Welcome!

Microservices Expo Authors: Jason Bloomberg, Elizabeth White, Liz McMillan, Pat Romanski, Kevin Jackson

Related Topics: Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo, Apache, Cloud Security

Microservices Expo: Article

Cybersecurity the Agile Architecture Way

We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over.

Identity theft, password breaches, viruses and worms, phishing attacks, Stuxnet—the more we rely upon technology in our increasingly connected world, the greater the risk that we’ll be hacked. Even worse, it seems that the rate at which hacking stories come across the wire is actually increasing, in spite of all the hard work at all the various security organizations, both commercial and governmental. The frightening truth is, perhaps the hackers are actually winning.

The root cause of our vulnerability, of course, is the Internet itself. When the essential elements of the Internet first rolled out—TCP/IP, HTTP, and DNS, to name the most flagrant offenders—no one had any idea how important security would become or just how flawed these enabling technologies were when it came to protecting ourselves from increasingly dedicated and persistent malefactors. Today, that horse has long since left the barn. Maybe we can close the door, sure, but it might not matter anymore.

But let’s not lose perspective: we’ve been using the Internet commercially for less than twenty years. An eternity in what we innocently called Internet Time back in the day, but nevertheless, a mere eye blink in the course of human history. Better to take the long view. Extrapolating today’s trends, can we gain any insight into what the future will hold?

Our crystal ball reveals three possible scenarios. The first: Cyberpunk—hackers continue to gain the upper hand, outstripping any efforts to combat them. By 2100 hackers run the world, which has devolved into feudal tribes of hacker communities battling each other for the remaining scraps of civilization.

The second scenario: Star Trek. The forces of order and rationality overcome those of anarchy and evil, and as a result, we have no qualms about trusting our computers with our lives. Computer viruses may still appear, but we can take care of them routinely in less than 52 minutes.

Finally, scenario number three: more of the same. Hackers continue to become increasingly sophisticated in their attacks, but the forces fighting them do so as well. The advantage shifts back and forth as new attack vectors rapidly appear and are dealt with equally rapidly.

More of the same may appear to be the most likely scenario, as it lacks the science fiction overtones of the other two. In reality, however, it’s the least stable of the three, because it assumes an ongoing balance between hackers and their nemeses—an unlikely situation. The pessimists among us point to Cyberpunk as the inevitable course of events. But what we really want, of course, is to steer from more of the same toward Star Trek. After all, who wouldn’t want our grandchildren to live in the Star Trek universe?

Today’s Software Security Assurance: Heading toward Cyberpunk
Software Security Assurance
(SSA) is the process of ensuring that the software we build has adequate security. SSA involves analysis, review, and testing steps that seek to identify potential weaknesses so that the software development teams can lower the risk of potential security breaches to acceptable levels. Fundamentally, SSA describes the best ways we know how to build unhackable systems.

The problem is, it’s not good enough. And furthermore, it’s dropping further and further behind. After all, if SSA actually worked, we wouldn’t have to worry about worms and breaches and the rest. Hello Cyberpunk!

The problem with traditional SSA is that it fundamentally follows a traditional systems approach. In other words, divide and conquer: break up an arbitrarily complicated system into its component elements, analyze the security risks inherent in each component, and take steps to insure that those risks are very low—where we define “very low” in terms of our acceptable risk profile.

There are two core problems with the divide and conquer approach to SSA. The first is what we call the lottery fallacy. If you want to run a lottery with a large jackpot, you want to make sure the chance of any ticket winning is very small. And sure enough, the chance of your lottery ticket being a jackpot winner is smaller than the change of you being hit by lightning—twice. But the chance we’ll have to give away the jackpot is still quite high—and the larger the jackpot, the greater the chance we’ll have to give it away.

Dividing up a complicated system into pieces and lowering the chance of hacking each piece is tantamount to selling lottery tickets—except that hackers are smart enough to figure out how to buy millions of them at a discount. In other words, there’s a really good chance that any valuable target will be hacked no matter how good your SSA is. Yes, the recipe for our Cyberpunk scenario.

Agile Architecture: The Secret to the Star Trek Scenario
When we say Agile Architecture, we’re talking about moving away from the traditional systems approach of “business wants X so build a system that does X” to the complex systems approach of “the business wants to be more agile, so build a system that responds to change and enables the business to leverage change for competitive advantage.” In the cybersecurity context, we want to move away from traditional SSA to building systems that can deal with future attacks (even though we don’t know what they are yet), and furthermore, enable us to take the initiative to prevent future attacks from occurring in the first place. A tall order to be sure, but not quite the science fiction scenario it might sound like.

