Elastic’s Shay Banon: Why we went beyond our search roots—and stood up to ‘bully’ AWS

The search company has expanded into the APM and security markets and opened a new open source battlefield with the industry’s dominant cloud company, AWS.

Elastic’s Shay Banon: Why we went beyond our search roots—and stood up to ‘bully’ AWS
TotoKita / Getty

Elastic, the software company that offers a range of popular search, logging, security, observability, and analytics products, is either a gold-standard open source success story or an embodiment of the issues of commercial open source, depending on who you speak to.

headshot shay banon 300x300 Elastic

Elastic CEO Shay Banon.

Best known for its open source Elasticsearch, Logstash, and Kibana products—commonly known as the ELK stack—which can be purchased as a managed service called Elastic Cloud, Elastic rode the success of these technologies to a 2018 IPO and a market cap approaching $15 billion as of October 2021. It since has expanded into new markets, including application performance management (APM), observability, and security information event management (SIEM).

Despite this progress, the company has found itself recently embroiled in distracting rows over its open source credentials and a very public licensing fight with the dominant cloud provider, Amazon Web Services (AWS).

InfoWorld sat down with Shay Banon, the Elastic CEO and cofounder, and original author of Elasticsearch. The below conversation has been edited for clarity and brevity.

Elastic’s move into security

InfoWorld: Where are you looking to take Elastic next?

Banon: We started with what we call Enterprise Search. Then we got into logging, the ELK stack, and now security, where we have really made significant investments over the last year. Those are the three main solutions that we focus on, but the power of our platform is still there. If you look at the core of what we do, then digital transformation, moving to the cloud, all of these things result in data increases the likes of which I have never seen before. We at the core believe that the best way to explore that is through search.

I remember five years ago talking about our ability to look around corners and we bought an APM company [Opbeat], and everybody said why the hell are you doing that? Why are you getting into a different product line? Focus on logging; Splunk is not doing that. What we saw was our users trying to make Elastic store APM data, because they wanted to see them together.

This is what is happening in the observability market. I think observability is going to be one of the hottest trends in the market, because I think it’s going to play a bigger and bigger role in security.

The other area is security. We were starting to be used for SIEM, and I know we didn’t invent that; Splunk was already there in moving from logging to security. To be honest, we were a bit slow to get into the SIEM market. We were being used in security use cases, but we were slow to get into the market because we didn’t have any security DNA.

When I got into security, I really didn’t understand why the market is so fragmented. I think a big part of it is top-down selling. It’s not like CISOs aren’t smart, but they’re not practitioners, so you can go in and more easily communicate to them that they need certain protection.

I could see that there was tension between the security team and developers, operations, devops teams. Security didn’t trust them, and it was the same story as before with operators and developers.

This is where I think our biggest opportunity is in the security market. To be one of the companies that brings the trends that caused dev and ops to come together and bring it to security.

InfoWorld: What’s the connective tissue between search and these big trends that you’re seeing in observability and security?

Banon: Two things. The first one is that I think it’s all about data. If you think about the ability to have some level of behavioral, machine learning model that’s running on the endpoint, to protect from malware, you train them on data that comes from a million endpoints, within your data center, on the cloud, or something along those lines. Even if you are running all of these protections, security and the infrastructure are so complicated today that you still want to have a place where you store all of your security data and be able to search it. That’s what threat hunting is: They wake up every morning and search.

We recently bought an endpoint security company [called Endgame] for the same reason that we did the APM part, because it was obvious that this market is going to expand and we have to have people that come in and start to stretch us as a company. After we bought Endgame, people externally, but also internally, were asking why the hell we are getting into endpoint security. I love that, because it forces us to stretch.

[Second,] the other important part has nothing to do with search and that is our foundation in building communities which are free and open—and we say “free and open” because of the open source nonsense—but we are probably one of the largest free and open companies today that plays in the security market.

I think that we can make a big difference in this market because all of our rules are in the open, we are working on open-sourcing our endpoint, which is going to be significant—and we obviously need to do it in a very careful and respectful way to security professionals out there, and to our customers. We’re working on creating communities around it, a bottom-up adoption model within the security market that is not typically done by companies our size. Security is our biggest growing business at Elastic, so I am excited about it.

The open source licensing battle: Elastic vs. AWS

Elastic has been locked in a war of words and eventually litigation with AWS since 2015, after the cloud vendor launched its own managed Elasticsearch service without collaborating with Elastic, the original creator of that software.

Elastic isn’t alone here, with fellow open source company MongoDB switching to a controversial Server Side Public License (SSPL) in 2018 to fend off competition from AWS, and Cloudflare recently announced an object storage product of its own to counteract what it sees as “bonkers” pricing from AWS for moving data to an external source, otherwise known as data egress.

In a January blog post, Banon outlined how the company was changing its license for Elasticsearch from Apache 2.0 to a dual Elastic License and Server Side Public License (SSPL), a change “aimed at preventing companies from taking our Elasticsearch and Kibana products and providing them directly as a service without collaborating with us.” AWS has since renamed its now-forked service as OpenSearch.

