Resiliency, Risk Management Add a New Dimension to
Discussions about Enterprise Security
Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on how our
views of security need to be expanded beyond protecting the perimeter.

Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP


Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance
podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your
co-host and moderator for this ongoing discussion of IT innovation and how it's
making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving performance of
their services to deliver better experiences and payoffs for businesses and end
users alike. This time, we’re coming to you directly from the HP Discover 2012
Conference in Las Vegas. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

At the event, I had a chance to sit down with Raf Los of HP Software. Raf has an interesting
personal perspective on “enterprise resiliency,” which I initially heard about through his blog,
Following the White Rabbit.

Raf will now share his point-of-view, and you can also read more about “enterprise resiliency”
on Raf's blog, or by following him on Twitter at @wh1t3rabbit.

With that, please join me now in welcoming Raf Los. Welcome back.

Raf Los: Thank you for having me again.

Gardner: Tell me a little bit about your vision. We all understand security and why it’s
important, but you've developed, I think, an expanded category for security. Tell me what you
mean and where that is heading.

Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it
secure or is it not? As we move forward, I believe very strongly that what we’re
evolving into is, as we’ve heard people talk about, risk management.

Risk management starts to include things that are beyond the security borders. As I
talked to customers out here, I was having an "aha" moment. A little while ago, at
one of our converged cloud chats, we were talking about how things fail.
Everything fails at some point, and chaos takes over.

So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing
ourselves into threats from a security perspective, the evolution of that goes into enterprise
resiliency. What that means is that it’s a combination of recoverability, security, performance,
and all the other things that bring together a well-oiled business that can let you take a shot to the
gut, get back up, and keep going.

A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position,
because you're put into a position where the board of directors, if you’re lucky, or your CTO or
your CIO asks, "How much money do you need to secure this organization?"

That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have
$10 million, a billion dollars, there's no amount of money you can spend to make your company
completely secure.

Acceptable risk

So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of
what and how and how much you’re aiming for. It’s not just acceptable risk. We’re
looking at acceptable risk from a security perspective, but we need to incorporate
the fact that we're going to get owned.

We need to get out of our ivory towers and we need to start thinking about the
fact that attacks happen and insiders happen. There are things that are going to
transpire that are beyond our control and things that we cannot plan for.
Technology will fail.

People and processes will fail. Our own technologies, our own minds will fail us. Our best
friends will fail us. People get tempted. This is a human nature that the weakest element will
always be a human being, and there's no patch for that.

So how do we move and get back to business as usual? How do we get back to being a resilient
business? That’s a cool concept -- that I have enterprise resiliency.

Gardner: This makes great sense to me, because we’ve been talking, over the past several years,
about how security needs to be applied to different parts of the organization holistically and
needs to be thought of in advance, be built in, and become part of a lifecycle.

But it makes double sense to me to expand the purview of security. It really is in making sure
that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data
backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a
great deal of sense.

Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of
talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to
see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey
thing from Netflix.

Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I
gave, it comes from the perspective of you’ve got a lot of great security technology. You've
probably got full disk encryption. You back up. You have firewalls, redundant networks, and all
these things that you do.

You have procedures that you’re supposed to follow in the red book, a big red binder that sits on
your incident response handler's desk, and you have all these things that are supposed to be
followed.

Your people are trained, and your developers are supposedly writing better source code. These
are all things that we can test through penetration testing, which means on Sunday between 7:00
p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready. Can you go
ahead and pen-test us?

No patch for the human

And it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind
of a scrunchy face, because that’s not really what this means. I've worked with folks who are red-
team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the
human.

When you can’t penetrate a system or an organization via a new 0-day, you'll walk in through
the front door by walking and carrying flowers from the CEO's wife or something, and you'll
own the organization that way.

But the question isn’t whether you'll be owned or not. What happens next is the big question, and
it encompasses things like how good is your PR strategy. Do you have all the legal pieces in
place? When your backup system fails or your entire data center gets wiped out by Hurricane
Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that
stinks? Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?

Gardner: Okay, let’s go to the cloud. I've been speaking with a number of folks lately who hold
the opinion that at least for small-to-medium sized businesses (SMBs), going to the cloud can
improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might
be a longer haul and there might be more complications and issues to manage.

Do you agree with that, that the SMB can outsource some of this resiliency to the cloud provider
who needs to do it and has the resources and experience to do it better than the SMBs do?

Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is
expensive and good security talent that can actually work towards a more resilient, more secure
enterprise is very difficult to come by. It’s becoming scarce.

So small companies do the best they can with what they have their hands on. And there's
certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the
bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's
take the angle of threat intelligence.

I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like?
If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions
of times a day and probably subscribes to numerous threat-intelligence services. They know
exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a
ton of resources from the security perspective.

Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be
intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s
be realistic about it. Get a partner that will get you there. Do due diligence on the partner that
you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think
there's a lot of benefit to be had, absolutely.

Gardner: And we’re learning more here at Discover about the HP Converged Cloud. In a
sense, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for
applications and services. You might have data in a variety of sources across a variety of
organizations, running from on-premises to managed hosting to multiple cloud and SaaS
providers.

Is there a way that, in addition to the security that's going on within those organizations, you can
add more security at that converged cloud layer, particularly when you’re converging network
storage, workload provisioning, governance, and so forth. What’s the add-on value that the HP
Converged Cloud can bring resiliency-wise?

Choice, consistency, confidence

Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency,
and confidence. We’re focusing on consistency and confidence here and perhaps a little bit of
choice as well.

What we’re saying is that because we focus on OpenStack, because we’ve chosen to build our
platform completely on OpenStack, because we’re building across a single model, a single way
of operating, as Meg said yesterday. You can build a single security operating model and you'll
be able to implement it across your private, public, and hybrid models.

I don’t think it’s realistic to say every company will have a public cloud-only presence, just as I
don’t think it’s realistic to say companies won’t have a public cloud presence. Most organizations
will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all
of that somehow sharing space and workload, bursting out to each other when necessary.

As I said, systems fail, clouds fail, everything fails. So when we think about, and we’ve had this
on our converged cloud chat, when things fail, you have to start architecting for failure and
resiliency.

Because of this architecture that we’ve had, if you choose to get one other partner to back up
what you have with us, pick a partner that's got the same OpenStack platform and the same
models. It’s not going to be hard. There are lots of them out there.

OpenStack is a big platform. You should be able to build once, package once, deploy many
times. This saves on manpower, on cost, and on having to redevelop the security wheel over and
over and over again. That provides unbelievable amounts of flexibility of what you can do with
your enterprise.

When one cloud or a connectivity to one cloud fails, or maybe not fails, but you get attacked in
one position, you can bring up other capacity to compensate for that. That's where the true value
of cloud comes in. It’s elastic computing. It’s not a marketing buzzword.

Gardner: And when we think about the HP philosophy about cloud, that it’s not lock-in, that
it’s not tied to a single nameplate on the cloud, it seems to me that there's an opportunity to
reduce risk further, when you have open fungible elasticity and bursting. If there is a trouble, a
problem that comes up, or a red light goes on, you can, according to people I've spoken to,
literally move an entire data center virtually from one location to another, reconstitute your
perimeter, and so forth.

So is there an inherent benefit, security and resilience, in the ecumenical bursting approach that
HP is adopting?

Los: Absolutely. That’s what that whole choice part is. That's the word that we’re using. It’s
choice, consistency, and confidence. We were all consumers, Meg was a consumer of ours as
well, at some point. I was a consumer before I became a vendor.

Option to standardize

This is the longest I’ve ever worked for a vendor in my life and I can’t imagine myself
anywhere else. The reason for that is because I think we give people the option to standardize on
us, but if they chose to move off of us at some point, it’s okay. We’re not going to make them
completely redevelop their platforms. That makes the reason to stay with us that much more
compelling.

This is one of those things where locking somebody into a platform is a terrible idea. Vendors
used to do this years and years ago with the more proprietary platform. "We'll get them on it, and
they’ll never be able to get off." That's not smart thinking. It's just not.

Gardner: It’s not resilient.

Los: It’s not resilient, because it fails everybody. It builds animosity and tension, and when
something fails, everybody loses.

Gardner: One last area I like to get into is this idea that we’re seeing highly virtualized
environments. We’re talking about virtualized server instances, workloads, and network storage.
Disaster recovery (DR) technologies have evolved to the point where we're mirroring and
moving entire data centers virtually from one location to another, if there's a resiliency issue like
a natural disaster or a security or cyber attack that impacts an electric grid or something along
those lines.

