Open Source and the Enterprise

How familiar are you with Open Source software and projects? Are they viable? Are they even safe to use? Host Mark Fuentes helps us get the answers to these questions and learns why some proprietary software companies choose to go the Open Source route from Harish Pillay, Head of Community Architecture and Leadership at Red Hat Asia Pacific.

Tune in to this episode of Ask A CISO to hear:

  • Is Red Hat Enterprise Linux (RHEL) Open Source? Why then is it called Enterprise Linux?
  • Red Hat’s business model
  • The role of the Open Source Program Office (OSPO) at Red Hat
  • Open Source and Startups
  • Doing the right things, and doing the right things right
  • The Red Hat WHY
  • The importance of going multi-cloud
  • The perennial question: Is Open Source secure?

About The Guest: Harish Pillay

Harish Pillay heads up the Open Source Program Office APAC for Red Hat Asia Pacific in Singapore, where he has worked for the past 19 years in many different roles.

He is a recognized thought leader in the use, development, and deployment of the internet and the technologies that support it.

Besides his role at Red Hat, Harish is also very active in the local IT scene. He is the current Deputy Chairman of the Singapore IT Standards Committee, which he has been a part of for more than two decades.

Harish received his graduate education from Oregon State University and returned to Singapore in 1991 after spending some years in the US. In 1996, Harish ran the very first APRICOT conference together with a small group of collaborators. Today, the APRICOT conference continues to help educate engineers, network operators, and policymakers around the Asia Pacific.

As a firm believer that enabling customers and societies at large with Open Source tools brings forth significant benefits, Harish is also an educator and mentor to technology startups, especially with solutions built using Open Source technologies.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Mark

All right. Welcome again, to another episode of Ask A CISO podcast brought to you by Horangi Cyber Security, helping your organization navigate the choppy waters of cybersecurity and get to where you need to go. Today I have a great guest with me. I have Harish Pillay, and he's here to talk to us about a myriad of things all under the umbrella of technology.

Harish heads up the Open Source Program Office APAC for Red Hat Asia Pacific in Singapore, where he's worked for the past 20, 19 years, almost 20. You're recognized as a thought leader in the use, development, and deployment of the Internet and technologies that support it. Besides this role at Red Hat, Harish is also very active in the local IT scene.

He's the current Deputy Chairman of the Singapore IT Standards committee, which has been a part of, which you've been a part of for more than two decades. Harish also received his graduate education from the Oregon State University and returned to Singapore in 1991, after spending a couple years in the US.

In 1996, Harish ran the very first APRICOT conference together with a small group of collaborators, and today the APRICOT conference continues to help educate engineers, network operators, and policy makers around the Asia Pacific. As a firm believer that enabling customers and societies at large with Open Source tools will bring forth significant benefits, Harish is also an educator and mentor to technology startups, especially with solutions built using Open Source technologies.

So yeah, Linux, Red Hat, these things scream Open Source. Of course, some of the younger folks they don't remember when Red Hat was Open Source

Harish

It is still Open Source.

Mark

Oh, right. Oh, so I heard there was you guys did big things in the enterprise now, right?

Harish

Yeah. Enterprise doesn't mean it's not Open Source.

Mark

Well, speak a little bit more about that then.

Harish

Sure.

Mark

What's the difference there for the viewers on the …?

Harish

Okay. The, the principle behind, the business model for Red Hat, just to, to pin, pin that down. Business model for Red Hat is a, it's selling a subscription. We sell subscriptions to customers.

And what do the customers get from the subscription? An accountability from us. They get the support, the certification, all the needed stuff to run an enterprise environment. Now, if they don't have a subscription with us, it is still the same thing, but then they're on your own, you know, you

Mark

Okay.

Harish

Yeah. If you break it, you keep all the pieces.

But if you have a subscription with us, then if you break it, we will help you to put them together or do what's needed to make sure things are working just fine.

Mark

You know, that's funny to me. I've gone my entire career actually thinking there was that hard line

Harish

There isn't a hard line. No, there is …

Mark

hard line to support the word support, right?

Like so I've worked for a lot of enterprises that say, okay, we don't use Open Source, solutions because there is no support. But as you say, that's, there's actually no line.

Harish

So, so, you know, so if, if we, if you peel back the layers and have a look at what it is, and I know probably the understanding is probably incomplete from a lot of individuals and organizations perspective.

Maybe I, I can use this opportunity to clarify and say these things, right? So like for example, Red Hat as an example, right? So Red Hat was established in 1993. At that time, you know, as you, some of you may remember, you know, the web was just not there. Okay, so the web was not there. So it was later 1993 when Tim Berners-Lee got it launched and blah, blah, blah.

