Moving to the cloud has become a necessity for most organisations. Although companies understand the benefits of the cloud, a significant proportion of them decide to return their workloads to a private environment. Why? Concerns about security and lack of control are two important explanations. In this blog we describe the most common pitfalls to avoid when shifting to the cloud. We also explain how to solve these issues and still enjoy the full potential of cloud solutions.
The cloud is an essential aspect of every business strategy that focuses on digital transformation, but it also appears to be a very difficult exercise. An IDC report recently indicated that 80% of companies are expected to repatriate workloads that were primarily part of a public cloud environment. The research states that about half of public applications are expected to repatriate to an on-premises environment over the next two years. The most important reasons are security and performance, but also costs and lack of control.
Moving to the cloud can indeed be extremely challenging for organisations. Here are some of the main pitfalls to avoid:
1. Lack of Vision
Cloud transformation may seem like a technical challenge at first sight, but it will have an impact on the entire company. It can change the way a business operates in many different areas. Think of budgets, productivity, daily operations and development. That’s why a shift to the cloud should always start at the top floor of an organisation. The IT department must be fully supported by the board and have access to all the necessary resources.
Unless the management of the company understands both the benefits and risks of moving to the cloud, this process will almost certainly fail. The cloud holds many mysteries, even for well-trained IT employees. It is a good idea to support them with advice from cloud experts and consultants, especially if you want to avoid the other pitfalls we are about to explain.
A powerful cloud strategy also involves thinking about which workloads can be moved to the public cloud and which workloads require a more private environment. The benefits of the cloud are often so attractive that companies forget to think carefully about the risks.
2. Security Risks
This brings us to the most main reason why, according to a 451 Research commissioned by Hewlett Packard Enterprise, two-thirds of the workload is still located on-premises despite the fact that a majority of companies agree that the cloud offers a positive experience. Data breaches are common news and companies invest a lot of money in the protection of their infrastructure.
Storing data and important files on external services always exposes organisations to new risks.
Of course, you can expect a cloud service provider to handle sensitive information with care and create an highly secure environment. But lack of control is a real concern for many enterprises when shifting workloads to the public cloud. Security issues can cost companies a fortune and the reputational damage can even be beyond repair.
Here are some things to consider when you switch to a public cloud strategy:
- Make clear decisions about who is supposed to have access to specific data and resources. Not all employees should be able to see all information stored in the cloud.
- Always take a risk-based approach when moving assets to the cloud. This also involves securing the devices used to access a cloud environment.
- Encryption is key to all your actions.
- Train your team to understand how to mitigate security concerns in the cloud.
3. Underestimating Costs
Cost efficiency is one of the greatest benefits of a public cloud environment, but many enterprises still underestimate the investment that is required. Providers will usually not charge any costs for the implementation of data, but the transfer can take you several weeks depending on the volume of the data. Many organisations also buy more storage space than what they need.
As the footprint of technology in all businesses continues to grow, companies need a model that develops in alignment with their technological life-cycle. In the end, a 100% public cloud strategy will not always be the most cost-efficient solution. Security is one reason to carefully consider which workloads can run in public and private cloud environments, but cost is definitely another important factor to keep in mind.
4. Compliancy and privacy issues
Security and compliancy are closely related. Especially when you are dealing with sensitive and personal data, changing regulations about privacy are a real concern. Think about the strict privacy rules that are imposed by GDPR obligations. Many enterprise lose track of their data in the public cloud and don’t know who has access. This lack of control can be a real nightmare as you don’t want to risk irregularities. Sanctions are very expensive, but once again reputational damage might be the highest price to pay.
The more data, software and tools an organisation uses, the more challenging compliancy becomes. IT must be able to monitor the tools that are used and where the data is located.
The solution: hybrid cloud
These concerns are the main motivations for companies to return their data to a more private, on-premises environment. Of course, the benefits of cloud solutions are extremely important to remain competitive and to successfully transform your business. This is why many organisations are now discovering the potential of a hybrid cloud solution.
Control is an important aspect of this hybrid cloud environment. It allows an organisation to move part of its applications to the public cloud, while another part remains private. This enables the IT department to stay in control of the most critical operations. They can manage all data and establish protocols for how particular data should be handled. A hybrid cloud environment is also a very scalable solution that will significantly lower IT costs. A purely private cloud is often extremely expensive and time consuming.
In short, hybrid cloud solutions combine the security and control of an on-premises environment with the versatility of public cloud computing. To find the best strategy for your organisation, you can seek professional assistance of a dedicated IT partner. Computacenter has the expertise to understand your needs and introduce a hybrid cloud solution that will benefit your company in the short and in the long run.
