Friday, April 29, 2016

Capgemini and HPE Team Up to Foster Behavioral Change That Brings Better Cyber Security Across Application Lifecycles

Transcript of a discussion on how new levels of collaboration and communication across disparate teams is needed to improve applications development speed and security.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on improving cyber security in applications across their entire lifecycles. Increasingly, security is being integrated into software design, even as the pressure builds to bring more apps to market faster.

Furthermore, such trends as the Internet of Things (IoT), hybrid cloud services, mobile-first, and DevOps are increasing the demands and complexity of the overall development process. Key factors in improving both development speed and security include new levels of collaboration and communication across formerly disparate teams -- from those who design, to coders, to testers, and on to continuous monitoring throughout operations.

We're here now with two experts from a Capgemini and Hewlett Packard Enterprise (HPE) Alliance to learn how to create the culture, process, and technologies needed to make and keep today's applications as secure as possible.

Please join me now in welcoming our guests, Gopal Padinjaruveetil, Global Cyber Security Strategist for Capgemini. Welcome, Gopal.
Read the Latest Insights
On How to Protect
Your Enterprise Applications
Gopal Padinjaruveetil: Thank you, Dana, for having me. Excited to be here.

Gardner: We're also here with Mark Painter, Security Evangelist at Hewlett Packard Enterprise. Welcome Mark.

Mark Painter: Thank you, Dana. It’s great to be here.

Gardner: Let’s start with you Gopal. What do you see as some of the top trends that are driving the need for improved security for applications? It seems like we're in the age of "continuous everything" across the entire spectrum of applications.

Padinjaruveetil: Let me talk about a few trends with some data and focus on why application security is going to become more-and-more important as we move forward.

There's a report saying that there will be 50 billion connected devices by 2020. There was also a Cisco report that said that 92 percent of the devices today, connected devices, are vulnerable. There was an HPE study that came out last year said that 80 percent of the attacks are now happening at the application layer.

If you put together these three diverse data points coming from three different people, we see that there will be 37 billion devices in 2020 that are deemed to be vulnerable. That’s very interesting, 37 billion devices vulnerable in 2020. We need to change the way that we develop software.

Key trend

The other key trend that we're seeing is that agility is becoming a prime driver in application development, where the business would like to have functionality as early as possible. So the whole agile development methodology driving agility is becoming key, and that's posing some unique problems.

The other thing that we're seeing from a trend perspective is that apps and data are moving out of the enterprise landscape. So the concept of mobile-first, free the data, free the app, and the cloud movement are major trends that affects the application security and how applications are being developed and delivered.

The other trend is regulators. In many critical industries regulations are becoming very strict with cyber crime and advanced actors. We're seeing nation states, advanced actors, coming into the game and we're seeing advanced persistent threats becoming a reality. So that’s driving another dimension to the whole application security.

Last, but not least, is that we see a big shortage of cyber security talent in the market. Those are the trends that drives the need for a different look at application security from a lifecycle approach.

Gardner: Mark, anything to offer in terms of trends that you are seeing from HPE, perhaps getting more involved with security earlier in the process?

Painter: Gopal gave a very good and very thorough answer and he was dead-on. As he said, 80 percent of attacks are aimed at the application layer. So it actually makes sense to try to prevent those vulnerabilities.

We propose that people implement application security during the development cycle, precisely because that’s where you get the most bang for your buck. You need to do things across the entire lifecycle, and that includes even production, but if you can shift to the left, stop them as early as possible, then you save so much money in the long run in case you are attacked.

We do a study in conjunction with the Ponemon Institute every year, and since 2010, every year, it shows that attacks increase in frequency, they're harder to find, and they're also increasingly costlier to remediate. So it’s the right way to do it. You have to bake security in. You just can’t simply brush it on.

Gardner: And with the heightened importance of user experience and the need for moving business agility through more rapid iterations of software, is it intuitive to conclude that more rapid development makes it more challenging for security, or is there something about doing rapid iterations and doing security that somehow can go hand in hand, a continuous approach? Gopal, any thoughts?

Rapid development

Padinjaruveetil: There's a need for rapid applications, because we're seeing lot of innovations coming, and we welcome that. But the challenge is, how do you do security in a rapid world?

There is no room for error. One of the things from a trend perspective is IoT. One of the things I tell my clients is that if you look at traditional IT, we're operating in a virtual world, purely a virtual world. But when you talk about things like operation technology (OT), we're talking about physical things, physical objects that we're using in everyday life, like a car, your temperature monitors, or your heartbeat monitors. These are physical things.

When the physical world and the virtual world come together with IoT, that could have a very big impact on the physical layer or the physical objects that we use. For example, the safety of individuals, of community, of regions, of even countries can now be put in danger, and I think that is the key thing. Yes, we need to develop applications rapidly, but we need to develop them in a very secure way.

Gardner: So the more physical things that are connected, the more opportunity there is to go through that connection and somehow do bad things, nefarious activities. So in a sense, the vulnerability increases with the connectivity.

Padinjaruveetil: Absolutely. And that’s the fear, unless we change ways of developing software. There has to be a mindset change in how we develop, deploy, and deliver software in the new world.
There has to be a mindset change in how we develop, deploy, and deliver software in the new world.

Gardner: I suppose another element to this isn't just that bad things can happen, but that the data can be accessed. If we have more data at the edge, if we move computing resources out to the edge where the data is, if we have data centers more frequently in remote locations, this all means that data privacy and data access is also key.

