Investment Banking in the Cloud

On a recent flight home after our meeting with a large bank, I started reflecting on how the conversations about cloud computing with clients have changed over the last 12 to 24 months. 

In 2012 and 2013, a lot of the conversations where focused on “what is cloud computing,” “help us build a cloud strategy” or “how do we automate our infrastructure.” As we near the end of 2014 these conversations have changed drastically. Most progressive enterprises are knowledgeable about all of the different cloud service models (IaaS, PaaS, and SaaS), have researched the major vendors, have started executing on their cloud strategy, and have become experts at managing the IaaS layer. The focus now appears to be moving up the stack towards the application layer.

2015: The year of cloud applications

Many enterprises have already laid the basic foundation work for their clouds and we’re seeing a mixture of private and public clouds being implemented with a high level of automation at the infrastructure layer. Enterprises have invested a lot of time into implementing guardrails around their clouds so that developers can consume the cloud services in a secure and compliant manner. The “build it” part of the “build it and they will come” strategy is complete, now it is time to get the applications and the developers to join the party. I believe that 2015 will be the coming out party for PaaS. It remains to be seen if enterprises will buy into pure PaaS platforms, leverage PaaS capabilities via an IaaS provider, or roll their own by leveraging a collection of tools like Docker. I believe the answer is all of the above. Almost every account I go into, the client is either evaluating PaaS or doing a proof of concept with one or more PaaS platforms and their interest is far greater now than it was at the end of 2013.

Photo credit: http://danielcrane.us

DevOps is taking enterprises by storm

At the beginning of 2014, DevOps was not even in the vocabulary of many of our enterprise clients. Around mid-summer, we started seeing interest in DevOps, and now DevOps is front and center in almost every conversation. I am not sure what triggered the heightened interest, but DevOps is definitely on the CxO’s wish list right now. DevOps is where cloud was back in 2012. Most of our conversations are “what is DevOps?,” “Help us put together a strategy,” “how can we implement continuous integration and continuous delivery?,” “what tools do we need?”. Many clients have already started their DevOps journey but are not seeing the results they expected. I attribute the struggles to the following reasons:

• IT focused solely on technology and skipped the people and process part
• IT pushed operations to development without providing proper tools and service design
• The current SDLC and service management creates too many bottlenecks
• Current solutions work for a team of pioneers but do not scale organizationally

In 2015, these organizations will need to re-evaluate their SDLC and operations processes and figure out how to streamline processes and remove waste. We worked with one client to automate a lot of the manual gates in their ITIL processes so that the process still ensured high quality and reliability, but did not get in the way of rapidly deploying software. It is time for enterprises to move beyond the technology and reassess their organizational structures and operating models if they want to see the promised land that DevOps strives for: Speed to market with quality and reliability.

IT is becoming a cloud service provider

Another common theme I see is that the CxOs understand the value proposition of the cloud but they also realize that if they don’t govern it they will be repeating the sins of the past. If you go into any large organization today you will see chaos everywhere. Most technologies have been implemented with little to no consistency. This creates a lot of waste and makes it extremely difficult to make changes that allow applications to interact with each other. CxOs are taking these lessons learned and are building their own guardrails around the third party cloud solutions to offer their own flavor of cloud to their developers. To say it another way, they are becoming the AWS of their company. These organizations are creating cloud teams who pick cloud solutions, be it AWS, OpenStack, VMWare, etc., and wrap them in their own layer of abstraction in order to enforce the cloud principles that are important to them. This is extremely common in health care and financial services institutions.

From what I have seen, enterprises have made a lot of progress with this model from the technology standpoint but are struggling with the operating model. Becoming a service provider is a radical change from running a datacenter. In 2015, enterprises will have to put more focus on the people and process aspects of this transformational change

Summary

Enterprises have made a lot of progress with their cloud initiatives throughout 2014. I am impressed with how far the industry has come in just the last 12 months. The problem I see is that while enterprises have made great advancements with the technology, they are hitting walls with the people and process part of the equation. 

CxOs who have invested heavily in private and hybrid cloud infrastructures are going to be focusing heavily on getting more applications deployed to justify those investments over the last two years. 2015 is going to be a make or break year for many enterprise cloud initiatives. Enjoy your time off in this holiday season because the real hard battles start next January. Make sure those IT budgets have some big line items for organizational and process transformation.

Sophos aims for unified cloud security nirvana with Mojave acquisition

With the purchase of Mojave Networks, Sophos seeks to combine cloud security, endpoint security and advanced filtering to deliver hybrid protection for real-time scenarios. 

