
Episode 2: Geek Out with Brandon Gulla - Part 2: Transitioning with Security

Welcome to the second episode of our new podcast, Geek Out. Pete Tseronis, our host, continues his conversation with Brandon Gulla, Chief Technology Officer at Rancher Government, about how Kubernetes, cloud computing, cybersecurity, containers, and distribution are vital to providing a secure solution for the federal government computing needs.


Transcript: Episode 2 - Geek Out with Brandon Gulla
Part 2: Transitioning with Security

Pete Tseronis:

Hi, this is Pete Tseronis with Part 2 of my outstanding and important conversation with Brandon Gulla, Chief Technology Officer at Rancher Government. In Part 1, Brandon explained what it takes to move the needle in government, how to pick the right solution, or more importantly, complement that solution with those investments that our federal government makes every day of the week. We discussed how Kubernetes, cloud computing, cybersecurity, containers, distribution, all these terms that are associated in the wonderful world of open source, really are not that complicated. Today we go deeper as Brandon explains what it takes to transition from a legacy solution – and why it matters.

Let me riff on that for a minute because I thought I heard, which was awesome and cool, is if you're living in some infrastructure that you can't take down and say, "Now, we got to do this migration to this new Kubernetes framework," in the spirit of it's never easy, is there something over time in your continuous evolving roadmap for excellence at Rancher Government saying, "Hey, transitioning from maybe your legacy to a Rancher solution, how challenging is it? Is it days, weeks, months?"

Brandon Gulla:

Yes, great question. The answer is it depends. We provide the tooling that unlocks the capability. Of course, when it comes to government IT modernization, the challenge is always evolving the workforce and getting them smarter and adapting to the new technologies. We believe in lowering that barrier of entry and making it as consumable as possible.

I mean, I know that's why I'm here at Rancher because I saw that low path to adoption and the low path to being performant, right? You put the whole thing on training wheels, but little do you know, you have a rocket in the back of that bike. What we want to do is lower that barrier of entry.

Now, you mentioned the modernization aspect. I think it's important, your situation was what if you want a future-proof, you want to look down the road, I also believe in looking backwards as well. I'll give you an example. Here, at Rancher, our Kubernetes distributions support the most common server architecture today, which is known as AMD64 or x86-64.

That's what your server is running, what your traditional Windows laptop is running, but now, we're seeing where the advancement of ARM technologies and ARM architectures have unlocked a new paradigm in lightweight single board computers or maybe low power or low heat type of architectures. We've seen where within the US Navy, they're not running out of space on vessels, they're running out of power.

What are they doing? They're ripping out all their server architecture of the AMD64, and they're bringing in ARM64 chipsets, which is huge, but many of the evolving providers out there don't support ARM64 yet. We do and we SLA it. We believe in looking towards the future, but just while we're looking forward, looking towards the future with ARM64, we've recently added first grade support to IBM Z, which is the old supercomputer operating system.

It's important to not lose sight of our people and those who are running in these legacy conditions. We need to pull them with us and be advocates for their cloud native journey, not leave them in the dust.

Pete Tseronis:

I like the idea of conveying that it's a whole of government approach when whether it's the administration or The Hill pushes out or we have to become a more secure government to protect, but we can't eliminate forever. We try to, I like the word mitigate that risk and putting in the security. I like the idea of what you just addressed, which is, hey, we're part of that solution, but we still need to understand people say, what keeps you up at night. It's what problems are you trying to solve.

I look at seekers and solvers as, you're seeking as much out of customer that could have their issues, challenges solved with a solution like yours in partnership with that investment and legacy will always be there, but we're skilling, retaining and recruiting federal employees who sometimes have that fear of, hey, they're bringing in all these contractors and tools. You're also providing them with easier ways to determine through dashboards and things, the health and hygiene of that network and that infrastructure. Is that fair, because it benefits...

Also, for my other favorite word in a world where we live, where critical infrastructure is at risk, you mentioned warfighter, water, treatment facilities. I think of our air that we breathe in, the food, resilience matters and speed and flexibility matters. Thank you for that.