How much of the data security is part of the overall application security equation, Gopal?

Padinjaruveetil: One of the things I ask is to define an application, because we have different kinds of applications. You have web services and APIs. Even though those are headless, we would consider that those are applications, and applications without data have no meaning.

The application and the data are very closely tied to each other, and what's the value? There's no real advantage for a hacker just to have an application. They're coming after the data. The private data, sensitive data, or critical data about a client or a customer is what they're coming at.

You bring up a very good point that security and privacy are the key drivers when we are talking about applications. That is what people are trying to get at, whether it's intellectual property (IP) or whether it’s sensitive data, credit card data, or your health data. The application and the data are tied at the hip, and it’s important that we look at both as a single entity, rather than just looking at the application as a siloed concept.

Solving problems

Gardner: Let’s look a little bit at how we go about helping organizations approach these problems and solve them. What is it that HPE and Capgemini have done in teaming up to solve these problems? Maybe you could provide, Gopal, a brief history of how the app security alliance with these two organizations has come about?

Padinjaruveetil: Capgemini is a services company, and HPE has great security products that they bring to the market. So, very early on, we realized that there's a very good opportunity for us to partner, because we provide services and HPE provides great security products.

One of the key things, as we move into agility or into application development, is that many of the applications have millions of lines of code. These are huge applications, and it's difficult to do a manual assessment. So, automation in an agile world and in an application world becomes important. That's a key thing that HPE is enabling, automation of security through their security products and application space. We bring the services that sit on top of the products.

When I go and talk to my clients about the HPE and Capgemini partnership, I tell them that HPE is bringing a very tasty cake, and we're bringing a beautiful icing on top of the cake. Together, we have something really compelling for the user.
At a high-level, what we're trying to do is expand the application security scope, and that basically includes three big buckets. Those are secure development, security testing, and then continuous monitoring and protection.

Gardner: Let’s go to Mark in describing that cake, I would imagine there are many layers. Maybe you could describe it for some of our listeners and readers who might not be that familiar with what those layers are. What are the major components of the transformation area around security that HPE is focused on?

Painter: At a high-level, what we're trying to do is expand the application security scope, and that basically includes three big buckets. Those are secure development, security testing, and then continuous monitoring and protection.

During the development phase, you need to build security in while the developers are coding, and for that specifically, we use a tool called DevInspect. It will actually show secure coding to a developer as he is typing his own code. That gets you much, much farther ahead of the game.

As far as security testing, there are two main forms. There is static, which is code analysis, not only for your own code, but open-source components and other things. In this day and age, you really are taking security into your own hands if you trust open-source components without testing them thoroughly. So, static gives you one perspective on application security.

Then there is also dynamic scanning, where you don’t have access to the code, and you actually attack the application just as the hacker would, so you get those dynamic results.

We have a platform that combines and correlates those results. So, you get to reduce false positives and you can trust the accuracy of your results to a much greater detail.

Sustained frequency

We also provide services, but the whole thing is that you have to do this with sustained frequency. Maybe 10 years ago, there was a stage-gate approach, in which you tested at the end of the development cycle and released it. Well, that’s simply not good enough; you have to do this on a repeatable basis.

Some people would probably consider that the developmental lifecycle ends once the product is out there in the wild, but if anything, my experience in the security industry has taught me that software plus time equals vulnerability. You can’t stop your security efforts just because something has been released. You need that continuous monitoring and protection.

This is a new thing in application security, at least if you call something that’s almost a few years old "new." With something called App Defender, you can actually put an agent on the application server and it will block attacks in real time, which is a really good thing, because it’s not always convenient to patch your software.

At HPE, we offer a combination of products that you can use yourself and we also offer hybrid solutions, because there's no such thing as one-size-fits-all in any environment.
Read the Latest Insights
On How to Protect
Your Enterprise Applications
We also offer expertise. Gopal was talking earlier about the lack of qualified candidates, and Forbes has predicted that, by 2019, a full quarter of cyber security jobs are going to be unfilled. Organizations need to be able to rely on technology, but they also need to be able to find experts and expertise when they need it. We do a lot at HPE; I will leave it at that.

Gardner: Gopal, how do these products, these layers in the cake, help with the shifting-left concept, where we move more concern about vulnerability and security deeper into the design, earlier into the coding and development process? Where do the products help with shifting left?

Padinjaruveetil: That’s a great question if you decompose or if you analyze application security as a cake. Security vulnerabilities in applications come from three specific areas. One is what I call design flaws, where the application itself is designed in a flawed manner that opens up vulnerabilities. So a bad design, in itself, causes security vulnerabilities.

The second thing is the coding flaws. Take an Apple iPhone or something like that. If you look at the design of an iPhone, the actual end product, there will be a very close match. A lot of problems we have in software industry are because there is a high level of mismatch between the design and the actual product itself as coded.

Software is coded by the developers, and if the developers aren't adding good code, there's a high possibility that that vulnerability is introduced because of poor coding.

Configuration parameters

The third thing is that the application isn't running in a vacuum. It's running on app servers and database servers and it’s going through multiple layers. There are a lot of configuration parameters, and if these configuration parameters are not set, then it leads to open vulnerability.

From a product perspective, HPE has great products that detect coding flaws. Mark talked about DevInspect. It's a great tool from a dynamics perspective, or hacking. There are great tools to look at all these three layers from a design flaw, from a configuration flaw, and a coding flaw.

