Cybersecurity the Agile Architecture Way

We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over.

Identity theft, password breaches, viruses and worms, phishing attacks, Stuxnet—the more we rely upon technology in our increasingly connected world, the greater the risk that we’ll be hacked. Even worse, it seems that the rate at which hacking stories come across the wire is actually increasing, in spite of all the hard work by the various security organizations, both commercial and governmental. The frightening truth is, perhaps the hackers are actually winning.

The root cause of our vulnerability, of course, is the Internet itself. When the essential elements of the Internet first rolled out—TCP/IP, HTTP, and DNS, to name the most flagrant offenders—no one had any idea how important security would become or just how flawed these enabling technologies were when it came to protecting ourselves from increasingly dedicated and persistent malefactors. Today, that horse has long since left the barn. Maybe we can close the door, sure, but it might not matter anymore.

But let’s not lose perspective: we’ve been using the Internet commercially for less than twenty years. An eternity in what we innocently called Internet Time back in the day, but nevertheless, a mere eye blink in the course of human history. Better to take the long view. Extrapolating today’s trends, can we gain any insight into what the future will hold?

Our crystal ball reveals three possible scenarios. The first: Cyberpunk—hackers continue to gain the upper hand, outstripping any efforts to combat them. By 2100 hackers run the world, which has devolved into feudal tribes of hacker communities battling each other for the remaining scraps of civilization.

The second scenario: Star Trek. The forces of order and rationality overcome those of anarchy and evil, and as a result, we have no qualms about trusting our computers with our lives. Computer viruses may still appear, but we can take care of them routinely in less than 52 minutes.

Finally, scenario number three: more of the same. Hackers continue to become increasingly sophisticated in their attacks, but the forces fighting them do so as well. The advantage shifts back and forth as new attack vectors rapidly appear and are dealt with equally rapidly.

More of the same may appear to be the most likely scenario, as it lacks the science fiction overtones of the other two. In reality, however, it’s the least stable of the three, because it assumes an ongoing balance between hackers and their nemeses—an unlikely situation. The pessimists among us point to Cyberpunk as the inevitable course of events. But what we really want, of course, is to steer from more of the same toward Star Trek. After all, who wouldn’t want our grandchildren to live in the Star Trek universe?

Today’s Software Security Assurance: Heading toward Cyberpunk
Software Security Assurance (SSA) is the process of ensuring that the software we build has adequate security. SSA involves analysis, review, and testing steps that seek to identify potential weaknesses so that the software development teams can lower the risk of potential security breaches to acceptable levels. Fundamentally, SSA describes the best ways we know how to build unhackable systems.

The problem is, it’s not good enough. And furthermore, it’s dropping further and further behind. After all, if SSA actually worked, we wouldn’t have to worry about worms and breaches and the rest. Hello Cyberpunk!

The problem with traditional SSA is that it fundamentally follows a traditional systems approach. In other words, divide and conquer: break up an arbitrarily complicated system into its component elements, analyze the security risks inherent in each component, and take steps to ensure that those risks are very low—where we define “very low” in terms of our acceptable risk profile.

There are two core problems with the divide and conquer approach to SSA. The first is what we call the lottery fallacy. If you want to run a lottery with a large jackpot, you want to make sure the chance of any ticket winning is very small. And sure enough, the chance of your lottery ticket being a jackpot winner is smaller than the chance of you being hit by lightning—twice. But the chance we’ll have to give away the jackpot is still quite high—and the larger the jackpot, the greater the chance we’ll have to give it away.

Dividing up a complicated system into pieces and lowering the chance of hacking each piece is tantamount to selling lottery tickets—except that hackers are smart enough to figure out how to buy millions of them at a discount. In other words, there’s a really good chance that any valuable target will be hacked no matter how good your SSA is. Yes, the recipe for our Cyberpunk scenario.
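To make the lottery fallacy concrete, here is the arithmetic behind it. This is an illustration added to the article, not part of the original ZapFlash; the symbols $p$ and $n$ and the sample values are assumptions chosen only to show the shape of the curve.

Suppose an attacker gets $n$ independent tries (against $n$ components, or $n$ attempts at one component), and each try succeeds with probability $p$. Then

$$P(\text{no compromise}) = (1-p)^n, \qquad P(\text{at least one compromise}) = 1-(1-p)^n \approx 1 - e^{-np}.$$

With $p = 10^{-6}$ per try and $n = 10^{6}$ tries,

$$P(\text{at least one}) \approx 1 - e^{-1} \approx 0.63,$$

and doubling the number of tries to $n = 2 \times 10^{6}$ gives $1 - e^{-2} \approx 0.86$. The quantity that matters is the product $np$, not $p$ alone: every tenfold reduction in per-component risk that SSA buys is cancelled by the attacker buying ten times as many tickets, which, against a valuable target, is exactly what they do.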

Agile Architecture: The Secret to the Star Trek Scenario
When we say Agile Architecture, we’re talking about moving away from the traditional systems approach of “business wants X so build a system that does X” to the complex systems approach of “the business wants to be more agile, so build a system that responds to change and enables the business to leverage change for competitive advantage.” In the cybersecurity context, we want to move away from traditional SSA to building systems that can deal with future attacks (even though we don’t know what they are yet), and furthermore, enable us to take the initiative to prevent future attacks from occurring in the first place. A tall order to be sure, but not quite the science fiction scenario it might sound like.

There are signs that we’ve been making progress in both areas. (I say “there are signs” because I suspect much of the work in this area is secret, so even if I knew about it I couldn’t tell you.) The first area—dealing with unknown future attacks—is essentially the zero day problem. How do we protect our systems from previously unknown attacks, during the window of vulnerability that doesn’t close until we develop a traditional countermeasure? Many approaches to zero day protection already exist, but they tend to address known types of attacks like buffer overflows and the like. In other words, such protection techniques will only work until a hacker comes up with a new type of attack—an example of the back and forth we call the more of the same scenario.

The second area—preventing future attacks—is more challenging, but also more interesting. One example is the HoneyMonkey project out of Microsoft Research. Where a Honeypot is a passive approach—essentially setting a trap for hackers—a HoneyMonkey essentially surfs the Web looking for trouble. The idea is to identify Web sites that install malware before a user happens across them with their browser.

It’s not clear whether the HoneyMonkey project led to commercially available security tools, but in any case, it was only a simplistic example of a tool that could actively seek out and prevent potential attacks. But let’s put our sci-fi hats back on and extrapolate. How would we ever get to the Star Trek scenario unless we take the active prevention approach?

The Biological Analogue
Targeting Star Trek is all well and good, but we need to separate fiction from reality if we’re ever going to beat the hackers (Heisenberg Compensator, anyone?). So let’s move away from science fiction into the realm of biology. After all, biological systems are well-known complex systems in their own right. How then do biological systems like you and me fight off infections?

At the risk of oversimplifying what are admittedly extraordinarily complicated processes, our bodies have three primary mechanisms for preventing infections. The first is our skin. Simply having a tough barrier keeps out many attack vectors. You might think of skin as analogous to traditional SSA: necessary but not sufficient.

The second mechanism, of course, is our immune system. It’s what differentiates a healthy body from a few hundred pounds of rotting meat. What we need to beat the hackers at their own game is an immune system for our software.

But even immune systems aren’t perfect. And this biological metaphor raises the question: how do we architect and build an immune system for our software anyway? Again with the biological analogue: how did we develop our immune systems? Through millennia of natural selection. Individuals who succumb more easily to infection tend to die off, while those with better ways of fighting off the attackers survive to propagate. Rinse and repeat for, oh, hundreds of millions of years, and presto! The human immune system is the result.

The cybersecurity challenge, therefore, boils down to bringing natural selection principles into our security software development processes. The hackers are diverse, persistent, and imaginative. To fight them, our software must be agile, self-innovating, and able to evolve. The devil, of course, is in the details.

The ZapThink Take
A 1,500 word ZapFlash is hardly sufficient to lay out a revolutionary approach to architecting better security software, even if we had all the answers, which we obviously do not. But the point of this ZapFlash isn’t to solve all our cybersecurity challenges. Rather, we’re trying to make the case that traditional architectural approaches, including those of Software Security Assurance, are doomed to fail eventually—if not today, then at some point in the all-too-near future. If there’s any hope of moving any closer to the Star Trek scenario, it’s absolutely essential that we take an Agile Architecture approach to cybersecurity.

It won’t be easy. And the path from where we are today to where we need to be tomorrow isn’t smooth or continuous—that’s why we consider the move to Agile Architecture a true paradigm shift. But on the positive side, many elements of this revolution are already in place. The first step is thinking about the problem properly. We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over. Or welcome to your worst Cyberpunk nightmare.

Image source: JD Hancock

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).
