okay, so let’s get to it by the order that you describe right now. Ravello. So in Ravello the business model was basically to be a cloud provider. The vision that we had is that everybody will eventually move to the cloud. We are talking about 2011, 2012 when we created this vision. And because we came from a virtualization background, the assumption was that everybody will move their application from private to the public cloud, as is without any changes.
So we created this special layer because the environment in the private and the public cloud is different. We kind of simulated the environment of the private cloud on the public cloud. We have a shim layer, we called it HVX because we knew virtualization. We use nested virtualization, we created an overlay network, an overlay storage layer, all with taking a monolithic application from one place and moving it to the other place.
We probably want to talk separately about this and what we have learned that given our assumption, even in retrospect of almost 10 years later. But I want to talk about the pain that we had in the operational part of the business. As we said, we were kind of the virtual cloud provider and we needed to support all the business tools. So CRM, marketing, finance, and all the rest.
And we very quickly realized that the wall of the business operation is probably 20 years from where software development was about 20 years ago. So we created Salto with the knowledge and the know-how of the DevOps and software development methodologies. And we said, let’s bring in to the area of business operation. So let me pause you for a second and try to explain what do I mean by ‘everything is code.’
So it’s really about the methodologies and software methodologies. So code is always related to software. And here I’m relating to software methodologies. So what we have in software methodologies are several things. I touch three or four main aspects that are relevant, also to what Dov has described.
So first of all, is automation. The ability to repeat the process again and again, without making many mistakes. So the alternative to automation is doing things manually. With software methodologies, you’re able to do things repeatedly, reliably. And you can guarantee that if you do everything for a starting point, in other words, you have predictability in your system, you will apply the same processes, you will get the same results.
The other aspects of soft methodologies are things like backup and recovery. So Dor talked a lot about being confident in changes. We tend to break things even in software and the powerful thing is that we are able to go back to the last backup or the last point where we had something and recover very quickly. So all these methodologies that we are borrowing from the software development world are good things that are enabling things like agility, which is critical in today’s business.
The ability to move fast and to adjust to changes, the environment around us is constantly changing. And companies that can adjust quickly are the one which will win eventually. So you need to be agile in everything that you do. So going back to the point of everything is stored, it really means from my perspective, everything in what you’re doing is using software methodologies that have proven themselves in the past in the area of software development and recently in DevOps.
So let’s go back to Salto. In Salto, we said let’s look at the area of business operation. In business operation, in the past used to have monolithic tools like a [inaudible00:19:43] system from SAP, [inaudible 00:19:46] system from Oracle which were pretty good as a standalone. Today, when you look at modern companies especially SAS companies boarding the cloud, they usually use best of breed from all the different segments.
If you go to these companies, you will find 10s, maybe hundreds of SAS tools that together need to comprise their business operation processes. So at Salto, we looked at the business operation as three main components. Number one is the configuration of the tool. Number two is the interaction between the different tools. And number three, it’s the business processes themselves.
In Salto, we are focusing on the configuration of those tools. So if you look today, just to illustrate why ‘everything is code’ is important, these tools were basically designed from the get-go by the vendors for time to value, which means once you install the code or my tool, I’ll show you the value in the fastest possible time. This is great but when you look and I’m sure that other people here can testify, the time is already being spent on making changes and maintenance.
And if you don’t have good methodologies, you don’t know who will change what and it’s not only for regulation. If you’re unable to recover from changes, all your processes in your organization are slow. So we said let’s bring configuration or let’s bring our non-methodology, software development methodology to configuration. So very similar to what HashiCorp is done, we have created our own configuration language that specifically design is a declarative language for configuration.
We’re able to extract configurations and we are able to understand them. We have an Intel representation that allows us to do very powerful operations on these configurations. Now, this is only the first step. The next step if you want to do where these things are going, I would say that the next step will be to apply softer methodologies of ‘everything is code’ to the business processes themselves.
The business processes will be defined as the code in a formal language. And then I think the next thing will be putting it all together in a concept that’s called a monolithic repository. So what I mean is that everything that’s related to your organization will be sitting in a repository. The monolithic doesn’t mean that you have to install everything. It means just that there is a way to restart your business from any non-point, whether it is the entire business or portion of the business.
And I think it’s extremely important because things tend to break at the boulders and the interruption between modules. And what we see today is that because this business operation is separate from the code, when you’re making a new release in your code or people are making changes, because, on the process of the integration is many, it always breaks. And it breaks in production usually, at the most critical point.