As a security expert, I see that there is a great scope for tooling in the design flaw, because right now, we're talking about threat modeling and risk determination. To detect a design flaw requires a high level of human intelligence. I'm sure that in the future, there will be products that can detect design flaws, but when it comes to coding flaws, these tools can detect a coding flaw at 99 percent accuracy. So, we've seen a very good maturity in the application security areas with these products, with the different products that Mark mentioned.

Gardner: Another part of the process for development isn’t just coding, but pulling together components that have already been coded: services, SDKs, APIs, vast libraries, often in an open-source environment. Is there a way for the alliance between Capgemini and HPE to give some assurance as to what libraries or code have already been vetted, that may have already been put through the proper paces? How does the open-source environment provide a challenge, or maybe even a benefit, when done properly, to allow a reuse of code and this idea of componentized nature of development?
Another part of the process for development isn’t just coding, but pulling together components that have already been coded.

Padinjaruveetil: That’s a great point, because most of the modern applications are not valid applications. They talk with other applications. They get data from other applications, data through Web service interface, a REST API, and open source.

For example, if you want to do login, there are open-source login frameworks available. If there are things that are available, we'd like to use them, but just like custom code, open source is also vulnerable. There are vulnerabilities in open source.

Vulnerability can come from multiple things in an application. It can be caused by an API. It can be caused by an integration point, like a Web service or any other integration point. It can be caused by the device itself, when you're talking about mobile and all those things. Understanding that is a very critical aspect when we're talking about application security.

Gardner: Mark, anything to offer on this topic of open source and/or vetting code that’s available for developers to then use in their applications?

Painter: Well, it’s not an application, but it’s a good example. The Shellshock vulnerability was due to something wrong with the code of an open-source component, and that’s still impacting servers around the world. You can’t trust anybody else’s code.

There are so many different flavors of open-source components. Red Hat obviously is going to be a little better than your mom-and-pop development team, but it has to be an integrated part of your process for certain.

Cyber risk report

There is something Gopal was saying. We do a cyber risk report every year at HPE, and one of the things we do is test thousands and thousands of applications. In last year’s results, the biggest application flaw we found were basically configuration flaws. You could get to different directories than you should be able to.

Application security is not easy. If application security were easy, then we still wouldn’t be having cross-site scripting vulnerabilities that have been around almost as long as the web itself. There are a lot of different components in place. It’s a complex problem.

Gardner: So it’s important to go to partners and tried and true processes to make sure you don’t fall down into some of these holes. Let’s move on to another area, which is also quite important and difficult and challenging. That is the cultural shift, behavioral changes that are forced when a shift left happens, when you're asking people in a traditional design environment to think about security, operations, configuration management, and business-service management.

Gopal, what are some of the challenges to promulgating cultural and behavioral changes that are needed in order to make a continuous application security culture possible?

Padinjaruveetil: That’s a key aspect, because most of the application development is happening in a distributed team, and things are being assembled. So there are different teams building different things, and you're putting together the final application product and deploying it.
There are very good industry standards coming out, but the challenge is that having a policy or standard alone is not sufficient.

Many companies have now started talking about security policies and security standards, whether it’s Java development standards or .NET development. So, there are very good industry standards coming out, but the challenge is that having a policy or standard alone is not sufficient.

What I tell my clients is that any compliance without enforcement is ineffective. The example that I give is that we have traffic laws in India. If you've been to India and you look at the traffic situation there, it’s chaotic. Here, you see radar detection and automated detection of speed and things like that. So enforcement is a key area even in software development. It’s not enough to just have standards; you need to have enforcement.

The second thing I talk about is that compliance without consequence will not bring the right behavior. For example, if you get caught by a cop and he says, "Don’t do this again; I'll let you go," you're not going to change your behavior. If there's a consequence, many times that makes people change behaviors.

We need to have some kind of a discipline and compliance brought into the application development space. One of the things that I did for a major client was what I call zero tolerance. If you develop an application and if we did find a vulnerability in the application, we won't allow you to deploy it. We have zero tolerance on putting up unsecured code when we use one of these great products that HPE has.

Once we find an issue with a critical or a high issue that’s been reported, we won't let you deploy. Over a period of time, this caused a real behavioral change, because when you stop production, it has impact. It gets noticed at a very higher level. People start questioning why this deployment didn't go.

Huge change

Slowly, over a period of time, because of this compliance and because of the enforcement with consequences, we saw a huge change in behavior in the entire team, right from project managers to business analysts making sure that they are getting the security non-functional requirement correct, by the project managers making sure that the project teams are addressing it, the architect making sure the applications are designed correctly, and the testers making sure that the testing is correct. When it goes into an independent audit or something like that, the application comes out clean.

It’s not enough if you just have standards; you need to have some kind of enforcement with that.

Gardner: Mark, in order to have that sort of enforcement you need to have visibility and measurement. It seems to me that there's a lot more data gathering going on across this entire application lifecycle. And big data or analytics that we have in other areas are being brought into this fold.

Is there something about automation, orchestration, and data analytics that are part and parcel of the HPE products that could help on this behavioral shift by measuring, verifying, and then demonstrating where things are good or not so good?
Over the past 10 years in the security industry, we've changed from the idea of we're going to block every attack, to one that says the attackers are already inside your network.

Painter: One thing that HPE uses to build it in is secure coding, but also we talk about detect and response. We have an application product that integrates with our security and monitoring tool from ArcSight.

