DevOps in the enterprise requires focus on security, visibility

Listen to this podcast

App dev, quality and delivery challenges constantly pop up in DevOps implementations. Hear how overworked IT professionals deal with these challenges, and how tools can help -- or not.

It's one thing to prioritize DevOps in the enterprise, but it's another challenge altogether to deal with oft-complex toolsets that are part of this strategy. Automation only goes so far, and there's a lack of skilled workers to carry the torch.

Constant improvement is at the heart of DevOps transformation in established IT organizations. For enterprise IT, the answer can be as convoluted as a multi-cluster container orchestration tool, or as simple as a bowl of candy to get teams collaborating. Identify your problems, address them and repeat.

"Instead of doing DevOps as a project and declaring victory, you look at it as a continuous process," said Beth Pariseau, senior news writer at TechTarget. "You look at everything from your software delivery pipeline to your infrastructure platform as a product, [as with] whatever your business offers, that you need to maintain, in terms of its quality, that you need to update, in terms of its relevance to your market, and that it's not something that's ever finished."

In this episode of Test & Release, Pariseau, who writes for SearchSoftwareQuality and SearchITOperations, discusses technology topics that will matter in 2020. She also shares experiences from containers, cloud and DevOps conferences such as KubeCon and DevSecCon, where diverse leaders related the many challenges associated with DevOps and Agile transformation. Success for DevOps in the enterprise starts with small wins and a consistent march toward improvement.

"It's clear that enterprises have had to handle this digital transformation in phases," Pariseau said. "You have to eat the elephant one bite at a time."

Take security in the SDLC. DevOps purists, she says, intended for business and security concerns to get rolled into the natural cadence of a lifecycle. However, as many teams struggle with pipeline complexities bringing DevOps to mainstream enterprise IT, those concerns took a back seat.

Now, enterprises are putting security back into focus, as high-profile breaches carry potentially disastrous repercussions. It's not enough to simply preach shared security responsibility, she said; you must get dev, ops and security to communicate and cooperate on a deeper level, which can mean fundamentally rethinking how work is done. And soon, as attackers have grown increasingly sophisticated in their efforts.

"In a world where a company as technologically cutting-edge as [banking company] Capital One can have a high-profile data breach, sometimes it's hard to imagine what chance anybody has," Pariseau said, referring to the 2019 data breach perpetrated by an AWS-savvy attacker. "Even as enterprises get better at securing their assets, people whose business is breaking in are getting better and more advanced. I heard one expert estimate that we're still about five years behind the attackers as it is, and they're not stopping, they're not slowing down."

AI-enabled development, testing, monitoring and management tools can bridge the gap in some ways, but it presents a whole new subset of problems, she says, especially for veteran IT professionals who have been burned by vendors in the past.

Perhaps the market with the most instability heading into 2020, she says, is observability. Teams with distributed, cloud-native applications struggle to pinpoint where errors occur. As application performance monitoring vendors and specialty startups flood the market for this increasing need, a clearer picture should emerge -- especially after some consolidation.

Pariseau also spoke about containers in the DevOps toolbelt, including what she makes of the recent Docker-Mirantis deal, which will have ramifications across the open source community. And she explains the glut of Kubernetes distributions on the market for enterprise DevOps adopters.

Editor's note: Pariseau spoke with site editor David Carty and assistant site editor Ryan Black. The transcript has been lightly edited for clarity and brevity.

David Carty: Thanks for being here, Beth. First of all, let's start off with a really high-level question. You cover a lot of shows. It seems like you're constantly on the way to a conference or catching up from a conference. Looking back at 2019, what was the most interesting tech conference you covered, and what kinds of conversations did you have there?