Please visit our website to discover how we can use HPE GreenLake as a consumption-based IT model to create new opportunities for your organisation.
Darwin is frequently quoted in the midst of furious discussions about change. Whether it’s the mention of “the survival of the fittest or the most adaptable” (and not forgetting many question whether either statement was made by Darwin), change consistently invokes one human emotion with the power to nullify every others – “fear”.
Information technology (IT) for all of the seemingly endless change over the past 30 years has been somewhat consistent. Technology, with every new product launch via an endless release of “features” often dictated the “potential” for human benefit. And the result, technology vendors & the IT industry told the story of the future for an eager business (and more recently social) consumer to consume.
There was a reduced need for the IT buyer or user to appraise to a granular degree how the technology delivered impact or benefit, it was almost assumed that “newer” was better resulting in an upgrade to the “next or latest version” becoming standard behaviour. The balance of power rested with the “technology industry” and the user / consumer was at times a passive recipient of endless technological advancement. But as we enter 2017 the power base is shifting (some may say has “shifted”).
The user or IT consumer is now the power broker with the ability to dismantle 30 years of elegantly crafted IT system and process via a move to hybrid systems (combining traditional with public) or fully public IT service delivery. ”Feature glut” no longer rules the day, replaced by the need for consumer realised benefits or “standard service offerings with the potential for agile evolution”. This wholesale reset of everything deemed normal in IT and business is here and here to stay. But a move away from the safe “the old way” requires courageous decision making.
But the winners, whether consumer or IT service provider may not be those to accept “safe” or “old normal” but instead those willing to “be brave” and challenge “the old or known way” to evolve to a sustainable service consumption or delivery template viable for the dynamic, digital age. The buzz words are endless with digitisation, hybrid cloud, IOT, mobility, just a few. However with “solution relevance” a key consumer buying criteria, “buzz word bingo” will no longer find an audience, instead replaced by “win win” consultative solution selling driven by the value of positive disruption and “measurable” benefits for the consumer.
“Being brave” may result in human destabilisation as the status quo is defended and protected and “risk” as existing service delivery approaches move away from safety but the benefits are not potential, they are very real and highly realisable. The gateway to a new age exposed by the digitisation drive is positively transforming IT, business and the user with all likely to embrace a sustainable, enhanced experience. But that change of experience starts with a level of bravely not everyone can muster. “Can you, will you, be brave enough”?
Until next time.
Chief Technologist: Networking, Security and Collaboration – Computacenter UK
Once a year either at the end of an old or the start of a new year, I deliver a view on the forthcoming year. Common to many industry analysts who “call” the market, it’s a view based on customer sentiment (I speak to many many customers), extensive research, market knowledge and many years of experience (an elegant way of writing “gut feel”). This year I will release the “Security 10 for 2017” earlier than normal to reduce the comparison to other market perspectives that will appear on mass in January. Important note: the views within are my own and do not constitute the views of Computacenter Group.
This overview will be slightly longer than my normal 400 – 500 words, however I hope you understand the content deserves the extra literary real estate. Happy reading.
1: IOT attacks will increase
Focus on IOT non-human devices with weak security may increase as they become the ideal candidates to be used as botnets or drones. The weaker security layers within IOT devices with less evolved security components may result in the industry acting in catch up mode as each compromise signposts the remediation required and the next likely targets. There is no easy fix in sight with between 24 and 50 million IOT connected devices expected by 2020 but security basics including changing default passwords and remaining in tune with vendor software and patch updates are mandatory first steps. Key tip when considering IOT to deliver a business outcome, start with security in mind and end with security by default.
2: DDOS mega attacks will continue and worsen
DDOS attacks haven’t gone away, in fact Akamai cite a 125% increase in year on year attacks. With an increased volume of bots enabled via compromised IOT platforms and the real world turmoil generated by the massive DYN DDOS attack in October, attackers may consider the potential for disruption second to none. DDOS protection solutions have been deploy and forget for far too long with insufficient proactive scrutiny of logs and early warning alerts that may indicate a future larger attack is pending. Now is the time to fully understand the protection delivered by the service provider as a minimum to determine the likelihood of a successful attack.
3: Rise of insider (user) driven attacks.
Sadly humans can be a weak link with non-malicious user errors and insiders encouraged, bribed or bullied into undertaking actions that compromise systems. As client and datacentre security solutions increase in capability, therefore deliver enhanced protection, the user remains the least protected vector. User awareness, education and (with emphasis on accountability and liability) is continually highlighted as essential – now is the time to act and assign the highest priority level possible to security education for end users.
