Click here to close now.

Welcome!

Microservices Journal Authors: Carmen Gonzalez, Yeshim Deniz, Jayaram Krishnaswamy, XebiaLabs Blog, Roger Strukhoff

Related Topics: Security, Java, Microservices Journal, Virtualization, Web 2.0, Cloud Expo

Security: Article

The Future of Security in the Enterprise

Raf Los: Extend IT security to its mature state of enterprise resiliency

This edition of the HP Discover Performance podcast series examines the future of security in the enterprise. As the need to protect and manage assets extends beyond the four walls of the organization -- with the adoption of cloud and mobile -- how should the thinking about traditional security adjust?

I recently had a chance to sit down with Raf Los of HP Software to gather his perspective on the answer to that question. Los has an interesting personal perspective on the concept of “enterprise resiliency,” which I initially heard about through his blog, Following the White Rabbit. He's also on Twitter at @wh1t3rabbit. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Join me as we unpack with Los the concept of enterprise resiliency as the natural maturity direction for IT security in general.

Here are some excerpts from our discussion:

Gardner: Tell me a little bit about your vision. We all understand security and why it’s important, but you've developed, I think, an expanded category for security.

Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it secure or is it not? As we move forward, I believe very strongly that what we’re evolving into is, as we’ve heard people talk about, risk management.

Risk management starts to include things that are beyond the security borders. As I talked to customers out here, I was having an "aha" moment. A little while ago, at one of our converged cloud chats, we were talking about how things fail. Everything fails at some point, and chaos takes over.

So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing ourselves into threats from a security perspective, the evolution of that goes into enterprise resiliency. What that means is that it’s a combination of recoverability, security, performance, and all the other things that bring together a well-oiled business that can let you take a shot to the gut, get back up, and keep going.

A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position, because you're put into a position where the board of directors, if you’re lucky, or your CTO or your CIO asks, "How much money do you need to secure this organization?"

That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have $10 million, a billion dollars, there's no amount of money you can spend to make your company completely secure.

Acceptable risk

So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of what and how and how much you’re aiming for. It’s not just acceptable risk. We’re looking at acceptable risk from a security perspective, but we need to incorporate the fact that we're going to get owned.

We need to get out of our ivory towers and we need to start thinking about the fact that attacks happen and insiders happen. There are things that are going to transpire that are beyond our control and things that we cannot plan for.

Technology will fail. People and processes will fail. Our own technologies, our own minds will fail us. Our best friends will fail us. People get tempted. This is a human nature that the weakest element will always be a human being, and there's no patch for that.

So how do we move and get back to business as usual? How we get back to being a resilient business. That’s a cool concept -- that I have enterprise resiliency.

Gardner: This makes great sense to me, because we’ve been talking, over the past several years, about how security needs to be applied to different parts of the organization holistically and needs to be thought of in advance, be built in, and become part of a lifecycle.

But it makes double sense to me to expand the purview of security. It really is in making sure that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a great deal of sense.

Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey thing from Netflix.

Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I gave, it comes from the perspective of you’ve got a lot of great security technology. You've probably got full disk encryption. You back up. You have firewalls, redundant networks, and all these things that you do.

You have procedures that you’re supposed to follow in the red book, a big red binder that sits on your incident response handler's desk, and you have all these things that are supposed to be followed.

Your people are trained, and your developers are supposedly writing better source code. These are all things that we can test through penetration testing, which means on Sunday between 7:00 p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready.

No patch for the human

A
nd it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind of a scrunchy face, because that’s not really what this means. I've worked with folks who are red-team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the human.

When you can’t penetrate a system or an organization via a new Zero-day, you'll walk in through the front door by walking and carrying flowers from the CEO's wife or something, and you'll own the organization that way.

But the question isn’t whether you'll be owned or not. What happens next is the big question, and it encompasses things like how good is your PR strategy. Do you have all the legal pieces in place? When your backup system fails or your entire data center gets wiped out by Hurricane Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that stinks? Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?

Gardner: I've been speaking with a number of folks lately who hold the opinion that, at least for small-to-medium sized businesses (SMBs), going to the cloud can improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might be a longer haul and there might be more complications and issues to manage.

Do you agree with that that the SMB can outsource some of this resiliency to the cloud provider who needs to do it and has the resources and experience to do it better than the SMBs do?

Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is expensive and good security talent that can actually work towards a more resilient, more secure enterprise is very difficult to come by. It’s becoming scarce.

So small companies do the best they can with what they have their hands on. And there's certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's take the angle of threat intelligence.

I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like? If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions of times a day and probably subscribes to numerous threat-intelligence services. They know exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a ton of resources from the security perspective.

Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s be realistic about it. Get a partner that will get you there. Do due diligence on the partner that you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think there's a lot of benefit to be had, absolutely.

Gardner: And as we’re learning more about the HP Converged Cloud, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for applications and services. You might have data in a variety of sources across a variety of organizations, running from on-premises to managed hosting to multiple cloud and SaaS providers.

Is there a way that, in addition to the security that's going on within those organizations, you can add more security at that converged cloud layer, particularly when you’re converging network storage, workload provisioning, governance, and so forth. What’s the add-on value that the HP Converged Cloud can bring resiliency-wise?

Choice, consistency, confidence

Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency, and confidence. We’re focusing on consistency and confidence here and perhaps a little bit of choice as well.

What we’re saying is that because we focus on OpenStack, because we’ve chosen to build our platform completely on OpenStack, because we’re building across a single model, a single way of operating, as [HP CEO] Meg Whitman said at Discover in June. You can build a single security operating model and you'll be able to implement it across your private, public, and hybrid models.

I don’t think it’s realistic to say every company will have a public cloud-only presence, just as I don’t think it’s realistic to say companies won’t have a public cloud presence. Most organizations will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all of that somehow sharing space and workload, bursting out to each other when necessary.

As I said systems fail, clouds fail, everything fails. So when we think about, and we’ve had this on our converged cloud chat, when things fail, you have to start architecting for failure and resiliency.

Because of this architecture that we’ve had, if you choose to get one other partner to back up what you have with us, pick a partner that's got the same OpenStack platform and the same models. It’s not going to be hard. There are lots of them out there.

OpenStack is a big platform. You should be able to build once, package once, deploy many times. This saves on manpower, on cost, and on having to redevelop the security wheel over and over and over again. That provides unbelievable amounts of flexibility of what you can do with your enterprise.

When one cloud or a connectivity to one cloud fails, or maybe not fails, but you get attacked in one position, you can bring up other capacity to compensate for that. That's where the true value of cloud comes in. It’s elastic computing. It’s not a marketing buzzword.

Gardner: We’re seeing a lot of highly virtualized environments. We’re talking about virtualized server instances, workloads, and network, storage. Disaster recovery (DR) technologies have evolved to the point where we're mirroring and moving entire data centers virtually from one location to another, if there's a resiliency issue like a natural disaster or a security or cyber attack that impacts an electric grid or something along those lines.

Is there a sort of a tipping point that we’re at, when it comes to higher levels of virtualization, some of the DR speeds, working with de-duplication and reducing the amount that needs to be moved in these instances, that gives us this higher level of security, simply because of the mobility in which we can now exercise for vast amounts of data and applications?

Los: I believe so. Do I have an answer for that that’s clear and crisp? No, I don’t know, and I saw a lot of that fantastic stuff. One of the things that caught my attention is we’ve broken the 100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky to get 100 gigs an hour and I remember 100 megabytes an hour being a challenge on those giant DLT tapes sometimes over networks.

The idea that we can take an entire cloud and because of data de-duplication, because of the way we move workloads and policies all in one fell swoop, and the way we package things once and move them, as a model, rather than everything together, moving metadata rather than the actual data, it gives us the ability to move things.

One thing that everybody needs to think about is what is this doing for our bandwidth requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion with our networking folks. People are building clouds all over the place now and that's great, but it’s really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute metric ton of data, and then say, "I want to move." How are you going to take your data from there to there? That’s a big question.

You need to do your homework ahead of time, make sure you know what you’re getting into, and make sure you know what technologies are being supported.