Is there a sort of a tipping point that we’re at, when it comes to higher levels of virtualization,
some of the DR speeds, working with de-duplication and reducing the amount that needs to be
moved in these instances, that gives us this higher level of security, simply because of the
mobility in which we can now exercise for vast amounts of data and applications?

Los: I believe so. Do I have an answer for that that’s clear and crisp? No, I don’t know, and I saw
a lot of that fantastic stuff. One of the things that caught my attention is we’ve broken the 100-
terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky
to get 100 gigs an hour and I remember 100 megabytes an hour being a challenge on those giant
DLT tapes sometimes over networks.

The idea that we can take an entire cloud and because of data de-duplication, because of the way
we move workloads and policies all in one fell swoop, and the way we package things once and
move them, as a model, rather than everything together, moving metadata rather than the actual
data, it gives us the ability to move things.

One thing that everybody needs to think about is what is this doing for our bandwidth
requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion
with our networking folks. People are building clouds all over the place now and that's great, but
it’s really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute
metric ton of data, and then say, "I want to move." How are you going to take your data from
there to there? That’s a big question.

You need to do your homework ahead of time, make sure you know what you’re getting into, and
make sure you know what technologies are being supported. Don’t get in and know the dinosaur.
This is all important stuff, and you want to have a vendor and a partner that is at the cutting edge
of technology for stuff like this.

As Jeff Katzenberg, somebody who has been into cloud business since before cloud was a
marketing buzzword, said, "Hi. We’re HP. We’ve been doing this for a while. Join us. The water
is fine."

Gardner: Very good. I'm afraid we'll have to leave it there. We’ve been talking with Raf Los of
HP Software on his interesting personal perspectives about the evolution of security into the
concept of enterprise resiliency, and how that also impacts the move to cloud and cloud models.
Thanks so much, Raf.

Los: Thank you for having me once again.

Gardner: And thanks to our audience for joining this special HP Discover Performance podcast,
coming to you from the HP Discover 2012 Conference in Las Vegas. I'm Dana Gardner, Principal
Analyst at Interarbor Solutions, your host for this ongoing series of HP-sponsored discussions.
Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP

Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on how our
views of security need to be expanded beyond protecting the perimeter. Copyright Interarbor
Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

  •    HP Expert Chat Explores How Insight Remote Support and Insight Online Bring
       Automation, Self-Solving Capabilities to IT Problems
  •    Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business
       Laggards, Survey Results Show
  •    Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather
       than Inhibitor, of Cloud Adoption
  •    Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and
       Governance
  •    Expert Chat on How HP Ecosystem Provides Holistic Support for VMware Virtualized
       IT Environments

More Related Content

PDF
Building an enterprise security knowledge graph to fuel better decisions, fas...
PDF
Technology, Process, and People Combine to Smooth the Path to Enterprise Virt...
PDF
Cloud Computing by Industry: Novel Ways to Collaborate Via Extended Business ...
PDF
FuseSource Gains New Autonomy to Focus on OSS Infrastructure Model, Community...
PDF
Tag-Team of Workshops Provides Proven Path of Data Center Transformation, Ass...
PDF
Enterprise Architecture Faces Vast Promise -- or Lost Opportunity
PDF
Creative Solutions in Healthcare Improves Client Services and Saves Money wit...
PDF
HP Network Management Advances Heighten Performance While Reducing Total Cost...
Building an enterprise security knowledge graph to fuel better decisions, fas...
Technology, Process, and People Combine to Smooth the Path to Enterprise Virt...
Cloud Computing by Industry: Novel Ways to Collaborate Via Extended Business ...
FuseSource Gains New Autonomy to Focus on OSS Infrastructure Model, Community...
Tag-Team of Workshops Provides Proven Path of Data Center Transformation, Ass...
Enterprise Architecture Faces Vast Promise -- or Lost Opportunity
Creative Solutions in Healthcare Improves Client Services and Saves Money wit...
HP Network Management Advances Heighten Performance While Reducing Total Cost...