4: Last minute rush for GDPR compliance
Common to other historical compliance requirements, GDPR may suffer from a yearlong “wait and see” with the result slow progress, then a crisis driven rush to design and deploy solutions. GDPR shines a light on privacy with emphasis on data that contains personally identifiable information must be secure by default. The journey to compliance starts with awareness of the key GDPR directives, quickly followed by the need to understand the type of data in existence, where it resides across the enterprise and whether it is within the scope of GDPR. GDPR assessment and remediation solutions will be a major business impacting activity through 2017.
5: Social engineering attacks may become undetectable
Social engineering attacks may become so personalised and well-crafted they may be hard to detect from a human or systems perspective. Whether it’s sales driven “Black Friday” or the Christmas “social” season updates, the endless stream of social media publicised events may act as a catalyst to drive increased volumes of “better than good enough” phishing messages with amazing offers (that sadly deliver a malware payload or redirect). Social engineering is an area positively affected by enhanced user awareness and education.
6: Ransomware may spiral out of control
2016 has proved a successful year for ransomware with ransoms increasing in size and frequency – 2017 may see attacks increase rather than decrease. Recent vendor commentary indicates as many as 54% of UK businesses have experienced some form of attack (source: malwareBytes). Ransomware authors based of the sheer volume of malware released have access to an unprecedented amount of potential human targets. Client security solution enhancement, with the arrival of specialist anti exploit solutions may slow the ransomware march but not without the assistance of greatly increased end user security education. The fear of modern ransomware will drive a review of existing endpoint security technologies to reduce or eliminate the number of “first casualties” as surely one casualty is one too many
7: Cloud computing specific attacks will increase.
With organisations moving to the cloud, dedicated attacks (compromised permissions, etc) on cloud delivered applications and workloads may become the norm based on the potential to gain the largest prize. Cloud platforms are extremely well protected but the long list of potential attack vectors including credential theft, DDOS, data theft, compromise via zero day exploits and many other general security attacks (but targeted at cloud computing) may steadily increase as enterprises accelerate their use of cloud computing solution delivery modes.
8: Credential theft will continue to rise.
A robust digital identity is fast becoming a key deliverable within modern enterprises to facilitate secure single sign on across multiple platforms. This makes a stolen credential more lucrative than ever. Digital identity and credential theft may rise to the top of the security risk agenda for many organisations with digital credentials the golden key to both known and unknown “digital enterprise locks”. Attackers are familiar with the process of stealing credentials for access or to create subsequent hidden and elevated credentials for use during an attack. A least privilege, zero trust approach to IT security must become the new normal.
9: Banking and payment system attacks will increase.
As the world moves to digital payment by default, compromise of a payment system, ATM, contactless platform or digital financial services intermediary may deliver a major shock to the confidence of the financial sector as a whole. We now have attacks on banking and payment systems that have successfully breached existing defences leveraging both known and unknown techniques. This may encourage attackers to invest further to ensure they remain one step ahead of not just those defending but equally other assailants seeking to attack first then disappear. Enhanced visibility is a must with assistance delivered by big data and machine learning enabled advanced security platforms to proactively stargaze “what could happen next” before it occurs.
10: Dedicated attacks on “HomeHub” smart technology
We are entering an era of smart home devices and intelligent digital assistants. This style of attack may exhibit nothing previously seen and include highly non standard attack modes including homes held to “thermal ransom” with heating systems shut down or the potential for unexpected orders / purchases from voice activated digital assistants that may not be detected until a later date. It is a valid assumption that “smart home” technology with wireless enabled devices, creating and accessing data continually will permeate even the most basic home / work environment. Protection of smart home / IOT platforms will evolve as adoption increases, but the initial lag may create a window of opportunity for attackers.
The “Security 10 for 2017”mentioned could be 20, 30 or 100 depending on the enterprise, vertical market and enterprise current state. A few of the perspectives mentioned may concur with other industry / market watchers and others may even deliver a totally different viewpoint. However all are areas of potential attack or compromise that should be considered to determine the likelihood of a successful attack and therefore form part of a pre-emptive protection or remediation plan for 2017.
2017 will be the year good enough security may not be “good enough”. Now is the time respond to minimize the need to react.
Until next time.
Chief Technologist Computacenter UK: Networking, Security and Collaboration
Important note: the views within are my own and do not constitute the views of Computacenter Group.
I must start this blog with an apology (sorry) – the grammatical form of the title would have me struck down by my primary school English teacher, however I can find no other way to convey my meaning. “Agile” is the current next big thing and rightly so for many organisations whether development, operations or both. If speed of development (application), accelerated time to market and potentially reduced development costs are the primary aims of the enterprise, “Agile” delivers immense value.
