Welcome!

Microservices Expo Authors: Flint Brenton, Elizabeth White, Pat Romanski, Cameron Van Orman, Jason Bloomberg

Related Topics: Microservices Expo, Containers Expo Blog, Agile Computing, @CloudExpo, Apache, Cloud Security

Microservices Expo: Article

Cybersecurity the Agile Architecture Way

We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over.

Identity theft, password breaches, viruses and worms, phishing attacks, Stuxnet—the more we rely upon technology in our increasingly connected world, the greater the risk that we’ll be hacked. Even worse, it seems that the rate at which hacking stories come across the wire is actually increasing, in spite of all the hard work at all the various security organizations, both commercial and governmental. The frightening truth is, perhaps the hackers are actually winning.

The root cause of our vulnerability, of course, is the Internet itself. When the essential elements of the Internet first rolled out—TCP/IP, HTTP, and DNS, to name the most flagrant offenders—no one had any idea how important security would become or just how flawed these enabling technologies were when it came to protecting ourselves from increasingly dedicated and persistent malefactors. Today, that horse has long since left the barn. Maybe we can close the door, sure, but it might not matter anymore.

But let’s not lose perspective: we’ve been using the Internet commercially for less than twenty years. An eternity in what we innocently called Internet Time back in the day, but nevertheless, a mere eye blink in the course of human history. Better to take the long view. Extrapolating today’s trends, can we gain any insight into what the future will hold?

Our crystal ball reveals three possible scenarios. The first: Cyberpunk—hackers continue to gain the upper hand, outstripping any efforts to combat them. By 2100 hackers run the world, which has devolved into feudal tribes of hacker communities battling each other for the remaining scraps of civilization.

The second scenario: Star Trek. The forces of order and rationality overcome those of anarchy and evil, and as a result, we have no qualms about trusting our computers with our lives. Computer viruses may still appear, but we can take care of them routinely in less than 52 minutes.

Finally, scenario number three: more of the same. Hackers continue to become increasingly sophisticated in their attacks, but the forces fighting them do so as well. The advantage shifts back and forth as new attack vectors rapidly appear and are dealt with equally rapidly.

More of the same may appear to be the most likely scenario, as it lacks the science fiction overtones of the other two. In reality, however, it’s the least stable of the three, because it assumes an ongoing balance between hackers and their nemeses—an unlikely situation. The pessimists among us point to Cyberpunk as the inevitable course of events. But what we really want, of course, is to steer from more of the same toward Star Trek. After all, who wouldn’t want our grandchildren to live in the Star Trek universe?

Today’s Software Security Assurance: Heading toward Cyberpunk
Software Security Assurance
(SSA) is the process of ensuring that the software we build has adequate security. SSA involves analysis, review, and testing steps that seek to identify potential weaknesses so that the software development teams can lower the risk of potential security breaches to acceptable levels. Fundamentally, SSA describes the best ways we know how to build unhackable systems.

The problem is, it’s not good enough. And furthermore, it’s dropping further and further behind. After all, if SSA actually worked, we wouldn’t have to worry about worms and breaches and the rest. Hello Cyberpunk!

The problem with traditional SSA is that it fundamentally follows a traditional systems approach. In other words, divide and conquer: break up an arbitrarily complicated system into its component elements, analyze the security risks inherent in each component, and take steps to insure that those risks are very low—where we define “very low” in terms of our acceptable risk profile.

There are two core problems with the divide and conquer approach to SSA. The first is what we call the lottery fallacy. If you want to run a lottery with a large jackpot, you want to make sure the chance of any ticket winning is very small. And sure enough, the chance of your lottery ticket being a jackpot winner is smaller than the change of you being hit by lightning—twice. But the chance we’ll have to give away the jackpot is still quite high—and the larger the jackpot, the greater the chance we’ll have to give it away.

Dividing up a complicated system into pieces and lowering the chance of hacking each piece is tantamount to selling lottery tickets—except that hackers are smart enough to figure out how to buy millions of them at a discount. In other words, there’s a really good chance that any valuable target will be hacked no matter how good your SSA is. Yes, the recipe for our Cyberpunk scenario.