And so the thing about it was the early years the, the code was available and you had to download it and do it yourself. Red Hat was providing a “service” at that time by downloading it and making into a CD and then, or, or floppy disks those days, right? And you buy it and you do whatever you want. Now, if you deploy that, [00:04:00] the stuff that was provided by under the Red Hat label.

You pay $50 for the CD maybe. And that's it. And you are on your own, right? And that's how the early years of Red Hat was because we really had no idea how to make money out of this, right? So it was, so we got listed in 1999 at that time was NASDAQ and subsequently it was moved to New York Stock Exchange.

But when we got listed, made a lot of money from the listing, I think 600 million or so, hundred billion or whatever, but, but, but it was not a profitable business because we did not know how to make money out of these things, right?

So there was not until 2002, when we were speaking to many organizations, primarily banks and financial institutions who were running the downloaded versions, or the ones that you buy for $50 on a CD in their data centers, they were, whatever they were running it for, right? Databases and so on. So the trouble that they were facing with was they needed accountability for all of these things that was running because it's doing the job, it was doing the job, but how do I get as an enterprise you need accountability?

So, in the conversation, you know, Red Hat teams in North America, primarily with the banks in, in Wall Street and in Germany and all that. So they came up with a model, say, you know, what if you pay us a certain amount of money per year, like a subscription. In return, we give you the needed support of accountability, updates, patches, blah, blah, blah, and so on and so forth.

Mark

And is that what we understand today as RHEL?

Harish

That's correct.

That's when the transition happened. It went from Red Hat Linux to Red Hat Enterprise Linux, which came with a subscription.

So the subscription is a business model. Open Source is the software development model. That's how we develop software. Be it in the open, we develop everything. We take the Open Source projects. We turn into Open Source products. It's exactly the same thing, but the productization, we may put additional work into it, whatever needed to be done.

And if there's bug fixes, security fixes, and all that, that's fed back to the project. We don't keep it separate. We keep it, feed it back up.

Mark

Is there any sort of lag between that?

Harish

No, you, we walk upstream first. So if we see that RHEL has an issue, then we check what is the same? What's the similar issue upstream.

What is it? What is, is there a problem there? So we get it fixed. We get it fixed here as well. And that way we get it through. So now we don't, we try to not have too much of a variation because when you have a variation, you need to a whole series of engineering support for customers because all of these products are supported for 10 years.

You wanna support and give accountability to customers for 10 years as a lot of, lot of investment in people and resources and so on, especially you wanna keep things separate. It's not, it's very, very difficult to do. I mean, you ask the, the, the proprietary guys, they face this all the time, so we didn't want …

We don't wanna deal with that. So we say let's be [00:07:00] clever about it. We can really circle because at the end of the day, what you need is accountability as a customer.

Mark

Exactly.

Harish

And that's what we try to offer.

Mark

That's why I would end up working in a lot of shops that would shy away from a lot of, like we said, we would shy away from the word Open Source. We would just …

Harish

But, reality is they are running Open Source. They may not even know about it because I had many conversations. I had many, many, many, many conversations, many CIOs in Asia Pacific. When we talk about one of the first few questions in the conversation, maybe how much Open Source are you using? The answer is no, we don't, we don't use it.

Then it, you do, you do use it. You don't know about it. Then they go back and check and true enough, come and say, yeah, actually we do, but we have a subscription. Exactly. So it, it, it is kind of connected at the same time. You have, it's not,

Mark

You're running Open Source, you're running an Open Source solution with support …

Harish

With support, with accountability.

Mark

With accountability.

Harish

That's really what it is. It's about accountability.

Mark

That's definitely. And that was always the crux, right? Yeah. Like that's the very reason why [00:08:00] people have that notion in their mind.

Harish

That's right. That's right.

Mark

And I confessed I've been operating under that assumption this whole time. Yeah.

Harish

Well, I mean, it's, uh, it's great. Learned something to, we got you to, to understand a little bit better.

Mark

Yeah, no, no, definitely. I do appreciate it. I do appreciate it. That's a great way to start. And you've been working with Red Hat for 19 years, right?

Harish

Yeah, this is my 19th year. So it's …

Mark

Was it always, was it always in this department?

Harish

No. Well, OSPO is very, very, very new. I mean, I've done many, many roles within Red Hat. Uh, you know, as, as obviously there's so many things to do and we are growing as an organization, so opportunities are constantly unfolding.

So to me, you know, it's like, I have been maybe in five different jobs as it were over the last 19 years. Yeah. It's the same, same enterprise, same entity, but it's different roles to play and you know, so, so it's been fun.

Mark

Your move, your move to OSPO, right? Was this something, was it a push or a pull?

Was it like, you really wanted to move into this role that [00:09:00] you are now? Or was it something that someone said, Hey, we need someone to run this?