Beth PariseauBeth Pariseau

Beth Pariseau: I think the show in my world is still KubeCon. That show has exploded in growth over the last three conferences that I've been to. [In] 2017, it was about 3,500 people maybe; it filled up one wing of the Austin Convention Center in Texas. And then last year in Seattle, they had about 8,500 and a 2,000-person waiting list. They were not prepared for the onslaught of people who wanted to go to Seattle. And then, this year, it was in San Diego at the much bigger [San Diego Convention Center], and it was 12,200, I think, the official attendance -- plus all the vendors and exhibitors. It was a madhouse, and the energy there is just frenetic, there's so much going on. It seems like every company that's remotely attached to DevOps and cloud-native technologies, which is kind of all of them, is there. Users are there, and [there's] such a broad array of highly complex topics, that there's a lot to talk about.

What's interesting about the conversations this year is, in the past, even last year, the focus was on Kubernetes itself, the core platform, and what features was it still missing, like Windows host support, for example, last year was a big thing, because that got pushed out or released from when it was supposed to be out. This year, there was a Kubernetes core platform release, 1.17 -- today, actually -- and it got no play at the conference. The focus was now on what other things you need, like service mesh was a big one, or multi-tenant security was another hot topic, as kind of an advanced use case, or what can you do with this now? It's not just what is Kubernetes, and how does it work? [It's] okay, how do we get to a specific workflow like GitOps? You know, how do we actually apply this to our business problems? So that's a huge leap in maturity for two calendar years.

Ryan Black: Actually, to stay on the business point, we've been hearing more emphasis on BizDevOps, or DevOps 2.0, which, in a nutshell, encourages more collaboration between IT and the business teams, you know this. But, I'm wondering, what have you heard about how is this done in a practical way without delaying production? And what are the sorts of impediments that usually pop up from what you've heard?

Pariseau: Well, if you talk to DevOps purists, they object to things like DevSecOps and BizDevOps, because their argument is that they've always considered those things -- alignment with the business and secure code -- to be part of DevOps. You don't need a separate term. But it's clear that enterprises have had to handle this digital transformation in phases. You have to eat the elephant one bite at a time. So a lot of it has been the technical folks getting their arms wrapped around the complex infrastructure automation and pipeline technology, but it is starting to branch into broader conversations about, 'How do we secure our enterprise, not just our servers, but our enterprise? How do we avoid making the wrong kind of headlines from a bridge? And, also, how do we actually realize that return on all this investment?'

It's not just a science project. Businesses need to transform for a reason. And so people are getting back to that initial mission, I think, because it is really complex technical work that they have to do just to establish the capabilities, but now it's about, 'What are the capabilities, and what do we want to use them for?' You see this reflected not just in how people are using products, but in what's going into products. So, for example, Atlassian, which has long been a really strong player in the defect management and software planning space, the collaboration space, which is at the far left side of that DevOps pipeline, they acquired AgileCraft this year, which has become their Jira Align product that has a lot more to do with enterprise-level portfolio management, kind of a bird's eye, a 30,000-foot view into all the projects and what they call value streams that are serving the business from a software delivery point of view. There are a lot of experts out there putting out material and guidelines, best practices around what's called a 'project to product' mindset. So instead of doing DevOps as a project and declaring victory, you look at it as a continuous process. You look at everything from your software delivery pipeline to your infrastructure platform as a product, [as with] whatever your business offers, that you need to maintain, in terms of its quality, that you need to update, in terms of its relevance to your market, and that it's not something that's ever finished.

Carty: Right. And this gets into value stream management, right? We see a lot of vendors in the space CollabNet, Plutora, Tasktop, XebiaLabs. This seems like a really emerging space and one that I imagine you'll be covering quite a bit in the next year.

Pariseau: Yes. CloudBees is another one with their acquisition of Electric Cloud. A lot of the Kubernetes and infrastructure automation platforms, not to mention the cloud providers, are also offering pipelines built in, so that you're starting to get more cohesion on the technical side, sort of that middle of the DevOps process, but bringing it into line with the business itself, how ideas are generated, how they are picked up and moved from a piece of paper or word of mouth in a meeting to a deliverable. That's where I think the efforts will be focused next year.