So the vision is really to get everything into the same methodology, same repository. So to summarize, to me, when we say ‘everything is code,’ it’s really about using software methodologies to enable agility and adjustment and adjustment to changes that are constantly happening in our environment.
Nati: So in your specific example of Salto, automation, obtained business tools and marketing and sales tools are not, you know, we used to have IFTTT and you know, the likes of IFTTT. What’s the difference here? How is this different from IFTTT?
Nati: For those not familiar. It’s If This Then That.
Benny: Good question. So, the first difference is that we are making those changes with softer methodology. So we are enabling, by the way, the dual-mode so you can still configure your CRM, let’s say salesforce.com with your Salesforce [inaudible00:24:42]. We have a tool that extracts the configuration, allows you to view it like you would view it in any ideal environment.
You can save the state in a get-up and you can compare. You can add a truck here which constantly monitors those changes that are being done in one environment. And you can make rolling or back them up in another environment. So the first difference is that we are focusing on the configuration. And we are codifying the configuration, we are making the configuration generic that can be stored in the one repository in GitHub.
The second change which I think is important, this language is generic. Actually, it’s an open-source platform that has adapters to each and every SAS tools that are currently running. When I say each and every one I mean, I’m a little bit cheating here because we’re only supporting a few. It’s open-source, among other reasons to allow other vendors and partners to come and write their own adapters.
And by having one place, one language that keeps the configuration of all your SAS tools, you have a very powerful way to configure those different tools that may not be necessarily related the way they are currently configured. But the semantic, the business logic is very irrelevant. I’ll give you an example. Let’s say —
Nati: We will have to just run a little bit faster here but I think from what I’m hearing, I think the experience is quite interesting. So we’ve kind of been in Ravello, in the lift and shift business I would call it for the sake of simplicity. And now you’re moving into ‘everything is code with Salto which is basically applying DevOps practices into not just infrastructure, but also the Salesforce and managing the marketing tools which used to have some automation, marketing automation tools, but not necessarily managers code.
And the change that we’re seeing right now is that when it comes to automation, the tools that we’re kind of, the marketing automation were built in certain ways, infrastructure automation was done in a certain different way. And we had this lift and shift up of processes. We kind of, again, from a trend perspective, it looks like we’re moving into a model in which we all are adopting the same type of automation practices which is determined by code, determined by practices of how we develop projects in code and applying them to other areas in the business.
So that’s kind of an interesting way to look at that one, top-down perspective, I’ll switch over to Dor. I think the other area where we see this type of automation and ‘everything is code’ moving also into areas of security which is, you know, not necessarily, I think everyone can understand why it’s been relatively late in the game where we’re starting to see automation in security. It sounds almost like an oxymoron, right?
When you apply automation to security, are you not really creating more vulnerabilities? But I think the type of description that I heard from Dov about the type of business that we’re seeing is also automation of behavior, kind of detecting. This is where probably AI comes into play. We’re not just automating securities, we also now have more information about behavior like when [inaudible 00:28:29] has happened, you know, what are the expected behavior in terms of processes? And how can we detect anomalies around that?
And I’ll let Dor maybe cover that part. And first of all, start with what is DevSecOps and how do you view those things?
Dor: So I must say that I love automation. I talked about it with my [inaudible00:28:54] six years ago that QA should be also automated and we shouldn’t do manual QA anymore. And from, you know, six years ago, it was about QA but today, it’s about DevOps. You need to do everything automated because like Dov and Benny said it will cause errors and bugs because people are doing mistakes.
But even if you are doing all the things automated and in the DevOps pipeline, you need to think about security. You need to remember that, okay, everything is now as code as Benny said and also ‘everything is code.’ So, code is everything, okay. You must secure your DevOps pipeline because your code will probably cause a bridge to your production system and your sensitive data. So you have to secure not only parts of the development lifecycle.
For example, you don’t need only to enable two-factor authentication on GitHub and you don’t need only to make sure the buckets in S3 are public. You need to take a look at all the pipeline from a high-level perspective and see that every action in every stage can cause you harm. For example, if one of the developers will commit to a protected branch because it has admin rights, it can help your protection because now all the infrastructure is code.
Terraform, cloud formation components, all of that files are stored in your source control and now the developers have much more power than they had a few years ago. I mean DevOps is about removing complexity in the development process and increase velocity like Dov said before. But because we need to adopt new tools and be all the time, you know, close to the new technologies, you need to secure the DevOps infrastructure.
