Welcome!

Microservices Expo Authors: Pat Romanski, Liz McMillan, Simon Hill, Madhavan Krishnan, VP, Cloud Solutions, Virtusa, John Rauser

Related Topics: Cloud Security

Cloud Security: Article

Focus on Cyber-Crime Misses Real Threat

Vendors hyping cyber-crime missing potential for state sponsored threats

Security Journal on Ulitzer

Thanks to tough economic times and a generous dollop of fear-mongering from the media and opportunistic profiteers, we've all become myopically obsessed with cyber-crime.

This is not entirely a bad thing. Unless you've been living under a rock, everyone knows that technology has created unimaginable opportunity for resourceful crooks. The pitfall is in our myopia. But we've become so obsessed with cyber-crime-a "petty" offense in the grand scheme of things-that we've overlooked the bigger picture. While monetary gains are certainly a big motivator for cybercrime, increasingly cyber-criminals are acting out of political interests. Thus, it is important for IT departments to be aware that threats can come from anywhere.

A recent article in the New York Times reminded us of a conspicuously under-reported digital security threat: cyber-terrorism. Dennis Blair, the Director of National Intelligence, made the following comment in an appearance before the U.S. Congress:

"Malicious cyberactivity is occurring on an unprecedented scale with extraordinary sophistication."

U.S. Secretary of State Hillary Clinton also recently shed light on the critical nature of this global issue when she urged NATO members to modernize and strengthen their alliance to combat cyber-terrorism.

These are important reminders that all cyber-threats are not strictly for money and are certainly not all commercial. In fact, there is good reason to believe that the largest increase in systems security vulnerabilities will occur as a result of political, not criminal, activity.

Politics in this context can be defined as the creation, distribution, and maintenance of power across some group of people. On the Web, as we have seen with the alleged Chinese attacks on Google, the struggle is over the power of information.

The point is that politically motivated attacks are fundamentally different. Governments, even small ones, have vastly more resources than your average "cyber-criminal", who may actually some script-kiddie in a basement in Wisconsin. The Google attack was on a huge scale, and also highly coordinated, and was executed with, dare I say it, "military" precision.

This new brand of digital threat takes advantage of a weakness in the hierarchy of law. Most of what we're exposed to is either civil law (like lawsuits, generally) or criminal law (the kind we need police to enforce). This new form of atatck however, runs up against international law. While I am not a lawyer, the principal issues with international law are that it is both ill-defined and expensive (or impossible) to enforce.

The threat is real, and the threat is growing. Companies, organizations and governments need to be aware of commercial AND political threats to their critical digital infrastructure.

The increased nature of the geopolitical cyber-threat says something about the current, often hysterical, narrative floating around the industry about "cyber-crime". I have to admit, "cyber-crime" is getting some traction in the media, as a cyber-crime story even appeared on NPR's Fresh Air show.

Playing on the hysteria in the media, a number of competitors in our market, the Log Management space, are shamelessly hyping the dangers of cyber-crime to degrees that border on the irresponsible. Yes, it is true that we need to be aware of hackers who want to steal our data-either for monetary or political reasons. But despite what a vendor may tell you, true systems security is reliant on people, products and processes; it's not just about one single product that will magically solve all the world's security problems.

The fact of the matter is that bad things happen. You will be hacked. You may have already been hacked and not know it. A rational organization will do three things.

First, put up the best defenses you can. Make sure that you are putting the resources you already have, such as log files, to the best possible use. Start with the basics, like log management, before moving on to supplemental technologies like SIEM. Do your research and buy the best security products that suit your needs and your budget.

Second, implement the best people-processes you can. Recent studies have shown that most data-loss or security-break incidents come from people who are or have been on the inside.

Finally, you will be hacked. Accept the fact and prepare of it. Be ready to clean up and perform forensics when you do get hacked, because one way or another, it will happen.

The number and kinds of attacks on your critical IT infrastructure are increasing. While you may see attacks from one vector decrease, the number of new attack vectors in increasing. Attention by the US Government, and the Google attack from China clearly reinforce this. We must all remain vigilant, now more than ever.

More Stories By Bill Roth

Bill Roth is a Silicon Valley veteran with over 20 years in the industry. He has played numerous product marketing, product management and engineering roles at companies like BEA, Sun, Morgan Stanley, and EBay Enterprise. He was recently named one of the World's 30 Most Influential Cloud Bloggers.