So you can actually get application information. Applications have been a typical blind spot for Security Information and Event Management (SIEM) tools, and you can actually get some of those results you are talking about from our SIEM technology, which is really cool.

Over the past 10 years in the security industry, we've changed from the idea of we're going to block every attack, to one that says the attackers are already inside your network. This is part of that detection. Maybe you didn’t find these. You can see active exploitation in other words, and then you can track it down and stop it that way.

Fifteen years ago, you had to convince people that they needed application security. You don’t have to do that know. They know they need it, but they just might not exactly know what they need to do.

It’s all about making this an opportunity for them to get security right, instead of viewing it as some sort of conflict between the need for speed and agile development and the need to release balanced against the needs of the enterprise to actually be secure and protect themselves from potential data breaches and potential data loss and all the compliance issues and now legal challenges from individual actors and all the way down the line.

Gardner: Gopal, before we close out, let’s look to the future a little bit. What comes next? Do you expect to see more use of data, measurement, and analytics, a science of development, if you will, to help with security issues, perhaps feedback loops that extend from development into production and back? How important do you think this use of more data and analytics will be to the improved automation and overall security posture of these applications?

Continuous improvement

Padinjaruveetil: You need to have data and you need to have measurements to make improvements. We want continuous improvement, but you can’t manage unless you measure. So we need to determine what are the systemic issues in application development, what are the systemic issues that we see constantly coming?

For example, if you're seeing cross-site scripting as a consistent vulnerability that’s coming across the multiple development team, we need to have some way to make sure that we're seeing patterns with the data and looking at how to reduce these major systemic errors or vulnerabilities in systems?

You will see more-and-more data collections, data measurements, and applying advanced methods to look at not just the vulnerability aspect of it, but also the behavioral aspect. That’s something that we're not doing, but I see a huge change coming where we're actually going to see the behavioral aspects being tracked with data in the application lifecycle model.
You need to have data and you need to have measurements to make improvements. We want continuous improvement, but you can’t manage unless you measure.

Gardner: Another thing to be mindful of is getting ready for IoT with many more devices, endpoints, sensors, biological sensors. All of this is going to be something coming in the next few years.

How about revisiting the skills issue before we sign off? What can organizations do about  maintaining the right skill sets, attracting the right workers and professionals, but also looking for all the options within an ecosystem, like the alliance between HPE and Capgemini. How do you see the skills problem shaking out over the next several years, Gopal?

Padinjaruveetil: If you look at many of the compliance frameworks, like NIST or ISO 27001, there's a big emphasis on control being put in place for security awareness and education. We're seeing a big drive for security education within the whole organization.

Then, we're seeing tools like DevInspect. When a developer writes bad code, if you give the feedback instantly that right now you have written a code that is bad, instead of waiting for three months or four months and doing a test, we're seeing how these tools are making changes.

So, we're seeing tools like DevInspect and helping developers to actually make themselves better code writers.

Painter: Developers are not natural security experts. They need help.

Padinjaruveetil: Yeah, absolutely.

Additional resources

Gardner: That was my last question to you, Mark. Can you suggest places that people can go for resources or how can they start to prepare themselves better for a number of the issues that we have discussed today?

Painter: It’s almost on an individual basis. There are plenty of resources on the Internet. We provide training as well. Web application security is actually one of the best places for organizations to leverage Capgemini to do their web application security testing.

The job crunch is the number one concern that enterprises have right now as part of security in the enterprise. There's a lack of qualified applicants, which says a lot when that’s a bigger concern than a data breach. We do a State of the SOC survey every year, and that was the result from the last one, which was a little surprising.

But apart from outsourcing, you need to find those developers who have an interest in security in your organization, and you need to enable them to learn that and get better, because that’s who is going to be your security person in the future, and that’s a lot cheaper and a lot more cost-effective than going out and hiring an expert.

I know one thing, and it’s a good thing. I tell my boss repeatedly that if you have good security people, you're going to have to pay them to keep them. That’s just the state of the market as it is now. So you have to leverage that and you have to rely on automation, but  even with automation, you're still going to need that expert.

We are not yet at the point where you can just click a button and get a report. You still need somebody to look at it, and if you have interesting results, then you need that person who can go and examine those. It’s the 80/20 rule. You need that person who can go to the last 20 percent. You're going to have automation, tools, and what have you to get to that first 80 percent, but you still need that 20 percent at the end.
Read the Latest Insights
On How to Protect
Your Enterprise Applications
Gardner: I'm afraid we'll have to leave it there. We've been discussing improving cyber security and applications across their entire lifecycles. We’ve learned how improving both development speed and security comes with new levels of collaboration and communication across disparate teams.

So please join me in thanking our guests, Gopal Padinjaruveetil, the Global Cyber Security Strategist for Capgemini, Mark Painter, Security Evangelist at Hewlett Packard Enterprise.

And a big thank you as well to our audience for joining us for this Hewlett Packard Enterprise-sponsored application security transformation discussion.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of business transformation discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on how new levels of collaboration and communication across disparate teams is needed to improve applications development speed and security. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.

You may also be interested in:

Wednesday, April 27, 2016

Business in the Cloud: How Efficient Networks Help the Smallest Companies Do Brisk Business with the Largest

Transcript of a discussion on making and managing the business connections that matter most with SAP Ariba Spot Buy.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: SAP Ariba.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Our next technology innovation thought leadership discussion examines new ways for small businesses to make and manage the connections that matter to them most using cloud-based networks to bring intelligent buying and digital business benefits to any type of company.