You can’t forget about it because it will hurt your system. And also, because you are automating your process, you don’t know everything. You don’t know all the parameters of every issue to instance that you are provisioning of every Kubernetes cluster you are provisioning. You need to have processes around the DevOps pipeline to notify you if you do something wrong.
Also, because you have like regulations and all of that like Dov said, you need to have pauses every few months or every, you know, one year to have compliance with both, to see that everything you’re doing, you’re doing right because you there are standards in the industry you need to follow.
Nati: And I think what’s interesting about this area is that I think Dov was talking about automation as you know, doing things more reliably; meaning that we’re taking manual processes or human-driven which obviously is not a reliable machine into something automated. In here, I think we’re crossing that point towards something that is, you know, doing things that we as human are very poor at being able to do, can’t even do, which is all the behavioral analysis and anomalies that you’re talking about.
So we kind of think with DevSecOps moving from automating manual processes in a consistent way to a process in which we also add a dimension of behavioral analysis, trend analysis and applying it into those automated processes. Things that, you know, before that, when I look at what we’ve been doing before it was human, we’re not really scanning all those things and we’re not able to do those stuff.
Can you describe a little bit, you know, how you see that trend moving? Like, to what extent are we going to use those types of automation? Are we going to be in next podcast or upside a couple of years, are we going to have this entire podcast being done automatically by Cyborg or by, you know, robots?
Dor: So I don’t know. I don’t want to
Nati: We’re going to have an automated Dor?
Dor: I hope not. But I must say that a few months ago, I talked with my colleagues in Cycode and I said, “everything is going to be as code.” And then I saw Salto, I just saw the investment announcements and I said, “you see, everything is code.” You can see that even configuring your SAS tools and Salesforce is doing by code and you must secure your Salesforce.
Because maybe someone did some configuration that will expose sensitive data of your customers, not even your source code or your production system but your sensitive company details. And even today, we have a telephone plugin, for example, for everything. You have terraform plugin for GitHub, even to give you an admin on the GitHub organization I can do via a source code. I can commit to a side branch and give [inaudible 00:34:25] admin and it shouldn’t have admin on all the repositories.
So I think in a few years, we will see a trend become higher and higher on this area I think and because of that, we will see more and more security standards and compliance that the company should follow. And especially companies like JP Morgan and financial services that go now from the on-premises services to the cloud and they should make sure that everything is compliant. Because you can see that even the simple developer today can do harm, can do harm in many cases.
You can see that even Uber breach that happened one year ago, two years ago, GitHub user that has admin repo have access to, is admin to one of the repositories and committed infrastructures code file with a secret and it didn’t have two-factor authentication enabled. So someone just hacked his GitHub personal account, then he saw the secret he committed from the infrastructure file and then you just hacked Uber production system. So this is something that companies should follow and make sure that their security is in place.
Nati: Excellent. So I think if I kind of do a recap of what we discussed so far. So Dov was covering why organization outside the regulated business, the financial organization and the rest of the businesses are now joining the game and why confident and doing automation in confidence is key.
I think Benny kind of covered his personal experience with being from kind of the lift and shift trying to make the cloud look as the old world and, you know, the challenges that have been there. And why he is moving from that concept into everything, Salto and expanding into other areas.
And I think Dor, you describe the behavior of automation which I think applies to DevSecOps in which we’re not just automating configuration management, we’re also monitoring behavior, historical behavior and patterns of usage which is kind of getting into a different territory of automation. And by the way, in the industry, we are now starting to hear the word [inaudible 00:37:02] and AI ops and another type of Ops which kind of indicates that ‘everything is code’ is now spreading towards other things.
And that’s a great segue to you, Ariel because I think what comes clear out of this trend is that we are starting to see many types of automation. Each one of them specializes in different areas. And now we’re at the world in which we’re not moving manual processes into automatic processes, we actually having, you know, a storm of many, many automation tools. What do we do with all that?
Ariel: It’s very true, right. I mean and I think that all the speakers touched on the issue, everyone from its own perspective. I think that the biggest problem in the automation world is the, you know, number of automation tools that are out there. And they’re out there for a good reason, right, you need certain tools for networking configuration automation, you need certain tools to automate your public clouds, you need certain tools to automate your containers. And you need certain automation tools to automate your security, right.