Let's jump in though to an awesome story. I know it was abbreviated. Folks, go look at his profile on LinkedIn. You'll be pretty impressed. Brandon, I look up Rancher and I'll get a hit on SUSE. I look up Rancher Government, and I may get something that says government solutions. Can you just kind of speak to just high level that relationship and at the end of the day, just to maybe demystify any confusion that's out there?

Brandon Gulla:

It absolutely is. I'm actually going to twist your question a little bit. Let's think about environmental factors. We all know what's happened since 2020 with the great resignation and people wanting to work remotely. Working remotely and highly sensitive government agencies don't always get along.

What we've seen is where organizations want to develop maybe remotely, whether it's on the low side or the public internet, and find a way to be able to push that work into a high side or classified environment. How do you do that effectively? How can someone write an application in a coffee shop and have that affect mission?

Where we've come in through great partnerships with US Air Force Platform One, Kessel Run, and other types of organizations like software factories, is we provide the idempotent infrastructure that exists across government classifications or government networks, allowing our customers to focus on that end application and we'll be the abstraction layer between the different infrastructures.

We're promoting this mentality of Kubernetes and cloud native everywhere, but without friction and that includes taking that operator or that developer and allowing them to take on-the-job training at home, or maybe do their development in a coffee shop. We're commoditizing that distributed computing layer and allowing the IT modernization efforts of these independent agencies to meet us halfway and to lower that barrier of entry to make sure they're performant.

Pete Tseronis:

Wonderful. Let's take a pivot now because as we kind of get towards the future state and vision being the thought leader that you are, I do want to hit on something for the audience.

At the risk of Brandon and I diving into each of these, what I liked as we prepared for this, is your ability to say, "Pete, we could talk open source and low code, no code and cloud computing and FedRAMP," but for the audience, if I may, Brandon, feel free to say one of these or two of these really resonate with you when you're giving that, "Hey, we're selling you a tool, or we're helping solve problems, because it says right here in the guidance to the agencies, this is what thou shall do."

For everybody, if you didn't know, November was critical infrastructure, security and resilience month. Anybody who reads that proclamation will see words like everybody in the United States or the American people rely on resilient and secure infrastructure check. It sounds like Rancher does that pretty darn well.

The National Cybersecurity Pillar one, defending critical infrastructure. Brandon talked about essential services and enabling that public-private collaboration. Not a bad read, the National Cybersecurity Strategy folks. I like that OMB Memorandum 23-18, which talks about fiscal year '25 budget priorities, mentions Federal Zero Trust and Secure by Design, and while I can list this, that and the other, there's a couple that the cloud security technical reference architecture, DevSecOps, M-22-09, modern technology and security practices.

That was my riffing on, you at Rancher understand these pieces of legislation and policy and guidance are constantly coming up, but there is a thread, cloud, open source, Secure by Design, is there one or two of these? Of course, Executive Order 14028 really hit on that, which one do you find is like a bedrock for your value proposition to federal agencies?

Brandon Gulla:

I think there's two. You asked me to give you two. I'm going to give you tw

Pete Tseronis:

Give me five, but I know there's more than one or two, but buddy, anyone that you feel helps convey your value.

Brandon Gulla: No, I missed one. I forgot.
Pete Tseronis: Yes, because I had a fourth. You should probably add before you get to that one, what was that last one? I wrote it down and I can't even read my writing, but go to the third. Go to the third.
Brandon Gulla: No, the third is definitely iterative.
Pete Tseronis: Iterative, yes.
Brandon Gulla:

It starts off, you mentioned it, Secure by Design also thrown in that bucket is Secure by Default. This is something that CISA has been putting out a lot of guidance about and some white papers, and it's singing the tune of my heart because that's everything that we've tried to do here at Rancher Government.

Back in 2020, we unveiled our latest distribution of Kubernetes that was then called RKE Government, a Rancher Kubernetes Engine Government, because we took the best in class Kubernetes distribution and then wrapped it in body armor. Kubernetes itself and other cloud native technology ship by default with a bunch of security knobs, but they're all cranked down to zero.