Black: On that note, I did want to also ask you about what sorts of things you're hearing from people in terms of what they want from tools. It sounds like it might be that people just want the whole package in one tool. They want to buy whole platforms of tools that include … everything under the sun.

Pariseau: That's at least what industry analysts are telling me. I know that having been on this beat since 2016, early on, it was a lot of sort of artisanal craftsmanship that went into building your own tool chain out of open source components. That was all well and good for early adopters that really had the skills. But, as every business needs to at least have an app and a website, they at least need to do that amount of software development, not everybody is going to have the skill set in-house to put together the platform. Putting together an infrastructure or software delivery platform is not the ultimate goal for most businesses. So, if you're a mainstream business, it's not even necessarily worth the investment to put together your own platform. For compliance purposes, a lot of them need to have someone to rely on for support, security, expertise and in many different areas -- it just isn't possible to source from within. Frankly, this stuff is so complicated. It's so sprawled out. There are so many layers and layers of complicated things that you have to get to work and then work together; they just want somebody to figure it out for them.

Black: So, it sounds like it's less those people who craft together their own tool chains that are disappearing. It's more just the overall pool's getting bigger, and the new entrants into the pool are people who want your more generic [platform].

Pariseau: In terms of the market, yes. In terms of IT skills, that pool is not getting bigger. That's another major problem that I started to cover this year that is really weighing on the minds of enterprises, across the board, even the U.S. Air Force that has a lot of cachet, that's doing a lot of cutting-edge things with Kubernetes and service mesh, is struggling to find people with the right skill set. There are a lot of other kinds of approaches, and, I guess, sort of academic-level theories about the best way to approach that, but the reality is that there just aren't enough people to build these things bespoke.

Black: So, we were talking about before how you're expecting DevSecOps to continue being a big area of coverage for you going into 2020. One of the things that -- I was reading through some of your recent articles before this interview. You were [writing] about how one of the biggest unaddressed challenges is human error, it's much less people not having the tools or the actual software to address the things. It's [that] they're missing the signs, or just the workflow's not in place for them to actually address and fix these vulnerabilities.

Pariseau: Yeah. A security operations monitoring tool is only as good as the eyes that are looking at it. It can be flashing [a] red alert at you, but if you don't know what you're looking at, you're not going to respond to it. In a world where a company as technologically cutting-edge as Capital One can have a high-profile data breach, sometimes it's hard to imagine what chance anybody has, because even as enterprises get better at securing their assets, people whose business is breaking in, are getting better and more advanced. I heard one expert estimate that we're still about five years behind the attackers as it is, and they're not stopping, they're not slowing down. It gets back to that skills issue, which is where some people think AI will bridge the gap. But other people are trying to teach leadership, things that didn't used to be considered inside the purview of IT, at least for certain people within IT. VPs of engineering, CTOs, CIOs and even at the team level, practitioners and consultants, enterprises are starting to realize that the so-called soft skills are really crucial to the next phase of transformation. It's not just about having the right tools in place -- although that is important -- it's also about what you do with those tools, how you respond to what those tools tell you, and the old adage of garbage-in, garbage-out. How do you align people to collaborate effectively on the product you produce, so that it is not only delivered quickly, but also of high quality? Quality includes security.

Carty: That's a great point too, because we know you can't preach DevOps. And that goes to the DevSecOps point too -- you can't preach DevSecOps. You can't preach shared responsibility for security. It's not that simple. It's got to be a really malleable sort of process, depending on your teams, your processes. That's, I think, where so many people struggle.

Black: And that's something so intangible. It's easy to come in [and] have a workshop one day and say, 'You all need to be better leaders.' And everyone's scratching their head. It's like, cool.