But what the industry had learned and you know, interestingly enough, I didn’t talk to Benny prior to this podcast. But it’s very interesting to hear Benny think about this from a business operations perspective because it’s exactly the same thing. Right. What you are finding in the industry now is that certain teams would continue to use certain tools and the problem is still, you know, automation is done at silos, right.
And that may, you know, very well be a security exposure, right. We’ve seen one of the largest banks in the US being exposed in Amazon Web Services due to a misconfigured web application firewall. And that was a huge one, right. And it happened because someone had automated something not exactly as it should have been automated, right.
So this brings the world specifically, you know, the world that we’re playing in, not the infrastructure and operation to the realization of what, you know, Gartner is defining as what value stream management platform, right. It’s no longer silos have automation tools or automation being done in silos. It’s the realization that there are a number of tools and there is a need for best of breed, i.e, I’ll forever continue to use more than one tool to automate my stack.
I’ll use one for security, another one for networking, another one with public cloud, another one Kubernetes, etc, etc, etc. How do I manage all of this? And Value Stream Management Platforms or VSMPs is exactly this, right. I mean, I think that you know, the first thing that is sorely needed is that a single pane of glass. You know I’m an operator, show me everything that’s being automated. I want to see it all from a single location, that’s the first thing.
The second thing is I need a ‘market place of, you know, plugins and architectures,’ right. I need to integrate it all together into something that would make sense. And to end, some of my architecture would start with a virtual machine on my private cloud and very quickly move to a container running on Amazon Web Services. Right.
How do I manage the end to end? How do I see that there are no security risks throughout that service, automation process and so on and so forth? So I think it’s very clear and again, it’s not surprising, it’s part of the evolution that we’re seeing, right. I mean, when public cloud just started, specific tools were fine. It was a disruptive technology and you know, at the time, all you needed was to automate infrastructure architecture in AWS.
You know fast forward to where we are today, you know, that the de facto reality is that you need much, much more than that. You have many automation tools, you have many teams using separated automation tools and infrastructure. And, you know, the next evolution is bringing it all together, having someone dictating, right, how a specific automation process would look like and expose it to the relevant team.
And, you know, give you an example if we have time. DevOps in many cases, DevOps teams are the youngest, most kind of capable teams in or I would say, modern, not capable in the enterprise, right. So you have those DevOps teams running around, figuring out how to bring environments very, very quickly in public clouds, right. If this wouldn’t be regulated, if there is no guidance from an operational or DevSecOps teams, then very quickly security compliance, governance will be broken as part of that process.
Because, you know, the DevOps intent is to do things quickly and most efficiently, where it’s operationally and security-wise as Dov mentioned, that wouldn’t necessarily be the case, right. You have to do this with confidence. And so by providing an end-to-end methodology that allows a service designer to specify how a certain architecture would look like, right, and then hand it over to the DevOps teams And basically tell them listen guys, “this is how you bring up a web application server in Amazon Web Services.”
That’s all you can do, you can’t do anything more than that. But you can do that with a click of a button. This is where the industry is heading, that’s a very simplified explanation of Value Stream Management Platform. And, you know, I think it makes a lot of sense. And again, what Benny described is exactly this from a business operations perspective. You know it goes exactly the same way for infrastructure and operations, the same thing.
Nati: Okay, so I think what comes out clear in all this discussion is that we are moving from, I would say a linear progression in automation where we’ve seen [inaudible 00:43:03] doing integration management. And [inaudible 00:43:05] did the same thing but in a much simpler way. We discussed Sage and terraform came with infrastructure as code where they were basically taking that concept of, you know, how do you develop gate and apply it into infrastructure automation across many clouds.
I think that was kind of the wave of progression that we’ve seen which as I said, was mostly linear like one thing did slightly better than the others. And that’s kind of where we are today. What we’re discussing here is, what I think [inaudible 00:43:34], they’re calling the next wave of automation in which we’re expanding into everything that’s code but not in that linear progression. It’s kind of almost exploding, at least from the web.
We’re talking about real, you’re talking about the automation of automation and I’ll talk to Dor about it which is kind of interesting. We’re talking about behavioral automation like in the case of what Dor describes with Cycode and Benny talk about, you know, automating everything in marketing and salesforce and business type of processes and SaaS-based applications and kind of taking it to the rest of the organization.
