|By Dana Gardner||
|August 27, 2012 06:00 AM EDT||
This edition of the HP Discover Performance podcast series examines the future of security in the enterprise. As the need to protect and manage assets extends beyond the four walls of the organization -- with the adoption of cloud and mobile -- how should the thinking about traditional security adjust?
I recently had a chance to sit down with Raf Los of HP Software to gather his perspective on the answer to that question. Los has an interesting personal perspective on the concept of “enterprise resiliency,” which I initially heard about through his blog, Following the White Rabbit. He's also on Twitter at @wh1t3rabbit. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]
Join me as we unpack with Los the concept of enterprise resiliency as the natural maturity direction for IT security in general.
Here are some excerpts from our discussion:
Gardner: Tell me a little bit about your vision. We all understand security and why it’s important, but you've developed, I think, an expanded category for security.
Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it secure or is it not? As we move forward, I believe very strongly that what we’re evolving into is, as we’ve heard people talk about, risk management.
Risk management starts to include things that are beyond the security borders. As I talked to customers out here, I was having an "aha" moment. A little while ago, at one of our converged cloud chats, we were talking about how things fail. Everything fails at some point, and chaos takes over.
So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing ourselves into threats from a security perspective, the evolution of that goes into enterprise resiliency. What that means is that it’s a combination of recoverability, security, performance, and all the other things that bring together a well-oiled business that can let you take a shot to the gut, get back up, and keep going.
A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position, because you're put into a position where the board of directors, if you’re lucky, or your CTO or your CIO asks, "How much money do you need to secure this organization?"
That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have $10 million, a billion dollars, there's no amount of money you can spend to make your company completely secure.
So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of what and how and how much you’re aiming for. It’s not just acceptable risk. We’re looking at acceptable risk from a security perspective, but we need to incorporate the fact that we're going to get owned.
We need to get out of our ivory towers and we need to start thinking about the fact that attacks happen and insiders happen. There are things that are going to transpire that are beyond our control and things that we cannot plan for.
Technology will fail. People and processes will fail. Our own technologies, our own minds will fail us. Our best friends will fail us. People get tempted. This is a human nature that the weakest element will always be a human being, and there's no patch for that.
So how do we move and get back to business as usual? How we get back to being a resilient business. That’s a cool concept -- that I have enterprise resiliency.
Gardner: This makes great sense to me, because we’ve been talking, over the past several years, about how security needs to be applied to different parts of the organization holistically and needs to be thought of in advance, be built in, and become part of a lifecycle.
But it makes double sense to me to expand the purview of security. It really is in making sure that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a great deal of sense.
Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey thing from Netflix.
Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I gave, it comes from the perspective of you’ve got a lot of great security technology. You've probably got full disk encryption. You back up. You have firewalls, redundant networks, and all these things that you do.
You have procedures that you’re supposed to follow in the red book, a big red binder that sits on your incident response handler's desk, and you have all these things that are supposed to be followed.
Your people are trained, and your developers are supposedly writing better source code. These are all things that we can test through penetration testing, which means on Sunday between 7:00 p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready.
No patch for the human
And it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind of a scrunchy face, because that’s not really what this means. I've worked with folks who are red-team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the human.
When you can’t penetrate a system or an organization via a new Zero-day, you'll walk in through the front door by walking and carrying flowers from the CEO's wife or something, and you'll own the organization that way.
But the question isn’t whether you'll be owned or not. What happens next is the big question, and it encompasses things like how good is your PR strategy. Do you have all the legal pieces in place? When your backup system fails or your entire data center gets wiped out by Hurricane Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that stinks? Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?
Gardner: I've been speaking with a number of folks lately who hold the opinion that, at least for small-to-medium sized businesses (SMBs), going to the cloud can improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might be a longer haul and there might be more complications and issues to manage.
Do you agree with that that the SMB can outsource some of this resiliency to the cloud provider who needs to do it and has the resources and experience to do it better than the SMBs do?
Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is expensive and good security talent that can actually work towards a more resilient, more secure enterprise is very difficult to come by. It’s becoming scarce.