There are signs that we’ve been making progress in both areas. (I say “there are signs” because I suspect much of the work in this area is secret, so even if I knew about it I couldn’t tell you.) The first area—dealing with unknown future attacks—is essentially the zero day problem. How do we protect our systems from previously unknown attacks, during the window of vulnerability that doesn’t close until we develop a traditional countermeasure? Many approaches to zero day protection already exist, but they tend to address known types of attacks like buffer overflows and the like. In other words, such protection techniques will only work until a hacker comes up with a new type of attack—an example of the back and forth we call the more of the same scenario.

The second area—preventing future attacks—is more challenging, but also more interesting. One example is the HoneyMonkey project out of Microsoft Research. Where a Honeypot is a passive approach—essentially setting a trap for hackers—a HoneyMonkey essentially surfs the Web looking for trouble. The idea is to identify Web sites that install malware before a user happens across them with their browser.

It’s not clear whether the HoneyMonkey project led to commercially available security tools, but in any case, it was only a simplistic example of a tool that could actively seek out and prevent potential attacks. But let’s put our sci-fi hats back on and extrapolate. How would we ever get to the Star Trek scenario unless we take the active prevention approach?

The Biological Analogue
Targeting Star Trek is all well and good, but we need to separate fiction from reality if we’re ever going to beat the hackers (Heisenberg Compensator, anyone?) So, let’s move away from science fiction into the realm of biology. After all, biological systems are well-known complex systems in their own right. How then do biological systems like you and me fight off infections?

At the risk of oversimplifying what are admittedly extraordinarily complicated processes, our bodies have three primary mechanisms for preventing infections. The first is our skin. Simply having a tough barrier keeps out many attack vectors. You might think of skin as analogous to traditional SSA: necessary but not sufficient.

The second mechanism, of course, is our immune system. It’s what differentiates a healthy body from a few hundred pounds of rotting meat. What we need to beat the hackers at their own game is an immune system for our software.

But even immune systems aren’t perfect. And this biological metaphor begs the question: how do we architect and build an immune system for our software anyway? Again with the biological analogue: how did we develop our immune systems? Through millennia of natural selection. Individuals who succumb more easily to infection tend to die off, while those with better ways of fighting off the attackers survive to propagate. Rinse and repeat for, oh, hundreds of millions of years, and presto! The human immune system is the result.

The cybersecurity challenge, therefore, boils down to bringing natural selection principles into our security software development processes. The hackers are diverse, persistent, and imaginative. To fight them, our software must be agile, self-innovating, and able to evolve. The devil, of course, is in the details.

The ZapThink Take
A 1,500 word ZapFlash is hardly sufficient to lay out a revolutionary approach to architecting better security software, even if we had all the answers, which we obviously do not. But the point of this ZapFlash isn’t to solve all our cybersecurity challenges. Rather, we’re trying to make the case that traditional architectural approaches, including those of Software Security Assurance, are doomed to fail eventually—if not today, than at some point in the all-to-near future. If there’s any hope of moving any closer to the Star Trek scenario, it’s absolutely essential that we take an Agile Architecture approach to cybersecurity.

It won’t be easy. And the path from where we are today to where we need to be tomorrow isn’t smooth or continuous—that’s why we consider the move to Agile Architecture a true paradigm shift. But on the positive side, many elements of this revolution are already in place. The first step is thinking about the problem properly. We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over. Or welcome to your worst Cyberpunk nightmare.

