Resiliency, Risk Management Add a New Dimension to Discussions about Enterprise Security
Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on how our views of security need to be expanded beyond protecting the perimeter.

Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. This time, we're coming to you directly from the HP Discover 2012 Conference in Las Vegas. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

At the event, I had a chance to sit down with Raf Los of HP Software. Raf has an interesting personal perspective on "enterprise resiliency," which I initially heard about through his blog, Following the White Rabbit.

Raf will now share his point of view, and you can also read more about "enterprise resiliency" on Raf's blog, or by following him on Twitter at @wh1t3rabbit.

With that, please join me now in welcoming Raf Los. Welcome back.

Raf Los: Thank you for having me again.

Gardner: Tell me a little bit about your vision. We all understand security and why it's important, but you've developed, I think, an expanded category for security. Tell me what you mean and where that is heading.

Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it secure or is it not? As we move forward, I believe very strongly that what we're evolving into is, as we've heard people talk about, risk management. Risk management starts to include things that are beyond the security borders. As I talked to customers out here, I was having an "aha" moment.
A little while ago, at one of our converged cloud chats, we were talking about how things fail. Everything fails at some point, and chaos takes over.

So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing ourselves into threats from a security perspective, the evolution of that goes into enterprise resiliency. What that means is that it's a combination of recoverability, security, performance, and all the other things that bring together a well-oiled business that can let you take a shot to the gut, get back up, and keep going.

A lot of the CISOs nowadays are set up to fail by their organizations. It's a non-winning position, because you're put into a position where the board of directors, if you're lucky, or your CTO or your CIO asks, "How much money do you need to secure this organization?"

That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have $10 million, a billion dollars, there's no amount of money you can spend to make your company completely secure.

Acceptable risk

So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of what and how and how much you're aiming for. It's not just acceptable risk. We're looking at acceptable risk from a security perspective, but we need to incorporate the fact that we're going to get owned. We need to get out of our ivory towers and we need to start thinking about the fact that attacks happen and insiders happen. There are things that are going to transpire that are beyond our control and things that we cannot plan for. Technology will fail.

People and processes will fail. Our own technologies, our own minds will fail us. Our best friends will fail us. People get tempted. This is human nature: the weakest element will always be a human being, and there's no patch for that.

So how do we move and get back to business as usual? How do we get back to being a resilient business?
That's a cool concept -- that I have enterprise resiliency.

Gardner: This makes great sense to me, because we've been talking, over the past several years, about how security needs to be applied to different parts of the organization holistically and needs to be thought of in advance, be built in, and become part of a lifecycle.

But it makes double sense to me to expand the purview of security. It really is in making sure that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a great deal of sense.

Los: Absolutely, and that's exactly where this is coming from. I've actually given a series of talks and called it the introduction of Chief Chaos Officer. It's not an actual role you're going to see on monster.com, but it's just a concept. It's kind of like the aging Killcraft, a Chaos Monkey thing from Netflix.
Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I gave, it comes from the perspective of you've got a lot of great security technology. You've probably got full disk encryption. You back up. You have firewalls, redundant networks, and all these things that you do.

You have procedures that you're supposed to follow in the red book, a big red binder that sits on your incident response handler's desk, and you have all these things that are supposed to be followed.

Your people are trained, and your developers are supposedly writing better source code. These are all things that we can test through penetration testing, which means on Sunday between 7:00 p.m. and Monday 3:00 a.m. on the following four IPs, but only when we're ready. Can you go ahead and pen-test us?

No patch for the human

And it's like, okay, we've tested ourselves, we're confident that we're secure. I'm making kind of a scrunchy face, because that's not really what this means. I've worked with folks who are red-team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the human.

When you can't penetrate a system or an organization via a new 0-day, you'll walk in through the front door by walking in carrying flowers from the CEO's wife or something, and you'll own the organization that way.

But the question isn't whether you'll be owned or not. What happens next is the big question, and it encompasses things like how good is your PR strategy. Do you have all the legal pieces in place? When your backup system fails or your entire data center gets wiped out by Hurricane Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that stinks. Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?

Gardner: Okay, let's go to the cloud.
I've been speaking with a number of folks lately who hold the opinion that at least for small-to-medium sized businesses (SMBs), going to the cloud can improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might be a longer haul and there might be more complications and issues to manage.

Do you agree with that, that the SMB can outsource some of this resiliency to the cloud provider who needs to do it and has the resources and experience to do it better than the SMBs do?

Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is expensive and good security talent that can actually work towards a more resilient, more secure enterprise is very difficult to come by. It's becoming scarce.
So small companies do the best they can with what they have their hands on. And there's certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the bar for everybody? I can't say yes. On the whole, do I believe it raises the bar? Absolutely. Let's take the angle of threat intelligence.

I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like? If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions of times a day and probably subscribes to numerous threat-intelligence services. They know exactly what to look for. And if they don't, they can find out pretty quickly. They probably have a ton of resources from the security perspective.

Do I think it's better? Absolutely. SMBs have a lot to gain by taking that step. You have to be intelligent about it. You can't just say, "I'm going to move to the cloud and I'll be secure." Let's be realistic about it. Get a partner that will get you there. Do due diligence on the partner that you're choosing to work with. You still can't run into the water with your eyes closed, but I think there's a lot of benefit to be had, absolutely.