So kind of making the entire organization think as developers in many ways. And Dov was talking about the regular business getting into that and figuring out ways to do automation, safely and with confidence, kind of put that into place which is very interesting in the sense that we are seeing that big wave coming towards us. And that brings the question of, where’s that going to end? I mean, are we really going to be at the point in which the things that we’re discussing right now are going to be automated as well?
I think Dor and Ariel will be discussing a lot here. But the discovery, for example, why do I need to create template files manually? Why do I need to even start with that as a starting point? Why can I just take a snapshot and say, I want to use this EKS environment in this type of configuration that I’m already running, just create a clone of that in Azur, or create a clone of that another cloud? You already know —
Dor: I’m saying I completely agree with you because I already created it on, you know, my playground maybe on creating such a cluster on AWS and you can understand from looking on my architecture, how to build it automatically. And it will make the companies more agile because they don’t need to write their own terraform template or their own cloud formation template because someone has already done that. And you just need to do, you know, the small tweaks to make it fulfill my needs. So I completely agree with you about that.
Nati: So maybe Dov and Benny, try to kind of look at that from your lens and try to explain why we’re seeing that, you know, jump from that linear progression into that jump that we’re seeing right now. Is that because now the fact that everything is already automated makes it possible to do things much faster than it used to be in the first auto-generation, which we’re moving from manual into automated? And now moving from automated to much more automated is not the same type of progression, it’s not linear, it’s more of an explosion?
Dov: So I would just add to that I think we’re seeing a large amount of infrastructure being retired and upgraded. And those come with a whole set of new tools. And the infrastructure’s code is more of a given than it’s ever been before. So you’ve got, you know, that turnover taking place along with a much more mature organization, these technology departments of these large enterprises that are way more educated in the kind of latest tools, either because new talents has come in, or because these companies have already adopted them.
And that’s just allowed for like a breeding ground for let’s automate as much as we can. I think they’re recognizing that you know, without automation, we’re going to be spending years doing things that some of the nimble, you know, smaller operators out there can do much more quickly. So, looking at how do you produce enough confidence that the control structures in these larger organizations allow for the same speed as you can get in places where maybe some of their fewer controls and that’s I think people are opening up to that now and people are seeing the value and the additional safety, not the opposite that that provides.
Nati: Benny, anything on your end?
Benny: Yeah, so I want to continue those points about having the recipes. I think the next step may be things like a library where people can donate maybe open source there. Cook recipes on how to do business processes, how to do full development. I can tell you in Ravello, for example, we had the recipes for the entire data center deployment.
We could deploy, you know, 1000 VMS. It was for security gains that you can kind of test how you will behave under attack and it can put your entire data center, this was the template and the template was for, you know, smaller, maybe three, five VMS, up to 1000 may be more than 1000 VMS. The same thing can happen here, you can have recipes. So, you know, companies like Netflix will give to the community the way they are doing customer grading.
And it could be a recipe that can be applied to other companies, adopted by other company and they can make changes and adapted to what they need. The same thing comes for configuration. Now, if you ask me where it is going from my experience in this field, somebody smarter than me said that there is no problem that cannot be solved with yet another layer of [inaudible 00:49:16]
Yeah, so you know without talking about the performance implication, especially in software and hardware where my roots are, I think once you have the recipes, it will be about creating invariant platforms that could serve those recipes in the best way. But we are talking here, way into the future. But practically what I can tell you today, you know, we’re talking here between us like the world is already there.
I saw a presentation the other day by AWS who said that only 4% of the total IT budget is in the cloud. So it means that we have a long way to go where the industry is and my point is that it takes customers and organizations a long time to adopt these methodologies that we are talking about. Most of the things that we are talking about here, we are in the front end of where most of the industry is. So we have to realize that it takes the organization time to adopt these methodologies as vendors.
And also that the current way that the entire cloud is set is mainly set to support the bonding of the cloud companies and not necessarily for the 90, the [inaudible00:50:58] connector, right. It’s like the document of the 4% and the 96%, the [inaudible 00:51:03] of the rest of the IT industry, where they need a lot of failing in order to adopt these methodologies. So it will take time till we get there and there are many startup and business opportunities to fill this gap.
The good news is that what’s driving these people is business. Unless you adopt agile methodologies and your business is code, you will not be able to compete with a company that you are competing with. I can tell you as an entrepreneur that in the old days, we used to compete with companies who move slow. And it was kind of probably the new idea, just run faster. We have a good saying in Hebrew, “you start as fast as you can and then you increase the speed.” I know —
That’s the way it was in the past because the incumbents were slow-moving. Now we are facing competition that they are fast-moving too, they are adopting this methodology. So when I say on the design cycle I’m being shortened and you have to move as fast as you can. You have no choice to adopt these methodologies. So I’m saying to summarize, in the short term, it probably will take longer than what we realize. But at the end of the day, there is no other choice because that’s the only way to compete in the future.