Agile Architecture: The Secret to the Star Trek Scenario
When we say Agile Architecture, we’re talking about moving away from the traditional systems approach of “business wants X so build a system that does X” to the complex systems approach of “the business wants to be more agile, so build a system that responds to change and enables the business to leverage change for competitive advantage.” In the cybersecurity context, we want to move away from traditional SSA to building systems that can deal with future attacks (even though we don’t know what they are yet), and furthermore, enable us to take the initiative to prevent future attacks from occurring in the first place. A tall order to be sure, but not quite the science fiction scenario it might sound like.

There are signs that we’ve been making progress in both areas. (I say “there are signs” because I suspect much of the work in this area is secret, so even if I knew about it I couldn’t tell you.) The first area—dealing with unknown future attacks—is essentially the zero day problem. How do we protect our systems from previously unknown attacks, during the window of vulnerability that doesn’t close until we develop a traditional countermeasure? Many approaches to zero day protection already exist, but they tend to address known types of attacks like buffer overflows and the like. In other words, such protection techniques will only work until a hacker comes up with a new type of attack—an example of the back and forth we call the more of the same scenario.

The second area—preventing future attacks—is more challenging, but also more interesting. One example is the HoneyMonkey project out of Microsoft Research. Where a Honeypot is a passive approach—essentially setting a trap for hackers—a HoneyMonkey essentially surfs the Web looking for trouble. The idea is to identify Web sites that install malware before a user happens across them with their browser.

It’s not clear whether the HoneyMonkey project led to commercially available security tools, but in any case, it was only a simplistic example of a tool that could actively seek out and prevent potential attacks. But let’s put our sci-fi hats back on and extrapolate. How would we ever get to the Star Trek scenario unless we take the active prevention approach?

The Biological Analogue
Targeting Star Trek is all well and good, but we need to separate fiction from reality if we’re ever going to beat the hackers (Heisenberg Compensator, anyone?) So, let’s move away from science fiction into the realm of biology. After all, biological systems are well-known complex systems in their own right. How then do biological systems like you and me fight off infections?

At the risk of oversimplifying what are admittedly extraordinarily complicated processes, our bodies have three primary mechanisms for preventing infections. The first is our skin. Simply having a tough barrier keeps out many attack vectors. You might think of skin as analogous to traditional SSA: necessary but not sufficient.

The second mechanism, of course, is our immune system. It’s what differentiates a healthy body from a few hundred pounds of rotting meat. What we need to beat the hackers at their own game is an immune system for our software.

But even immune systems aren’t perfect. And this biological metaphor begs the question: how do we architect and build an immune system for our software anyway? Again with the biological analogue: how did we develop our immune systems? Through millennia of natural selection. Individuals who succumb more easily to infection tend to die off, while those with better ways of fighting off the attackers survive to propagate. Rinse and repeat for, oh, hundreds of millions of years, and presto! The human immune system is the result.

The cybersecurity challenge, therefore, boils down to bringing natural selection principles into our security software development processes. The hackers are diverse, persistent, and imaginative. To fight them, our software must be agile, self-innovating, and able to evolve. The devil, of course, is in the details.

The ZapThink Take
A 1,500 word ZapFlash is hardly sufficient to lay out a revolutionary approach to architecting better security software, even if we had all the answers, which we obviously do not. But the point of this ZapFlash isn’t to solve all our cybersecurity challenges. Rather, we’re trying to make the case that traditional architectural approaches, including those of Software Security Assurance, are doomed to fail eventually—if not today, than at some point in the all-to-near future. If there’s any hope of moving any closer to the Star Trek scenario, it’s absolutely essential that we take an Agile Architecture approach to cybersecurity.

It won’t be easy. And the path from where we are today to where we need to be tomorrow isn’t smooth or continuous—that’s why we consider the move to Agile Architecture a true paradigm shift. But on the positive side, many elements of this revolution are already in place. The first step is thinking about the problem properly. We can only hope that we figure out how to solve the cybersecurity problem before the hackers take over. Or welcome to your worst Cyberpunk nightmare.

Image source: JD Hancock

More Stories By Jason Bloomberg

Jason Bloomberg is the leading expert on architecting agility for the enterprise. As president of Intellyx, Mr. Bloomberg brings his years of thought leadership in the areas of Cloud Computing, Enterprise Architecture, and Service-Oriented Architecture to a global clientele of business executives, architects, software vendors, and Cloud service providers looking to achieve technology-enabled business agility across their organizations and for their customers. His latest book, The Agile Architecture Revolution (John Wiley & Sons, 2013), sets the stage for Mr. Bloomberg’s groundbreaking Agile Architecture vision.

