From YouTube: CNCF SIG Security 2020-02-12
Description
CNCF SIG Storage 2020-02-12
C
A
Can leave your name bank and we'll call on you when we go around, sort of, you know, go through a bit of a roll call. We'd love to have you introduce yourself. If you don't have anything that you'd like to update folks, put a little parenthetical "No update" and I won't bother you or put you on the spot or drag you out of the other meeting you're hearing at the same time.
A
A
So, first and foremost, if, you know, our norms have evolved in a way that I'm not, you know, following, let me know, because, you know, we've been doing great. It's nice not to have to facilitate all the meetings, and now I want to make sure that we're maintaining consistency, not me just now grinding along. I can grind out a meeting.
A
So let me know. I want to have a bit of a discussion, since we don't have anything pressing on the agenda, around the role of operators in our cloud native systems, kind of open things up. We have a new end user group that is forming, and I was instrumental in forming a similar group in the Node.js ecosystem that's been really, you know, beneficial, and, you know, in that effort.
A
B
Sure, so we're going through the process of reviewing the CFP for the Cloud Native Security Day at KubeCon EU. I want to say we have about 50 for submissions those. Some of those do include capture-the-flag submissions, which we still kept open, but we're not going to do a capture the flag, but we wanted to kind of capture different ideas that we could use those for, possibly KubeCon Boston, and we have about seven reviewers. So that's also an increase from this.
B
The three reviewers that we had last time, so we'll have a little bit more data points to make better decisions around what talks are going to be at something, and then hopefully we're gonna have a meeting, we're going to have a mean on Friday, and hopefully we'll have the final schedule ready to go by then and then publish shortly thereafter as well. So stay tuned for that.
A
A
So I realized that I didn't pressure anybody into taking notes, so we usually like to have, thank you, Justin, for stepping in and taking on that. If anyone else, you know, would like to help Justin, especially while Justin's talking, we like to have, you know, two scribes that we, you know, can capture everything and can just take.
D
Yes, I have a couple quick updates this week, one of which is that I've still been trying to get a bit of movement on the mock-up of the changes to the landscape. I've talked to Amy about that yesterday, but I think maybe hearing it from someone other than me, because I feel like I've pestered her now about like eight times about this incident.
D
This need might help to move that along a little bit, although maybe give her a day or so. And also, mostly we've just been dealing with a variety of things related to TUF and in-toto and stuff. TUF adoption within the community is always kind of trucking along. We spend a surprising amount of time explaining to people that this transparency log idea, this idea of having what's basically a blockchain or, you know, a permissioned blockchain.
D
If you don't like the word blockchain, then a permissioned set of servers that Google runs in some cases, like, keep a history, has been something that it seems really odd to us, but a lot of people are kind of starting to, or we had heard people kind of confusing this and thinking it does things it doesn't do, like actually provide security other than just detection of things.
D
F
D
A
Caboose, I think your consternation, you know, comes, is in line with the topic that I'm trying to serve tea up for today around the role of operators. You know, a lot of what we're building in our cloud native systems are automation and sort of, you know, ease of whatever, and, you know, there's behind some of that a, you know, I think a misconception that there, you know, we eliminate operators. We've lifted and shifted so much of the data center.
A
Out of, you know, that sort of operations into the cloud, but still, you know, that new infrastructure in our cloud native world needs to be operated, and, you know, I think the types of roles that exist there are just, you know, not well enough defined, not well enough understood, especially not at scale, and, you know, we'll all be better off if we begin to wrangle, you know, the human side of that and, you know, try to introduce more clarity there.
A
B
G
Myself practically lotia, I'm a principal architect at Charter Communications, which is an Internet service provider. We're starting to work on a company's Kubernetes architecture, dealing with videos, Siena is service mesh, policy and configuration, so I represent more or the security aspect of it. So that's why I'm here, to see what, you know, value, what things are going on in the working group and if there's anything value I can add to it.
G
G
H
Hey, I am an open source technologist at Amazon and currently hanging out with the SIG, because perfect eyes are open. Former Capital One O'clock stating that we're trying to do the assessment process to go for the talk for an incubation type of event, so I've been hanging out on open source for 20 plus years, and always I'm tired of my data being leaked. So anything we can do to improve security in the cloud.
H
I'm Williams, a road beyond that more tentacley on. I've been looking at the assessment issue and it's sort of been, like, it's been kicking around for a few months without any real movement. In the last two weeks, it's been waiting for someone to sign off on the reviewers, so trying to figure out what we need to do to get that done.
A
Awesome, well, we are the right place for that. I will help you push that over the edge, and I know, you know, from TLC meetings that you've been engaged there. So, you know, call us out, you know, worst case, escalate to the chairs. I am one of them and will, you know, make sure that, you know, we do that puzzle for.