Nati: And maybe I want to add exactly to your point, my kind of personal experience from the past few weeks or even months working with AWS on something that is, you know, related to 5G for example. 5G for those who are not familiar, it’s not an icon on your iPhone 12. There is a whole set of technology around it and think about the seller network that you’re seeing when you’re seeing antennas here, being now automated.
So it goes as far as that but the experience in terms of agility was quite amazing. I was working with another, I would say highly regulated business before on a similar project. And that was kind of a process that took us six months to do just the PSC which did a fraction of what we did with AWS. And with AWS we’re able to like, in a net time over a week plus, do all the things that we’ve done in six months, plus much more.
Having teams that are running here in Israel, in India, and the United States, adding new features and configuration in matters of two hours. Like we’re just literally doing it all by, by the way, we’re using a lot of surplus and other things. And that was for me, even though I’m, you know, covering DevOps for a long time, it was quite an experience. It was an experience that, you know, like kind of took a step back and said what really happened here.
And, you know, I shared with you some of the analyses about agility and wire organization are not really there even in terms of diversity. And we know those concepts that we’re discussing here right now, not really new and it touched on something here. And that’s the thing that I’m looking at, when I’m looking at trends and timing when trends will happen. I’m looking at a catalyst event, you know, like what would be that business force that will create that Netflix versus blockbuster, I would say equivalent in industries.
And those who are not familiar, you know, both of them were serving media, using CDs at stores, and then Netflix took the cloud route. But they decided to take the cloud route all the way. And obviously, people who are not some of the audience probably not even know what the blockbuster is right now. And Netflix is something that is now globally reached. Everyone has it, it’s not just a US based company and everyone is the experience.
And when I looked at AWS and the way they operate in the traditional world, that’s a catalyst event for me. When AWS getting into this, for example, 5G networking type of world and applying DevOps practices into such a traditional business. And I can see the speed at which they’re moving compared to the speed at which those other guys are moving, I understand that we’re going to see here and now that blockbuster and Netflix.
So there’s going to be some of those players, it’s going to be Netflix who are going to realize that very few of them and a lot of them would end up like blockbuster because they still stuck into their old habits. And it is happening right now. And something that I think, Dov, to your point, I think it’s not just the ability to you know do automation and feeling safe. It’s really the competition that is driving things more than I would say the regular progression, that the evolution that I think drives usually business.
And I think that bonding Cloud company, the Netflix, if you like in finance, are probably going to be the high catalyst that will drive organizations, even those highly regulated businesses to adopt those type of things much faster just because it’s the way to survive.
Dov: I think that there’s the second angle to this which ties into, you know, FINOS and, you know, the things that we’re starting to see around financial institutions engaging with open source, right. We have to keep in mind that the cloud providers will always try to drive their own agendas, right, and not necessarily be interested in, you know, a hybrid cloud, multi-cloud approach, and world peace, right.
They have a business to manage and at the end of the day, they would want most of your workload to run their cloud. And I think that’s the other angle of your question, which is open source and open source projects such as [inaudible 00:57:10]. I think that those will be the catalysts that will drive the industry into adopting those open platforms and open tools, and multi-cloud approaches because otherwise, it will be up to Microsoft, Azure or AWS or GCP, they’ll have their way and we’ve seen it with Kubernetes. Right.
The beginning of Kubernetes was a Google thing. And, you know, everyone tried their own approach to Kubernetes. Once they saw that this is the de-facto standard, you started seeing Kubernetes being adopted by Amazon Web Services in Azure. And I hope, right, that the same thing would happen here. We have to be driven by open source communities and open source initiatives such as Venus, because otherwise, it will be an industry defined journey which is not ideal, right.
So just to summarize my thought here, I think that an open-source approach in this evolution of DevOps is critical.
Nati: Dor, what are your thoughts about you know those trends? I know that you’ve been using all the cutting edge with terraform and Kubernetes? How do you see yourself based on also what we heard here, kind of into 2021? Are you planning to do something different or?