Harish

Well, it's a combination of both because we didn't have an OSPO at that point in time. Okay, we, we have, okay, there's a bit of a story behind it as well because the, the, the notion of an Open Source Program Office is not necessary for Red Hat because we are by default Open Source; we don't need it, but, but, the challenge we faced many times was when we are at events, conferences and some stuff like that, there will be all these people. Exactly. There will be people, yourself. Yes. And other organizations that have an OSPO, and who are these organizations?

These proprietary software companies. Some of our partners, like they may be motor vehicle or automotive industry. They may be in the media industry. They could be wherever and because they're using software anyway, so they may have the software that they are creating for themselves that they may want to look at how to collaborate within an Open Source manner and so on and so forth.

So they may craft a kind of a program that [00:10:00] does Open Source making things work internally well, right? So a lot of the ideas behind OSPO came from the early years. It actually in, historically, came from Sun, Sun Microsystems, although Sun doesn't claim that because they're not here anymore, but they had the notion of a group within the organization to help with Open Source stuff.

But over the years, then the bigger, the more popular or more well-known ones from Google. Google's Open Source Office was actually the more pop, more well-known OSPO there is. And that idea has then propagated to many, many other organizations, almost every, you know, even interestingly Microsoft has OSPO, which is great.

So they realize that this is no longer a cancer. This is no longer a, a communist of operating system or, or a bad way to do business. But OSPO, as, from a point we was kind of like, we don't need it because we already buddy for Open anyway. But nonetheless, we created one, maybe I think, four years ago, maybe something like that.

Yeah. Uh, only to help answer that question. Do you have an OSPO? Yes, we have.

Mark

So what is the relationship between OSPO and the actual Red Hat Open Source project, the upstream project that you, you described earlier? Is it the same thing? Is it…?

Harish

Well, OSPO is a, is a, it is just like, say for example, the legal department or finance department, the sales department, for example.

So OSPO is another entity within Red Hat and we cover… So my, my group covers all of it, the rest of the world. I mean the whole world, right? So we cover the whole world in terms of what do I, so we will be in many ways you could say that we are the edge. We are the edge between the external Open Source community and all of Red Hat internally.

Okay. So we, we are, in some ways the face, the voice, the, not necessarily spokesperson only, but the face, the voice. We participate in events, we go to conferences. We may be helping to, you know, man the booth, you know, uh, giving away t-shirts for conf… you know, events and so on, sponsoring hackathons perhaps.

So we will work internally with our other stakeholders, you know, in the engineering group or the sales or marketing or partners or ISVs and stuff like that to help them to understand what we can do from an Open Source point of view and, and together. So we are like the conduit between the outside and inside, and it's a constant flow.

Mark

Okay. It's like leveraging the enterprise power

Harish

That's right, that's right.

Mark

for the project.

Harish

So these projects always priority number one. Our products that we ship to our customers are on par, but one has got a little bit of edge because this, the Open Source

Mark

cuz it's kind of the bleeding edge, right?

Harish

Well, it is where a lot of the innovation is happening, and then we take that and make it available. If the customer finds it valuable for the customer to use, then we bring it in. When I say “in” it’s a figurative in, not real in. It's a sub-proprietary in [00:13:00] any way, we just bring the ideas in and then see how best can we support our customer?

Because at the end of the day, whatever that we provide to the customer, we have to be accountable to the customer, in most cases for 10 years. So we wanna make sure that this thing is going to be around and useful and functional and blah, blah, blah, for a reasonably long period of time. Whereas the project can continue moving on. They say, Hey, you know what? I don't care about USB ports anymore. Fine. Then my customer still needs it.

So we are in that sweet spot between the outside and the inside so to speak, you know, but there is a very transparent internal process for a lot of the stuff. And this is sometimes very difficult for companies that have never engaged with the outside world because they don't understand how do you do this?

The question I get a lot of times is why do you do that? Aren't you putting yourself at a disadvantage? I, well, I will beg to differ because I don't think we are, if we were, we wouldn't be a, I think right now we are [00:14:00] somewhere like about $4 billion company in terms of a revenue so, and we are giving things away in that sense. The code is there, do whatever you want with it, but if you don't have a subscription with us, I'm sorry, Mr. Customer, I can't officially help you. Not that I won't, but I can't officially help you, so get a subscription!

Mark

And it actually reminds me in my arena, right? In the cybersecurity consulting arena, you have hackers and you have pen-testers. And then a hacker will do something and then the pen-tester will say, why would you do that?

Harish

Yeah, exactly. Exactly. And then the hacker will cause I want, yeah, because I can,

Mark

because I can. And that's essentially that, that conversation between the enterprise people and the Open Source people, right? That's they want to see if they want to push the limits and see what they can do with this. Thing's whereas you couldn't do that in an it's a all harder.