To learn more about the business of doing more commerce in the digital economy using cloud-based networks, please join me in welcoming our guests, Bob Rosenthal, Chairman and CEO of JP Promotional Products, Inc. in Ossining, New York. Welcome to BriefingsDirect, Bob.

Bob Rosenthal: Hi, Dana. Thank you.

Gardner: We’re also here with Anne Kramer, CEO at Ergo Works, Inc. in Palo Alto, California. Welcome, Anne.

Anne Kramer: Thank you very much.

Gardner: First let’s hear a little bit about your companies. Bob, what is JP Promotional Products? What do you do?

Rosenthal: JP Promotional Products is a distributor of imprinted promotional products. Anything you can put an imprint or logo on. We've had this company with my daughter for about 12 years now and we sell to small companies, large companies, anyone who buys promotional products from us.

Gardner: Why is being digital, being on business networks, an important part of the way you find new clients?

Rosenthal: What this has given us is the ability to find the size of client that we could not ordinarily find. We're getting into large corporations, and it is very difficult for a small company to get access to a large entity. Being on a network like SAP Ariba and leveraging services like Ariba Discovery has gotten us into some of these very large corporations.

Gardner: Anne, tell us about Egro Works.

Kramer: Ergo Works is a small, woman-owned company based in Palo Alto, California. We're a full-service ergonomics company. We offer workstation evaluations and consulting, a complete line of ergonomic furniture, accessories and computer peripherals, as well as installation services. So, I would call it solution selling.

Gardner: And do you also share Bob’s challenge of trying to be seen and heard in a busy world, by big companies that perhaps don’t know about small vendors?

Kramer: Absolutely. It’s a challenge to get an audience with this group. They generally have established vendors, and trying to knock down those doors is challenging at best.

Gardner: We know that many of the buyers of goods are looking for increased automation. They're looking for intelligence in that network and the partnerships and ecosystem that they play in. So they want to find people like you that have goods and services for them. What was it that you had to do in order to then be seen and heard, be and recognized among them?

Rosenthal: We joined Ariba Discovery, and that gave us the ability to search for leads as well as respond to matched leads. As a matter of fact, one of the first ones I got was about a half an hour after I paid for Ariba Discovery. It was a Fortune 100 Company. They were looking for a thousand pair of imprinted socks, something I knew we could do. It was a no-brainer. We established our relationship with the procurement manager. They never bought the socks, but we have a relationship now, and without Ariba Discovery, there was no way we could have done that.

Gardner: And is geography a barrier for you or you can do business with anyone, anywhere?

Rosenthal: We can do business with anyone, anywhere. The bulk of it is in the Continental US. We can ship to England or Canada and we do bring some product in from China as well.

Gardner: And for you, Anne, tell us about what you needed to in order to find clients.

Challenge of growing

Kramer: We're located in Palo Alto, which is ground zero in Silicon Valley for ergonomics. So, we are well poised in that regard. Nonetheless, the challenge of growing a small business is ever present.

One way that we've overcome that is to participate in online marketplaces. Specifically, what we're excited about now, and why I'm here today, is the Ariba Spot Buy Program. This is going to give us a direct access to large companies that have been challenging for us to get into. It’s an exciting opportunity. Unlike other marketplaces that are geared to one-off end users, Ariba is geared toward large corporations; so we're very excited.

Gardner: Can you give us a bit more about background and understanding of Ariba Spot Buy? These are not the usual contracts that are ongoing and repeatable, but are instances where there is a need, an ad-hoc need perhaps, in a large organization. A purchasing department has been tasked with doing this or maybe people directly in the company have got the authority to find and buy things on their own.

Kramer: That’s very well put. For example, we are currently an Ariba supplier with  several clients and we offer a static catalog. We often provide or make recommendations for products that are off catalog, and Ariba Spot Buy allows companies to buy products from vendors that they don’t currently have a contractual relationship with.

The niche that we're in is a relatively small niche. So it may not warrant a company wanting to put together a catalog. This is an opportunity for them to buy these products, yet stay compliant within the Ariba ecosystem.
So that’s what Ariba Spot Buy does. It allows companies to buy products that they don’t currently have a contractual relationship with.

Gardner: Now, of course, a big approach to finding things nowadays is through search on the web and having a good website, and getting good rankings on the search engines is a big part of that. But it strikes me that you're small, you're not going to get the kind of traffic on your website that might elevate you in those search results, and you are also highly customizable. So you're not just putting a big billboard up on the Internet, so to speak, and say, here we are.

You're offering custom types of things, with promotional products in your case, Bob, and you probably want to hear a lot about each customer and tailor your services to them. How do you overcome the challenge of not being able to put a billboard up on the Internet, but also maintain the advantage of having highly customized products, Bob?

Rosenthal: Our own website has hundreds of thousands of items on it. It’s an industry-based website. If you're searching for almost any product, you'll find it on our site.

In terms of how we got people to our site, we did invest some money a few years ago. We decided to go with what’s called Local Search. We put money into being on the first page in New York State, the Tri-State area, and that’s gotten us a few large accounts.