Dor: So I assume you said Dor because of Terraform and Kubernetes. So all of our infrastructures are built on top of Terraform and Kubernetes and what I want to do is even enhance that. For example, to make my GitHub permissions managed by infrastructures code, I want to have all the monitoring and logging configured also in infrastructures code. I don’t want to do anything manually anymore because I see, because we have not only one environment.
I have production, I have staging, I have several development environments, I have client environments, I don’t want to do everything. And I mean, for this environment every time, I want to make it automated as Dov said at the beginning. That way, I can save a lot of time and money basically to my organization. And even my [inaudible 00:59:38] is next week with my team, we have a [inaudible 00:59:41] for the back end of the DevOps team.
So we will configure the, for example, the New Relic and the logging system in an automated way. And I think everyone should do it, I remember my friend just founded a company six months ago and it started to click some buttons in situ and then EKS and make it connected with VPC peering and everything with the AWS portal. And I said to him, forget about it, you will do it five times in a month, just write a file cloud formation, I don’t know, a terraform that does it automatically for you, don’t waste your time. He didn’t listen to me. So I think wasting his time but I can show you the SMS he sent me that I was right so
Nati: There’s a long list of people that are somewhere in the grave that are not listening to Dor.
Ariel: You know, to me, what’s most surprising is the fact that the startups that are cloud-native, born in the cloud are facing these same challenges. I’m not talking about, you know, specifically infrastructure automation. But you know, very quickly, young startups are getting into the need for VSMPs, for Value Stream Management Platforms. And that to me is a surprise, it happened much faster than
Because when I’m looking at the industry, I’m meaning towards those large enterprises that have the legacy and the Brownfield and, you know, very slow migration processes into the cloud and into cloud-native. But it’s happening from you know, South and North I think, which to me is fascinating.
Nati: And then maybe just to wrap up, I want to move to Dov, and that kind of take Benny’s comment about the fact that you know, we’re not just startups that are moving faster and then I would say the traditional incumbents. But those incumbents are now becoming startups themselves and I think when we’re discussing these, you know, the transformation that is happening right now, with the Netflix versus blockbuster.
Netflix wasn’t a startup and the leading the industry so we kind of think about them, as you know, the slow mover and maybe adoptive. We can end with you and talk about, you know, how do you see this industry in 2021, 2022 going forward?
Dov: I mean, for me, I think I agree everything is getting extremely automated, there’s a lot more expressible ways to define things that historically were done by hand and therefore there are better ways to test that information and verify it and all of that. The industry, I mean, I really see the kind of the financial services industry, in particular, has a bright future with you know, some of the work FINOS is doing with regulators now.
It should be very interesting to see where they’re going to take that in 2021 and 2022. Because until now, it’s everyone coping with the challenges of being regulated and trying to make sure we find the most you know, the easiest way to satisfy the obligations we have. If the regulators are on board that will be a further catalyst to say you need to move quickly, you need to use these automations. And you know, that will give more or less a green light to the champions of these tools within the organizations to use them.
So I think from the perspective of that, there, again, within these larger companies, there are groups and, you know, many of them large groups that are, as they’re indistinguishable from the startup community, both in their level of innovation, they’re forward-thinking in terms of what tools they can adopt, the rolling up their sleeves, it’s just about how you institutionalize that. And that’s kind of you know, from that perspective and the tools that are out there in the industry are making that way easier.
Even things like the low code platforms, just like we’re talking before about taking things out of the hands of manual button pushers and putting them into scripts and doing that. Similarly, there is low-value coding that’s going on that can move to low code and no-code platforms that would further free up the technical expertise to work on other things. And again, all this depends on cloud, all this depends on configures code and everything like that.
So I think, for me, it’s about these types of things becoming way more adopted within the enterprise, that really again, starts to free up some of that innovation power. And, you know, we’ve already seen it happen. But, you know, the tool ecosystem that comes along with that, I think provides just an even bigger accelerate.
Benny: So you know, coming from I’ll call it the virtualization, full virtualization religion concept, going into container was a big change for me. Because, you know, I gave 10 years of my career developing the hypervisor, VM, and so forth but the great thing about containers is; number one, the boot time is very fast. It’s very important for the developer, the patient of developers. And the second thing is the other concept that they don’t care if delivered.
What I mean is you can take a template or you can take a recipe, whatever it’s called from the hub, and being able to deploy. So once you’re dealing with these two powerful features of containers, the fast boot time and the ability to take version and clone them, the ability to move from one environment to the other environments. So kind of the Cloudify vision, moving south-north, from private to public, and east-west from public to public, makes it more realistic.