Mr. Bloomberg is perhaps best known for his twelve years at ZapThink, where he created and delivered the Licensed ZapThink Architect (LZA) SOA course and associated credential, certifying over 1,700 professionals worldwide. He is one of the original Managing Partners of ZapThink LLC, the leading SOA advisory and analysis firm, which was acquired by Dovel Technologies in 2011. He now runs the successor to the LZA program, the Bloomberg Agile Architecture Course, around the world.

Mr. Bloomberg is a frequent conference speaker and prolific writer. He has published over 500 articles, spoken at over 300 conferences, Webinars, and other events, and has been quoted in the press over 1,400 times as the leading expert on agile approaches to architecture in the enterprise.

Mr. Bloomberg’s previous book, Service Orient or Be Doomed! How Service Orientation Will Change Your Business (John Wiley & Sons, 2006, coauthored with Ron Schmelzer), is recognized as the leading business book on Service Orientation. He also co-authored the books XML and Web Services Unleashed (SAMS Publishing, 2002), and Web Page Scripting Techniques (Hayden Books, 1996).

Prior to ZapThink, Mr. Bloomberg built a diverse background in eBusiness technology management and industry analysis, including serving as a senior analyst in IDC’s eBusiness Advisory group, as well as holding eBusiness management positions at USWeb/CKS (later marchFIRST) and WaveBend Solutions (now Hitachi Consulting).