Pariseau: There are, but there are experts in the field like Gene Kim, for example, who wrote The Phoenix Project that got this all kicked off. He has another more recent book called The Unicorn Project, about methods, about tangible steps for organizing people and organizing teams. Organizational dynamics is an established field of study that can be brought to bear here. There are tangible methods. At DevSecCon, which was another really interesting conference for me this year, most of the discussion was about practical do's and don'ts and experiences and takeaways from the efforts of companies at the forefront of these things like Mozilla and Apple, about how they organize people, about how they've focused on not really saying that security is everyone's job, as just giving security, and IT ops, and devs, and the business all a seat at the table. That it takes everybody.

Black: Was that the conference where you heard the story about the one chief security officer putting out the bowls of candy in a security team's area?

Pariseau: Yes. There was also discussion of cookies.

Black: For our listeners, Beth, in one of her recent stories, essentially related an anecdote about how one chief security officer would go put out bowls of candy in the security team's area, and that would actually get folks on other teams to stop by. And, well, because they're close by, they would then [ask] questions.

Pariseau: What a lot of IT security people within established enterprises have to overcome [in DevOps] is not just a new way for them to work, but a new way to approach their colleagues in IT ops and development. Unfortunately, the history is not just of developers throwing things over the wall to ops and saying, 'It worked on my machine, you handle it,' but also of IT security being the party of 'no,' to everyone. 'Hey, we want to do this really cool thing. We just need you to sign off on it.' Well, no.

Black: Or even the party that delays releases.

Carty: There's so much baggage there.

Pariseau: So they've got to get in as soon in the process as possible, which means they have to be let in as soon as possible, but it doesn't hurt to catch more flies with honey, and to address those historical resentments, and sort of start over, in terms of how these different factions have traditionally treated each other. So, it sounds really silly, but it's a little human thing. I think a lot of times people want to talk about some kind of super crunchy data science tech that's super awesome. And [instead] something like, 'Make sure people want to talk to you,' [is effective]. I think a lot of people that went to school for computer science, I don't think they imagined that they'd have to think about that sort of thing. I'm not just saying that, that's something that I'm paraphrasing [from] what an IT person has told me is how they feel. 'I was told that there would be no social engineering on this career.' And it turns out that it's quite the opposite. Encouraging that collaboration and that trust is hugely important. It often gets overlooked, and it can seem really silly and really simple, but it's hugely important. I think companies are waking up to that.

Black: It makes sense. It's just like, if you go to work, you want to have the sort of work culture where you could talk to your co-workers about what you're working on.

Pariseau: Right, but to your point earlier, it is intangible. It's not something that there's a set of 10 steps to accomplish, and it varies by organization. One of the trickier problems in DevSecOps and security in general is asset inventory, knowing what you have, knowing who you are. I think that extends to every part of DevOps and Agile transformation. First, you need to know where you are, to know where you're going, and that's really hard. It's actually a really long-standing problem in security software is doing effective asset inventory.

Carty: You spoke earlier about how AI can bridge the gap with security a little bit. Let's talk AIOps, another big area that you that you'll be covering in 2020. As with any kind of implementation of AI, there's a little bit of a hype versus reality element to it. So, what's the reality with AIOps right now? And where do you see that going in the near future?