@MicroservicesExpo Stories
High-velocity engineering teams are applying not only continuous delivery processes, but also lessons in experimentation from established leaders like Amazon, Netflix, and Facebook. These companies have made experimentation a foundation for their release processes, allowing them to try out major feature releases and redesigns within smaller groups before making them broadly available. In his session at 21st Cloud Expo, Brian Lucas, Senior Staff Engineer at Optimizely, discussed how by using ne...
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
While some developers care passionately about how data centers and clouds are architected, for most, it is only the end result that matters. To the majority of companies, technology exists to solve a business problem, and only delivers value when it is solving that problem. 2017 brings the mainstream adoption of containers for production workloads. In his session at 21st Cloud Expo, Ben McCormack, VP of Operations at Evernote, discussed how data centers of the future will be managed, how the p...
Cavirin Systems has just announced C2, a SaaS offering designed to bring continuous security assessment and remediation to hybrid environments, containers, and data centers. Cavirin C2 is deployed within Amazon Web Services (AWS) and features a flexible licensing model for easy scalability and clear pay-as-you-go pricing. Although native to AWS, it also supports assessment and remediation of virtual or container instances within Microsoft Azure, Google Cloud Platform (GCP), or on-premise. By dr...
The cloud revolution in enterprises has very clearly crossed the phase of proof-of-concepts into a truly mainstream adoption. One of most popular enterprise-wide initiatives currently going on are “cloud migration” programs of some kind or another. Finding business value for these programs is not hard to fathom – they include hyperelasticity in infrastructure consumption, subscription based models, and agility derived from rapid speed of deployment of applications. These factors will continue to...
While we understand Agile as a means to accelerate innovation, manage uncertainty and cope with ambiguity, many are inclined to think that it conflicts with the objectives of traditional engineering projects, such as building a highway, skyscraper or power plant. These are plan-driven and predictive projects that seek to avoid any uncertainty. This type of thinking, however, is short-sighted. Agile approaches are valuable in controlling uncertainty because they constrain the complexity that ste...
identify the sources of event storms and performance anomalies will require automated, real-time root-cause analysis. I think Enterprise Management Associates said it well: “The data and metrics collected at instrumentation points across the application ecosystem are essential to performance monitoring and root cause analysis. However, analytics capable of transforming data and metrics into an application-focused report or dashboards are what separates actual application monitoring from relat...
"This all sounds great. But it's just not realistic." This is what a group of five senior IT executives told me during a workshop I held not long ago. We were working through an exercise on the organizational characteristics necessary to successfully execute a digital transformation, and the group was doing their ‘readout.' The executives loved everything we discussed and agreed that if such an environment existed, it would make transformation much easier. They just didn't believe it was reali...
"Codigm is based on the cloud and we are here to explore marketing opportunities in America. Our mission is to make an ecosystem of the SW environment that anyone can understand, learn, teach, and develop the SW on the cloud," explained Sung Tae Ryu, CEO of Codigm, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Many enterprise and government IT organizations are realizing the benefits of cloud computing by extending IT delivery and management processes across private and public cloud services. But they are often challenged with balancing the need for centralized cloud governance without stifling user-driven innovation. This strategy requires an approach that fundamentally reshapes how IT is delivered today, shifting the focus from infrastructure to services aggregation, and mixing and matching the bes...
"CA has been doing a lot of things in the area of DevOps. Now we have a complete set of tool sets in order to enable customers to go all the way from planning to development to testing down to release into the operations," explained Aruna Ravichandran, Vice President of Global Marketing and Strategy at CA Technologies, in this SYS-CON.tv interview at DevOps Summit at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
DevOps promotes continuous improvement through a culture of collaboration. But in real terms, how do you: Integrate activities across diverse teams and services? Make objective decisions with system-wide visibility? Use feedback loops to enable learning and improvement? With technology insights and real-world examples, in his general session at @DevOpsSummit, at 21st Cloud Expo, Andi Mann, Chief Technology Advocate at Splunk, explored how leading organizations use data-driven DevOps to close th...
We just came off of a review of a product that handles both containers and virtual machines in the same interface. Under the covers, implementation of containers defaults to LXC, though recently Docker support was added. When reading online, or searching for information, increasingly we see “Container Management” products listed as competitors to Docker, when in reality things like Rocket, LXC/LXD, and Virtualization are Dockers competitors. After doing some looking around, we have decided tha...
The nature of test environments is inherently temporary—you set up an environment, run through an automated test suite, and then tear down the environment. If you can reduce the cycle time for this process down to hours or minutes, then you may be able to cut your test environment budgets considerably. The impact of cloud adoption on test environments is a valuable advancement in both cost savings and agility. The on-demand model takes advantage of public cloud APIs requiring only payment for t...
DevOps teams have more on their plate than ever. As infrastructure needs grow, so does the time required to ensure that everything's running smoothly. This makes automation crucial - especially in the server and network monitoring world. Server monitoring tools can save teams time by automating server management and providing real-time performance updates. As budgets reset for the New Year, there is no better time to implement a new server monitoring tool (or re-evaluate your current solution)....
The benefits of automation are well documented; it increases productivity, cuts cost and minimizes errors. It eliminates repetitive manual tasks, freeing us up to be more innovative. By that logic, surely, we should automate everything possible, right? So, is attempting to automate everything a sensible - even feasible - goal? In a word: no. Consider this your short guide as to what to automate and what not to automate.
"We are an integrator of carrier ethernet and bandwidth to get people to connect to the cloud, to the SaaS providers, and the IaaS providers all on ethernet," explained Paul Mako, CEO & CTO of Massive Networks, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
From our perspective as consumers, perhaps the best thing about digital transformation is how consumerization is making technology so much easier to use. Sure, our television remote controls still have too many buttons, and I have yet to figure out the digital display in my Honda, but all in all, tech is getting easier for everybody. Within companies – even very large ones – the consumerization of technology is gradually taking hold as well. There are now simple mobile apps for a wide range of ...
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.