Adam Shepherd

The graph represents a network of 1,329 Twitter users whose recent tweets contained “#DevOps”, or who were replied to or mentioned in those tweets, taken from a data set limited to a maximum of 18,000 tweets. The network was obtained from Twitter on Thursday, 10 January 2019 at 23:50 UTC.

The tweets in the network were tweeted over the 7-hour, 6-minute period from Thursday, 10 January 2019 at 16:29 UTC to Thursday, 10 January 2019 at 23:36 UTC.

Additional tweets that were mentioned in this data set were also collected from prior time periods. These tweets may expand the complete time period of the data.

read more

BMC has unmatched experience in IT management, supporting 92 of the Forbes Global 100, and earning recognition as an ITSM Gartner Magic Quadrant Leader for five years running. Our solutions offer speed, agility, and efficiency to tackle business challenges in the areas of service management, automation, operations, and the mainframe.

read more

It is always interesting to see how different industries are seizing the opportunity of cloud adoption as well as coping with its challenges. As far as the HR industry is concerned, a new report has asserted that enterprises have realised the cost savings of software as a service (SaaS) and are now focused on building the next steps.

The study, from Information Services Group (ISG), polled more than 250 companies, ranging in size from 1,000 to more than 20,000 employees, and found a “distinct picture of the typical journey towards maturity in HR technology.”

Approximately half of those polled who had leveraged a SaaS model said they had achieved between 10% and 30% savings in both IT and technology operations and HR administration. 15% said they had achieved savings of 30% or more in both areas. When it came to a specific technology platform – perhaps not surprisingly given the sensitive data departments work with – data security was the key feature, cited by almost three quarters (72%) as a ‘must-have.’ Ease of maintenance (69%), ease of use (66%) and depth of functionality (66%) were also highly cited.

Despite all this however, only two in five (41%) respondents agreed that they had seen measurable business improvements by adopting SaaS. The report argued this was down to a discrepancy between investment and results.

The key finding here was that HCM solutions do not address all of an organisation’s needs. SaaS providers were coming around this realisation too, the report added, investing in case management software or partnering with suitable providers to plug the gap. The report also advocated extensions through open APIs – Oracle, SAP and Workday are among the vendors who have explored this – as well as revaluating their metrics.

Part of the solution for enterprises could be to combine HR with other systems, such as ERP. More than two thirds (68%) of organisations polled said they were exploring this, with approximately half actively seeking out a platform or deployment partner.

Ultimately however, the move to what ISG describes as the fourth generation of HR technologies is a way off yet. HR Tech 4.0, as the report put it, would necessitate central governance established by a centre of excellence, full SaaS capabilities and fully automated and optimised processes.

“While organisations are accelerating HR technology capability, they have not yet made similar advances in process, service delivery and self-service technology,” said Stacey Cadigan, partner at ISG HR Technology and report co-author. “To add true business value and solve HR challenges, organisations must combine the use of SaaS with a clear HR technology strategy, optimised processes, an end-to-end experience and change management designed to ensure technology adoption and drive business outcomes.”

You can read the full report here (email required).

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Connor Jones

Bottom line: Instead of only relying on security vendors’ claims about Zero Trust, benchmark them on a series of five critical success factors instead, with customer results being key.

Analytics, Zero Trust dominated RSA

Analytics dashboards dominated RSA from a visual standpoint, while Zero Trust Security reigned from an enterprise strategy one. Over 60 vendors claimed to have Zero Trust Security solutions at RSA, with each one defining the concept in a slightly different way.

RSA has evolved into one of the highest energy enterprise-focused conferences today, and in 2019 Zero Trust was center stage in dozens of vendor booths. John Kindervag created the Zero Trust Security framework while at Forrester in 2010. Chase Cunningham, who is a Principal Analyst at Forrester today, is a leading authority on Zero Trust and frequently speaks and writes on the topic. Be sure to follow his blog to stay up to date with his latest research. His most recent post, OK, Zero Trust Is An RSA Buzzword — So What?, captures the current situation on Zero Trust perfectly. Becca Chambers’ blog post, Talking All Things Zero Trust at RSA Conference 2019, includes an insightful video of how the conferences’ attendees define Zero Trust.