What we're looking for in Ariba Spot Buy is to bring in more business because a lot of our products are last minute. Someone will remember at the last minute, "Oh, I'm doing a trade show next week; I need a thousand widgets to give away. I forgot to buy them. I don't want to go through a contract." That's where I think Ariba Spot Buy will help us because we can deliver products in 24 hours if we have to.

Network advantage

Gardner: So there is an advantage to being in a business network versus just the worldwide wild web?

Rosenthal: Right. What that gets us is more targeted corporations, hopefully larger entities. Where a small corporation might buy 100 pieces, the big corporation is going to buy thousands of pieces. That’s why we've joined Ariba Discovery and are looking at Ariba Spot Buy.

Gardner: And I suppose, as someone in a selling position, you're also getting a lot more information about who you're selling to, given that they're in the network and you can see and access more about what they're looking for?

Rosenthal: That’s true, and where that helps is that we tend to add a lot of creativity to it. If we know who you are and what you do, we can make recommendations for certain kind of products. If you're a tractor company exhibiting at a show, maybe we'll suggest a squeeze toy in the shape of a tractor. Knowing who you are and where you are helps us with our creativity in suggesting products.
The ability to be on Ariba Spot Buy will give us the ability to interact with our customer to then have the opportunity to sell these more custom products and get into project-based opportunities.

Gardner: And for you, Anne, in the same vein, trying to be seen, heard, and understood in the Worldwide Web is perhaps a bit more daunting than on a business network. How do you overcome that need to customize and tailor your goods and services?

Kramer: Certain products lend themselves more to selling on the web than others, and same with online marketplaces. The visibility with  Ariba Spot Buy will give us the opportunity to interact with our customers to offer them custom products and get into project-based opportunities.

Gardner: We're also seeing from SAP Ariba the desire to bring more collaboration embedded and automated into these applications and services. Also, with Guided Buying, they're allowing the sellers to be part of an intelligence network, so that buyers can be led through the process and automation can be brought to bear. How do these new technological advantages affect you as a small businesses particularly, Anne?

Kramer: Technology helps us with new ways to bring our products to market and expose our offerings to a larger audience. That’s really the biggest benefit. 

In addition, it helps us to expand our current relationships with our Ariba buyers. They can now buy off-catalog, which is a win-win. Technology also impacts the products that we sell. As technology changes, the products change in response to the latest mouse design or the material that a wrist rest is covered in, maybe it's anti-microbial for instance. So technology has a huge impact on direct and indirect part of our business. 

Running the business

Gardner: Of course, it's important for small businesses to have visibility into cash flow, when to expect payments, and how to bill accurately and appropriately. Any thoughts, Bob, on how this business network for you also adds to your own ability to run your business properly?

Rosenthal: In terms of technology, the biggest issue with us is the logo. Anyone can say they want a Bic pen. Where the technology should help us is in getting the art files from one point to the other and knowing, as far as things like cash flow, who we're dealing with, that it's a large corporation. Some use POs, some don't, for these type of buys. It gives me more comfort that we are going to get paid.

It's difficult to ask General Motors for a deposit for a $1,000 order, but we might ask the insurance broker down the street for that. So that comfort level of knowing we should be paid on a certain date is a big advantage.

Gardner: Anne, the same thing. Business visibility is important. Is there something about a business-network approach that's beneficial to you in being able to run your business well?

Kramer: Well, specifically what I am excited about with Ariba Spot Buy is that all the purchases are made using a credit card, which we love because it helps us control our cash flow. We don't have to go chasing after past-due invoices, and that time can be better spent selling more products. We love the fact that it's all credit-card based.
What I am excited about with Ariba Spot Buy is that all the purchases are made using a credit card, which we love because it helps us control our cash flow.

Gardner: Are there any specific examples of actual customers that you found through the Ariba Discovery process in this online marketplace that would illustrate some of these points? You don't have to name them necessarily, but maybe walk us through how it's worked and how that's different from the other approaches that you've had to find in customers, Bob?

Rosenthal: Well, the big account that we got, which I can't name, has turned into a huge account for us. We've established a relationship with the procurement people, and I think that relationship has built this business with them over the last 18 months, because they have a confidence level in us, and we are confident in them that, a) we're going to get paid, and paid on time, and b) it's a continuing relationship.

We do a lot of one-offs. We get a hit on our website, I need something tomorrow, can you get it? We never hear from the people again but we get an order, which is great; we do a lot of that. But we also try and establish relationships and that's what we get out of Discovery so far.

Gardner: As a small-business person myself, I know that you don't want to push that rock up the hill every month. You want to have the recurring dependable revenue; it's super important, right?

Kramer: Right. Ariba Spot Buy is an opportunity for ongoing and repeat business from companies participating in this technology.

Gardner: But this allows you to get the best of both worlds, which you can discover and find new interesting clients, but you can also maintain a steady flow from, from your installed base.

Kramer: That's right. This technology offer us an opportunity to engage new corporate customers and get paid quickly with credit card payments.

Gardner: Well, great. I'm afraid we will have to leave it there. You’ve been listening to a BriefingsDirect thought leadership podcast discussion examining new ways for small businesses to better match their services with sellers, particularly a small organization selling to a large organization, and using SAP Ariba business networks to accomplish that.

Please join me in thanking our guests, Bob Rosenthal, Chairman and CEO of JP Promotional Products in Ossining, New York. Thank you, Bob, and if people want to learn more about your organization, how might they do that?

Rosenthal: Our website is or feel free to call us at 1-800-920-3451.

