Thursday, September 12, 2013

Thought Leader Interview: HP's Global CISO Brett Wahlin on the Future of Security and Risk

Transcript of a BriefingsDirect podcast on how increased and more sophisticated attacks are forcing enterprises to innovate and expand security practices to not only detect, but predict system intrusions.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.
Follow the HP Protect 2013 activities next week, Sept. 16-19.


Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving security and reducing risk as they adapt to the new harsh realities of doing business online.

I'm now joined by our co-host for this sponsored podcast series, Paul Muller, Chief Software Evangelist at HP Software. Welcome back, Paul. How are you today?

Paul Muller: Dana, very well. It's great to be back, and I'm looking forward to today’s conversation.

Gardner: Yes, we have a big discussion today. We're joined by HP’s Global Chief Information Security Officer (CISO) to learn about how some of the very largest global enterprises like HP are exploring all of their options for doing business safely and continuously. So with that, let's welcome our guest, Brett Wahlin, Vice President and Global CISO at HP. Welcome, Brett. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Brett Wahlin: Thank you, Dana.

Gardner: Brett, there's been a lot of discussion, of course, about security and a lot of discussion about big data. I'm very curious as to how these are related.

It seems to me that I've read and heard quite a bit about how big data can be used to improve security and provide insights into what's going on within systems and even some greater analysis capabilities. Is that what you're finding and hearing from other CISOs -- that there is a great tool in big data that’s related to security?

Wahlin: Yes, big data is quite an interesting development for us in the field of security. If we look back on how we used to do security, trying to determine where our enemies were coming from, what their capacities were, what their targets were, and how we're gathering intelligence to be able to determine how best to protect the company, our resources were quite limited.

We've found that through the use of big data, we're now able to start gathering reams of information that were never available to us in the past. We tend to look at this almost in a modern-warfare type of perspective.

If you're a battlefield commander, and you're looking at how to deploy defenses, how would you deploy those offenses, and what would be the targets that your enemies are looking for? You typically then look at gathering intelligence. This intelligence comes through multiple sources, whether it's electronic or human signals, and you begin to process the intelligence that's gathered, looking for insights into your enemy.

Moving defenses

This could be the enemy’s capabilities, motivation, resourcing, or targets. Then, by that analysis of that intelligence, you can go through a process of moving your defenses, understanding where the targets may be, and adjusting your troops on the ground.

Big data has now given us the ability to collect more intelligence from more sources at a much more rapid pace. As we go through this, we're looking at understanding these types of questions that we would ask as if we were looking at direct adversaries.

We're looking at what these capabilities are, where people are attacking from, why they're attacking us, and what targets they're looking for within our company. We can gather that data much more rapidly through the use of big data and apply these types of analytics.

We begin to ask different questions of the data and, based on the type of questions we're asking, we can come up with some rather interesting information that we never could get in the past. This then takes us to a position where that advanced analytics allows us to almost predict where an enemy might hit.

That’s in the future, I believe. Security is going from the use of prevention, where I'm tackling a known bad thing, to the point where I can use big data to analyze what's happening in real time and then predict where I may be attacked, by whom, and at what targets. That gives me the ability to move the defenses around in such a way that I can protect the high-value items, based on the intelligence that I see coming in through the analytics that we get out of big data.

Muller: Brett, you talk a lot about the idea of getting in front of the problem. Can you talk a little bit about your point of view on how security, from your perspective as a practitioner, has evolved over the last 10-15 years?

Wahlin: Certainly. That’s a great question. Years ago, we used to be about trying to prevent the known bad from happening. The questions we would ask would always be around, can it happen to us, and if it does, can we respond to it? What we have to look at now is the fact that the question should change. It should be not, "Can it happen to us," but "When is it going to happen to us?" And not, "Can we respond to it," but "How can we survive it?"

If we look at that type of a mind-shift change, that takes us back to the old ways of doing security, where you try to prevent, detect, and respond. Basically, you prevented the known bad things from happening.

This went back to the days of -- pick your favorite attack from years ago. One that I remember is very telling. It was Code Red, and we weren’t prepared for it. It hit us. We knew what the signature looked like and we were able to stop it, once we identified what it was. That whole preventive mechanism, back in the day, was pretty much what people did for security.

Fast forward several years, and you get into that new era of security threats highlighted by attacks like Aurora, when it came out. Suddenly, we had the acronyms that flew all over, such as APT -- advanced persistent threats -- and advanced malware. Now, we have attacks that you can't prevent, because you don’t know them. You can't see them. They're zero-days. They're undiscovered malware that’s in your system already.

Detect and respond

That changed the way we moved our security. We went from prevent to a big focus on not just preventing, because that becomes a hygiene function. Now, we move into a detect-and-respond view, where we're looking for anomalies. We're looking for the unknown. We're beefing up the ability to quickly respond to those when we find them.

The evolution, as we move forward, is to add a fourth dimension to this. We prevent, detect, respond, and predict. We use elements like big data to understand not only how to get situational awareness, where we connect the dots within our environment, but taking it one step further and being able to predict where that next stop might land. As we evolve in this particular area, getting to that point where we can understand and predict will become a key capability that security departments must have in the future.

Gardner: A reminder to our audience, follow the HP Protect 2013 activities next week, Sept. 16-19. Now, Brett, how long have you been at HP and where had you been before that?

Wahlin: I've been at HP for approximately eight months. Prior to joining HP, I was the CSO at Sony Network Entertainment. My role there was to put the security in place after the infamous PlayStation breach. Prior to that, I was also the CSO at McAfee. I did a stint as CSO at Los Alamos Laboratory.

Years ago, I got my start doing counterintelligence for the US Army during the Cold War. So we had a lot of opportunity to drive and practice the intelligence gathering and analytics components to which I'm referring around the big-data conversation.

Gardner: I hear you talking about getting more data, being proactive, and knowing yourself, as an organization, in order to be better prepared for attacks. It sounds quite similar to what we have been hearing for many years from the management side of things, the operations side, to know yourself to be able to better maintain performance standards and therefore be able to quickly remediate when something went wrong.

Are we seeing a confluence between good IT management practices and good security practices, and should we still differentiate between the two?

Wahlin: As we move into the good management of IT, the good management of knowing yourself, there's a hygiene element that appears within the correlation end of the security industry. One of the elements that we look at, of course, is how to add all this additional complexity and additional capability into security and yet still continue to drive value to the business and drive costs out. So we look for areas of efficiencies and again we will draw many similarities.

As you understand the managing of your environments and knowing yourself, we'll begin to apply known standards that we'll really use in the governance perspective. This is where you will take your hygiene, instead of looking at very elaborate risk equations. You'll have your typical "risk equals threat times vulnerability times impact," and what are my probabilities.

Known standards

It gets very confusing. So we're trying to cut cost out of those, saying that there are known standards out there. Let's just use them. You can use the ISO 27001, NIST 800-53, or even something like a PCI DSS. Pick your standard, and that then becomes the baseline of control that you want to do. This is knowing yourself.

With these controls, you apply them based on risk to the company. Not all controls are applied equally, nor should they be. As you apply the control based on risk, there is evaluation assessment. Now, I have a known baseline that I can measure myself against.

As you begin to build that known baseline, do you understand how well you're doing from a hygiene perspective? These are all the things that you should be doing that give you a chance to understand what your problem areas are.

As you begin to understand those metrics, you can understand where you might have early-warning indicators that would tell you that you might need to pay attention to certain types of threats, risks, or areas within the company.

There are a lot of similarities as you would look at the IT infrastructures, server maintenance, and understanding of those metrics for early warnings or early indicators of problems. We're trying to do the same security, where we make it very repeatable. We can make it standards-based and we can then extend that across the company, of course always being based on risk.

Muller: There is one more element to that, Dana, such as the evolution of IT management through, say, a framework like ITIL, where you very deliberately break down the barriers between silos across IT.

Similarly, I increasingly find with security that collaboration across organizations -- the whole notion of general threat intelligence – forms one of the greatest sources of potential intelligence about an imminent threat. That can come from the operational data, or a lot of operational logs, and then sharing that situational awareness between the operations team is powerful.

