|By Dana Gardner||
|August 27, 2012 06:00 AM EDT||
This edition of the HP Discover Performance podcast series examines the future of security in the enterprise. As the need to protect and manage assets extends beyond the four walls of the organization -- with the adoption of cloud and mobile -- how should the thinking about traditional security adjust?
I recently had a chance to sit down with Raf Los of HP Software to gather his perspective on the answer to that question. Los has an interesting personal perspective on the concept of “enterprise resiliency,” which I initially heard about through his blog, Following the White Rabbit. He's also on Twitter at @wh1t3rabbit. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
Join me as we unpack with Los the concept of enterprise resiliency as the natural maturity direction for IT security in general.
Here are some excerpts from our discussion:
Gardner: Tell me a little bit about your vision. We all understand security and why it’s important, but you've developed, I think, an expanded category for security.
Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it secure or is it not? As we move forward, I believe very strongly that what we’re evolving into is, as we’ve heard people talk about, risk management.
Risk management starts to include things that are beyond the security borders. As I talked to customers out here, I was having an "aha" moment. A little while ago, at one of our converged cloud chats, we were talking about how things fail. Everything fails at some point, and chaos takes over.
So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing ourselves into threats from a security perspective, the evolution of that goes into enterprise resiliency. What that means is that it’s a combination of recoverability, security, performance, and all the other things that bring together a well-oiled business that can let you take a shot to the gut, get back up, and keep going.
A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position, because you're put into a position where the board of directors, if you’re lucky, or your CTO or your CIO asks, "How much money do you need to secure this organization?"
That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have $10 million, a billion dollars, there's no amount of money you can spend to make your company completely secure.
So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of what and how and how much you’re aiming for. It’s not just acceptable risk. We’re looking at acceptable risk from a security perspective, but we need to incorporate the fact that we're going to get owned.
We need to get out of our ivory towers and we need to start thinking about the fact that attacks happen and insiders happen. There are things that are going to transpire that are beyond our control and things that we cannot plan for.
Technology will fail. People and processes will fail. Our own technologies, our own minds will fail us. Our best friends will fail us. People get tempted. This is a human nature that the weakest element will always be a human being, and there's no patch for that.
So how do we move and get back to business as usual? How we get back to being a resilient business. That’s a cool concept -- that I have enterprise resiliency.
Gardner: This makes great sense to me, because we’ve been talking, over the past several years, about how security needs to be applied to different parts of the organization holistically and needs to be thought of in advance, be built in, and become part of a lifecycle.
But it makes double sense to me to expand the purview of security. It really is in making sure that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a great deal of sense.
Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey thing from Netflix.
Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I gave, it comes from the perspective of you’ve got a lot of great security technology. You've probably got full disk encryption. You back up. You have firewalls, redundant networks, and all these things that you do.
You have procedures that you’re supposed to follow in the red book, a big red binder that sits on your incident response handler's desk, and you have all these things that are supposed to be followed.
Your people are trained, and your developers are supposedly writing better source code. These are all things that we can test through penetration testing, which means on Sunday between 7:00 p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready.
No patch for the human
And it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind of a scrunchy face, because that’s not really what this means. I've worked with folks who are red-team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the human.
When you can’t penetrate a system or an organization via a new Zero-day, you'll walk in through the front door by walking and carrying flowers from the CEO's wife or something, and you'll own the organization that way.
But the question isn’t whether you'll be owned or not. What happens next is the big question, and it encompasses things like how good is your PR strategy. Do you have all the legal pieces in place? When your backup system fails or your entire data center gets wiped out by Hurricane Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that stinks? Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?
Gardner: I've been speaking with a number of folks lately who hold the opinion that, at least for small-to-medium sized businesses (SMBs), going to the cloud can improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might be a longer haul and there might be more complications and issues to manage.
Do you agree with that that the SMB can outsource some of this resiliency to the cloud provider who needs to do it and has the resources and experience to do it better than the SMBs do?
Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is expensive and good security talent that can actually work towards a more resilient, more secure enterprise is very difficult to come by. It’s becoming scarce.
So small companies do the best they can with what they have their hands on. And there's certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's take the angle of threat intelligence.
I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like? If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions of times a day and probably subscribes to numerous threat-intelligence services. They know exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a ton of resources from the security perspective.
Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s be realistic about it. Get a partner that will get you there. Do due diligence on the partner that you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think there's a lot of benefit to be had, absolutely.
Gardner: And as we’re learning more about the HP Converged Cloud, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for applications and services. You might have data in a variety of sources across a variety of organizations, running from on-premises to managed hosting to multiple cloud and SaaS providers.
Is there a way that, in addition to the security that's going on within those organizations, you can add more security at that converged cloud layer, particularly when you’re converging network storage, workload provisioning, governance, and so forth. What’s the add-on value that the HP Converged Cloud can bring resiliency-wise?
Choice, consistency, confidence
Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency, and confidence. We’re focusing on consistency and confidence here and perhaps a little bit of choice as well.