So small companies do the best they can with what they have their hands on. And there's certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's take the angle of threat intelligence.
I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like? If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions of times a day and probably subscribes to numerous threat-intelligence services. They know exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a ton of resources from the security perspective.
Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s be realistic about it. Get a partner that will get you there. Do due diligence on the partner that you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think there's a lot of benefit to be had, absolutely.
Gardner: And as we’re learning more about the HP Converged Cloud, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for applications and services. You might have data in a variety of sources across a variety of organizations, running from on-premises to managed hosting to multiple cloud and SaaS providers.
Is there a way that, in addition to the security that's going on within those organizations, you can add more security at that converged cloud layer, particularly when you’re converging network storage, workload provisioning, governance, and so forth. What’s the add-on value that the HP Converged Cloud can bring resiliency-wise?
Choice, consistency, confidence
Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency, and confidence. We’re focusing on consistency and confidence here and perhaps a little bit of choice as well.
What we’re saying is that because we focus on OpenStack, because we’ve chosen to build our platform completely on OpenStack, because we’re building across a single model, a single way of operating, as [HP CEO] Meg Whitman said at Discover in June. You can build a single security operating model and you'll be able to implement it across your private, public, and hybrid models.
I don’t think it’s realistic to say every company will have a public cloud-only presence, just as I don’t think it’s realistic to say companies won’t have a public cloud presence. Most organizations will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all of that somehow sharing space and workload, bursting out to each other when necessary.
As I said systems fail, clouds fail, everything fails. So when we think about, and we’ve had this on our converged cloud chat, when things fail, you have to start architecting for failure and resiliency.
Because of this architecture that we’ve had, if you choose to get one other partner to back up what you have with us, pick a partner that's got the same OpenStack platform and the same models. It’s not going to be hard. There are lots of them out there.
OpenStack is a big platform. You should be able to build once, package once, deploy many times. This saves on manpower, on cost, and on having to redevelop the security wheel over and over and over again. That provides unbelievable amounts of flexibility of what you can do with your enterprise.
When one cloud or a connectivity to one cloud fails, or maybe not fails, but you get attacked in one position, you can bring up other capacity to compensate for that. That's where the true value of cloud comes in. It’s elastic computing. It’s not a marketing buzzword.
Gardner: We’re seeing a lot of highly virtualized environments. We’re talking about virtualized server instances, workloads, and network, storage. Disaster recovery (DR) technologies have evolved to the point where we're mirroring and moving entire data centers virtually from one location to another, if there's a resiliency issue like a natural disaster or a security or cyber attack that impacts an electric grid or something along those lines.
Is there a sort of a tipping point that we’re at, when it comes to higher levels of virtualization, some of the DR speeds, working with de-duplication and reducing the amount that needs to be moved in these instances, that gives us this higher level of security, simply because of the mobility in which we can now exercise for vast amounts of data and applications?
Los: I believe so. Do I have an answer for that that’s clear and crisp? No, I don’t know, and I saw a lot of that fantastic stuff. One of the things that caught my attention is we’ve broken the 100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky to get 100 gigs an hour and I remember 100 megabytes an hour being a challenge on those giant DLT tapes sometimes over networks.
The idea that we can take an entire cloud and because of data de-duplication, because of the way we move workloads and policies all in one fell swoop, and the way we package things once and move them, as a model, rather than everything together, moving metadata rather than the actual data, it gives us the ability to move things.
One thing that everybody needs to think about is what is this doing for our bandwidth requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion with our networking folks. People are building clouds all over the place now and that's great, but it’s really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute metric ton of data, and then say, "I want to move." How are you going to take your data from there to there? That’s a big question.
You need to do your homework ahead of time, make sure you know what you’re getting into, and make sure you know what technologies are being supported.
