Securosis

Menu

Research

Summary: Time and Tourists

Rich April 25, 2014 No Comments

Rich here, Travel is about as close as any of us get to a time machine. Leave home, step into an airport, and you step out of your life, even in our hyper-connected world. Sure, you are still on email, still talking to your family over the phone or Skype/FaceTime, and still surrounded by screens spewing endless worthless updates on the tragedy du jour, but fundamentally you are cut off. From your normal life, daily patterns, and state of mind. It isn’t ‘bad’, but it is unavoidable – no matter how closely you hew to your familiar habits. Can you guess I am writing this Summary on an airplane? Yeah, go figure. Yesterday I finished the last trip on a string of travel that has kept me moving nearly every week since before the RSA conference in February. To be honest I haven’t really had a break since sometime before Thanksgiving. On top of the travel I have finished some of the more intense yet fulfilling research and projects of my career. It is cool to go from my first little 30-minute cloud presentation four or five years ago, to advising cloud providers on their technical security architectures and controls. I now get two weeks in a row at home before I knock out my next couple trips, with no behind-schedule project deliverables hovering on the horizon. While travel disconnects you from your life, it also spurs innovation and creativity by placing you in new environments, making new personal connections, and providing ample time for deep thoughts. Throughout this travel binge I have been speaking to tons of security and non-security IT pros throughout the world, getting a really good feel for what is happening at multiple levels of the industry. Mostly in my focus areas of cloud and DevOps. One thing that has popped out is that most cloud providers… aren’t. I have been seeing a ton of companies advertising themselves as Infrastructure as a Service, when they are really little more than remote hosting/colo options. They don’t included any autoscaling capabilities, and they tend to define ‘elastic’ as “click a bunch of stuff to launch a new virtual machine by hand”. Digging deep; some of them lack the fundamental technologies needed to even possibly scale to the size of an Azure, Google, Rackspace, or AWS; and a few poop their pants when I start going into the details. It is going to be interesting, and do your homework. The next tidbit is that many large enterprises are dipping their toes into the cloud, but most of them really don’t understand native cloud architectures so they stick with these non-elastic vendors. There is nothing inherently wrong with that but they don’t get the resiliency, agility, or economic benefits of going cloud native. I call them “cloud tourists”. Everyone needs to start someplace, and who am I to judge? But as usual there is a dark side. Non-elastic vendors are pushing not only false promises but a lot of misinformation in hopes of knocking off AWS (mostly). Factually incorrect information that misleads clients. I think I will do a blog post on it soon, either here or at devops.com because it is the kind of thing that can really cause enterprises headaches. Looking at the big analyst research, most of them fundamentally don’t understand the cloud and aren’t helping their clients. Lastly, one of the most rewarding lessons of the past few months has been the realization that my research on the cloud and Software Defined Security is dead on target. I am working the same problems as many of the major cloud-native brands – albeit not with their scale issues. I am coming up with the same answers, and reflecting their real practices. That is always my biggest fear as an analyst – especially going hands-on again – and it is a relief to know that the work we are publishing to help readers implement cloud security and DevOps is… you know… not analyst bullshit. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Sign up for our Cloud Security Training at Black Hat! Rich quoted on Mac security in USA Today. Mort quoted at DevOps.com. Mort wrote more on DevOps myths. Favorite Securosis Posts Mort: Understanding Role Based Access Control: Advanced Concepts Mike: Friday Summary: The IT Dysfunction Issue. There may be something to this DevOps thing. I’m glad Adrian (and Rich) like the Phoenix Project. It offers a quick glimpse into the future of provisioning/delivering value to customers through technology. Rich: Pass the Hemlock. I view it a little differently, taking survival lessons from my full-time paramedic days. The patient is the one who is sick, not you. Empathize, but maintain detachment. You invest yourself into work, but at the end of the day there are things you can’t change. If that gets to you too much, move on. Rich #2: Verizon DBIR 2014: Incident Classification Patterns. Other Securosis Posts Incite 4/23/2014: New Coat of Paint. DDoS-fuscation. Favorite Outside Posts Rich: It’s time for the FCC to stand up for Americans instead of ruining the internet. I realize the U.S. political system is no longer by and for the people, but this is an incredibly anti-business stance that sacrifices all businesses to help out a few. Mort: On Policy in the Data Center: The policy problem. Mike: Choose Your Own DBIR Adventure. Kudos to our buddy Rick Holland (congrats on the new baby BTW), who between changing diapers managed a good summary of the DBIR. He even has a section about how to use the DBIR (that seems familiar – I wonder why…). But flattery via imitation aside, Rick’s perspectives on the DBIR are solid. Gunnar’s World Gunnar had a bunch of related links, so we putting them all together in his words: I have one theme with a couple of links “If you are competing with Microsoft, which is to say you are in the technology business – have a look at the track record under Satya Nadella so far – sh*t just got real.” Azure Beyond Windows Beyond

Share:
Read Post
dinosaur-sidebar

Research

view all

Sign Up for Our Newsletter

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.