What we’re saying is that because we focus on OpenStack, because we’ve chosen to build our platform completely on OpenStack, because we’re building across a single model, a single way of operating, as [HP CEO] Meg Whitman said at Discover in June. You can build a single security operating model and you'll be able to implement it across your private, public, and hybrid models.
I don’t think it’s realistic to say every company will have a public cloud-only presence, just as I don’t think it’s realistic to say companies won’t have a public cloud presence. Most organizations will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all of that somehow sharing space and workload, bursting out to each other when necessary.
As I said systems fail, clouds fail, everything fails. So when we think about, and we’ve had this on our converged cloud chat, when things fail, you have to start architecting for failure and resiliency.
Because of this architecture that we’ve had, if you choose to get one other partner to back up what you have with us, pick a partner that's got the same OpenStack platform and the same models. It’s not going to be hard. There are lots of them out there.
OpenStack is a big platform. You should be able to build once, package once, deploy many times. This saves on manpower, on cost, and on having to redevelop the security wheel over and over and over again. That provides unbelievable amounts of flexibility of what you can do with your enterprise.
When one cloud or a connectivity to one cloud fails, or maybe not fails, but you get attacked in one position, you can bring up other capacity to compensate for that. That's where the true value of cloud comes in. It’s elastic computing. It’s not a marketing buzzword.
Gardner: We’re seeing a lot of highly virtualized environments. We’re talking about virtualized server instances, workloads, and network, storage. Disaster recovery (DR) technologies have evolved to the point where we're mirroring and moving entire data centers virtually from one location to another, if there's a resiliency issue like a natural disaster or a security or cyber attack that impacts an electric grid or something along those lines.
Is there a sort of a tipping point that we’re at, when it comes to higher levels of virtualization, some of the DR speeds, working with de-duplication and reducing the amount that needs to be moved in these instances, that gives us this higher level of security, simply because of the mobility in which we can now exercise for vast amounts of data and applications?
Los: I believe so. Do I have an answer for that that’s clear and crisp? No, I don’t know, and I saw a lot of that fantastic stuff. One of the things that caught my attention is we’ve broken the 100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky to get 100 gigs an hour and I remember 100 megabytes an hour being a challenge on those giant DLT tapes sometimes over networks.
The idea that we can take an entire cloud and because of data de-duplication, because of the way we move workloads and policies all in one fell swoop, and the way we package things once and move them, as a model, rather than everything together, moving metadata rather than the actual data, it gives us the ability to move things.
One thing that everybody needs to think about is what is this doing for our bandwidth requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion with our networking folks. People are building clouds all over the place now and that's great, but it’s really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute metric ton of data, and then say, "I want to move." How are you going to take your data from there to there? That’s a big question.
You need to do your homework ahead of time, make sure you know what you’re getting into, and make sure you know what technologies are being supported.
You may also be interested in:
- For Steria, cloud not so much a technology as catalyst to responsive and agile business
- With CMS 10, HP puts workload configuration data newly in hands of those who can best use it to manage services delivery
- Where cloud computing takes us: Hybrid services delivery of essential information across all types of applications
- HP Expert Chat Explores How Insight Remote Support and Insight Online Bring Automation, Self-Solving Capabilities to IT Problems
- Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show
- Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption
The following fictional case study is a composite of actual horror stories I’ve heard over the years. Unfortunately, this scenario often occurs when in-house integration teams take on the complexities of DevOps and ALM integration with an enterprise service bus (ESB) or custom integration. It is written from the perspective of an enterprise architect tasked with leading an organization’s effort to adopt Agile to become more competitive. The company has turned to Scaled Agile Framework (SAFe) as ...
Aug. 25, 2016 05:00 PM EDT Reads: 575
Monitoring of Docker environments is challenging. Why? Because each container typically runs a single process, has its own environment, utilizes virtual networks, or has various methods of managing storage. Traditional monitoring solutions take metrics from each server and applications they run. These servers and applications running on them are typically very static, with very long uptimes. Docker deployments are different: a set of containers may run many applications, all sharing the resource...
Aug. 25, 2016 04:00 PM EDT Reads: 1,916
DevOps at Cloud Expo, taking place Nov 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long dev...
Aug. 25, 2016 03:15 PM EDT Reads: 2,199
Internet of @ThingsExpo, taking place November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 19th Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devices - comp...
Aug. 25, 2016 02:00 PM EDT Reads: 3,543
It's been a busy time for tech's ongoing infatuation with containers. Amazon just announced EC2 Container Registry to simply container management. The new Azure container service taps into Microsoft's partnership with Docker and Mesosphere. You know when there's a standard for containers on the table there's money on the table, too. Everyone is talking containers because they reduce a ton of development-related challenges and make it much easier to move across production and testing environm...
Aug. 25, 2016 01:30 PM EDT Reads: 4,943
Cloud Expo 2016 New York at the Javits Center New York was characterized by increased attendance and a new focus on operations. These were both encouraging signs for all involved in Cloud Computing and all that it touches. As Conference Chair, I work with the Cloud Expo team to structure three keynotes, numerous general sessions, and more than 150 breakout sessions along 10 tracks. Our job is to balance the state of enterprise IT today with the trends that will be commonplace tomorrow. Mobile...