Similar to Resiliency, Risk Management Add a New Dimension to Discussions about Enterprise Security (20)

PDF
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
PDF
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
PDF
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
PDF
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
PPTX
Its not a bug it's a feature - Seattle B sides 2019
PDF
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
PDF
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
PDF
Learn More About Advances in Identity Management and It's Role in Reducing Cy...
PDF
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
PDF
December 2016 Printed Newletter
PDF
DevOps and Security, a Match Made in Heaven
PDF
Hard Truths your CISO won’t tell you.pdf
PDF
Carbon Black: Justifying the Value of Endpoint Security
PPTX
Blameless system design - annotated
PDF
January 2017 Printed Newsletter
PDF
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
PDF
Open Group Panel Explores Changing Field of Risk Management and Analysis in t...
PDF
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
PDF
Private Cloud: Debunking Myths Preventing Adoption
PPTX
Security Snake Oil Cycle 2019
Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness ...
Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Secu...
Cloud Security Crosses the Chasm, How IT Now Goes to the Cloud for Better Sec...
How the Switch to a Predominantly Remote Workforce Accelerated IT and Securit...
Its not a bug it's a feature - Seattle B sides 2019
How Dashboard Analytics Bolster Security and Risk Management Across IT Supply...
The Security Industry: How to Survive Becoming Management BSIDESLV 2013 Keynote
Learn More About Advances in Identity Management and It's Role in Reducing Cy...
How to Migrate Your Organization to a More Security-Minded Culture – From Dev...
December 2016 Printed Newletter
DevOps and Security, a Match Made in Heaven
Hard Truths your CISO won’t tell you.pdf
Carbon Black: Justifying the Value of Endpoint Security
Blameless system design - annotated
January 2017 Printed Newsletter
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Open Group Panel Explores Changing Field of Risk Management and Analysis in t...
Right-Sizing the Security and Information Assurance for Companies, a Core-ver...
Private Cloud: Debunking Myths Preventing Adoption
Security Snake Oil Cycle 2019
Ad

Recently uploaded (20)

PPTX
MYSQL Presentation for SQL database connectivity
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Modernizing your data center with Dell and AMD
PDF
Review of recent advances in non-invasive hemoglobin estimation
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PDF
Encapsulation_ Review paper, used for researhc scholars
PDF
NewMind AI Monthly Chronicles - July 2025
PDF
Electronic commerce courselecture one. Pdf
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
PPTX
Big Data Technologies - Introduction.pptx
MYSQL Presentation for SQL database connectivity
Spectral efficient network and resource selection model in 5G networks
Unlocking AI with Model Context Protocol (MCP)
Bridging biosciences and deep learning for revolutionary discoveries: a compr...
Building Integrated photovoltaic BIPV_UPV.pdf
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Modernizing your data center with Dell and AMD
Review of recent advances in non-invasive hemoglobin estimation
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
Encapsulation_ Review paper, used for researhc scholars
NewMind AI Monthly Chronicles - July 2025
Electronic commerce courselecture one. Pdf
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Dropbox Q2 2025 Financial Results & Investor Presentation
“AI and Expert System Decision Support & Business Intelligence Systems”
The Rise and Fall of 3GPP – Time for a Sabbatical?
Big Data Technologies - Introduction.pptx
Ad

Resiliency, Risk Management Add a New Dimension to Discussions about Enterprise Security