But the euphoria seems to drive a mushroom cloud of activity involving selected internal operational and technology areas, for example servers, storage and compute. It’s clear “Agile” discussions ignite wholesale changes in those common areas, but has been slow to affect others most notably networking & security – and there lies a problem. At present application development teams, IT operations functions and most importantly the line of business teams are proactively gravitating towards each other as the “Agile” train pulls into the station. The cultural, emotional and operational shift required to make “Agile” a reality is now very real with green shoots of benefit now starting to appear.
But I challenge the effectiveness of the current “Agile” momentum due to a major elephant remaining in the room – network readiness. At present I view first hand many organisations with “Agile” transformation a fundamental element of their corporate manifesto but continuing with a network that may be highly reliable and functional but one not lubricating or accelerating the agile journey. Does this instantly fast forward to a software defined networking discussion – my heart says no but finally my head overrules with yes. Software defined networking is NOT networking without hardware – unless everything we know is physics is to be rewritten or eliminated that will never happen. But it is networking optimised by the use of software to increase programmability (and therefore personalisation) and automation (and therefore consistency and efficiency).
The benefit software defined ideals deliver to networking outcomes are many fold but must notably security benefits, speed and consistency of change which in turn makes the network agile. Surely this must signpost a notable change of priority, to shift network transformation further up the business technology priority list to enable tangible business value – if your network is not agile “is the business truly delivering agile operational or workload outcomes”.
Agile development is here to stay and with businesses now operating at warp speed agile is helping to drive organisations into the brave new ever changing world. But a network however stable, ridden with complexity and human latency MUST now change to be the optimum transport of digital change. It’s time to ask your organisation if the network is really making the business agile – if not, now is the time for change.
Computacenter can help.
Until next time
The security market is continuing to heat up. For once it’s less aligned with the potential for immense revenues (that potential and reality has been ever present in the security arena), but more to do with an acknowledgement that do nothing results in – “nothing”.
I have enjoyed meeting numerous enterprise customers at such an early stage in the year and the consensus is the same – “not sure which elements to keep or kill, not sure if investment in traditional platforms vs. accelerated deployment of new software centric or cloud security elements is the way forward”? And for once the concerns are common and consistent (less trail blazers or total laggards than you may think).
As someone working within a company calibrated by customer desires, I am already revisiting the security vendor strategic stories of 2015 to determine how they intend to navigate customers to a better place through 2016. And I am sensing a change across the board with new messaging, revised strategies and arrow head focus on a handful of key strategic attributes. The first one is visibility. Management and visibility of security (and networking) assets and outcomes has been an age old point of concern for many years in IT. A handful of vendors have successfully placed security infrastructure and solution management at the core of their value based offering and reaped the rewards, but even those vendors haven’t emphasised with real assertion the importance of seeing all robustly enough.
And the second key attribute is one of integration. The days of multiple, siloed platforms with individual consoles, ring fenced data repositories and inconsistent interaction with other platforms may soon be the solution behaviour of a bygone age (I’m an optimist) – every vendor is now emphasising the importance of increased visibility and superior integration as the cornerstone of their solution playbooks. Thankfully integration doesn’t mean, “Single vendor” with the normal mode one that welcomes third party and even competitive interaction via open APIs or data exchange frameworks. And the end result will be one of enterprises able to see more, therefore do more, therefore defend / remediate better than ever before.
But surely (and I feel the vultures circling) capturing or seeing more without additional layers to correlate, aggregate, evaluate and accurately isolate relevant events erodes more time than it delivers value? Agreed, however at first glance, this is an area of high investment from existing vendors and new market entrants often utilising human insight to augment systems based logic to deliver the best of both worlds.
This may be an early call but I feel the future is looking brighter in the security arena (maybe because finally we can actually see it). With vendors now delivering platforms and solutions enterprise customers can embrace immediately to unlock value immediately, now really is the time for change. But not without thorough understanding of business expectations and security impact aligned with desired operational and posture centric benefits.
Until next time
Chief Technologist – Computacenter UK, Networking, Security and Digital Collaboration.
I started 2016 in bullish form with predictions for security based on the lows and highs of 2015. I touched on two on the many market catalysts set to transform both today and tomorrow’s worlds, enterprise mobility and the Internet of Things but highlighted I would mention three more. Part two of my security outline kicks off with my final three security focus areas for the first half of 2016, journey to the “cloud”, security for the SDDC and the need for intelligent people to “act smart”.
The enterprise journey to the cloud continues to be hindered by concerns robust enough to offset the unquestionable benefits. If enterprises are already challenged to secure local environments that benefit from additional levels of physical control and proximity, why would the need to secure information flowing through an external often multi tenanted service provider not highlight similar (and different) challenges. Pre 2016, it was straightforward for enterprises to deliver a blanket response “we don’t use the cloud” often citing security concerns and with no need for further explanation, but with shadow IT research validating authorised and unauthorised cloud usage exists whatever the policy, neither authority or ignorance seems to matter.