Pariseau: I think the real-world use case that I've seen in any kind of statistically significant use so far is people using machine learning and algorithmic analysis to reduce the fire hose of alerts their IT teams get. So alert reduction and correlation is real. It is something that I know mainstream enterprises with compliance concerns, like Keybank, for example, are using Moogsoft and they feed it with a Kafka [open source stream processing software] pipeline. But data cleansing and data management is an overlooked part of that because, again, garbage in, garbage out. You can have all the whiz-bang algorithms in your AIOps where you want, but if you're feeding it garbage, or you're feeding it unreliable data, it's not going to give you anything useful. So, early adopters of AIOps tools have had to tackle the challenge of getting their data consistently stored in one repository that can be read by the AIOps tool, so that it will deliver them useful information. As far as the dream that started to get articulated, probably in 2017 or so, maybe late 2016, about AI and algorithms and machine learning replacing human intervention for things like incident response and remediation, it's getting there, but I'd say it's still on the cutting edge, if not the bleeding edge. Some companies are more ambitious than others in what they believe they'll offer by this time next year. For example, Dynatrace just came out with a set of services and an open source tool that they talk about being autonomous cloud, but they use the term NoOps, which had sort of become a dirty word, at least in the [] world. But it's still not clear how far automation will go. And the other thing that's really clear, is that IT guys, especially those who've been around a lot longer than, like, two years, don't trust it, because of vendors coming to you saying, 'We have these world-class eggheads with multiple PhDs that designed this algorithm that's going to automate your IT ops, so you can put your feet up, and you can never worry about anything again. It'll just take care of it for you.' And they're saying, these enterprise IT guys, the first question they ask is, 'What happens when your software screws up? Do I need data scientists on my team to figure out if it's your software or something else?' Finger pointing is the first time-honored problem that they anticipate having to deal with. And, of course, the idea is that no, you don't need your own data scientists because you're buying the work product of another company's data scientists being your vendor, but IT guys [are skeptical], I think, with good reason -- they've been burned so many times with the latest software automation that's going to cure cancer and solve world hunger. Their question isn't even, 'Is that possible?' but, 'What happens when it fails?'

Carty: Right. That goes beyond the inherent skepticism toward AI or the fact that maybe it's being oversold or overmarketed. I mean, that goes into how do we debug this problem right now, that's happening right now?

Pariseau: Right. However, the problem is, there's a huge business mandate to transform in these ways that bring this stuff of unfathomable complexity into your world. That unfathomable complexity is going to need to be automatically managed at some point, because it's just beyond the capabilities of even 20 human beings working full time, if not more, to actually get their arms around it. But, it's scary. It's not something that people trust, whose business has essentially been risk management.

The next question that people ask is, 'What happens when and if your company goes away?' Now I've got this thing in the middle of my data path, not just between my users and my infrastructure, but between me and what's going on in the infrastructure. And, all of a sudden, your company goes out of business or you get acquired by a company that we consider a competitor. Example, Amazon, right? If I'm Walmart, and I buy this little startup's product, and then AWS picks them up, now what? So the whole AIOps idea is that it's just asking a lot of trust from people who've learned the very hard way, so far in the history of this industry, to trust no one. So, they are facing a problem that they probably need some level of a leap of faith to solve between trusting new technology and trusting new work processes, but it's a big ask.

Black: Regarding AI, would you say people's apprehension is more that it can be a huge headache for them if they take this AI-driven product, and it goes wrong, and less that, 'Oh, I'm really skeptical of this technology because it's going to replace my job.'?

Pariseau: Yeah, I think that whole thing, people have moved past that. People understand that the magnitude, that the complexity and the number of resources that their team, which is not getting any bigger, is being asked to manage, is beyond human capacity. That is true. I don't think anybody has to worry about not having enough work to do. And, I think people are sold on the idea of doing more meaningful work than break fix and responding to help desk tickets and kind of drone work all day. They want to become SREs, they want to work on higher-level problems, which automation, when it works, can absolutely help them with.

I don't want to seem too pessimistic about the automation techs that are out there, because I do know enterprises, mainstream enterprises, including health care companies with lots of compliance to worry about that are putting these things to use. It's just when people talk about this idea of unsupervised AI algorithms, autonomously responding to incidents in your production infrastructure, and letting you know that they're fixed, that's a long way off, not necessarily because the technical capabilities aren't there anywhere, but because people are not going to trust that sight unseen. People are going to really have to test, and they're going to have to take baby steps. They're gonna have to put part of it into production and let a human push the button for a while. And you know, they do eventually get to a point of gradually turning over that control, but it's not something that's going to happen quickly.