@MicroservicesExpo Stories
The nature of the technology business is forward-thinking. It focuses on the future and what’s coming next. Innovations and creativity in our world of software development strive to improve the status quo and increase customer satisfaction through speed and increased connectivity. Yet, while it's exciting to see enterprises embrace new ways of thinking and advance their processes with cutting edge technology, it rarely happens rapidly or even simultaneously across all industries.
Is advanced scheduling in Kubernetes achievable? Yes, however, how do you properly accommodate every real-life scenario that a Kubernetes user might encounter? How do you leverage advanced scheduling techniques to shape and describe each scenario in easy-to-use rules and configurations? In his session at @DevOpsSummit at 21st Cloud Expo, Oleg Chunikhin, CTO at Kublr, will answer these questions and demonstrate techniques for implementing advanced scheduling. For example, using spot instances ...
With the rise of DevOps, containers are at the brink of becoming a pervasive technology in Enterprise IT to accelerate application delivery for the business. When it comes to adopting containers in the enterprise, security is the highest adoption barrier. Is your organization ready to address the security risks with containers for your DevOps environment? In his session at @DevOpsSummit at 21st Cloud Expo, Chris Van Tuin, Chief Technologist, NA West at Red Hat, will discuss: The top security r...
DevSecOps – a trend around transformation in process, people and technology – is about breaking down silos and waste along the software development lifecycle and using agile methodologies, automation and insights to help get apps to market faster. This leads to higher quality apps, greater trust in organizations, less organizational friction, and ultimately a five-star customer experience. These apps are the new competitive currency in this digital economy and they’re powered by data. Without ...
With the modern notion of digital transformation, enterprises are chipping away at the fundamental organizational and operational structures that have been with us since the nineteenth century or earlier. One remarkable casualty: the business process. Business processes have become so ingrained in how we envision large organizations operating and the roles people play within them that relegating them to the scrap heap is almost unimaginable, and unquestionably transformative. In the Digital ...
These days, APIs have become an integral part of the digital transformation journey for all enterprises. Every digital innovation story is connected to APIs . But have you ever pondered over to know what are the source of these APIs? Let me explain - APIs sources can be varied, internal or external, solving different purposes, but mostly categorized into the following two categories. Data lakes is a term used to represent disconnected but relevant data that are used by various business units wit...
Today most companies are adopting or evaluating container technology - Docker in particular - to speed up application deployment, drive down cost, ease management and make application delivery more flexible overall. As with most new architectures, this dream takes significant work to become a reality. Even when you do get your application componentized enough and packaged properly, there are still challenges for DevOps teams to making the shift to continuous delivery and achieving that reducti...
Most of the time there is a lot of work involved to move to the cloud, and most of that isn't really related to AWS or Azure or Google Cloud. Before we talk about public cloud vendors and DevOps tools, there are usually several technical and non-technical challenges that are connected to it and that every company needs to solve to move to the cloud. In his session at 21st Cloud Expo, Stefano Bellasio, CEO and founder of Cloud Academy Inc., will discuss what the tools, disciplines, and cultural...
Enterprises are moving to the cloud faster than most of us in security expected. CIOs are going from 0 to 100 in cloud adoption and leaving security teams in the dust. Once cloud is part of an enterprise stack, it’s unclear who has responsibility for the protection of applications, services, and data. When cloud breaches occur, whether active compromise or a publicly accessible database, the blame must fall on both service providers and users. In his session at 21st Cloud Expo, Ben Johnson, C...
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
‘Trend’ is a pretty common business term, but its definition tends to vary by industry. In performance monitoring, trend, or trend shift, is a key metric that is used to indicate change. Change is inevitable. Today’s websites must frequently update and change to keep up with competition and attract new users, but such changes can have a negative impact on the user experience if not managed properly. The dynamic nature of the Internet makes it necessary to constantly monitor different metrics. O...
Agile has finally jumped the technology shark, expanding outside the software world. Enterprises are now increasingly adopting Agile practices across their organizations in order to successfully navigate the disruptive waters that threaten to drown them. In our quest for establishing change as a core competency in our organizations, this business-centric notion of Agile is an essential component of Agile Digital Transformation. In the years since the publication of the Agile Manifesto, the conn...
Many organizations are now looking to DevOps maturity models to gauge their DevOps adoption and compare their maturity to their peers. However, as enterprise organizations rush to adopt DevOps, moving past experimentation to embrace it at scale, they are in danger of falling into the trap that they have fallen into time and time again. Unfortunately, we've seen this movie before, and we know how it ends: badly.
There is a huge demand for responsive, real-time mobile and web experiences, but current architectural patterns do not easily accommodate applications that respond to events in real time. Common solutions using message queues or HTTP long-polling quickly lead to resiliency, scalability and development velocity challenges. In his session at 21st Cloud Expo, Ryland Degnan, a Senior Software Engineer on the Netflix Edge Platform team, will discuss how by leveraging a reactive stream-based protocol,...
Many organizations adopt DevOps to reduce cycle times and deliver software faster; some take on DevOps to drive higher quality and better end-user experience; others look to DevOps for a clearer line-of-sight to customers to drive better business impacts. In truth, these three foundations go together. In this power panel at @DevOpsSummit 21st Cloud Expo, moderated by DevOps Conference Co-Chair Andi Mann, industry experts will discuss how leading organizations build application success from all...
The last two years has seen discussions about cloud computing evolve from the public / private / hybrid split to the reality that most enterprises will be creating a complex, multi-cloud strategy. Companies are wary of committing all of their resources to a single cloud, and instead are choosing to spread the risk – and the benefits – of cloud computing across multiple providers and internal infrastructures, as they follow their business needs. Will this approach be successful? How large is the ...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know that not all workloads are suitable for cloud. You know that you want the kind of ease of use and scalability that you get with public cloud, but your applications are architected in a way that makes the public cloud a non-starter. You’re looking at private cloud solutions based on hyperconverged infrastructure, but you’re concerned with the limits inherent in those technologies.
"NetApp's vision is how we help organizations manage data - delivering the right data in the right place, in the right time, to the people who need it, and doing it agnostic to what the platform is," explained Josh Atwell, Developer Advocate for NetApp, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The “Digital Era” is forcing us to engage with new methods to build, operate and maintain applications. This transformation also implies an evolution to more and more intelligent applications to better engage with the customers, while creating significant market differentiators. In both cases, the cloud has become a key enabler to embrace this digital revolution. So, moving to the cloud is no longer the question; the new questions are HOW and WHEN. To make this equation even more complex, most ...
One of the biggest challenges with adopting a DevOps mentality is: new applications are easily adapted to cloud-native, microservice-based, or containerized architectures - they can be built for them - but old applications need complex refactoring. On the other hand, these new technologies can require relearning or adapting new, oftentimes more complex, methodologies and tools to be ready for production. In his general session at @DevOpsSummit at 20th Cloud Expo, Chris Brown, Solutions Marketi...