ESG Blogs

So, with the Christmas presents unwrapped, and yet with New Year resolutions still to be self-negotiated, it's about time for me to put forth my predictions for infrastructure in 2018.  

We live in a truly fascinating era of technology. Multiple avenues of innovation, such as blockchain, machine learning, and artificial intelligence, are poised to fundamentally transform business. Will it happen over night? No. Will it happen in 2018? To a degree. But more importantly, 2018, and probably 2019, will be about preparing for these new innovations by transforming IT to compete in the digital age. The bottom line is that in five years or so, the more digitally adept businesses will have already won, and it will be too late for a company to redefine itself. In other words, the time for IT transformation is now. It is this urgent need for transformation that provides the background for my 2018 predictions for enterprise storage.  

As 2018 rolls in, we're here to make predictions for cloud platforms. Unfortunately, I'm not here to come up with a present of a crystal ball that predicts all the exciting news to come, so I'm a bad Santa.

However, I do want to discuss some major trends that are underway, and how they may become important in 2018.

1. Multi-Cloud. Do you want to use multiple clouds based on each one being a best of breed, or perhaps as a specific way for hedging your bets? What are the costs when you realize each has a different set of APIs? Do you redo your work N times over?

In part 2 of the video with Kenna Security, CEO Karim Toubba continued to explain why and how vulnerability and risk management have a fundamental place within a security operations and analytics platform architecture (SOAPA). Our discussion focused on:

• The cybersecurity skills shortage. Anyone who's read my blogs knows this is a frequent topic of mine as I believe the cybersecurity skills shortage represents an existential risk to all our online safety. Karim agrees that it’s a problem and believes we need to apply compute cycles and artificial intelligence algorithms to process, analyze, and act upon the growing mountain of security data.

Networking is a conservative area, but it has been undergoing many changes in the last few years. Here are some of my thoughts for 2018. I include an obligatory discussion of SD-WAN since I like to cover it, but who can avoid talking about the cloud (and the cloud is a major driver for SD-WAN)?

I will focus on what you ought to look at and perhaps it will affect your purchase, architecture or deployment decisions.

1. SD-WAN - We will probably see a choice of deployment models between three different deployment methods (DIY, Managed Service Provider, Major Telcos), which may change the way the products evolve and are used.

Most people have a few New Year’s resolutions – lose some weight, exercise more, spend more time with the family, etc. Based upon ESG research and many discussions with cybersecurity professionals, here’s a list of New Year’s resolutions for enterprise CISOs:

1. Lead the effort to make cybersecurity part of the organizational culture. ESG/ISSA research indicates that 24% of organizations claim that business managers still don’t understand or support the right level of cybersecurity. In 2018, CISOs must alter this cybersecurity ignorance and apathy. How? Make a concerted effort to gain the CEO's support. Establish regular communications with all line-of-business managers. Work to better quantify risk in ways that business managers can understand and act upon. Get involved with business process initiatives before software developers begin writing code. Push HR for more hands-on training. Walk the floor and meet employees on a regular basis. CISOs must push as hard as they can in 2018. Those that make a difference can have a personal impact on risk mitigation across the organization. Those that fail should be ready to seek other employment in 2019.

Citrix has always been a company that provides the glue between disparate enterprise resources. This goes back many years. From app virtualization and VDI, application delivery controllers, or file sync and share, it served as glue to fill in areas where other companies lacked an adequate solution, or provided a multi-vendor solution where other companies, due to a single vendor focus, failed to provide an adequate answer.

As traditional vendors opened to interoperate in a multi-vendor environment, Citrix’s DNA allowed it to stay innovative, even as other firms introduced competing products, such as in remote desktop access.

I attended their Industry Analyst Meeting in Santa Clara, CA, and came away with a view to try to put a framework around their offerings.