It’s therefore time to go “back to basics” and remove years of accumulated assumption of business functions and application flows and replace it with rigorous understanding. With a revisited / restated view of people, process, application flows controls and compliance expectations, “what” can be delivered via the cloud becomes clearer (“how is a whole different ball game”). Whether via internal or external assessment or audits, enterprises must obtain a robust and realistic “current state” view to calibrate the cloud trajectory and thus maximise the business benefits of cloud service delivery. This common sense view is my consistent response to mute the many often unfounded concerns of cloud service delivery or published negative cloud consequences. And I frequently pose the question “Can you really tell me now restated for now, the who, what, how of your business IT operations & applications calibrated by relevant controls”? If the answer is no, effective security for the cloud journey may have no effect at all. Time for change to make cloud service delivery a consistent, secure reality.
Following on from the cloud is the software defined datacenter (SDDC) snowball that continues to gather pace. SDDC ideals are no longer if or when for enterprise organisations with substantial workloads or IT services already delivered primarily via software elements. It’s the dynamic, frictionless, highly agile operational persona offered by a predominantly automated software driven environment that holds so much promise. But common to every “must have”, “must do”, “next big thing”, IT trend is the “what about security” question?
First off, will be a straightforward perspective – “avoid the security retrofit”, time for a security reset. Security must be the core deliverable of the SDDC outcome therefore can never be deemed an add-on or optional extra. When application dependencies and process workflows are in early draft mode (potentially in the earlier stages of the development cycle) the security expectations must be identified, qualified and externalised. Deferring security to later phases or accommodated via an assumption of inherent safety delivered by default is fundamentally flawed as applications and workloads become increasingly fluid in location and state.
A silver bullet of the SDDC ideology is the potential and proven reality of security moving always from a perimeter based ideal to an intelligent functional state as close to the workload as possible (in fact the workload is no longer a workload to be secured, but instead a “secure workload”). This new attitude to application and workload delivery must drive a “blank sheet of paper” review of security to ensure one of the most compelling benefits of the SDDC journey can be fully realised. An enterprise journey to the cloud presents the long overdue opportunity (and investment) to “get security right” – use it, don’t lose it.
And lastly its “people time”. The rise and rise and continued rise of the digital enterprise will fundamentally shift the way business services are operated, consumed and ultimately secured. We are venturing into the unknown and therefore wrestling to find answers to an endless stream of security questions. But is this state really unknown, I suggest not. The “enterprise” digital enterprise may be no more than the digital DNA already the vital fluid of the modern social network driven arena spilling over to and thus redefining the enterprise. Create and destroy data information instantaneously, join and graft multiple and previously unconnected data sources together to create new insight / new opportunities, always on, always now – isn’t this the digitisation defined “social world” already our norm.
And possibly with that Eureka moment appears an equivalent reality check, we still haven’t solved the security problem (s) in the digital social network world, in fact we at times we are not even close. And the main reason – “people”. As technology improves (both systems and security) people reduce their level of vigilance & diligence and increase their expectation that the “system will deliver protection”. Nothing could be further from the truth. I fear we may arrive at a state where there is little more that can be done from a security systems based neural or autonomic perspective. In other words, we have put as much logic and decision making in the system to determine and remediate as much as it can from a security perceptive in an acceptable timeframe. And then what or who is left in the chain as the primary attack vector, the same primary attack vector that has always existed – “people”.
Which drives me to highlight that 2016 may be the year enterprises revisit and reinforce the level of individual accountability that all system users are vigilant, diligent and aware of the security implications of their actions. Or sadly those same users may be affected by the double edged sword of compliance and personal liability. This is a step change forward from the never read acceptable use and security policies. Tough talking and a disappointing road to traverse, but the enterprise may no longer have a choice – systems cannot secure the organisation alone. With flexible working, dynamic workplaces, fluid workloads set to be a normal business state, every corporate endpoint whether human or system has the same responsibility to evaluate and maintain a company desired security state.
And this closes the security predictions overview for the first part of 2016. Whether it’s the increasingly mobile user or interaction with intelligent devices or “things” or dynamic services delivered by highly innovative new market entrants, optimum security will ensure the unquestioned benefits of this increasingly “digital” world arrive with minimal sting in the tail. I am not inferring optimum security has never been important before or isn’t delivered today by highly effective practitioners, it is and that fact it is, minimizes the negative consequences only a mouse click away. But everything we have delivered before is now under attack in a manner beyond our traditional level of understanding with the result it’s time to “deliver now” but with tomorrow’s expectations in mind. Time to change (ps, I am not advocating “patch management” for people – or am I?).