At least this works in the experience that I have seen with many of our clients as they improve security outcomes through a heightened sense of what's actually going on, across the infrastructure with customers or users.

Gardner: Paul, as you’re traveling around and talking with a lot of organizations, do you sense that they're sharing Brett’s perception that risk is sort of the über concept, and that security and performance management fall under that? Or are they still sort of catching up to that concept, or even resisting it?

Muller: There's sort of a veiled security joke. There are two types of organizations -- those that have been hacked and those that know they're being hacked.

One of the greatest challenges we have in moving through Brett’s evolution that he described is that many executives still have the point of view that I have a little green light on my desktop, and that tells me I don’t have any viruses today. I can assume that my organization is safe. That is about as sophisticated a view of security as some executives have.

Increased awareness

Then, of course, you have an increasing level of awareness that that is a false sense of security, particularly in the financial services industry, and increasingly in many governments, certainly national government. Just because you haven't heard about a breach today, that doesn’t mean that one isn't actually either being attempted or is, in fact, being successful.

One of the great challenges we have is just raising that executive awareness that a constant level of vigilance is critical. The other place where we're slowly making progress is that it's not necessarily a bad thing to share negative experiences.

The culture 10 or 15 years ago was that you don’t talk about a breach; you bury it. Increasingly, we see companies like Heartland Payment Systems quite famously getting out there and being a big believer in sharing the patterns of breach that occurred to help others be more aware of how and when these things occur, but also increasingly sharing threat intelligence.

For example, if you're one bank and someone is attempting to break into your systems using a known pattern of attack, it's highly likely they're trying to do it with your peers. Given that your defenses between your peers and yourself might be slightly less than that between you and the outside world, it's a good idea to share that ahead of time. Getting back to Brett’s point, the heightened sense of threat intelligence is going to help you predict and respond more reliably.

Wahlin: Absolutely. We look at the inevitability of the fact that networks are penetrated, and they're penetrated on a daily basis. There's a difference between having unwanted individuals within your network and having the data actually exfiltrated and having a reportable breach.

As we understand what that looks like and how the adversaries are actually getting into our environment, that type of intelligence sharing typically will happen amongst peers. But the need for the ability to actually share and do so without repercussions is an interesting concept. Most companies won't do it, because they still have that preconceived notion that having somebody in your environment is binary -- either my green light is on, and it's not happening, or I've got the red light on, and I've got a problem.

In fact, there are multiple phases of gray that are happening in there, and the ability to share the activities, while they may not be detrimental, are indicators that you have an issue going on and you need to be paying attention to it, which is key when we actually start pointing intelligence.

I've seen these logs. I've seen this type of activity. Is that really an issue I need to pay attention to or is that just an automated probe that’s testing our defenses? If we look at our environment, the size of HP and how many systems we have across the globe, you can imagine that we see that type of activity on a second-by-second basis.

We have to understand which ones of these we need to pay attention to and have the ability to not only correlate amongst ourselves at the company, but correlate across an industry.

HP may be attacked. Other high-tech companies may also be attacked. We'll get supply-chain attacks. We look at various types of politically motivated attacks. Why are they hitting us? So again, it's back to the situational awareness. Knowing the adversary and knowing their motivations, that data can be shared. Right now, it's usually in an ad-hoc way, peer-to-peer, but definitely there's room for some formalized information sharing.

Information sharing

Muller: Especially when you consider the level of information sharing that goes on in the cybercrime world. They run the equivalent of a Facebook almost. There is a huge amount of information sharing that goes on in that community. It's quite well structured. It's quite well organized. It hasn’t necessarily always been that well organized on the defense side of the equation. I think what you're saying is that there's opportunity for improvement.

Wahlin: Yes, and as we look at that opportunity, the counterintelligence person in me always has to stand up and say, "Let's make sure that we're sharing it and we understand our operational security, so that we're sharing that in a way that we're not giving away our secrets to our adversaries." So while there is an opportunity, we also have to be careful with how we share it.

Muller: You, of course, wind up in the situation where you could be amplifying bad information as well. If you were paranoid enough, you could assume that the adversary is actually deliberately planting some sort of distraction at one corner of the organization in order to get to everybody focused on that, while they quietly sneak in through the backdoor.

Wahlin: Correct.

Gardner: Brett, returning to this notion of actionable intelligence and the role of big data as an important tool, where do you go for the data? Is it strictly the systems, the systems log information? Is there an operational side to that that you tap more than the equipment, more than the behaviors? What are the sources of data that you want to analyze in order to be better at security?

Wahlin: The sources that we use are evolving. We have our traditional sources, and within HP, there is an internal project that is now going into alpha. It's called Project HAVEn and that’s really a combination of ArcSight, Vertica, and Autonomy, integrating with Hadoop. As we build that out and figure out what our capabilities are to put all this data into a large collection and being able to ask the questions and get actionable results out of this, we begin to then analyze our sources.

Sources are obvious as we look at it from a historical operations and security perspective. We have all the log files that are in the perimeter. We have application logs, network infrastructure logs, such as DNS, Active Directory, and other types of LDAP logs.

Then you begin to say, what else can we throw in here? That’s pretty much covered in a traditional ArcSight type of an implementation. But what happens if I start throwing in things such as badge access or in-and-out card swipes? How about phone logs? Most companies are running IP phones. They will have logs. So what if I throw that in the equation?

What if I go outside to social media and begin to throw things such as Twitter or Facebook feeds into this equation? What if I start pulling in public searches for government-type databases, law enforcement databases, and start adding these? What results might I get based on all that data commingling?

We're not quite sure at this point. We've added many of these sources as we start to look and ask questions and see from which areas we're able to pull the interesting correlations amongst different types of data to give us that situational awareness.

There's still much to be done here, much to be discovered, as we understand the types of questions that we should be asking. As we look at this data and the sources, we also look at how to create that actionable intelligence.

Disparate sources

The type of analysts that we typically use in a security operations center are very used to ArcSight. I ingest the log and I see correlations. They're time-line driven. Now, we begin to ask questions of multiple types of data sources that are very disparate in their information, and that takes a different type of analyst.

Not only do we have different types of sources, but we have to have different types of skill sets to ask the right questions of those sources. This will continue to evolve. We may or may not find value as we add sources. We don’t want to add a source just for the heck of it, but we also want to understand that we can get very creative with the data as it comes together.

Muller: Brett makes a great point. There are actually two things that I think are important to follow up on here. The first is that, as it's true of every type of analytics conversation I am having today, everyone talks about the term "data scientist." I prefer the term "data artist," because there's a certain artistry to working out what information feeds I want to bring in.

Maybe "judgment" might be a better word in the context of security, a certain judgment or stylistic question in terms of what data feed I want to bring in. It's that creativity in terms of looking at something that doesn’t seem obvious from the outside, but could be a great leading indicator of potential threat.

The other element is that, once we've got that information, one of the challenges is that we don’t want to add to the overhead or the burden of processing that information. So it's being able to increasingly apply intelligence to, as Brett talked about, mechanistic patterns that you can determine with traditional security information and event management solutions. Those solutions are rather mechanistic. In other words, you apply a set of logical rules to them.

Increasingly, when you're looking at behavioral activities, rules may not be quite as robust as looking at techniques such as information clustering, where you look for hotspots of what seem like unrelated activities at first, but turn out later to be related.

There's a whole bunch of science in the area of crime investigation that we've applied to cybercrime, using some of the techniques, Autonomy for example, to uncover fraud in the financial services market. That automation behind those techniques increasingly is being applied to the big-data problem that security is starting to deal with.

Gardner: I was thinking that, too, Brett, when you were describing this opportunity to bring so much different information together. Yes, you would get some great benefits for security and risk purposes, but to Paul’s point, you also might have unintended consequences in terms of being able to better understand processes, operational efficiencies, and seeing market opportunities that you couldn’t see before.

Have you plumbed that at all? I know it's been a short time since you've been at HP, but are there ancillary paybacks that would be of a business interest in addition to being a security benefit?

Wahlin: Yes. As we further evaluate these data sources and the ability to understand, I believe that the insight into using the big data, not only for security, but as more of a business intelligence (BI) type of perspective has been well-documented. Our focus has really been on trying to determine the patterns and characteristics of usage.