With massive breaches affecting everything from retail establishments to Hollywood stars, one has to wonder if there is a better way to protect data in transit and at rest, and if anyone has discovered a process to make that become a reality.

Sophos, known for its desktop security products and cloud-based security services, is aiming to build a more secure cloud byacquiring Mojave Networks, a San Mateo, California-based startup that came to market with cloud-based security solutions.

Mojave fills an important hole in the Sophos product lineup, which only just recently moved into cloud-based security. With the acquisition, Sophos aims to integrate Mojave's primary services into a unified cloud security platform -- those services include cloud-based network security, cloud-based app security and Mobile Device Management (MDM).

The combination of Mojave's offerings with Sophos's cloud, mobile cloud protection systems and its network/end-user/server protection products (appliances, virtual appliances and software) should help Sophos to deliver cloud-based security that is always up to date and can deal with the latest unified threats.

Other companies looking to play in the unified, cloud-based security space include Cisco, Symantec, Dell, and numerous antivirus vendors. However, IT pros have long had to turn to cloud services vendors, along with firewall vendors and antimalware vendors, to hobble together a solution that offers something akin to a complete security solution. If Sophos can pull off the integration of Mojave into its cloud security offerings, the company may be able to offer the unified security nirvana that so many are seeking.

The advantages offered by security services unification cannot be underestimated. First and foremost is the ideology of a unified security dashboard, which eases deploying security across multiple platforms, devices and connections. What's more, better reporting naturally follows a unified management system, where all the bits and pieces of security are well aware of each other and can offer a better look at how things are secured.

Nevertheless, what security vendors claim and what the real-world challenges do not always jibe, which begs the question: What should unified security offer and why?

• Antimalware: One of the first elements to look for in a security package is how it deals with malware. Better products include everything from link scanners to antivirus tools to real-time (cloud-based) updates.
• Antiphishing: One of today's biggest security problems is phishing, where embed links in emails can be used to launch malicious websites that gather information or install spyware on systems. Beyond educating end-users not to open suspicious emails, it is critical to have a service (or software) that detects phishing attempts and puts a stop to them.
• Content filtering: One of the best ways to limit a user from visiting a malicious site is by leveraging content filtering, where websites are blocked based upon ratings/content and so forth. If a user cannot access a malicious site, security is vastly improved.
• MDM: For organizations that place workers in the field, it is critical to have control of the devices they use remotely or while traveling. A good MDM system will enforce passwords, keep data encrypted and provide a way to either wipe a lost device or help to locate it.
• SQL injection protection: Many breaches come from a blunt force attack, where malicious code is inserted into a database, forcing the database to return results that may reveal private information. A device or cloud service should be in place to prevent that from happening.
• Advanced Persistent Threat (APT) protection: APTs are one of the latest maladies to impact network security. Those engineered attacks may knit together many smaller attacks on what may seem to be unrelated systems to sneak malware past traditional security products. Unified security can effectively combat APTs by putting the pieces back together, validating or blocking the code.
• Antispam: Spam can be a major security problem for most any email user. Preventing spam from entering the network proves to be a key capability to protect end users and their resources, and it is best done before the email enters the network.
• Firewall: Multiple firewalls can provide layers of protection. A unified offering can tie together a next-generation firewall at the edge of the network with a locally installed desktop firewall to plug any potential holes. However, local firewalls need to be managed to be effective, and that is where a unified security package comes into play.
• Intruder detection and prevention: Keeping unauthorized users out proves to be one of the better ways to prevent data loss and compromises. An effective security system is able to work hand in hand with security directories, firewalls and VPNs to make sure the user is actually the intended user. This works better when managed under a unified system, which could also leverage two-factor authentication and enterprise level LDAP/ADS type directories.
• Wi-Fi security: Hotspot connectivity is often overlooked. Whether or not that hotspot is internal or located in a coffee shop isn't the real issue -- the real issue is how the traffic travels via the hotspot. Encryption combined with SSL or VPN services becomes a must-have to protect data in the ether; a unified security package should provide the software to secure Wi-Fi traffic and detect when traffic is traveling in the clear (unprotected).

Only by combining the above into a centrally managed offering can one hope to achieve true unified security. After all, security is made up of many moving pieces, and without management some of those pieces are bound to fail.

Hopefully, by Sophos combining what were once separate security offerings into a unified platform, the company can lead the way for competitors to identify those same threats and help to bring forth multiple competitive offerings that can only improve security.