We go in and we actually crank them all up to 11 by default and ship that so it ships in a hardened state. So often we see in technologies today the concept of a hardening guide, right? We'll ship it to you and it will be insecure, and it's your responsibility to go in and make it secure for your environment.

CISA put out something that really resonated with me, and they said, "Hey, how about no more hardening guides? Let's ship in a secure state and provide loosening guides to loosen that security if it makes sense for your organization, but by default, we should promote best practices and best practice security models for our customers."

We love that. We believe that security and those day two types of decisions should not be the responsibility of the end operator. Sure, they should be able to modify them at will, but we want to promote the concept of Secure by Default and move that responsibility left to the vendor. Us, being a vendor, and other vendors out there, we have a responsibility to bake in those security best practices in a proactive state, not leave it to the reactive responsibility of a customer.

Pete Tseronis:

Man, I love that, and shout out to you for being willing to say, we aren't going to sit back, but we're going to recommend and suggest and then put it back on someone to say, "Maybe I need to learn a bit more, because I know this is a turnkey situation." Hey, really quickly, the Kubernetes Hardening Guide, were you referring to that? Was that the CISA document?

Brandon Gulla:

Well, that's one of the corpus of documents that are out there that's really turning the needle here. Back, I believe 18 months ago, the NSA and MITRE put out a Kubernetes Hardening Guide that is speaking to the best practices of launching Kubernetes in these cloud native environments.

We were actually proud enough to sit back and we did a cross matrix of all the best practices laid out there versus our Secure by Default implementations with RKE2 or now called RKE2, formerly called RKE Government and we unlocked a lot of those capabilities by default. I think that that speaks to what we've done historically, but what the rest of the vendors in the community can do to move that responsibility left.

Pete Tseronis: I love it. I love it.
Brandon Gulla: Pete, Pete, if I can, if I can.
Pete Tseronis: Yes, yes.
Brandon Gulla: You asked me for two, I gave you one, right?
Pete Tseronis: Okay.
Brandon Gulla:

I think Secure by Design, Secure by Default is the proactive way that we can help our customers. The reactive and where it kind of falls into the customer's lap or responsibility is where Zero Trust comes in. Zero Trust is a very hot buzzword, which means different things to different people, but in reality, it goes back to that word that I mentioned earlier, and that's iterative, right?

Security, nothing can ever be fully secure. You have to continue to iterate and build on top of your security model. Zero Trust has this concept that it's denied by default, and they have to prove their worthiness to run on your compute platform, that starts in the data center or at the operating system, even underneath the operating system with something like a TPM or Trusted Platform Module support, validating the supply chain integrity of the hardware running on your server.

There's different layers there, but I want you to think of it as a layer cake or as some of my colleagues like to call it burrito, because good security is iterative. It stacks on top of each other, and there's not just one Zero Trust solution that checks every single box, but you have to take an iterative approach to have a collective, robust ecosystem of Zero Trust assurance.

Where we come in, certainly from the proactive side with Rancher Carbide, we also have a security platform container, native security platform in-house called NeuVector, which does all your scanning, but not just scanning, but behavior anomaly detection, web application firewalls, but it's more of that reactive, continuous monitoring play to build in that Zero Trust approach.

I say all that because you asked me to pick two, proactive, being all things with Secure by Design. Then, you've got your application stack in the middle, and then the other side of that is reactive, and that's where Zero Trust can really come in and fortify all your assurances to ensure that you're delivering mission capabilities that are secure, but in a way that scales and makes sense for that organization.

Pete Tseronis:

That's great. Maybe you should come up with some new acronym of SBD at Rancher, Secure by Design and Default. I liked it, and the proactive, reactive continuous modernization improvement. I want to close this part out with saying again, folks, everybody and their brother since 2021 has looked at Executive 14028 as a foundational document. I encourage everybody in the audience to reread just the first couple pages because a lot of what Brandon talked about is right there in plain English for the average person to understand.

IT is about data and cloud and information processing. Operational technology is that vital machinery that underpins the American way of life, the water we drink, the warfighter, the food and agriculture sector. Think about those sectors when you think about how Rancher Government understands the ultimate mission in our country.

