ESG Blogs

“Backing up and recovering VMs” is not solved. There are lots of options in market, and the dynamics seem to shift by the day:

The unified (physical plus virtual) backup solutions are trying to take back share from the virtualization-specific folks, now that some of them are catching up (or passing) on VM protection methods and recoverability features.

The virtualization-specific backup solutions are protecting their share from the unified folks (above) and the hypervisor vendors (below), while continuing to innovate and differentiate.

The hypervisor vendors are offering their own backup solutions, instead of just the VADP/VSS APIs that enable their ecosystems.

There are some disruptive startups that are forcing folks to reconsider everything they know about “backup” via advanced appliances that warp one’s imagination of consolidated protection, copy-data management, etc.

And everything that any of them are doing … are now or soon could be also going to the cloud (if the cloud-backup providers don’t beat them to it)

So, as IT organizations of all sizes continue their maturation from simply “consolidation” to the “private cloud” and the “software-defined-whatever,” 2014 promises to be even more interesting.

To celebrate that, here is a list of some of my virtualization protection posts, just from the 2nd half of 2013:

I started my high tech career in 1987, when I arrived at EMC fresh out of business school. The CEO at that time was Richard Egan, the “E” in EMC. At each quarterly meeting, Mr. Egan would get up in front of the entire company, review the quarterly objective he had set forth for the company at the previous meeting, and grade the company on its ability to meet stated goals. This review kept the company focused on metrics and accountable for its stated objectives.

When I watched the President’s State of the Union speech earlier this week, I expected a similar type of review and status update on cybersecurity. After all, President Obama highlighted cybersecurity in his 2013 State of the Union when he stated:

Despite well over a decade of sales success, antivirus technology has never been beloved in the security marketplace. Security professionals do not have immense faith in antivirus (AV) products to stop modern malware, and average users have never enjoyed the notifications, scans, and updates that go along with protecting a computer from roughly 6,000 new malware variants per day.

It’s no secret, BYOD and mobile devices are changing the way we work, play, and communicate with each other. As a result, the demand for wireless networks is very strong and ESG's IT spending intentions research survey data indicates that expanding wireless networks is one of the top-five most-cited network priorities for organizations. The timing is perfect to talk about expanding the WLAN as the volume of new mobile wireless devices entering the workplace always tend to spike after the holidays. Many of those in IT that I speak to have stated it is not uncommon to have over a thousand new devices hit the wireless network in January. IT then has to struggle to ensure there is adequate connectivity for all these new devices (especially in the executive wing), mitigate the risk, and spend a lot of time associated with managing the onboarding process. For those in higher education, this scenario plays out at the start of every school year as well.

In the last post here, we looked at a number of investments in the general area of big data, and compared the fit with some data points ESG’s just collected research on for our 2014 IT Spending Intentions research report.

If you missed the first part of the story, check it out here: whate28099s-coming-next-in-big-data-show-me-the-money-part-1/index.html" style="font-size: 1.2em; line-height: 1.25;">http://www.esg-global.com/blogs/whate28099s-coming-next-in-big-data-show-me-the-money-part-1/

My guess is many of you don’t know this but some do – five years ago, I was diagnosed with diabetes. If you ask me what type – based on current medical definitions – I’m Type II. The way I think of it is: the type of diabetes doesn’t matter – what matters is I need to have an external source of Insulin to live – it is neither option, nor is it curable (yet). In some ways, it is no big deal really. We need air, water, food to survive as it is, and insulin is just another thing I need to take each day, right?

Of course the main difference is our human systems are autonomous – they automagically adjust to changes in requirements – sleep creates one workload type, running a few miles at the gym another. When your pancreas stops making insulin, then your autonomous systems try to compensate and unfortunately fail – sugar levels build up and your system takes all your food and your system sends it back out – literally starving to death while still eating and consuming (and craving) sugar (all the ingredients – carbs, protein, and fats). I lost 35 pounds in 3 weeks and ended up in the emergency room for the first time in my life with a blood sugar level just shy of 1,000. If I wasn’t basically healthy otherwise … well who knows. What I did learn is that Insulin is not an optional ingredient in the quest for one more day on the planet.

