Brian Cook, Director, Kubernetes Platform, DTCC (Depository Trust and Clearing Corporation)

In this KubeCon + CloudNativeCon North America segment, Brian Cook from DTCC joins theCUBE's Rob Strechay and Savannah Peterson to unpack how a zero-touch, GitOps-driven approach is accelerating secure Kubernetes adoption at the heart of global securities processing. Cook describes DTCC's evolution, from a 50-year market infrastructure to a Kubernetes platform built on declarative configs (Helm, Kustomize) and fleet management, where manual changes are prohibited outside labs and config drift is automatically reverted within minutes. He details a structured...
>> Good afternoon nerd fam and welcome back to beautiful Atlanta, Georgia. We're here on day one of KubeCon, CNCF's flagship event in North America. My name's Savannah Peterson. Delighted to be bringing you all the stories from the show floor with the one and only Rob Strechay. Rob, first time on the desk with you today. I'm so excited.
>> Glad to have you in here. I mean, I've been here warming it up for us all morning.
>> Yeah, I guess you have. Thank you. Thank you very much for doing so. I believe this is our seventh or eighth KubeCon together.
>> I think so.
>> That's pretty cool.
>> It's been a while.
>> Yeah.
>> It's been a thing.
>> It has been a thing. Speaking of things, our next guest is definitely a thing. Please welcome Brian. Thank you for being here with us today.
>> Hey, thank you guys for having me here.
>> It is super exciting. You were getting us all warmed up before we went live. I'm really excited to dive into this conversation. But just in case the audience has not heard of DTCC, tell us a little bit about the organization and the role that you play in our financial ecosystem.
>> Sure, happy to. DTCC stands for Depository Trust and Clearing Corporation. So we're at the center of the financial markets for processing securities globally. So with that, take a look at our website. There's some more information on what we do and how much money that we process, as you can see from the stats from the previous years. The company-
>> Spoiler, it's a lot.
>> It's a lot. It's amazing. And then when you take a look at it, the company has about a 50-year history. So you can start to see the timeframes of where we came really small to now we're leveraging one of the fastest growing technologies of Kubernetes. So it's a very fun time.
>> And you described yourself as the heartbeat, right?
>> So as the heartbeat, I started at the company six and a half years ago as the only individual to lead the security inside Kubernetes. How do we protect it? How do we govern it? How do we get that rolling to prove that we are the technology to use? Now that's kind of changed the three and a half years ago. I now lead the entire team. It's a small team, but we move at a high velocity. So my is for this team, we are going to continue to increase velocity. I'm used to doing presentations and security at velocity, which if you know security, they're kind of slow, which is-
>> It's not always the sector I think of as being lightning fast.
>> Well, not just lightning fast, but mostly they're not innovative. So how do you change that dynamic to where you can keep up with your customers and actually show by third parties, we are the platform to use? Nothing better than third-party validation saying, "Eh, we can't really break into you, so we need to figure something else out."
>> That's a great feeling.
>> I think one of the things to maintain that velocity, as I was saying, I was at the infrastructure as code conference last night and one of the things that the platform engineers that I talked to were sitting there racking their brains about, from all different sized companies, like big, small, medium-sized, AI startups, one of the things they were looking at was how they can not only keep their velocity up, but how do they not end up in toil? How do they get to self-service and things of that nature? And I know you have a good story about this and where you've gone and how you're doing this. So why don't we go in there?
>> Very interesting. So I'm the one who, if I do it once, I've done it too much. Manual, not my timeframe. And again, having a security background to say we are going to increase our velocity, give the customers what they need as we talk to them. So we started implementing what we call a zero-touch policy.
>> What does that mean?
>> No changes can be directly made to any environment that's not a lab. So in our lab environment-
>> So no touching?
>> No touch, no touch. Let it run. Let Kubernetes do what it does best. So as part of our zero-touch, we write everything as code, right? So everything is declarative. We use the typical Kubernetes standard. So Helm charts, Kustomize where we need to do overlays. We make it simple. To do this, we actually have, for each one of the three teams that report to me, a very structured training program. So I have what's known as the engineering, so the platform engineers are responsible for build and maintenance, rolling out new capabilities. Now we go into what we call the service integration team. They are the developer focused, how to leverage the technology, how to fill out this form. You automatically get your deployment instructions, 90% completed.
>> Wow.
>> And believe it or not, that's all done through GitOps. We don't want customers to have to figure this out. We are the experts. Let us make your life easier. And here's the shocker, I had this when I was at KubeCon last year. I actually have my own dedicated governance and security team outside of a traditional cybersecurity team. And all they focus on is policies and security for Kubernetes. They plan all the testing, war games, they deal that, and they tell no one what's happening.