Carty: To your point, I've found that people are almost more flippant about AI and automation taking over some of their responsibilities, right? It's like, 'Yes, automate me away, I have enough else to do.' So it's almost having this opposite reaction now, where it's like, 'No, we want this to advance to this next level.' But, speaking of complexity, in this age of cloud-based, distributed apps with microservices and serverless, orchestration with containers -- all of this -- observability is so important now. But it's such a difficult task to try to tackle. How are you seeing [observability] emerge as a topic? And how are people in the industry tackling these kinds of [distributed] apps?

Pariseau: You know, again, in the original vision for Agile and DevOps, fast feedback to developers and observability were part and parcel of the whole thing, but, as with security and value streams, the focus has been on the core pipeline and infrastructure first, and it's expanding out. So, monitoring and observability do tend to follow those initial efforts.

In terms of the vendor space, it's really volatile. You know, CI/CD tools are starting to kind of coalesce into a few large companies. Same with Kubernetes, although that market is still way too overcrowded. But, a few of the big heavyweight vendors and some plucky upstarts are starting to make names for themselves and infrastructure automation and Kubernetes management. But, in terms of AIOps, observability and IT monitoring, it's such a fragmented space. I actually did a story just this week about companies to watch in 2020. The people I talked to about it, we checked off the list of major areas within DevOps, DevSecOps, CI/CD, Infrastructure automation. I did bring up, 'What about AIOps and observability?' I think the best answer I got about that was, 'Ask me this time next year, because I think it's going to take that long for there to be any kind of clear leader in this space, let alone a winner.' You have so many companies coming at it from so many different angles. You have companies that started on the infrastructure side, adding the application side; APM tools that have added the infrastructure side; then you have specialists that come along with every wave of new technology that there is to observe, like serverless right now. Then those get bought up, and they get consolidated. You also still have container security specialists that are now expanding into hosts because they're not getting snapped up by the bigger fish the way that a lot of people thought they would. So there's all this churn, all this volatility, new companies coming to market every day. That same analyst told me that fully half of his briefings at KubeCon were monitoring and observability vendors. I talked to another analyst just today whose whole focus is monitoring and observability tools, who said that there were [about] a dozen companies at [KubeCon] that she'd never heard of. So, it's just so volatile. There are so many different angles, so many different players. It's really hard to know, in terms of market winners and losers, where we will be this time next year.

I think people are starting to embrace the need for automation. They are starting to get to the observability aspect that they have known is on their to-do list for a long time. But that same analyst that saw all those vendors pop up at KubeCon has told me that, in her experience working with enterprise clients, it gets worse before it gets better. [When] you have a proliferation of tools in-house the way we have in the market, confusion reigns, things get more murky and less clear, until a company finally decides to get a strategic hold on everything it has, streamline its tools, find one tool to rule them all, and send the other data sources into that, have that fabled single pane of glass -- which is a term I've hated for a decade. But, you know, start to get a handle on things, start to just whittle things down to what's really important. The process of getting there gets muddier actually, with more data and more observability information before it gets clearer.

Carty: Well, you have quite the background covering emerging markets with your experience with cloud and with containers, and you are our resident container expert.

Pariseau: And I'm on the container beat.

Carty: That's right, and your reporting on the Docker-Mirantis deal was very interesting. Lots of great insight in there. Now that the dust is settled a little bit, how does this look for the container market moving forward?

