Bret is joined by Dan Garfield of CodeFresh to talk about growth of GitOps as a standard, growth of Argo, and more.
Last week in security news: AWS IAM Identity Center session duration limit increases from 7 to 90 days, Access accounts with AWS Management Console Private Access, A dive through using Amazon Athena in Incident Response, and more!

Links:
This is an esoteric Firefox/Yubikey compatibility bug that I went blindly stumbling into and has been resolved.
Chris Farris has a post up about deploying AWS Backup.
In preparation for re:Invent, the MGM had a massive cybersecurity issue.
Amazon EC2 now supports Block Public Access for Amazon Machine Images.
AWS IAM Identity Center session duration limit increases from 7 to 90 days.
AWS Identity and Access Management provides action last accessed information for more than 140 services.
Access accounts with AWS Management Console Private Access.
A dive through using Amazon Athena in Incident Response.

This is important! Corey will be hosting an AMA on 9/27 @ noon PDT over on Twitch. Bring questions!
Steve Tuck, Co-Founder & CEO of Oxide Computer Company, joins Corey on Screaming in the Cloud to discuss his work to make modern computers cloud-friendly. Steve describes what it was like going through early investment rounds, and the difficult but important decision he and his co-founder made to build their own switch. Corey and Steve discuss the demand for on-prem computers that are built for cloud capability, and Steve reveals how Oxide approaches their product builds to ensure the masses can adopt their technology wherever they are.

About Steve
Steve is the Co-founder & CEO of Oxide Computer Company. He previously was President & COO of Joyent, a cloud computing company acquired by Samsung. Before that, he spent 10 years at Dell in a number of different roles.

Links Referenced:
Oxide Computer Company: https://oxide.computer/
On The Metal Podcast: https://oxide.computer/podcasts/on-the-metal

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is brought to us in part by our friends at RedHat. As your organization grows, so does the complexity of your IT resources. You need a flexible solution that lets you deploy, manage, and scale workloads throughout your entire ecosystem. The Red Hat Ansible Automation Platform simplifies the management of applications and services across your hybrid infrastructure with one platform. Look for it on the AWS Marketplace.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn.
You know, I often say it—but not usually on the show—that Screaming in the Cloud is a podcast about the business of cloud, which is intentionally overbroad so that I can talk about basically whatever the hell I want to with whoever the hell I'd like. Today's guest is, in some ways of thinking, about as far in the opposite direction from Cloud as it's possible to go and still be involved in the digital world. Steve Tuck is the CEO at Oxide Computer Company. You know, computers, the things we all pretend aren't underpinning those clouds out there that we all use and pay by the hour, gigabyte, second-month-pound or whatever it works out to. Steve, thank you for agreeing to come back on the show after a couple years, and once again suffer my slings and arrows.

Steve: Much appreciated. Great to be here. It has been a while. I was looking back, I think three years. This was like, pre-pandemic, pre-interest rates, pre… Twitter going totally sideways.

Corey: And I have to ask to start with that, it feels, on some level, like toward the start of the pandemic, when everything was flying high and we'd had low interest rates for a decade, that there was a lot of… well, lunacy lurking around in the industry, my own business saw it, too. It turns out that not giving a shit about the AWS bill is in fact a zero interest rate phenomenon. And with all that money or concentrated capital sloshing around, people decided to do ridiculous things with it. I would have thought, on some level, that, “We're going to start a computer company in the Bay Area making computers,” would have been one of those, but given that we are a year into the correction, and things seem to be heading up into the right for you folks, that take was wrong. How'd I get it wrong?

Steve: Well, I mean, first of all, you got part of it right, which is there were just a litany of ridiculous companies and projects and money being thrown in all directions at that time.

Corey: An NFT of a computer.
We're going to have one of those. That's what you're selling, right? Then you had to actually hard pivot to making the real thing.

Steve: That's it. So, we might as well cut right to it, you know. This is—we went through the crypto phase. But you know, our—when we started the company, it was yes, a computer company. It's on the tin. It's definitely kind of the foundation of what we're building. But you know, we think about what a modern computer looks like through the lens of cloud.

I was at a cloud computing company for ten years prior to us founding Oxide, so was Bryan Cantrill, CTO, co-founder. And, you know, we are huge, huge fans of cloud computing, which was an interesting kind of dichotomy. Instead of conversations when we were raising for Oxide—because of course, Sand Hill is terrified of hardware. And when we think about what modern computers need to look like, they need to be in support of the characteristics of cloud, and cloud computing being not that you're renting someone else's computers, but that you have fully programmable infrastructure that allows you to slice and dice, you know, compute and storage and networking however software needs. And so, what we set out to go build was a way for the companies that are running on-premises infrastructure—which, by the way, is almost everyone and will continue to be so for a very long time—access to the benefits of cloud computing. And to do that, you need to build a different kind of computing infrastructure and architecture, and you need to plumb the whole thing with software.

Corey: There are a number of different ways to view cloud computing. And I think that a lot of the, shall we say, incumbent vendors over in the computer manufacturing world tend to sound kind of like dinosaurs, on some level, where they're always talking in terms of, you're a giant company and you already have a whole bunch of data centers out there.
But one of the magical pieces of cloud is you can have a ridiculous idea at nine o'clock tonight and by morning, you'll have a prototype, if you're of that bent. And if it turns out it doesn't work, you're out, you know, 27 cents. And if it does work, you can keep going and not have to stop and rebuild on something enterprise-grade.

So, for the small-scale stuff and rapid iteration, cloud providers are terrific. Conversely, when you wind up in the giant fleets of millions of computers, in some cases, there begin to be economic factors that weigh in, and for some on workloads—yes, I know it's true—going to a data center is the economical choice. But my question is, is starting a new company in the direction of building these things, is it purely about economics or is there a capability story tied in there somewhere, too?

Steve: Yeah, it's actually economics ends up being a distant third, fourth, in the list of needs and priorities from the companies that we're working with. When we talk about—and just to be clear we're—our demographic, that kind of the part of the market that we are focused on are large enterprises, like, folks that are spending, you know, half a billion, billion dollars a year in IT infrastructure, they, over the last five years, have moved a lot of the use cases that are great for public cloud out to the public cloud, and who still have this very, very large need, be it for latency reasons or cost reasons, security reasons, regulatory reasons, where they need on-premises infrastructure in their own data centers and colo facilities, et cetera. And it is for those workloads in that part of their infrastructure that they are forced to live with enterprise technologies that are 10, 20, 30 years old, you know, that haven't evolved much since I left Dell in 2009.
And, you know, when you think about, like, what are the capabilities that are so compelling about cloud computing, one of them is yes, what you mentioned, which is you have an idea at nine o'clock at night and swipe a credit card, and you're off and running. And that is not the case for an idea that someone has who is going to use the on-premises infrastructure of their company. And this is where you get shadow IT and 16 digits to freedom and all the like.

Corey: Yeah, everyone with a corporate credit card winds up being a shadow IT source in many cases. If your processes as a company don't make it easier to proceed rather than doing it the wrong way, people are going to be fighting against you every step of the way. Sometimes the only stick you've got is that of regulation, which in some industries, great, but in other cases, no, you get to play Whack-a-Mole. I've talked to too many companies that have specific scanners built into their mail system every month looking for things that look like AWS invoices.

Steve: [laugh]. Right, exactly. And so, you know, but if you flip it around, and you say, well, what if the experience for all of my infrastructure that I am running, or that I want to provide to my software development teams, be it rented through AWS, GCP, Azure, or owned for economic reasons or latency reasons, I had a similar set of characteristics where my development team could hit an API endpoint and provision instances in a matter of seconds when they had an idea and only pay for what they use, back to kind of corporate IT. And what if they were able to use the same kind of developer tools they've become accustomed to using, be it Terraform scripts and the kinds of access that they are accustomed to using?
How do you make those developers just as productive across the business, instead of just through public cloud infrastructure?

At that point, then you are in a much stronger position where you can say, you know, for a portion of things that are, as you pointed out, you know, more unpredictable, and where I want to leverage a bunch of additional services that a particular cloud provider has, I can rent that. And where I've got more persistent workloads or where I want a different economic profile or I need to have something in a very low latency manner to another set of services, I can own it. And that's where I think the real chasm is because today, you just don't—we take for granted the basic plumbing of cloud computing, you know? Elastic Compute, Elastic Storage, you know, networking and security services. And us in the cloud industry end up wanting to talk a lot more about exotic services and, sort of, higher-up stack capabilities. None of that basic plumbing is accessible on-prem.

Corey: I also am curious as to where exactly Oxide lives in the stack because I used to build computers for myself in 2000, and it seems like having gone down that path a bit recently, yeah, that process hasn't really improved all that much. The same off-the-shelf components still exist and that's great. We always used to disparagingly call spinning hard drives as spinning rust in racks. You named the company Oxide; you're talking an awful lot about the Rust programming language in public a fair bit of the time, and I'm starting to wonder if maybe words don't mean what I thought they meant anymore. Where do you folks start and stop, exactly?

Steve: Yeah, that's a good question. And when we started, we sort of thought the scope of what we were going to do and then what we were going to leverage was smaller than it has turned out to be.
And by that I mean, man, over the last three years, we have hit a bunch of forks in the road where we had questions about do we take something off the shelf or do we build it ourselves. And we did not try to build everything ourselves. So, to give you a sense of kind of where the dotted line is, around the Oxide product, what we're delivering to customers is a rack-level computer. So, the minimum size comes in rack form. And I think your listeners are probably pretty familiar with this. But, you know, a rack is—

Corey: You would be surprised. It's basically, what are they about seven feet tall?

Steve: Yeah, about eight feet tall.

Corey: Yeah, yeah. Seven, eight feet, weighs a couple thousand pounds, you know, make an insulting joke about—

Steve: Two feet wide.

Corey: —NBA players here. Yeah, all kinds of these things.

Steve: Yeah. And big hunk of metal. And in the cases of on-premises infrastructure, it's kind of a big hunk of metal hole, and then a bunch of 1U and 2U boxes crammed into it. What the hyperscalers have done is something very different. They started looking at, you know, at the rack level, how can you get much more dense, power-efficient designs, doing things like using a DC bus bar down the back, instead of having 64 power supplies with cables hanging all over the place in a rack, which I'm sure is what you're more familiar with.

Corey: Tremendous amount of weight as well because you have the metal chassis for all of those 1U things, which in some cases, you wind up with, what, 46U in a rack, assuming you can even handle the cooling needs of all that.

Steve: That's right.

Corey: You have so much duplication, and so much of the weight is just metal separating one thing from the next thing down below it. And there are opportunities for massive improvement, but you need to be at a certain point of scale to get there.

Steve: You do. You do. And you also have to be taking on the entire problem. You can't pick at parts of these things. And that's really what we found.
So, we started at this sort of—the rack level as sort of the design principle for the product itself and found that that gave us the ability to get to the right geometry, to get as much CPU horsepower and storage and throughput and networking into that kind of chassis for the least amount of wattage required, kind of the most power-efficient design possible.

So, it ships at the rack level and it ships complete with both our server sled systems in Oxide, a pair of Oxide switches. This is—when I talk about, like, design decisions, you know, do we build our own switch, it was a big, big, big question early on. We were fortunate even though we were leaning towards thinking we needed to go do that, we had this prospective early investor who was early at AWS and he had asked a very tough question that none of our other investors had asked to this point, which is, “What are you going to do about the switch?”

And we knew that the right answer to an investor is like, “No. We're already taking on too much.” We're redesigning a server from scratch in, kind of, the mold of what some of the hyperscalers have learned, doing our own Root of Trust, we're doing our own operating system, hypervisor control plane, et cetera. Taking on the switch could be seen as too much, but we told them, you know, we think that to be able to pull through all of the value of the security benefits and the performance and observability benefits, we can't have then this [laugh], like, obscure third-party switch rammed into this rack.

Corey: It's one of those things that people don't think about, but it's the magic of cloud with AWS's network, for example, it's magic.
You can get line rate—or damn near it—between any two points, sustained.

Steve: That's right.

Corey: Try that in the data center, you wind into massive congestion with top-of-rack switches, where, okay, we're going to parallelize this stuff out over, you know, two dozen racks and we're all going to have them seamlessly transfer information between each other at line rate. It's like, “[laugh] no, you're not because those top-of-rack switches will melt and become side-of-rack switches, and then bottom-puddle-of-rack switches. It doesn't work that way.”

Steve: That's right.

Corey: And you have to put a lot of thought and planning into it. That is something that I've not heard a traditional networking vendor addressing because everyone loves to hand-wave over it.

Steve: Well so, and this particular prospective investor, we told him, “We think we have to go build our own switch.” And he said, “Great.” And we said, “You know, we think we're going to lose you as an investor as a result, but this is what we're doing.” And he said, “If you're building your own switch, I want to invest.” And his comment really stuck with us, which is AWS did not stand on their own two feet until they threw out their proprietary switch vendor and built their own.

And that really unlocked, like you've just mentioned, like, their ability, both in hardware and software to tune and optimize to deliver that kind of line rate capability. And that is one of the big findings for us as we got into it. Yes, it was really, really hard, but based on a couple of design decisions, P4 being the programming language that we are using as the surround for our silicon, tons of opportunities opened up for us to be able to do similar kinds of optimization and observability. And that has been a big, big win.

But to your question of, like, where does it stop? So, we are delivering this complete with a baked-in operating system, hypervisor, control plane.
And so, the endpoint of the system, where the customer meets is either hitting an API or a CLI or a console that delivers and kind of gives you the ability to spin up projects. And, you know, if one is familiar with EC2 and EBS and VPC, that VM level of abstraction is where we stop.

Corey: That, I think, is a fair way of thinking about it. And a lot of cloud folks are going to pooh-pooh it as far as saying, “Oh well, just virtual machines. That's old cloud. That just treats the cloud like a data center.” And in many cases, yes, it does because there are ways to build modern architectures that are event-driven on top of things like Lambda, and API Gateway, and the rest, but you take a look at what my customers are doing and what drives the spend, it is invariably virtual machines that are largely persistent.

Sometimes they scale up, sometimes they scale down, but there's always a baseline level of load that people like to hand-wave away the fact that what they're fundamentally doing in a lot of these cases, is paying the cloud provider to handle the care and feeding of those systems, which can be expensive, yes, but also delivers significant innovation beyond what almost any company is going to be able to deliver in-house. There is no way around it. AWS is better than you are—whoever you happen to—be at replacing failed hard drives. That is a simple fact. They have teams of people who are the best in the world of replacing failed hard drives. You generally do not. They are going to be better at that than you. But that's not the only axis. There's not one calculus that leads to, is cloud a scam or is cloud a great value proposition for us? The answer is always a deeply nuanced, “It depends.”

Steve: Yeah, I mean, I think cloud is a great value proposition for most and a growing amount of software that's being developed and deployed and operated.
And I think, you know, one of the myths that is out there is, hey, turn over your IT to AWS because we have or you know, a cloud provider—because we have such higher caliber personnel that are really good at swapping hard drives and dealing with networks and operationally keeping this thing running in a highly available manner that delivers good performance. That is certainly true, but a lot of the operational value in an AWS has been delivered via software, the automation, the observability, and not actual people putting hands on things. And it's an important point because that's been a big part of what we're building into the product. You know, just because you're running infrastructure in your own data center, it does not mean that you should have to spend, you know, 1000 hours a month across a big team to maintain and operate it. And so, part of that, kind of, cloud, hyperscaler innovation that we're baking into this product is so that it is easier to operate with much, much, much lower overhead in a highly available, resilient manner.

Corey: So, I've worked in a number of data center facilities, but the companies I was working with, were always at a scale where these were co-locations, where they would, in some cases, rent out a rack or two, in other cases, they'd rent out a cage and fill it with their own racks. They didn't own the facilities themselves. Those were always handled by other companies. So, my question for you is, if I want to get a pile of Oxide racks into my environment in a data center, what has to change? What are the expectations?

I mean, yes, there's obviously going to be power and requirements at the data center colocation is very conversant with, but Open Compute, for example, had very specific requirements—to my understanding—around things like the airflow construction of the environment that they're placed within.
How prescriptive is what you've built, in terms of doing a building retrofit to start using you folks?

Steve: Yeah, definitely not. And this was one of the tensions that we had to balance as we were designing the product. For all of the benefits of hyperscaler computing, some of the design center for you know, the kinds of racks that run in Google and Amazon and elsewhere are hyperscaler-focused, which is unlimited power, in some cases, data centers designed around the equipment itself. And where we were headed, which was basically making hyperscaler infrastructure available to, kind of, the masses, the rest of the market, these folks don't have unlimited power and they aren't going to go be able to go redesign data centers. And so no, the experience should be—with exceptions for folks maybe that have very, very limited access to power—that you roll this rack into your existing data center. It's on standard floor tile, that you give it power, and give it networking and go.

And we've spent a lot of time thinking about how we can operate in the wide-ranging environmental characteristics that are commonplace in data centers that focus on themselves, colo facilities, and the like. So, that's really on us so that the customer is not having to go to much work at all to kind of prepare and be ready for it.

Corey: One of the challenges I have is how to think about what you've done because you are rack-sized. But what that means is that my own experimentation at home recently with on-prem stuff for smart home stuff involves a bunch of Raspberries Pi and a [unintelligible 00:19:42], but I tend to more or less categorize you the same way that I do AWS Outposts, as well as mythical creatures, like unicorns or giraffes, where I don't believe that all these things actually exist because I haven't seen them.
And in fact, to get them in my house, all four of those things would theoretically require a loading dock if they existed, and that's a hard thing to fake on a demo signup form, as it turns out. How vaporware is what you've built? Is this all on paper and you're telling amazing stories or do they exist in the wild?

Steve: So, last time we were on, it was all vaporware. It was a couple of napkin drawings and a seed round of funding.

Corey: I do recall you not using that description at the time, for what it's worth. Good job.

Steve: [laugh]. Yeah, well, at least we were transparent where we were going through the race. We had some napkin drawings and we had some good ideas—we thought—and—

Corey: You formalize those and that's called Microsoft PowerPoint.

Steve: That's it. A hundred percent.

Corey: The next generative AI play is take the scrunched-up, stained napkin drawing, take a picture of it, and convert it to a slide.

Steve: Google Docs, you know, one of those. But no, it's got a lot of scars from the build and it is real. In fact, next week, we are going to be shipping our first commercial systems. So, we have got a line of racks out in our manufacturing facility in lovely Rochester, Minnesota. Fun fact: Rochester, Minnesota, is where the IBM AS/400s were built.

Corey: I used to work in that market, of all things.

Steve: Really?

Corey: Selling tape drives in the AS/400. I mean, I still maintain there's no real mainframe migration to the cloud play because there's no AWS/400. A joke that tends to sail over an awful lot of people's heads because, you know, most people aren't as miserable in their career choices as I am.

Steve: Okay, that reminds me. So, when we were originally pitching Oxide and we were fundraising, we [laugh]—in a particular investor meeting, they asked, you know, “What would be a good comp?
Like how should we think about what you are doing?” And fortunately, we had about 20 investor meetings to go through, so burning one on this was probably okay, but we may have used the AS/400 as a comp, talking about how [laugh] mainframe systems did such a good job of building hardware and software together. And as you can imagine, there were some blank stares in that room.

But you know, there are some good analogs to historically in the computing industry, when you know, the industry, the major players in the industry, were thinking about how to deliver holistic systems to support end customers. And, you know, we see this in what Apple has done with the iPhone, and you're seeing this as a lot of stuff in the automotive industry is being pulled in-house. I was listening to a good podcast. Jim Farley from Ford was talking about how the automotive industry historically outsourced all of the software that controls cars, right? So, like, Bosch would write the software for the controls for your seats.

And they had all these suppliers that were writing the software, and what it meant was that innovation was not possible because you'd have to go out to suppliers to get software changes for any little change you wanted to make. And in the computing industry, in the 80s, you saw this blow apart where, like, firmware got outsourced. In the IBM and the clones, kind of, race, everyone started outsourcing firmware and outsourcing software. Microsoft started taking over operating systems. And then VMware emerged and was doing a virtualization layer.

And this, kind of, fragmented ecosystem is the landscape today that every single on-premises infrastructure operator has to struggle with. It's a kit car. And so, pulling it back together, designing things in a vertically integrated manner is what the hyperscalers have done. And so, you mentioned Outposts.
And, like, it's a good example of—I mean, the most public cloud of public cloud companies created a way for folks to get their system on-prem.

I mean, if you need anything to underscore the draw and the demand for cloud computing-like, infrastructure on-prem, just the fact that that emerged at all tells you that there is this big need. Because you've got, you know, I don't know, a trillion dollars worth of IT infrastructure out there and you have maybe 10% of it in the public cloud. And that's up from 5% when Jassy was on stage in '21, talking about 95% of stuff living outside of AWS, but there's going to be a giant market of customers that need to own and operate infrastructure. And again, things have not improved much in the last 10 or 20 years for them.

Corey: They have taken a tone onstage about how, “Oh, those workloads that aren't in the cloud, yet, yeah, those people are legacy idiots.” And I don't buy that for a second because believe it or not—I know that this cuts against what people commonly believe in public—but company execs are generally not morons, and they make decisions with context and constraints that we don't see. Things are the way they are for a reason. And I promise that 90% of corporate IT workloads that still live on-prem are not being managed or run by people who've never heard of the cloud. There was a decision made when some other things were migrating of, do we move this thing to the cloud or don't we? And the answer at the time was no, we're going to keep this thing on-prem where it is now for a variety of reasons of varying validity. But I don't view that as a bug.
I also, frankly, don't want to live in a world where all the computers are basically run by three different companies.

Steve: You're spot on, which is, like, it does a total disservice to these smart and forward-thinking teams in every one of the Fortune 1000-plus companies who are taking the constraints that they have—and some of those constraints are not monetary or entirely workload-based. If you want to flip it around, we were talking to a large cloud SaaS company and their reason for wanting to extend it beyond the public cloud is because they want to improve latency for their e-commerce platform. And navigating their way through the complex layers of the networking stack at GCP to get to where the customer assets are that are in colo facilities, adds lag time on the platform that can cost them hundreds of millions of dollars. And so, we need to think behind this notion of, like, “Oh, well, the dark ages are for software that can't run in the cloud, and that's on-prem. And it's just a matter of time until everything moves to the cloud.”

In the forward-thinking models of public cloud, it should be both. I mean, you should have a consistent experience, from a certain level of the stack down, everywhere. And then it's like, do I want to rent or do I want to own for this particular use case? In my vast set of infrastructure needs, do I want this to run in a data center that Amazon runs or do I want this to run in a facility that is close to this other provider of mine? And I think that's best for all. And then it's not this kind of false dichotomy of quality infrastructure or ownership.

Corey: I find that there are also workloads where people will come to me and say, “Well, we don't think this is going to be economical in the cloud”—because again, I focus on AWS bills. That is the lens I view things through, and—“The AWS sales rep says it will be.
What do you think?” And I look at what they're doing and especially if involves high volumes of data transfer, I laugh a good hearty laugh and say, “Yeah, keep that thing in the data center where it is right now. You will thank me for it later.”

It's, “Well, can we run this in an economical way in AWS?” As long as you're okay with economical meaning six times what you're paying a year right now for the same thing, yeah, you can. I wouldn't recommend it. And the numbers sort of speak for themselves. But it's not just an economic play.

There's also the story of, does this increase their capability? Does it let them move faster toward their business goals? And in a lot of cases, the answer is no, it doesn't. It's one of those business process things that has to exist for a variety of reasons. You don't get to reimagine it for funsies and even if you did, it doesn't advance the company in what they're trying to do any, so focus on something that differentiates as opposed to this thing that you're stuck on.

Steve: That's right. And what we see today is, it is easy to be in that mindset of running things on-premises is kind of backwards-facing because the experience of it is today still very, very difficult. I mean, talking to folks and they're sharing with us that it takes a hundred days from the time all the different boxes land in their warehouse to actually having usable infrastructure that developers can use. And our goal and what we intend to go hit with Oxide as you can roll in this complete rack-level system, plug it in, within an hour, you have developers that are accessing cloud-like services out of the infrastructure. And that—God, countless stories of firmware bugs that would send all the fans in the data center nonlinear and soak up 100 kW of power.

Corey: Oh, God. And the problems that you had with the out-of-band management systems. For a long time, I thought DRAC stood for, “Dell, RMA Another Computer.” It was awful having to deal with those things.
There was so much room for innovation in that space, which no one really grabbed onto.

Steve: There was a really, really interesting talk at DEF CON that we just stumbled upon yesterday. The NVIDIA folks are giving a talk on BMC exploits… and like, a very, very serious BMC exploit. And again, it's what most people don't know is, like, first of all, the BMC, the Baseboard Management Controller, is like the brainstem of the computer. It has access to—it's a backdoor into all of your infrastructure. It's a computer inside a computer and it's got software and hardware that your server OEM didn't build and doesn't understand very well.

And firmware is even worse because, you know, firmware written by, you know, an American Megatrends or other is a big blob of software that gets loaded into these systems that is very hard to audit and very hard to ascertain what's happening. And it's no surprise when, you know, back when we were running all the data centers at a cloud computing company, that you'd run into these issues, and you'd go to the server OEM and they'd kind of throw their hands up. Well, first they'd gaslight you and say, “We've never seen this problem before,” but when you thought you'd root-caused something down to firmware, it was anyone's guess. And this is kind of the current condition today. And back to, like, the journey to get here, we kind of realized that you had to blow away that old extant firmware layer, and we rewrote our own firmware in Rust. Yes [laugh], I've done a lot in Rust.

Corey: No, it was in Rust, but, on some level, that's what Nitro is, as best I can tell, on the AWS side. But it turns out that you don't tend to have the same resources as a one-and-a-quarter—at the moment—trillion-dollar company. That keeps [valuing 00:30:53]. At one point, they lost a comma and that was sad and broke all my logic for that and I haven't fixed it since. Unfortunate stuff.

Steve: Totally.
I think that was another, kind of, question early on from certainly a lot of investors was like, “Hey, how are you going to pull this off with a smaller team and there's a lot of surface area here?” Certainly a reasonable question. Definitely was hard. The one advantage—among others—is, when you are designing something kind of in a vertical holistic manner, those design integration points are narrowed down to just your equipment.

And when someone's writing firmware, when AMI is writing firmware, they're trying to do it to cover hundreds and hundreds of components across dozens and dozens of vendors. And we have the advantage of having this, like, purpose-built system, kind of, end-to-end from the lowest level from first boot instruction, all the way up through the control plane and from rack to switch to server. That definitely helped narrow the scope.

Corey: This episode has been fake sponsored by our friends at AWS with the following message: Graviton Graviton, Graviton, Graviton, Graviton, Graviton, Graviton, Graviton, Graviton. Thank you for your l-, lack of support for this show. Now, AWS has been talking about Graviton an awful lot, which is their custom in-house ARM processor. Apple moved over to ARM and instead of talking about benchmarks they won't publish and marketing campaigns with words that don't mean anything, they've let the results speak for themselves. In time, I found that almost all of my workloads have moved over to ARM architecture for a variety of reasons, and my laptop now gets 15 hours of battery life when all is said and done. You're building these things on top of x86. What is the deal there? I do not accept that you hadn't heard of ARM until just now because, as mentioned, Graviton, Graviton, Graviton.

Steve: That's right. Well, so why x86, to start? And I say to start because we have just launched our first generation products.
And our first-generation or second-generation products that we are now underway working on are going to be x86 as well. We've built this system on AMD Milan silicon; we are going to be launching a Genoa sled.

But when you're thinking about what silicon to use, obviously, there's a bunch of parts that go into the decision. You're looking at the kind of applicability to workload, performance, power management, for sure, and if you carve up what you are trying to achieve, x86 is still a terrific fit for the broadest set of workloads that our customers are trying to solve for. And choosing which x86 architecture was certainly an easier choice, come 2019. At this point, AMD had made a bunch of improvements in performance and energy efficiency in the chip itself. We've looked at other architectures and I think as we are incorporating those in the future roadmap, it's just going to be a question of what are you trying to solve for.

You mentioned power management, and that has kind of commonly been a, you know, low-power systems is where folks have gone beyond x86. As we're looking forward to hardware acceleration products and future products, we'll certainly look beyond x86, but x86 has a long, long road to go. It still is kind of the foundation for what, again, is a general-purpose cloud infrastructure for being able to slice and dice for a variety of workloads.

Corey: True. I have to look around my environment and realize that Intel is not going anywhere. And that's not just an insult to their lack of progress on committed roadmaps that they consistently miss. But—

Steve: [sigh].

Corey: Enough on that particular topic because we want to keep this, you know, polite.

Steve: Intel has definitely had some struggles for sure. They're very public ones, I think. We were really excited and continue to be very excited about their Tofino silicon line. And this came by way of the Barefoot Networks acquisition.
I don't know how much you had paid attention to Tofino, but what was really, really compelling about Tofino is the focus on both hardware and software and programmability.

So, great chip. And P4 is the programming language that surrounds that. And we have gotten very, very deep on P4, and that is some of the best tech to come out of Intel lately. But from a core silicon perspective for the rack, we went with AMD. And again, that was a pretty straightforward decision at the time. And we're planning on having this anchored around AMD silicon for a while now.

Corey: One last question I have before we wind up calling it an episode, it seems—at least as of this recording, it's still embargoed, but we're not releasing this until that winds up changing—you folks have just raised another round, which means that your napkin doodles have apparently drawn more folks in, and now that you're shipping, you're also not just bringing in customers, but also additional investor money. Tell me about that.

Steve: Yes, we just completed our Series A. So, when we last spoke three years ago, we had just raised our seed and had raised $20 million at the time, and we had expected that it was going to take about that to be able to build the team and build the product and be able to get to market, and [unintelligible 00:36:14] tons of technical risk along the way. I mean, there was technical risk up and down the stack around this [De Novo 00:36:21] server design, this switch design. And software is still the kind of disproportionate majority of what this product is, from hypervisor up through kind of control plane, the cloud services, et cetera. So—

Corey: We just view it as software with a really, really confusing hardware dongle.

Steve: [laugh]. Yeah. Yes.

Corey: Super heavy. We're talking enterprise and government-grade here.

Steve: That's right. There's a lot of software to write.
And so, we had a bunch of milestones that as we got through them, one of the big ones was getting Milan silicon booting on our firmware. It was funny it was—this was the thing that clearly, like, the industry was most suspicious of, us doing our own firmware, and you could see it when we demonstrated booting this, like, a year-and-a-half ago, and AMD all of a sudden just lit up, from kind of arm's length to, like, “How can we help? This is amazing.” You know? And they could start to see the benefits of when you can tie low-level silicon intelligence up through a hypervisor there's just—

Corey: No, I love the existing firmware I have. Looks like it was written in 1984 and winds up having terrible user ergonomics that hasn't been updated at all, and every time something comes through, it's a 50/50 shot as to whether it fries the box or not. Yeah. No, I want that.

Steve: That's right. And you look at these hyperscale data centers, and it's like, no. I mean, you've got intelligence from that first boot instruction through a Root of Trust, up through the software of the hyperscaler, and up to the user level. And so, as we were going through and kind of knocking down each one of these layers of the stack, doing our own firmware, doing our own hardware Root of Trust, getting that all the way plumbed up into the hypervisor and the control plane, number one on the customer side, folks moved from, “This is really interesting. We need to figure out how we can bring cloud capabilities to our data centers. Talk to us when you have something,” to, “Okay. We actually”—back to the earlier question on vaporware, you know, it was great having customers out here to Emeryville where they can put their hands on the rack and they can, you know, put your hands on software, but being able to, like, look at real running software and that end cloud experience.

And that led to getting our first couple of commercial contracts.
So, we've got some great first customers, including a large department of the government, of the federal government, and a leading firm on Wall Street that we're going to be shipping systems to in a matter of weeks. And as you can imagine, along with that, that drew a bunch of renewed interest from the investor community. Certainly, a different climate today than it was back in 2019, but what was great to see is, you still have great investors that understand the importance of making bets in the hard tech space and in companies that are looking to reinvent certain industries. And so, we added—our existing investors all participated. We added a bunch of terrific new investors, both strategic and institutional.

And you know, this capital is going to be super important now that we are headed into market and we are beginning to scale up the business and make sure that we have a long road to go. And of course, maybe as importantly, this was a real confidence boost for our customers. They're excited to see that Oxide is going to be around for a long time and that they can invest in this technology as an important part of their infrastructure strategy.

Corey: I really want to thank you for taking the time to speak with me about, well, how far you've come in a few years. If people want to learn more and have the requisite loading dock, where should they go to find you?

Steve: So, we try to put everything up on the site. So, oxidecomputer.com or oxide.computer. We also, if you remember, we did [On the Metal 00:40:07]. So, we had a Tales from the Hardware-Software Interface podcast that we did when we started. We have shifted that to Oxide and Friends, which the shift there is we're spending a little bit more time talking about the guts of what we built and why. So, if folks are interested in, like, why the heck did you build a switch and what does it look like to build a switch, we actually go to depth on that.
And you know, what does bring-up on a new server motherboard look like? And it's got some episodes out there that might be worth checking out.

Corey: We will definitely include a link to that in the [show notes 00:40:36]. Thank you so much for your time. I really appreciate it.

Steve: Yeah, Corey. Thanks for having me on.

Corey: Steve Tuck, CEO at Oxide Computer Company. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this episode, please leave a five-star review on your podcast platform of choice, along with an angry ranting comment because you are in fact a zoology major, and you're telling me that some animals do in fact exist. But I'm pretty sure of the two of them, it's the unicorn.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Last month at VMware Explore Las Vegas, VMware announced the latest updates to vSphere 8. This includes not only Version 8 Update 2 of VMware's enterprise workload platform, but also includes a new cloud service to which users of vSphere+ will soon have access. These updates will help enhance the operational efficiencies of IT admins, supercharge the performance of demanding workloads, and accelerate the pace of innovation for DevOps engineers, developers, and anyone else that can benefit from self-service access to infrastructure services. On this episode of The Virtually Speaking Podcast Pete and John welcome vSphere Senior Technical Marketing Architect, Féidhlim O'Leary to walk through the details of this release.
Wes Miller, Research VP at Directions on Microsoft, joins Corey on Screaming in the Cloud to discuss the various intricacies and pitfalls of Microsoft licensing. Wes and Corey discuss what it's like to work closely with a company like Microsoft in your day-to-day career, while also looking out for the best interest of your mutual customers. Wes explains his history of working both at and with Microsoft, and the changes he's seen to their business models and the impact that has on their customers.

About Wes
Wes Miller analyzes and writes about Microsoft security, identity, and systems management technologies, as well as Microsoft product licensing. Before joining Directions on Microsoft in 2010, Wes was a product manager and development manager for several Austin, TX, start-ups, including Winternals Software, acquired by Microsoft in 2006. Prior to that, Wes spent seven years at Microsoft working as a program manager in the Windows Core Operating System and MSN divisions. Wes received a B.A. in psychology from the University of Alaska Fairbanks.

Links Referenced: Directions on Microsoft Website: https://www.directionsonmicrosoft.com/ Twitter: https://twitter.com/getwired LinkedIn: https://www.linkedin.com/in/wmiller/ Directions on Microsoft Training: https://www.directionsonmicrosoft.com/training

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: Welcome to Screaming in the Cloud, I'm Corey Quinn. So, I write a newsletter called Last Week in AWS, which has always felt like it's flying a little bit too close to the sun just because having AWS's name in the title of what I do feels like it's playing with copyright fire.
It's nice periodically to talk to someone—again—who is in a similar boat. Wes Miller is a Research VP at Directions on Microsoft. To be clear, Directions on Microsoft is an analyst firm that talks primarily about Microsoft licensing and is not, in fact, part of Microsoft itself. Have I disclaimed that appropriately, Wes?

Wes: You have. You have. And in fact, the company, when it was first born, was actually called Microsoft Directions. And they had a reasonably good relationship with Microsoft at the time and Microsoft cordially asked them, “Hey, could you at least reverse that so it corrects it in terms of trademark.” So yes, we're blessed in that regard. Something you probably would never get away with now, but that was 30 years ago.

Corey: [laugh]. And now it sounds like it might as well be a product. So, I have to ask, just because the way I think of you is, you are the folks to talk to, full stop, when you have a question about anything that touches on Microsoft licensing. Is that an accurate depiction of what it is you folks do or is that just my particular corner of the world and strange equivalence that gets me there?

Wes: That is our parts of the Venn diagram intersecting because that's what I spend a lot of time talking about and thinking about because I teach that with our company founder, Rob Horwitz. But we also spend an inordinate amount of time taking what Microsoft is talking about shipping, maybe servicing, and help customers understand really, as we say, the ‘So, what?' What does this mean to me as a customer? Should I be using this? Should I be waiting? Should I upgrade? Should I stay? Those sorts of things.

So, there's a whole roadmapping side.
And then we have a [laugh]—because licensing doesn't end with a license, we have a whole side of negotiation that we spend a lot of time, we have a dedicated team that focuses on helping enterprise agreement customers get the most successful deal for their organization, basically, every three years.

Corey: We do exactly that with AWS ourselves. I have to ask before we dive into this. In the early days, I felt like I had a much better relationship with Microsoft. Scott Guthrie, the head of Azure, was on this show. A number of very highly placed Microsoft folks were here. And over the years, they more or less have stopped talking to me.

And that leaves me in a position where all I can see is their actions and their broad public statements without getting any nuance or context around any of it. And I don't know if this is just a commentary on human nature or me in particular, but I tend to always assume the worst when things like that happen. So, my approach to Microsoft has grown increasingly cynical over the years as a result. That said, I don't actually have an axe to grind with them from any other perspective than as a customer, and occasionally that feels like ‘victim' for a variety of different things. What's your take on Microsoft as far as, I guess, your feelings toward the company?

Wes: So, a lot of people—in fact, it used to be more so, but not as much anymore, people would assume I hate Microsoft or I want to demonize Microsoft. But the irony actually is, you know, I want people to remember I worked there for seven-and-a-half years, I shipped—I was on the team that shipped Windows XP, Server 2003, and a bunch of other products that people don't remember. And I still care about the company, but the company and I are obviously in different trajectories now. And also, my company's customers today are also Microsoft's customers today, and we actually have—our customers—our mutual customers—best interest in mind with basically everything we do.
Are we helping them be informed? Are we helping them color within the financial lines?

And sometimes, we may say things that help a customer that aren't helping the bottom line or helping a marketing direction and I don't think that resonates well within Microsoft. So sure, sometimes we even hear from them, “Hey, it'd be great if you guys might want to, you know, say something nice once in a while.” But it's not necessarily our job to say nice things. I do it once in a while. I want to note that I said something nice about AAD last week, but the reality is that we are there to help our mutual customers.

And what I found is, I have found the same thing to be true that you're finding true that, unfortunately, outbound communications from them, in particular from the whole company, have slowed. I think everybody's busier, they've got a very specific set of directions they're going on things, and as a result, we hear very little. And even getting, trying to get clarification on things sometimes, “Did we read that right?” It takes a while, and it has to go through several different rungs of people to get the answer.

Corey: I have somewhat similar relationships over the years with AWS, where they—in many cases, a lot of their executives prefer not to talk to me at all. Which again, is fair. I'm not—I don't require any of them to do it. But there's something in the Amazonian ethos that requires them to talk to customers, especially when customers are having a rough time. And I'm, for better or worse, the voice of the customer.

I am usually not the dumbest person in the universe when it comes to trying to understand a service or make it do something that, to me, it seems that it should be able to do. And when I actually start having in-depth conversations, people are surprised. “Wow, you were super pleasant and fun to work with. We thought you were just going to be a jerk.” It's, yeah, it turns out I don't go through every meeting like it's Twitter.
What a concept.

Wes: Yeah, a lot of people, I've had this happen for myself when you meet people in person, when they meet your Twitter persona, especially for someone who I think you and I both come across as rather boisterous, gregarious, and sometimes people take that as our personas. And I remember meeting a friend in the UK for the first time years ago, he's like, “You're very different in person.” I'm like, “I know. I know.”

Corey: I usually get the, “You're just like Twitter.” In many respects, I am. Because people don't always see what I'm putting down. I make it a point to be humorous and I have a quick quip for a lot of things, but it's never trying to make the person I'm engaging with feel worse for it. And that's how I work.

People are somewhat surprised when I'm working in client meetings that I'm fun and I have a similar sense of humor and personality, as you would see on Twitter. Believe it or not, I haven't spent all this time just doing a bit. But they're also surprised that it tends to drive toward an actual business discussion.

Wes: Sure.

Corey: Everything fun is contextual.

Wes: Absolutely. That's the same sort of thing we get on our side when we talk to customers. I think I've learned so much from talking with them that sometimes I do get to share those things with Microsoft when they're willing to listen.

Corey: So, what I'm curious about in the context of Microsoft licensing is something that, once again, it has intruded upon my notice lately with a bunch of security disclosures in which Microsoft has said remarkably little, and that is one of the most concerning things out there. They casually tried to slide past, “Oh, yeah, we had a signing key compromised.” Which is one of those, “Oh, [laugh] and by the way, the building's on fire. But let's talk about our rent [unintelligible 00:07:44] for the next year.” Like, “Whoa, whoa, whoa. Hold on. What?”

That was one of those horrifying moments.
And it came out—I believe I learned about this from you—that you needed something called E3 licensing—sorry, E5 licensing—in order to look at those audit logs, where versus E3, which sounded like the more common case. And after a couple of days of, “Explain this,” Microsoft very quickly wound up changing that. What do all these things mean? This is sort of a foreign concept to me because AWS, for better or worse, does not play games with licensing in the same way that Microsoft does.

Wes: Sure. Microsoft has, over the years, you know, they are a master of building suites. This is what they've done for over 30 years. And they will build a suite, they'll sell you that suite, they'll come back around in three to six years and sell you a new version of that suite. Sometimes they'll sell you a higher price version of that suite, et cetera.

And so, you'll see products evolve. And I did a great podcast with my colleagues Rob and Mary Jo Foley the other day where we talked about what we've seen over the last, now for me, 11 years of teaching boot camps. And I think in particular, one of the changes we have seen is exactly what you're being exposed to on the outside and what a lot of people have been complaining about, which is, products don't sit still anymore. So, Microsoft actually makes very few products today. Almost everything they sell you is a service. There are a handful of products still.

These services all evolve, and about every triennium or two—so every three to six years—you'll see a price increase and something will be added, and a price increase and something will be added. And so, all this began with the BPOS, the first version of Office 365, which became Office 365 E3, then Microsoft 365 E3, then Microsoft 365 E5.
And for people who aren't in the know, basically, that means they went from Office as a subscription to Office, Windows, and a bunch of management tools as a subscription, to E5, basically, it took all of the security and compliance tools that many of us feel should have been baked into the fundamentals, into E3, the thing that everybody buys, what I refer to still today as the hero SKU, and those security and compliance fundamentals should have been baked in. But no, in fact, a lot of customers when this AAD issue came out—and I think a lot discovered this ad hoc for the same reason, “Hey, we've been owned, how far back in the logs can we look?” And the answer is, you know, no farther than 90 days, a lot of customers hit that reality of, what do you mean we didn't pay for the premium thing that has all the logging that we need?

Corey: Since you sat on this for eight months before mentioning it to us? Yeah.

Wes: Exactly, exactly. And it's buried. And it's one of those things that, like, when we teach the licensing boot camp, I specifically call out because of my security background, it's an area of focus and interest to me. I call out to customers that a lot of the stuff we've been showing you has not questionable value, but kind of squishy value.

This piece right here, this is both about security and compliance. Don't cheap out. If you're going to buy anything, buy this because you're going to need it later. And I've been saying that for, like, three years, but obviously only the people who were in the boot camp would hear that and then shake their head, “Why does it have to be this difficult?” But yeah. Everything becomes a revenue opportunity if it's a potential to upsell somebody for the next tier.

Corey: The couple of times I've been asked to look at Azure bills, I backed away slowly as soon as I do, just because so much of it is tied to licensing and areas that are very much outside of my wheelhouse.
Because I view, in the cloud context, that cost and architecture tend to be one and the same. But when you bolt an entire layer of seat licensing and what this means for your desktop operating systems on as well as the actual cloud architecture, it gets incredibly confusing incredibly quickly. And architectural advice of the type that I give to AWS customers and would give to GCP customers is absolutely going to be harmful in many respects.

I just don't know what I don't know and it's not an area that interests me, as far as learning that competency, just to jump through hoops. I mean, I frankly used to be a small business Windows admin, with the products that you talked about, back when XP and Server 2003 and a few others, I sort of ruled the roost. But I got so tired of surprise audit-style work. It felt like busy work that wasn't advancing what I was trying to get done in any meaningful way that, in a fit of rage, one day, I wound up exploring the whole Unix side of the world in 2006 and never went back.

Wes: [whispering] That's how it happened.

Corey: Yep.

Wes: It's unfortunate that it's become so commonplace, but when Vista kind of stalled out and they started exploring other revenue opportunities, you have Vista Ultimate Enterprise, all the crazy SKUing that Vista had, I think it sort of created a mindset within the company that this is what we have to do in order to keep growing revenue up and to the right, and you know, shareholder value be the most important thing, that's what you've got to do. I agree entirely, though, the biggest challenge I could see for someone coming into our space is the fact that yes, you've got to understand Azure, Azure architecture, development architecture, and then as soon as you feel like you understand that, somebody comes along and says, “Well, yeah, but because we have an EA, we have to do it this way or we only get a discount on this thing.” And yeah, it just makes things more cumbersome.
And I think that's why we still see a lot of customers who come to our boot camps who are still very dedicated AWS customers because that's where they were, and it's easier in many regards, and they just want to go with what they know.

Corey: And I think that that's probably fair. I think that there is an evolution that grows here that I think catches folks by surprise. I'm fortunate in that my Microsoft involvement, if we set things like GitHub aside because I like them quite a bit and my Azure stuff as well—which is still small enough to fit in the free tier, given that I use it for one very specific, very useful thing—but the rest of it is simply seat licenses for Office 365 for my team. And I just tend to buy the retail-priced one on the internet that's licensed for business use, and I don't really think about it again. Because I don't need, as you say, in-depth audit logs for Microsoft Word. I really don't. I'm sorry, but I have a hard time believing that that's true. But something that immediately crops up when you say this is when you talk about E3 versus E5 licensing, is that organization-wide or is that on a per-seat basis?

Wes: It's even worse than that. It usually comes down to per-user licensing. The whole world used to be per device licensing in Microsoft and it switched to per user when they subscript-ified everything—that's a word I made up a while ago—so when they subscript-ified everything, they changed it over to per user. And for better or worse, today, you could—there's actually four different tiers of Microsoft 365. You could go for any one of those four for any distinct user.

You could have one of them on F1, F3, E3, and E5. Now, if you do that, you create some other license non-compliance issues that we spend way too much time having to talk about during the boot camp, but the point is, you can buy to fit; it's not one-size-fits-all necessarily.
But you run into, very rapidly, if you deploy E5 for some number of users because the products that are there, the security services and compliance services ironically don't do license compliance in most cases, customers can actually wind up creating new license compliance problems, thereby basically having to buy E5 for everybody. So, it's a bit of a trapdoor that customers are not often aware of when they initially step into dabbling in Microsoft 365 E5.

Corey: When you take a look at this across the entire board, what is your guidance to customers? Because honestly, this feels like it is a full-time job. At scale, a full-time job for a department simply keeping up with all of the various Microsoft licensing requirements, and changes because, as you say, it's not static. And it just feels like an overwhelming amount of work that to my understanding, virtually no other vendor makes customers jump through. Sure there's Oracle, but that tends to be either in a database story or a per developer, or on rare occasions, per user when you build internal Java apps. But it's not as pervasive and as tricky as this unless I'm missing something.

Wes: No, you're not. You're not missing anything. It's very true. It's interesting to think back over the years at the boot camp. There's names I've heard that I don't hear anymore in terms of companies that were as bad. But the reality is, you hear the names of the same software companies but, exactly to your point, they're all departmental. The people who make [Roxio 00:16:26] still, they're very departmentalized. Oracle, IBM, yeah, we hear about them still, but they are all absolutely very departmentalized.

And Microsoft, I think one of the reasons why we do get so many—for better or worse, for them—return visitors to our licensing boot camps that we do every two months, is for that exact reason, that some people have found they like outsourcing that part of at least trying to keep up with what's going on, what's the record?
And so, they'll come back every two, three, or four years and get an update. And we try to keep them updated on, you know, how do I color within the lines? Should it be like this? No. But it is this way.In fact, it's funny, I think back, it was probably one of the first few boot camps I did with Rob. We were in New York and we had a very large customer who had gotten a personalized message from Microsoft talking about how they were going to simplify licensing. And we went to a cocktail hour afterwards, as we often do on the first day of the boot camp, to help people, you know, with the pain after a boot camp, and this gentleman asks us well, “So, what are you guys going to do once Microsoft simplifies licensing?” And Rob and I just, like, looked at each other, smiled, looked back at the guy, and laughed. We're like, “We will cross that bridge when we get to it.”Corey: Yeah, people ask us that question about AWS billing. What if they fix the billing system? Like, we should be so lucky to live that long.Wes: I have so many things I'd rather be doing. Yes.Corey: Mm-hm. Exactly. It's one of those areas where, “Well, what happens in a post-scarcity world?” Like, “I couldn't tell you. I can't even imagine what such a thing would look like.”Wes: Exactly [laugh]. Exactly.Corey: So, the last time we spoke way back, I think in 2019, Microsoft had wound up doing some unfortunate and fairly underhanded-appearing licensed changes, where it was more expensive to run a bunch of Microsoft things, such as server software, most notably SQL Server, on clouds that were not Azure. And then, because you know, you look up the word chutzpah in the dictionary, you'll find the Microsoft logo there in response, as part of the definition, they ran an advertising campaign saying that, oh, running many cloud workloads on Azure was five times cheaper than on AWS. As if they cracked some magic secret to cloud economics. 
Rather than no, we just decided to play dumb games that win worse prizes with cloud licensing. How did that play out?Wes: Well, so they made those changes in October of 2019, and I kind of wish they'd become a bigger deal. And I wish they'd become a bigger deal earlier so that things could have been, maybe, reversed when it was easier. But you're absolutely right. So, it—for those who don't know, it basically made licensing changes on only AWS, GCP, and Alibaba—who I never had anybody ask me about—but those three. It also added them for Azure, but then they created loopholes for themselves to make Azure actually get beneficial licensing, even better than you could get with any other cloud provider [sigh].So, the net takeaway is that every Microsoft product that matters—so traditionally, SQL Server, Windows Server, Windows client, and Office—is not impossible to use on AWS, but it is markedly more expensive. That's the first note. To your point, then they did do that marketing campaign that I know you and I probably had exchanges about at the time, and it drove me nuts as well because what they will classically do is when they tout the savings of running something on Azure, not only are they flouting the rules that they created, you know, they're basically gloating, “Look, we got a toy that they didn't,” but they're also often removing costs from the equation. So, for example, in order for you to get those discounts on Azure, you have to maintain what's called Software Assurance. You basically have to have a subscription by another name.If you don't have Software Assurance, those opportunities are not available to you. Fine. That's not my point. My point is this, that Software Assurance is basically 75% of the cost of the next version. 
So, it's not free, but if you look at those 5x claims that they made during that time frame, they actually were hand-waving and waving away the [SA 00:20:45] costs. So, if you actually sat down and did the math, the 5x number was a lie. It was not just very nice, but it was wrong, literally mathematically wrong. And from a—as my colleague likes to say, a ‘colors person,’ not a numbers person like me, from a colors person like me, that's pretty bad. If I can see the error in your math, that's bad math.
Corey: It just feels like it's one of those taxes on not knowing some of the intricacies of what the heck is going on in the world of Microsoft licensing. And I think every sufficiently complex vendor with, shall we say, non-trivial pricing dimensions, could be accused of the same thing. But it always felt particularly worrisome from the Microsoft perspective. Back in the days of BSA audits—which I don't know at all if they're still a thing or not because I got out of that space—every executive that I ever spoke to, in any company, lived in fear of them, not because they were pirating software or had decided, “You know what? We have a corporate policy of now acting unethically when it comes to licensing software,” but because of the belief that no matter what they came up with or whatever good-faith effort they made to remain compliant, of course, something was not going to work the way they thought it would and they were going to be smacked with a fine. Is that still the case?
Wes: Absolutely. In fact, I think it's worse now than it ever was before. I will often say to customers that you are wildly uncompliant while also being wildly overcompliant because, per your point about how broad and deep Microsoft is, there are so many products. Like, every company today, every company that has Project and Visio still in place today, that still pays for it, you are over-licensed. You have more of it than you need. That's just one example, but on the other side, SQL Server, odds are, every organization is subtly under-licensed because they think the rule is to do this, but the rules are actually more restrictive than they expect. So, and that's why Microsoft is, you know, the first place they look, the first rug they look under when they do walk in and do an audit, which they're entitled to do as a part of an organization's enterprise agreement. So BSA, I think they do still have those audits, but Microsoft now has their own business that does that, or at least they have partners that do that for them. And places like SQL Server are the first places that they look. Why? Because it's big, found money, and because it's extremely hard to get right. So, there's a reason why, when we focus on our boot camps, we'll often tell people, you know, “Our goal is to save you enough money to pay for the class,” because there's so much money to be found in little mistakes that if you do a big thing wrong with Microsoft software, you could be wildly out of compliance and not know about it until Microsoft—or more likely, a Microsoft partner—points it out to you.
Corey: It feels like it's an inevitability. And, on some level, it's the cost of doing business. But man, does that leave a sour taste in someone's mouth.
Wes: Mm-hm. It absolutely does. It absolutely does. And I think—you know, I remember, gosh, was it Munich that was talking about, “We're going to switch to Linux,” and then they came back into the fold. I think the reality is, it absolutely does put a bad taste. And it doesn't leave customers with good hope for where they go from here. I mean, okay, fine. So, we got burned on that thing in the Microsoft 365 stack. Now, they want us to pay 30 bucks for Copilot for Microsoft 365. What? And we'd have no idea what they're even buying, so it's hard to give any kind of guidance. So, it's a weird time.
Corey: I'm curious to see what the ultimate effect of this is going to be. Well, one thing I've noticed over the past decade and change—and I think everyone has as well—increasingly, the local operating system on people's laptops or desktops—or even phones, to some extent—is not what it once was. Increasingly, most of the tools that I find myself using on a daily basis are just web use or in a browser entirely. And that feels like it's an ongoing problem for a company like Microsoft when you look at it through the lens of OS. Which, at some level, makes perfect sense why they would switch towards everything as a service. But it's depressing, too.
Wes: Yeah. I think that's one of the reasons why, particularly after Steve left, they changed focus a lot and really began focusing on Microsoft 365 as the platform, for better or worse. How do we make Microsoft 365 sticky? How do we make Office 365 sticky? And the thing about, like, the Microsoft 365 E5 security stuff we were talking about, it often doesn't matter what the user is accessing it through. The user could be accessing it only through a phone, they could be a frontline worker, they could be standing at a sales kiosk all day, they could be using Office every single day, or they could be an exec who's only got an iPad. The point is, you're in for a penny, in for a pound at that point that you'll still have to license the user. And so, Microsoft will recoup it either way. In some ways, they've learned to stop caring as much about, is everyone actively using our technology? And on the other side, with things like Teams, and as we're seeing very, very slowly, with the long-delayed Outlook here, you know, they're also trying to switch things to have that less Win32 surface that we're used to and focus more on the web as well. But I think that's a pretty fundamental change for Microsoft to try and take broadly and I don't anticipate, for example, Office will ever be fully replaced with a fat client like it has on Windows and the Mac OS.
Corey: Yeah, part of me wonders what the future that all looks like because increasingly, it feels more than a little silly that I'm spending, like, all of this ever-increasing dollar figure on a per-seat basis every year for all of Microsoft 365. Because we don't use their email system. We don't use so much of what they offer. We need basically Word and Excel and once in a blue moon PowerPoint, I guess. But that's it. Our fundamental needs have not materially shifted since Office 2003. Other than the fact that everything uses different extensions now and there's, of course, the security story on top of it, too. We just need some fairly basic stuff.
Wes: And I think that's the case for a lot of—I mean, we're the exact same way at Directions. And I think that's the case for a lot of small and even into mid-size companies. Microsoft has traditionally, with the, like, Small Business Premium, had an offering that they intentionally only scale up to 300 people. And sometimes they'll actually give you perks there that they wouldn't give away in the enterprise suite, so you arguably get more—if they let you have it, you get more than you would if you've got E5. On the other side, they've also begun, for enterprises, homing in on opportunities that they may have historically ignored. And when I was at Microsoft, you'd have an idea, like, “Hey, Bob. I got an idea. Can we try to make a new product?” He's like, “Okay, is it a billion-dollar business?” And you get waved away if it wasn't all a billion-dollar business. And I don't think that's the case anymore today, particularly if you can make the case, this thing I'm building makes Microsoft 365 sticky or makes Azure sticky.
So, things like the Power Platform, which is subtly and slowly replacing Access at a minimum, but a lot of other tools. Power BI, which has come from behind. You know, people would look at it and say, “Oh, it's no Excel.” And now it, I think, far exceeds Excel for that type of user. And Copilot, as I talked about, you know, Microsoft is definitely trying to throw things in that are beyond Office, beyond what we think of as Microsoft. And why are they doing that? Because they're trying to make their platform more sticky. They're trying to put enough value in there so you need to subscribe for every user in your organization. And even things, as we call them, ‘Batteries not Included’ like Copilot, that you're going to buy E5 and that you're still going to have to buy something else beyond that for some number of users. So, you may even have a picture in your head of how much it's going to cost, but it's like buying a BMW 5 Series; it's going to cost more than you think.
Corey: I wish that there were a better path forward on this. Honestly, I wish that they would stop playing these games, let, you know, Azure compete head-to-head against AWS and let it win on some of its merits. To be clear, there are several that are great. You know, if they could get out of their own way from a security perspective, lately. But there seems to be a little appetite for that. Increasingly, it seems like even customers asking them questions tends to hit a wall until, you know, a sitting US senator screams at them on Twitter.
Wes: Mm-hm. No, and then if you look carefully at—Microsoft is very good at pulling just enough off of the sweater without destroying the sweater. And for example, what they did, they gave enough away to potentially appease, but they didn't actually resolve the problem. They didn't say, “All right, everybody gets logging if they have Microsoft 365 E3,” or, “Everybody gets logging, period.” They basically said, “Here's the kind of logging you can get, and we're going to probably tweak it a little bit more in the future,” and they will not tweak it more in the future. If anything, they'll tighten it back up. This is very similar to the 2019 problem we talked about earlier, too, that, you know, they began with one set of rules and they've had to revisit it a couple of times. And most of the time, when they've had an outcry, primarily from the EU, from smaller cloud providers in the EU who felt—justifiably—that Microsoft was being not—uncompetitive with Azure vis-à-vis every other cloud provider. Well, Microsoft turned around and last year changed the rules such that most of these smaller cloud providers get rules that are, ehh, similar to what Azure can provide. There are still exclusives that only Azure gets. So, what you have now is basically, if you're a customer, the best set and cheapest set is with Azure, then these smaller cloud providers give you a secondary—it's close to Azure, but still not quite as good. Then AWS, GCP, and Alibaba. So, the rules have been switched such that you have to know who you're going to in order to even know what the rules are and to know whether you can comply with those rules with the thing you want to build. And I find it most peculiar that, I believe it was the first of last month that Microsoft made the change that said, “You'll be able to run Office on AWS,” which was Amazon WorkSpaces, in particular. Which I think is huge and it's very important and I'm glad they made this change, but it's weird because it creates almost a fifth category because you can't run it anywhere else in Amazon, like if you were spinning something up in VMware on Amazon, but within Amazon WorkSpaces, you can. This is great because customers now can run Office for a fee. And it's a fee that's more than you'd pay if you were running the same thing on Microsoft's cloud. But it also was weird because let's say Google had something competitive in VDI, but they don't really, but if they had something competitive in VDI, now this is the benefit that Amazon has that's not quite as good as what Microsoft has, that Google doesn't get it at all. So, it's just weird. And it's all an attempt to hold… to both hold a market strategy and an attempt to grow market share where they're still behind. They are markedly behind in several areas. And I think the reality is, Amazon WorkSpaces is a really fine offering and a lot of customers use it. And we had a customer at our last in-person boot camp in Atlanta, and I was really impressed—she had been to one boot camp before, but I was really impressed at how much work she'd put into making sure we know, “We want to keep using Amazon WorkSpaces. We're very happy with it. We don't want to move anywhere else. Am I correct in understanding that this, this, this, and this? If we do these things, will we be aboveboard?” And so, she knew how much more she'd have to pay to stay on Amazon WorkSpaces, but it was that important to the company that they'd already bet the farm on the technology, and they didn't want to shift to somebody else that they didn't know.
Corey: I'm wondering how many people have installed Office just through a standard Microsoft 365 subscription on a one-off Amazon WorkSpace, just because they had no idea that that was against license terms. I recall spinning up an Amazon WorkSpace back when they first launched, or when they wound up then expanding to Amazon Linux; I forget the exact timeline on this. I have no idea if I did something like that or not. Because it seems like it'd be a logical thing. “Oh, I want to travel with just an iPad. Let me go ahead and run a full desktop somewhere in the cloud. Awesome.” That feels like exactly the sort of thing an audit comes in and then people are on the hook for massive fines as a result. It just feels weird, as opposed to, there are a number of ways to detect you're running on a virtual machine that isn't approved for this. Stop the install. But of course, that doesn't happen, does it?
Wes: No. When we teach at the boot camp, Rob will often point out that, you know, licensing is one of the—and it's true—licensing is one of the last things that comes in when Microsoft is releasing a product. It was that way when he was at the company before I was—he shipped Word 1.0 for the Mac, to give you an idea of his epoch—and I was there for XP, like I said, which was the first version that used activation—which was a nightmare—there was a whole dedicated team on. And that team was running down to the wire to get everything installed. And that is still the case today because marketing and legal make decisions about how a product gets sold. Licensing is usually tacked on at the very end if it gets tacked on at all. And in fact, in a lot of the security, compliance, and identity space within Microsoft 365, there is no license compliance. Microsoft will show you a document that, “Hey, we do this,” but it's very performative. You can't actually rely on it, and if you do rely on it, you'll get in trouble during an audit because you've got non-compliance problems. So yeah, it's—you would hope that it keeps you from coloring outside the lines, but it very much does not.
Corey: It's just a tax on going about your business, in some ways [sigh].
Wes: Exactly. “Don't worry, we'll be back to fix it for you later.”
Corey: [laugh]. I really appreciate your taking the time to go through this with me. If people want to learn more, where's the best place for them to keep up with what you're up to?
Wes: Well, obviously, I'm on Twitter, and—oh, sorry, X, whatever.
Corey: No, we're calling it Twitter.
Wes: Okay, I'm on—I'm on—[laugh] thank you. I'm on Twitter at @getwired. Same alias over on [Bluesky 00:35:27]. And they can also find me on LinkedIn, if they're looking for a professional question beyond that and want to send a quiet message. The other thing is, of course, go to directionsonmicrosoft.com. And directionsonmicrosoft.com/training if they're interested in one of our licensing boot camps. And like I said, Rob and I do those every other month. We're increasingly doing them in person. We got one in Bellevue coming up in just a few weeks. So, there are opportunities to learn more.
Corey: Excellent. And we will, of course, put links to that in the [show notes 00:35:59]. Thank you so much for taking the time to chat with me again, Wes. It's appreciated.
Wes: Thank you for having me.
Corey: Wes Miller, Research VP at Directions on Microsoft. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that will no doubt be taken down because you did not sign up for that podcasting platform's proper license level.
Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
AWS Morning Brief for the week of September 18, 2023 with Corey Quinn.
Links:
- Amazon SNS FIFO topics now support message delivery to Amazon SQS Standard queues
- Announcing API Gateway console refresh
- Cost Anomaly Detection increases custom anomaly monitor limit to 500
- Custom notifications are now available for AWS Chatbot
- How to Integrate Amazon CloudWatch Alarms with Atlassian Confluence Knowledge Articles
- Building a secure webhook forwarder using an AWS Lambda extension and Tailscale
- Deploy Generative AI Models on Amazon EKS
- Troubleshoot networking issues during database migration with the AWS DMS diagnostic support AMI
- Using AWS CloudFormation and AWS Cloud Development Kit to provision multicloud resources
- Combining content moderation services with graph databases & analytics to reduce community toxicity
- AWS Private Certificate Authority
- Retail Partner Conversations: How Rokt is impacting the future of retail
- Simplify access to internal information using Retrieval Augmented Generation and LangChain Agents
- How to view Azure costs using Amazon QuickSight
- Centralized Dashboard for AWS Config and AWS Security Hub
- Benefits of Domain Registration with Amazon Route 53
- Use Bring your own IP addresses (BYOIP) and RFC 8805 for localization of Internet content
- Using NAT Gateways with multiple Amazon VPCs at scale
- Navigating change: From ophthalmologist to AWS Cloud expert
Ramzi Akremi is a senior Salesforce technologist and Modular Salesforce Evangelist who applies software engineering to Salesforce & DevOps. The post 100. DevOps is not the issue in Salesforce | Ramzi Akremi appeared first on SalesforceWay.
Last week in security news: Corey reported an over-scoped role to AWS security, The bad LastPass breach got even worse, How to enforce DNS name constraints in AWS Private CA, and more!
Links:
- I reported an over-scoped role to AWS security; the response from the SageMaker Canvas team was that it's working as intended.
- The bad LastPass breach that continues to get worse once again somehow got worse.
- Microsoft has published a rather thorough postmortem about how their signing key was leaked.
- A security newsletter features a scam that I reported via Twitter.
- Google has gone from paragon of security to apparently now sharing aspects of your browsing history with websites in Chrome.
- Establishing a data perimeter on AWS: Allow access to company data only from expected networks
- How to enforce DNS name constraints in AWS Private CA
Tool of the week: ThreatMapper hunts for threats in your production platforms, and ranks these threats based on their risk-of-exploit.
Victoria and Will interview Rishi Malik, the Founder of Backstop.it and VP of Engineering at Varo Bank. They talk about Rishi's recent adventure at DEF CON, the renowned annual security conference that he's attended for six years, and he describes how it has transformed from a mere learning experience into a thrilling competition for him and his team. The conference is their playground for tackling an array of security challenges and brain-teasing puzzles, with a primary focus on cloud security competitions. They talk about the significance of community in such events and how problem-solving through interaction adds value. Rishi shares his background, tracing his path from firmware development through various tech companies to his current roles in security and engineering management. The vital topic of security in the fintech and banking sector highlights the initial concerns people had when online banking emerged. Rishi navigates through the technical intricacies of security measures, liability protection, and the regulatory framework that safeguards online banking for consumers. He also highlights the evolving landscape, where technological advancements and convenience have bolstered consumer confidence in online banking. Rishi shares his unique approach to leadership and decision-making, and pearls of wisdom for budding engineers starting their careers. His advice revolves around nurturing curiosity and relentlessly seeking to understand the "why" behind systems and processes.
Backstop.it (https://backstop.it/) Follow Backstop.it on X (https://twitter.com/wearebackstop). Varo Bank (https://www.varomoney.com/) Follow Varo Bank on Instagram (https://www.instagram.com/varobank/), Facebook (https://www.facebook.com/varomoney/), X (https://twitter.com/varobank), YouTube (https://www.youtube.com/varomoney), or LinkedIn (https://www.linkedin.com/company/varobank/). Follow Rishi Malik on LinkedIn (https://www.linkedin.com/in/rishilmalik/).
Follow thoughtbot on X (https://twitter.com/thoughtbot) or LinkedIn (https://www.linkedin.com/company/150727/). Become a Sponsor (https://thoughtbot.com/sponsorship) of Giant Robots!
Transcript:
VICTORIA: This is the Giant Robots Smashing Into Other Giant Robots podcast, where we explore the design, development, and business of great products. I'm your host, Victoria Guido.
WILL: And I'm your other host, Will Larry. And with us today is Rishi Malik, Founder of Backstop.it and VP of Engineering at Varo Bank. Rishi, thank you for joining us.
RISHI: Thanks for having me. I'm excited to be here.
VICTORIA: Yes, Rishi. I'm so excited to talk with you today about your security background and get into your role at Varo and Backstop IT. But first, I wanted to hear a little bit more about your recent experience attending DEF CON. How was that?
RISHI: It was awesome. I do have quite the background in security at this point. And one of the things I started doing early on, as I was getting up to speed and learning more about the security-specific side of things, was beginning to attend DEF CON itself. So, I've now gone six years straight. And it started out as just kind of experiencing the conference and security and meeting folks. But it's progressed to where I now bring a team of people where we go and we compete. We have a good time. But we do get to kind of bring the security side of things into the software engineering and engineering leadership stuff that we all do on a day-to-day basis.
VICTORIA: Yeah. And what kind of puzzles do you solve with your team when you attend DEF CON?
RISHI: There's definitely a lot of variety there, which I think is part of the fun. So, DEF CON frequently has electronic badges, you know, with random puzzles on there that you have to solve. Some of them are cryptographic. Some of them are kind of random cultural things. Sometimes there are music challenges based around it. Sometimes, it's social and interactive. And you have to go find the right type of badge or the right person behind it to unlock something. So, all of those, you know, typically exist and are a ton of fun. Primarily, in the last few years, we've been focusing more on the cloud CTF. So, in this case, it's our team competing against other teams and really focused on cloud security. So, it's, you know, figuring out vulnerabilities in, you know, specially designed puzzles around AWS and GCP, the application side of things as well, and competing to see how well you can do. Three years ago, the last couple of years, we've not won it, but we've been pretty competitive. And the great thing is the field is expanding as more and more people get into CTF themselves but, more importantly, into cloud infrastructure and cloud knowledge there. So, it's just great to see that expansion and see what people are into, what people are learning, and how challenging some of these things can be.
VICTORIA: I love the idea of having a puzzle at a conference where you have to find a specific person to solve it. And yeah, I'm always interested in ways where we can have these events where you're getting together and building community and growing expertise in a field but in a way that makes it fun [laughs] and isn't just life-draining long, like, talks about random stuff.
RISHI: [laughs] I think what you're touching on there is crucial. And you said the word community, and, to me, that is, you know, a big part of what DEF CON and, you know, hacking and security culture is. But it is, I think, one of the things that kind of outside of this, we tend to miss it more, you know, specifically, like, focused conferences. It is more about kind of the content, you know, the hallway track is always a thing. But it's less intentional than I personally, at this stage, really prefer, you know. So, I do like those things where it is encouraging interaction. For me, I'd rather go to happy hour with some people who are really well-versed in the subject that they're in rather than even necessarily listening to a talk from them on what they're doing. Simply because I think the community aspect, the social aspect, actually gets you more of the information that is more relevant to what you're doing on a day-to-day basis than just consuming it passively.
VICTORIA: I agree because consuming it passively or even intentionally remotely, there are things that you didn't even think to think about [laughs] that aren't going to come up just on your own. You have to have another person there who's...Actually, I have a good friend who's co-working with me this week who's at Ticketmaster. And so, just hearing about some of the problems they have and issues there has been entertaining for me. So yeah, I love that about DEF CON, and I love hearing about community stories and fun ways that companies can get a benefit out of coming together and just putting good content out there.
RISHI: Absolutely. I think problem-solving is where you get the most value out of it as a company and as a business.
VICTORIA: Yeah, maybe that's a good segue to tell me a little bit more about your background and how you came to be where you are today.
RISHI: Yeah. For me growing up, I was always that problem-solver type of person. So, I think that's what kind of naturally gravitated me towards tech and, you know, hardware and software engineering. You know, so, for me, I go back quite a while. I'd been doing a lot of development, you know, in the early days of my career. I started out doing firmware development back in the days of large tape libraries, right? So, if you think about, like, big businesses back before cloud was a big thing and even back before SSDs were a thing, you know, it was all spinning disks. It was all tape. And that's kind of the area that I started in.
So, I was working on robots that actually move tapes around these giant tape libraries that are, you know, taller than I am that you can walk inside of because they're so big, for big corporations to be able to backup their data on an overnight basis. You have to do that kind of stuff. Then I started going into smaller and smaller companies, into web tech, into startups, then into venture-backed startups. And then, eventually, I started my own company and did that for a while. All of this is really just kind of, you know, software engineering in a nutshell, lots of different languages, lots of different technologies. But really, from the standpoint of, here's a whole bunch of hard problems that need to be solved. Let's figure out how we can do that and how we can make some money by solving some of these problems. That eventually kind of led me down the security path as well and the engineering management side of things, which is what I do now, both at Backstop...is a security consulting business and being VP of Engineering at Varo Bank. WILL: How was your journey? Because you started as an intern in 2003. RISHI: [laughs] WILL: And then, you know, 20 years later. So, how was your journey through all of that? [laughs] RISHI: [laughs] You know, I hadn't actually put it together that it has been 20 years this year until you said that. So, that's awesome. It's been a blast, you know. I can honestly say it's been wildly different than what I imagined 20 years ago and interesting in different ways. I think I'm very fortunate to be able to say that. When I started out as an intern in 2003, technologies were very different. I was doing some intern shifts with the federal government, you know, so the pace was wildly different. 
And when I think of where technology has come now, and where the industry has gone, and what I get to do on a day-to-day basis, I'm kind of just almost speechless at just how far we've come in 20 years, how easy some things are, how remarkably hard some other things are that should honestly be easy at this point, but just the things that we can do. I'm old enough that I remember cell phones being a thing and then smartphones coming out and playing with them and being like, yeah, this is kind of mediocre. I don't really know why people would want this. And the iPhone coming out and just changing the game and being like, okay, now I get it. You know, to the experience of the internet and, you know, mobile data and everywhere. It's just phenomenal the advances that we've had in the last 20 years. And it makes me excited for the next 20 years to see what we can do as we go forward.

VICTORIA: I'm going to take personal offense to someone knowing that technology being too old [laughs], but, yeah, because it really wasn't that long ago. And I think one thing I always think about having a background in civic tech and in financial tech as well is that the future is here; it's just not evenly distributed. So, now, if you're building a new company, of course, the default is to go straight to the cloud. But many companies and organizations that have been around for 60-80 years and using the internet right when it first came out are still in really old technologies that just simply work. And maybe they're not totally sure why, and change is difficult and slow. So, I wonder if you have any experience that you can take from the banking or fintech industry on how to make the most out of modern security and compliance platforms.

RISHI: Yeah, you know, I think most people in tech especially...and the gray hairs on me are saying the younger folks in tech especially don't realize just how much older technologies still exist and will exist for quite some time.
When you think of banking itself, you know, most of the major companies that you can think of, you know, in the U.S. especially but kind of across the world that are the top tier names of banks, and networks, and stuff like that, still run mainframes. When you swipe your credit card, there's a very good chance that is processed on a mainframe. And that's not a bad thing. But it's just, you know, when you talk to younger engineers, it's not something that kind of crosses their mind. They feel like it is old-tech. The bulk of businesses don't actually run on the cloud. Having been through it, I've racked and stacked servers and had to figure out how to physically take hardware across, you know, country borders and things like those lines. And now, when I do want to spin up a server somewhere else, it's just a different AWS region. So, it's remarkably easy, at this point, to solve a lot of those problems. But once you're up and live and you have customers, you know, where downtime is impactful or, you know, the cost of moving to the cloud or modernizing your technology is substantial, things tend to move a lot slower. And I think you see that, especially when it comes to security, because we have more modern movements like DevOps bringing security into it. And with a lot of the, you know, the modern security and compliance platforms that exist, they work very, very well for what they do, especially when you're a startup or your whole tech stack is modernized. The biggest challenges, I think, seem to come in when you have that hybrid aspect of it. You do have some cloud infrastructure you have to secure. You do have some physical data centers you have to secure. You have something that is, you know, on-premise in your office. You have something that is co [inaudible 10:01] somewhere else. Or you also have to deal with stuff like, you know, much less modern tech, you know, when it comes to mainframes and security and kind of being responsible for all of that.
And I think that is a big challenge because security is one of those things where it's, you know, if you think of your house, you can have the strongest locks on your door and everything else like that. But if you have one weak point, you have a window that's left open, that's all it takes. And so, it has to be all-inclusive and holistic. And I think that is remarkably hard to do well, even despite where technology has come to these days.

WILL: Speaking of security, I remember when the Internet banking started a couple of years ago. And some of the biggest, I guess, fears were, like, the security around it, the safety. Because, you know, your money, you're putting your money in it, and you can't go to a physical location to talk to anyone or anything. And the more and more you learn about it...at first, I was terrified of it because you couldn't go talk to someone. But the more and more I learned about it, I was like, oh, there's so much security around it. In your role, what does that look like for you? Because you have such a huge impact with people's money. So, how do you overcome that fear that people have?

RISHI: There's, I think, a number of steps that kind of go into it. And, you know, in 2023, it's certainly a little bit easier than it used to be. But, you know, very similar, I've had the same questions, you know, and concerns that you're describing. And I remember using one of the first banks that was essentially all digital and kind of wondering, you know, where is my money going? What happens if something goes wrong? And all of those types of things. And so, I think there is kind of a number of different aspects that go into it. One is, you know, obviously, the technical aspects of security, you know, when you put your credit card number in on the internet, you know, is it encrypted? You know, is it over, you know, TLS? What's happening there? You know, how safe and secure is all that kind of thing?
You know, at this point, pretty much everyone, at least in the U.S., has been affected by credit card breaches, huge companies like Home Depot and Target that got cards accessed or, you know, just even the smaller companies when you're buying something random from maybe something...a smaller website on the internet. You know, that's all a little bit better now. So, I think what you have there was just kind of a little bit of becoming comfortable with what exists now. The other aspect, though, I think, then comes into, well, what happens when something goes wrong? And I think there's a number of aspects that are super helpful for that. I think the liability aspect of credit card, you know, companies saying, you know, and the banks "You're not liable for a fraudulent transaction," I think that was a very big and important step that really helps with that. And on top of that, then I think when you have stuff like the FDIC, you know, and insurance in the U.S., you know, that is government-backed that says, you know what? Even if this is an online-only digital bank, you're safe. You're protected. The government's got your back in that regard. And we're going to make sure that's covered. At Varo, that's one of the key things that we think about a lot because we are a bank. Now, most FinTechs, actually, aren't banks, right? They partner with other third-party banks to provide their financial services. Whereas at Varo, we are federally regulated. And so, we have the full FDIC protection. We get the benefits of that. But it also means that we deal with the regulation aspects and being able to prove that we are safe and secure and show the regulators that we're doing the right things for our customers. And I think that's huge and important because, obviously, it's safety for customers. But then it changes how you begin to think about how you're designing products, and how you're [inaudible 13:34] them, and, you know, how you're marketing them.
Are we making a mobile app that shows that we're safe, and secure, and stable? Or are we doing this [inaudible 13:42] thing of moving too fast and breaking things? When it's people's money, you have to be very, very dialed into that. You still have to be able to move fast, but you have to show the protection and the safety that people have because it is impactful to their lives. And so, I think from the FinTech perspective, that's a shift that's been happening over the last couple of years to continue that. The last thing I'll say, too, is that part of it has just come from technology itself and the comfort there. It used to be that people who were buying, you know, items on the internet were more the exception rather than the rule. And now with Amazon, with Shopify, with all the other stuff that's out there, like, it's much more than a norm. And so, all of that just adds that level of comfort that says, I know I'm doing the right things as a consumer, that I'm protected. If I, you know, do have problems, my bank's got my back. The government is watching out for what's happening and trying to do what they can do to regulate all of that. So, I think all of that has combined to get to that point where we can do much more of our banking online and safely. And I think that's a pretty fantastic thing when it comes to what customers get from that. I am old enough that I remember having to figure out times to get to the bank because they're open nine to five, and, you know, I have to deposit my paycheck. And, you know, I work nine to five, and maybe more hours pass, and I had no idea when I can go get that submitted. And now, when I have to deposit something, I can just take a picture with my phone, and it safely makes it to my account. So, I think the convenience that we have now is really amazing, but it has certainly taken some time. And I think a number of different industry and commercial players kind of come together and make that happen.
MID-ROLL AD: Now that you have funding, it's time to design, build, and ship the most impactful MVP that wows customers now and can scale in the future. thoughtbot Liftoff brings you the most reliable cross-functional team of product experts to mitigate risk and set you up for long-term success. As your trusted, experienced technical partner, we'll help launch your new product and guide you into a future-forward business that takes advantage of today's new technologies and agile best practices. Make the right decisions for tomorrow today. Get in touch at thoughtbot.com/liftoff.

VICTORIA: I appreciate that perspective on approaching security from the user experience of wanting safety. And I'm curious if we can talk in contrast from that experience to the developer experience with security. And how do you, as a new leader in this financial product company, prioritize security and introduce it from a, like, building a safety culture perspective?

RISHI: I think you just said that very eloquently. It is a safety culture. And cultural changes are hard. And I think for quite some time in the developer industry, security was either an afterthought or somebody else's problem. You know, it's the security team that has to think about it. It's, you know, and even these days, it's the red team that's going to go, you know, find these answers or whatever I'm shipping as a developer. My only thing to focus on is how fast I can ship, or, you know, what I'm shipping, rather than how secure is what I'm shipping. And so, I think to really be effective at that, it is a cultural shift. You have to think and talk about security from the outset. And you have to bake those processes into how you build product. Those security conversations really do need to start at the design phase. And, you know, thinking about a mobile app for a bank as an example, you know, it starts when you're just thinking about the different screens on a mobile app that people are going to go through.
How are people interpreting this? You know, what is the [inaudible 17:23], and the feeling, and the emotions, that we're building towards? You know, is that safe and secure or, you know, is it not? But then it starts getting to the architecture and the design of the systems themselves to say, well, here's how they're going to enter information, here's how we're passing this back and forth. And especially in a world where a lot of software isn't just 100% in-house, but we're calling other partners for that, you know, be it, you know, infrastructure or risk, you know, or compliance, or whatever else it may be, how are we protecting people's data? How are we making sure our third parties are protecting people's data? You know, how are we encrypting it? How are we thinking about their safety all the way through? Again, even all the way down to the individual developer that's writing code, how are we verifying they're writing good, high-quality, secure code? Part of it is training, part of it is culture, part of it is using good tooling around that to be able to make sure and say, when humans make mistakes because we are all human and we all will make mistakes, how are we catching that? What layers do we have to make sure that if a mistake does happen, we either catch it before it happens or, you know, we have defense in depth such that that mistake in and of itself isn't enough to cause a, you know, compromise or a problem for our customers? So, I think it starts right from the start. And then, every kind of step along the way for delivering value for customers, also let's add that security and privacy and compliance perspective in there as well.

VICTORIA: Yes, I agree. And I don't want to work for a company where if I make a small human mistake, I'm going to potentially cost someone tens or however many thousands of dollars. [laughs]

WILL: I have a question around that. How, as a leader, how does that affect you day to day?
Because I feel like there's some companies, maybe thoughtbot, maybe other companies, that a decision is not as critical as working as a bank. So, you, as a leader, how do you handle that?

RISHI: There's a couple of things I try and consider in any given big or important decision I have to make, the aspects around, like, you know, the context, what the decision is, and that type of stuff. But from a higher level, there's kind of two things I try and keep in mind. And when I say keep in mind, like, when it's a big, impactful decision, I will actually go through the steps of, you know, writing it down or talking this out loud, sometimes by myself, sometimes with others, just, again, to make sure we are actually getting to the meat of it. But the first thing I'm trying to think of is kind of the Amazon idea of one-way versus two-way doors. If we make this decision and this is the wrong decision, what are the ramifications of that? You know, is it super easy to undo and there's very little risk with it? Or is it once we've made this decision or the negative outcome of this decision has happened, is it unfixable to a certain degree? You know, and that is a good reminder in my head to make sure that, you know, A, I am considering it deeply. And that, B, if it is something where the ramifications, you know, are super huge, that you do take the time, and you do the legwork necessary to make sure you're making a good, valid decision, you know, based on the data, based on the risks involved and that there's a deep understanding of the problem there. The second thing I try to think of is our customers. So, at Varo, our customers aren't who most banks target. A lot of banks want you to take all your money, put it in there, and they're going to loan that money out to make their money. And Varo is not that type of bank, and we focus on a pretty different segment of the market. What that means is our customers need their money.
They need it safely and reliably, and it needs to be accurate when they have it. And what I mean by that is, you know, frequently, our customers may not have, you know, hundreds or a thousand dollars worth of float in their bank accounts. So, if they're going and they're buying groceries and they can't because there's an error on our side because we're down, and because the transactions haven't settled, then that is very, very impactful to them, you know, as an individual. And I think about that with most of these decisions because being in software and being in engineering I am fortunate enough that I'm not necessarily experiencing the same economic struggles that our customers may have. And so, that reminder helps me to think about it from their perspective. In addition, I also like to try and think of it from the perspective...from my mom, actually, who, you know, she is retired age. She's a teacher. She's non-technical. And so, I think about her because I'd say, okay, when we're making a product or a design decision, how easy is it for her to understand? And my biases when I think about that, really kind of come into focus when I think about how she would interpret things. Because, you know, again, for me, I'm in tech. I think about things, you know, very analytically. And I just have a ton of experience across the industry, which she doesn't have. So, even something as simple as a little bit of copy for a page that makes a ton of sense to me, when I think about how she would interpret it, it's frequently wildly different. And so, all of those things, I think, kind of come together to help make a very strong and informed decision in these types of situations where the negative outcomes really do matter. But you are, you know, as Varo is, you're a startup. And you do need to be able to build more products quickly because our customers have needs that aren't being met by the existing banking industry.
And so, we need to provide value to them so that their lives are a bit better.

VICTORIA: I love that focus on a specific market segment and their needs and solving for that problem. And we know that if you're at a certain income level, it's more expensive [laughs] because of the overdraft fees and other things that can cause you problems. So, I really appreciate that that's the mission at Varo, and that's who you're focusing on to create a better banking product that makes more sense. I'm curious if there were any surprises and challenges that you could share from that discovery process and finding out, you know, exactly what were those things where your mom was, like, uh, actually, I need something completely different. [laughs]

RISHI: Yeah, so, [chuckles] I'm chuckling because, you know, it's not, like, a single kind of time or event. It's, you know, definitely an ongoing process. But, you know, as actually, we were talking, you know, about earlier in terms of being kind of comfortable with doing things digital and online, that in and of itself is something that even in 2023, my mom isn't as comfortable or as confident as, you know, say, maybe the three of us are. As an example, when sending money, you know, kind of like a peer-to-peer basis, like, if I'm sending my mom a little bit of money, or she's sending me something, you're kind of within the family. Things that I would think would be kind of very easy and straightforward actually do cause her a little bit more concern. Okay, I'm entering my debit card number into this so that it can get, you know, the cash transferred into my bank account. You know, again, for me, it didn't even cross my mind, actually, that that would be something uncomfortable. But for my mom, that was something where she actually had some concerns about it and was messaging me.
Her kind of personal point of view on that was, I would rather use a credit card for this and get the money on a credit card instead of a debit card because the debit card is linked to a bank account, and the security around that needs to be, you know, much tighter. And so, it made her more uncomfortable entering that on her phone. Whereas even a credit card it would have given her a little bit more peace of mind simply because it wasn't directly tied to her bank account. So, that's just, you know, the most recent example. I mean, honestly, that was earlier today, but it's something I hadn't thought of. And, again, for most of our customers, maybe that's not the case and how they think. But for folks that are at that retirement age, you know, in a world where there are constant barrages of scam, you know, emails, and phone calls, and text messages going around, the concern was definitely there.

VICTORIA: That happened to me. Last week, I was on vacation with my family, and we needed to pay my mom for the house we'd rented. And I had to teach her how to use Zelle and set up Zelle. [laughter] It was a week-long process. But we got there, and it works [laughs] now. But yeah, it's interesting what concerns they have. And the funny part about it was that my sister-in-law happens to be, like, a lawyer who prevents class action lawsuits at a major bank. And she reassured us that it was, in fact, secure. [laughs] I think it's interesting thinking about that user experience for security. And I'm curious, again, like, compare again with the developer experience and using security toolings. And I wonder if you had any top recommendations on tools that make the developer experience a little more comfortable and feeling like you're deploying with security in mind.

RISHI: That, in particular, is a bit of a hard question to answer. I try and stay away from specific vendors when it comes to that because I think a lot of it is contextual.
But I could definitely talk through, like, some of the tools that I use and the way I like to think about it, especially from the developer perspective. I think, first off, consider what aspect of the software development, you know, lifecycle you're in. If you are an engineer writing, you know, mostly application code and dealing with building product and features and stuff like that, start from that angle. I could even take a step back and say security as an industry is very, very wide at this point. There is somebody trying to sell you a tool for basically every step in the SDLC process, and honestly, before and after to [inaudible 26:23]. I would even almost say it's, to some extent, kind of information and vendor overload in a lot of ways. So, I think what's important is to think about what your particular aspect of that is. Again, as an application engineer, or if you're building cloud infrastructure, or if you're an SRE, you know, or a platform team, kind of depending on what you are, your tooling will be different. The concepts are all kind of similar ideas, but how you go about what you build will be different. In general, I like to say, from the app side of things, A, start with considering the code you're writing. And that's a little bit cultural, but it's also kind of more training. Are you writing code with a security mindset? Are you designing systems with a security mindset? These aren't things that are typically taught, you know, in school if you go get a CS degree, or even in a lot of companies in terms of the things that you should be thinking about. So, A, start from there. And if you don't feel like you think about, you know, is this design secure? Have we done, you know, threat modeling on it? Are we considering all of the error paths or the negative ways people can break the system? Then, start from that and start going through some of the security training that exists out there.
And there's a lot of different aspects or avenues by which you can get that to be able to say, like, okay, I know I'm at least thinking about the code I write with a security mindset, even if you haven't actually changed anything about the code you're writing yet. What I actually think is really helpful for a lot of engineers is to have them try and break things. It's why I like to compete in CTFs, but it's also why I like to have my engineers do the same types of things. Trying to break software is both really insightful from the aspect that you don't get when you're just writing code and shipping it because it's not something you have time to do, but it's also a great way to build up some of the skills that you need to then protect against. And there's a lot of good, you know, cyber ranges out there. There's lots of good, just intentionally vulnerable applications that you can find on GitHub but that you can just run, you know, locally even on your machine and say, okay, now I have a little web app stood up. I know this is vulnerable. What do I do? How do I go and break it? Because then all of a sudden, the code that you're writing you start to think about a little bit differently. It's not just about how am I solving this product problem or this development problem? But it's, how am I doing this in a way that is safe and secure? Again, as an application side of things, you know, just make sure you know the OWASP Top 10 inside and out. Those are the most basic things a lot of engineers miss. And it only takes, again, one miss for it to be critical. So, start reviewing it. And then, you start to think about the tooling aspect of it. People are human. We're going to make mistakes. So, how do we use the power of technology to be able to stop this? You know, and there is static scanning tools. Like, there's a whole bunch of different ones out there.
You know, Semgrep is a great one that's open source just to get started with that can help you find the vulnerable code that may exist there. Consider the SQL queries that you're writing, and most importantly, how you're writing them. You know, are you taking user input and just chucking it in there, or are you sanitizing it? When I ask these questions, for a lot of engineers, it's not usually yes or no. It's much more of an, well, I don't know. Because in software, we do a really good job of writing abstraction layers. But that also means, you know, to some extent, there may be a little bit of magic in there, or a lack thereof of magic that you don't necessarily know about. And so, you have to be able to dive into the libraries. You have to know what you're doing to even be able to say something like, oh no, this SQL query is safe from this user input because we have sanitized it. We have, you know, done a prepared statement, whatever it may be. Or, no, actually, we are just doing something here that's been vulnerable, and we didn't realize we were, and so now that's something we have to address. So, I think, like, that aspect in and of itself, which isn't, you know, a crazy ton of things. It's not spending a ton of money on different tools. But it's just internalizing the fact that you start to think a little bit differently. It provides a ton of value. The last thing on that, too, is to be able to say, especially if you're coming from a development side, or even just from a founder or a startup side of things, what are my big risks? What do I need to take care of first? What are the giant holes or flaws? You know, and what is my threat model around that? Obviously, as a bank, you have to care very deeply right from the start. You know, if you're not a bank, if you're not dealing with financial transactions, or PII, or anything like that, there are some things that you can deal with a little bit later.
So, you have to know your industry, and you have to know what people are trying to do and the threat models and the threat vectors that can exist based on where you are.

WILL: That's amazing. You know, earlier, we talked about you being an engineer for 20 years, different areas, and stuff like that. Do you have any advice for engineers that are starting out right now? And, you know, from probably year one to year, you know, anything under ten years of experience, do you have any advice that you usually give engineers when you're chatting with them?

RISHI: The advice I tend to give people who are just starting out is be the type of person that asks, "How does this work?" Or "Why does this work?" And then do the work to figure out the answer. Maybe it is talking to someone; maybe it's diving into the details; maybe it's reading a book in some aspect that you haven't had much exposure to. When I look at my career and when I look at the careers of folks around me and the people that I've seen be most successful, both in engineering but also on the business side, that desire to know why something is the case is, I think, one of the biggest things that determines success. And then the ability to answer that question by putting in the right types of work, the right types of scientific method and processes and such, are the other factor. So, to me, that's what I try and get across to people. I say that mostly to junior folks because I think when you're getting started, it's really difficult. There's a ton out there. And we've, again, as software engineers, and hardware engineers, and cloud, and all this kind of stuff, done a pretty good job of building a ton of abstraction layers. All of our abstraction layers [inaudible 32:28] to some degree. You know, so as you start, you know, writing a bunch of code, you start finding a bunch of bugs that you don't necessarily know how to solve and that don't make any sense in the avenue that you've been exposed to.
But as soon as you get into the next layer and understand how that works, things begin to make a lot more sense. So, I think being comfortable with saying, "I have no idea why this is the case, but I'm going to go find out," makes the biggest difference for people just starting out their career.

WILL: I love that advice. Not too long ago, my manager encouraged me to write a blog post on something that I thought that I really knew. And when I started writing that blog post, I was like, oh boy, I have no idea. I know how to do it, but I don't know the why behind it. And so, I was very thankful that he encouraged me to write a blog post on it. Because once you start explaining it to other people, I feel you really have to know the whys. And so, I love that advice. That's really good advice.

VICTORIA: Me too. And it makes sense with what we see statistically as well in the DORA research. The DevOps Research Association publishes a survey every year, the State of DevOps Report. And one of the biggest findings I remember from last year's was that the most secure and reliable systems have the most open communication and high trust among the teams. And so, being able to have that curiosity as a junior developer, you need to be in an environment where you can feel comfortable asking questions [laughs], and you can approach different people, and you're encouraged to make those connections and write blog posts like Will was saying.

RISHI: Absolutely, absolutely. I think you touched on something very important there as well. The psychological safety really makes a big difference. And I think that's critical for, again, like, folks especially earlier in their career or have recently transitioned to tech, or whatever the case may be. Because asking "Why?" should be something that excites people, and there are companies where that's not necessarily the case, right?
Where your asking why seems to be viewed as a sign that you don't know something, and therefore, you're not as good as what you should be, you know, the level you should be at or for whatever they expect. But I do think that's the wrong attitude. I think the more people ask why, the more people are able and comfortable to be able to say, "I don't know, but I'm going to go find out," and then being able to be successful with that makes way better systems. It makes way safer and more secure systems. And, honestly, I think it makes humans, in general, better humans because we can do that.

VICTORIA: I think that's a great note to start to wrap up on. Are there any questions that you have for me or Will?

RISHI: Yeah. I would love to hear from both of you as to what you see; with the experiences that you have and what you do, the biggest impediments or speed bumps are when it comes to developers being able to write and ship secure code.

VICTORIA: When we're talking with new clients, it depends on where they are in really the adoption of their product and the maturity of their organization. Some early founders really have no technology experience. They have never managed an IT organization. You know, setting up basic employee account access and IDs is some of the initial steps you have to take to really get to where you can do identity management, and permissions management, and all the things that are really table stakes for security. And then others have some progress, and they have a fair amount of data. And maybe it's in that situation, like you said before, where it's really a trade-off between the cost and benefit of making those changes to a more secure, more best practice in the cloud or in their CI/CD pipeline or wherever it may be. And then, when you're a larger organization, and you have to make the trade-offs between all of that, and how it's impacting your developer experience, and how long are those deployed times now.
And you might get fewer rates of errors and fewer rates of security vulnerabilities. But if it's taking three hours for your deployments to go out [laughs] because there's so many people, and there's so many checks to go through, then you have to consider where you can make some cuts and where there might be more efficiencies to be gained. So, it's really interesting. Everyone's on a different point in their journey. And starting with the basics, like you said, I love that you brought up the OWASP Top 10. We've been adopting the CIS Controls and just doing a basic internal security audit ourselves to get more ready and to be in a position where... What I'm familiar with as well from working in federal agencies, consulting, maintaining some of the older security frameworks can be a really high cost, not only in terms of auditing fees but what it impacts to your organization to, like, maintain those things [laughs] and the documentation required. And how do you do that in an agile way, in a way that really focuses on addressing the actual purpose of the requirements over needing to check a box? And how do we replicate that for our clients as well?
RISHI: That is super helpful. And I think the checkbox aspect that you just discussed I think is key. It's a difficult position to be in when there are boxes that you have to check and don't necessarily actually add value when it comes to security or compliance or, you know, a decrease in risk for the company. And I think that one of the challenges industry-wide has always been that security and compliance in and of itself tends to move a little bit slower from a blue team or a protection perspective than the rest of the industry. And so, I mean, I can think of, you know, audits that I've been in where, you know, just even the fact that things were cloud-hosted just didn't make sense to the auditors.
And it was a struggle to get them to understand that, you know, there is shared responsibility, and this kind of stuff exists, and AWS is taking care of some things, and we're taking care of some other things when they've just been developed with this on-premise kind of mentality. That is one of the big challenges that still exists kind of across the board: making sure that the security work that you're doing adds security value, adds business value. It isn't just checking the box for the sake of checking the box, even when that's sometimes necessary.
VICTORIA: I am a pro box checker.
RISHI: [laughs]
VICTORIA: Like, I'll get the box checked. I'll use Trello and Confluence and any other tool besides Excel to do it, too. We'll make it happen with less pain, but I'd rather not do it [laughs] if we don't have to.
RISHI: [laughs]
VICTORIA: Let's make it easy. No, I love it. Is there anything else that you want to promote?
RISHI: No, I don't think there's anything else I want to promote other than I'm going to go back to what I said just earlier, like, that culture. And if, you know, folks are out there and you have junior engineers, you have engineers that are asking "Why?", you have people that just want to do the right thing and get better, lean into that. Double down on those types of folks. Those are the ones that are going to make big differences in what you do as a business, and do what you can to help them out. I think that is something we don't see enough of in the industry still. And I would love for that to change.
VICTORIA: I love that. Thank you so much, Rishi, for joining us.
RISHI: Thanks for having me. This was a great conversation. I appreciate the time.
VICTORIA: You can subscribe to the show and find notes along with a complete transcript for this episode at giantrobots.fm. If you have questions or comments, email us at hosts@giantrobots.fm. And you can find me on Twitter @victori_ousg.
WILL: And you could find me on Twitter @will23larry.
This podcast is brought to you by thoughtbot and produced and edited by Mandy Moore. Thanks for listening. See you next time.
ANNOUNCER: This podcast is brought to you by thoughtbot, your expert strategy, design, development, and product management partner. We bring digital products from idea to success and teach you how because we care. Learn more at thoughtbot.com.
Special Guest: Rishi Malik.
Thomas LaRock, Principal Developer Evangelist at Selector AI, joins Corey on Screaming in the Cloud to discuss why he loves having a career in data and his most recent undertaking at Selector AI. Thomas explains how his new role aligned perfectly with his career goals in his recent job search, and why Selector AI is not in competition with other data analysis tools. Corey and Thomas discuss the benefits and drawbacks to going back to school for additional degrees, and why it's important to maintain a healthy balance of education and practical experience. Thomas also highlights the impact that data can have on people's lives, and why he finds his career in data so meaningful. About Thomas
Thomas' career and life experiences are best described as follows: he takes things that are hard and makes them simple for others to understand. Thomas is a highly experienced data professional with over 25 years of expertise in diverse roles, from individual contributor to team lead. He is passionate about simplifying complex challenges for others and leading with empathy, challenging assumptions, and embracing a systems-thinking approach. Thomas has strong analytical reasoning skills and expertise to identify trends and opportunities for significant impact, and is a builder of cohesive teams by breaking down silos resulting in increased efficiencies and collective success. He has a track record of driving revenue growth, spearheading industry-leading events, and fostering valuable relationships with major tech players like Microsoft and VMware. Links Referenced: Selector: https://www.selector.ai/ LinkedIn: https://www.linkedin.com/in/sqlrockstar/
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn.
This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Do you wish there were cheat codes for database optimization? Well, there are – no seriously. If you're using Postgres or MySQL on Amazon Aurora or RDS, OtterTune uses AI to automatically optimize your knobs and indexes and queries and other bits and bobs in databases. OtterTune applies optimal settings and recommendations in the background or surfaces them to you and allows you to do it. The best part is that there's no cost to try it. Get a free, thirty-day trial to take it for a test drive. Go to ottertune dot com to learn more. That's O-T-T-E-R-T-U-N-E dot com.
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. There are some guests I have been nagging-slash-angling to have on this show for years on end, and that you almost give up, until they wind up having a job change. At which point, there's no better opportunity to pounce like some sort of scavenger or hyena or whatnot in order to get them on before their new employer understands what I am, and out of an overabundance of caution, decides not to talk with me. Thomas LaRock is a recently minted Principal Developer Evangelist at Selector. Thomas, thank you for finally deigning to appear on the show. It is deeply appreciated.
Thomas: Oh, thanks for having me. Thanks for extending the invitation. I'm sorry. It's my fault I haven't come here before now; it's just been one of those scheduling things. And I always think I'm going to see you. Like, I'll go to re:Invent, and I'm like, “I'll see Corey there.” And then, nah, Corey is a little busy.
Corey: Yeah, I have no recollection of basically anything that ever happens at re:Invent, just because it is eight days of ridiculous Cloud Chanukah and thing to thing to thing to thing to thing.
It's just overload and I wind up effectively blocking all of it out. You are one of those very interesting people where, depending upon the context in which someone encounters you, it's difficult to actually put a finger on where you start and where you stop. You are, for example, a Microsoft MVP, which means you presumably have a fair depth of experience with at least some subset of Microsoft products. You have been working at SolarWinds for a while now, and you also have the username of SQLRockstar on a number of social media environments, which leads me to think, oh, you're a database person. What are you exactly? Where do you start? Where do you stop?
Thomas: Yeah, in my heart-of-hearts, a data professional. And that can mean a lot of things to a lot of different people. My latest thing I've taken from a friend where I just call myself a data janitor because that's pretty much what I do all day, right? I'll clean data up, I'll move it around, it's a pile here and a pile there. But that's my heart of hearts. I've been a database administrator, I've been the data advocate. I've done a lot of roles, but it's always been heavily focused on data.
Corey: So, these days, your new role—let's start at the present and see if we work our way backwards or not—you've been, at the time of this recording, in your role for a week where you are a principal developer evangelist at Selector, which to my understanding, is an AIOps or MLOps or whatever buzzword that we're sprinkling on top of things today is, which of course presupposes having some amount of data to wind up operating on. What do you folks do over there?
Thomas: That's a great question. I'm hoping to figure that out eventually. No. So, here's the thing, Corey. So, when I started my unforced sabbatical this past June, I was, of course, doing what everybody does: panicking. And I was looking for job opportunities just about anywhere.
But I, again, data professional.
I really wanted a role that would allow me to use my math skills—I have a master's in mathematics—I wanted to use those math and analytical skills and go beyond the data into the application of the data. So, in the past five, six years, I've been earning a lot of data science certifications, I've been just getting back into my roots, right, statistical analysis, even my Six Sigma training is suddenly relevant again. So, what happened was I was on LinkedIn and a friend had posted a note and mentioned Selector. I clicked on the link, and [all of a sudden 00:04:17] I read, I go, “So, here's a company that is literally building new tools and it's data-science-centric. Is data-science-first.”
It is, “We are going to find a way to go through your data and truly build out a better set of correlations to get you a signal through the noise.” Traditional monitoring tools, you know, collect a lot of things and then they kind of tell you what's wrong. Or you're collecting a lot of different things, so they slap, like, I don't know, timestamps in there and they guess at correlations. And these people are like, “No, no, no. We're going to go through everything and we will tell you what the data really says about your environment.”
And I thought it was crazy how at the moment I was looking for a role that involves data and advocacy, the moment I'm looking for that role, that company was looking for someone like me. And so, I reached out immediately. They wanted not just a resume, but they're like, where's your portfolio? Have you spoken before? I'm like, “Yeah, I've spoken in a couple places,” right?
So, I gave them everything, I reached right out to the recruiter. I said, “In case it doesn't arrive, let me know. I'll send it again. But this sounds very interesting.” And it didn't take more than—
Corey: Exactly. [unintelligible 00:05:24] delivery remains hard.
Thomas: Yeah. And it didn't take more than a couple of weeks.
And I had gone through four or five interviews, they said that they were going to probably fly me out to Santa Clara to do, like, a last round or whatever. That got changed at some point and we went from, “Hey, we'll have you fly out,” to, “Hey, here's the offer. Why don't you just sign?” And I'm like, “Yeah, I'll start Monday. Let's go.”
Corey: Fantastic. I imagine at some point, you'll be out in this neck of the woods just for an off-site or an all-hands or basically to stare someone down when you have a sufficiently large disagreement.
Thomas: Yes, I do expect to be out there at some point. Matter of fact, I think one of my trips coming up might be to San Diego if you happen to head down south.
Corey: Oh, I find myself all over the place these days, which is frankly, a welcome change after a few years of seclusion during the glorious pandemic years. What I like about Selector's approach, from what I can tell at least, is that it doesn't ask all of its customers to, “Hey, you know, all that stuff that you've instrumented over the last 20 years with a variety of different tools in the observability pipeline? Yeah, rip them all out and replace them with our new shiny thing.” Which never freaking happens. It feels like it's a better step toward meeting folks where they are.
Thomas: Yeah. So, we're finding—I talk like I've been there forever: “What we're finding,”—in the past 40 hours of my work experience there, what we're finding, if you just look at the companies that are listed on the website, you'll get an idea for the scale that we're talking about. So no, we're not there to rip and replace. We're not going to show up and tell you, “Yeah, get rid of everything.
We're going to do that for you.”
Matter of fact, we think it's great you have all of those different things because it just reflects the complexity of your environment right now, is that you've grown, you've got so many disparate systems, you've got some of the technologies trying to monitor it all, and you're really hoping to have everything rolled into one big dashboard, right? Instead of right now, you've got to go through three, four, or five dashboards, to even think you have an idea of the problem. And you never really—you guess. We all guess. We think we know where it is, and you start looking and then you figure it out.
But yeah, we take kind of a different approach right from the start, and we say, “Great, you've got all that data? Ingest it. Bring it right to us, okay? We don't care where it comes from, we can bring it in, and we can start going through it and start giving you true actionable insights.” We can filter out the noise, right, instead of one node going down, triggering a thousand alerts, we can just filter all of that out for you and just let you focus on the things that you need to be looking at right now.
Corey: One of the things that I think gets overlooked in this space a lot is, “Well, we have this tool that does way better than that legacy tool that you're using right now and it's super easy to do a just drop-in replacement with our new awesomeness.” Great. What that completely misses is that there are other business units who perhaps care about data interchange and the idea that yeah, thing's a legacy piece of junk and replacing it would take an afternoon. And then it would take 14 years to wind up redoing all the other reports that other things are generating downstream of that because they integrate with that thing.
So yeah, it's easy to replace the thing itself, but not in a way that anything else can take advantage of it.
Thomas: Right.
Corey: And when it turns out also when you sit there making fun of people's historical technological decisions, they don't really like becoming customers as it turns out. This was something of a shock for an awful lot of very self-assured startup founders in the early days.
Thomas: Yeah. And again, you're talking about how, you know some of the companies we're looking at, it's y—we don't want to rip and replace things. Like you just said, you've got an ecosystem. It's a delicate ecosystem that has [laugh] developed over time. We aren't interested in replacing all that. We want to enhance it, we want to be on top of it and amplify what's in there for you.
So yeah, we're not interested in coming in and say, “Yeah, rip every tool out.” And in some ways, when somebody will ask, you know, “Who do you compete with?” I'll go, “Nobody.” Because I'm not looking to replace anybody. I'm looking to go on top.
And again, the companies we're dealing with have lots of data. We're talking very large companies. Some of these are the backbone of the internet. They just have way too much data for any of these legacy tools to help with, you know? They can help with, like, little things, but in terms of making sense of it all, in terms of doing the real big data analytics, yeah, that's where our tool comes in and it really shines.
Corey: Yeah, it turns out that is not a really compelling sales pitch to walk in and say, “Hey, listen up, idiots, you all are doing it wrong. Now, pay me and we'll do it right.” Yeah, even if you're completely right, you've already lost the room at that point.
Thomas: Exactly.
Corey: People make decisions based upon human aspects, not about arithmetic, in most cases. I will say, taking a glance at the website, a couple of things are very promising. One, your picture and profile are already up there, which is good.
No one is still on the fence about that, and further as a bonus, they've taken your job role down off the website, which is always disconcerting when you're there and, “Why is that job still open?” “Oh, we're preserving optionality. Don't you worry your head about that. We've got it.” No one finds that a reassuring story when it's about the role that they're in. So, good selection.
Thomas: I went to—after I signed, it was within the day, I went to send somebody the link to the job req. Like, they're like, “What are”—I go, “Here, let me show you.” It was already down. The ink was even dry on the DocuSign and it was already down. So, I thought that—
Corey: Good on them.
Thomas: —was a good sign, too.
Corey: Oh, yeah. Now, looking at the rest of your website, I do see a couple of things that lead to natural questions. One of the first things I look at on a web page is, okay, how is this thing priced? Because you always want to see the free tier option when I'm trying to solve a problem in the middle of the night that I can just sign up for and see if it works for a small use case, but you also, in a big company definitely want to have the ‘Contact Us' option because we're procurement and we don't know how to sign a deal that doesn't have two commas in it with a bunch of special terms that ride along with it. Selector does not at the time of this recording, have a pricing page at all, which usually indicates if you have to ask, it might not be for you.
Then I look at your customer case studies and they talk about very large enterprises, such as a major cable operator, for example, or TracFone. And oh okay, yeah, that is probably not the scale that I tend to be operating at. So, if I were to envision this as a carnival ride and there's a sign next to it, “You must be at least this tall to ride,” how tall should someone be?
Thomas: That is a great way of putting it and I would—I can't really go into specifics because I'm still kind of new. But my understanding—
Corey: Oh yeah.
Make sweeping policy statements about your new employer 40 hours in. What could possibly go wrong?
Thomas: My understanding is the companies that we—that are our target market today are fairly large enterprises with real data challenges, real monitoring data challenges. And so no, we're not doing—it's not transactional. You can't just come to our website and say, “Here, click this, you'll be up and running.” Because the volumes of data we're talking about, this requires a little bit of specialty in helping make sure that things are getting set up and correct.
Think of it this way. Like if somebody said, “Here, do the statistical analysis on whatever, and here's Excel and go at it and get me that report by the end of the day and tell me how we're doing,” most people would be like, “I don't have enough information on that. Can you help me?” So, we're still at that, hey, we're going to need to help you through this and make sure it's correctly configured. And it's doing what you expect. So, how tall are you? I think that goes both ways. I think you're at a height where you still need some supervision [laugh]. Does that make sense?
Corey: I think that's probably a good way of framing it. It's a—again, I'm not saying that you should never ever, ever, ever have a ‘you must contact us to get started.' There are a bunch of products like that out there. It turns out that even at The Duckbill Group here, we always want to have a series of conversations first. We don't have a shopping cart that's, “One consulting, please,” just because we'll get into trouble with that.
Though I think our first pass offering of a two-day engagement might have one of those somewhere still lurking around. Don't quote me on that. Hell is other people's websites. It's great. But your own, yeah, whoever reads that thing, “Wait, we're saying what?” Don't quote me on any of that, my God.
Thomas: But I think that's a good way of putting it. Like, you want to have some conversations first.
Yeah, so you—and again, we're still, we're fairly young. We've only—we're Series A, so we've been around 16 months, like… you know, the other website you're looking at is probably going to change within the next six or eight weeks just because information gets outdated—
Corey: It already has. It put your picture on it.
Thomas: Right. But I mean, things are going to—things move pretty fast with startups, especially this one. So, I just expect that over time, I envision some type of a free tier, but we're not there yet.
Corey: That's one of those challenges as far as in some cases moving down market. I found that anything that acts like a security tool, for example, has to, on some level, charge enough to be worth the squeeze. One of the challenges there is, I'm either limited for anything that does CloudTrail analysis over in AWS-land, for example. I can either find a bunch of janky things off GitHub or I can spend what starts at $1,000 a month and increases rapidly from there, which is about twice the actual AWS bill that it would wind up alerting on. Not that the business value isn't there, but because a complex sale is, in many cases, always going to be attendant with some of these products, so why not go after the larger companies where the juice is worth the squeeze rather than the folks who are not going to see the value and it'd be just as challenging to wind up launching a sale into?
The corollary, of course, is that some of those small companies do in fact, grow meteorically. But it's a bit of a lottery.
Thomas: Yep.
Corey: Ugh. So, I have to ask as well, while we're talking about strange decisions that people might have made, in the world of tech, in many cases, when someone gets promoted—like, “So, does that mean extra money?” “No, not really. We just get extra adjectives added to our job title.” Good for us. You have decided to add letters in a different way, by going back for a second master's degree.
What on earth would possess you to do such a thing?
Thomas: I—man, that is—you know, so I got my first master's degree because I thought I was going to, I thought I was going to be a math teacher and basketball coach. And I had a master's degree in math and I thought that was going to be a thing. I'll get a job, you know, coaching and teaching at some small school somewhere. But then I realized that I enjoyed things like eating and keeping the wind off me, and so I realized I had to go get a jobby-job. And so, I took my master's in math, I ended—I got a job as a software analyst, and just rolled that from one thing to another until where I am today.
But about four years ago, when I started falling back in love with my roots in math, and statistical analysis became a real easy thing for people to really start doing for themselves—well actually, that was about eight years ago—but the past four or five years, I've been earning more certifications in data science technologies. And then I found this program at Georgia Tech. So, Georgia Tech has an online master's of science in data analytics. And it's extremely affordable. So, I looked at a lot of programs, Corey, over the past few years, especially during the pandemic.
I had some free time, so I browsed a lot of these places, and they were charging 50, $60,000 and you had to do it within two, three years. And in one case, the last class you had to take, your practicum, had to be all done on campus. So, you had to go, like, live somewhere. And I'm looking at all—none of that was practical. And all of a sudden, somebody shows up and goes, “So, you can go online, fully online, Georgia Tech, $275 a credit. Costs ten grand for the entire program.”
And you can—it's geared towards a working professional and you can take anywhere from two to six years. So, you take, like, one class a semester if you want, or two or even three if they allow you, but they usually restrict you. So, it just blew my mind.
Like, this exists today that I can start earning another master's degree in data analytics and I'll say, be… classically trained in how—it's funny because when I learn things in class, I'm like, I feel like I'm Thornton Melon in Back to School, and I'm just like, “Oh, you left out a bunch of stuff. That isn't how you do it all,” right?
That's kind of my reaction. I'm like, “Calm down. I'm sure the professor has a point. I'll hear [laugh] him out.” But to me, you asked why, and I just… the challenge. Am I really good at what I do? Like, I feel I am. I already have a master's degree. I'm not worried about the level of work and the commitment involved in earning another one.
I just wanted to show to myself that I could—I want to learn and make sure I can do things like code in Python. If anybody has a chance to take a programming class, a graduate-level programming class at Georgia Tech, you should do it. You should see where your skills rate at that level, right? So, it was for the challenge. I want to know if I can do it. I'm three classes in. I just started my fourth, actually, today was the start of the fall semester.
And so, I'm about halfway through, and I'm loving it. It's not too taxing. It's just the right speed for me. I get to do it in my leisure hours, as it were. Yeah, so I did it for the challenge. I'm really glad I'm doing it. I encourage anybody interested in obtaining a degree in data analytics to look at the Georgia Tech program. It's well worth it. Georgia Tech's not a bad school.
Like, if you had to go to school in the South, it's all right.
Corey: I always find it odd, just, you had your first master's degree in, you know, mathematics, and now you're going for data analytics, which sounds like mathematics with extra steps.
Thomas: It is.
Corey: Were there opportunities that you were hoping to pursue that were not available to you with just the one master's degree?
Thomas: So, it's interesting you say that because I'm so old that when I went to school, all we had was math, that was it. It was pure mathematics. I could have been a statistics major, I think, and computer science was a thing. And one day I met a guy who transferred into math from computer science. I'm like, “Why would you do that? What are you going to do with the degree in math?”
And his response is, “What am I going to do with a degree in computer science?” And I look back and I realized how we were both right. So, I think at the time if there had been a course in applied mathematics, that would have piqued my interest. Like, what am I going to do with this math degree other than become an actuary because that was about all I knew at the time. You were a teacher or an actuary, and that was about it.
So, the idea now that they have these programs in data analytics or data science that are a little more narrow in focus, like, “This is what we're going to do: we're going to apply a little bit of math, some calculus, some stats; we're going to show you how to build your own simulations; we're going to show you how to ask the right questions of the data.” To give you a little bit of training. Because they can't teach you everything. You really have to have real-world experience in whatever domain you're going to focus on, be it finance or marketing or whatever. All these, right, financial operations, that's just analytics for finance; marketing operations, that's analytics for marketing.
It's just, to me, I think just the opportunity to have that focus would have been great back then and it didn't exist. And I want to take advantage of it now.
Corey: I've always been a fan of advising people who ask me, “Should I go back to school,” because usually, there's something else driving that. Like, I am honestly not much of a career mentor. My value basically comes in as being a horrible warning to others. On paper, I have an eighth-grade education. I am not someone to follow for academic approaches.
But when someone early or mid-career asks, “Should I get another degree?” Unpacking that is always a bit of a fun direction for me to go in. Because at some level, we've sold entire generations a bill of goods, where oh, if you don't know what to do, just get more credentials and then your path will be open to you in a bunch of new and exciting ways. Okay, great. I'm not saying that's inherently wrong, but talk to people doing the thing you'd want to do after you have that degree, maybe, you know, five or six years down the professional line from where you are and get their take on it.
Because in some cases, yeah, there are definite credentials you're going to need—I don't want you to be a self-taught surgeon, for example—but there are other things where it doesn't necessarily open doors. People are just reflexively deciding that I'm going to go after that instead. And then you can start doing the math of, okay, assume that you have whatever the cost of the degree is in terms of actual cost and opportunity cost. Is this the best path forward for you to wind up getting where you want to go? It sounds like in your particular case, this is almost a labor of love or a hobby style of approach, as opposed to, “Well, I really want Job X, but I just can't get it without the right letters after my name.” Is that a fair assessment?
Thomas: It's not unfair.
It is definitely fair, but I would also say, you know, if somebody came and said, “Hey Tom, we need somebody to run our data science team or our data engineering team,” I've got the experience for—the only thing I would be lacking is, you know, production experience, like, with machine-learning pipelines or something. I don't have that today.
Corey: Which is basically everyone else, too, but that's a little—bit of a quiet secret in the industry.
Thomas: Yeah, that's—okay. Bad example. But you know what I'm saying is that the only thing I'd be lacking would be that practical experience, so this is one way that—to at least start that little bit of experience, especially with the end result being the practicum that we'll be doing. It's, like, six credits at the very end. So yes, it's a fair thing.
I wouldn't—hobby isn't really the right—this is really something that makes me get out of bed in the morning. I get to work with data today and I'm going to get—I'm going to tell a great story using data today. I really do enjoy those things. But then at the tail end of this, if it happens to lead to a position that somebody says, “Hey, we need somebody, vice president of data engineering. This is a really good”—honestly, the things I look for are the roles and the roles I want are to have a role that allows me to really have an impact on other people's lives.
And that's one of the things about Selector. The things that we're able to do for these admins that are just drowning in data, the data is just in their way, and that we can help them make sense of it all, to me, that's impactful. So, those are the types of roles that I will be looking for as well in the future, especially at the high level of something data science-y.
Corey: I think that that is a terrific example of what I'm talking about.
Because I've met a number of folks, especially very early-20s range where, okay, they've gotten the degree, but now they don't know what to do because every time they're applying for jobs, it doesn't seem to work for them. You've been around this industry for 25 years. Everyone needs a piece of paper that says they know certain things, and in your case, it long ago transitioned into being—I would assume—your resumé, the history of things you have done that look equivalent. Part of me, on some level, wonders if there isn't an academic snobbery going on at some level, where a number of teams are, "Oh, we'd love to have you in, but you don't have a PhD."

And then people get the PhD. "From the right school, in the right area of concentration." It's like, you just keep moving these very expensive goalposts super quickly. Remember, I have an eighth-grade education. I'm not coming at this from a place of snobbery and I'm also not one of those folks who's well it didn't work for me, therefore, it won't work for anyone else either because that's equally terrible in a different direction.

It's just making sure that people are going into these things with their eyes open. With you, it's never been a concern. You've been around this industry so long that it is extremely unlikely to me [laugh] that you, "Oh, wait. You mean a degree won't magically solve all of my problems and regrow some of my hair and make me two inches taller, et cetera, et cetera?" But yeah, do I remember in the early days just how insipid and how omnipresent that pressure was.

Thomas: Yeah. I've been at companies where we've brought in people because of the education and—or I'm sorry. Let's be more specific. I've been at companies where we've sent current employees—as we used to call it—off to charm school, which is basically [MBA 00:25:44].

Corey: [laugh].

Thomas: And I swear, so many of them came back and they just forgot how to think, how to have common sense. 
Like, they were very much focused on one particular thing and this is just it, and they forgot there were maybe humans involved, and maybe look for a human answer instead of the statistically correct one. So, I think that was a good thing for me as well to be around that because, yeah, somebody put it to me best years ago: "Education by itself isn't enough. If you combine education with motivation, now you've really got something." And in your case, I don't know where you went for eighth grade, it could have been the best eighth-grade program ever, but you definitely have the motivation through the years to overcome anything that might have been lacking in the form of education. So, it's really the combination—

Corey: Oh, you'd be surprised. A lot of those things are still readily apparent to people who work with me, so I've done a good job of camouflaging them. Huzzah.

Thomas: Just it's, you've got to have both. You can't just rely on one or the other.

Corey: So, last question, given that you are the data guy and SQLRockstar is your username in a bunch of places. What's the best database? I mean, I would always say it's Route 53, but I understand that can be controversial for some folks, given that their SQL implementation is not yet complete. What's your take?

Thomas: So clearly, I'm partial to anything inside the Microsoft data platform, with the exception being Access. I think if Access disappeared from the universe… society might be better off. But that's for a different day, I think the best database is the one that does the job you need it to do. Honestly, the database shouldn't really matter. It's just an abstraction. The database engine is just something in between you and the data you need, right?

So, whatever you're using, if it's doing the job that you need it to do, then that's the best database you could have. I learned a long time ago to not pick sides, choose fiefdoms. Like, it just didn't matter. It's all kind of the same. 
And in a lot of cases, if you go to, like, the DB-Engines Rankings, you'll see how many of these systems these days, there's a lot of overlap. They offer all the same features and the differences between them are getting smaller and smaller in a lot of cases. So yeah, it's… you've got a database, it does what you need to do? That's great. That's the best database.

Corey: Especially since any database, I suspect, can be made to perform a given task, even if sub-optimally. Which states back to my core ethos of, quite frankly, anything is a database if you hold it wrong.

Thomas: Yeah, it really is. I mean, we've had those discussions. I kid about Access because it's just a painful thing for a lot of different reasons. But is Excel a database? And I would say no but, you know—because it can't do certain things that I would expect a relational engine to do. And then you find out, well, I can make it do those things. So, now is it a database? And, yeah…

Corey: [laugh]. Yeah. Well, what if I apply some brute force? Will it count then? Like, you have information, Thomas. Can I query you?

Thomas: Yes. Yes, yes, [laugh] you can. I also have latency.

Corey: Exactly. That means you are a suboptimal database.

Thomas: [laugh].

Corey: Good job. I really want to thank you for taking the time to talk about what you're up to these days and finally coming on the show. If people want to learn more, where's the best place for them to find you?

Thomas: Well, I'm becoming more active on LinkedIn. So, it's linkedin/in/sqlrockstar. Just search for SQLRockstar, you'll find me everywhere. I mean, I do have a blog. I rarely blog these days. Most of the posts I do are over at LinkedIn.

And you might find me at some networking events coming up since Selector really does focus on network observability. So, you could see me there. And you know what? I'm also going to have an appearance on the Screaming in the Cloud podcast, so you can listen to me there.

Corey: Excellent. 
And I imagine that's the one we don't have to put into these [show notes. 00:29:44]. Thank you so much for taking the time to speak with me. I really do appreciate it.

Thomas: Thanks for having me, Corey. I look forward to coming back.

Corey: As I look forward to seeing you again over here. Thomas LaRock, Principal Developer Evangelist at Selector. I'm Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an insulting comment because then we're going to use all those together as a distributed database.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Welcome to episode 227 of the Cloud Pod podcast - where the forecast is always cloudy! This week your hosts are Justin, Jonathan, Matthew and Ryan - and they're REALLY excited to tell you all about the 161 things announced at Google Next. Literally, all the things. We're also saying farewell to EC2 Classic, Amazon SES, and Azure's Explicit Proxy - which probably isn't what you think it is. Titles we almost went with this week:
AWS Morning Brief Extras edition for the week of September 13, 2023.

Want to give your ears a break and read this as an article? You're looking for this link: https://www.lastweekinaws.com/blog/why-your-cpu-based-utilization-metric-is-absolute-nonsense

Never miss an episode: Join the Last Week in AWS newsletter. Subscribe wherever you get your podcasts.

Help the show: Leave a review. Share your feedback. Subscribe wherever you get your podcasts. Buy our merch at https://store.lastweekinaws.com

What's Corey up to? Follow Corey on Twitter (@quinnypig). See our recent work at the Duckbill Group. Apply to work with Corey and the Duckbill Group to help lower your AWS bill.
Go's known for its fantastic standard library, but there are some places where the libraries can be challenging to use. The html/template package is one of those places. So what alternatives do we have? On today's episode we're talking about Templ, an HTML templating language for Go that has great developer tooling. Co-hosts Kris Brandow and Jon Calhoun are joined by Adrian Hesketh, the creator of Templ, and Joe Davidson, one of the maintainers on the project.
In today's episode, titled "DevOps in Test," our speaker, Rosalind Radcliffe, an IBM Fellow and CIO DevSecOps CTO, dives deep into the world of interface DevOps testing and its crucial role in the API economy and digital transformation. Join us as we uncover the secrets to successful testing in a DevOps environment and learn how to optimize your DevOps testing practices. Also, just so you know, the Automation Guild 2024 online conference dedicated to all things Automation, including DevOps, Performance, and Security, is now open. I'd love to hear from you if you would like to submit a session idea. Just go to guildspeaker.com and submit now.
Did Apple's event live up to our expectations? And our thoughts on what new goodies for developers might be in the new hardware and software.
Tony Baer, Principal at dbInsight, joins Corey on Screaming in the Cloud to discuss his definition of what is and isn't a database, and the trends he's seeing in the industry. Tony explains why it's important to try and have an outsider's perspective when evaluating new ideas, and the growing awareness of the impact data has on our daily lives. Corey and Tony discuss the importance of working towards true operational simplicity in the cloud, and Tony also shares why explainability in generative AI is so crucial as the technology advances.

About Tony

Tony Baer, the founder and CEO of dbInsight, is a recognized industry expert in extending data management practices, governance, and advanced analytics to address the desire of enterprises to generate meaningful value from data-driven transformation. His combined expertise in both legacy database technologies and emerging cloud and analytics technologies shapes how clients go to market in an industry undergoing significant transformation. During his 10 years as a principal analyst at Ovum, he established successful research practices in the firm's fastest growing categories, including big data, cloud data management, and product lifecycle management. He advised Ovum clients regarding product roadmap, positioning, and messaging and helped them understand how to evolve data management and analytic strategies as the cloud, big data, and AI moved the goal posts. Baer was one of Ovum's most heavily-billed analysts and provided strategic counsel to enterprises spanning the Fortune 100 to fast-growing privately held companies.

With the cloud transforming the competitive landscape for database and analytics providers, Baer led deep dive research on the data platform portfolios of AWS, Microsoft Azure, and Google Cloud, and on how cloud transformation changed the roadmaps for incumbents such as Oracle, IBM, SAP, and Teradata. 
While at Ovum, he originated the term "Fast Data" which has since become synonymous with real-time streaming analytics.

Baer's thought leadership and broad market influence in big data and analytics have been formally recognized on numerous occasions. Analytics Insight named him one of the 2019 Top 100 Artificial Intelligence and Big Data Influencers. Previous citations include Onalytica, which named Baer as one of the world's Top 20 thought leaders and influencers on Data Science; Analytics Week, which named him as one of 200 top thought leaders in Big Data and Analytics; and KDnuggets, which listed Baer as one of the Top 12 top data analytics thought leaders on Twitter. While at Ovum, Baer was Ovum IT's most visible and publicly quoted analyst, and was cited by Ovum's parent company Informa as Brand Ambassador in 2017. In raw numbers, Baer has 14,000 followers on Twitter, and his ZDNet "Big on Data" posts are read 20,000 – 30,000 times monthly. He is also a frequent speaker at industry conferences such as Strata Data and Spark Summit.

Links Referenced:
dbInsight: https://dbinsight.io/

Transcript

Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.

Corey: This episode is brought to us in part by our friends at RedHat. As your organization grows, so does the complexity of your IT resources. You need a flexible solution that lets you deploy, manage, and scale workloads throughout your entire ecosystem. The Red Hat Ansible Automation Platform simplifies the management of applications and services across your hybrid infrastructure with one platform. Look for it on the AWS Marketplace.

Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. 
Back in my early formative years, I was an SRE sysadmin type, and one of the areas I always avoided was databases, or frankly, anything stateful because I am clumsy and unlucky and that's a bad combination to bring within spitting distance of anything that, you know, can't be spun back up intact, like databases. So, as a result, I tend not to spend a lot of time historically living in that world. It's time to expand horizons and think about this a little bit differently. My guest today is Tony Baer, principal at dbInsight. Tony, thank you for joining me.

Tony: Oh, Corey, thanks for having me. And by the way, we'll try and basically knock down your primal fear of databases today. That's my mission.

Corey: We're going to instill new fears in you. Because I was looking through a lot of your work over the years, and the criticism I have—and always the best place to deliver criticism is massively in public—is that you take a very conservative, stodgy approach to defining a database, whereas I'm on the opposite side of the world. I contain information. You can ask me about it, which we'll call querying. That's right. I'm a database.

But I've never yet found myself listed in any of your analyses around various database options. So, what is your definition of databases these days? Where do they start and stop?

Tony: Oh, gosh.

Corey: Because anything can be a database if you hold it wrong.

Tony: [laugh]. I think one of the last things I've ever been called is conservative and stodgy, so this is certainly a way to basically put the thumbtack on my chair.

Corey: Exactly. I'm trying to normalize my own brand of lunacy, so we'll see how it goes.

Tony: Exactly because that's the role I normally play with my clients. So, now the shoe is on the other foot. 
What I view a database is, is basically a managed collection of data, and it's managed to the point where essentially, a database should be transactional—in other words, when I basically put some data in, I should have some positive information, I should hopefully, depending on the type of database, have some sort of guidelines or schema or model for how I structure the data. So, I mean, database, you know, even though you keep hearing about unstructured data, the fact is—

Corey: Schemaless databases and data stores. Yeah, it was all the rage for a few years.

Tony: Yeah, except that they all have schemas, just that those schemaless databases just have very variable schema. They're still schema.

Corey: A question that I have is you obviously think deeply about these things, which should not come as a surprise to anyone. It's like, "Well, this is where I spend my entire career. Imagine that. I might think about the problem space a little bit." But you have, to my understanding, never worked with databases in anger yourself. You don't have a history as a DBA or as an engineer—

Tony: No.

Corey: —but what I find very odd is that unlike a whole bunch of other analysts that I'm not going to name, but people know who I'm talking about regardless, you bring actual insights into this that I find useful and compelling, instead of reverting to the mean of well, I don't actually understand how any of these things work in reality, so I'm just going to believe whoever sounds the most confident when I ask a bunch of people about these things. Are you just asking the right people who also happen to sound confident? But how do you get away from that very common analyst trap?

Tony: Well, a couple of things. One is I purposely play the role of outside observer. In other words, like, the idea is that if basically an idea is supposed to stand on its own legs, it has to make sense. If I've been working inside the industry, I might take too many things for granted. 
And a good example of this goes back, actually, to my early days—actually this goes back to my freshman year in college where I was taking an organic chem course for non-majors, and it was taught as a logic course not as a memorization course.

And we were given the option at the end of the term to either, basically, take a final or do a paper. So, of course, me being a writer I thought, I can BS my way through this. But what I found—and this is what fascinated me—is that as long as certain technical terms were defined for me, I found a logic to the way things work. And so, that really informs how I approach databases, how I approach technology today is I look at the logic on how things work. That being said, in order for me to understand that, I need to know twice as much as the next guy in order to be able to speak that because I just don't do this in my sleep.

Corey: That goes a big step toward, I guess, addressing a lot of these things, but it also feels like—and maybe this is just me paying closer attention—that the world of databases and data and analytics have really coalesced or emerged in a very different way over the past decade-ish. It used to be, at least from my perspective, that oh, that the actual, all the data we store, that's a storage admin problem. And that was about managing NetApps and SANs and the rest. And then you had the database side of it, which functionally from the storage side of the world was just a big file or series of files that are the backing store for the database. And okay, there's not a lot of cross-communication going on there.

Then with the rise of object store, it started being a little bit different. And even the way that everyone is talking about getting meaning from data has really seem to be evolving at an incredibly intense clip lately. Is that an accurate perception, or have I just been asleep at the wheel for a while and finally woke up?

Tony: No, I think you're onto something there. 
And the reason is that, one, data is touching us all around ourselves, and the fact is, I mean, I'm you can see it in the same way that all of a sudden that people know how to spell AI. They may not know what it means, but the thing is, there is an awareness the data that we work with, the data that is about us, it follows us, and with the cloud, this data has—well, I should say not just with the cloud but with smart mobile devices—we'll blame that—we are all each founts of data, and rich founts of data. And people in all walks of life, not just in the industry, are now becoming aware of it and there's a lot of concern about can we have any control, any ownership over the data that should be ours? So, I think that phenomenon has also happened in the enterprise, where essentially we used to think that the data was the DBAs' issue, it's become the app developers' issue, it's become the business analysts' issue. Because the answers that we get, we're ultimately accountable for. It all comes from the data.

Corey: It also feels like there's this idea of databases themselves becoming more contextually aware of the data contained within them. Originally, this used to be in the realm of, "Oh, we know what's been accessed recently and we can tier out where it lives for storage optimization purposes." Okay, great, but what I'm seeing now almost seems to be a sense of, people like to talk about pouring ML into their database offerings. And I'm not able to tell whether that is something that adds actual value, or if it's marketing-ware.

Tony: Okay. First off, let me kind of spill a couple of things. First of all, it's not a question of the database becoming aware. A database is not sentient.

Corey: Neither are some engineers, but that's neither here nor there.

Tony: That would be true, but then again, I don't want anyone with shotguns lining up at my door after this—

Corey: [laugh].

Tony: —after this interview is published. 
But [laugh] more of the point, though, is that I can see a couple roles for machine learning in databases. One is a database itself, the logs, are an incredible font of data, of operational data. And you can look at trends in terms of when this—when the pattern of these logs goes this way, that is likely to happen. So, the thing is that I could very easily say we're already seeing it: machine learning being used to help optimize the operation of databases, if you're Oracle, and say, "Hey, we can have a database that runs itself."

The other side of the coin is being able to run your own machine-learning models in database as opposed to having to go out into a separate cluster and move the data, and that's becoming more and more of a checkbox feature. However, that's going to be for essentially, probably, like, the low-hanging fruit, like the 80/20 rule. It'll be like the 20% of an ana—of relatively rudimentary, you know, let's say, predictive analyses that we can do inside the database. If you're going to be doing something more ambitious, such as a, you know, a large language model, you probably do not want to run that in database itself. So, there's a difference there.

Corey: One would hope. I mean, one of the inappropriate uses of technology that I go for all the time is finding ways to—as directed or otherwise—in off-label uses find ways of tricking different services into running containers for me. It's kind of a problem; this is probably why everyone is very grateful I no longer write production code for anyone.

But it does seem that there's been an awful lot of noise lately. I'm lazy. I take shortcuts very often, and one of those is that whenever AWS talks about something extensively through multiple marketing cycles, it becomes usually a pretty good indicator that they're on their back foot on that area. 
And for a long time, they were doing that about data and how it's very important to gather data, it unlocks the key to your business, but it always felt a little hollow-slash-hypocritical to me because you're going to some of the same events that I have that AWS throws on. You notice how you have to fill out the exact same form with a whole bunch of mandatory fields every single time, but there never seems to be anything that gets spat back out to you that demonstrates that any human or system has ever read—

Tony: Right.

Corey: Any of that? It's basically a, "Do what we say, not what we do," style of story. And I always found that to be a little bit disingenuous.

Tony: I don't want to just harp on AWS here. Of course, we can always talk about the two-pizza box rule and the fact that you have lots of small teams there, but I'd rather generalize this. And I think you really—what you're just describing has been my trip through the healthcare system. I had some sports-related injuries this summer, so I've been through a couple of surgeries to repair sports injuries. And it's amazing that every time you go to the doctor's office, you're filling in the same HIPAA information over and over again, even with healthcare systems that use the same electronic health records software. So, it's more a function of that it's not just that the technologies are siloed, it's that the organizations are siloed. That's what you're saying.

Corey: That is fair. And I think at some level—I don't know if this is a weird extension of Conway's Law or whatnot—but these things all have different backing stores as far as data goes. And there's a—the hard part, it seems, in a lot of companies once they hit a certain point of maturity is not just getting the data in—because they've already done that to some extent—but it's also then making it actionable and helping various data stores internal to the company reconcile with one another and start surfacing things that are useful. 
It increasingly feels like it's less of a technology problem and more of a people problem.

Tony: It is. I mean, put it this way, I spent a lot of time last year, I burned a lot of brain cells working on data fabrics, which is an idea that's in the idea of the beholder. But the ideal of a data fabric is that it's not the tool that necessarily governs your data or secures your data or moves your data or transforms your data, but it's supposed to be the master orchestrator that brings all that stuff together. And maybe sometime 50 years in the future, we might see that.

I think the problem here is both technical and organizational. [unintelligible 00:11:58] a promise, you have all these what we used to call island silos. We still call them silos or islands of information. And actually, ironically, even though in the cloud we have technologies where we can integrate this, the cloud has actually exacerbated this issue because there's so many islands of information, you know, coming up, and there's so many different little parts of the organization that have their hands on that. That's also a large part of why there's such a big discussion about, for instance, data mesh last year: everybody is concerned about owning their own little piece of the pie, and there's a lot of question in terms of how do we get some consistency there? How do we all read from the same sheet of music? That's going to be an ongoing problem. You and I are going to get very old before that ever gets solved.

Corey: Yeah, there are certain things that I am content to die knowing that they will not get solved. If they ever get solved, I will not live to see it, and there's a certain comfort in that, on some level.

Tony: Yeah.

Corey: But it feels like this stuff is also getting more and more complicated than it used to be, and terms aren't being used in quite the same way as they once were. 
Something that a number of companies have been saying for a while now has been that customers overwhelmingly are preferring open-source. Open source is important to them when it comes to their database selection. And I feel like that's a conflation of a couple of things. I've never yet found an ideological, purity-driven customer decision around that sort of thing.

What they care about is, are there multiple vendors who can provide this thing so I'm not going to be using a commercially licensed database that can arbitrarily start playing games with seat licenses and wind up distorting my cost structure massively with very little notice. Does that align with your—

Tony: Yeah.

Corey: Understanding of what people are talking about when they say that, or am I missing something fundamental? Which is again, always possible?

Tony: No, I think you're onto something there. Open-source is a whole other can of worms, and I've burned many, many brain cells over this one as well. And today, you're seeing a lot of pieces about the, you know, the—that are basically giving eulogies for open-source. It's—you know, like HashiCorp just finally changed its license and a bunch of others have in the database world. What open-source has meant is been—and I think for practitioners, for DBAs and developers—here's a platform that's been implemented by many different vendors, which means my skills are portable.

And so, I think that's really been the key to why, for instance, like, you know, MySQL and especially PostgreSQL have really exploded, you know, in popularity. Especially Postgres, you know, of late. And it's like, you look at Postgres, it's a very unglamorous database. If you're talking about stodgy, it was born to be stodgy because they wanted to be an adult database from the start. 
They weren't the LAMP stack like MySQL.

And the secret of success with Postgres was that it had a very permissive open-source license, which meant that as long as you don't hold University of California at Berkeley liable, have at it, kids. And so, you see, like, a lot of different flavors of Postgres out there, which means that a lot of customers are attracted to that because if I get up to speed on this Postgres—on one Postgres database, my skills should be transferable, should be portable to another. So, I think that's a lot of what's happening there.

Corey: Well, I do want to call that out in particular because when I was coming up in the naughts, the mid-2000s decade, the lingua franca on everything I used was MySQL, or as I insist on mispronouncing it, my-squeal. And lately, in the same vein, Postgres-squeal seems to have taken over the entire universe, when it comes to the de facto database of choice. And I'm old and grumpy and learning new things is always challenging, so I don't understand a lot of the ways that thing gets managed from the context coming from where I did before, but what has driven the massive growth of mindshare among the Postgres-squeal set?

Tony: Well, I think it's a matter of it's 30 years old and it's—number one, Postgres always positioned itself as an Oracle alternative. And the early years, you know, this is a new database, how are you going to be able to match, at that point, Oracle had about a 15-year head start on it. And so, it was a gradual climb to respectability. And I have huge respect for Oracle, don't get me wrong on that, but you take a look at Postgres today and they have basically filled in a lot of the blanks.

And so, it now is a very cre—in many cases, it's a credible alternative to Oracle. Can it do all the things Oracle can do? No. But for a lot of organizations, it's the 80/20 rule. And so, I think it's more just a matter of, like, Postgres coming of age. 
And the fact is, as a result of it coming of age, there's a huge marketplace out there and so much choice, and so much opportunity for skills portability. So, it's really one of those things where its time has come.

Corey: I think that a lot of my own biases are simply a product of the era in which I learned how a lot of these things work on. I am terrible at Node, for example, but I would be hard-pressed not to suggest JavaScript as the default language that people should pick up if they're just entering tech today. It does front-end, it does back-end—

Tony: Sure.

Corey: —it even makes fries, apparently. There's a—that is the lingua franca of the modern internet in a bunch of different ways. That doesn't mean I'm any good at it, and it doesn't mean at this stage, I'm likely to improve massively at it, but it is the right move, even if it is inconvenient for me personally.

Tony: Right. Right. Put it this way, we've seen—and as I said, I'm not an expert in programming languages, but we've seen a huge profusion of programming languages and frameworks. But the fact is that there's always been a draw towards critical mass. At the turn of the millennium, we thought it was between Java and .NET. Little did we know that basically JavaScript—which at that point was just a web scripting language—[laugh] we didn't know that it could work on the server; we thought it was just a client. Who knew?

Corey: That's like using something inappropriately as a database. I mean, good heavens.

Tony: [laugh]. That would be true. I mean, when I could have, you know, easily just used a spreadsheet or something like that. But so, I mean, who knew? I mean, just like for instance, Java itself was originally conceived for a set-top box. You never know how this stuff is going to turn out. It's the same thing that happened with Python. Python was also a web scripting language. Oh, by the way, it happens to be really powerful and flexible for data science. 
And whoa, you know, now Python—in terms of data science languages—has become the new SaaS.

Corey: It really took over in a bunch of different ways. Before that, Perl was great, and I go, “Why would I use—why write in Python when Perl is available?” It's like, “Okay, you know how to write Perl, right?” “Yeah.” “Have you ever read anything a month later?” “Oh…” It's very much a write-only language. It is inscrutable after the fact. And Python at least makes that a lot more approachable, which is never a bad thing.

Tony: Yeah.

Corey: Speaking of what you touched on toward the beginning of this episode, the idea of databases not being sentient, which I equate to being self-aware, you just came out very recently with a report on generative AI and a trip that you wound up taking on this. Which I've read; I love it. In fact, we've both been independently using the phrase [unintelligible 00:19:09] to, “English is the new most common programming language once a lot of this stuff takes off.” But what have you seen? What have you witnessed as far as both the ground truth reality as well as the grandiose statements that companies are making as they trip over themselves trying to position as the forefront leader in all of this thing that didn't really exist five months ago?

Tony: Well, what's funny is—and that's a perfect question because if on January 1st you asked, “What's going to happen this year?” I don't think any of us would have thought about generative AI or large language models. And I will not identify the vendors, but I was on some advanced briefing calls back around the January, February timeframe. They were talking about things like serverless, they were talking about in-database machine learning, and so on and so forth. They weren't saying anything about generative.

And all of a sudden, April, it changed. And it's essentially just another case of the tail wagging the dog. Consumers were flocking to ChatGPT and enterprises had to take notice.
And so, what I saw in the spring was—and I was at a conference from SaaS, I'm [unintelligible 00:20:21] SAP, Oracle, IBM, Mongo, Snowflake, Databricks, and others—that they all very quickly changed their tune to talk about generative AI. What we were seeing was, for the most part, position statements, but we also saw, I think, the early emphasis was, as you say, it's basically English as the new default programming language or API, so basically, coding assistance, what I'll call conversational query.

I don't want to call it natural language query because we had stuff like Tableau Ask Data, which was very robotic. So, we're seeing a lot of that. And we're also seeing a lot of attention towards foundation models because, I mean, what organization is going to have the resources of a Google or an OpenAI to develop their own foundation model? Yes, some of the Wall Street houses might, but I think most of them are just going to say, “Look, let's just use this as a starting point.”

I also saw a very big theme of “your models with your data.” And where I got a hint of that—it was a throwaway LinkedIn post. It was back in, I think, like, February, Databricks had announced Dolly, which was kind of an experimental foundation model, just to use with your own data. And I just wrote three lines in a LinkedIn post, it was on Friday afternoon. By Monday, it had 65,000 hits.

I've never seen anything—I mean, yes, I had a lot—I used to say ‘data mesh' last year, and it would—but didn't get anywhere near that. So, I mean, that really hit a nerve. And other things that I saw was, you know, starting to look at vector storage and how that was going to be supported: was it going to be a new type of database, and hey, let's have AWS come up with, like, an, you know, an [ADF 00:21:41] database here, or is this going to be a feature? I think for the most part, it's going to be a feature.
And of course, under all this, everybody's just falling in love, falling all over themselves to get in the good graces of Nvidia. In capsule, that's kind of like what I saw.

Corey: That feels directionally accurate. And I think databases are a great area to point out one thing that's always been a little disconcerting for me. The way that I've always viewed databases has been, unless I'm calling a RAND function or something like it and I don't change the underlying data structure, I should be able to run a query twice in a row and receive the same result deterministically both times.

Tony: Mm-hm.

Corey: Generative AI is effectively non-deterministic for all realistic measures of that term. Yes, I'm sure there's a deterministic reason things are the way they are under the hood. I am not smart enough or learned enough to get there. But it just feels like sometimes we're going to give you the answer you think you're going to get, sometimes we're going to give you a different answer. And sometimes, in generative AI space, we're going to be supremely confident and also completely wrong. That feels dangerous to me.

Tony: [laugh]. Oh gosh, yes. I mean, I take a look at ChatGPT and to me, the responses are essentially, it's a high school senior coming out with an essay response without any footnotes. It's the exact opposite of an ACID database. The reason why we're very—in the database world, we're very strongly drawn towards ACID is because we want our data to be consistent and to get—if we ask the same query, we're going to get the same answer.

And the problem is that with generative, you know, based on large language models, computers sound sentient, but they're not. Large language models are basically just a series of probabilities, and so hopefully those probabilities will line up and you'll get something similar. That, to me, kind of scares me quite a bit.
And I think as we start to look at implementing this in an enterprise setting, we need to take a look at what kind of guardrails we can put on there. And the thing is, what this led me to was that the missing piece that I saw this spring with generative AI, at least in the data and analytics world, is nobody had a clue in terms of how to extend AI governance to this, how to make these models explainable. And I think that's still—that's a large problem. That's a huge nut that it's going to take the industry a while to crack.

Corey: Yeah, but it's incredibly important that it does get cracked.

Tony: Oh, gosh, yes.

Corey: One last topic that I want to get into. I know you said you don't want to over-index on AWS, which, fair enough. It is where I spend the bulk of my professional time and energy—

Tony: [laugh].

Corey: —focusing on, but I think this one's fair because it is a microcosm of a broader industry question. And that is, I don't know what the DBA job of the future is going to look like, but increasingly, it feels like it's going to primarily be picking which purpose-built AWS database—or larger [story 00:24:56] purpose database is appropriate for a given workload. Even without my inappropriate misuse of things that are not databases as databases, there are legitimately 15 or 16 different AWS services that they position as database offerings. And it really feels like you're spiraling down a well of analysis paralysis, trying to pick between all these things. Do you think the future looks more like general-purpose databases, or very purpose-built and each one is this beautiful, bespoke unicorn?

Tony: [laugh]. Well, this is basically a hit on a theme that I've been—you know, we've all been thinking about for years. And the thing is, there are arguments to be made for multi-model databases, you know, versus a for-purpose database. That being said, okay, two things.
One is that what I've been saying, in general, is that—and I wrote about this way, way back; I actually did a talk at the [unintelligible 00:25:50]; it was a throwaway talk, or [unintelligible 00:25:52] one of those conferences—I threw it together and it's basically looking at the emergence of all these specialized databases.

But how I saw it, also, there's going to be kind of an overlapping. Not that we're going to come back to Pangea per se, but that, for instance, like, a relational database will be able to support JSON. And Oracle, for instance, does have some fairly brilliant ideas up its sleeve, what they call a JSON duality, which sounds kind of scary, which basically says, “We can store data relationally, but superimpose GraphQL on top of all of this and this is going to look really JSON-y.” So, I think on one hand, you are going to be seeing databases that do overlap. Would I use Oracle for a MongoDB use case? No, but would I use Oracle for a case where I might have some document data? I could certainly see that.

The other point, though, and this is really one I want to hammer on here—it's kind of a major concern I've had—is I think the cloud vendors, for all their talk that they give you operational simplicity and agility, are making things very complex with their expanding cornucopia of services. And what they need to do—I'm not saying, you know, let's close down the patent office—what I think we need to do is provide some guided experiences that say, “Tell us the use case. We will now blend these particular services together and this is the package that we would suggest.” I think cloud vendors really need to go back to the drawing board from that standpoint and look at, how do we bring this all together? How do we really simplify the life of the customer?

Corey: That is, honestly, I think the biggest challenge that the cloud providers have across the board. There are hundreds of services available at this point from every hyperscaler out there.
And some of them are brand new and effectively feel like they're there for three or four different customers and that's about it, and others are universal services that most people are probably going to use. And most things fall in between those two extremes, but it becomes such an analysis paralysis moment of trying to figure out, what do I do here? What is the golden path?

And what that means is that when you start talking to other people and asking their opinion and getting their guidance on how to do something when you get stuck, it's, “Oh, you're using that service? Don't do it. Use this other thing instead.” And if you listen to that, you get midway through every problem for them to start over again because, “Oh, I'm going to pick a different selection of underlying components.” It becomes confusing and complicated, and I think it does customers largely a disservice. What I think we really need, on some level, is a simplified golden path with easy on-ramps and easy off-ramps where, in the absence of a compelling reason, this is what you should be using.

Tony: Believe it or not, I think this would be a golden case for machine learning.

Corey: [laugh].

Tony: No, but submit to us the characteristics of your workload, and here's a recipe that we would propose. Obviously, we can't trust AI to make our decisions for us, but it can provide some guardrails.

Corey: “Yeah. Use a graph database. Trust me, it'll be fine.” That's your general-purpose—

Tony: [laugh].

Corey: —approach. Yeah, that'll end well.

Tony: [laugh]. I would hope that the AI would basically be trained on a better set of training data to not come out with that conclusion.

Corey: One could sure hope.

Tony: Yeah, exactly.

Corey: I really want to thank you for taking the time to catch up with me around what you're doing. If people want to learn more, where's the best place for them to find you?

Tony: My website is dbinsight.io. And on my homepage, I list my latest research.
So, you just have to go to the homepage where you can basically click on the links to the latest and greatest. And I will, as I said, after Labor Day, I'll be publishing my take on my generative AI journey from the spring.

Corey: And we will, of course, put links to this in the [show notes 00:29:39]. Thank you so much for your time. I appreciate it.

Tony: Hey, it's been a pleasure, Corey. Good seeing you again.

Corey: Tony Baer, principal at dbInsight. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an angry, insulting comment that we will eventually stitch together with all those different platforms to create—that's right—a large-scale distributed database.

Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Jeff Williams of Contrast Security joins Chris and Robert on the Application Security Podcast to discuss runtime security, emphasizing the significance of Interactive Application Security Testing (IAST) in the modern DevOps landscape. After reflecting on the history of OWASP, the conversation turns to the challenges organizations face in managing their application security (AppSec) backlogs. Jeff highlights the alarming number of unresolved issues that often pile up, pointing to the inefficiencies of traditional security tools.

Jeff champions IAST, and here are a few highlights that he shares. IAST is ideally suited for DevOps because it turns the regular test cases an application already has into security tests. IAST can provide instant feedback, which Jeff says has led to a Mean Time To Repair (MTTR) of just three days across numerous applications. Unlike Static Application Security Testing (SAST) or Dynamic Application Security Testing (DAST), which can take hours or even days, IAST can complete security testing during the build, fitting within the tight SLAs of modern pipelines.

IAST offers developers comprehensive insights, which aid in a better understanding and quicker resolution of the identified issues. It is also adaptable, as IAST can detect vulnerabilities before they are exploited. Jeff argues that IAST's ability to work with existing test cases and provide rapid feedback makes it a perfect fit for the fast-paced DevOps environment.

Jeff emphasizes that while runtime security can be a game-changer, it doesn't replace other essential aspects of AppSec programs, such as training. In conclusion, Jeff Williams champions IAST as a revolutionary tool in the application security domain.
Its adaptability, efficiency, and depth of insights make it a must-have in the toolkit of modern developers and security professionals.

Links:
Jeff on LinkedIn: https://www.linkedin.com/in/planetlevel/
Java Observability Toolkit (JOT): https://github.com/planetlevel/jot
Identified by John Wilander: https://www.amazon.com/IDENTIFIED-hacker-thriller-headlines-newspapers/dp/B09NRF399J
Venture in Security article about circle stickers: https://ventureinsecurity.net/p/solving-the-circle-sticker-problem
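To make concrete what the show notes mean by IAST turning regular test cases into security tests, here is a small Python sketch added for this page. It is not Contrast's agent and not code from the episode; the agent, the connection proxy, the two lookup functions and the sample users table are all constructed for the illustration. The point it shows: the agent hooks a source (a value standing in for a request parameter) and a sink (SQL execution), then an unchanged functional test suite runs, and any source value found spliced into query text is reported with the offending query and a remediation hint, while the parameterized variant of the same lookup produces no finding.

```python
"""Toy IAST-style agent (added illustration; not Contrast's agent or the
podcast's own code). It hooks a SQL execution sink, records values that
arrive from an untrusted source, and reports whenever such a value is found
spliced into query text while an ordinary functional test suite runs."""
import sqlite3
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str
    sql: str
    source_value: str
    hint: str


@dataclass
class Agent:
    """Taint records and findings gathered during one test run."""
    findings: list = field(default_factory=list)
    _sources: list = field(default_factory=list)

    def source(self, value: str) -> str:
        # Source hook: anything entering here is untrusted (request parameter,
        # header, ...). A real agent propagates taint through string operations;
        # this toy simply remembers the raw value and looks for it at the sink.
        self._sources.append(value)
        return value

    def check_sql_sink(self, sql: str, params) -> None:
        # Sink hook, same shape as execute(). A tainted value appearing verbatim
        # in the query text means it was concatenated in; a value bound through
        # `params` never reaches the text, so the safe path is not reported.
        for value in self._sources:
            if len(value) >= 3 and value in sql:  # short values would false-positive
                self.findings.append(Finding(
                    rule="sql-injection",
                    sql=sql,
                    source_value=value,
                    hint="bind the value as a query parameter instead of concatenating it",
                ))


class InstrumentedConnection:
    """Proxy around sqlite3.Connection that routes execute() through the sink
    hook. sqlite3.Cursor is a C type and cannot be monkeypatched, so a wrapper
    stands in for the bytecode instrumentation a real agent performs."""

    def __init__(self, conn: sqlite3.Connection, agent: Agent):
        self._conn = conn
        self._agent = agent

    def execute(self, sql: str, params=()):
        self._agent.check_sql_sink(sql, params)
        return self._conn.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._conn, name)


# --- application code under test (constructed for this example) ---

def init_db(conn: sqlite3.Connection) -> None:
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user')")


def lookup_role_vulnerable(conn, name: str):
    # String-built query: the classic injection sink.
    return conn.execute("SELECT role FROM users WHERE name = '" + name + "'").fetchall()


def lookup_role_safe(conn, name: str):
    # Parameterized query: the value never touches the SQL text.
    return conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchall()


def run_functional_tests() -> list:
    """An ordinary functional suite: it only asserts that lookups return the
    right role. With the agent attached, the same run also yields findings."""
    agent = Agent()
    raw = sqlite3.connect(":memory:")
    init_db(raw)
    conn = InstrumentedConnection(raw, agent)

    name = agent.source("alice")  # stands in for a request parameter
    assert lookup_role_vulnerable(conn, name) == [("admin",)]
    assert lookup_role_safe(conn, name) == [("admin",)]
    return agent.findings


if __name__ == "__main__":
    for f in run_functional_tests():
        print(f"[{f.rule}] {f.sql!r} <- source {f.source_value!r}; {f.hint}")
```

The functional test never mentions injection; it checks that both lookups return the admin role, exactly as a developer's existing test would. The finding comes out of the same run because the sink hook saw the source value inside the query text of the concatenated variant and not inside the parameterized one. Real agents differ in one important way: they track taint through string operations rather than matching raw values, which is what keeps them from the short-value false positives the toy has to guard against with a length check.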