Until next time
Chief Technologist Computacenter UK, Networking, Security and Digital Collaboration.
A few months ago I scribbled about the need to develop and deploy Information Technology systems (“IT”) now with 2020 in mind. In “Arthur C Clark” style I discussed the need for a change of thinking and the importance of considering all of the interconnected elements (many quite embryonic), due to the astonishing level of business change currently affecting us all. Through 2015 it has become apparent that the year 2020 shouldn’t be deemed a distant milestone, we need whatever we envisage “IT” will deliver in 2020 – today.
Data isn’t exploding, it has already exploded and will do every second, minute, hour of every day. We may never successfully control it but many will harness it to unlock unimaginable personal and business value. The connected society will continue to be the heartbeat of everything we do (and I do mean everything) and both personal & business expectations will increase every time benefits are realised. Whether it’s the relentless march of smart devices (even I have an Apple watch), the rise and rise of the “app for everything” culture (ok, nearly everything), the Internet of things optimising our everyday existence or always available (but not always effective) Internet / device connectivity – we are now a “connected device” dependent society. Our imagination is the catalyst for digital entrepreneurship energised by the view IT “can”, but the gloss is not without a little “matt”. If digital business gain must be balanced or is tempered by digital data loss is it really at gain at all. Maybe agile security is the new must have security persona as systems that learn and evolve as threats and attacks evolve must be the only effective way forward
And that means the personal and business outcomes previously considered “too radical” or “far out there” are many of the outcomes EXPECTED today. We have been here before and dare I say it, many times through previous IT revolutions or business evolutions. Each time the step change was delivered in somewhat controlled proportions and allowed the essential but at times loose coupling of IT and business to be maintained. But it feels different now, very different. The expectations of enterprises today buoyed by the belief that software can achieve “anything” and the connected enterprise can stitch together the business fabric required, is straining traditional IT operational models, architectural frameworks and delivery outcomes. The people change impact is underplayed, often overlooked but key to the successful and long lasting evolution to a truly digital enabled enterprise. The fallacy that IT and business can run as separate entities is misguided. IT & the business must be interlocked to such an intimate and fundamental degree that even non IT bound businesses may fail to be effective without IT in the midst of the current “digital economy”.
The expectation of “IT 2020” realizable today is effecting application development and release to a profound degree. The change can no longer be avoided and even for the more traditional enterprises, accelerated/iterative development (“agile like”) and operational styles are no longer activities undertaken by “others” but essential modes required to keep up (forget about even moving ahead) with a business landscape changing at warp speed. And as the power of “IT 2020” really accelerates with the IOT/IOE quasi social experience becoming the norm, we will start to experience today the benefits of people and systems intimacy that will underpin our societal existence in 2020.
Things really are different now and for me different is good unlocking possibilities and opportunities for all. With the market change agents continuing to blaze the trail with everything from healthcare via video or personal payment systems on a watch to home energy management via a Smartphone, the IT systems of today must change to ENABLE or they will hinder change. That’s why 2020 is too late for 2020 IT – that time is now.
Until next time.
Chief Technologist, Computacenter UK – Networking, Security, UC
“Cybercrime may now be bigger than the drug trade”, quoted the City of London police commissioner Adrian Leppard.
Security breach announcements that were once a rarity in the non IT world are now BBC front page news on a regular basis. Whether it’s the attack and successful removal of data from a previous unknown (but now well known) dating site or the more recent attack and potentially successful data breach of a major consumer telecoms services provider, Cyber attacks are the norm. Is it time to accept them as a necessary by product of the relentless creation and consumption of digital data, sadly yes. But to accept they exist does not mean an acceptance that an attack should be effective when there are so many steps that can be taken to reduce the potential for success. Defending and securing IT systems are not an easy task as the approach includes people, process and systems. To keep all three security aware and congruent at all times is a challenge with that one “out of sync” moment the attack window for a hacker. Do nothing or “do something but slowly” is a sure-fire way to be the next big story on the front page of the BBC news broadcast. It’s time for new thinking, new skills and better visibility EVERYWHERE or the enterprise will NEVER be secure.
Many years ago a large IT company ran a brilliant ad campaign about the need to think differently. In the case of IT systems and Cyber security, thinking differently should include a rigorous appraisal of existing defences, a perspective on the most valuable digital assets within the organisation (and the additional protection they require) and most importantly the need for people to change the way they interact with digital systems (vigilance). To defend against an attack, it’s time to “think like an attacker” and not based on a viewpoint that attacks follow standardised behaviour, are seeking random targets and lack rigour and planning. Today’s attackers or attack teams are extremely well trained, often well funded and have razor sharp focus on the target and expected outcome. Old school thinking based on technology will fall short in this new digital age. It’s time for new school thinking based on the psychology of an attacker as that will surely deliver greater value (protection).