Pariseau: So it's interesting because that Docker-Mirantis was … inevitable -- I mean, I had been talking to people and hearing speculation about Docker being an acquisition target for quite a while. And I had been hearing rumblings and criticisms of Docker's business strategy since 2016. It's not news that people had questions about Docker's business strategy and where they'd ultimately end up, especially as Kubernetes ate the world. However, I don't think anybody saw Mirantis being the one to acquire them. I've known Mirantis since the early OpenStack days. I've known Boris [Renski, cofounder and CMO] over at Mirantis; I've been running into him at conferences for probably 10 years. That name [Mirantis] would never have crossed my mind [to acquire Docker]. So, it was shocking, but it wasn't. Docker had been sort of on the bubble, as they say, for a while with Docker Enterprise. At the end of 2017, they did concede to Kubernetes essentially and pledged their support for it. But, the problem is that OpenShift has already beaten them to the punch. Cloud Foundry has had the same problem. They got to Kubernetes integration with Kubo in 2017, but OpenShift made that move in 2014, OpenShift version 3. Cloud Foundry and Docker both continued to offer their own orchestrators alongside Kubernetes as a choice, or because they didn't want to just throw away what they'd already done. But Red Hat got in so early with Kubernetes, and so early in the life of OpenShift, that they did just throw away their previous orchestrator and just go whole hog into Kubernetes. That turned out to be the right bet, and they still have the largest market share among enterprises, and they've got a head start. And there were also lots of -- I heard consistently people having technical issues with Docker's Universal Control Plane, that backed Swarm and their Kubernetes implementation under Docker Enterprise, some issues at scale that companies consistently reported. As far as how it's going to affect the market further, I think it's not necessarily good for the market to have it be kind of a Kubernetes monopoly.

Black: Monopolies are never good.

Pariseau: However, it's not a proprietary corporate monopoly. It's a monopoly belonging to an open source platform that is governed in the open. So that's better than it could be. But, it's also, again, it's not really about the container orchestration platform. It's about what people are doing with it. So, for it to be a standardized, agreed-upon component is going to enable a lot of things that have been a long time coming in IT. As an old storage reporter, interoperability is one of the long-standing issues in IT in general. The promise that containers and Kubernetes have for multi-cloud mobility, and for things like cloud bursting, and follow-the-sun, and all these kind of pie-in-the-sky things that companies like VMware were talking about 10 years ago is really great. You do need to have some sort of standardization for that to happen. But it also means that you have a lot of vendors -- I think there are 95 Kubernetes [distributions] that CNCF [Cloud Native Computing Foundation] recognizes now. Name the major IT vendor, they're in the market with a Kubernetes distribution, even HPE [Hewlett Packard Enterprise] just came out with one at KubeCon. [Others include] Cisco, IBM, Red Hat, Pivotal, VMware, which obviously falls under Dell. Then you have Rancher and you have a million, bazillion little startups nobody's heard of. And then if you expand it to things that are like Kubernetes accessories, like service mesh, it's still just a huge universe of really complex technology.

Carty: And that's just over the last year or two.

Black: I was going to say, it sounds like there's more [Kubernetes distributions] than there are cryptocurrencies.

Pariseau: So, maybe a little simplification or standardization is a good thing. But, the idea that this kind of major player in containerization has all but disappeared, at least in the form that we know it, I think it's a sign of how fast this market moves now. I think it's also -- the warning I think here is in the open source and open core business model. Open source is all the rage. One of the things that happened was Docker tried to claw back some of its differentiation into its proprietary product, and they got killed for it -- when they tried to build Docker swarm into Docker Engine. But that also meant that, in the long run, they couldn't figure out how to make money on this technology that they had made ubiquitous. Everybody wants open source, but then what happens when your open source vendor you come to rely on, say for IT automation that is too complex for you to pull back apart and understand as we were talking about, can't make money? So, there's kind of a two-edged sword there, right? To me, Docker took so much funding, they were such a huge force to be reckoned with, even a year ago. To see the rise and fall be so meteoric, it does raise, I think, broader questions about the open source craze and vendor stability that I think enterprises really do need to consider carefully.

Carty: Certainly not what we would have expected four or five years ago, when Docker made containers ubiquitous, as you mentioned. Well, this has been great, a lot of great topics we've been able to discuss, and thanks for joining us here.

Pariseau: Thanks for having me.

Next Steps

How Gantt charts help, hinder DevOps transformation

Cloud Computing
App Architecture