D
You, by the way, this is just a point for anybody else. Student, a similar situation, raising things like that in the Slack channel or on the issues related to the project are really good ways to do it. I don't know if that was done here and missed it, could entirely have been, but just let us know that things are lying, because without, you know, we get the, we get pinged when things happen like that, but we don't get when things haven't happened and should be, so look for.
A
H
E
Put it in the minutes as well as 307, but are you based in Seattle I.
E
A
A
C
It's a little off topic. This is from the IEEE DevOps, of a turn, my camera on, yeah, from the IEEE DevOps community. They've asked me to try to crosswalk that draft with the IEEE reliability standard, so I'm trying to put that off for the post public release draft, that's gonna happen a month or two, so that I don't have to do it now, because I don't have the time, but I'd love to get feedback from anybody who has got opinions on connecting up DevOps with resilience issues.
C
A
C
If I understand the question right, it's really about trying to take the existing standards work, explain what DevOps is, how it changes the existing standards. I don't think there's the kind of ops-centric focus you would get with SRE. That, by the way, was the, you know, the Google SRE approach is somewhat orthogonal to this in many respects, because it's not so for product release rhythm, that's important for us.
A
C
A
G
C
C
C
Google to some extent here and there, but also a lot of folks very in their late career, with a lot of, you know, trying to make their mark in a discursive environment, and that those folks tend to be a little at some distance from current practice. So that's the sociology of the standards organizations, is a little, a bit of an impediment to tech transfer, yeah, and in the DevOps group, I think we've made some traction there. I'm concerned that the document is going to be really big.
C
For example, it's taken ISO work on the, from the test community and trying to apply that to DevOps automation and also to connect it up with quality and risk management, and all of these things are pretty deep disciplines in their own, and to trying to DevOps-ize all of these things he's really trying to come to terms with a thing that really hasn't evolved in current practice yet, so yeah. This is a large topic, yeah. We could talk about this for a whole meeting, right.
A
Yeah, it's the biggest, you know, I think we're, you know, potentially undervaluing it. I think those of us who, you know, may have a little bit more experience, you know, under fire, may have more appreciation for it and just sort of a natural expectation that that's the, you know, part of the process. But those who, you know, haven't, you know, sort of had that opportunity don't have the appreciation, and, you know, a lot of what we're building is abstracting those things out or automating those things.
C
That's a good summary, and, you know, just to really evangelize this even further for this audience. If you look, if you try to fast forward 5 or 10 years and where this automation is going to go, security becomes, in part at least, AI versus AI, and the extent to which those algorithms require deep subject matter specializations, say, to automate the generation of test plans for things like two-factor authentication or for testing and resilience of distributed systems that have part IoT, part concentrator, part cloud-based operations. These require.
A
C
By fiat or org chart, but just because you become a specialist who knows things, you have to become steeped in it, so building test cases that work across them is a big challenge, so yeah. If this, this is a problem we're gonna face, and in an equally siloed way the adversaries are going to, you know, architect their own approaches to this. They're going to leverage the same open source tools that we're using to implement our countermeasures.
C
So, you know, at the same time as we're, you know, embracing an open community to what secure our systems, we're also providing them tools to combat us, you know, to offset these safeguards, so these alternative perspectives on security writ large, beyond the issues that you're addressing, you know, is something we kind of have to have in the back of our minds at all times.
I
Just linked in the doc that for the Kubernetes working policy working variable we're kind of discussing a policy violation of standard across so that we different projects can plug in and have the output to be readable. So I link to the docket people, especially from more policy related projects, would be interested in chiming in and contributing slash integrating with it. That's, I like that.
A
I'm gonna beat this on the DAP today. Sorry.
A
I
A little bit agnostic on purpose, so that we're kind of, there's a lot of different kind of plugins and projects to cover, know OPA with Gatekeeper, etc., that are kind of approaching the policy landscape within Kubernetes in different ways, and we kind of just want to get some parts on the same page so that we can kind of have, especially so that users can switch between certain aspects of them. So it's a, we're trying to keep it pretty minimal and not prescribe much at all, except that, you know, the output.
A
D
A
A
You know, across the ecosystem, and, you know, there's this interesting sort of duality of, especially around Kubernetes, where, you know, we're both trying to, you know, standardize it and abstract it away at the same time, and, you know, both of those things are needed, but, you know, what one of the drivers that I see, you know, wanting to abstract it away is, you know, Kubernetes is hard and I don't want, I don't know enough about it.