>> So you're doing all of the tabletops and all of the actual chaos in invoking stuff?
>> So we haven't gotten to tabletops yet.
>> Okay.
>> We're talking actual get somebody and break it.
>> Okay.
>> Luckily, we haven't broken it yet. Now, it's nice that you speak about this. So this is one of the things I think there's a little bit lacking as we talk in the industry, as we talk in organizations, is I'm now pushing what I call permanent chaos. Things just happen. So you've got performance clusters, you've got applications running. Everything should just be randomized, just knock things all over the place. Knock nodes off, knock pods all over the place. Get it to run, show the stabilization, show what happens. Do you have proper recovery? If not, you know where to focus on, make it difficult for that chaos team.
>> I love that you're embracing permanent chaos, I feel like, especially with Kubernetes. And the conversation is still here, it's often been about decreasing complexity, trying to make things easier because it can be complex. And I love how you're just like, we're just going to live in a state of permanent chaos. So talk to me a little bit, I'm very curious about what you said a second ago, when you're shifting the mindset of a security community, and you are obviously at the helm of that team, what are the cultural steps and things that you've done to be able to foster this type of agility and velocity?
>> So we have a second level risk management control team.
>> Okay.
>> So when I started, the first thing... And happily, they're right below where I work. So every weekday, "Hey guys, how are you doing? What's going on? Here's what my response is, tell me what you guys are doing." And it just so happens like me... And I just want to say happy Veterans Day today.
>> Yes.
>> Indeed.
>> So like me, the two folks I work with in risk management are also veterans. So we go through, and with that rapport, what are you guys looking for? What do you want? What if I just told you, "Here's all the security controls for the organization. This is how I'm going to meet them. Here's what we're doing. There you go. Would you like to have further information of what I want to do before we even enact it?" So changing the minds, get them part of it, let them see it, and actually do some of their work for them. It's a lot up front, but now that work has evened out and the way that we can achieve a velocity of approvals is unheard of. So now we're changing it and it's just my security team now, wonderful guy, brought him over from the risk team, used to actually sit next to these guys. His name is Todd DuPriest, he now does everything. I provide him guidance. He's worked for me the past few years. And here's the wonderful thing. He started two years ago with no Kubernetes knowledge. He's now on a training path, learning more about that, working with various-
>> How about that?
>> ... our vendor that we have with the security technology, leveraging and learning more about the admission controller, which I personally think is underutilized to prevent a lot of things. And he drives innovation in that security side with the individual he's got today. So Ryan does a lot of our network policies. How do we do it? How do we codify it? Because that's all GitOps. Again, no touch on the platform. And the wonderful thing is we have one guy who is a veteran, or actually let me take a step back. Our one security guy is actually deployed right now because he's in the Naval Reserve.
>> Oh, no.
>> Wow.
>> So when he comes back, he actually fills out. And so when Matt comes back, we're looking forward to the fun times that we're going to have back as he goes through and really ramps up, because he's a developer by heart. So now we have somebody with a risk mind, somebody who is a security or platform-focused originally, and now we have a developer. So that's how we look at the mindset and we start building an ecosystem of different talent, and that's how we now further increase the velocity beyond what I could do.
>> So what technologies are you leveraging to build out this stack, to make it easy for these others to come in and use the platform?
>> So I've got to be careful with certain vendors that I say. So we do use a specific vendor for our Kubernetes stack. So we do fleet management, which to me is critical. So as we write all the configuration files for a cluster build, it goes into a repository. As soon as it's approved, we start to push out the cluster builds. That is our direction moving forward that the team is working on. Today, it's a very simple one-line command that we run that does that, but we're looking to get that all through the zero-touch through GitOps. Wonderful place to do it. Golden source of truth. The benefit we get is somebody makes a manual change, it doesn't match the golden source, it's automatically reverted within 15 minutes.
>> So there's no drift. It's doing basically drift detection and keeping it? Yeah.
>> All sorts. All sorts. And the best part is we're not learning new stuff, we're just learning the way to adapt what we have. Use the best piece that we have, the best technology we have is our brains. So how do we make it easy for us, our customers? Let's face it, Kubernetes is difficult. Security is even more difficult than Kubernetes, but we need to translate that and make that as easy as possible.
>> Right. I was going to say, you talked about being able to talk to risk management and talk to the security folks and managing risk. A lot of people, you go around and you see some of the booths here, it's all about CVEs and stuff like that. How do you see the balance between risk and CVEs, and how you're automating that as well?