I’m ignoring all the services that the cloud providers are offering but suddenly, with containers, you have a way to do it. So this is one comment that I want to make. The other one is about the example that you gave with Netflix. So you know on Netflix, I remember the days of paying a fine for delivering or returning late the cassette, the videocassette, or cluster. The first innovation was really to move, to change the business model to go from, you know, your pay for rent to a subscription model where your mailings in the mail.
And the technology when they started from network bandwidth and storage was not there to deliver what they are delivering. And the amazing thing, in my opinion about Netflix is that they created the business again. At the end of the day, it is the same value to the customer. You know watching the media and they are innovating again and again.
So to me, it’s related to our discussion because this agility that we are providing is enabling also new business models and specifically for Netflix is the ability to scale with the cloud, the ability to replicate the environment and serve hundreds of millions of customers now. It’s mainly about the cloud, the ability to do it in a relatively getting started cheap way.
Nati: Excellent. And I think I want to touch on that, plus, I think what the rest of the people here talking about the one thing that you mentioned about the comment of the Amazon CEO at Reinvent, I believe it was, that only 4% of the industry now in the cloud and there is a whole industry that is not yet in the game. It’s a big opportunity. For those who are thinking like entrepreneurs, that’s 95% of the market that is untapped in many ways.
And that’s one way to think about it from again, entrepreneurs’ perspective that we used to go to the bonding cloud, especially in Israel, the startup communities kind of as the main, say go to market strategy. And now there is 95% that is untapped and we can think about that. And that’s another kind of thing to think about as I would say the next wave of startups here, and obviously where we play.
The other thing that I think he touched on and I think Dov also kind of touched on and the Netflix experience kind of touched on that. The fact that we are now moving into this infrastructure and the rest of the industries, almost adjacent industries including the regulated business, think about the financial industry. But I also mentioned Telcos. And we now talk about Netflix, those industries were themselves siloed, they had their own events and they had their own, I would say, ecosystem and pitch.
And now that the infrastructure is becoming old cloud and infrastructure is code and common, the infrastructure is not playing a part of that world in which those outside industries are completely siloed and it’s moving towards the fact that it’s different. But on the business side, not necessarily on the infrastructure side. What does that mean?
It means that as a product company, again, we talked about the untapped market, the same product that you know, works with the cloud, can now address a much larger market, those vertical markets that previously were, you know, siloed. And, you know, you’re talking about manufacturing as a separate thing, you’re talking about Telcos as separate things, finances as separate things. And companies kind of differentiated as they go to market, especially in the infrastructure world based on those silos.
And all of a sudden, you can now create one tool that can serve a lot of those industries and obviously with a twist but that kind of opened that market quite a bit. So the shift that we are seeing right now, the effect of it is not just again, the natural or linear progression of the thing we’re talking about here. We’re moving to, you know, manual processing into automated processes, it’s now getting to the point where ‘everything is code.’
And then that creating a common ground or like common practices across industries, right now, that is a completely new game. And that touches that 95% of the market that is now getting the game. And that’s in my view, not just another linear progression, it’s a much bigger opportunity. And those who will figure it out, I think we’ll see the next wave of success. And that’s, I think, where, at least, again, my compilation of a lot of the inputs here, the discussion of where we are going. We are going to see this at the beginning of it in 2021 but we definitely going to see much more of that towards 2022 and the rest of it.
So with that, I want to kind of wrap up. It’s been very interesting and I’m sure we can continue this stuff of discussions for a while here. But first on to that for our audience so that they can move to the next thing. And I wanted to thank you, the panelists here. Obviously, Ariel, CEO, Dor and Benny, Dov, call them in reverse order. It’s been great hearing your thoughts here and hopefully, the audience feels the same thing. So thank you very much, guys.
Jonny: Thanks so much Nati. And indeed, thanks to everyone for an excellent Episode 10. As usual, all supporting material for this podcast can be found at www.cloudify.co/podcast. And if there’s anything that you particularly would like us to be discussing, then please reach out to us at email@example.com. For now, I’m going to wish you guys well.
Stay happy, stay healthy, stay safe, and we will catch you for Episode 11 which will be coming your way soon.
Outro: This episode has been brought to you by Cloudify. The one platform you need to accelerate, migrate and manage your multi-cloud environment for faster deployment, optimize cost, and total compliance. Head to cloudify.co to learn more.