  • 1. Resiliency, Risk Management Add a New Dimension to Discussions about Enterprise Security Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on how our views of security need to be expanded beyond protecting the perimeter. Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussing of IT innovation and how it's making an impact on people’s life. Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. This time, we’re coming to you directly from the HP Discover 2012 Conference in Las Vegas. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.] At the event, I had a chance to sit down with Raf Los of HP Software. Raf has an interesting personal perspective on “enterprise resiliency,” which I initially heard about through his blog, Following the White Rabbit. Raf will now share his point-of-view, and you can also read more about “enterprise resiliency” on Raf's blog, or by following him on Twitter at @wh1t3rabbit. With that, Please join me now in welcoming Raf Los. Welcome back. Raf Los: Thank you for having me again. Gardner: Tell me a little bit about your vision. We all understand security and why it’s important, but you've developed, I think, an expanded category for security. Tell me what you mean and where that is heading. Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it secure or is it not? As we move forward, I believe very strongly that what we’re evolving into is, as we’ve heard people talk about, risk management. Risk management starts to include things that are beyond the security borders. As I talked to customers out here, I was having an "aha" moment. 
A little while ago, at one of our converged cloud chats, we were talking about how things fail. Everything fails at some point, and chaos takes over. So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing ourselves into threats from a security perspective, the evolution of that goes into enterprise
  • 2. resiliency. What that means is that it’s a combination of recoverability, security, performance, and all the other things that bring together a well-oiled business that can let you take a shot to the gut, get back up, and keep going. A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position, because you're put into a position where the board of directors, if you’re lucky, or your CTO or your CIO asks, "How much money do you need to secure this organization?" That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have $10 million, a billion dollars, there's no amount of money you can spend to make your company completely secure. Acceptable risk So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of what and how and how much you’re aiming for. It’s not just acceptable risk. We’re looking at acceptable risk from a security perspective, but we need to incorporate the fact that we're going to get owned. We need to get out of our ivory towers and we need to start thinking about the fact that attacks happen and insiders happen. There are things that are going to transpire that are beyond our control and things that we cannot plan for. Technology will fail. People and processes will fail. Our own technologies, our own minds will fail us. Our best friends will fail us. People get tempted. This is a human nature that the weakest element will always be a human being, and there's no patch for that. So how do we move and get back to business as usual? How we get back to being a resilient business. That’s a cool concept -- that I have enterprise resiliency. Gardner: This makes great sense to me, because we’ve been talking, over the past several years, about how security needs to be applied to different parts of the organization holistically and needs to be thought of in advance, be built in, and become part of a lifecycle. 
But it makes double sense to me to expand the purview of security. It really is in making sure that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a great deal of sense. Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey thing from Netflix.
  • 3. Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I gave, it comes from the perspective of you’ve got a lot of great security technology. You've probably got full disk encryption. You back up. You have firewalls, redundant networks, and all these things that you do. You have procedures that you’re supposed to follow in the red book, a big red binder that sits on your incident response handler's desk, and you have all these things that are supposed to be followed. Your people are trained, and your developers are supposedly writing better source code. These are all things that we can test through penetration testing, which means on Sunday between 7:00 p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready. Can you go ahead and pen-test us? No patch for the human And it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind of a scrunchy face, because that’s not really what this means. I've worked with folks who are red- team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the human. When you can’t penetrate a system or an organization via a new O-day, you'll walk in through the front door by walking and carrying flowers from the CEO's wife or something, and you'll own the organization that way. But the question isn’t whether you'll be owned or not. What happens next is the big question, and it encompasses things like how good is your PR strategy. Do you have all the legal pieces in place? When your backup system fails or your entire data center gets wiped out by Hurricane Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that stinks? Well, we were in the cloud." Oh, your cloud just got wiped out. Now what? Gardner: Okay, let’s go to the cloud. 
I've been speaking with a number of folks lately who hold the opinion that at least for small-to-medium sized businesses (SMBs), going to the cloud can improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might be a longer haul and there might be more complications and issues to manage. Do you agree with that that the SMB can outsource some of this resiliency to the cloud provider who needs to do it and has the resources and experience to do it better than the SMBs do? Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is expensive and good security talent that can actually work towards a more resilient, more secure enterprise is very difficult to come by. It’s becoming scarce.
  • 4. So small companies do the best they can with what they have their hands on. And there's certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's take the angle of threat intelligence. I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like? If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions of times a day and probably subscribes to numerous threat-intelligence services. They know exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a ton of resources from the security perspective. Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s be realistic about it. Get a partner that will get you there. Do due diligence on the partner that you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think there's a lot of benefit to be had, absolutely. Gardner: And as we’re learning more here at Discover about the HP Converged Cloud. In a sense, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for applications and services. You might have data in a variety of sources across a variety of organizations, running from on-premises to managed hosting to multiple cloud and SaaS providers. Is there a way that, in addition to the security that's going on within those organizations, you can add more security at that converged cloud layer, particularly when you’re converging network storage, workload provisioning, governance, and so forth. What’s the add-on value that the HP Converged Cloud can bring resiliency-wise? 
Choice, consistency, confidence

Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency, and confidence. We're focusing on consistency and confidence here, and perhaps a little bit of choice as well. What we're saying is that because we focus on OpenStack, because we've chosen to build our platform completely on OpenStack, because we're building across a single model, a single way of operating, as Meg said yesterday, you can build a single security operating model and you'll be able to implement it across your private, public, and hybrid models.

I don't think it's realistic to say every company will have a public cloud-only presence, just as I don't think it's realistic to say companies won't have a public cloud presence. Most organizations will be a combination of on-premises IT, private cloud, virtual private cloud, and public cloud, all of that somehow sharing space and workload, bursting out to each other when necessary.
As I said, systems fail, clouds fail, everything fails. So when we think about failure, and we've had this on our converged cloud chat, when things fail, you have to start architecting for failure and resiliency. Because of this architecture that we've had, if you choose to get one other partner to back up what you have with us, pick a partner that's got the same OpenStack platform and the same models. It's not going to be hard. There are lots of them out there. OpenStack is a big platform.

