Summary: Time and TouristsBy Rich
Travel is about as close as any of us get to a time machine.
Leave home, step into an airport, and you step out of your life, even in our hyper-connected world. Sure, you are still on email, still talking to your family over the phone or Skype/FaceTime, and still surrounded by screens spewing endless worthless updates on the tragedy du jour, but fundamentally you are cut off. From your normal life, daily patterns, and state of mind. It isn’t ‘bad’, but it is unavoidable – no matter how closely you hew to your familiar habits.
Can you guess I am writing this Summary on an airplane? Yeah, go figure.
Yesterday I finished the last trip on a string of travel that has kept me moving nearly every week since before the RSA conference in February. To be honest I haven’t really had a break since sometime before Thanksgiving. On top of the travel I have finished some of the more intense yet fulfilling research and projects of my career. It is cool to go from my first little 30-minute cloud presentation four or five years ago, to advising cloud providers on their technical security architectures and controls. I now get two weeks in a row at home before I knock out my next couple trips, with no behind-schedule project deliverables hovering on the horizon.
While travel disconnects you from your life, it also spurs innovation and creativity by placing you in new environments, making new personal connections, and providing ample time for deep thoughts. Throughout this travel binge I have been speaking to tons of security and non-security IT pros throughout the world, getting a really good feel for what is happening at multiple levels of the industry. Mostly in my focus areas of cloud and DevOps.
One thing that has popped out is that most cloud providers… aren’t. I have been seeing a ton of companies advertising themselves as Infrastructure as a Service, when they are really little more than remote hosting/colo options. They don’t included any autoscaling capabilities, and they tend to define ‘elastic’ as “click a bunch of stuff to launch a new virtual machine by hand”. Digging deep; some of them lack the fundamental technologies needed to even possibly scale to the size of an Azure, Google, Rackspace, or AWS; and a few poop their pants when I start going into the details. It is going to be interesting, and do your homework.
The next tidbit is that many large enterprises are dipping their toes into the cloud, but most of them really don’t understand native cloud architectures so they stick with these non-elastic vendors. There is nothing inherently wrong with that but they don’t get the resiliency, agility, or economic benefits of going cloud native. I call them “cloud tourists”. Everyone needs to start someplace, and who am I to judge?
But as usual there is a dark side. Non-elastic vendors are pushing not only false promises but a lot of misinformation in hopes of knocking off AWS (mostly). Factually incorrect information that misleads clients. I think I will do a blog post on it soon, either here or at devops.com because it is the kind of thing that can really cause enterprises headaches. Looking at the big analyst research, most of them fundamentally don’t understand the cloud and aren’t helping their clients.
Lastly, one of the most rewarding lessons of the past few months has been the realization that my research on the cloud and Software Defined Security is dead on target. I am working the same problems as many of the major cloud-native brands – albeit not with their scale issues. I am coming up with the same answers, and reflecting their real practices. That is always my biggest fear as an analyst – especially going hands-on again – and it is a relief to know that the work we are publishing to help readers implement cloud security and DevOps is… you know… not analyst bullshit.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Sign up for our Cloud Security Training at Black Hat!
- Rich quoted on Mac security in USA Today.
- Mort quoted at DevOps.com.
- Mort wrote more on DevOps myths.
Favorite Securosis Posts
- Mort: Understanding Role Based Access Control: Advanced Concepts
- Mike: Friday Summary: The IT Dysfunction Issue. There may be something to this DevOps thing. I’m glad Adrian (and Rich) like the Phoenix Project. It offers a quick glimpse into the future of provisioning/delivering value to customers through technology.
- Rich: Pass the Hemlock. I view it a little differently, taking survival lessons from my full-time paramedic days. The patient is the one who is sick, not you. Empathize, but maintain detachment. You invest yourself into work, but at the end of the day there are things you can’t change. If that gets to you too much, move on.
- Rich #2: Verizon DBIR 2014: Incident Classification Patterns.
Other Securosis Posts
Favorite Outside Posts
- Rich: It’s time for the FCC to stand up for Americans instead of ruining the internet. I realize the U.S. political system is no longer by and for the people, but this is an incredibly anti-business stance that sacrifices all businesses to help out a few.
- Mort: On Policy in the Data Center: The policy problem.
- Mike: Choose Your Own DBIR Adventure. Kudos to our buddy Rick Holland (congrats on the new baby BTW), who between changing diapers managed a good summary of the DBIR. He even has a section about how to use the DBIR (that seems familiar – I wonder why…). But flattery via imitation aside, Rick’s perspectives on the DBIR are solid.
Gunnar had a bunch of related links, so we putting them all together in his words:
I have one theme with a couple of links
“If you are competing with Microsoft, which is to say you are in the technology business – have a look at the track record under Satya Nadella so far – sh*t just got real.”
I love capitalism, I love it when a company left for dead comes roaring back and does something amazing. Think Apple a decade ago. It’s very early in Nadella’s tenure, but this could be very fun to watch. He won me over in the first press conference quoting T.S. Eliot, “You should never cease from exploration, and at the end of all exploring you arrive where you started and know the place for the very first time.” How refreshing and inspiring!
Research Reports and Presentations
- Reducing Attack Surface with Application Control.
- Leveraging Threat Intelligence in Security Monitoring.
- The Future of Security: The Trends and Technologies Transforming Security.
- Security Analytics with Big Data.
- Security Management 2.5: Replacing Your SIEM Yet?
- Defending Data on iOS 7.
- Eliminate Surprises with Security Assurance and Testing.
- What CISOs Need to Know about Cloud Computing.
- Defending Against Application Denial of Service Attacks.
- Executive Guide to Pragmatic Network Security Management.
Top News and Posts
Due to my travel and isolation news is a bit thin this week – sorry about that…
- Attackers Exploit the Heartbleed OpenSSL Vulnerability to Circumvent Multi-factor Authentication on VPNs.
- Q & A: Speaking DevOps and Threat Modeling with the author of Threat Modeling: Designing for Security.
- Report urges building resilience to future cyber shocks. This from an insurance company, so take note.
Blog Comment of the Week
This week’s best comment goes to Marco, in response to Verizon DBIR 2014: Incident Classification Patterns.
Good call out on the call center times. In a CC environment, saving seconds in the average interaction can be the justification for huge investments and changes. If you start adding seconds to the standard interaction ‘for security’ you’ll have some unpleasant conversations in front of you. I can only shudder when thinking about adding minutes … Remember: a few seconds for the individual interaction doesn’t sound like much, but when you multiply that by hundreds or thousands interactions a day, you start to see the problem.