Gardner: And as we're learning more here at Discover about the HP Converged Cloud, in a sense, it's a cloud of clouds. You have hybrid delivery. You might have a variety of sources for applications and services. You might have data in a variety of sources across a variety of organizations, running from on-premises to managed hosting to multiple cloud and SaaS providers.

Is there a way that, in addition to the security that's going on within those organizations, you can add more security at that converged cloud layer, particularly when you're converging network storage, workload provisioning, governance, and so forth?
What's the add-on value that the HP Converged Cloud can bring resiliency-wise?

Choice, consistency, confidence

Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency, and confidence. We're focusing on consistency and confidence here and perhaps a little bit of choice as well.

What we're saying is that because we focus on OpenStack, because we've chosen to build our platform completely on OpenStack, because we're building across a single model, a single way of operating, as Meg said yesterday, you can build a single security operating model and you'll be able to implement it across your private, public, and hybrid models.

I don't think it's realistic to say every company will have a public cloud-only presence, just as I don't think it's realistic to say companies won't have a public cloud presence. Most organizations will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all of that somehow sharing space and workload, bursting out to each other when necessary.
As I said, systems fail, clouds fail, everything fails. So when we think about, and we've had this on our converged cloud chat, when things fail, you have to start architecting for failure and resiliency.

Because of this architecture that we've had, if you choose to get one other partner to back up what you have with us, pick a partner that's got the same OpenStack platform and the same models. It's not going to be hard. There are lots of them out there.

OpenStack is a big platform. You should be able to build once, package once, deploy many times. This saves on manpower, on cost, and on having to redevelop the security wheel over and over and over again. That provides unbelievable amounts of flexibility of what you can do with your enterprise.

When one cloud or the connectivity to one cloud fails, or maybe not fails, but you get attacked in one position, you can bring up other capacity to compensate for that. That's where the true value of cloud comes in. It's elastic computing. It's not a marketing buzzword.

Gardner: And when we think about the HP philosophy about cloud, that it's not lock-in, that it's not tied to a single nameplate on the cloud, it seems to me that there's an opportunity to reduce risk further, when you have open, fungible elasticity and bursting. If there is a trouble, a problem that comes up, or a red light goes on, you can, according to people I've spoken to, literally move an entire data center virtually from one location to another, reconstitute your perimeter, and so forth.

So is there an inherent benefit, security and resilience, in the ecumenical bursting approach that HP is adopting?

Los: Absolutely. That's what that whole choice part is. That's the word that we're using. It's choice, consistency, and confidence. We were all consumers, Meg was a consumer of ours as well, at some point. I was a consumer before I became a vendor.

Option to standardize

This is the longest I've ever worked for a vendor in my life and I can't imagine myself anywhere else.
The reason for that is because I think we give people the option to standardize on us, but if they chose to move off of us at some point, it's okay. We're not going to make them completely redevelop their platforms. That makes the reason to stay with us that much more compelling.

This is one of those things where locking somebody into a platform is a terrible idea. Vendors used to do this years and years ago with the more proprietary platforms. "We'll get them on it, and they'll never be able to get off." That's not smart thinking. It's just not.

Gardner: It's not resilient.
Los: It's not resilient, because it fails everybody. It builds animosity and tension, and when something fails, everybody loses.

Gardner: One last area I'd like to get into is this idea that we're seeing highly virtualized environments. We're talking about virtualized server instances, workloads, and network storage. Disaster recovery (DR) technologies have evolved to the point where we're mirroring and moving entire data centers virtually from one location to another, if there's a resiliency issue like a natural disaster or a security or cyber attack that impacts an electric grid or something along those lines.

Is there a sort of a tipping point that we're at, when it comes to higher levels of virtualization, some of the DR speeds, working with de-duplication and reducing the amount that needs to be moved in these instances, that gives us this higher level of security, simply because of the mobility with which we can now exercise for vast amounts of data and applications?

Los: I believe so. Do I have an answer for that that's clear and crisp? No, I don't know, and I saw a lot of that fantastic stuff. One of the things that caught my attention is we've broken the 100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky to get 100 gigs an hour, and I remember 100 megabytes an hour being a challenge on those giant DLT tapes, sometimes over networks.

The idea that we can take an entire cloud and, because of data de-duplication, because of the way we move workloads and policies all in one fell swoop, and the way we package things once and move them, as a model, rather than everything together, moving metadata rather than the actual data, it gives us the ability to move things.

One thing that everybody needs to think about is what this is doing for our bandwidth requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion with our networking folks.
People are building clouds all over the place now and that's great, but it's really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute metric ton of data, and then say, "I want to move." How are you going to take your data from there to there? That's a big question.

You need to do your homework ahead of time, make sure you know what you're getting into, and make sure you know what technologies are being supported. Don't get in and know the dinosaur. This is all important stuff, and you want to have a vendor and a partner that is at the cutting edge of technology for stuff like this.

As Jeff Katzenberg, somebody who has been in the cloud business since before cloud was a marketing buzzword, said, "Hi. We're HP. We've been doing this for a while. Join us. The water is fine."

Gardner: Very good. I'm afraid we'll have to leave it there. We've been talking with Raf Los of HP Software on his interesting personal perspectives about the evolution of security into the concept of enterprise resiliency, and how that also impacts the move to cloud and cloud models. Thanks so much, Raf.
Los: Thank you for having me once again.

Gardner: And thanks to our audience for joining this special HP Discover Performance podcast, coming to you from the HP Discover 2012 Conference in Las Vegas. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP-sponsored discussions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.