You may also be interested in:
- For Steria, cloud not so much a technology as catalyst to responsive and agile business
- With CMS 10, HP puts workload configuration data newly in hands of those who can best use it to manage services delivery
- Where cloud computing takes us: Hybrid services delivery of essential information across all types of applications
- HP Expert Chat Explores How Insight Remote Support and Insight Online Bring Automation, Self-Solving Capabilities to IT Problems
- Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show
- Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption
The Internet of Things (IoT) is growing rapidly by extending current technologies, products and networks. By 2020, Cisco estimates there will be 50 billion connected devices. Gartner has forecast revenues of over $300 billion, just to IoT suppliers. Now is the time to figure out how you’ll make money – not just create innovative products. With hundreds of new products and companies jumping into the IoT fray every month, there’s no shortage of innovation. Despite this, McKinsey/VisionMobile data...
Dec. 1, 2015 04:00 PM EST Reads: 502
Cloud computing is unquestionably one of the driving forces of DevOps, as the automation of operations transforms enterprise software development. DevOps, however, is more than a technology trend, as it represents a move toward silo-busting, self-organizing horizontal teams that drive business velocity. At the same time, enterprise Digital Transformation represents an upheaval across the enterprise, as customer preferences and behavior drive enterprise technology decisions. This transformation ...
Dec. 1, 2015 03:45 PM EST
One of the most important tenets of digital transformation is that it’s customer-driven. In fact, the only reason technology is involved at all is because today’s customers demand technology-based interactions with the companies they do business with. It’s no surprise, therefore, that we at Intellyx agree with Patrick Maes, CTO, ANZ Bank, when he said, “the fundamental element in digital transformation is extreme customer centricity.” So true – but note the insightful twist that Maes adde...
Dec. 1, 2015 03:00 PM EST Reads: 476
Just over a week ago I received a long and loud sustained applause for a presentation I delivered at this year’s Cloud Expo in Santa Clara. I was extremely pleased with the turnout and had some very good conversations with many of the attendees. Over the next few days I had many more meaningful conversations and was not only happy with the results but also learned a few new things. Here is everything I learned in those three days distilled into three short points.
Dec. 1, 2015 03:00 PM EST Reads: 385
Most of the IoT Gateway scenarios involve collecting data from machines/processing and pushing data upstream to cloud for further analytics. The gateway hardware varies from Raspberry Pi to Industrial PCs. The document states the process of allowing deploying polyglot data pipelining software with the clear notion of supporting immutability. In his session at @ThingsExpo, Shashank Jain, a development architect for SAP Labs, discussed the objective, which is to automate the IoT deployment proces...
Dec. 1, 2015 03:00 PM EST Reads: 145
DevOps is about increasing efficiency, but nothing is more inefficient than building the same application twice. However, this is a routine occurrence with enterprise applications that need both a rich desktop web interface and strong mobile support. With recent technological advances from Isomorphic Software and others, rich desktop and tuned mobile experiences can now be created with a single codebase – without compromising functionality, performance or usability. In his session at DevOps Su...
Dec. 1, 2015 02:45 PM EST Reads: 448
Dec. 1, 2015 02:30 PM EST Reads: 271
As organizations realize the scope of the Internet of Things, gaining key insights from Big Data, through the use of advanced analytics, becomes crucial. However, IoT also creates the need for petabyte scale storage of data from millions of devices. A new type of Storage is required which seamlessly integrates robust data analytics with massive scale. These storage systems will act as “smart systems” provide in-place analytics that speed discovery and enable businesses to quickly derive meaningf...
Dec. 1, 2015 02:15 PM EST Reads: 451
SYS-CON Events announced today that Catchpoint, a global leader in monitoring, and testing the performance of online applications, has been named "Silver Sponsor" of DevOps Summit New York, which will take place on June 7-9, 2016 at the Javits Center in New York City. Catchpoint radically transforms the way businesses manage, monitor, and test the performance of online applications. Truly understand and improve user experience with clear visibility into complex, distributed online systems.Founde...
Dec. 1, 2015 12:15 PM EST
The annual holiday shopping season, which started on Thanksgiving weekend and runs through the end of December, is undoubtedly the most crucial time of the year for many eCommerce websites, with sales from this period having a dramatic effect on the year-end bottom line. Web performance – or, the overall speed and availability of a website or mobile site – is an issue year-round, but it takes on increased importance during the holidays. Ironically, it is at this time of year that networks and i...