With so many vendors claiming to offer Zero Trust solutions, how can you tell which ones have enterprise-ready, scalable solutions?  The following are five ways to demystify Zero Trust:

Customer references are willing to talk and case studies available

With the ambitious goal of visiting every one of the 60 vendors who claimed to have a Zero Trust solution at RSA, I quickly realised that there is a dearth of customer references. To Chase Cunningham’s point, more customer use cases need to be created, and thankfully that’s on his research agenda. Starting the conversation with each vendor visited by asking for their definition of Zero Trust either led to a debate of whether Zero Trust was needed in the industry or how their existing architecture could morph to fit the framework.

Booth staff at the following companies deserve to be commended for how much they know about their customers' success with Zero Trust: Akamai, Centrify, Cisco, Microsoft, MobileIron, Palo Alto Networks, Symantec, and Trend Micro. The team at Ledios Cyber, who was recently acquired by Capgemini, was demonstrating how Zero Trust applied to industrial control systems and shared a wealth of customer insights as well.

Defines success by their customers’ growth, stability and earned trust instead of relying on fear

A key part of demystifying Zero Trust is seeing how effective vendors are at becoming partners on the journey their customers are on.

While in the Centrify booth I learned of how Interval International has been able to implement a least privilege model for employees, contractors, and consultants, streamline user onboarding, and enable the company to continue its rapid organic growth. At MobileIron, I learned how NASDAQ is scaling mobile applications including CRM to their global sales force on a Zero Trust platform.

The most customer-centric Zero Trust vendors tend to differentiate on earned trust over selling fear.

Avoid vendors who have a love-hate relationship with Zero Trust

Zero Trust is having an energising effect on the security landscape as it provides vendors with a strategic framework they can differentiate themselves in. Security vendors are capitalising on the market value right now, with product management and engineering teams working overtime to get new applications and platforms ready for market.

I found a few vendors who have a love-hate relationship with Zero Trust. They love the marketing mileage or buzz, yet aren’t nearly as enthusiastic about changing product and service strategies. If you’re looking for Zero Trust solutions, be sure to watch for this and find a vendor who is fully committed.

Current product strategies and roadmaps reflect a complete commitment to Zero Trust

Product demos at RSA ranged from supporting the fundamentals of Zero Trust to emulating its concepts on legacy architectures. One of the key attributes to look for is how perimeterless a given security application is that claims to support Zero Trust. How well can a given application protect mobile devices? An IoT device? How can a given application or security platform scale to protect privileged credentials?

These are all questions to ask of any vendor who claims to have a Zero Trust solution. Every one of them will have analytics options; the question is whether they fit with your given business scenario. Finally, ask to see how Zero Trust can be automated across all user accounts and how privileged access management can be scaled using identity and access management (IAM) systems including password vaults and multi-factor authentication (MFA).

A solid API strategy for scaling their applications and platforms with partner successes that prove it

One of the best questions to gauge the depth of commitment any vendor has to Zero Trust is to ask about their API strategy. It’s interesting to hear how vendors with Zero Trust-based product and services strategies are scaling inside their largest customers using APIs. Another aspect of this is to see how many of their services, system integration, technology partners are using their APIs to create customized solutions for customers. Success with an API strategy is a leading indicator of how reliably any Zero Trust vendor will be able to scale in the future.

Conclusion

RSA is in many ways a microcosm of the enterprise security market in general and Zero Trust specifically. The millions of dollars in venture capital invested in security analytics and Zero Trust made it possible for vendors to create exceptional in-booth experiences and demonstrations – much the same way venture investment is fueling many of their roadmaps and sales teams.

Zero Trust vendors will need to provide application roadmaps that show their ability to move beyond prevention of breaches to more prediction, at the same time supporting customers’ needs to secure infrastructure, credentials, and systems to ensure uninterrupted growth.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

Portworx, a provider of storage and data management software for containers, has announced a $27 million (£20.5m) series C funding round – and touted record revenue and customer growth in the process.

The company’s series C, putting its total funding at $55.5m, was co-led by Sapphire Ventures and the venture arm of Mubadala Investment Company, with new investors Cisco Investments, HPE and NetApp joining Mayfield Fund and GE Ventures in the round.

The company noted its customer base had expanded by more than 100%, with total bookings going up 50% just between the third and fourth quarters of 2018. Among the new customers are HPE, with the infrastructure giant eating its own dog food in the funding stakes by investing after purchasing the Portworx Enterprise Platform.