InfoWorld: How do you feel about that licensing decision now that the dust has settled?

Banon: At a very high level, our approach—and Cloudflare’s approach and a few other companies’ approach—is similar, which is like if there’s a bully in the schoolyard. I still remember the day that I stood up to them, and eventually we became good friends, but if I didn’t stand up to them, they would not have been a good friend of mine and I probably would have had a more miserable high school experience. At some point you need to stand up and say enough is enough.

We stood up to [AWS] by changing the license. I did not want to change the license. I thought we could build a very successful business without necessarily having to change the license, but it got to a point where I felt like we need to draw a line, because it kept on getting blurred and that blurriness is very exhausting.

Amazon salespeople would sell Amazon Elasticsearch. Is this the Elasticsearch that we all know? Yes. Is this the one that Elastic develops? Yes. The answers are true, but very blurry. We decided to create a firm line and then the fork happened, and I’m so happy, because now it’s a clean slate between us since they finally changed the name.

It’s not only about Elastic by the way, it’s about trying to get AWS to go through the same process that Microsoft went through, and they were not going in that direction.

InfoWorld: OK, but how do you respond to criticisms that you turned your back on your contributors, or that this decision boiled down to AWS making more money from Elasticsearch than Elastic?

Banon: There are definitely people who believe in open source at a level of passion that I will never be able to match, because I believe in communities, I believe in developers and creators—I believe in these core principles; I never believed in an open source license.

We’ve always said at Elastic that if a company can pay us, they should pay us to use the software. At the end of the day, at Elastic, who developed 99% of the code base? Our employees. When we started Elastic, that was one of the clear mission statements of the company: We want to hire the developers, give them a job, because I was there working weekends and nights and it’s just not fair for the developers of open source.

The fact that some people say that we took away the contributions of someone, I struggle a bit with that. I understand where it’s coming from, but I struggle a bit with that statement, for two reasons.

First is that we developed 99%—and yes, every small pull request or contribution matters, and it should—but from a pure open source perspective, we never took it away. If the license is there for AWS to go and take the software and abuse it, then we can change the license. It is open at a level that allows any company to go and do that, and companies have been doing it for a long time. Not just AWS. Elasticsearch powers most of the SIEMs out there, but we don’t see money out of it; they just embed it. Fine. There were startups and cloud services running Elastic as a service, not a problem, but it got to a point with AWS that you had to make a stand.

Our license is very open and very simple. Basically, it just says if you’re going to take the software and provide it as is, as a service, you’re not allowed to do it. You can run it, you can embed it, you can do all of these things very similar to the previous license, but not as a service.

The beauty of open source is that anybody can go download the software and run it themselves. It’s amazing. Then when you develop something, you have direct connections to your users, because they can just go download the software and run it themselves and ask questions. Now, most developers don’t download the software; they run it on cloud, so you just lost the connection that you have as a company with your developers, and that’s what we felt like we were missing. That completely changes the equation of open source.

InfoWorld: Are you able to draw a line under the AWS dispute yet?

Banon: No, not yet. Hopefully in the next five years.

I’m thinking about Elastic and what we do in five to 10 years. My hope is that what we’ve done, what Cloudflare are doing, and having MongoDB and other companies on this journey will help get AWS to take the Microsoft route. What would happen is that you would have a few cloud providers that compete between themselves on the core cloud services, but leave some of the SaaS components and capabilities to others to be built on top of it.

On the other side, my commitment is to run as good of a service on Google Cloud, Microsoft Azure, and AWS.

InfoWorld: Did you get any reaction from the community when you changed the licensing that made you pause for thought?

Banon: Quantitatively, I shouldn’t care. Qualitatively, it’s tough.

People whom I have worked with for years have been upset by this change. I think as you insert time into some of these equations, people will be less upset and they’ll see that we’re still huge contributors to Apache Lucene, and as the new license gets adopted, hopefully that [feeling of upset] will change.

InfoWorld: What else would you like to achieve in that next five to 10 years?

Banon: We have a saying at Elastic, which is to be humble and ambitious. I try to be humble, but I’m also very ambitious. I want the company to grow, I enjoy the company hitting 2,000 people; I can’t wait to hit 3,000 then 5,000 people. I love building communities, I enjoy building companies that have so many employees and still manage to be nice and respectful and distributed. I also want to grow our revenue, our top line, and everything that comes with building a successful business.

From a product perspective, hopefully we’re a company that still maintains what we do today, which is built on a foundation of a very strong search platform. We have enterprise search, we have observability, we have security. Now security and observability are going to slowly start to merge together, which is great for us because it’s the same platform, the same data, everything.

More than anything, I want to build a company that is nimble so that when things happen, we’ll be able to go and react to them, by never giving up on our community and that connection between developers and practitioners.

Copyright © 2021 IDG Communications, Inc.