A
You know, effectively manage it, so, you know, make it go away and just make it easy for me, and, you know, this reality of that is folks are leaping over, you know, necessary steps of understanding and integrating new systems with, you know, tons of distilled complexity. You know, we've lifted and shifted, you know, the entire workflows of, you know, data centers and the operators in the data centers that, you know, have, you know, had physical abstractions that, you know, enabled us to.
A
A
But, you know, I've been at this for now, you know, 25 years, and I'm increasingly of the mind that, you know, there is no other end of the rainbow, that we're only going to be changing the wheels on the car faster, more often, and, you know, probably we ought to get better at doing, you know, sort of, you know, live mechanic, you know, rather than expecting that, you know, think we're going to get to some perfect state. I spent.
A
You know, five years, you know, commercializing Node.js, bring, you know, what I thought we were, you know, eventually bringing things into helping developers. I'm a developer, you know, solving developer problems. Ultimately, you know, once we got into protocol product market fit, the reality was we were serving operators. Folks didn't know how to run those systems, and we were providing the tooling that enabled those operators, the individuals responsible for running.
A
You know, these new novel systems that, you know, hadn't existed and hadn't been run at scale before, and, you know, providing the tools that they needed to successfully operate, and, you know, I've come back to that premise, you know, as I've spoken to many organizations recently, that, you know, is I'm a developer. It is, you know, developing the solution, you're really going to get us the outcome, and, you know, that we're looking for, and, you know, even with our sort of best, you know, approach that we have today around SRE. Yes, we're solving.
A
You know, actively solving things, problems with software, you know, helping accelerate our systems, but ultimately we're putting, you know, experienced individuals that understand the subject matter, you know, in the line of fire, and, you know, enabling our system to operate successfully by essentially putting operators in the mix who are better equipped to deal with, you know, the design dynamic changes that we have in our cloud native systems. So that's the premise. I'd love to get your feedback on that, and, you know, you see working draw some inspiration.
A
You know, to move that forward, and, you know, also see if, you know, that's something that we collectively are interested in spending, you know, and any of our cycles on. You know, a lot of the folks that have raised their hands to participate in the assessments are looking to, you know, build their skill set and ramp up, you know, their understanding of how they can work more effectively in this cloud native ecosystem.
B
Guess I'll just add my two cents. I think the operative framework or the operator model, it's actually good from the perspective of Liao's. If it's done properly, it allows you to bake in a lot of our security posture and security configurations into the configuration. Of course, part of the challenges is most of it becomes a black box.
B
B
A
D
Mean, I think things shift so much over time that, like, if you'd asked, you know, five years ago, what people doing this kind of work would be doing, and how, like, you know, how would you train somebody to know how to use cloud now, it's very different to deco, so I don't, I don't sort of know what, that we're going to be able to come up with some meaningful prognostication about this.
I
Yeah, I agree with that. I think when people try to say they're going to automate away jobs, it's just besides, like, doesn't even, I don't even think it makes sense. It's like, I thought you're trying to do more, right? Most companies are trying to grow, so it's more, I think if you think, frame it is we're building tools to help people do even more with this, who are already overworked, it's a better frame than thinking about getting rid of them, and I.
I
Think that goes for operators as well, that, you know, we're giving them the tools to do their job more effectively, to run more services with fewer, you know, with fewer of them. What are the tools, just like, what are the tools that developers need, one of the tools that the operators need to be able to do their jobs more effectively in the cloud native environment? How.
C
H
B
H
B
C
H
C
D
C
Just gonna say, it's the people that we call doing infrastructure it now means, for example, the folks trying to implement micro networks, you know, the smaller subnets of authorization, and, you know, policy connected subnets, is what used to be done by network engineers, and that was a clear, that was your Cisco guys, your Palo Alto guy. Well, if that becomes software, there's a fusion that's happening here. That is a force multiplier, to use the DoD framing for this, and I think that does mean reduced headcount, and because it's, it now becomes a cross specialization.
C
It's now Python skill plus networking skill, and also, if it becomes open-source, it means you're not hiding behind a paywall to teach people how to do it. So I think there is a sort of democratization of infrastructure that will happen through cloud, but sort of the offsetting thing that's going to happen, and I see, and on two fronts, that one is the sustainability metrics, which is kind of related to security, but not directly. But, you know, as we become, have corporate responsibility for power footprint, for everything that we do, and also for measuring it.
C
That becomes an IT, you know, demand to produce real-time metrics for that sort of thing and to plan for it. That creates new demands on our infrastructure. So there is that pressure on it, and also I think there is a demand to move toward real-time, which is a slow-moving front, taking, moving things across sector by sector.