It’s highly likely that cloud security will be one of the hot topics at this year’s RSA Security Conference coming up in February. Yes, there will surely be a lot of rhetoric and hype, but this is a very important topic for our industry to discuss as cloud computing continues to gain momentum with enterprise organizations.

While information security is still the primary concern around cloud computing, enterprise organizations aren’t holding back on deployment, albeit with non-sensitive workloads for the most part.

Every New Year, there is a rush of predictions for what will happen in the year to come. Vendors want to demonstrate their thought leadership, PR teams and journalists love the story angle, and IT executives are looking for insights on future directions. Nothing wrong with all that, but does it really give us a clear picture of what is to come in 2014?

It’s still early but 2014 is shaping up to be highlighted by M&A activity. The VMware/AirWatch marriage is the latest example.

So why was VMware willing to spend $1.5+ billion for an MDM leader? The easy answer is that the world is going mobile – new application development is focused on mobile or web applications alone while PCs are moving closer to mainframe status. AirWatch immediately bolsters VMware’s play for endpoint computing as well with mobile complementing virtual desktop technology.

The days of IT handing out a standard device across the company and maintaining a perimeter fence with known holes are fading fast. Employee preferences and modern applications are driving alternative device types while data security makes national news on a nightly basis these days. The opportunity to embrace alternative computing devices is massive and the requirement to simultaneously tighten policy and control is a must have for organization that are serious about their mobility efforts.

If you’ve read my blog with any regularity, you know that the cybersecurity skills shortage is a topic that is near-and-dear to me. Forget about things like the threat landscape, mobile security, and cloud security; if we don’t have enough skilled security professionals, we are all in trouble.

I’ll be presenting on this topic at the RSA Conference next month but here’s a bit of very troubling data in the meantime. ESG asked 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees) whether they were familiar with multiple types of malware techniques. Overall, the results were pretty dismal. For example:

About this time last year, I published a report on cloud service management (Enabling IT’s Transformation to Cloud Service Provider) where I outlined the software components needed to become a cloud service provider on-premises. Primary capabilities include orchestration and automation but also things like CMDB, federation, and chargeback. Like everything in this industry, there has been a lot of change in the past year, which I will cover in detail in the update to the CSM report later this quarter. In the meantime, I thought it would be useful to write about some of the trends I’m seeing in this space:

· Hybrid Isn’t Even Table Stakes – Last year I thought it was goodness when I saw a CSM company building functionality that supported an IT department being able to manage on-premises ‘private cloud’ and off-premises ‘public cloud.’ Over the past year that has evolved to requiring the ability to manage multiple cloud types in on- and off-premises. For example, a company may have an MS Azure cloud as well as a VMware cloud on-premises and public cloud off-premises with a VMware cloud and AWS resources on Amazon’s cloud. This means that the CSM software has to be able to manage all of these resources and be able to provide a unified dashboard, rationalize pricing methods, and potentially a way to move workloads seamlessly between clouds.

Last week IBM announced their intent to spend another $1.2B on expanding their SoftLayer-based cloud data centers to 15 new data centers around the world in 2014. This brings the total data center count to 40 data centers globally in 13 countries. SoftLayer has over 22,00 customers and was acquired by IBM in 2013 for a reported $2B. Why does this matter? There are few reasons why this matters for IBM and for their customers:

I posted a blog earlier this week on the endpoint security market transition that ESG anticipates in 2014. ESG research already indicates that change is in the air --62% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that traditional endpoint security software is not effective for detecting zero-day and/or polymorphic malware commonly used as part of targeted attacks today.

This week I was invited to go to the NFL offices in New York to hear about a partnership announcement between the NFL and Extreme Networks. I’ll get to the announcement in a minute. But, first how cool is it to have a press conference in the same room – actually the same table -- that all 32 teams and Rodger Goodell sit at to discuss the future of the NFL. Plus the 47 Super Bowl rings on display in the lobby was definitely a photo-op moment. Now back to how this relates to technology…

Extreme Networks is the NFL’s preferred vendor for Wi-Fi network analytics. You may say to yourself, what exactly does that mean. To the NFL it means a vastly improved customer experience in the stadium on game day. Consider for a moment an NFL stadium on game day – did you envision a huge stadium packed with 60 or 70 thousand screaming fans. Sounds about right -- okay, now consider the fact that virtually all the fans have some form of smartphone or wireless device that they will use to stay connected while at the game. As one of the speakers at the press conference pointed out, that is like enabling Wi-Fi for a small city a dozen or more (if lucky) times per year. Only it is in an area a fraction of the size of most cities – and packed with the two things that impact Wi-Fi signals the most – concrete and water (humans are roughly 60-65% water- a human brain 85% water-(I looked it up). This is typically reffered to as high-density WiFi. If it so difficult, why do they do this?

As virtualization and cloud technologies become more pervasive in enterprise data centers, it has become clear that the network needs to change to better enable the business. For years large complex environments have struggled to overcome lengthy network and network services provisioning times. Software-defined networks (including network virtualization) have become a beacon of hope to enable organizations to overcome these issues with legacy networks and become an active enabler for modern data center environments.

Well here we are halfway through January and you can’t cross the street without hearing about a malware attack or security breach somewhere – Neiman Marcus, Target, Yahoo, Yikes!

When my non-technical friends ask me what they should expect moving forward, I’m not exactly a beacon of hope. My usual response is something like, “get used to it, things will likely get worse.”

Googles announcement yesterday that they are buying Nest for $3.2B was a surprise to me. Not because Nest isn’t a good purchase or doesn’t fit with Google’s offerings. On the contrary – it is a perfect fit from where I sit because Google has always had a two tier cloud offering. One tier is the cloud that Google continues to build out and the other is the endpoint. And despite what everyone is saying about Google entering the home with Nest – Google has been embedded in the home for quite a while and in quite a few ways.

Google has been running on our PCs since before we were ‘mobile’ and has extended onto our mobile devices. Google has had several attempts at our TVs/media centers with GoogleTV and most recently Chromecast. Google has invaded many homes in the central part of the US with their fiber optic-based broadband networks – giving Google access to entertainment consumption as well as allowing them to be the ISP for residential homes, giving them visibility to ALL Internet traffic from people’s homes.

It is widely agreed that the security software market is over $20 billion worldwide and that endpoint security software (aka antivirus) makes up the lion’s share of this revenue. After all, AV is an endpoint staple product bundled on new PCs, required as part of regulatory compliance, and even available for free from reputable providers such as Avast, AVG, and Microsoft.

Yup, AV software is certainly pervasive but traditional endpoint security vendors will face a number of unprecedented challenges to their comfy hegemony in 2014 for several reasons:

1. Security professionals are increasingly questioning AV effectiveness. According to ESG research, 62% of security professionals working at enterprise organizations (i.e., more than 1,000 employees) believe that traditional endpoint security software is not effective for detecting zero-day and/or polymorphic malware commonly used as part of targeted attacks today. To quote Lee Atwater, ‘perception is reality’ when it comes to AV.
2. Many organizations are already moving beyond AV. ESG research also indicates that over half (51%) of large organizations are planning to add new layers of endpoint security software in order to detect/prevent advanced malware threats. This means that enterprise companies aren’t waiting for AV vendors to catch up but rather spending on new endpoint defenses – likely with new vendors.
3. The industry is turning up the heat. The AV market has been a cozy oligopoly dominated by a handful of vendors. This market is coming unglued as a combination of new threats and user perceptions is opening the door to an assortment of upstarts. The list includes smaller firms like Bit9, Cylance, Malwarebytes, and Triumfant as well as 800-pound gorillas like Cisco (with Sourcefire FireAMP, IBM (with Trusteer), and RSA Security (with ECAT). Oh, and let’s not forget red hot FireEye’s acquisition of Mandiant or Palo Alto’s purchase of Morta. These two firms are intent on leaving AV vendors in the dust as they pursue the title of “next-generation security company” (whatever that means).

I’m sure lots of CISOs spent this week meeting with their teams, reviewing their 2013 performance, and solidifying plans for 2014. Good idea from my perspective. The CISOs I’ve spoken with recently know exactly what they have to do but aren’t nearly as certain about how to do it.

At a high level, here’s what I’m hearing around CISO goals and the associated challenges ahead this year:

1. Improve risk management. This translates into threat/vulnerability measurement, threat prevention, and ongoing communication with the business mucky mucks. The problem here is that their networks are constantly changing, scans are done on a scheduled rather than real-time basis, and the threat landscape is dangerous, sophisticated, and mysterious.

The holidays are over, time to get back to work. Many of you may have made resolutions to improve your life, always a worthy effort, and are now attempting to make them habits (or have already forgotten them!) Here are my practical suggestions if you want to make big data an increasingly valuable part of your business strategy, but aren't sure how to begin.

As an industry veteran, I’ve witnessed my share of IT transformations. Yup, I’m old enough to remember the transitions from mainframes to mini-computers, to client/server computing, to Internet computing, etc. Each of these IT tectonic shifts also led to changes in the balance of power within the industry. IBM owned business computing in the 1970s with its 370 mainframe but the transition to client/server gave rise to a number of new stars like HP, Microsoft, Oracle, and Sun.

The current security industry is going through a similar transition. Security “mainframe” products like network firewalls and endpoint antivirus software are giving way to new types of products and services that combine real-time security intelligence, endpoint/network defenses, and security analytics/forensics. Why? Enterprises simply can’t continue to rely on security technologies that are becoming less-and-less effective and easily circumvented by an army of hacktivists, cyber crooks, and nation states.

I’ve had a whole year now to meet many of the passionate folks who help lead great companies that make up the cloud technology community and have talked to numerous customers who are at different stages of their cloud implementations. I’m betting there is little breaking news here but I think it is still pointing out a few trends from last year that I think will persist in 2014:

1. Cloud = Public Cloud, nope, Private Cloud, nope, wait, Hybrid Cloud. Actually I think we are going to finally get back to the name ‘cloud’ and we’ll talk about it being on premises or off or both. While some technology companies only have a part of the ‘cloud’ solution and therefore can only talk about the part they have products and services for – there will be cloud companies that will be making sure they have good answers for the whole spectrum of delivery models and architectures and my bet on growth is with them.
2. Cloud Service Providers – this year we’ll see CSPs offer more choice when it comes to services and platforms. CSP service catalogs will get richer and more diverse with a wide spectrum of pricing models. CSPs will be providing more tools or using partnerships to migrate apps to a cloud platform. I also think we’ll see more CSPs offering continued innovations in terms of baremetal services and containerized services. While baremetal has been around for a bit, the containerized stuff is interesting. One implementation I’ve seen takes a monster VM and carves it up into sub-VMs. Another allows a VM to move from cloud to cloud regardless of the virtualization technology, and yet another allows the VM to dynamically adjust in size no matter how it was provisioned (imagine the $ savings this could mean over hard sizing).
3. Cloud Service Management – this is a wide spectrum of software components that sit above the hypervisor and handle orchestration and automation but also a whole lot more (governance, chargeback, SSO, federation, etc.). This past year we saw an explosion in this space. I started the year monitoring 22 companies and ended the year with over 30. Plus this year saw many CSPs come out with their own custom versions of CSP software such as Tier 3 which was acquired by CenturyLink. Also can’t forget to mention ServiceMesh being acquired by CSC and Dell’s purchasing Enstratius. This next year there will be more consolidation in this space as well as continued progression in terms of features and capabilities – e.g., IT workload supply chain management, inter-cloud/multi-cloud management, and continued innovation in operational analytics.
4. Cloud Brokerages – this has been talked about for quite a while but this year I saw one company in particular doing what seems like a brilliant move in this space. Instead of focusing on creating a portal that masks the underlying service providers – these guys are the consumers of the cloud services and act as the agent from the CSP and end customers' perspectives. They make money by purchasing more and more services and they give the customer – migration, monitoring, and management services. Managed public cloud would be another way of thinking of it – only they have the skills to help migrate applications to the cloud.
5. Managed Cloud – VARs and some interesting SaaS providers as well are providing managed private cloud. Simply put, they take the customer's data center – add cloud stuff to it (chargeback, service catalog, self-provisioning) and let the customer worry about provisioning and using the cloud resources instead of monitoring and managing them – on-premises. My gut is this will evolve to include public/hybrid as well.
6. Security - We’ll see more cloud breaches and outages. Some of this will be just the rule of numbers at work (more clouds, more data in the clouds) and some of it is where we are in the maturity curve. Stuff is changing fast and not everyone is up to speed. That said we’ll also seem a continued improvement in cloud standards, security, and compliance offerings. The regulations are adapting to cloud and providers are driving the market hard for this business. Healthcare in particular has the whole Meaningful Use incentives driving more data sharing and you can be sure the major healthcare technology companies are not sitting still.
7. Cloud Storage – usually not a very interesting topic – but when you think of all the mature and rich set of capabilities and the data growth rates still on a very vertical trajectory – storage companies will continue to move their IP to cloud platforms. Plus with the prices of memory continuing to come down – all the providers will have to have either pure SSD options or hybrid SSD and large/slow storage options. Oh and long term archive with compliance, search, analytics, etc., will be interesting to watch this year.
8. Migrations – Some new players this last year in this space with some major announcements from several that have been doing this a while. Appzero, CloudVelocity, Racemi are just a few examples of companies tackling this problem. Plus the cool technology that Cloud TP announced late in the year – PaaSLane – which actually looks at your application code and makes recommendations on what cloud services need to replace existing code and how long it will take to do.
9. PaaS – last year PaaS got a nice kick in the pants from companies like Pivotal and GE and I think we’re just getting started. It would be interesting to see partnerships from the cloud platforms to do the same thing as OpenStack only for PaaS.
10. IoT - The Internet of Things is one of the most exciting and scary areas to me (as a guy who did doc work in privacy risk). Right now people are focusing on the connected home, car, and instrumenting our bodies but what happens when all those devices become a cloud of their own? and of course when all that data is stored in a cloud somewhere that (Bad Guys, Governments, Corporations) can harvest? Yet the allure of IoT is so compelling in terms of how these intelligent devices can improve our lives - whether it be our health, our learning, or our fortunes - IoT is going to be one of the most interesting phenomena's to watch and participate in this coming year.

I’m sure I forgot a thing or two … like Software-defined Everything and ITaaS – these are still chugging along with companies converting from their virtualized application stovepipes to shared resources and to a service orientation. This year will be a great year for cloud companies – and this year will be more about the success and failures the enterprise has in cloud than it will be about all kinds of new stuff. We’ve already seen a lot of innovation – now it is time to execute and see what really works and how it helps businesses be more agile and more successful.

I hope my cybersecurity colleagues enjoyed their holiday these past few weeks. It was surely well deserved as the year 2013 will be remembered as a whirlwind of activity featuring successful IPOs and scary security incidents. Given this, it’s likely that security professionals spent the last few weeks with one eye on family and holidays and another on emerging details about the massive breach at Target.

So what’s in store for the information security industry in 2014? On the surface, it should be a happy new year across the board for security technology vendors, MSSPs, and professional service firms. That said, there is a lot of work ahead as enterprise organizations figure out how to transform an army of point tools and manual processes into a cohesive security strategy.