Developing patterns

While we look at it from a purely security mindset, where we try to develop patterns, it takes on a counter-intelligence way of understanding how people go, where people go, and what they do. As people try to be unique, they tend to fall into patterns that are individual and specific to themselves. Those patterns may be over weeks or months, but they're there.

Right now, a lot of times, we'll be asked as a security organization to provide badge swipes as people go in and out of buildings. Can we take that even further and begin to understand where the efficiency would come in based on behaviors and characteristics within workforces? Can we divide that into different business units or geographies to try to determine the best use of limited resources across companies? This data could be used in those areas.

The unintended consequence that you brought up, as we look at this and begin to come up with patterns of individuals, is that it begins to reveal a lot about how people interact with systems -- what systems they go to, how often they do things -- and that can be used in a negative way. So there are privacy implications that come right to the forefront as we begin to identify folks.

That will be an interesting discussion going forward, as the data comes out, patterns start to unfold, and patterns become uniquely identifiable to cities, buildings, and individuals. What do we do with those unintended consequences?

It's almost going to be sort of a two-step, where we can make a couple of steps forward in progress and technology, then we are going to have to deal with these issues, and it might take us a step back. It's definitely evolving in this area, and these unintended consequences could be very detrimental if not addressed early.

We don’t want to completely shut down these types of activities based on privacy concerns or some other type of legalities, when we could actually potentially solve for those problems in a systematic perspective, as we move forward with the investigation of the usage of those technologies.

Muller: The concern that Brett raises is the flip side of a conversation I've been having surprisingly frequently, and it’s partly as a result of heightened awareness of some of the reported intelligence gathering activities associated with national governments around the world and the concerns as relates to privacy.

The flip side of this that we need to keep in mind is that, going back to the unintended consequences conversation, every technology that we introduce, whether it's the car, cell phone, or pocket camera, all can have obviously great positive effects. We can put them to great use. There are always situations where any new technology or any new capability could ultimately be used in a negative fashion by bad people, or sometimes even unintentionally.

The question we always need to bear in mind here is, as Brett talks about it, what are the potential unintended consequences? How can we get in front of those potential misuses early? How can we be vigilant of those misuses and put in place good governance ahead of time?

There are three approaches. One is to bury your head in the sand and pretend it will never happen. Second is to avoid adopting a technology at all for fear of those unintended consequences. The third is to be aware of them and be constantly looking for breaches of policy, breaches of good governance, and being able to then correct for those if and when they do occur.

Closed-loop cycle

Gardner: Just briefly, if the governance can be put in place, and privacy protections maintained, the opportunity is vast for a tight closed-loop cycle -- of almost a focus group -- in real time of what employees are doing with their systems, what applications they use, and how.

This can be applied to product development and, for a company like HP in the technology product development field, it could be very, very powerful and valuable data, in addition, of course, to being quite powerful for security and risk-reduction purposes.

So it’ll be a very interesting next few years, certainly with HAVEn, Vertica and HP’s security businesses. They're probably a harbinger of what other organizations will be doing. Going back to HP, Brett, tell us a bit about what you think HP is doing that will set the stage and perhaps help others to learn how to get started in terms of better security and better leveraging of big data as a tool for better security.

Wahlin: As HP progresses into the predictive security front, we're one of, I believe, two companies that are actually trying to understand how to best use HAVEn as we begin the analytics to determine the appropriate usage of the data that is at our fingertips. That takes a predictive capability that HP will be building.

We've created something called the Cyber Intelligence Center. The whole intent of that is to develop the methodologies around how the big data is used, the plumbing, and then the sources for which we actually create the big data and how we move logs into big data. That's very different than what we're doing today, traditional ArcSight loggers and ESMs. There are a lot of mechanics that we have to build for that.

Then, as we move out of that, we begin to look at the actual actionable intelligence creation to use the analytics. What questions should we ask? Then, when we get the answer, is it something we need to do something about? The lagging piece of this would be the actual creation of agile security. In some places, we even call it mobile security, and it's different than mobility. It's security that can actually move.

If you look at the war-type of analogies, back in the day, you had these columns of men with rifles, and they weren’t that mobile. Then, as you got into mechanized infantry and other types of technologies came online, airplanes and such, it became much more mobile. What's the equivalent to that in the cyber security world, and how do we create that?

Right now, it's quite difficult to move a firewall around. You don’t just unplug or re-VLAN a network. It's very difficult. You bring down applications. So what is the impact of understanding what's coming at you, maybe tomorrow, maybe next week? Can we actually make an infrastructure such that it can be reconfigured not only to defend against that attack, but perhaps even introduce some adversarial confusion?

I've done my reconnaissance. It looks like this. I come at it tomorrow, and it looks completely different. That is the kill chain that will set back the adversary quite a bit, because most of the time, during a kill chain, it's actually trying to figure out where am I, what I have, where the assets are located, and doing reconnaissance through the network.

So there are a lot of interesting things that we can do as we come to this next step in the evolution of security. At HP, we're trying to develop that at scale. Being the large company that we are, we get the opportunity to see an enormous amount of data that we wouldn’t see if we were another company.

Numerous networks

For example, HP has millions of IP addresses and subnets that are out there. We have to try to account for and figure out what's happening on any one of these networks. This gives us insight to the types of traffic, types of application configurations, types of interconnects between different subnets, types of devices, anything from printers all the way through unreleased operating systems.

How do you deal with things such as manufacturing supply chains, that are all connected to these networks? Those types of inputs begin to create the methodologies that feed into an upcoming cyber intelligence center.

Gardner: Paul, it almost sounds as if security is an accelerant to becoming a better organization, a more data-driven organization which will pay dividends in many ways. Do you agree that security is still necessary, still pertinent, now that it's perhaps forcing the hand of organizations to modernize in ways that they may not have done, if we weren’t facing such a difficult security environment?

Muller: I completely agree with you. Information security and the arms race, quite literally the analogy, is a forcing function for many organizations. It would be hard to say this without a sense of chagrin, but the great part about this is that there are actually technologies that are being developed as a result of this. Take ArcSight Logger as an example, as a result of this arms race.

Those technologies can now be applied to business problems, gathering real-time operational technology data, such as seismic events, Twitter feeds, and so forth, and being able to incorporate those back in for business and public-good purposes. Just as the space race threw up a whole bunch of technologies like Teflon or silicon adhesives that we use today, the security arms race is generating some great byproducts that are being used by enterprises to create value, and that’s a positive thing.

Gardner: Last word to you, Brett, before we sign off. Do you concur on this notion of security as an imperative, but that has a greater longer term benefit?

Wahlin: Absolutely. The analogy of the space race is perfect, as you look at trying to do the security maturation within an environment. You begin to see that a lot of the things that we're doing, whether it's understanding the environment, being able to create the operational metrics around an environment, or push into the fact that we've got to get in front of the adversaries to create the environment that is extremely agile is going to throw off a lot of technology innovations.

It’s going to throw off some challenges to the IT industry and how things are put together. That’s going to force typically sloppy operations -- such as I am just going to throw this up together, I am not going to complete an acquisition, I don’t document, I don't understand my environment -- to clean it up as we go through those processes.

The confusion and the complexity within an environment is directly opposed to creating a sense of security. As we create the more secure environment, environments that are capable of detecting anomalies within them, you have to put the hygienic pieces in place. You have to create the technologies that will allow you to leapfrog the adversaries. That’s definitely going to be both a driver for business efficiencies, as well as technology, and innovation as it comes down.

Gardner: Well, very good. I'm afraid we will have to leave it there. We've been exploring how IT leaders are improving security and reducing risks as they adapt to new and often harsh realities of doing business in cyber land, and we have been learning through an example of HP and how it's adapting as well.

So with that please join me in thanking our cohost, Paul Muller, the Chief Software Evangelist at HP Software. Thanks so much, Paul.

Muller: It's a pleasure, Dana.

Gardner: And I would like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialog with Paul through his blog, tweets, and The Discover Performance Group on LinkedIn. You can also follow more HP security ideas on these products and research blogs.

Then lastly, a huge thank you to our special guest, Brett Wahlin, Vice President and Global Chief Information Security Officer at HP. Thanks so much, Brett.

Wahlin: Thank you, Dana, and thanks, Paul.

Gardner: And you can gain more insight and information on the best in IT performance management at HP.com/go/discoverperformance, and you can always access this and other episodes in the ongoing HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation. Thanks again for listening and come back next time.

Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

Wednesday, September 11, 2013

BYOD Trend Brings New Security Challenges for IT: Allowing Greater Access While Protecting Networks

Transcript of a BriefingsDirect podcast on how Dell Software is helping to bring standardized and flexible approaches to making BYOD a positive new force for enterprise productivity.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Dell Software.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you're listening to BriefingsDirect.

Today, we present a sponsored podcast discussion on bringing clarity to bring your own device (BYOD) support, management, and security.

While so-called BYOD isn't necessarily new -- IT departments, after all, have been supporting mobile "road warriors" since the 1980s -- the rising tide of end users seeking the use and support of their consumer devices is certainly something quite new. It’s so new that IT departments are grasping for any standard or proven approaches that make BYOD access of enterprise resources both secure and reliable.

The task is dauntingly complex, and new and unforeseen consequences of BYOD are cropping up regularly, from deluged help desks to app performance snafus to new forms of security breaches.

We're here now with a panel to explore some of the new and more-effective approaches for making BYOD both safe and controlled. Please join me in welcoming our guests, Jonathan Sander, Director of IAM Product Strategy at Dell Software. Welcome, Jonathan.

Jonathan Sander: Hi, Dana. Thanks.

Gardner: We're also here with Jane Wasson, Senior Product Marketing Manager for Mobile Security at Dell Software. Welcome, Jane.

Jane Wasson: Thanks, Dana.

Gardner: It’s good to have you both with us. As I mentioned, road warriors have been looking to their IT department to help them in the field for decades, but there just doesn’t seem to be any standard operating procedures for supporting BYOD.

You can't just buy it in a box. It’s not shrink wrapped in any way. I wonder why the means to make widespread BYOD perform well is so scattered and so uncooked. Jane, why are we at this point now? People really want a solution and they can’t get one.

Wasson: IT did a great job of supporting mobile workers with laptops and early mobile devices for quite some time, but much of that was with IT-controlled systems. IT chose the devices. They chose the software, the applications, that would run on those laptops.

What we're seeing increasingly now is that mobile workers are using their personally purchased mobile devices -- cellphones, smart phones, and tablets -- to access their e-mail, calendar, corporate e-mail, corporate calendar, and IT has been able to support that securely and very successfully for them across a wide variety of devices and operating systems.

Ease and speed

What we're seeing now that’s a little bit different is increasingly those mobile workers like the ease of use and the speed at which they can get to their email and their calendar apps with those mobile devices. They now want IT to extend that so that they can get the same access to enterprise apps and resources on mobile devices that they've enjoyed on their IT controlled laptops over the years.

That creates a new challenge for IT. All of a sudden, rather than having a controlled set of devices and a controlled environment that they can manage, they have a variety of devices that end users have purchased. IT had no control over that choice and what’s already loaded on those devices.

They're trying to figure out, given that environment, how to securely enable access to enterprise apps and resources and give those end users that speed of access that they want and the ease of access that they want, but still maintain security.

They don't want their back-end networks infected with malware. They don't want to have rogue users finding laptops or mobile devices and being able to access enterprise systems. It’s a huge challenge for IT support groups.

Gardner: Do you have any sense of how big a wave this is? Are there numbers or data that indicate what portion of users are trying to go in the BYOD direction?

Wasson: Industry analysts are now seeing that more than 50 percent of workers are using personal mobile devices in some capacity to access those networks. Increasingly, they're asking to access not just email and calendar, but also enterprise apps and resources.

Gardner: Jonathan, as with many shifts in IT that didn’t originate with the IT department, it seems that there are some unintended consequences here. What’s happening now that we've got this tug, this pull, in the BYOD direction? What are IT folks who are tasked with making this viable finding?

Sander: There are a lot of consequences, and understanding all of them is still in process. That’s part of the problem. All of the problems that people are going to have as a result of BYOD are TBD. One of the ones that's most apparent right away is security. The approaches that people have taken in the past to lock down anything that’s related to mobile have all centered on exactly what Jane pointed out. They were in charge of the device in some fashion. They had a foot in that door and they could use some kind of lock down.

I was sitting with someone at one of the big financial firms in New York City the other day. We asked them about their BYOD strategy and he took a humorous approach to it. He said, "Yes, we have a really well-defined BYOD strategy. As long as the device is the one we assign to you and uses the software that we approved and control all the policy on, you can bring it." I think that that’s not too uncommon.

A lot of the firms that are very security sensitive have worked it out. On the other end of the scale, I've talked to people who say that BYOD is not something that they are doing but rather is being inflicted on them. That’s the language they put it in. It relates back to that security problem, because when they're looking at trying to understand how their data is going to be present on these devices and what impact that will have on their risk standpoint, it's almost impossible to quantify.

History of breaches

If you look at the history of breaches, even with the controlled laptops that they had, you had laptops being stolen with tons of data on them. You know what happens the first time you get one of those breaches stemming from someone leaving their cellphone in the backseat of a taxi cab? These are things that are keeping people up at night.

Add to this that a lot of times the security approaches they have taken have all been leveraging the fact that there is a single vendor that is somehow responsible for a lot of what they do. Now, with the explosion of the variety of devices and the fact that they have no control over what their employee might purchase to bring in, that notion is simply gone. With it went any hope of a standard, at least anytime soon, to help secure and lock down the data on all these different devices.

Gardner: Another aspect of this is the diversity of the variables. There is web access, native apps, a variety of different carriers, different types of networks within those carriers, and all these different plans.

I suppose it’s difficult to have just a standard operating procedure. It seems like there have to be dozens of standard operating procedures. Is that what they're finding in the field, and how does any organization come to grips with such diversity?

Sander: You're absolutely right. Diversity, first and foremost, is the challenge. There are also a lot of other trends that are bringing more diversity into IT at the same time, and then BYOD just becomes one dimension of diversity.

You mentioned web control. If you're assuming that this is a web application that they're rolling out on their own, that's one thing. If it’s a cloud app, what happens when you have somebody using a cloud app on a BYOD device? How do you insert any control into that scenario at all? It gets very complex, very quickly.

Gardner: Let’s look at some specific types of starting points, putting in the blocking and tackling necessary to start to get a handle on this. Jane, what should companies be doing, in terms of setting up some building blocks, the means to tackle the reliability, security, and diversity?

Wasson: The good news is that being able to support remote workers is not new, because most companies already have policies in place to manage remote workers. What’s new is that, rather than the devices that are accessing the enterprise apps and resources being IT controlled, those devices are no longer IT controlled.

Very often, the policies are there. What they need to do is rethink those policies in light of a mobile worker, mobile device environment with so much of the same capability. You have to be able to know which devices are connecting to the network. Are those devices harboring malware that could infect your network? Are those devices locked down, so that authentication is necessary to get into your network?

There are a number of best practices that IT organizations already have in place for their managed laptop devices. The question is how to take those policies and now apply those policies to a mobile worker who's bringing their own devices.

Forced authorization

You need to find technologies basically that allow you to force authentication on those mobile users before they can access your network. You need to find technologies that can help you interrogate those mobile devices to make sure that they're not going to infect your network with anything nasty. You need to find the technologies that allow you to look at that traffic, as it’s coming onto your network, and make sure that it's not carrying malware or other problems.

Very often, IT departments have a good handle on what they need to do. It’s a question for their environment how best to integrate mobile device management technologies so that they can support these mobile workers to provide them the access they need and do it in a way that does not introduce a lot of risk to the enterprise.

Gardner: I think I heard you say that those areas that you described would fall under this category of mobile device management. If that’s the case, without going to the buzz words too deeply, what should people think of? How should they have a vision around what mobile device management should actually do?

Wasson: What mobile device management needs to do for them is what laptop device management has done for them in the past. The key things to think about there are looking at when you're actually deploying those devices. Maybe you have end users that are purchasing personal units, and maybe you don't know initially. Maybe you don't have the same level of knowledge about that unit or ways to track it.

What you can do is introduce technologies onto your network, so that when your users log into the network or authenticate onto the network, the device is queried, so that you are able to do some level of tracking of that device. You're able to potentially provide self-service portals, so that employees have the ability to download enterprise mobile applications onto that device.

You have the ability to very simply load onto those devices agents that can automatically query devices and make sure that they're configured to meet your security requirements.

There are technologies available to do mobile device management and provide that level of oversight, so that you can inventory devices. You can have a level of knowledge and management over configuration and software applications. And you do have the ability to control, at some level, the security settings on those devices. A mobile device management platform needs to do those functions for the IT support organization across mobile operating systems.

Gardner: I should imagine, Jonathan, that an organization that’s had experience with managing laptops and full clients, as well as thin clients and zero clients, would have a leg up on moving into mobile device management. Is that the case?

Sander: To Jane’s point, they should have policies in place that are going to apply here, so that in that sense they have a leg up. They definitely need the technology in place to deliver on it, and that’s on the device layer.

On the application layer, the data layer, the place where all the intellectual property (IP) for an organization sits in most cases, those layers should be -- the word "should" is tricky -- pretty well secured already. The idea is that they have already been on there on laptops, trying to get in from the outside, for a while and there should be some level of lock-down there.

Layered defense

If you have a healthy layered defense in place so that you can get the access to people outside of your walls, then your mobile access people coming in with their own devices, in a lot of cases, are just going to look like a new client on that web application.

The trick comes when you have organizations that want to take it to the next level and supply some sort of experience that is different on the mobile device. That might mean the paranoid version, where I want to make sure that the user on the mobile device has a lot less access, and I want that to be governed by the fact that they are on the mobile device. I need to take that into account. But there is also the very proactive view that you don’t have to be paranoid about it, and you can embrace it.

I worked with a large energy company that decided to embrace these devices. They decided that if they're going to use them well, they might as well squeeze some more productivity out of them. They were going to roll out apps that specifically deliver their data, but the challenge they faced then was that they then had to make sure the data were secure in those channels too.

So they had to be very specific about that, and that involved new areas of policy but also having the technology be smart enough to answer those challenges, as well, because being proactive like that means taking on some new security context, and it’s a new risk.

Gardner: Jane, I have also heard that you need to think about networks in a different way. With some relevance to the past, network containment has been something organizations have done for remote branches. They've used VPNs with the end devices, fat clients, if you will. How does network containment mature for BYOD support?

Wasson: The good news is that IT departments have a lot of experience with managing networks and managing their network securely. What’s different here is that now you have a mobile device that is the conduit coming into the network. Whereas in the past, folks had been using primarily laptop VPN clients, that paradigm changes a little for the mobile world. Mobile users like the convenience and the ease of being able to use mobile applications.

The challenge for IT departments is how to create a simple user experience for mobile devices to access the back-end network and how to make sure that for the mobile user not only is it simple and easy, but they are authenticating to that network for security.

Also, because with that mobile user it’s a personal device and they control what mobile service they are using, IT groups need to care a lot about the networks from which the user is accessing the corporate environment.

For example, you want to make sure that you're using an encrypted SSL VPN connection to go back into your corporate data centers. It needs to not only be encrypted as SSL VPN, but you also want to make sure that it's a very easy and simple experience for your mobile user.

What IT groups need to be looking for is that very simple mobile worker experience that allows you to very quickly authenticate onto the network and establish encrypted SSL VPN into the networks, so that you don't have to worry about interception on a wi-fi network or interception on a mobile service network in a public place.

Access control

The need for network access control, so that once you know that users are coming in securely, once you know they are authenticated onto the network, you can easily enable them to access the correct enterprise applications and resources that they should have privileges for.

The challenge there for IT is that you want to make sure that it’s easy for IT to provision. You want a technology that recognizes that you have mobile users coming and allows you to very easily provision those users with the privileges you want them to have on your network and make sure that they are coming in over secure networks. There are lots of implications for networks there, but there are solutions to help address that.

Gardner: Now, another way to skin this cat, I suppose, and which also makes it different with mobile devices is there is not just an on-off switch in terms of access. If you want to make security adjust to the modern environment, you need to start having a granular approach. Jonathan, how does access control over your assets and resources -- not a complete black-and-white or on-and-off -- but at a more graduated or a granular level, help with BYOD and security?

Sander: It goes back to that idea of trying to be either paranoid or proactive about the whole BYOD sphere. When you're trying to figure out what data you want people to have access to, you're not just going to take into account some rigid set of rules based on who they are.

At least most organizations are not going to do that, partially because coming up with those rules itself can be challenging, but also because a lot of times what counts most to these people are not the roles and the rules but rather context.

Context is king in a lot of cases these days, when you are trying to figure out a good approach to security. What better context to be aware of than one person sitting at a desk behind all of corporate protection accessing a system versus the same person on their tablet in a Starbucks?

These are clearly two different risk categories. If they want to get access to the same data, then you're probably going to do slightly different things to have things happen. At that Starbucks, like Jane said, you're going to have to make sure you have a very secure channel to communicate on. And you might want to ask them to do extra layers of authentication or perhaps go through an extra step of approval. Or maybe somebody on the inside needs to confirm that this person should have access to that data on the outside.

What that’s going to mean, Dana, is that you are going to have lots of different layers of security but they all need to be very well connected to one another. They need to be able to share data, share that context, and in that sharing, be able to create the right circumstance to have a secure access to whatever data is going to make the efficiency for that person be maximized. Maybe they're in the Starbucks because they are on a road trip that is incredibly important to meeting the top-line goals for your company.

It may not just be a convenience. It often sounds, when you talk about these BYOD and mobile questions, as if we're enabling somebody to be lazy. All I can say is that when I find myself on business trips, working at Starbucks is not lazy. It’s a necessity.

Not a luxury

It’s not exactly comfortable sitting there and trying to work around noise, traffic, and everything else. Typically, I'm not doing it as a luxury and I don’t think anybody else that does it is doing it that way either, in most cases. So, finding ways to enable that is a big deal.

Gardner: We could spend a whole other hour talking about the productivity benefits that come when BYOD is done correctly, but in listening to you both it occurs to me that there are positive, unintended consequences here. When you do go mobile first, with your network containment activities, with your connected security around access control, and when you've elevated management to mobile device management, you're probably an organization with better policies and with better means or security in total.

Am I off-base here, or is there a more robust level within an IT organization when they embrace BYOD in mobile and mobile first becomes really a just better way of doing IT?

Wasson: The key thing here is that end users are moving to mobile. Workers are moving to mobile because they like the speed and ease of use of the mobile environment.

IT organizations that embrace that are going to be ahead of the game of being able to secure those networks, relative to organizations that don't embrace it and have mobile workers end-gaming them by using apps that are more likely to introduce malware onto the networks.

IT support organizations that provide that easy, secure access into the enterprise, not just the calendar and email apps, but into the enterprise apps and resources, are more likely to have happy end users that are using secure technologies, as opposed to end-gaming IT and using technologies that introduce more risk into the IT environment.

Sander: I agree that the worst consequence of not doing the mobile first is that you're going to have people end-gaming IT. You're going to have shadow IT spring up in lines of business. You're going to have smart end users simply figuring it out for themselves. Believe me, if you don’t proactively lock it down, there are lots of ways to get it as mobile devices. Those companies that do think mobile first are the ones that are going to innovate their way out of those problems.

They're the ones who are going to have the right mentality at the outset, where they formulate policy with that in mind and where they adopt technology with that in mind. You can see that happening today.

I see companies that have taken advantage of a mobile platform and tried to make sure that it is going to boost productivity. But the very first thing that happens, when they do that, is they get a huge push back from security, from the risk people, and sometimes even from executive-level folks, who are a little more conservative in a lot of cases, and tend to think in terms of the impact first. Because they want to push into that mobility mindset, that pushback forces them to think their way through all the security impacts and get over those hurdles to get what they really want.

The idea is that, if you do it well, doing good security for mobility and BYOD on the first try, getting that good security, becomes an enabler as more waves of it hit you, because you've already got it figured out. When the next line of business shows up and wants to do it seriously, you've got a good pattern there which completely discourages all of that shadow IT and other nonsense, because you can give them good answers, and they want them.

Be an enabler

They don’t want to figure out ways around you. They want you to be an enabler. I was reading recently how security has to go from being the "department of no" to the "department of how," because a lot of times, that’s really what it boils down to. If you're simply going to say no, they're going to figure out a way around you. If you tell them how to do it in a secure fashion, they'll do that. That’s why they're asking in the first place. They want you to enable them.

Gardner: Maybe we should move beyond theory and vision into some practicality. Do we have any examples or anecdotes of organizations that have taken this plunge, embraced BYOD, perhaps with some mobile first mentality thrown in, and what are the results? What did they get?

Wasson: One potential example of this is educational institutions. Educational institutions are probably some of the earlier adopters for using mobile platforms to access their back-end systems, and yet educational institutions also are very often required by law not to make inappropriate sites and things available to students.

We've seen educational institutions deploying mobile device management platforms, and in this case our KACE K3000 Mobile Management platform with our mobile security solutions, such as our Mobile Connect application on devices, and Secure Remote appliances, enabling secure SSL VPN connection. What we're seeing is that the IT organizations have the level of control over those devices that they need.

They can still give the freedom to the end user to choose those devices, yet they have the ability to manage those devices, manage security settings on those devices, authenticate those devices before they connect to the educational institution data centers, and automatically establish encrypted secure SSL VPN.

They're able to query the traffic to make sure that traffic isn’t coming from or going to inappropriate sites and making sure that there's no malware on the network. And they're able to gain control and security of the mobile students, while still enabling those students to use their personal devices and the tools of their choice.

Gardner: Jonathan, any other examples from your perspective on when you do this well, how it can work?

Sander: The first one that comes to mind is a healthcare system we were working with. They were in a unique position in that they actually had a high percentage of doctor ownership. What I mean by that is that a lot of people who had an executive stake in the healthcare system were themselves doctors.

The doctors clearly wanted to use mobile devices as much as possible. They wanted to enable themselves to work on the run. They were running between hospitals. They were doing lots of different things where it's not a luxury to be on the tablet, but more of a necessity. So they challenged their IT folks to enable that.

Just as with this situation in other places, the first push back was from security. We worked with them, and the results were very similar to what Jane describes from a technology standpoint. Dell was able to supply them with mobile-device management and network controls. They had a really good single sign-on platform as well. So the doctors weren’t constantly logging in again and again and again, even though they switched context and switched devices.

Productivity gain

What they gained from that was a huge amount of productivity from the doctors. In this case, coincidentally, they gained big in the executive team’s eyes for IT, because as I mentioned, a lot of them happened to be doctors. That was a good feedback loop. As they made that constituency very happy, that also fed directly into their executive team.

In this particular case they got a double benefit, not just happy users, but happy executives. I guess it’s one of those, "I'm not just a president, but also user" type of things, where they were able to benefit twice from the same work.

Gardner: I don't think we can, in any way, expect this BYOD trend to be a flash in the pan. I think it’s going to be here for quite some time, here to stay really.

But as we look to the future, are there some developments that we should expect that would reward organizations for being proactive with the way they go at BYOD, more from a systemic and strategic and well thought-out approach rather than knee-jerk or reactive?

I'm thinking about security and malware, whether that might be something that's going to change in any way? Any thoughts, Jane, on where the security equation might shift in the future?

Wasson: Today much of the malware is targeting PCs and laptops, but now, as smartphones have become more prevalent in the marketplace, increasingly hackers and cyber terrorists are recognizing that that’s a great new platform to go after.

We're seeing increased development of malware to go after mobile devices as a conduit to get into back-end networks. We should absolutely expect that that's going to continue. We're seeing a trend towards more targeted attacks. As technologies to protect are developed, it's going to be very important to find those technologies that specifically protect from targeted attacks.

The thing that's becoming increasingly important is to make sure that your security technologies aren't just looking at the reputation of who is trying to get into the network and protocols, but are actually looking at the actual traffic packets themselves. It's important to be able to identify those targeted attacks, advanced persistent threats, or malware that's hidden within your traffic, because in the network at large, the presence of malware is only growing.

For mobile platforms, historically it wasn’t as big a problem. Now that we see more of them out there, they're becoming a more important target. So it’s very important for IT support organizations to get ahead of this.

They need to recognize that where they had previously focused mostly on what’s happening with PC laptop traffic, they really need to focus a lot more on making sure that they have good strategies and good policies in place also to address that mobile traffic.

Broadening reach

Gardner: We've been talking, of course, about how BYOD impacts employees and users within the enterprise. I suppose we should also broaden this out to consider that mobile commerce is going to impact supply chain, partners, and end users. Consumers will be going through mobile applications increasingly to do business with various organizations.

This, again, goes beyond just the device for the employee to the devices for all the points that connect enterprises and customers. Any thoughts on how that might evolve in the future, Jonathan?

Sander: Most everything we've talked about has been taking patterns and scripts that people are pretty familiar with from an IT security standpoint, changing a couple of the players, and running them the way that they have. It’s either your applications, as you have had them, and you are going to run the security play with mobile device as the endpoint, and you try to figure that out.

But there are also trends where we have our user base and now we are going to move our applications out into the cloud. How do we do that? One of the things that we can look to for the future of BYOD is that we need to figure out what does it mean to have BYOD devices, cloud-based applications, and almost no touch points for us to get in there.

All of the patterns that we are used to, all of the scripts that we follow from a security standpoint, assume at least half the conversation is a heavy touch point for us. We're going to have the ability to get in there and put the shim in, or do whatever it is that’s necessary to understand it. But if that lies mostly outside of our hands, what does that mean? How do I really get a handle on that? A lot of organizations, thankfully for them, are not there yet, but they really need to be thinking about that.

We talk about thinking mobile first. People who are thinking mobile first with their end-user community, when they are in their private planning meetings trying to figure out the next phase, need to figure out what this looks like, whether it’s a world that has IT almost completely out of the equation, but still somehow responsible for it.

Gardner: I suppose we should be thinking about mobile and cloud first from now on.

Sander: That’s where it’s going to go.

Gardner: We're running close to our time, but let’s get a little bit more on Dell’s vision, given this future track, what we're seeing in the current landscape for BYOD, and the acquisitions and the strategic move from Dell Software. Let’s hear what you have in mind in terms of how one should go about, as an IT organization, getting a better handle on this. Let’s start with you, Jonathan.

Sander: Our overall vision for security, and we would definitely apply this to the BYOD sphere as well, is approaching it from a connected viewpoint. The word "connected" has a very specific context here.

You often hear talk from Dell and others about converged solutions, where essentially you bring a whole bunch of technologies into one solution, usually a box of some kind, and you deliver it as such.

Moving parts

Security is never going to look like that. Security is always going to have a lot of different moving parts, and that’s because essentially security needs to map itself to the needs of the infrastructure that you've built. That’s going to be dictated by organic growth, mergers and acquisitions, and everything in between.

We think about it as being a connected set of solutions. The focus of that is to make sure that we can deliver on all these different points that are necessary to build up the right context and the right controls, to make security meaningful in a context like BYOD, but not do it in a way that makes too many demands of the infrastructure. The way you get benefit from that is by having these connected pieces attached at the right points. You then get both the protection of going inside-out and outside-in.

Inside-out is the way you normally think about security in a lot of cases, where you build the controls for the things you are in charge of. You make sure that, as they go out into the world, they're heavily secured using all the themes you have at your disposal.

Outside-in is the traditional bad guys trying to get into your little world scenario. We want to make sure that the connected security solutions that we deliver can do both of these things, not only protect you from any insider threats and all of the things that can crop up from the way you build your technology that you are going to use to propel the business, but also protect you from the threats from the outside as well.

Gardner: Last word to you, Jane. What would you add to what Jonathan said in terms of Dell Software’s vision for making BYOD secure?

Wasson: The good news is that our vision basically supports IT in helping to enable the mobile worker to get that simple, secure, fast access to enterprise apps and resources. The way that we are doing this is by providing mobile-friendly technologies, IT-friendly technologies, that give both the ease of use and simplicity that mobile users need.

For example, our Mobile Connect App acts both as a VPN client and also as a policy-enforced network access control app client, so that you have that simple one-click access into the corporate data center that is secured by encrypted SSL VPN, with our Secure Remote Access appliances.

You also have the support for IT to reduce complexity, because we make it very easy to create those policies, automatically enforce those policies, and implement network access control and security throughout the network.

Gardner: Well, great. I'm afraid we'll have to leave it there. You've been listening to a sponsored BriefingsDirect podcast discussion on bringing clarity to BYOD support, management, and security. And we have seen how IT departments are grasping for any proven or standardized approach that makes BYOD access of resources secure and reliable.

And we've learned how Dell Software is helping to bring standardized and flexible approaches to making BYOD and perhaps mobile first a positive new force to enterprise productivity.

So thanks to our guests for joining. We've been here with Jonathan Sander, the Director of IAM Product Strategy at Dell Software. Thanks so much, Jonathan.

Sander: Thank you, Dana.

Gardner: And thank you also to Jane Wasson, the Senior Product Marketing Manager for Mobile Security at Dell Software. Thanks, Jane.

Wasson: Thanks, Dana.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks also to our audience for joining us, and don’t forget to come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Dell Software

Transcript of a BriefingsDirect podcast on how Dell Software is helping to bring standardized and flexible approaches to making BYOD a positive new force for enterprise productivity. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.


Tuesday, September 10, 2013

Unum Group Architect Charts a DevOps Course to a Hybrid Cloud Future

Transcript of a BriefingsDirect podcast on how Unum Group has benefited from a better process around application development and deployment using HP tools.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: HP.

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it’s making an impact on people’s lives.

Once again, we're focusing on how IT leaders are improving their services' performance to deliver better experiences and payoffs for businesses and end users alike, and this time we're coming to you directly from the recent HP Discover 2013 Conference in Las Vegas.

Our next innovation case study interview highlights how employee benefits provider Unum Group has been building a DevOps continuum and is exploring the benefits of a better process around applications development and deployment. And we are going to learn more about how they've been using certain tools and approaches to improve their applications delivery.

So join me in thanking our guests for being here. We're joined by Tim Durgan, an Enterprise Application Architect at Unum Group. Welcome, Tim.

Tim Durgan: Thank you, Dana.

Gardner: We're also here with Petri Maanonen, Senior Product Marketing Manager for Application Performance Management at HP Software. Welcome, Petri. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

Petri Maanonen: Hello, Dana.

Gardner: Let's talk a little bit about what's important for your company. You're a large insurer. You're in the Fortune 500. You're one of the largest employee benefits providers in the U.S. and you have a big presence in the UK as well. What are some of the imperatives that have driven you to try to improve upon your applications delivery?

Durgan: Even though, as you said, we're one of the largest employee benefits providers in the United States, we began to realize that there were smaller companies starting to chip away in segments of the market.

It became imperative to deliver products more rapidly to the market, because delivery was a multi-year effort, which was unacceptable. If it took that long from concept to delivery, there would be a completely new market dynamic at play.

We started to look at application architectures like service-oriented architecture (SOA) to deliver agility, process automation, and rules automation -- all very mainstream approaches. We discovered pretty quickly that to use those approaches effectively you needed to have a level of governance.

Governance initiative

We had an SOA governance initiative that I led and we brought in technology from HP to aid us with that. It was the Business Service Management (BSM) suite of tools, the Systinet Repository, and some partner products from HP.

What we discovered very quickly is that in enterprise architecture, where I am from in the company, bringing in an operational tool like monitoring was not hailed as, "Thanks for helping us." There was this organizational push back. It became very clear to me early on that we were operating in silos. Delivery was doing their efforts, and we would throw it over the wall to QA. QA would do their job, and then we would ultimately move it out to a production environment and operational aspects would take over.

It really dawned on me early on that we had to try to challenge the status quo around the organization. That's what started to get me focused on this DevOps idea, and HP has a number of products that are really allowing that philosophy to become a reality.

Gardner: Tell me what you think that philosophy is. Does it differ from perspective and position within organizations as an enterprise architect, sort of an über role over some of these groups? How do you define DevOps?

Durgan: I have a couple of principles that I use when I talk about DevOps, and I try to use titles for these principles that are a little disruptive, so people pay attention.

For instance, I'll say "eliminate the monkeys," which essentially means you need to try to automate as much as possible. In many companies, their development process is filled with committees of people making decisions on criteria that are objective. Machines are very good at objective criteria. Let's save the humans for subjective things.

That's what I talk about when we say eliminate the monkeys, get people out of the middle. It's really interesting, because as an architect, I recognize the automation of business process. But somehow I missed the fact that we need to automate the IT process, which in a lot of ways, is what DevOps is about.

Another principle is "fail fast." If you're going to deliver software fast, you need to be able to fail fast. An example that I presented here at the conference last year -- which I knew most of the HP people loved -- was Palm. I'm sure they wished they had failed faster, because that was a pretty painful lesson, and a lot of companies struggle with that.

Unum does. We want to put a product out quickly, but if it's going to fail, we would love to know it's going to fail very quickly, not make millions of dollars in investments.

Another one is visibility throughout. I will say monitoring is a team sport. In a lot of companies, there are 50 or 60 monitoring tools. Each team has a monitoring tool. You have to have a secret decoder ring to use each monitoring tool.

While diversity is normally a great thing, it isn't when it comes to monitoring. You can't have the ops guy looking at data that's different from what the developer is looking at. That means you're completely hopeless when it comes to resolving issues.

Working collaboratively

My last one is "Kumbaya." A lot of IT organizations act competitively. Somehow infrastructure believes they can be successful without development and without QA and vice versa. Business sees only IT. We are a complete team and we have to work collaboratively to achieve things.

So those are really the ways I think about DevOps at the company.

Gardner: Petri, when you hear words like "process automation for IT" and a common view of the data across IT groups, it must be music to your ears?

Maanonen: Oh, sure. And the team has been very accurately capturing the essence of how DevOps needs to be supported as a function and of course shared among different kinds of teams in silos.

If you look at HP, we've been supporting these various teams for 15 years, whether it has been testing a performance of an application or monitoring from the end-user perspective and so forth. So we've been observing from our customers -- and Unum is a brilliant example of that -- them growing and developing their kind of internal collaboration to support these DevOps processes. Obviously the technology is a good supporting factor in that.

Tim was mentioning the continuous delivery type of demands from the business. We have been trying to step up, not only by developing the technology, but actually bringing very quickly supportive software-as-a-service (SaaS) types of offerings, Agile Manager and Performance Anywhere for example. Then, customers can quickly adopt the supporting technology and get this collaboration and a DevOps cycle, the continuous improvement cycle, going.

Gardner: Now, of course, this isn't just a technology discussion. When you said Kumbaya, obviously this is about getting people to see the vision, buy into the vision, and then act on the vision. So tell me a little bit more, Tim, about the politics of DevOps.

Durgan: So you are going to ask me politics for this public interview. At Unum there is none, first of all, but I hear there is at other companies. I think the problem that a lot of companies have, and Unum as well, is that unfortunately we all have individual expectations and performance. We all have a performance review at the end of the year and we have things that we need to do. So it is, as you mentioned, getting everybody to buy into that holistic vision, and having these groups all sign up for the DevOps vision.

We've had good success in the conversation so far at Unum. I know we've talked to our Chief Technology Officer, and he's very supportive of this. But because we're still on the journey, we want data, metrics, and some evidence to support the philosophy. I think we're making some progress in the political space, but it's still a challenge.

I'm part of the HP BSM CAB (Customer Advisory Board), and in that group they talk about these other different small monitoring products trying to chip away at HP's market. The product managers will ask, "Why is that?" And I say that part of the problem is BSM is pitching enterprise monitoring.

The assumption is that a lot of organizations sign on to the enterprise monitoring vision. A lot of them don't, because the infrastructure team cares about the server, the application team cares about the app, and the networking team cares about the network. In a lot of ways, that's the same challenge you have in DevOps.

Requests for visibility

But I hear a lot of requests from the infrastructure and application teams for that visibility into each other's jobs, into their spaces, and that's what DevOps is pitching. DevOps is saying, "We want to give you visibility, engineer, so that you can understand what this application needs, and we want to give you visibility, developer, into what's happening in the server environment so you can partner better there."

There is a good grassroots movement on this in a lot of ways, more than a top-down. If you talk about politics, I think in a lot of cases it has to be this “Occupy IT” movement.

Gardner: What are some of the paybacks that are tangible and identifiable when DevOps is done properly, when that data is shared and there is a common view, and the automation processes gets underway?

Maanonen: What we hear from our customers, and obviously Unum is no exception to that, is that they're able to measure the return on investment (ROI) from the number of downtime hours or increased productivity or revenue, just avoiding the old application hiccups that might have been happening without this collaborative approach.

Also, there's the reduction of the mean time to resolve the issues, which they see in production and, with more supportive data than before, provide the fix through their development and testing cycles. That's happening much faster than in the past.

Where it might have been taking days or weeks to get some bugs in the application fixed, this might be happening in hours now because of this collaborative process.

Gardner: Tim, what about some of the initiatives that you're bound to be facing in the future, perhaps more mobile apps, smaller apps, the whole mobile-first mentality, and then more cloud options for you to deploy your apps differently, depending on what the economics and the performance and other requirements dictate. Does DevOps put you in a better position vis-à-vis what we all seem to see coming down the pike?

Durgan: It is, if you think about movement to the cloud, which Unum is very much looking at now. We're evaluating a cloud-first strategy. My accountability is writing this strategy.

And you start to think about, "I'm going to take this application and run it on a data center I don’t own anymore. So the need for visibility, transparency, and collaboration is even greater."

It's a philosophy that enables all of the new emerging needs, whether it's mobile, cloud, APIs, edge of the enterprise, all those types of phenomena. One of the other major things, which we didn't touch on earlier, that I would contend is a hurdle for organizations is, if you think about DevOps and that visibility, data is great, but if you don't have any idea of expectations, it's just data.

What about service-level management (SLM) and ITIL process, processes that predated ITIL, just this idea of what are the expectations, performance, availability, what have you for any aspect of the IT infrastructure or applications? If you don’t have a mature process there, it’s really hard for you to make any tangible progress in a DevOps space, an ALM space, or any of those things. That’s an organizational obstacle as well.

Make it real

One of the things we're doing at Unum is we're trying to establish SLAs beginning in dev, and that's where we take fail fast to make it real. When I came to the conference and presented it, I had a lot of people look surprised. So I think it's radical.

If I can’t meet that SLA in dev, there's no way I am going to magically meet it in production without some kind of change. And so that’s a great enhancement. At first people say, that’s an awful lot of burden, but I try to say, "Look, I'm giving you, developer, an opportunity to fail and resolve your problem Monday through Friday, versus it goes to production, you fail, and you're here on the weekends, working around the clock."

That, to me is just one of those very simple things that is at the heart of a DevOps philosophy, a fail fast philosophy, and a big part of that development cycle. A lot of the DevOps tooling space right now is focused on some ALM on the front end, HP Agile Manager, and deployment.

Well, those are great, but as an application architect, I care about design and development. I think HP is well-positioned to do some great things with BSM, which has all that SLA data, and integrate that with things like the Repository, which has great lifecycle management. You start having these enforcement points and you say, "This code isn't moving unless it meets an SLA." That decision is made by the tool, objective criteria, decided by the system. There's no need to have a human involved. It's a great opportunity for HP to really do some cutting-edge and market-leading stuff.

Maanonen: We see that the cloud and mobile, as you mentioned, Dana, are coming into play and are increasing the velocity of the applications and services being provisioned out to the end users. We see that this bigger and larger focus, looking from the end user perspective of receiving the service, whether it’s a mobile or a cloud service, is something that we've been doing through our technology as a unifying factor.

It's very important when you want to break the silos. If the teams are adopting this end-user perspective, focusing on the end user experience improvement in each step of the development, testing, and monitoring, this is actually giving a common language for the teams and enhancing the chances of improved collaboration in the organization.

Durgan: That's a really good point. You start to hear this phrase now, the borderless enterprise, and it's so true. Whether it's mobile, cloud, or providing APIs to your customers, brokers, or third parties, that's the world we now live in. So we need to increase that quality and that speed to market. It's no longer nice to have; you've got to deliver on that stuff.

If you don’t adopt DevOps principles and do some of these things around failing fast and providing holistic visibility and shared data, I just don't see how you change the game, how you move from your quarterly release cycle to a monthly, weekly, or daily release cycle. I don’t see how you do it.

Gardner: Here at HP Discover, we're hearing a lot about HAVEn, a platform that’s inclusive of many data and information types, with scale and speed and provisioning.

We're also hearing about Converged Cloud, an opportunity to play that hybrid continuum in the best way for your organization. And we heard some interesting things about HP Anywhere, going mobile, and enabling those endpoints at an agnostic level.

But after all, it’s still about the applications. If you don't have good apps -- and have a good process and methodology for delivering those apps -- all those other benefits perhaps don't pay back in the way they should.

Strong presence

So what's interesting to me is that HP may be unique in that it has a very strong presence in the applications test, dev, deployment, fostering Agile, and fostering DevOps that the other competitors that are presenting options for mobile or for cloud don't have. So that's a roundabout way of asking: how essential is it to the future of HP to make people like Tim happy?

Maanonen: Tim has been pointing out that they're coming from a traditional IT environment and they're moving to the cloud now very fast. So you can see the breadth of the HP portfolio. Whatever technology area you're looking at, we should be pretty well-equipped to support companies and customers like Unum and others in different phases of their journey and the maturity curve when they move into cloud, mobile, and so forth. We're very keen to leverage and share those experiences we have here over the years with different customers.

Yesterday, there were customer roundtable events and customer advisory boards, where we're trying to make the customers share their experiences and best practices on what they've learned here. Hopefully, this podcast is giving an avenue to the other customers to hear what they should explore next.

But the portfolio breadth is one of the strengths for HP, and we're trying to stay competitive in each area. So I am happy that you have been observing that in the conference.

Gardner: Last word to you, Tim. What would you like to see differently -- not necessarily just from a product perspective, but in terms of helping you cross the chasm from a siloed development organization and a siloed data center and production organization? What do you need to be able to improve on this DevOps challenge?

Durgan: The biggest thing HP can do for us is to continue to invest in those integrations of that portfolio, because you're right, they absolutely have great breadth of the offerings.

But I think the challenge for HP, with a company the size they are, is that they can have their own silos. You can talk to the Systinet team and talk to the BSM team and say, "Am I talking to the same company still?" So I think making that integration turnkey, like the integrations we're trying to achieve, is using their SOA Repository, their Systinet product as the heart of an SOA governance project.

We're integrating with Quality Center to have defects visible in the repository, so we can make an automated decision that this code moves because it has a reasonable number of defects. Zero is what we'd like to say, but let's be honest here, sometimes you have to let one go, if it’s minor. Very minor for any Unum people reading this.

Then, we are integrating with BSM, because we want that SLA data and that SLM data, and we are integrating with some of their partner products.

There’s great opportunity there. If that integration can be a smoother thing, an easier thing, a turnkey type operation, that makes the portfolio, that breadth something that you can actually use to get significant traction in the DevOps space.

Gardner: Well, great. I'm afraid we will have to leave it there. We've been learning about how Unum Group has been working toward a DevOps benefit and how they've been using HP products to do so.

So join me in thanking our guests, Tim Durgan, Enterprise Application Architect at Unum Group. Thank you, Tim.

Durgan: Thank you, Dana.

Gardner: And also Petri Maanonen, Senior Product Marketing Manager for Application Performance Management at HP Software. Thank you, Petri.

Maanonen: Thank you, Dana.

Gardner: And I'd like to thank our audience as well for joining us for this special HP Discover Performance Podcast coming to you from the recent HP Discover 2013 Conference in Las Vegas.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HP sponsored discussions. Thanks again for joining, and come back next time.


Transcript of a BriefingsDirect podcast on how Unum Group has benefitted from a better process around application development and deployment using HP tools. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.