>> Ah. So the interesting point is when we look at that, by immediate, when somebody says, "You have a lot of CVEs," okay, where do you want me to focus? What's the worst of the worst? We don't have infinite resources. So where is the worst that I need to focus on? So as I look at that, does the CVE have an exploit? In Kubernetes, can I reach it outside the cluster? If I can't reach it, does that adjust the risk lower? I don't store data, so does that adjust the risk one way or the other? So that's where we have to start shifting the mind frame. And as I talk to other vendors in the Kubernetes security space, what I go is, "Hey, I want to see a FICO score, a risk score," just like a credit card. But I look at it more as a reverse. The higher the number, the worse we are. So show me what the cluster looks like. And then for every application we deploy, show me what that application's own risk score is. Because the application teams will look at it and go, why are you lower than me? So now it's kind of a healthy little competition.
>> Oh yeah.
>> So I kind of like that. So hey... And then when you get into that, now you start to look at, do we want to do an award session for, here's the application team that has managed their risk the most as we have defined it. So our risk champion is this.
>> And they can celebrate that. Oh, smart. Yeah, yeah.
>> Post it, make it known.
>> Yeah.
>> Here's what they did, put their story into the corporate newsletter. Let everyone see it. Because we're managing the risk, let the business run. As we talk financial, it's all about risk. CVE numbers are going to continue to increase, but where do we focus? That's the key to make sure things are at an acceptable level.
>> There's a lot of little details there, but what I love that you've highlighted throughout the entire course of this interview is the psychology behind all of it. Whether that's elevating the team, elevating these risk champions, whatever that might be. Let's talk a little bit about governance and guardrails, policy as code. Tell me all about it.
>> So this is what I really enjoy as we've started. And for some people, this may not be a new concept. However, in our own repository, everything has to be code. So what encryption do we want to use? What is the separation for namespaces, right? So as we talked about network policies, even egress policies, it's all defined as code. It goes through checks and it's a GitOps process that rolls it out across the board. So now, as we have that, we look at our fleet management and we then put policy into that going, "Anything that doesn't have an egress, here's a default policy automatically enacted." So until the application teams update their own policies, their egress, where they need to talk to outside the cluster, it doesn't happen. So now they take some ownership of, how do they maintain the risk? We provide the flow to make it easy for them. So we have enhancements coming on the way to make it even easier to where here's a text file, one entry per line. We'll take care of the rest, reformat it behind the scenes, and just make it as a vapor into the platform.
>> That's pretty cool. It makes a lot of sense. And especially in a world where trust is absolutely imperative, this has got to be one of the bumpers on the bowling lane that gives people confidence.
>> It is. And one of the things that... It's nice that you speak about trust, right?
>> Yeah.
>> So as we work with them, how do we digitally sign now? Because we go from zero touch to now we go into a zero trust security model. How do we digitally sign? How do we manage their certificate rotation? Application teams shouldn't have to worry about this. So taking that off their hands on having that 100% automated for them, now what you get is application teams that see your value, they talk to other teams. This now becomes what I call security sells your product. It's proven. You show what the key risk indicators are and what I like to call, and I haven't heard anyone say this yet, but what I like to call key governance indicators. Are we and what percentage of the policies do we meet, and how is that automatically remediated? Nobody should have to do this stuff, automatically. Write the code, test it, let it all be natural.
>> Yeah, I think it's a really good point, Brian. This is awesome. All right, so you've been a fantastic guest on the show so far today. I have one final question for you. When we are sitting at KubeCon in 2026, what do you hope?
>> Salt Lake.
>> It is Salt Lake. We're going back.
>> We're going back to Salt Lake.
>> How fun. Okay, great. I was actually wondering-
>> So cold again and snow, but-
>> Yeah, we had snow last time. That was kind of nice. Yes. When we're there, or in Amsterdam even, in the spring, what do you hope to be able to say then that you can't yet say today?
>> So what I hope to be able to say, and if everything works out for 2026, I hope to say I'm a speaker.
>> Oh yeah. Love this for you. Yeah.
>> So I did speak at Red Hat OS Commons yesterday about GitOps, the value it provides for customers and security. And now I'm hoping to expand and really show people security is not just, oh, it's something that we think is painful.
>> Yeah.
>> But if we look at it the right way as code, you actually achieve more because now you're changing the hearts and the minds. Why worry about it? It just happens.
>> Well, I love that. CNCF, I hope you all are listening to that. We would love to see Brian on the stage in Amsterdam or Salt Lake next year. It's very exciting. Thank you so much for being on the show with us today.
>> Thank you guys for having me.
>> Yes, it's been a pleasure. And thank you, Rob. Great to be back-
>> Thank you.
>> ... on the desk with you. And thank all of you for tuning in to our continuous three days of coverage here from Atlanta, Georgia at KubeCon. My name's Savannah Peterson. You're watching theCUBE, the leading source for enterprise tech news.