Rich here,

Travel is about as close as any of us get to a time machine.

Leave home, step into an airport, and you step out of your life, even in our hyper-connected world. Sure, you are still on email, still talking to your family over the phone or Skype/FaceTime, and still surrounded by screens spewing endless worthless updates on the tragedy du jour, but fundamentally you are cut off. From your normal life, daily patterns, and state of mind. It isn’t ‘bad’, but it is unavoidable – no matter how closely you hew to your familiar habits.

Can you guess I am writing this Summary on an airplane? Yeah, go figure.

Yesterday I finished the last trip on a string of travel that has kept me moving nearly every week since before the RSA conference in February. To be honest I haven’t really had a break since sometime before Thanksgiving. On top of the travel I have finished some of the more intense yet fulfilling research and projects of my career. It is cool to go from my first little 30-minute cloud presentation four or five years ago, to advising cloud providers on their technical security architectures and controls. I now get two weeks in a row at home before I knock out my next couple trips, with no behind-schedule project deliverables hovering on the horizon.

While travel disconnects you from your life, it also spurs innovation and creativity by placing you in new environments, making new personal connections, and providing ample time for deep thoughts. Throughout this travel binge I have been speaking to tons of security and non-security IT pros throughout the world, getting a really good feel for what is happening at multiple levels of the industry. Mostly in my focus areas of cloud and DevOps.

One thing that has popped out is that most cloud providers… aren’t. I have been seeing a ton of companies advertising themselves as Infrastructure as a Service, when they are really little more than remote hosting/colo options. They don’t included any autoscaling capabilities, and they tend to define ‘elastic’ as “click a bunch of stuff to launch a new virtual machine by hand”. Digging deep; some of them lack the fundamental technologies needed to even possibly scale to the size of an Azure, Google, Rackspace, or AWS; and a few poop their pants when I start going into the details. It is going to be interesting, and do your homework.

The next tidbit is that many large enterprises are dipping their toes into the cloud, but most of them really don’t understand native cloud architectures so they stick with these non-elastic vendors. There is nothing inherently wrong with that but they don’t get the resiliency, agility, or economic benefits of going cloud native. I call them “cloud tourists”. Everyone needs to start someplace, and who am I to judge?

But as usual there is a dark side. Non-elastic vendors are pushing not only false promises but a lot of misinformation in hopes of knocking off AWS (mostly). Factually incorrect information that misleads clients. I think I will do a blog post on it soon, either here or at because it is the kind of thing that can really cause enterprises headaches. Looking at the big analyst research, most of them fundamentally don’t understand the cloud and aren’t helping their clients.

Lastly, one of the most rewarding lessons of the past few months has been the realization that my research on the cloud and Software Defined Security is dead on target. I am working the same problems as many of the major cloud-native brands – albeit not with their scale issues. I am coming up with the same answers, and reflecting their real practices. That is always my biggest fear as an analyst – especially going hands-on again – and it is a relief to know that the work we are publishing to help readers implement cloud security and DevOps is… you know… not analyst bullshit.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Sign up for our Cloud Security Training at Black Hat!

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Gunnar’s World

Gunnar had a bunch of related links, so we putting them all together in his words:

I have one theme with a couple of links

“If you are competing with Microsoft, which is to say you are in the technology business – have a look at the track record under Satya Nadella so far – sh*t just got real.”

I love capitalism, I love it when a company left for dead comes roaring back and does something amazing. Think Apple a decade ago. It’s very early in Nadella’s tenure, but this could be very fun to watch. He won me over in the first press conference quoting T.S. Eliot, “You should never cease from exploration, and at the end of all exploring you arrive where you started and know the place for the very first time.” How refreshing and inspiring!

Research Reports and Presentations

Top News and Posts

Due to my travel and isolation news is a bit thin this week – sorry about that…

Blog Comment of the Week

This week’s best comment goes to Marco, in response to Verizon DBIR 2014: Incident Classification Patterns.

Good call out on the call center times. In a CC environment, saving seconds in the average interaction can be the justification for huge investments and changes. If you start adding seconds to the standard interaction ‘for security’ you’ll have some unpleasant conversations in front of you. I can only shudder when thinking about adding minutes … Remember: a few seconds for the individual interaction doesn’t sound like much, but when you multiply that by hundreds or thousands interactions a day, you start to see the problem.