Kubecon NA is done, the Christmas calendars are open, and my peers and I are starting to think about what the world of cloud native will look like next year.
2024 saw Kubernetes turn 10, and it’s fitting (to me at least!) that when Kubecon EU lands in London early 2025, we will mark 10 years of Jetstack (acquired by Venafi in 2020, and now part of CyberArk).
So with 2024 coming to a close, I thought I’d take a moment to reflect on where we are as a community and where I think the market is going in 2025.
1. Waiting for disruption where we build
Earlier in my career, the platform technologies most of my peer group congregated around were OpenStack, Cloud Foundry and Heroku. I vividly remember someone at an early Kubecon posting a picture of an empty OpenStack booth with a single word: ‘disruption’.
Tech goes in cycles and is constantly re-inventing itself. Given the point of maturity we’ve reached, I keep testing myself on where the disruptors to our ecosystem come from, and how they will impact our industry.
No one has a crystal ball, but I am seeing early movements in a couple of areas:
- On prem AI: A typical customer thought process goes something like “We’re buying GPUs and are nervous about leaking data and IP. What AI stacks come with our hardware vendor, and how do we optimize our hardware for AI use cases for low latency and consuming models locally.” I feel we’ll see this trend strengthen as the real AI budgets start to kick in next year, and the cost of scaling in the cloud starts to be realized.
- Cloud platform services: Vercel is a great example of this. Dev cool kids love Next.js, along with the speed, scale and all-encompassing benefits that come with the platform and how it powers fast development. Whether this disrupts traditional cloud vendors or cloud native as we know it is yet to be seen, but these types of platforms are certainly capturing the imagination in a way serverless failed to. There are a number of web platforms like this designed for AI use cases, which I think will also play into the trend.
Every market gets disrupted, so it’s not a question of if but when. When Kubernetes came along, Linux wasn’t replaced, it just became less visible. I see the same thing happening with K8s as it becomes the ‘operating system of the cloud’, and the enabler for a raft of completely new experiences.
2. Things get worse before they get better with AI and platform engineering
Every new technology paradigm goes through its “trough of disillusionment”, and right now, AI and platform engineering seem to be going through that moment.
If we consider the potential of AI development and platform engineering, two of the biggest trends in cloud native, the promise is that by adopting them we will make our teams 10x more productive. However, recent research from DORA suggests that although individual productivity is getting better as developers use AI for coding, delivery stability and code throughput are actually getting worse.
As if this wasn’t enough, research from Cornell University has also suggested engineers using AI introduce more security holes than they would otherwise and also overestimate their confidence in the code they write.
AI and platform engineering clearly offer major long-term benefits, but the complexity of operationalizing them inside a business is highly challenging and far from being fully resolved. Additionally, we are also opening security challenges we’ve not had to consider before.
So, although I think we’ll get there in the end, it seems clear we’re going to have to figure out how to assimilate these new ways of working into our businesses systematically and securely.
3. Security and platform collide
There was a marked difference between the recent Kubecon and others in the conversations around security. A few of my observations:
- We learned that the Cloud Native Security Con will be combined with Kubecon
- There were many more security focused vendors at the expo
- I met a new class of persona, the ‘Cloud Native Security Architect’
I think CISOs have recognized that cloud native platforms are the future of IT infrastructure and are building new types of teams to ramp up their engagement.
I’ve been heartened by talking to several savvy security people with an engineering focus dead set on making their developers’ lives easier by building security INTO the workflow of their cloud native platforms. This trend is backed up by Puppet’s 2024 state of Platform Engineering survey which suggests that security is now a part of platform engineering from the start.
These security engineers also have the foresight to understand that security at cloud native scale will be challenging and costly. Venafi’s recent survey suggested that the number one challenge they face across compute environments is security inconsistencies between on-premises and public cloud.
What can enterprises do about this? Well, anecdotally I’m seeing security deploy scalable, ‘cloud native friendly’ tooling for platform teams to consume locally and then govern those tools with policies that are managed centrally using existing security products. This trend of managing centrally and deploying locally is helping their engineers move quickly but do it securely. It’s also removing the need to retrofit heavyweight tooling that is not designed for cloud native environments. I’ve personally seen this model work in the case of Venafi’s Firefly workload identity issuer.
Overall, I expect to see a real growth in security roles focused on platform engineering, and I am excited to see how cloud security architects will embrace a spirit of ‘security engineering’ that is different to ‘traditional infosec’.
Conclusion
The pressure on platform engineers and security teams is already intense. An informal poll at Kubecon told me that people feel the effects of a couple of tough economic years. Many people were worried about underinvestment in headcount leading to an inability to offer a good service to internal customers. On top of this, they are finding it hard to keep up with the pace of evolution and suffer from a lack of product management collaboration as they think about ‘platform as product’.
There’s no question that the expectations around AI, platform engineering and security are going to get even more intense next year. Therefore, how to properly operationalize these technologies is something we’re going to have to figure out quickly in 2025 before we start to realize the benefits. If we don’t get this right, we risk internal friction, more security problems, and burning out the teams we rely on to lead us into this new world.