Keumars Afifi-Sabet

It started with DevOps. Then there was NetOps. Now SecOps. Or is it DevSecOps? Or maybe SecDevOps?

Whatever you decide to call it, too often the end result is little more than the same old siloes with shiny new names. We've become so focused on "what do we call these folks" that we sometimes forget "what is it we're trying to accomplish".

Shakespeare said that a rose would smell as sweet by any other name. Let's apply that today to the number of factions rising in the operations game. Changing your name does nothing if you don't change your core behaviours and practices.

Back when cloud first rose – pun intended – there were plenty of pundits who dismissed enterprise efforts to build private (on-premises) cloud. Because it didn't fit the precise definition they wanted to associate with cloud. They ignored that the outcome was the measure of success, not measuring up to someone else's pedantic definition. They sought agility and efficiency and speed by changing the way infrastructure was provisioned, configured, and managed. They changed behaviours and practices through the use of technology.

Today the terminology wars are focused on X-Ops and what we should call the latest arrival, security.

I know I've used the terms, and sometimes I use them all at the same time. But perhaps what we need is fewer distinctions. Perhaps I should just say you're either adopting "modern ops" in terms of behaviours and practices or you're remaining "traditional ops" and that's all there is to it.

Modern ops employ technology like cloud and automation to build pipelines that codify processes to speed delivery and deployment of applications.

And they do it by changing behaviours and practices. They are collaborative and communicative. They use technology to modernise and optimise decades old processes that are impeding delivery and deployment. They work together, not in siloed X-Ops teams, to achieve their goal of faster, more frequent releases that deliver value to the business and delight consumers.

Focusing on what to call "security" as they get onboard with modern ops can be detrimental to the basic premise that delivery and deployment can only succeed at speed with a collaborative approach. Slapping new labels on a new focused team just builds differenter siloes; it doesn't smash them and open up the lines of communication that are required to operate at speed and scale.

It also unintentionally gives permission to other, non-security ops to abdicate security responsibilities to the <SecDevOps | DevSecOps> team. Because it's in their name, right?

That's an increasingly bad idea given that application security is a stack and thus requires a full stack to implement the right protections.  You need network security and transport security and you definitely need application security. The attack surface for an app includes all seven layers and, increasingly, the stack comprising its operational environment. There is no room for silos when it comes to security.

The focus of IT as its moving through its digital transformation should be to modernise ops – from the technology to the teams that use it to innovate and deliver value to the business. Modern ops are not consumed by concern for titles, they are passionate about producing results. Modern ops work together, communicate freely, and collaborate across concerns to build out an efficient, adaptive delivery and deployment pipeline.

That will take network, security, infrastructure, storage, and development expertise working together.

In the network, we use labels to tag traffic and apply policies that control what devices can talk to which infrastructure and applications. In container clusters we use labels to isolate and restrict, to constrain and to disallow.

Labels in organisations can have the same affect.

So maybe it would be better if we just said you are either modern ops or traditional ops. And that some are in a transitional state between the two. Let's stop spending so many cycles on what to call each other that we miss the opportunity to create a collaborative environment in which to deliver and deploy apps faster, more frequently, and most of all, securely.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Preparing for the adoption of new technologies is challenging for many large enterprise organisations. That's why savvy CIOs and CTOs seek information and guidance from vendors that can assist them on the journey to achieve digital business transformation. Meanwhile, investment in artificial intelligence (AI) systems and services will continue on a high-growth trajectory.

According to the latest worldwide market study by International Data Corporation (IDC), spending on AI systems will reach $97.9 billion in 2023 – that's more than two and a half times the $37.5 billion that will be spent in 2019. The compound annual growth rate (CAGR) for AI in the 2018-2023 forecast period will be 28.4 percent.

Artificial intelligence market development

"The AI market continues to grow at a steady rate in 2019 and we expect this momentum to carry forward," said David Schubmehl, research director at IDC. "The use of artificial intelligence and machine learning (ML) is occurring in a wide range of solutions and applications from ERP and manufacturing software to content management, collaboration, and user productivity."

Artificial intelligence and machine learning are top of mind for most organisations today, and IDC expects that AI will be the disrupting influence changing entire industries over the next decade.