Dec. 1, 2015 11:15 AM EST Reads: 166
Countless business models have spawned from the IaaS industry – resell Web hosting, blogs, public cloud, and on and on. With the overwhelming amount of tools available to us, it's sometimes easy to overlook that many of them are just new skins of resources we've had for a long time. In his general session at 17th Cloud Expo, Harold Hannon, Sr. Software Architect at SoftLayer, an IBM Company, broke down what we have to work with, discussed the benefits and pitfalls and how we can best use them ...
Dec. 1, 2015 10:45 AM EST Reads: 136
It's been a busy time for tech's ongoing infatuation with containers. Amazon just announced EC2 Container Registry to simply container management. The new Azure container service taps into Microsoft's partnership with Docker and Mesosphere. You know when there's a standard for containers on the table there's money on the table, too. Everyone is talking containers because they reduce a ton of development-related challenges and make it much easier to move across production and testing environm...
Dec. 1, 2015 10:00 AM EST Reads: 660
DevOps is an organizational and cultural rethink of how software-driven organizations can become organizations at velocity – agile enough to innovate and fast enough to deal with any change that comes their way. Information technology is a central enabler of DevOps, but today’s better-faster-cheaper technology is not the whole story, as tools are only as good as the people wielding them. The more fundamental story here is the organizational and cultural transformation necessary to take full adv...
Dec. 1, 2015 10:00 AM EST Reads: 102
Discussions of cloud computing have evolved in recent years from a focus on specific types of cloud, to a world of hybrid cloud, and to a world dominated by the APIs that make today's multi-cloud environments and hybrid clouds possible. In this Power Panel at 17th Cloud Expo, moderated by Conference Chair Roger Strukhoff, panelists addressed the importance of customers being able to use the specific technologies they need, through environments and ecosystems that expose their APIs to make true ...
Dec. 1, 2015 10:00 AM EST Reads: 581
ThoughtWorks has issued the latest Technology Radar, an assessment of trends significantly impacting software development and business strategy. The Technology Radar sets out the current changes in software development - things in motion to pay attention to based upon ThoughtWorks' day-to-day work and experience solving their clients' toughest challenges. "With the threat landscape still evolving, our latest edition of Technology Radar continues to focus on security and innovative approaches,...
Dec. 1, 2015 09:45 AM EST
Microservices are a very exciting architectural approach that many organizations are looking to as a way to accelerate innovation. Microservices promise to allow teams to move away from monolithic "ball of mud" systems, but the reality is that, in the vast majority of organizations, different projects and technologies will continue to be developed at different speeds. How to handle the dependencies between these disparate systems with different iteration cycles? Consider the "canoncial problem"...
Dec. 1, 2015 09:00 AM EST Reads: 485
The Internet of Things is clearly many things: data collection and analytics, wearables, Smart Grids and Smart Cities, the Industrial Internet, and more. Cool platforms like Arduino, Raspberry Pi, Intel's Galileo and Edison, and a diverse world of sensors are making the IoT a great toy box for developers in all these areas. In this Power Panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, panelists discussed what things are the most important, which will have the most profound...
Dec. 1, 2015 06:30 AM EST Reads: 515
As organizations shift towards IT-as-a-service models, the need for managing & protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection & E-Discovery of your data - whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise.
Dec. 1, 2015 06:00 AM EST Reads: 276
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, San...
Dec. 1, 2015 05:00 AM EST Reads: 624
PubNub has announced the release of BLOCKS, a set of customizable microservices that give developers a simple way to add code and deploy features for realtime apps.PubNub BLOCKS executes business logic directly on the data streaming through PubNub’s network without splitting it off to an intermediary server controlled by the customer. This revolutionary approach streamlines app development, reduces endpoint-to-endpoint latency, and allows apps to better leverage the enormous scalability of PubNu...
Dec. 1, 2015 05:00 AM EST Reads: 362