Harish

It's not impossible. It's a lot harder. It's just a lot …

Mark

Yeah. And it's, there's a lot of more, there's a lot more process that you have to go through. There's a lot [00:15:00] more, you know, consideration that you have to have. So, so, um,

Harish

Typically, typically when we talk to customers like banks and organizations that have, you know, infrastructure, they need to be accountable for, from a regulator perspective, from a whole bunch of stuff, which is completely understandable.

We know how that works, but the question here is, how can you be more agile about it? How can you be rapidly innovating to the extent that you can safely do it? The easy way to say is no, I'm not gonna do it and then nothing happens. But the way you want to do it is find the way to make that work.

Because a lot of times we have had customers who say, Hey, we have built this bunch of tools for ourselves to. Then they recognize that in order to keep that going for themselves, there's a lot of effort and investment they need to do for the long term. Many times what has happened here is they have approached us and said, Red Hat, can you take over this thing, this thing that we built internally, and can you now shepherd it, maintain it, foster it and make it grow and make it useful and so on? So some of these projects we say, yeah, that makes sense. We'll take that. So transfer across to us, and then we will start nurturing it. And it becomes an Open Source project. It also benefits that first customer who gave us the stuff and everybody else as well, including that customer's competition.

Right? So you make the entire, so it grows the whole entire ecosystem into a level where you wouldn't have connect, you wouldn't have reached by yourself.

Mark

Do you ever run into, I mean, because I think of enterprise, uh, again, I think of enterprise as business first, profit first, revenue first. Right?

And then, you know, I think of Open Source as innovation first, for the community, for the ecosystem, like you said, like you said, do you ever run into enterprise clients that are dread opposed to sharing these things like [00:17:00] in that case where they say, Hey, we have this thing, can you guys shepherd it for us?

And then you decide to feed it into the project and say, no, no, no, no. That's proprietary. That's …

Harish

So no, is that so if, no, our starting premise is, if you ask us to shepherd it, to look after it, to bring it forward, it will be open. There's no such thing as closing it up. There's no such thing, because if that is the case, we are not interested because that's a lot of effort on our side.

That's not good. That's not scalable at all. So we, we do another thing as well, right? So every now and then we see there is this particular niche in technology space that is, there are Open Source projects that answer it, that addresses it, that offers some value, but it's not as mature as existing solution by somebody else.

And if we find it interesting enough, maybe we will acquire it. We have acquired many, many companies over the last 25 years and a lot of, not a lot of them, a significant [00:18:00] percentage of them are proprietary software companies. So what do we do? This is the Red Hat promise. What we do is when we acquire a proprietary software company, we bring the technology on board.

We will then Open Source the whole thing, so we have opened, we have brought in, you know, many, many technologies, three, $400 million, $500 million acquisitions. And then we open-source it. Like, for example, there was a product called Stack, um, StackRox, S-T-A-C-K-R-O-X, which is a cloud security tool, which is a proprietary software from the get-go.

So when we bought them over, we bought the entire company and the product and the project and product they had, and now we have open-sourced it. So. It's not about holding the stuff back and keeping it proprietary because when we’ve opened it up, you get lot more people participating in it. So it becomes something that all of us can benefit.

Mark

Yeah. A hundred percent. And like, from everything you're saying, I just keep everything I keep hearing is like, I hear the Linus Torvalds’ DNA. It's for the world. Right. We're sharing it with the world. We're trying to. Move it forward. We're not trying to hoard information.

Harish

Yeah. I mean, there's some, the pushback we get sometimes is by people who say, why are we doing this?

You know, we are, we just spent $300 million buying this company and we’re giving away the source code. Yeah. Because guess what, you want to just hold it back, and then what happens when you do that? Because 300 million doesn't mean you can now run it safely, that you can scale in terms of skill sets and so on.

And so you can do up to a point and after that, what are you gonna do, right?

Mark

Right. What are you gonna do? Like you need, you need the ecosystem as much as …

Harish

So, by opening it up, we change the dynamics entirely. And when we had a, when, before we got acquired by IBM, our Board of Directors, they understand that. They completely understand the rationale, because it makes a lot of sense, ‘cuz we have proven that that works.

That's essentially what it is proven by making, making work.

Mark

That's super surprising to me actually, to hear these, to hear that that's how it happened. I [00:20:00] mean working in startups and stuff all these years, the first thing I learned working in startups was you really gotta be careful whose money you take because they might not have the same values, and probably the most rare kind of vision is Open Source.

Harish

Yeah. It's, it's not easy. It's not easy because the there's this, I mean, I, I do, you know, as a mentor for startups and all that, the challenge, you find that a lot of startups because of the way they started up, and the type of people who are advising them, a lot of them tends to be VCs and, you know, people like that, they have a notion of, I need to monetize every single bit to the maximum extent it can be, which is a fair starting point.