Aug. 25, 2016 01:00 PM EDT Reads: 3,256
The 19th International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Microservices and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding business opportuni...
Aug. 25, 2016 01:00 PM EDT Reads: 3,885
SYS-CON Events announced today that Venafi, the Immune System for the Internet™ and the leading provider of Next Generation Trust Protection, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Venafi is the Immune System for the Internet™ that protects the foundation of all cybersecurity – cryptographic keys and digital certificates – so they can’t be misused by bad guys in attacks...
Aug. 25, 2016 01:00 PM EDT Reads: 2,592
[session] Architecting for the Cloud By @RagsS | @CloudExpo @IBMBluemix #Cloud #Docker #Microservices
As the world moves toward more DevOps and Microservices, application deployment to the cloud ought to become a lot simpler. The Microservices architecture, which is the basis of many new age distributed systems such as OpenStack, NetFlix and so on, is at the heart of Cloud Foundry - a complete developer-oriented Platform as a Service (PaaS) that is IaaS agnostic and supports vCloud, OpenStack and AWS. Serverless computing is revolutionizing computing. In his session at 19th Cloud Expo, Raghav...
Aug. 25, 2016 12:45 PM EDT Reads: 576
DevOps at Cloud Expo – being held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Am...
Aug. 25, 2016 12:15 PM EDT Reads: 3,383
Modern organizations face great challenges as they embrace innovation and integrate new tools and services. They begin to mature and move away from the complacency of maintaining traditional technologies and systems that only solve individual, siloed problems and work “well enough.” In order to build...
SYS-CON Events announced today that eCube Systems, a leading provider of middleware modernization, integration, and management solutions, will exhibit at @DevOpsSummit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. eCube Systems offers a family of middleware evolution products and services that maximize return on technology investment by leveraging existing technical equity to meet evolving business needs. ...
Aug. 25, 2016 09:00 AM EDT Reads: 497
To leverage Continuous Delivery, enterprises must consider impacts that span functional silos, as well as applications that touch older, slower moving components. Managing the many dependencies can cause slowdowns. See how to achieve continuous delivery in the enterprise.
Aug. 25, 2016 08:15 AM EDT Reads: 1,532
Using new techniques of information modeling, indexing, and processing, new cloud-based systems can support cloud-based workloads previously not possible for high-throughput insurance, banking, and case-based applications. In his session at 18th Cloud Expo, John Newton, CTO, Founder and Chairman of Alfresco, described how to scale cloud-based content management repositories to store, manage, and retrieve billions of documents and related information with fast and linear scalability. He addres...
Aug. 25, 2016 07:15 AM EDT Reads: 1,902
Akana has announced the availability of version 8 of its API Management solution. The Akana Platform provides an end-to-end API Management solution for designing, implementing, securing, managing, monitoring, and publishing APIs. It is available as a SaaS platform, on-premises, and as a hybrid deployment. Version 8 introduces a lot of new functionality, all aimed at offering customers the richest API Management capabilities in a way that is easier than ever for API and app developers to use.
Aug. 25, 2016 06:00 AM EDT Reads: 1,436
SYS-CON Events announced today that Isomorphic Software will exhibit at DevOps Summit at 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Isomorphic Software provides the SmartClient HTML5/AJAX platform, the most advanced technology for building rich, cutting-edge enterprise web applications for desktop and mobile. SmartClient combines the productivity and performance of traditional desktop software with the simp...
Aug. 25, 2016 03:30 AM EDT Reads: 2,154
SYS-CON Events announced today that 910Telecom will exhibit at the 19th International Cloud Expo, which will take place on November 1–3, 2016, at the Santa Clara Convention Center in Santa Clara, CA. Housed in the classic Denver Gas & Electric Building, 910 15th St., 910Telecom is a carrier-neutral telecom hotel located in the heart of Denver. Adjacent to CenturyLink, AT&T, and Denver Main, 910Telecom offers connectivity to all major carriers, Internet service providers, Internet backbones and ...
Aug. 25, 2016 02:00 AM EDT Reads: 1,808
The burgeoning trends around DevOps are translating into new types of IT infrastructure that both developers and operators can take advantage of. The next BriefingsDirect Voice of the Customer thought leadership discussion focuses on the burgeoning trends around DevOps and how that’s translating into new types of IT infrastructure that both developers and operators can take advantage of.
Aug. 25, 2016 02:00 AM EDT Reads: 2,434
With so much going on in this space you could be forgiven for thinking you were always working with yesterday’s technologies. So much change, so quickly. What do you do if you have to build a solution from the ground up that is expected to live in the field for at least 5-10 years? This is the challenge we faced when we looked to refresh our existing 10-year-old custom hardware stack to measure the fullness of trash cans and compactors.
Aug. 25, 2016 01:15 AM EDT Reads: 1,640
This digest provides an overview of good resources that are well worth reading. We’ll be updating this page as new content becomes available, so I suggest you bookmark it. Also, expect more digests to come on different topics that make all of our IT-hearts go boom!
Aug. 25, 2016 12:45 AM EDT Reads: 4,689