Image source: JD Hancock

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@MicroservicesExpo Stories
If you cannot explicitly articulate how investing in a new technology, changing the approach or re-engineering the business process will help you achieve your customer-centric vision of the future in direct and measurable ways, you probably shouldn’t be doing it. At Intellyx, we spend a lot of time talking to technology vendors. In our conversations, we explore emerging new technologies that are either disrupting the way enterprise organizations work or that help enable those organizations to ...
In 2014, Amazon announced a new form of compute called Lambda. We didn't know it at the time, but this represented a fundamental shift in what we expect from cloud computing. Now, all of the major cloud computing vendors want to take part in this disruptive technology. In his session at 20th Cloud Expo, Doug Vanderweide, an instructor at Linux Academy, discussed why major players like AWS, Microsoft Azure, IBM Bluemix, and Google Cloud Platform are all trying to sidestep VMs and containers wit...
The taxi industry never saw Uber coming. Startups are a threat to incumbents like never before, and a major enabler for startups is that they are instantly “cloud ready.” If innovation moves at the pace of IT, then your company is in trouble. Why? Because your data center will not keep up with frenetic pace AWS, Microsoft and Google are rolling out new capabilities. In his session at 20th Cloud Expo, Don Browning, VP of Cloud Architecture at Turner, posited that disruption is inevitable for comp...
For organizations that have amassed large sums of software complexity, taking a microservices approach is the first step toward DevOps and continuous improvement / development. Integrating system-level analysis with microservices makes it easier to change and add functionality to applications at any time without the increase of risk. Before you start big transformation projects or a cloud migration, make sure these changes won’t take down your entire organization.
There's a lot to gain from cloud computing, but success requires a thoughtful and enterprise focused approach. Cloud computing decouples data and information from the infrastructure on which it lies. A process that is a LOT more involved than dragging some folders from your desktop to a shared drive. Cloud computing as a mission transformation activity, not a technological one. As an organization moves from local information hosting to the cloud, one of the most important challenges is addressi...
"We are a monitoring company. We work with Salesforce, BBC, and quite a few other big logos. We basically provide monitoring for them, structure for their cloud services and we fit into the DevOps world" explained David Gildeh, Co-founder and CEO of Outlyer, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"When we talk about cloud without compromise what we're talking about is that when people think about 'I need the flexibility of the cloud' - it's the ability to create applications and run them in a cloud environment that's far more flexible,” explained Matthew Finnie, CTO of Interoute, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
What's the role of an IT self-service portal when you get to continuous delivery and Infrastructure as Code? This general session showed how to create the continuous delivery culture and eight accelerators for leading the change. Don Demcsak is a DevOps and Cloud Native Modernization Principal for Dell EMC based out of New Jersey. He is a former, long time, Microsoft Most Valuable Professional, specializing in building and architecting Application Delivery Pipelines for hybrid legacy, and cloud ...
For most organizations, the move to hybrid cloud is now a question of when, not if. Fully 82% of enterprises plan to have a hybrid cloud strategy this year, according to Infoholic Research. The worldwide hybrid cloud computing market is expected to grow about 34% annually over the next five years, reaching $241.13 billion by 2022. Companies are embracing hybrid cloud because of the many advantages it offers compared to relying on a single provider for all of their cloud needs. Hybrid offers bala...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
Companies have always been concerned that traditional enterprise software is slow and complex to install, often disrupting critical and time-sensitive operations during roll-out. With the growing need to integrate new digital technologies into the enterprise to transform business processes, this concern has become even more pressing. A 2016 Panorama Consulting Solutions study revealed that enterprise resource planning (ERP) projects took an average of 21 months to install, with 57 percent of t...
Microservices are increasingly used in the development world as developers work to create larger, more complex applications that are better developed and managed as a combination of smaller services that work cohesively together for larger, application-wide functionality. Tools such as Service Fabric are rising to meet the need to think about and build apps using a piece-by-piece methodology that is, frankly, less mind-boggling than considering the whole of the application at once. Today, we'll ...
In his session at Cloud Expo, Alan Winters, an entertainment executive/TV producer turned serial entrepreneur, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to ma...
Hybrid IT is today’s reality, and while its implementation may seem daunting at times, more and more organizations are migrating to the cloud. In fact, according to SolarWinds 2017 IT Trends Index: Portrait of a Hybrid IT Organization 95 percent of organizations have migrated crucial applications to the cloud in the past year. As such, it’s in every IT professional’s best interest to know what to expect.
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
Containers, microservices and DevOps are all the rage lately. You can read about how great they are and how they’ll change your life and the industry everywhere. So naturally when we started a new company and were deciding how to architect our app, we went with microservices, containers and DevOps. About now you’re expecting a story of how everything went so smoothly, we’re now pushing out code ten times a day, but the reality is quite different.
In the decade following his article, cloud computing further cemented Carr’s perspective. Compute, storage, and network resources have become simple utilities, available at the proverbial turn of the faucet. The value they provide is immense, but the cloud playing field is amazingly level. Carr’s quote above presaged the cloud to a T. Today, however, we’re in the digital era. Mark Andreesen’s ‘software is eating the world’ prognostication is coming to pass, as enterprises realize they must be...
A common misconception about the cloud is that one size fits all. Companies expecting to run all of their operations using one cloud solution or service must realize that doing so is akin to forcing the totality of their business functionality into a straightjacket. Unlocking the full potential of the cloud means embracing the multi-cloud future where businesses use their own cloud, and/or clouds from different vendors, to support separate functions or product groups. There is no single cloud so...
Colocation is a central pillar of modern enterprise infrastructure planning because it provides greater control, insight, and performance than managed platforms. In spite of the inexorable rise of the cloud, most businesses with extensive IT hardware requirements choose to host their infrastructure in colocation data centers. According to a recent IDC survey, more than half of the businesses questioned use colocation services, and the number is even higher among established businesses and busin...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...