Welcome!

Microservices Expo Authors: Jason Bloomberg, Elizabeth White, Liz McMillan, Flint Brenton, Yeshim Deniz

Related Topics: Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo, Apache, Cloud Security

Microservices Expo: Article

Cybersecurity the Agile Architecture Way

We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over.

Identity theft, password breaches, viruses and worms, phishing attacks, Stuxnet—the more we rely upon technology in our increasingly connected world, the greater the risk that we’ll be hacked. Even worse, it seems that the rate at which hacking stories come across the wire is actually increasing, in spite of all the hard work at all the various security organizations, both commercial and governmental. The frightening truth is, perhaps the hackers are actually winning.

The root cause of our vulnerability, of course, is the Internet itself. When the essential elements of the Internet first rolled out—TCP/IP, HTTP, and DNS, to name the most flagrant offenders—no one had any idea how important security would become or just how flawed these enabling technologies were when it came to protecting ourselves from increasingly dedicated and persistent malefactors. Today, that horse has long since left the barn. Maybe we can close the door, sure, but it might not matter anymore.

But let’s not lose perspective: we’ve been using the Internet commercially for less than twenty years. An eternity in what we innocently called Internet Time back in the day, but nevertheless, a mere eye blink in the course of human history. Better to take the long view. Extrapolating today’s trends, can we gain any insight into what the future will hold?

Our crystal ball reveals three possible scenarios. The first: Cyberpunk—hackers continue to gain the upper hand, outstripping any efforts to combat them. By 2100 hackers run the world, which has devolved into feudal tribes of hacker communities battling each other for the remaining scraps of civilization.

The second scenario: Star Trek. The forces of order and rationality overcome those of anarchy and evil, and as a result, we have no qualms about trusting our computers with our lives. Computer viruses may still appear, but we can take care of them routinely in less than 52 minutes.

Finally, scenario number three: more of the same. Hackers continue to become increasingly sophisticated in their attacks, but the forces fighting them do so as well. The advantage shifts back and forth as new attack vectors rapidly appear and are dealt with equally rapidly.

More of the same may appear to be the most likely scenario, as it lacks the science fiction overtones of the other two. In reality, however, it’s the least stable of the three, because it assumes an ongoing balance between hackers and their nemeses—an unlikely situation. The pessimists among us point to Cyberpunk as the inevitable course of events. But what we really want, of course, is to steer from more of the same toward Star Trek. After all, who wouldn’t want our grandchildren to live in the Star Trek universe?

Today’s Software Security Assurance: Heading toward Cyberpunk
Software Security Assurance
(SSA) is the process of ensuring that the software we build has adequate security. SSA involves analysis, review, and testing steps that seek to identify potential weaknesses so that the software development teams can lower the risk of potential security breaches to acceptable levels. Fundamentally, SSA describes the best ways we know how to build unhackable systems.

The problem is, it’s not good enough. And furthermore, it’s dropping further and further behind. After all, if SSA actually worked, we wouldn’t have to worry about worms and breaches and the rest. Hello Cyberpunk!

The problem with traditional SSA is that it fundamentally follows a traditional systems approach. In other words, divide and conquer: break up an arbitrarily complicated system into its component elements, analyze the security risks inherent in each component, and take steps to insure that those risks are very low—where we define “very low” in terms of our acceptable risk profile.

There are two core problems with the divide and conquer approach to SSA. The first is what we call the lottery fallacy. If you want to run a lottery with a large jackpot, you want to make sure the chance of any ticket winning is very small. And sure enough, the chance of your lottery ticket being a jackpot winner is smaller than the change of you being hit by lightning—twice. But the chance we’ll have to give away the jackpot is still quite high—and the larger the jackpot, the greater the chance we’ll have to give it away.

Dividing up a complicated system into pieces and lowering the chance of hacking each piece is tantamount to selling lottery tickets—except that hackers are smart enough to figure out how to buy millions of them at a discount. In other words, there’s a really good chance that any valuable target will be hacked no matter how good your SSA is. Yes, the recipe for our Cyberpunk scenario.

Agile Architecture: The Secret to the Star Trek Scenario
When we say Agile Architecture, we’re talking about moving away from the traditional systems approach of “business wants X so build a system that does X” to the complex systems approach of “the business wants to be more agile, so build a system that responds to change and enables the business to leverage change for competitive advantage.” In the cybersecurity context, we want to move away from traditional SSA to building systems that can deal with future attacks (even though we don’t know what they are yet), and furthermore, enable us to take the initiative to prevent future attacks from occurring in the first place. A tall order to be sure, but not quite the science fiction scenario it might sound like.