You should be able to build once, package once, deploy many times. This saves on manpower, on cost, and on having to redevelop the security wheel over and over and over again. That provides unbelievable amounts of flexibility in what you can do with your enterprise. When one cloud or connectivity to one cloud fails, or maybe not fails, but you get attacked in one position, you can bring up other capacity to compensate for that. That's where the true value of cloud comes in. It's elastic computing. It's not a marketing buzzword.

Gardner: And when we think about the HP philosophy about cloud, that it's not lock-in, that it's not tied to a single nameplate on the cloud, it seems to me that there's an opportunity to reduce risk further when you have open, fungible elasticity and bursting. If there is trouble, a problem that comes up, or a red light goes on, you can, according to people I've spoken to, literally move an entire data center virtually from one location to another, reconstitute your perimeter, and so forth. So is there an inherent benefit, in security and resilience, in the ecumenical bursting approach that HP is adopting?

Los: Absolutely. That's what that whole choice part is. That's the word that we're using. It's choice, consistency, and confidence. We were all consumers. Meg was a consumer of ours as well, at some point. I was a consumer before I became a vendor.
Option to standardize

This is the longest I've ever worked for a vendor in my life, and I can't imagine myself anywhere else. The reason for that is that I think we give people the option to standardize on us, but if they choose to move off of us at some point, it's okay. We're not going to make them completely redevelop their platforms. That makes the reason to stay with us that much more compelling.

This is one of those things where locking somebody into a platform is a terrible idea. Vendors used to do this years and years ago with the more proprietary platforms. "We'll get them on it, and they'll never be able to get off." That's not smart thinking. It's just not.

Gardner: It's not resilient.
Los: It's not resilient, because it fails everybody. It builds animosity and tension, and when something fails, everybody loses.

Gardner: One last area I'd like to get into is this idea that we're seeing highly virtualized environments. We're talking about virtualized server instances, workloads, and network storage. Disaster recovery (DR) technologies have evolved to the point where we're mirroring and moving entire data centers virtually from one location to another, if there's a resiliency issue like a natural disaster or a security or cyber attack that impacts an electric grid or something along those lines. Is there a sort of tipping point that we're at, when it comes to higher levels of virtualization, some of the DR speeds, working with de-duplication and reducing the amount that needs to be moved in these instances, that gives us this higher level of security, simply because of the mobility with which we can now exercise vast amounts of data and applications?

Los: I believe so. Do I have an answer for that that's clear and crisp? No, I don't know, and I saw a lot of that fantastic stuff. One of the things that caught my attention is we've broken the 100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky to get 100 gigs an hour, and I remember 100 megabytes an hour being a challenge on those giant DLT tapes, sometimes over networks.

The idea that we can take an entire cloud and, because of data de-duplication, because of the way we move workloads and policies all in one fell swoop, and the way we package things once and move them, as a model, rather than everything together, moving metadata rather than the actual data, it gives us the ability to move things.

One thing that everybody needs to think about is what this is doing for our bandwidth requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion with our networking folks.
People are building clouds all over the place now, and that's great, but it's really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute metric ton of data, and then say, "I want to move." How are you going to take your data from there to there? That's a big question. You need to do your homework ahead of time, make sure you know what you're getting into, and make sure you know what technologies are being supported. Don't get in and know the dinosaur. This is all important stuff, and you want to have a vendor and a partner that is at the cutting edge of technology for stuff like this.

As Jeff Katzenberg, somebody who has been in the cloud business since before cloud was a marketing buzzword, said, "Hi. We're HP. We've been doing this for a while. Join us. The water is fine."

Gardner: Very good. I'm afraid we'll have to leave it there. We've been talking with Raf Los of HP Software on his interesting personal perspectives about the evolution of security into the concept of enterprise resiliency, and how that also impacts the move to cloud and cloud models. Thanks so much, Raf.
Los: Thank you for having me once again.

Gardner: And thanks to our audience for joining this special HP Discover Performance podcast, coming to you from the HP Discover 2012 Conference in Las Vegas. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP-sponsored discussions. Thanks again for listening, and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.