Portworx also took the opportunity to unveil the latest flavour of its platform, Portworx Enterprise 2.1. New features include enhanced disaster recovery as well as a role-based security option, with organisations able to access controls on a per-container volume basis integrated with corporate authorisation and authentication.

The opportunity for Portworx and other companies of their ilk is a big one. As this publication noted in September, a study from the company noted more than two thirds of companies were ‘making investment’ in containers, noting that the enterprise had caught up. Ronald Sens, director at A10 Networks, noted at the time that while Kubernetes is “clearly becoming the de facto standard”, certain areas, such as application load balancing, are not part of their service.

“Kubernetes alone is not sufficient to handle critical data services that power enterprise applications,” said Murli Thirumale, CEO and co-founder of Portworx in a statement. “Portworx cloud-native storage and data management solutions enable enterprises to run all their applications in containers in production.

“With this investment round the cloud-native industry recognises Portworx and its incredible team as the container storage and data management leader,” Thirumale added. “Our customer-first strategy continues to pay off.”

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Digitisation has dramatically changed how work gets done. Business-critical apps and data are a keystroke away, no matter where an employee is or what time it is. Perhaps it is this familiarity with data that makes employees feel so connected to it that, when they switch jobs, they often take some of it with them. Maybe it’s why most of them don’t think this is a criminal act.

Whatever the reasoning for this willful exfiltration of data, a lack of security can impact an organisation’s growth and ability to retain a competitive advantage. But with more visibility into insider threats, organisations can drive bad actors out and improve their overall security posture.

Below are the top five events that organisations monitor cloud applications for and how paying attention to them can help to promote good security hygiene within a company.

Look at login activity

Dig into who is logging in, from where and when, is likely to turn up some surprises related to application interaction. Terminated users who have not been properly deprovisioned may be able to gain access to sensitive data after employment, in the case of a departed employee, or at the end of a contract with a third party. Login activity can also tell you a user’s location, hours, devices and more – all of which can uncover potential security incidents, breaches or training opportunities.

Organisations can keep data safe from those who shouldn’t have access anymore, like a former employee or contractor, by monitoring for inactive user logins. Login activity can also tell you whether employees are logging in after hours or from a remote location. This may be an indicator of an employee working overtime – but it may also be a red flag for a departing employee, logging in after hours to steal data, or of compromised credentials.

Examine what’s being exported

Exporting reports is an easy way for employees to extract large amounts of sensitive data from Salesforce and other cloud applications. Users can run reports on nearly anything within Salesforce, from contacts and leads to customers. And those reports can be exported for easy reference and analysis.

The other side of the coin is that this ability can also make a company vulnerable to data theft and breaches. Departing employees may choose to export a report of customers, using the list to join or start a competitive business.

But if a company is monitoring for exports, this activity helps to:

• Secure sensitive customer, partner and prospect information, which will increase trust with your customers and meeting key regulations and security frameworks (e.g., PCI-DSS).
• Find employees who may be taking data for personal or financial gain and stop the exfiltration of data before more damage occurs.
• Lessen the severity and the cost of a data breach by more quickly spotting and remediating the export activity.
• Find likely cases of compromised credentials and deactivate compromised users.

Research all reports being run

Companies focus their security efforts on which reports are being exported, but simply running a report could create a potential security issue. The principle of least privilege dictates that people only be given the minimal amount of permissions necessary to complete their job – and that applies to data that can be viewed. But many companies grant broad access across the organisation, even to those whose job does not depend on viewing specific sensitive information.

Job scope is an important consideration in which reports are appropriate. If you look at which reports have been run, top report runners and report volume, you can track instances where users might be running reports to access information that’s beyond their job scope. Users may also be running – but not necessarily exporting – larger reports than they normally do or than their peers do.

A third benefit comes from monitoring for personal and unsaved reports, which can help close any security vulnerability created by users attempting to exfiltrate data without leaving a trail. Whether it’s a user who is attempting to steal the data, a user who has higher access levels than necessary, or a user who has accidentally run the report, monitoring for report access will help you spot any additional security gaps or training opportunities.