We are in the midst of an enterprise business landscape with an aging work population aligned with traditional IT skills needing to evolve to a revised “digital rich” skills portfolio. This new skillset is likely to be software influenced and will definitely drive the need to think differently, learn now and learn very differently. And to further compound matters the emerging work force of Generation Y and Z thinkers may not be viewing Information Technology as the “must join” profession of circa 25 years ago. Modern enterprises face the quandary of an old workforce with dated security skills, coupled with a new workforce with skills too new to make an impact – who then will solve the security challenges we currently face? Sadly the skills problem will not be resolved overnight with a major investment in academic level cyber awareness, new age security skills training on mass for existing networking and security personnel plus enhanced employee security education as a mandatory activity within all enterprises. It’s time for enterprise organisations to encourage everyone who embraces the benefits of IT to also part be of the solution to the cyber security challenge.
There has been an age old management quote highlighting the difficultly managing things that can’t be seen – so why believe it to be different with data and information technology outcomes. Digital data is now the DNA of modern enterprises with the potential to ignite ongoing success or collapse an organisation to failure. Full visibility of data from edge to core with the potential to preempt attacks or fast remediate breaches is now an essential element of the enterprise IT systems operational playbook. Breaches will occur in a digital data rich enterprise due to the challenge of continually appraising human, IT and non IT systems behaviour in context and in sync. However enhanced visibility leveraging optimised data analytics can highlight anomalies or areas for further investigation earlier with the hope it’s early enough for the correct intervention prior to a breach. And if an when a breach unfortunately occurs, “flight recorder” type data playback of the pre and post breach state will accelerate the time to triage and remediate plus reduce the potential for a mirrored attack. Many highlight “encryption everywhere” as one of the most impact full strategies for data protection and the emerging and very interesting “software defined perimeter (SDP)” approach (zero trust access control and data movement) as instant fixes. There is no doubt that both will be highly effective protection elements but only as part of a wholesale rethink of security defence, protection and breach remediation.
Enterprises MUST now change their approach and security solutions expectations. The increased use of mobile solutions, cloud computing and virtualisation are not creating a problem for security professions but instead delivering the potential to “reset” security protection and defence within the enterprise. The days of “adding more layers”, often bigger or higher than previously delivered are no more – instead it’s time to design a solution for an enterprise in a state of continual attack not in “comfortable defence”. Effective digital systems security WILL be a primary business enabler in the digital age as enterprises that fail to defend well, remediate quickly and understand attacks may not survive for long enough to fully recover.
Until next time.
Chief Technologist – Networking, Security, UC – Computacenter UK
The year 2020 has a nice ring to it.
2020 sounds like the type of year discussed in science fiction Hollywood movies as a transformational year far away in the future. But it’s not that far away, it’s five years’ time and IT services and solutions is definitely not Hollywood. Is 2020 too far away to plan for or so near it shouldn’t be feared – in my opinion it’s a resounding NO to both. 2020 and the impact of information technology on future business outcomes should be top of mind for every IT professional. If IT decisions are being made now that will deliver the technology platform for growth and change not just for today but equally over the next 5 years and beyond, 2020 vision is essential today.
At this point it may be easy to reply, “but surely not much will change in five years’ – to that statement, I can’t agree. In my opinion we will see “right size, right use” IT deliver levels of such resounding change & value over the next five years that today’s IT architectural perspective must shift and shift now. Starting with networks, in five years’ time the SDN euphoria may subside as many of today’s networks will be well on the way to a degree of fabric aligned convergence underpinned by optimised hardware that leverages automation and orchestration seamlessly. As a starter for ten all of the benefits of an intelligent programmable network dont just make cloud computing work, its fundamental to a successful cloud future. This healthy amalgam of hardware and software will deliver a friction free, dynamic application transport fabric still benefiting from the intelligence and inputs of highly competent network architects, but enhanced by software and automation. And why am I so confident of this state – “because the tangible benefits realised will be immense and too compelling to ignore”. The potential and business benefit of a network capable of changing personality (to a degree) on the fly, calibrated by real time application or user requirements will lead to the most optimum network performance level delivered “in that moment”. Surely that must be a real world business benefit that delivers material and repeatable value to any user or business.