Spending on AI systems will be led by the retail and banking industries, each of which will invest more than $5 billion in 2019. Nearly half of the retail spending will go toward automated customer service agents and expert shopping advisors & product recommendation systems. The banking industry will focus its investments on automated threat intelligence and prevention systems and fraud analysis and investigation.

Other industries that will make significant investments in AI systems throughout the forecast include discrete manufacturing, process manufacturing, healthcare, and professional services. The fastest spending growth will come from the media industry and federal or central governments with five-year CAGRs of 33.7 percent and 33.6 percent respectively.

Investments in AI systems continue to be driven by a wide range of use cases. The three largest use cases — automated customer service agents, automated threat intelligence and prevention systems, and sales process recommendation and automation — will deliver 25 percent of all spending in 2019. The next six use cases will provide an additional 35 percent of overall spending this year.

The use cases that will see the fastest spending growth over the 2018-2023 forecast period are automated human resources (43.3 percent CAGR) and pharmaceutical research and development (36.7 percent CAGR). However, eight other use cases will have spending growth with five-year CAGRs greater than 30 percent.

Decision-makers across all industries are now grappling with the question of how to effectively proceed with their AI journey.  That's why the largest share of technology spending in 2019 will go toward services, primarily IT services, as firms seek outside expertise to design and implement their AI projects.

Hardware spending will be somewhat larger than software spending in 2019 as firms build out their AI infrastructure, but purchases of AI software and AI software platforms will overtake hardware by the end of the forecast period with software spending seeing a 36.7 percent CAGR.

Outlook for AI applications development growth

On a geographic basis, the United States will deliver more than 50 percent of all AI applications development spending throughout the forecast period, led by the retail and banking industries. Western Europe will be the second-largest geographic region, led by banking and discrete manufacturing.

China will be the third-largest region for AI spending with retail, state or local government, and professional services vying for the top position. The strongest spending growth over the five-year forecast period will be in Japan (45.3 percent CAGR) and China (44.9 percent CAGR).

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Keumars Afifi-Sabet

It’s the way software used to be purchased, and often still is. A CEO, or GM, or line-of-business owner calls into IT, and the security and compliance teams, to let them know that they are purchasing a new piece of software to drive innovation in how they deliver their products or services. Because the software needs to be customised, integrated and controlled in the company’s on-prem or cloud environment, the IT team needs to deploy it and the security team needs to secure it.

The problem is that IT, security, and compliance are already behind. As the “Defenders” of the business, they must now apply multiple other third-party products to that application in order to to gain fine-grained control over who accesses it and what data they can access. While a growing body of regulations state that security and privacy must be implemented “by design,” they didn’t design the application that the “Builders” delivered. At this point, everything they do is fundamentally an afterthought.

The conundrum of the defender

The job of the Defender is a difficult one, because security and privacy as an afterthought creates both complexity and vulnerability. The complexity comes especially from security products needing to be customised in order to function in lockstep with the application whose data they are protecting. The larger and more complex the application to protect, the more you have to invest to configure and maintain the products that secure it.

Vulnerabilities arise because between the application and the security products meant to protect it, there are seams—gaps in communication, coordination, and capability that occur naturally when two systems that are constantly evolving occupy two different infrastructure spaces. It is those seams that endlessly produce new exposure every day.

More vulnerabilities lead to more security products, which lead to more complexity, and you can see where this is going. Large enterprises own an average of between 50-70 security products, and lack the personnel and resources to marshal those products to deal with the sometimes hundreds of thousands of open vulnerabilities that have been created by the patchwork.

Where this is reflected in the business is that spending on cybersecurity increases every year, but that spending appears to be doing nothing to stem the tide of data breaches and privacy exposures, which are expanding at an even faster rate.

Enter the builders

The perspective of the developer, the Builders of applications, has changed. More and more, requirements around managing performance, reliability, and scalability have migrated into development processes as dev-ops and cloud infrastructure have gone mainstream. Security has followed suit, as progressive developers and dev-ops teams have adopted the mantra that the secret to fighting this battle is to get more involved in security upfront.

The initial steps in this movement have been focused on decreasing the coding of vulnerabilities, meaning that tools have been introduced into the application assembly line that analyse code for security weaknesses and prompt developers to address those weaknesses before applications get released.

This is a huge step, as those code vulnerabilities, if not caught ahead of time, are what lead to the dreaded “security patch.” Patches are software afterthoughts which IT often finds very painful to apply, as it can mean taking a system down for maintenance or other contortions that are highly disruptive to the business.