Then you try and then you walk down the line and say, okay, they say, oh, you know, I cannot share my ideas because if my ideas get taken by somebody else, I'm dead, to which my question, my answer to that, that statement when I, when it's made to me is: in the first place, if you have an idea and if you don't execute on the idea, it means nothing. It means zero. So if somebody else takes your idea and executes on it, that's congratulations to them, and they did well. That's success! Now, so then how do you, then I say, oh, but I'm not gonna get rewarded for that. I know. Why don't you just publish the idea, openly publish it. Make it, write example code or something, put your name there, put your organization name there and be done with it.

And then when someone takes it and says, oh yeah, the original source was from here, there you go. Now this becomes your calling card as an organization, right? Yes. But VCs don’t see it that way because they say, oh, I need to maximize every bit. Okay. Then don't take that money.

Mark

But you're exactly right. You're exactly right when, that's another thing, right? Everybody's got an idea. Everybody's got an idea, right?

Execution is key.

Harish

Execution makes a difference

Mark

And yes, it's really the difference and actually the bridge between ideation and execution is a treacherous road. So the one thing that I try to tell a lot of people with ideas who want to be founders, it's you overestimate how easy it is to have an idea. And you underestimate how hard it is to execute on that idea. And so like you said, uh, VCs don't see it that way.

Harish

Only the enlightened ones see it, only the enlightened ones see it. They recognize that there is actually a difference because the other one that the VCs would tend to throw at you is, oh, why didn’t you go and patent this particular idea that you have?

So again, I go back to the founders and ask them when you wanna patent this, what are you going to do after you are awarded the patent? Okay. So I want them to think it through, right? They say, oh, because I need to do it because my VC says I need to have in my portfolio before I get before exit or IPO or whatever it is, I got patents and all that because it increases valuation.

I say, okay, that's one argument. But my question to you is if you patent it, firstly, you have to hire a bunch of lawyers to do the work that needs to be done. Once a patent is granted, are you actively licensing it out to people or are you putting on the shelf? So that someday somewhere when an IPO or an exit happens, they count it in.

So who's the winner in all of this? The lawyers. Are you making anything out of it? A lot of times the founders will tell me, oh, we don't have any plans right now to license it out. Then what are you doing? What are you using it for? You might as well take the money you spend on the lawyers to hire better engineers, more engineers, or some product ideas and marketing, make things happen.

Make things happen then, you know, you can say, then you got a much higher valuation at the end than some pieces of paper sitting on a shelf somewhere. Sometimes they get it. I'm not saying not, they don't all get it, but some of those … it's hard. It's hard, they don't wanna see it. No matter how many times I show it to them, they say, I don't wanna see it. I know you're making sense, but I don't wanna see it. OK. I understand that.

Mark

And it's also, it also has to do with this concept, this concept I ran into recently called existential flexibility.

Harish

Yep.

Mark

Like they know that this is the thing they want. This idea is they're so married to it that they're unwilling to let it out and it's one of the hardest things to do is, is to let go of something you're so

Harish

Yeah, it's like doing the right thing and doing the things right. So that's really the difference between the two. So yeah, you can always do the right thing, but are you doing the right things right? That's the harder thing, right? I'm doing all the right things. It's just like the meme that went around when Nokia collapsed, where the CEO at her press conference was crying, saying that, oh, we did everything correctly. We did everything right. Yeah, but did you do the right thing? They didn't. They were not listening to people like me because I was trying to figure out some stuff with the Nokia phones to do some kind of a communication, but it's a proprietary protocol and it was very difficult.

So I keep asking them for [00:25:00] help. Can you release the, publish the protocol for the phones? Cuz I wanted to send SMS using the phone and all using a cable. They were, Oh, you have to run my proprietary software to do it. So there was a whole bunch of us. We reverse-engineered the entire protocol and we published it. Okay. This is 1997, 1998, no, maybe 99 or so somewhere around that timeframe. So there’s an example of someone say, oh, we did everything right, and yet we collapsed because we are not doing the right things. So it's, it's sad but true.

Mark

Yeah, and definitely again, just the same thing. Nokia is another example of just a company that's just holding on so tightly to what made them successful in the nineties.

They couldn't change with the time.

Harish

They were just refusing to appreciate that there is a different way of doing stuff.

Mark

Yes! Yeah, most definitely. And I think this, this type of mindset comes. It comes from doing what you do, right? Working with Open Source things, working with things, working with environment, constantly changing.

Harish

I mean, that's why in Red Hat we have the, there are few things that this poster that hangs up on the wall here, and I'll read it, we can share it on screen, but I'll read it out to you.

It’s, we are Red Hat, the passion of a startup, the perspective of an industry leader, the power of a community. Okay. That's it. That's, that's really what it is. It's a startup. We think like a startup, but Hey, we are comfortable from an enterprise point of view, but we are leveraging the Open Source community to do all of this together.

So we say there's no hard and fast wall that says, oh, this is community side, therefore I don't touch it. Or this is the enterprise side, I don't touch it. Or thou shall not mix. No, let's mix because the mix is when interesting things happen, and knowing that you're mixing it and that makes it even more powerful.

So that's how you start thinking like a startup while I'm accountable to my enterprise customers. So …

Mark

You know, I'm learning so many new things today.

Harish

Well, that's good.

Mark

It's such a novel approach. What a great mixture, taking the best of all those worlds and putting into one approach.

Harish

Two, three, maybe, maybe 2019. Yeah, 2019 or 2018, I think it was, we were trying to figure out how do we, as we were growing, the number of people joining Red Hat is increasing significantly, which is good, and which is bad. Which is good because you know, there's business we had and it's bad because how do we get everybody to understand why we do what we do?

So the Red Hat Why? So we had an internal because this is how an Open Source project works, so we do it the same way internally. We said, okay, we had about eight or 9,000 people participate. What is, why do you show up at work? Or why do you do at Red Hat what you do at Red Hat? Why do you do it? So, after I think took us about nine months or something like that, a lot of iterations, a lot of conversations, a lot of meetings. Why the heck do you do this? So eventually the why statement was crafted.

The why statement for Red Hat is Open Unlocks the World's Potential.

That's it.

Mark

Wow. Yeah, it's true.

Harish

It's not about us. It's about everybody else. And we wanna be part of that story. We wanna drive that story forward. So, open unlocks the world's potential.

That's it.

Mark

And I've, I mean, don't get me wrong. I've always believed that anyway but the thing that's new to me here in this interaction is that there have always been hard and fast walls between, you know, enterprise, startup, you know, like business, Open Source.

Like it was always a fact to me. An accepted fact.

Harish

Totally agree. I totally understand that.

Mark

And I would say that a lot of people in the industry are like myself, that don't actually, are not aware of or are not aware that, Hey, actually, you know what, they can coexist.

Harish

They have to coexist. I mean, I look at they, it does coexist. It's just that we are not acknowledging it. It's partially that because, you know, I don't want to, I don't want to do that because either there’s an insufficient understanding or what that means. It's an insufficient understanding and then, oh, that's how things move.

Ah, that's how it works. And so. It takes, I mean, it took us a long time, honestly. I mean, I'm not saying this is easy. From Red Hat point of view. It's like we had no idea how we made money until we changed the business model to say, Hey, the business model is a subscription, but even then that was hard. Cuz why would somebody, because I know I was in that, at that point, because at that time I had my startup before Red Hat, was an Open Source startup.

And when Red Hat announced that Red Hat Enterprise Linux was being launched, I looked at it and say, Hey, what is that all about? Oh, now you're, you're gonna become like Microsoft? You know, so, so when I dived into it and look at the, the code is available, I can now create an equivalent of the same stuff that they provide to their customer.

So that one of the projects that came out is CentOS, [00:30:00] the community enterprise offerings stuff, right? So CentOS idea is, the code is there because it's GPL code. Red Hat follows the ethos of the Open Source community and we publish it because that's what there has to be. Now, if somebody takes it and runs with it, go for it, but you're not, I'm not gonna be accountable for what you do because you took it and ran it. That's fine. So CentOS is an, it’s an example of that reaction to that change. But at the end of the day, there is this reason why the business exists, because there are people who require that kind of accountability.

And that's the reason why enterprise …

Mark

A hundred percent. I remember, I remember early, I had early 2000s. I started working in a secure, Security Operations Center at Verizon. I walked in and I sat, I walked in, I sat down at my station. I looked on the left and I said, yeah, there's a Linux machine here.

Why is there this Linux machine sitting here? And I said, and I asked my SOC manager and he said, oh no, that's. That's Red Hat Enterprise. That's Red Hat Enterprise, he said, so it's not open source. And they were like, yeah, it's enterprise. It's not Open Source. That's what they told me.

I said, I, well, my first thing was like, well, why are you guys using Linux? You know, it's Open Source. What? There's no support. What if this thing, what if all these machines crash? What if, what happens? You know, this is … no, no, it's enterprise, the Red Hat that's enterprise, it doesn't make sense to me, you know?

And so it was, it was a, I mean, it was just a … There's a huge leap in my mind that didn't, it didn't make sense to me. The two shall never meet. That was what I always thought, but definitely when you guys made that jump, it was a big leap to me as well, because I did prefer Linux over using Windows machines at the time, you know, because when you're, you know, when you're starting out, that's the cool thing to do. You know? It's very legit. Yes. Legit. Legit to be

Harish

It still. Is it still, is it so it still is.

Mark

Yeah, it still is. And it still is all of you out there listening, it's still legit to be Linux. I misspoke there, but yes, it's very fascinating to me to see the way you guys are seeing things.

Harish

It's a matter of empowering people. So when you are empowered to do things, whoever you may be. You could be a student, you could be an enterprise CIO. I don't care who you are, right? When you're empowered to do it, you don't want to lose the empowerment, and we don't wanna take it back.

We want you to be empowered. Now we want you to come back to us because you want to come back and work with us. Not because I'm forcing you to come back because, Hey, sorry buddy. It's not gonna work anymore, whatever. It should never be that. That should never be that because then I am beholden. So the term is called when vendor lock in, you're locked in.

I'm sorry, that's just not acceptable. And so over the years, I think a lot of the success in many ways comes from the fact that there's this thing called a cloud, right? The cloud, if you only have your stuff running on one cloud vendor, you have vendor lock in! That's it. If that vendor says, [00:33:00] sure, I'm gonna increase prices, what are you gonna do?

Go somewhere else? Where? Where you gonna go? Or I take away somewhere you're go services, where you gonna do, then you have multiple clouds coming up. Okay. So you got many cloud providers, but then how do you move easily? So we recognize that there is a problem there. So we created an Open Source project called OpenShift. So OpenShift is laid across all the clouds so it doesn't matter where you run it, you get the benefit of, in a hybrid environment, whether your own data center, Cloud A, Cloud B, Cloud C, Cloud D, Cloud whatever, doesn't matter, it's the same base plane.

Mark

So tell us, tell us a little bit about how that works, how, how that. You like,

Harish

So you have cross all cloud…

So, you have, so OpenShift is something we, it is a Platform-as-a-Service in the, in the older terminology, right? The Platform-as-a-Service. So, it is built on all the notion of Kubernetes, all the tools and [00:34:00] techniques within Kubernetes is used in that.

So it is a, the term that is used is an opinionated version of Kubernetes. Kubernetes is a bunch of projects, so many projects and you craft it for yourself. You can do a DIY, perfectly fine. But if the, the parts break, that's your problem, you go fix it. So, what we try to do is, okay, we see what's available there and see how do we make it work reliably for an enterprise.

But what happens then is the same OpenShift environment running on Cloud A, Cloud B, Cloud C, Cloud D, and your own data center. And you have, so it's the OpenShift running across all of them. So if you deploy an app that runs in your data center for whatever reason, and you decide, I’ll need to move out to another cloud provider somewhere, but it's still an OpenShift.

So your workload just moves. That's

Mark

Okay. How does that happen? Just out of curiosity, how does that happen? Is there some sort of translation between the Kubernetes instances?

Harish

No, it's not, it's not their instance. It is still OpenShift that's running, it's OpenShift running there, you see. So, I, I know I jumped, I jumped a few steps ahead, but it is running OpenShift across all of them.

It's not an instance of their Kubernetes, Cloud A, Cloud B, Cloud C. It's not their instance of Kubernetes, but it is OpenShift that we provide. Now you can turn around and say, Hey Harish, that's a good way to lock a customer into OpenShift. Totally. I totally agree. Completely agree. But the difference is this is Open Source stuff.

So you can run it yourself if you want to. You don't have to come back to us. Again, goes back to accountability. You wanna do it yourself? Please go ahead. You can do it yourself.

Mark

And I think it, I think it's a, it's definitely, cuz to me, yeah, it is future.

Harish

We call it hybrid cloud. That's the term that we use.

Mark

Yeah, yeah. There's no [00:36:00] argument about it anymore so I think this is something that's just at the right. It's showing up just at the right time, solves a real,

Harish

A real, problem's actually a real problem. Yeah. I mean, it's kinda interesting some organizations have put all their eggs in one basket, which is fine. I mean, if they think cloud A is good enough, that's fine. But if prices go up or you have different issues, then you have to deal with that, right? They may have a contractual agreement with them to be compensated and all that, but that's one part of the story, because then what is a customer experience?

Mark

Yes, because I mean, you know, we're dealing with a lot of customers who are working different clouds and what's coming out is that Cloud A has strengths and weaknesses, Cloud B has strengths and weaknesses, and depending on your use case, and depending on what you're trying to do, you might not wanna do everything on one cloud, so this is becoming the rule.

Harish

So that's the offering that we give. So that's what we give the offer to customers so that you can now. We have a peace of mind that I don't care where it is being run is run on this environment. And it's all container based and all the, all the good stuff that comes with that.

So I don't care where you run it.

Mark

And it gives them that choice and freedom gives them that choice and freedom.

Harish

But then that's always an obvious question that comes out: how often am I going to move from Cloud A to Cloud B? The thing is you don't have to be thinking about it. It should just, it just moves it on its own.

Mark

Yeah, you do.

Harish

Okay. There is a, a price differential. Maybe there's an arbitrage of cost for compute, for example, at a certain time of the day. Yeah. Then you, why don't you move your workload that does a lot of compute to that cloud? It's essentially the difference between moving your house from one place, one house to another, or moving to another hotel.