But it doesn’t end there, 2020 must see a different security look, feel and outcome delivered by IT products, services and solutions. If organisations currently fear the in situ advanced persistent threat often in play as we speak but undetected within even the best protected enterprises across the world, by 2020 the mental acumen required to launch such an attack will be greatly reduced. Whether the attack is out tasked to a “hacker for hire”, occurs via an even more proficient malicious insider, or as a result of a seemingly harmless mistake (a laptop left on a train), the ramifications of breach or data loss will be colossal. If many believe we are on a journey starting now to digitise the enterprise, by 2020 many organisations may be exploiting their digital DNA to its full potential (often via enhanced the use of accessible data analytics platforms like Hadoop or Splunk), with the result a security breach or attack could halt an organisation short term or even permanently almost like a digital cardiac arrest. And lets not add the unknown benefits and effect of a growing internet of connected things (IOT) often unseen but very easy to access and manipulate. To that end security transformation plans today without 2020 vision top of mind may be destined to fail.
But in the midst of this 2020 chronicle of interest (networking), must do (security) there is a story of real excitement (UC) as we end this overview. UC will allow 2020 users to engage with greater productivity with 2020 users – let’s call it REAL collaboration. Unified Communications has struggled to date within the enterprise due to circa fifteen years of potential and promise but with the result for many no more than a digital dial tone. But with 2020 in mind all of that is set to change with user pervasive UC a “must have” element within any “good to great” enterprise. The social network user persona is no longer the template of the teenage smartphone user, it’s the norm for preschool children, babies (with digital tablets and intelligent toys), the digital savvy Y & Z generation, the “baby boomers” for everything from shopping to collaboration with friends abroad and retirees who just want to stay in touch. And how do they achieve this, via a smart phone capable of communicating via different communications channels (video, voice, IM, social, browser) unified together by the network unified on a single device. In short if UC is starting to work now, driven by the growth of social ideals, the smartphone and tablets within modern enterprises by 2020 as they reach critical mass, enterprise UC will be the communications glue that keeps organisations, their users and their customers – “communicating”.
This ends my short roundup on 2020 and the potential our 2020 future holds. But 2020 isn’t far away and business decisions that drive IT change (or IT change that enables business innovation) happening now without 2020 vision in mind may be built with failure by design through the core. Now is the time not just to plan, but to do – no one wants to be the victim of a digital heart attack.
Until next time.
Chief Technologist: Networking, Security & Communications.
Software defined networking (SDN) continues to be a major customer discussion within both the specialist networking and enterprise datacenter arenas. After bubbling under in the mindshare league well below cloud, virtualisation and mobility for quite a while SDN is starting to move up the ranking. However this is not without a fair degree of murmured discontent.
Enterprises, whilst digesting the technical concepts behind SDN are struggling to understand the most effective SDN solution design approach and focus in on the business problem / outcome resolved by SDN. At the highest most strategic level, there are numerous benefits that can include operation efficiencies, network agility and simplicity to name a few. But however compelling they all are, they currently do not seem compelling enough (unless a convenient infrastructure upgrade requirement is often factored into the SDN discussion). This could be the result of looking at something so hard that the some of the more obvious benefits are overlooked and in the case of SDN one said benefits is certainly security.
Networking in software (prior to SDN) had already found its home in the middle of a hypervisor as part of a virtualised compute environment, with the result some degree of understanding of the use of software in enterprise computing to realise networking outcomes is already known. But with the unrelenting growth of server virtualisation beneath a hypervisor with the resulting change to network traffic flows (much of it remaining within the hypervisor or physical host) a hidden challenge became the norm – securing virtualised workloads. The drive by many towards a virtualised enterprise changes decades of traditional design norms of physical perimeter security device placement with the requirement to reproduce a revised ideal for the virtualised workload world.
Enter software defined security (SDS) included within or as a by-product of an SDN strategy. The ability to micro segment virtual workloads using internal virtualised firewalls and controls in software with the reduced need for traffic to flow out of the virtual environment and back to determine the security state is surely a “killer outcome mobilised by SDS or SDN. And before you state it, a secure environment in a virtualised context can be realised today without the use of SDN and software defined security implementation, but SDN makes it much easier, tightly couples it with management and automation frameworks with the result reduced time to value. There are numerous software defined security approaches from standard functionality within specialist SDN overlay networks through to dedicated SDS (software defined security) solutions from specialist vendors with next generation security at the heart. And with enterprises wrestling with the urgent need to secure physical, virtual, hybrid and cloud environments working together as one, a new approach to solving this KEY enterprise IT infrastructure security challenge is surely required.
Software defined security alone isn’t the answer, SDN in isolation isn’t the answer but they are both serious and viable considerations to deliver security outcomes today aligned with problems of tomorrow. To that end, software defined security (SDS) may well be the “killer outcome” that kick starts the SDN change.
Until next time.