It makes sense to write more secure code, because coding is what developers do. But many developers are doing more. Now tools are becoming available that developers can embed into applications that give security, compliance, and risk-management visibility into and control over the flows of data.

These tools are not an afterthought, they are part of the application—a forethought. Most of the complexity that an IT-delivered security product introduces is avoided because the utility of the application is delivered along with security, and everything is on the same page and in the same context.

More powerfully, the seams between the application and its security products which fuel the runaway train of vulnerabilities disappear. We see at ALTR that when an application developed using the programmable model is delivered, it has tools to manage data in a changing world of security, compliance, and risk delivered along with it. Data security and governance has been “programmed in”.

Programmable as cloud-native

With the ability to monitor data access, govern it, and selectively protect data even from developers themselves wired into applications, there is another door that swings wide open: application portability.

Many companies, from traditional manufacturing all the way to software companies themselves, are looking for ways to leverage the economics and flexibility of cloud infrastructure. For most of these companies, the number 1 and number 2 concerns as to going to infrastructure that they don’t control are security and compliance.

But when a development team wires in tools to allow for the control of data regardless of where the application is deployed, the business is free to determine the best infrastructure for the application in question based on performance, cost, reliability and other IT priorities. Cloud options from platform-as-a-service all the way to serverless architecture, where IT doesn’t have to maintain any of the infrastructure stack, are all on the table.

Through this lens the economic benefits of programmable data security come completely into focus. Adopting this approach, by way of example, ALTR has been able to help a business optimise its digital footprint based on delivery of technology services, not on the security of them. Also, there are some additional savings that these organisations realise in the consolidation of security products, because many existing products are tied to the infrastructure in which they are deployed, from physical network appliances to cloud-provider-specific tools.

A programmable future

The world of connected computing that we find ourselves in today is a result of more than 20 years of focus on speed, efficiency, and convenience. While developers and the security teams supporting them have gotten serious about data security, the fundamental approach, and the legacy applianceware that supports that approach, is often still stuck in the world of the afterthought.

By considering data security and implementing tools to provide it at the very conception point of the application that creates the data, we finally accomplish what we needed all along: security and privacy by design. When Builders and Defenders work closely together, we see new levels of data protection implemented in organisations around the world.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Many companies are moving to a new way of delivering service to customers based on microservices. Rather than building huge and monolithic apps, microservices uses small and interconnected application components instead. These modern applications tend to be easier to update and expand than those traditional applications, as replacement services can be slotted in using APIs rather than requiring full rewrites.

To support this design approach, developers are making more use of cloud and containers. According to the Continuous Intelligence Report for 2019, the percentage of companies adopting containers has grown to 30 percent. Cloud services can host tens or thousands of containers based on how large the application needs to be, while the number of containers can be raised or lowered depending on demand. This makes containers complex to manage. For companies that run their critical applications on these new services, managing all this infrastructure is a huge challenge.

To administer this new infrastructure, companies are adopting Kubernetes as a way to orchestrate their IT. In the CI Report, the percentage of companies adopting Kubernetes ranged from 20 percent for businesses running on AWS alone, through to 59 percent for those running on a combination of AWS and Google Cloud Platform.

For companies running on AWS, GCP and Azure, the adoption of Kubernetes was up to more than 80 percent. For multi-cloud environments, Kubernetes helps to streamline their operations and respond more quickly to changes in demand.

Monitoring Kubernetes

So far, Kubernetes has helped companies turn the idea of multi-cloud into a reality. By being able to run the same container images across multiple cloud platforms, IT teams should be able to maintain  control over their IT and maintain leverage when it comes to pricing.

However, Kubernetes is still a developing technology in its own right. While it provides a strong foundation for developers to build and orchestrate their applications’ infrastructure, there are some gaps when it comes to maintaining, monitoring and managing Kubernetes itself.

Kubernetes pods, nodes and even whole clusters can all be destroyed and rebuilt quickly in response to changes in demand levels. Rather than looking at infrastructure, effectively monitoring what is running in Kubernetes involves looking at the application level and focusing on each Service and Deployment abstraction instead. Monitoring therefore has to align with the way Kubernetes is organised, as opposed to trying to fit Kubernetes into a previous model.