A
C
A
No, you know, I just know the way that we value subject matter expertise and apply it. A lot of the, you know, sort of scale ways that we're applying subject matter expertise is, you know, through, you know, what we keep calling AI, which, you know, behind the scenes is often, you know, Mechanical Turk and, you know, feeding in, you know, training into systems that we don't fully understand to achieve the outcomes that we would like to have.
A
So, you know, real boots-on-the-ground application things, not the idealized or perfect state, and, you know, that workflow, that process, the flywheel, you know, fundamentally is abstract away the subject matter expertise, not distilling in subject matter expertise, you know, based on years of experience. You mentioned, you know, those, you know, trained and certified operators, and, you know, kind of two generations ago, with our network operators, you know, all of those folks, to get to, you know, be able to participate in the marketplace, had to go through extensive, expensive.
A
A
A
C
That's clear, so a short thought about that is: the flywheels are operating autonomously now inside the major vendor toolkits. So like the anti-phishing tools, there's a whole bunch of deep knowledge required to use them. Same thing with the, you know, the edge connect, do you know, the edge tools, the dark web intelligence tools? All of these things have their own sort of deep specialization stuff that is still there. So as you're writing APIs into these tools to do orchestration.
C
You have to come to terms with pretty deep snv's around that, some of which stays on the vendor side, some of which gets brought into the institution, but still I think you've got this, the thing you're tackling here, you've got this sort of decentralization of that expertise into a broader community. Whether that's good or bad, that is going on. It's true, right.
E
C
A
A
Yes, the mark you, you worked with framework that actually, you know, collides and coincide with our, you know, former or moniker called safe. You know, that is kind of a very large structured process for, you know, beginning to look at that. That's, you know, been in flight now for, you know, several years. You know, would you mind sort of do describing safe, and, you know, that framework, and, you know, if you could, you know, touch on, you know, some of the challenges that actually implementing that, you know, have new than you've encountered.
A
A
C
C
You know, but I think this community on this call is more sophisticated than really that standard trying to tackle. You know, for example, the ability to take, you know, an OpenStack-like architecture and say this is how I'm going to partition off classes of data and protect it, and how I'm going to, you know, control the anonymization algorithms that I'm using, and how to try to defeat D Animas, HD, anonymization, tooling.
C
You know, this audience would get that. We don't really try to tackle that in that framework. You know, I can come back and talk about this, you know, at greater length if you like, but, you know, the short version of this is that, you know, it's, we just conceived of three voluntary compliance levels that try to look increasingly deep at this intersection between domain-specific and cross-domain security apparatus.
C
To promote privacy and security across a bunch of segments which we're all familiar with, you know: encryption, trans, transparency of algorithms, adversarial testing automation, reduced cycle time for the promotion of code, in order to sort of stabilize the interaction between what we find in adversarial testing and new product releases. You know, there are other facets to that.
G
C
In the government, looking, you know, it's like the GSA level of how do you do this for agencies? And how do you do this for a twenty thousand employee company, where you have to deal with a lot of legacy code, you know, as well as, you know, cuz I think cloud native gets to deal with a lot of green field, and the green field luxury is not a common one across our industry. You know, even in telecom, there's a lot of, you know, for a lot of reasons, there's a lot of legacy stuff.
C
You have to work with, and this constrains the way that you get, you architects systems. So the framework driven approach with I know not it'll be on. This call. Is it's fond of tends to work better in those places where the legacy stuff is all in the mix. It's, you know, everywhere you turn, there's something you don't have full control over, so you're, you know, you're controlling it through controls, as opposed to automation, which is kind of not where you want to get.
A
A
You know, that those formal efforts that, you know, really document all of those interaction points and rough edges, I think might help us inform, you know, some of those things where, you know, we might not know what we don't know and, you know, and need to draw on other insights to do that better, and that your comment on green fields is, you know, I think one of the main actual reasons why we see so much.
A
You know, acceleration in this field, in this area, because we, you know, have the privilege of going in and working in greenfield and have gotten that, you know, time under fire, and, you know, the ability to just, you know, really map that particular route out well, but, you know, then we got to integrate it with everybody else. Build consensus, figure out how it fits. Is this cloud native or not? You know, there's a lot of fit up work that we all collectively have to do to come out.
A
A
A
Process that we can draw inspiration from it's, so we can, you know, begin to inform ourselves on how we can integrate the work that we're doing here in security into the rest of the ecosystem, you know, make it usable, make it approachable, and, you know, make it something that, you know, folks are. You know, one of the main inspirations that JJ, Sarah and I, you know, had when we got together to kick off this thing is really making security.
A
You know, a first-class citizen and the default, and I still think we have a fair amount of work to do to get to that, and, you know, a lot of that work is going to be fit up and, you know, helping folks manage their expectations, you know, with the other parts of the ecosystem, not just through our individual and collective subject matter expertise.