Gardner: We have also been joined by Anne Kramer, CEO at Ergo Works in Palo Alto, California. Thank you, Anne. And how could organizations learn more about your company?

Kramer: They could go to our website at or our toll free number 866-ASK-ERGO.

Gardner: And also a big thank you to our audience for joining us for this SAP Ariba-sponsored business innovation thought leadership discussion.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator. Thanks again for listening, and do come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: SAP Ariba.

Transcript of a discussion on new ways for small businesses to better match their services with sellers using SAP Ariba business networks. Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.

You may also be interested in:

Thursday, April 21, 2016

Intralinks Uses Hybrid Cloud to Blaze a Compliance Trail Across the Regulatory Mine Field of Data Sovereignty

Transcript of a discussion on how data sovereignty regulations force enterprises to consider new approaches to data, intellectual property, and cloud collaboration services.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hello, and welcome to the next edition of the Hewlett Packard Enterprise (HPE) transformation interview series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on IT transformation and innovation -- and how it's making an impact on people's lives.

Our next hybrid computing IT case study discussion explores how regulations around data sovereignty are forcing enterprises to consider new approaches to data, intellectual property, and cloud collaboration services.

As organizations move beyond their on-premises data centers, regulation and data sovereignty issues have become as important as the technical requirements for their infrastructure and applications.

To learn how organizations have been able to get the best of data control and protection -- along with business agility -- from hybrid cloud models, we're joined Richard Anstey, CTO at Intralinks, and he's based in London. Welcome, Richard.
HPE Cloud
HPE Helion
Click Here to Learn More
Anstey: Thank you, Dana. Nice to be here.

Gardner: Tell us about the trends that make data sovereignty so important as a consideration when organizations look at how and where to manage, house, and store their data.

Anstey: This is becoming a much more important topic. It has obviously been in the news very much recently in association with the Safe Harbor regulation having been effectively annulled by the European courts.

This is the regulators catching up with the Internet. The Internet has been somewhat unregulated for a long time, and quite rightly, the national and regional authorities are putting in place the right protections to ensure that citizens’ data are looked after and treated with the respect they deserve.

So it's becoming more important for companies to understand the regulatory environment, even those organizations that did not previously feel that they were subject to such regulation.

Gardner: So the pendulum seems to have swung from the Wild West Internet toward greater security oversight.  Do we expect more laws across more jurisdictions to make placement of data more restricted? Are we seeing this pendulum swing more toward regulation?

Anstey: Yes, it’s certainly swinging that way, and the big one for the European Region of course is the General Data Protection Regulation (GDPR), which is the European Commission initiative to unify the regulations, at least across the European Union. But the pendulum is swinging toward a greater level of regulation.

Gardner: How about in Asia-Pacific (APAC) and North America, what’s happening there?

Global issue

Anstey: Post-Snowden, this has become much more of an issue globally, and certainly across APAC there have been some very specific regulations in place for sometime, Singapore Banking Authority being the famous one, but globally this is becoming much more of an important issue for companies to be aware of.

Gardner: So while the regulatory atmosphere is becoming more important for companies to keep track of, its also more onerous for them as businesses to comply. The Internet is still a very powerful tool and people want to take advantage of cloud models and compliant data lifecycle models. Tell us about Intralinks, and about how organizations can have the best of both protected data and cloud models.

Anstey: Intralinks is in the fortunate position of having been offering cloud services in highly regulated environments for almost 20 years now. Back when we were founded, which by the way was really before most people would do their shopping online, Intralinks was operating things called Virtual Data Rooms to facilitate very high value, market-moving transactions through effectively a cloud service. We didn’t call it cloud at that time; we called it software as a service (SaaS).

But Intralinks has come from this environment. We've always been operating in highly regulated environments, and so we're able to bring that expertise that we have built up over the last 20 years or so to bear on solving this problem for a wider range of organizations as the regulation really steps in to control a greater part of the services delivered over the Internet today.

Gardner: In a nutshell, how is it that you're able to do, in a highly regulated environment, what people think of as putting everything in a cloud?
Physical location may be one thing to think about, but there's another thing called logical location.

Anstey: Well, in a nutshell, it may be tricky, because there's lot to it. There's a lot of technology that goes into this. And there are a lot of dimensions around which you need to consider this problem. It's not just about the physical location of data. Although that may be important, there are other dimensions. Physical location may be one thing to think about, but there's another thing called logical location.

The logical location is defined as the location of the control point of the encryption as opposed to the location of highly encrypted data, which many people would argue is somewhat irrelevant. If it's sufficiently encrypted, it doesn't matter where it is. The location of the key is actually more important than who controls that key, and more important than where your encrypted data lives.

In fact, we all implicitly accept that principle. When you use your online bank, you don't know the route that that information takes between your home computer and the bank. It may well be routed across the Atlantic, based on conditions of the Internet. You just don't know, and yet we implicitly accept that because it's encrypted in transit, it doesn't really matter what route it takes.

So there is the physical location and the logical location, but there is still also the legal location, which might be to what jurisdiction this information pertains. Perhaps it pertains to a citizen of a certain country, and so there is a legal location angle to consider.

And there is also a political location to consider, which may be, for example, the jurisdiction under which the service provider is operating and where the headquarters of that service provider is.

Four dimensions

There are four dimensions already, but there is another one as well, which is the time dimension. While it may be suitable for you to share information with a third party in perhaps a different jurisdiction for a period of time, the moment that business agreement comes to an end, or perhaps the purpose or the project for which that information was being used has come to an end, you also need to be able to clear it up.