There are signs that we’ve been making progress in both areas. (I say “there are signs” because I suspect much of the work in this area is secret, so even if I knew about it I couldn’t tell you.) The first area—dealing with unknown future attacks—is essentially the zero day problem. How do we protect our systems from previously unknown attacks, during the window of vulnerability that doesn’t close until we develop a traditional countermeasure? Many approaches to zero day protection already exist, but they tend to address known types of attacks like buffer overflows and the like. In other words, such protection techniques will only work until a hacker comes up with a new type of attack—an example of the back and forth we call the more of the same scenario.

The second area—preventing future attacks—is more challenging, but also more interesting. One example is the HoneyMonkey project out of Microsoft Research. Where a Honeypot is a passive approach—essentially setting a trap for hackers—a HoneyMonkey essentially surfs the Web looking for trouble. The idea is to identify Web sites that install malware before a user happens across them with their browser.

It’s not clear whether the HoneyMonkey project led to commercially available security tools, but in any case, it was only a simplistic example of a tool that could actively seek out and prevent potential attacks. But let’s put our sci-fi hats back on and extrapolate. How would we ever get to the Star Trek scenario unless we take the active prevention approach?

The Biological Analogue
Targeting Star Trek is all well and good, but we need to separate fiction from reality if we’re ever going to beat the hackers (Heisenberg Compensator, anyone?) So, let’s move away from science fiction into the realm of biology. After all, biological systems are well-known complex systems in their own right. How then do biological systems like you and me fight off infections?

At the risk of oversimplifying what are admittedly extraordinarily complicated processes, our bodies have three primary mechanisms for preventing infections. The first is our skin. Simply having a tough barrier keeps out many attack vectors. You might think of skin as analogous to traditional SSA: necessary but not sufficient.

The second mechanism, of course, is our immune system. It’s what differentiates a healthy body from a few hundred pounds of rotting meat. What we need to beat the hackers at their own game is an immune system for our software.

But even immune systems aren’t perfect. And this biological metaphor begs the question: how do we architect and build an immune system for our software anyway? Again with the biological analogue: how did we develop our immune systems? Through millennia of natural selection. Individuals who succumb more easily to infection tend to die off, while those with better ways of fighting off the attackers survive to propagate. Rinse and repeat for, oh, hundreds of millions of years, and presto! The human immune system is the result.

The cybersecurity challenge, therefore, boils down to bringing natural selection principles into our security software development processes. The hackers are diverse, persistent, and imaginative. To fight them, our software must be agile, self-innovating, and able to evolve. The devil, of course, is in the details.

The ZapThink Take
A 1,500 word ZapFlash is hardly sufficient to lay out a revolutionary approach to architecting better security software, even if we had all the answers, which we obviously do not. But the point of this ZapFlash isn’t to solve all our cybersecurity challenges. Rather, we’re trying to make the case that traditional architectural approaches, including those of Software Security Assurance, are doomed to fail eventually—if not today, than at some point in the all-to-near future. If there’s any hope of moving any closer to the Star Trek scenario, it’s absolutely essential that we take an Agile Architecture approach to cybersecurity.

It won’t be easy. And the path from where we are today to where we need to be tomorrow isn’t smooth or continuous—that’s why we consider the move to Agile Architecture a true paradigm shift. But on the positive side, many elements of this revolution are already in place. The first step is thinking about the problem properly. We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over. Or welcome to your worst Cyberpunk nightmare.

Image source: JD Hancock

More Stories By Jason Bloomberg

Jason Bloomberg is a leading IT industry analyst, Forbes contributor, keynote speaker, and globally recognized expert on multiple disruptive trends in enterprise technology and digital transformation. He is ranked #5 on Onalytica’s list of top Digital Transformation influencers for 2018 and #15 on Jax’s list of top DevOps influencers for 2017, the only person to appear on both lists.

As founder and president of Agile Digital Transformation analyst firm Intellyx, he advises, writes, and speaks on a diverse set of topics, including digital transformation, artificial intelligence, cloud computing, devops, big data/analytics, cybersecurity, blockchain/bitcoin/cryptocurrency, no-code/low-code platforms and tools, organizational transformation, internet of things, enterprise architecture, SD-WAN/SDX, mainframes, hybrid IT, and legacy transformation, among other topics.

Mr. Bloomberg’s articles in Forbes are often viewed by more than 100,000 readers. During his career, he has published over 1,200 articles (over 200 for Forbes alone), spoken at over 400 conferences and webinars, and he has been quoted in the press and blogosphere over 2,000 times.

Mr. Bloomberg is the author or coauthor of four books: The Agile Architecture Revolution (Wiley, 2013), Service Orient or Be Doomed! How Service Orientation Will Change Your Business (Wiley, 2006), XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996). His next book, Agile Digital Transformation, is due within the next year.

At SOA-focused industry analyst firm ZapThink from 2001 to 2013, Mr. Bloomberg created and delivered the Licensed ZapThink Architect (LZA) Service-Oriented Architecture (SOA) course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, which was acquired by Dovel Technologies in 2011.

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting), and several software and web development positions.

@MicroservicesExpo Stories
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis tool. It is an extremely lightweight tool that can integrate with pretty much any build process right now," explained Andrew Siegmund, Application Migration Specialist for CAST, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Archi...
Don’t go chasing waterfall … development, that is. According to a recent post by Madison Moore on Medium featuring insights from several software delivery industry leaders, waterfall is – while still popular – not the best way to win in the marketplace. With methodologies like Agile, DevOps and Continuous Delivery becoming ever more prominent over the past 15 years or so, waterfall is old news. Or, is it? Moore cites a recent study by Gartner: “According to Gartner’s IT Key Metrics Data report, ...
In his general session at 19th Cloud Expo, Manish Dixit, VP of Product and Engineering at Dice, discussed how Dice leverages data insights and tools to help both tech professionals and recruiters better understand how skills relate to each other and which skills are in high demand using interactive visualizations and salary indicator tools to maximize earning potential. Manish Dixit is VP of Product and Engineering at Dice. As the leader of the Product, Engineering and Data Sciences team at D...
Without a clear strategy for cost control and an architecture designed with cloud services in mind, costs and operational performance can quickly get out of control. To avoid multiple architectural redesigns requires extensive thought and planning. Boundary (now part of BMC) launched a new public-facing multi-tenant high resolution monitoring service on Amazon AWS two years ago, facing challenges and learning best practices in the early days of the new service.
You often hear the two titles of "DevOps" and "Immutable Infrastructure" used independently. In his session at DevOps Summit, John Willis, Technical Evangelist for Docker, covered the union between the two topics and why this is important. He provided an overview of Immutable Infrastructure then showed how an Immutable Continuous Delivery pipeline can be applied as a best practice for "DevOps." He ended the session with some interesting case study examples.
All organizations that did not originate this moment have a pre-existing culture as well as legacy technology and processes that can be more or less amenable to DevOps implementation. That organizational culture is influenced by the personalities and management styles of Executive Management, the wider culture in which the organization is situated, and the personalities of key team members at all levels of the organization. This culture and entrenched interests usually throw a wrench in the work...
Without lifecycle traceability and visibility across the tool chain, stakeholders from Planning-to-Ops have limited insight and answers to who, what, when, why and how across the DevOps lifecycle. This impacts the ability to deliver high quality software at the needed velocity to drive positive business outcomes. In his general session at @DevOpsSummit at 19th Cloud Expo, Eric Robertson, General Manager at CollabNet, will discuss how customers are able to achieve a level of transparency that e...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
We all know that end users experience the Internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices – not doing so will be a path to eventual b...
Docker is sweeping across startups and enterprises alike, changing the way we build and ship applications. It's the most prominent and widely known software container platform, and it's particularly useful for eliminating common challenges when collaborating on code (like the "it works on my machine" phenomenon that most devs know all too well). With Docker, you can run and manage apps side-by-side - in isolated containers - resulting in better compute density. It's something that many developer...
"DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The goal of Microservices is to improve software delivery speed and increase system safety as scale increases. Microservices being modular these are faster to change and enables an evolutionary architecture where systems can change, as the business needs change. Microservices can scale elastically and by being service oriented can enable APIs natively. Microservices also reduce implementation and release cycle time and enables continuous delivery. This paper provides a logical overview of the Mi...
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
"We're developing a software that is based on the cloud environment and we are providing those services to corporations and the general public," explained Seungmin Kim, CEO/CTO of SM Systems Inc., in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to maximize project result...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...