You may also be interested in:

More Stories By Dana Gardner

At Interarbor Solutions, we create the analysis and in-depth podcasts on enterprise software and cloud trends that help fuel the social media revolution. As a veteran IT analyst, Dana Gardner moderates discussions and interviews get to the meat of the hottest technology topics. We define and forecast the business productivity effects of enterprise infrastructure, SOA and cloud advances. Our social media vehicles become conversational platforms, powerfully distributed via the BriefingsDirect Network of online media partners like ZDNet and IT-Director.com. As founder and principal analyst at Interarbor Solutions, Dana Gardner created BriefingsDirect to give online readers and listeners in-depth and direct access to the brightest thought leaders on IT. Our twice-monthly BriefingsDirect Analyst Insights Edition podcasts examine the latest IT news with a panel of analysts and guests. Our sponsored discussions provide a unique, deep-dive focus on specific industry problems and the latest solutions. This podcast equivalent of an analyst briefing session -- made available as a podcast/transcript/blog to any interested viewer and search engine seeker -- breaks the mold on closed knowledge. These informational podcasts jump-start conversational evangelism, drive traffic to lead generation campaigns, and produce strong SEO returns. Interarbor Solutions provides fresh and creative thinking on IT, SOA, cloud and social media strategies based on the power of thoughtful content, made freely and easily available to proactive seekers of insights and information. As a result, marketers and branding professionals can communicate inexpensively with self-qualifiying readers/listeners in discreet market segments. BriefingsDirect podcasts hosted by Dana Gardner: Full turnkey planning, moderatiing, producing, hosting, and distribution via blogs and IT media partners of essential IT knowledge and understanding.