Karim Toubba, CEO of Kenna Security, stopped by the ESG studio to discuss SOAPA and its application to vulnerability management. In part 1 of our video, Karim and I discuss:

1. The problem with vulnerability management. Vulnerability management is one of the most mature categories of cybersecurity technology so I pressed Karim on why it applies to a new architecture like SOAPA. His response was intriguing – the issue is sorting through all the data as enterprises are dealing with millions of vulnerabilities across a full technology stack from host systems to applications to cloud workloads. SOAPA and new types of data analytics can help organizations process and manage the data, making it more useful for decision making.

Juniper held its NXTWORK conference in San Francisco last week. There were some announcements that showed this firm's continued evolution to be cloud-centric and to integrate security into its offerings.

As part of the recently published research report from ESG and the information systems security association (ISSA) titled, The Life and Times of Cybersecurity Professionals, 343 infosec pros were asked to identify the cybersecurity actions their organizations have taken over the past few years. This list serves as a good foundation for what we can expect in 2018. 

The top responses were as follows:

Mobility and cybersecurity. While those two areas may have very different roles inside an IT organization and business, they both play integral parts in identity and access management. Given that, I’m always getting asked, “Who owns IAM?”

Here is my summary video from HPE's latest Madrid installment of its Discover user event series. It's a little different from the usual ESG On Location video format inasmuch as I spent the vast majority of my camera time interviewing HPE execs and customers, rather than my ESG colleagues. The customer interviews were done for HPE and will appear on its channels over the coming weeks. Meantime, in this summary video you'll find sample "snippets" from some of the HPE exec interviews (with full versions to follow soon), together with a comment from me about mega-events in general, and then specifically my key takeaway from Discover in Madrid.

More and more people are proactively protecting their personal identities. But it’s not only individuals that must take steps to keep their identities safe. Companies must also be vigilant about protecting corporate identities. Between fraud and identity theft, and bad actors committing nefarious acts while impersonating a company’s CEO, the integrity of a company can easily be compromised.

Over the past few weeks, dozens of people have reached out to me with their cybersecurity predictions for 2018. Some prophecies are fairly obvious (ransomware will continue in 2018) while at the other extreme, some people are pushing doomsday forecasts aimed at garnering press hits (i.e., the US will suffer a cyber-attack in 2018 that knocks out the power grid for a substantial amount of time).

When it comes to identity and access management (IAM), the cloud, mobility initiatives, and app dev are driving chaos. Security risks are on the rise due to the expanded perimeter, and though IT operations shoulders a great deal of IAM responsibility, who actually owns identity and access management?

The answer isn’t clear-cut. It actually depends on a number of things, including: an organization’s maturity, its security posture, and how aggressively the company is pursuing identity and access management strategies.

Everyone is busy writing their cybersecurity predictions for 2018 and while I haven’t published my list yet, here’s an easy call – the cybersecurity skills shortage will continue to be an existential threat in 2018. 

As a review, here are a few data points that lead me to this conclusion:

• 45% of organizations claim to have a problematic shortage of cybersecurity skills in 2017. By the way, 46% of organizations claimed to have a problematic shortage of cybersecurity skills in 2016, so things are not improving.

With growing numbers of people using personal devices for work, most organizations no longer have ultimate control over their employees' devices. Today, it’s essential for CISOs and other security professionals to provide their employees with safe and secure access to the corporate data, applications, and devices they need to perform their jobs. Across industries, organizations are dealing with this challenging lack of corporate control, combined with the necessity of ensuring security, and providing employees with easy access.

As I discussed in Motive, Means, and Opportunity for Evaluating HCI Performance, performance is a key HCI buying criteria.

It’s time for Juniper NXTWORK in San Francisco next week. At this time of the year between Thanksgiving and Christmas and New Year, it’s the tail end of the conference season and announcements.

What may be in store?

What presents may be in store from Juniper? It’s hard to say, but some earlier announcements on bots provide a hint on how their vision of Self-Driving Networks may start to get realized.

Their trio of new bot-apps: The AppFormix HealthBot for telemetry, Contrail TestBot for auditing, and PeerBot for peering monitoring were recently announced for beta, for availability in the first half of 2018. This may be a hint of things to come.

Last week, I wrote a blog describing how 2018 will be the year of advanced prevention. Now we’ve had technologies for blocking cyber-attacks and malware for decades (i.e., antivirus software, firewalls, IPS, etc.), so what exactly is advanced prevention? I believe advanced prevention sits at the intersection of two other cybersecurity trends:

1. Software-defined security functionality. Software-defined everything makes it easier to deploy, configure, and scale security controls.
2. Artificial intelligence. AI uses algorithms to comb through mountains of data to increase detection/blocking efficacy, provide granular risk scoring, and fine-tune decision making. 

As we say goodbye to 2017 and hello to 2018, it's time again for my yearly predictions for Systems Management, PaaS, and DevOps. I've posted a video with my predictions below but here are the key points that I talk about in the video.

• Continued growth in how systems management teams and large vendors approach hybrid cloud - As I discussed in my 2017 video, we can approach hybrid cloud from an infrastructure up or a cloud down orientation. Choosing an approach radically changes how system management is done and both customers and vendors have to make some decisions on how they approach hybrid.

Synchronoss is excited about having Glenn Lurie as its new CEO—and no wonder. With some business “speed bumps” at Synchronoss, Lurie’s leadership experience and business relationships (after all, he was AT&T’s Mobility and Consumer Operations President and CEO) will give Synchronoss an opportunity to tune its focus in the market, and potentially create significant partnerships with technology, media, and telecommunications (TMT) ecosystems. Lurie clearly recognizes the multiple market opportunities Synchronoss has right in front of it, and is able to swiftly connect the dots between Synchronoss innovation, TMT ecosystems, and the digital transformation increasing numbers of companies are undergoing. 

I’ve written a lot about the cybersecurity skills shortage lately, based upon data from a new research report titled, The Life and Times of Cybersecurity Professionals, a collaborative effort done by ESG and the information systems security association (ISSA). The report indicates that:

• 70% of cybersecurity professionals believe that their organizations have been impacted by the cybersecurity skills shortage.

The most exciting announcement during AWS re:Invent for cloud computing infrastructure foundation was Fargate. There were a slew of new announcements and I don't want to de-emphasize the other ones too much, but this one was the most interesting to me.

First, a bit of background. There's lot of confusion on VMs, containers, and functions. Here are the differences:

The key thing is that the VMs allow a server to run as one big piece (OS + whatever apps are installed), containers allow applications (which includes providing microservices, but no OS, but the underlying system beneath the container layer provides the Linux interface) to run, and serverless is a place to run code (or functions). Each stage enables slicing a workload into smaller pieces.

At AWS re:Invent 2017, AWS continued to show the domination it has over the public cloud market. During Andy Jassy's keynote, he talked about AWS now having an $18 billion run rate with 42% growth. That's impressive in both the size and the continued growth at that size, which should be a bone chilling statistic for competitors. It extends beyond financials, with AWS showing share numbers to be over 44% of the market and more than the next 12 competitors combined.

Man, talk about the proverbial firehose. AWS re:Invent 2017 proved to be a wide open torrent of announcements from AWS and the partner ecosystem alike, making recap blogs such as this a bit of a mission impossible. For starters, AWS’s security announcements included:

This year was my first re:Invent and it was an impressive event. There were over forty-three thousand people in attendance and the show occupied a number of hotels along the Vegas strip. It wasn’t just that there were a lot of people there, it was that there were a lot of people who wanted to be there – after attending hundreds of trade shows and user group events you get to know the difference. There was a buzz and excitement at the show that reminded me of early VMworld and TechEd shows. Sessions were sold out and queues were long as people waited for the doors to open. All the attendees I spoke to had specific reasons for attending; many were in the process of moving to a cloud first strategy and were there to learn.

I attended a session at AWS re:Invent titled “Planning for your advanced AWS networking architectures” that was held by Matt Lehwess and Nick Matthews, who were rightfully dressed as networking wizards.

Without going into the details of the presentation, I have a few “meta” comments:

It’s so easy to set up networking in a public clouds (you set up VPCs and elastic load balancers without the need to purchase and configure hardware) that we are tempted to experiment with different architectures to see what happens.

However, one needs to still plan appropriately. There are several issues that cannot be ignored.