Exactly. In many ways, that's exactly right.

So you're not locked into it. You can now move transparently, so it's actually a very powerful model and this is enabled because it's over Open Source stuff and you can see exactly how we do it. There's nothing hidden in OpenShift. The upstream to OpenShift is called OKD. OKD is your Open Kubernetes Distribution. So that is taking Kubernetes, making it consumable to you, Mr. End-user.

And then Mr. Enterprise, we will make that from a project to a product. And then we make that available to you at a subscription. That's it! The model is very straightforward. It's all about empowerment. It's all about empowerment. You wanna experiment with something? Please, experiment! Learn from it, train your people on it, understand how it breaks, how you can fit it together and then let's work together, right?

So it's a very, I like the model. The model is so much more.

Mark

Yeah. It's refreshing.

You know, working in this business environment.

Harish

Yeah, exactly. You get really jaded and to hear something like that, to hear a vision like that, that's very refreshing. I think it's very, it gives me a little bit more faith.

Well, we try to, we try to do this and please join us if you can, because you know, we all together, it makes a difference. It's never, it's never a, you win or I win, you lose kind of thing. It's win, win. Let's win everyone. Yeah. We all win.

Mark

Yeah, let's all win.

Harish

So that's win. So it's okay. If I don't make a hundred dollars, I mean, $90 and you make $10. That's fine. Yeah, that's fine. It's okay. I don't to be hundred and you to be zero. No, you know,

Mark

Exactly like I say, at the, at the blackjack table when the dealer busts.

Harish

Yeah, exactly.

Mark

I love it when everybody wins.

Harish

Exactly. Exactly.

Mark

I love it when everybody wins. I remember doing that one, I have to mention that the next time.

Mark

Yes. Yes.

So we're coming up at the top of our time here.

Harish

Yeah.

Mark

We just lost track of time. A lot of great stuff to talk about. I didn't, actually, I had a bunch more questions I didn't get to any of them. So I think we have a lot of extra for another guest spot on the show here.

But today, if I wanted everyone to walk away with one, one big message today ...

Harish

Well, it depends on who I'm speaking with as well. So if you're talking about security point of view, security, because that's really about security, a lot of cases here, right? So the question here is people have been questioning ... it's a myth, right? Oh, open source is not secure.

Actually, it's not, it's really not secure.

It is only as secure as you wanna make it secure, just like proprietary software. You can make it

Mark

Oh, that's great.

Harish

as unsecure as you want to, because if you ... like your door, you may have the best locks on your door, but if you never lock it, what's the point?

So when you talk about Open Source software, software by definition, doesn't imply security or otherwise. It's about practices. It's about how you do it, and more importantly, when something is found to be wrong, how quickly can you fix it, right?

So Open Source gives you the ability to fix it as quickly as you can, because you know why? Everybody knows there's a problem. So if my window is broken, everybody knows my window is broken. I better go fix it. As opposed to an internal window somewhere, I hide it inside my store room. Nobody knows about it. I may fix it when I want to fix it. That's what you find, sadly, in the proprietary world, they may not tell you what it is, right?

I mean, are all the CVEs, I won't discuss how they, they won't it's too late. Yeah, yeah. Too late, you know, zero day stuff. It happens. Why does it happen? Because software inherently is insecure. Let's let's call it, call it as it is, right?

How do I make it better? So let's all of us come together to solve the problem. And, and this is the pushback that I get say, oh, why, you know, there'll be bad guys. Yes. There will be because we know there will be. So knowing that they're already there. Why don't we see how can we work together to sort this thing out?

So Open Source to me is a Please, you know, join us, contribute ideas, thoughts, you know, criticisms. That's fine. Let's welcome. Let's challenge the idea and make everything better. So that, really, Open Unlocks the World's Potential.

That's what I would say.

Mark

There you have it, everybody.

So you have it, as with anything it's only as good as to make it or as secure as you, you make it.

Harish

Exactly.

Mark

Right. That's awesome.

Thank you so much, Harish,

Harish

Thanks, Mark.

Mark

for being with us here today.

Harish

Thank you.

Mark

Such a great conversation.

Harish

Let's do it. Let's do it.

Mark

Cool. Do it again sometime soon.

Harish

All right.

Mark

Alright, and everybody else out there, this has been Ask A CISO podcast.

Harish

Thank you.

Mark

Catch us again on the next one.

Mark Anthony Fuentes

Mark Fuentes has over a decade of experience in the cyber security field highlighted by roles in organizations such as Verizon, The International Monetary Fund, and The United States Department of Homeland Security. Mark is an avid consumer of technology trends and threat intelligence and seeks out new applications of tech and research to combat cyber crime.