Kudos to you and for tracking a lot of this, but again, Executive Order 14028, which says, and I quote, "Ensure and attest to the extent practicable to the integrity and provenance of open source software," doesn't get any better than that.

Brandon, thanks again. I know we didn't hit on all the solutions, NeuVector, RKE2, MCM, Rancher MCM, that is Longhorn, k3s, Harvester, SUSE, Linux. Folks, that's the homework you have. Go see about the wonderful capabilities. We could speak hours on that and the benefits of Kubernetes, but appreciate you, Brandon, addressing that.

You mentioned continuous improvement. I always like to close out some of these thought leadership discussions with, we're here in a new fiscal year '24. What are you excited about leading up over the coming months and just the living, breathing roadmap of Rancher Government? Are there some things you can put out there that's not a trade secret that you're pretty jazzed about?

Brandon Gulla:

Yes, absolutely. We've seen where the opportunity of choice has now provided itself to the US government and their customers when it comes to cloud. All things cloud are still very exciting to those within the US government, but we're seeing this rapid adoption of all things edge. Edge is another subjective term that means something different to each organization, but to me, edge is commoditizing the compute away from the data center and providing that low latency, all the benefits of cloud, no matter where the mission is.

We have customers today taking our stack with great OEMs and being able to take everything that they know and love, the resiliency, the high availability, the disaster recovery that the cloud provides, and bringing that in-house, no matter if it's at a forward operating base or a Humvee, they're bringing the compute with them and they're not sacrificing mission opportunity because of infrastructure availability.

We're putting out some very innovative solutions around hyperconverged infrastructure, edge computing, virtualization that really brings these technologies with the warfighter no matter where the mission takes them, but in a way that builds in these Zero Trust models and deny by default, because as you extend away from the cloud or the data center, all those things like the wrought iron fences and the barbed wire guardings, those aren't there.

You have to adopt a compromise by default and a Zero Trust model at the tactical edge as well. It's a very hard problem to solve, but it's one that we're honored to be a player in and help support the mission.

Pete Tseronis:

Well, you clearly are canvassing the public sector as a company, and again, the relationship with SUSE and then with the commercial side of your company, I think, it's just phenomenal. Thank you for helping convey that story and weaving a tapestry of how complex it could be, but at the same time, doesn't have to be. Clearly, your intellect and your ability to convey value proposition, for me, even, I know we chatted Brandon, it was super helpful.

I hope the audience isn't worried about getting tested, but yes, words like Kubernetes clusters, cloud native containers, orchestration, abstraction, pods, operational technology, folks, you got to understand that, and I'm speaking to my government buyers. When you sit down with somebody like Brandon, ask the tough question or more importantly, allow him to convey how he feels or whoever's representing that they can meet the mission of the government.

With that, I always like finishing with some parting shots or a shot, quick and dirty, what did you take away from this, Brandon, given that you're speaking to a million people globally, you brought up this edge compute future state, which by the way, I love because the world is connected, and folks, again, think about everything in your life that you rely on, securing that requires something in there that has open source focus, and Rancher does that. Brandon, what came out of this conversation? If you can leave an imprint on our audience, what would that be?

Brandon Gulla:

I mean, while we're speaking to the US government market and customer set, it's important to note that good security and good compliance can benefit every organization. No matter if you run an accounting team or a small website or a shop somewhere, the best practices of the US government when it comes to security and compliance, those can be adopted even in someone's home lab for proper security and IT assurance.

Don't think that just because we're talking about weapon systems and U-2 spy planes, that doesn't mean that your organization cannot benefit from Secure by Design, Secure by Default, best practices, and building that strategy into your organization from day one.

Pete Tseronis:

Slam dunk, buddy. I appreciate you, always have. I look forward to talking with you again. For the audience, if you don't know who he is, look him up. Look up Rancher. We talked today about who these people are. They humanize technology so you can understand it and the effect that it's having on our nation's future state infrastructure. Shout out to you and the Rancher Government family. Brandon, great talking with you.

Brandon Gulla:

Thanks, Pete. Let's do this again.