Keep track of creation and deactivation

Creating and deactivating users is a part of managing users. Organisations can monitor for deactivation – which, if not done properly after an employee leaves the organisation, may result in an inactive user gaining access to sensitive data or an external attacker gaining hold of their still-active credentials. For this and other cloud applications, a security issue may also arise when an individual with administrative permissions creates a “shell,” or fake user, under which they can steal data. After the fact, they can deactivate the user to cover their tracks.

Monitoring for user creation is an additional step security teams can take to keep an eye on any potential insider threats. And by keeping track of when users are deactivated, you can run a report of deactivated users within a specific time frame and correlate them with your former employees (or contractors) to ensure proper deprovisioning. Monitoring for creation and/or deactivation of users is also required by regulations like SOX and frameworks like ISO 27001.

Check changes in profiles and permissions

What a user can and can’t do in cloud applications is regulated by profiles and permissions. For example, in Salesforce, every user has one profile but can have multiple permissions sets. The two are usually combined by using profiles to grant the minimum permissions and access settings for a specific group of users, then permission sets to grant more permissions to individual users as needed. Profiles control object, field, app and user permissions; tab settings; Apex class and Visualforce page access; page layouts; record types; and login hours and IP ranges.

Permission level varies by organisation. Some give all users advanced permissions; others grant only the permissions that are necessary for that user’s specific job roles and responsibilities. But with over 170 permissions in Salesforce, for instance – and hundreds or thousands of users – it can be difficult to grasp the full scope of what your users can do in Salesforce.

Monitor that data

Digital transformation has brought about great freedom and productivity, enabling employees to work from anywhere at any time. Cloud-based business apps have become the norm, with data flowing to and fro along a countless number of endpoints connected to employees with different levels of responsibility.

To oversee all this activity, many companies today are monitoring user interactions with cloud apps and data. This creates greater visibility, which helps both your organisation and your customers have greater peace of mind that security measures are in place to protect data.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Alibaba Cloud has taken the opportunity provided by its most recent Beijing Summit to elaborate on its near 10-year history – and explore a more integrated and intelligent future.

The company noted that its cloud arm was ‘becoming the main business focus of Alibaba Group’ and that cloud adoption was ‘expected to continue and become more immersive in the traditional sectors across China.’  

“Alibaba has championed cloud computing in China over the past 10 years and has been at the forefront of rapid technology development,” said Jeff Zhang, CTO at Alibaba Group and president of Alibaba Cloud. “In the future, our highly compatible and standards-based platform will allow SaaS partners to onboard easily and thrive.

“The offerings will also be enriched by our continued investment in research through the Damo Academy, [which] will align data science with the development of our products,” Zhang added. “To empower all participants in our ecosystem, we will boost the integrated development of technology, products and services on our open platform.”

The event saw three primary products announced: the SCC-GN6, claimed to be the most powerful super-computing bare metal server instance issued by the company to date; a cloud-native relational database service, PolarDB, and SaaS Accelerator, a platform for partners to build and launch SaaS applications as well as utilise Alibaba’s consultancy.

The past six months have seen a period of expansion for Alibaba Cloud. A new data centre complex in Indonesia was launched in January, while the London site opened its doors in October. The company says its IaaS dominance in China is such that it commands a larger market share than the second to eighth largest players put together.

Synergy Research noted in June that the top five cloud infrastructure players in China were all local companies, while across the whole of Asia Pacific (APAC) Alibaba ranked second, behind AWS. In October, data and analytics firm GlobalData noted how Alibaba was gaining across APAC as a whole, saying it was a ‘force to be reckoned with’ and ‘betting big on emerging markets such as India, Malaysia and Indonesia while competing with others in developed markets.’

Asia Pacific remains a region of vastly differing expectations when it comes to cloud computing, as the Asia Cloud Computing Association (ACCA) found in its most recent Cloud Readiness Index report. Those at the top end, such as Singapore and Hong Kong, have overall rankings – based on connectivity, cybersecurity and data centre infrastructures among others – ahead of the US and UK. India, China and Vietnam meanwhile, the bottom three nations, scored lower than 50%.

China itself, according to the ACCA report, had made progress despite retaining its modest ranking from 2016, but its lowest scoring areas – power sustainability and broadband quality – reflected the issues of nationwide adoption of cloud technologies across such a vast area. The report did note that the Chinese government “continues to devote considerable fiscal resources to the development and improvement of infrastructure… a move that will undoubtedly pay off in the next few years.”

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.