It is also important to understand the different forms of data that might be captured. Log data from an application component can provide insight into what processes are taking place, while metric data on application performance can provide insight into the overall experience that an application is delivering.

Joining up log and metric data should give a complete picture of the application, but this task is not as easy as it sounds. It can be near impossible to connect the dots between metrics on a node to logs from a pod in that node. This is because the metadata tagging of the data being collected is not consistent. A metric might be tagged with the pod and cluster it was collected from, while a log might be categorised using a different naming convention.

To get a true picture of what is taking place in an application running on Kubernetes involves looking at all the data being created and correlating this information together. Using metadata from the application alongside the logs and metrics information coming in, a consistent and coherent view of what is taking place across all the containers being used can be established. This involves collecting all the metadata together and enriching it so that consistent tagging and correlation can be carried out.

Bringing all the data together

Looking at Kubernetes,  it’s easy to see why the number of companies utilising it are on the rise. However, currently developers can have multiple different tools in place to take data out of container instances and bring that information back for analysis and monitoring, which can be hard to scale. For log data collection, Fluent Bit processes and forwards on data from containers; similarly, Fluentd provides log and event data collection and organisation. The open source project Prometheus provides metrics collection for container instances, while Falco provides a way to audit data from containers for security and compliance purposes.

Each of these tools can provide an element of observability for container instances, but ideally they should be combined to get a fuller picture of how containers are operating over time. Similarly, automating the process for gathering and correlating data across multiple tools can help make this information easier to use and digest.

Bringing all these different sets of data together not only provides a better picture of what is taking place in a specific container or pod; the merged data can be used alongside other sources of information too. By gathering all this data together in real time, as it is created, you can see how your company is performing over time. This continuous stream of intelligence can be used to see how decisions affect both IT infrastructure and business performance.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bobby Hellard

Keumars Afifi-Sabet

OVH has announced it is changing its name to OVHcloud to mark the company’s 20th birthday – and double down on its ambitions.

The move was announced at OVH's annual jamboree, renamed this year from #OVHSummit to #OVHcloudSummit.

The company has long-held a goal to provide an alternative to the cloud hyperscalers for the European market. OVHcloud cites clarity as the primary reason for changing name: the company claims more than 70% of its revenue is ‘focused on cloud solutions.’ “By adopting the name OVHcloud, the group is aligning its identity with its business development strategy, in order to support its international growth,” the press materials note.

OVHcloud’s primary marketing is an acronym around the ‘smart’ cloud: any solution needs to be simple to implement, multi-local, accessible and predictable, reversible and open, and transparent. It is the reversibility – to ensure organisations avoid bill shock and vendor lock-in, which is particularly key, according to CEO Michel Paulin.

In a recent interview with CIO India (cached), Paulin outlined the rationale, while not naming names. “Many cloud players make it difficult or impossible for their customers to move their data out of the cloud. However we believe that customers should be free to move the data out as and when they want,” said Paulin. “The concept of reversibility is not just beneficial for the customers in the long term but will also make the multi-cloud strategy feasible.”

Writing for this publication in February, Paulin expanded further on his company’s multi-cloud ethos. “From speaking to our customers, combining on-premise and cloud infrastructure with a multi-cloud strategy has allowed them to connect to networks in a totally isolated and secure way, via numerous points of presence around the world,” Paulin wrote.

“What’s more, I’ve noticed how it has allowed organisations to shift to the cloud at their own pace and take a flexible approach – all while responding to their strategic objectives,” Paulin added. “This means businesses can control and run an application, workload, or data on any cloud based on their individual technical requirements.”

OVHcloud is looking at various industries, as well as smaller businesses, to help it differentiate. The company’s Cloud Web hosting product line, for instance, is aimed at developers and agencies. At the other end of the scale the company is promising an enriched bare metal portfolio for its enterprise solution base to provide greater performance and automation capabilities.

While Paulin noted in a statement that the company wants its brand to reflect the reality of cloud around the world, industry watchers may be wary of such nomenclature. In the much more nascent blockchain space, companies have been adding the buzzword to their name before changing their mind. The most recent was Blockchain Power Trust, which changed its name last week to Jade Power Trust after the company officially ceased cryptocurrency mining operations.

You can view the full #OVHcloudSummit keynote here (English version).

Picture credit: OVHcloud/Screenshot

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Bobby Hellard