@MicroservicesExpo Stories
Public Cloud IaaS started it's life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in ado...
Dave will share his insights on how Internet of Things for Enterprises are transforming and making more productive and efficient operations and maintenance (O&M) procedures in the cleantech industry and beyond. Speaker Bio: Dave Landa is chief operating officer of Cybozu Corp (kintone US). Based in the San Francisco Bay Area, Dave has been on the forefront of the Cloud revolution driving strategic business development on the executive teams of multiple leading Software as a Services (SaaS) ap...
Microsoft is releasing in the near future Azure Service Fabric as a preview beta. Azure Service Fabric is built to run microservices - a complex application consisting of smaller, interlocked components that enables updating components without disrupting service. Microsoft has used this over the past few years internally for many of its own applications and the new release is for general use, a new product. OSIsoft is an early adopter of this system and run with it to expand into the explo...
ProfitBricks, the provider of painless cloud infrastructure IaaS, today released its SDK for Ruby, written against the company's new RESTful API. The new SDK joins ProfitBricks' previously announced support for the popular multi-cloud open-source Fog project. This new Ruby SDK, which exposes advanced functionality to take advantage of ProfitBricks' simplicity and productivity, aligns with ProfitBricks' mission to provide a painless way to automate infrastructure in the cloud. Ruby is a genera...
ProfitBricks, the provider of painless cloud infrastructure for IaaS, today announced the release of a Node.js SDK written against its recently launched REST API. This new JavaScript based library provides coverage for all existing ProfitBricks REST API functions. With additional libraries set to release this month, ProfitBricks continues to prove its dedication to the DevOps community and commitment to making cloud migrations and cloud management painless. Node.js is an open source, cross-pl...
ProfitBricks has launched its new DevOps Central and REST API, along with support for three multi-cloud libraries and a Python SDK. This, combined with its already existing SOAP API and its new RESTful API, moves ProfitBricks into a position to better serve the DevOps community and provide the ability to automate cloud infrastructure in a multi-cloud world. Following this momentum, ProfitBricks has also introduced several libraries that enable developers to use their favorite language to code ...
ProfitBricks, the provider of painless cloud infrastructure IaaS, announced the launch of its new DevOps Central and REST API, along with support for three multi-cloud libraries and a Python SDK. This, combined with its already existing SOAP API and its new RESTful API, moves ProfitBricks into a position to better serve the DevOps community and provide the ability to automate cloud infrastructure in a multi-cloud world. Following this momentum, ProfitBricks is also today introducing several l...
What exactly is a cognitive application? In her session at 16th Cloud Expo, Ashley Hathaway, Product Manager at IBM Watson, will look at the services being offered by the IBM Watson Developer Cloud and what that means for developers and Big Data. She'll explore how IBM Watson and its partnerships will continue to grow and help define what it means to be a cognitive service, as well as take a look at the offerings on Bluemix. She will also check out how Watson and the Alchemy API team up to off...
The 17th International Cloud Expo has announced that its Call for Papers is open. 17th International Cloud Expo, to be held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, APM, APIs, Microservices, Security, Big Data, Internet of Things, DevOps and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding bu...
The 5th International DevOps Summit, co-located with 17th International Cloud Expo – being held November 3-5, 2015, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the...
SYS-CON Events announced today the DevOps Foundation Certification Course, being held June ?, 2015, in conjunction with DevOps Summit and 16th Cloud Expo at the Javits Center in New York City, NY. This sixteen (16) hour course provides an introduction to DevOps – the cultural and professional movement that stresses communication, collaboration, integration and automation in order to improve the flow of work between software developers and IT operations professionals. Improved workflows will res...
So I guess we’ve officially entered a new era of lean and mean. I say this with the announcement of Ubuntu Snappy Core, “designed for lightweight cloud container hosts running Docker and for smart devices,” according to Canonical. “Snappy Ubuntu Core is the smallest Ubuntu available, designed for security and efficiency in devices or on the cloud.” This first version of Snappy Ubuntu Core features secure app containment and Docker 1.6 (1.5 in main release), is available on public clouds, ...
There is no quick way to learn Jython API but to experiment with it. The easiest way is to start with Jytutor extension for XL Deploy. Now you can also use the code snippet for exposing jython/python context in XL Deploy environment by running it directly in Jytutor Here’s how you can go ahead with that Download the Jytutor extension referring to the Jytutor Blog or from the following link https://github.com/xebialabs-community/xld-jytutor-plugin/releases Shutdown your XL Deploy server...
79% of new products miss their launch date. That was the conclusion of a CGT/Sopheon Survey in which the impact of such market misses were also explored. What it didn't dig into was the reason why so many products and projects miss their launch date. When we start digging into the details with respect to applications, we can find at least one causal factor in the delivery process, specifically that portion which focuses on the actual move into production, from which consumers (internal and...
Security is one the more prominent of the application service categories, likely due to its high profile impact. After all, if security fails, we all hear about it. The entire Internet. Forever. So when one conducts a survey on the state of application delivery (which is implemented using application services) you kinda have to include security. Which of course, we did.
The world's leading Cloud event, Cloud Expo has launched Microservices Journal on the SYS-CON.com portal, featuring over 19,000 original articles, news stories, features, and blog entries. DevOps Journal is focused on this critical enterprise IT topic in the world of cloud computing. Microservices Journal offers top articles, news stories, and blog posts from the world's well-known experts and guarantees better exposure for its authors than any other publication. Follow new article posts on T...
The concept and subsequent adoption of 'Containerization'' is growing at a rapid speed with the support of almost every other major player in the industry. This concept is much more efficient than the Virtualization which has been a major option for Infrastructure optimization in the past decade. The following factors distinguish a Container from a Virtual Machine. Containers contain Only the Application Specific libraries and binaries. They do not include a guest operating system. Rather ...
Chef and Canonical announced a partnership to integrate and distribute Chef with Ubuntu. Canonical is integrating the Chef automation platform with Canonical's Machine-As-A-Service (MAAS), enabling users to automate the provisioning, configuration and deployment of bare metal compute resources in the data center. Canonical is packaging Chef 12 server in upcoming distributions of its Ubuntu open source operating system and will provide commercial support for Chef within its user base.
In 2015, 4.9 billion connected "things" will be in use. By 2020, Gartner forecasts this amount to be 25 billion, a 410 percent increase in just five years. How will businesses handle this rapid growth of data? Hadoop will continue to improve its technology to meet business demands, by enabling businesses to access/analyze data in real time, when and where they need it. Cloudera's Chief Technologist, Eli Collins, will discuss how Big Data is keeping up with today's data demands and how in t...
Choosing between BIG-IP and LineRate isn't as difficult as it seems.... Our recent announcement of the availability of LineRate Point raised the same question over and over: isn't this just a software-version of BIG-IP? How do I know when to choose LineRate Point instead of BIG-IP VE (Virtual Edition)? Aren't they the same?? No, no they aren't. LineRate Point (and really Line Rate Precision, too) is more akin to an app proxy while BIG-IP VE remains, of course, an ADC (Application Delivery ...