You need to tidy up and remove those things over time and make sure that just because that particular information-sharing activity was valid at one point, it doesn't mean that that’s true forever, and so you need to take the responsibility to clear it up. So there are technologies that you can bring to bear to make that happen as well.

Gardner: It sounds as if there is a full spectrum, a marketplace, of different solutions and approaches to suit whatever particular issues an organization needs in order to satisfy the regulatory, audit, and other security requirements.

Tell us about how you have been working with HPE to increase this marketplace and solve data sovereignty issues as they become more prominent in more places.

Anstey: The thing that HPE really helps us with is the fact that while we've been able for quite a long time to have data centers in multiple regions -- as the regulation and the requirements of our customers grow -- we need to be even more agile with bringing new workloads up and running in different locations.

With HPE Helion OpenStack we're able to spin up a new environment -- a new data center perhaps, or a new service -- to run in a new location far more quickly and more cost effectively than we would otherwise be able to if we were starting from the ground-up.
HPE Cloud
HPE Helion
Click Here to Learn More
Gardner: So it's important to not just be able to take advantage of cloud conceptually, but to be able to move those cloud data centers, have the fungibility, if you will, of a cloud infrastructure, a standardized approach that can be accepted in many different data-center locations, many different jurisdictions.

Is that the case, and what can we expect for the depth and reach of your services? Are you truly global?

Anstey: We are certainly truly global. We've been operating right across the world for a number of years now. The key elements that we require from this infrastructure are things like workload portability and the ability to plug into additional service providers at any time we need to be able to create a truly distributed platform.

In order to do that, you need some kind of cloud operating system, and that's what we feel we get from the HPE Helion OpenStack technology. It means that we have become much more portable to move our services around whenever we need to.

Gardner: When you're an organization and you know that there's that data portability, that there's a true global footprint for your data that you can comply with the regulations, what does that do for you as a business?

How does this, from a business perspective, benefit your bottom line? How does it translate into business terms?

Enormous uncertainty

Anstey: The key thing to realize is that there has been an enormous amount of uncertainty, and in a way, the closure of the Safe Harbor agreement has been a good thing in that there was always some doubt over its applicability and its suitability. If you'll forgive the pun, there was a cloud hanging over it. When you remove that, you still have to get a little bit more certainty, of ... "Well, that thing definitely doesn't work and so we need to have a different structure."

Nevertheless, what happens in that environment of uncertainty is that people start to play it safe and they start to think, "This cloud thing is a bit scary. Maybe we should just do it all ourselves, or maybe we should only consider private cloud deployments." When you do that, you cut off the huge options and agility that's available from using the cloud to its full extent.

What would be a bad thing is if, as the pendulum swings, as you described, toward regulation, people retreat and give up and say, "This Internet thing, we don’t want to do that. We're going to reverse the trends and the huge technological advances that we've been able to leverage over the last 10 years of growth of cloud."

We believe that by building technology in the way that we are able to construct it, with all of those options associated with ways in which you can demonstrably prove that you are responsibly looking after data over time, you don't have to sacrifice the agility of the cloud in order to adhere to the regulations as they come in.
The net is cast wider and wider for the regulation, to the point where any company that deals with personal data and needs to use that data for legitimate business purposes will now be covered by regulation.

Gardner: We've talked about data sovereignty from a geographic perspective, but how about vertical industries? Are there certain industries that require that global reach, but also need to be highly regulated?

Anstey: The vast majority of the global banks are our customers already. We also have a very large footprint in the life sciences, which often has a similar nature in terms of the level of regulation, especially if you're dealing with patient data in the field of clinical trials, for example.

But the reality is that, as this pendulum swings, the net is cast wider and wider for the regulation, to the point where any company that deals with personal data and needs to use that data for legitimate business purposes will now be covered by regulation. This isn't just guidance now.

When we get through to the next level of EU regulation, there are some serious fines, including criminal penalties for executives and fines of up to two percent of global revenue, which really makes people wake up. It will make a far wider group of companies wake up than the previous ones who knew that they were operating in a strict regulatory framework.

Gardner: So in other words, this probably is going to pertain to many more industries than they may have thought. This is really something that’s going to hit home for just about everybody.

Anstey: Absolutely. Every industry becomes a regulated industry at that point, when to do business you need to handle the type of data that gets covered by the regulation, especially if you are operating in the EU, but as we described, with more to follow.

Gardner: I'm afraid we will have to leave it there. We've been exploring issues around data sovereignty and how it's forcing enterprises to consider new approaches to data, intellectual property and cloud collaboration.
HPE Cloud
HPE Helion
Click Here to Learn More
We have heard from Intralinks, based in New York, about how they have developed Virtual Data Rooms and are working with HPE to extend their services to virtually any market around the world.

So a big thank you to our guest, Richard Anstey, CTO at Intralinks. Thank you, Richard.

Anstey: Thank you very much.

Gardner: And a big thank you as well to our audience for joining us for this Hewlett Packard Enterprise transformation and innovation interview. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE-sponsored discussions. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Get the mobile app. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Transcript of a discussion on how data sovereignty regulations force enterprises to consider new approaches to data, intellectual property, and cloud collaboration services.
Copyright Interarbor Solutions, LLC, 2005-2016. All rights reserved.

You may also be interested in: