Monday, March 09, 2020

Business Readiness—The Key to Surviving and Thriving in Uncertain Times
Transcript of a discussion on how companies and communities alike are adjusting to a variety of workplace threats using new ways of enabling enterprise-class access and distribution of vital data resources and applications.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Citrix.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Just as the nature of risk has been a whirling dervish of late, the counter-forces of business continuity measures have had to turn on a dime as well. What used to mean better batteries for servers and mirrored, distributed datacenters has recently evolved into anywhere, any-circumstance solutions that keep workers working -- no matter what.

Out-of-the-blue workplace disruptions -- whether natural disasters, political unrest, or the current coronavirus pandemic -- have shown how true business continuity means enabling all employees to continue to work in a safe and secure manner.

Stay with us now as we explore how companies and communities alike are adjusting to a variety of workplace threats using new ways of enabling enterprise-class access and distribution of vital data resources and applications.

And in doing so, these public and private sector innovators are setting themselves up to be more agile, intelligent, and responsive to their workers, customers, and citizens once the disaster inevitably passes.

Here to share stories on making IT systems and people evolve together to overcome workplace disruptions is Chris McMasters, Chief Information Officer (CIO) at the City of Corona, California. Welcome, Chris.

Chris McMasters: Thank you, Dana.

Gardner: We’re also here with Jordan Catling, Associate Director of Client Technology at The University of Sydney in Australia. Welcome, Jordan.

Jordan Catling: Thank you very much, Dana. I appreciate the invite.

Gardner: And we’re here with Tim Minahan, Executive Vice President of Strategy and Chief Marketing Officer at Citrix. Welcome, Tim.

Tim Minahan: Thank you for including me, Dana.

Gardner: Tim, how has business readiness changed over the past few years? It seems to be a moving target.

Stay prepared for everything

Minahan: The very nature of business readiness is not about preparing for what’s happening today -- or responding to a specific incident. It’s a signal for having a plan to ensure that your work environment is ready for any situation.
That certainly means having in place the right policies and contingency plans, but it also -- with today’s knowledge workforce -- goes to enabling a very flexible and dynamic workspace infrastructure that allows you to scale up, scale down, and move your entire workforce on a moment’s notice.

You need to ensure that your employees can continue to work safely and remotely while giving your company the confidence that they’re doing that all in a very secure way, so the company’s information and infrastructure remains secure.

Gardner: Chris McMasters, as a CIO, you surely remember the days when IT systems were brittle, not easily adjusted, and hard to change. Has the nature of work and these business continuity challenges forced IT to be more agile?

McMasters: Yes, absolutely. There’s no better example than in government. Government IT is known for being on-premises and very resistant to change. In the current environment everything has been flipped on its head. We’re having to be flexible, more dynamic in how we deploy services, and in how users get those services.

Gardner: Jordan, higher education hasn’t necessarily been the place where we’d expect business continuity challenges to be overcome. But you’ve been dealing with an aggressive outbreak of the coronavirus in China.
Catling: It’s been a very interesting six months for us, particularly in higher education, with the Australian fires, floods, and now the coronavirus. But generally, as an institution that operates over 22 locations, with teaching hospitals and campuses -- our largest campus has its own zip code -- this is part of our day, enabling people to work from wherever they are.

The really interesting thing about this situation is we’re having to enable teaching from places that we wouldn’t ordinarily. We’re having to make better use of the tools that we have available to come up with innovative solutions to keep delivering a distinctive education that The University of Sydney is known for.

Gardner: And when you’re trying to anticipate challenges, something like COVID-19, the disease that emanates from the coronavirus, did you ever think that you’d have to virtually overnight provide students stuck in one location with the opportunity to continue to learn from a distance?
Catling: We need to always be preparing for a number of scenarios. We need to be able to rapidly deploy solutions to enable people to work from wherever they are. The flexibility and dynamic toolsets are really important for us to be able to scale up safely and securely.

Gardner: Tim, the idea of business continuity including workers not only working at home but perhaps in far-flung countries where they’ve been stuck because of a quarantine, for example -- these haven’t always been what we consider IT business continuity. Why is worker continuity more important than ever?

Minahan: Globally we’re recognizing the importance of the overall employee experience and how it’s becoming a key differentiator for companies and organizations. We have a global shortage of medium- to high-skilled talent. We’re short about 85 million workers.
Companies are battling for the high ground on providing preferred ways to work. One way they do that is ensuring that they can provide flexible work environments that rely on effective workplace technologies that enable employees to do their very best work.

So companies are battling for the high ground on providing preferred ways to work. One way they do that is ensuring that they can provide flexible work environments, ones that rely on effective workplace technologies that enable employees to do their very best work wherever that might be. That might be in an office building. It might be in a remote location, or in certain situations they may need to turn on a dime and move from their office to the home force to keep operations going. Companies are planning to be flexible not just for business readiness but also for competitive advantage.

Gardner: Making this happen with enterprise-caliber, mission-critical reliability isn’t just a matter of renting some new end-devices and throwing up a few hotspots. Why is this about an end-to-end solution, and not just point solutions?

Be proactive not reactive

Minahan: One of the most important things to recognize is companies often first react to a crisis environment. Currently, you’re hearing a lot of, “Hey, we just,” like the school system in Miami, for example, “purchased 250,000 laptops to distribute to students and teachers to maintain their education.”

However, that may enable and empower students and employees, but it may be less associated with proper security measures and put both the companies’, workers’, and customers’ personal information at risk.

You need to plan from the get-go for having a very flexible, remote workplace infrastructure -- one that embeds security. That way -- no matter where the work needs to get done, no matter on what device, or even on whatever unfamiliar network -- you can be assured that the appropriate security policies are in place to protect the private information of your employees. The critical information of your business, and certainly any kinds of customer or constituent information, is at stake.

Gardner: Let’s hear what you get when you do this right. Jordan at The University of Sydney, you had more than 14,000 students unexpectedly quarantined in China, yet they still needed to somehow do their coursework. Tell us how this came about, and what you’ve done to accommodate them.

Quality IT during quarantine
Catling: Exactly right. As this situation began to develop in late January, we quite quickly began to scenario plan around the possible eventualities. A significant part of our role, as the technologists within the university, is making sure that we’re providing a toolset that can adapt to the needs of the community.

So we looked at various platforms that we were already using -- and some that we hadn’t -- to work out what do. Within the academic community, we needed the best set of tools for our staff to use in different and innovative ways. We quickly had to develop solutions and had to lean on our partners to help us out with developing those.

Gardner: Did you know where your students were going to be housed? Was this a case where you knew that they were going to be in a certain type of facility with certain types of resources or are they scattered around? How did you deal with that last mile issue, so to speak?

Catling: The last mile issue is a real tricky one. We knew that people were going to be in various locations throughout mainland China, and elsewhere. We needed to quickly build a solution capable of supporting our students -- no matter where they were, no matter what device that they were using, and no matter what their local Internet connection was like.

We have had variability in the quality of our connections even within Australia. But now we needed a solution that would cater to as many people as possible and be considerate of quite a number of different scenarios that our students and staff would be facing.

Gardner: How were you are able to provide that quality of service across so many applications given that level of variability?

Catling: The biggest focus for us, of course, is the safety and security of our staff and students. It’s paramount. We very quickly tried to work out where our people would be connecting from and tried to make sure that the resources we were providing, the connection to the resources, would be as close to them as possible to minimize the impact of that last mile.
We worked with Citrix to put together a set of application delivery controllers into Hong Kong to make sure that the access to the solutons was nice and fast. We then worked to optimize the connection from Hong Kong to Sydney to maximize the user experience.

We worked with Citrix to put together a set of application delivery controllers into Hong Kong to make sure that the access to the solution was nice and fast. Then we worked to optimize the connection back from Hong Kong to Sydney to maximize the user experience for our staff and students.

Gardner: So this has very much been a cloud-enabled solution. You couldn’t have really done this eight or 10 years ago.

Catling: Certainly not this quickly. Literally from putting a call into Citrix, we worked from design to a production environment within seven days. For me, that’s unheard of, really. Regardless of whether it’s 10 years ago or 10 weeks ago, it was quite a monumental effort. It’s highlighted the importance of having partners that both seek to understand the business problems you’re facing and coming up with innovative solutions rapidly and are able to deploy those at scale. And cloud is obviously a really important part of that.
We are still delivering on this solution. We have the capabilities now that we didn’t have a couple of months ago. We’re able to provide applications to students no matter where they are. They’re able to continue their studies.

Obviously, the solution needs to remain flexible to the evolving needs. The situation is changing frequently and we are discovering new needs and new requirements. As our academics start to use the technology in different ways, we’re evolving the solution based on their feedback to try and maximize the experience for both our staff and students.

Gardner: Tim, when you hear Jordan describe this solution, does it strike you as a harbinger of more business continuity things to come? How has the coronavirus issue -- and not just China but in Europe and in North America -- reinforced your idea of what a workplace-enhanced business continuity solution should be?

Business continuity in crisis

Minahan: We continue to field a rising a number of inquiries from customers and other companies. They are trying to assess the best ways to ensure continuity of their business operations and switch to a remote workforce in a very short period of time.

Situations like this remind us that we need to be planning today for any kind of business-ready situation. Using these technologies ensures that you can quickly adapt your work models, moving entire employee groups from an office to a remote environment, if needed, whether it’s because of virus, flood, or any other unplanned event.

What’s exciting for me is being able to use such agile work models and digital workspace technology to arm companies with new sources for growth and competitive advantage.

One good example is we recently partnered with the Center for Economics and Business Research to examine the impact remote work models and technologies have on business and economic growth. We found that 69 percent of people who are currently unemployed or economically inactive would be willing to start working if given the opportunity to work flexibly by having the right technology.

They further estimate that activating these, if you will, untapped pools of talent by enabling these flexible work-from-home models -- especially for parents, workers in rural areas, retirees, part-time, and gig workers, folks that are normally outside of the traditional work pool and reactivating them through digital workspace technologies -- could drive upward of an initial $2 trillion in economic gains across the US economy. So, the investment in readiness that folks are making is now being applied to drive ongoing business results even in non-crisis times.

Gardner: The coronavirus has certainly been leading the headlines recently, but it wasn’t that long ago that we had other striking headlines.

In California last fall, Chris McMasters, the wildfires proved a recurring problem. Tell us about Corona and why adjusting to a very dangerous environment -- but requiring your key employees to continue to work – allowed you to adjust to a major business continuity challenge.

Fighting fire with cloud

McMasters: Corona is like a lot of local governments within the United States. I came from the private sector and have been in the city IT for about four years now. When I first got there, everything was on-premises. Our back-up with literally three miles away on the other side of the freeway.

If there was a disaster and something totaled the city, literally all of our technology assets would be down, which concerned me. I used to work for a national company and we had offices all over and we backed up across the country. So this was a much different environment. Yet we were dealing with public safety, which with police and fire service, 911 service, and they can never go down. Citizens depend on all of that.

That was a wake-up call for me. At that time, we didn’t really have any virtual desktop infrastructure (VDI) going on. We did have server virtualization, but nothing in the cloud. In the government sector, we have a lot of regulation that revolves around the cloud and its security, especially when we are dealing with police and fire types of information. We have to be very careful. There are requirements both from the State of California and the federal government that we have to comply with.

At first, we used a government cloud, which was a little bit slower in terms of innovation because of all the regulations. But that was a first step to understanding what was ahead for us. We started this process about two years ago. At the time, we felt like we needed to push more of our assets to the cloud to give us more continuity.
At the end of the day, we realized we also needed to get the desktops up there, too: Using VDI and the cloud. And at the time, no one was doing that. We went and talked to Citrix on how that would extend to support our environment for public safety. Citrix has been there since day-one.

At the end of the day, we realized we also needed to get the desktops up there, too: Using VDI and the cloud. And at the time, no one was doing that. But we went and talked to Citrix. We flew out to their headquarters, sat with their people, and discussed our initiative, what we are trying to accomplish, and how that would extend out to support our environment for public safety. And that means all of the people out at the edge who actually touch citizens and provide emergency support services.

That was the beginning of the journey and Citrix has been there since day-one. They develop the products around that particular idea for us right up to today.

In the last two years, we’ve had quite a few fires in the State of California. Corona butts right up against the forest line and so we have had a lot of damage done by fires, both in our city and in the surrounding county. And there have been the impacts that occur after fires, too, which include mudslides. We get the whole gamut of that stuff.

But now we find that those first responders have the data to take action. We get the data into their hands quickly, make sure it’s secure on the way there, and we make that continuative so that it never fails. Those are the last people that we want to have fail.
We’ve been able to utilize this type of a platform where our data currently resides in two different datacenters in two different states. It’s on encrypted arrays at rest.

We are operating on a software-defined network so we can look at security from a completely different perspective. The old way was, “Let’s build a moat around it and a big wall, and hopefully no one gets in.” Now, instead we look at it quite differently. Our assets are protected outside of our facilities.

Those personnel riding in fire engines, in police cars, right up at the edge -- they have to be secure right up to that edge. We have to maintain and understand the identity of that person. We need to know what applications they are accessing, or should not be accessing, and be secure all along that path.

This has all changed our outlook on how we deal with things and what a modern-day work environment looks like. The money we use comes from taxes, the people pay, and we provide services for our citizens. The interesting thing about that is we’re now driving toward the idea of government on-demand.

Before, when you would come home, right after a hard day’s work, city hall would be closed. Government was open 8 to 5, when people are normally working. So, when you want to conduct business at city hall, you have to take some time off of work. You try to find one day of the week, or a time when you might sneak in there to get your permits for something and proceed with your business.

But our new idea is different. Most of our services can be provided online for people. If we can do that, that’s fantastic, right? So, you can come home and say, “Hey, you know what? I was thinking about building an addition to my house.” So you go online, file your permits, and submit all of your documents electronically to us.

The difference that VDI provides for our employees is that I can now tap into a workforce of let’s say, a single mother who has a special needs child who can’t work normal hours, but she can work at night. So that person can take that permit, look at that permit at 6 or 7 pm, process the permit, and then at 5 am the next day, that process is done. You wake up in the morning, your permit has been processed by the city and completed. That type of flexibility is integral for us to make government more effective for people.

It’s not the necessarily the public safety support, which we are concerned about. But it’s about also generally providing flexible services for people and making sure government continues to operate.

Gardner:  Tim, it’s interesting that by addressing business continuity issues and disasters we are able to move very rapidly to a government on-demand or higher education on-demand. So, what are some of the larger goals when it comes to workforce agility?

Flexibility extends the business

Minahan: The examples that Chris and Jordan just gave are what excites me about flexible work models, empowered by digital workplace technologies, and the ability to embrace entirely new business models.

I used the example from the Center of Economic Business Research and how to tap into untapped talent pools. Another example of a company using similar technology is eBay. So eBay, like many of their competitors, would build a big call center and hire a bunch of people, train them up, and then one of the competitors will build a call center down the street and steal them away. They would have rapid turnover. They finally said, “Enough is enough, we have to think of a different model.”
eBay used the same approach of providing a secure digital workspace to reach into new talent pools outside of big cities. They could now hire gig workers and re-engage them in the workforce by using a workplace platform to arm them at the edge.

Well, they used the same approach of providing a secure digital workspace to reach into new talent pools outside of big cities. They could now hire gig workers, stay-at-home parents, etc., and re-engage them in the workforce by using the workplace platform to arm them at the edge and provide a service that was formally only provided in a big work hub, a big call center.

They went from having zero home force workers to 600 by the end of last year, and they are on a path to 4,000 by the end of this year. eBay solved a big problem, which is providing support for customers. How do I have a call center in a very competitive market? Well, I turn the tables and create new pools of talent, using technology in an entirely different way.

Gardner: Jordan, now that you’ve had help from organizations like Citrix to deal with your tough issue of students stuck in China, or other areas where there’s a quarantine, are you going to take that innovation and use it in other ways? Is this a gift that keeps giving?

Catling: It’s a really interesting question. What it’s demonstrated to me is that, as technologists, we need to be working with all of our people across the organization to understand their needs and to provide the right tools, but not necessarily to be prescriptive in how they are used. This current coronavirus situation has demonstrated to us that a combination of just a few tools -- for example, the Citrix platform, Zoom, Echo, and Canvas -- means a very different thing to one person than to another person.

There’s such large variability in the way that education is delivered across the university, across so many disciplines, that it becomes about providing a flexible set of tools that all of our people can use in different and exciting ways. That extends not only to the current situation but to more normal times.

If we can provide the right toolset that’s flexible and meets the users where they are, and also make sure that the solutions provide a natural experience, that’s when you are really geared up well for success. The technology kind of fades into the background and becomes a true enabler of the bright minds across the institution.

Gardner: Chris, now that you’re able to do more with virtual desktops and delivering data regardless of the circumstances to your critical workers as well as to your citizens, what’s the next step?

Can you add a layer of intelligence rather than just being about better feeds and speeds? What comes next, and how would Citrix help you with that?

Intelligence improves government

McMasters: We’re neck deep in data analytics and in trying to understand how we can make impacts correctly by analyzing data. So adding artificial intelligence (AI) on top of those layers, understanding utilization of our resources, is the amazing part of where we’re going.

There’s so much unused hardware and processing power tied up in our normal desktop machines. Being able to disrupt that and flip it up on its end is a fundamental change in how government operates. This is literally turning it on-end. I mean, AI can impact all the way down to how we do helpdesk, how it minimizes our response times and turnaround times, to increased productivity, and in how we service 160,000 people in my city. All of that changes.

Already I’m saving hundreds of thousands of dollars by using the cloud and VDI models and at the same time increasing all my service levels across the board. And now we can add this layer of business continuity to it, and that’s before we start benefitting from predictive AI and using data to determine asset utilization.
Moving from a CAPEX model to this OPEX model for government is something very new, it’s something that public sector or a private sector has definitely capitalized on and I think public sector is ripe for doing that. So for us, it’s changing everything, including our budget, how we deliver services, how we do helpdesk support, and on to the ways that we’re assessing our assets and leveraging citizens’ tax dollars correctly.

Gardner: Tim, organizations, both public and private sector, get involved with these intelligent workspaces in a variety of ways. Sometimes it might be a critical issue such as business continuity or a pandemic.

But ultimately, as Chris just mentioned, this is about digital business transformation. How are you able to take whatever on-ramp organizations are getting into an intelligent workspace and then give them more reasons to see ongoing productivity? How is this something that has a snowball effect on productivity?

AI, ML works with you

Minahan: Chris hit the nail on the head. Certainly, the initial on-ramps to digital workspace provides employees with unified and secure access to everything they need to be productive and in one experience. That means all of their apps, all of their content, regardless of where that’s stored, regardless of what device they’re accessing it from and regardless of where they’re accessing it from.

However, it gets really exciting when you go beyond that foundation of unified experience in a secure environment toward infusing things like machine learning (ML), digital assistants, and bots to change the way that people work. They can newly extract out some of the key insights and tasks that they need to do and offer them up to employees in real-time in a very personalized way. Then they can quickly take care of those tasks and the things they need to remove that noise from their day, and even guide them toward the right next steps to take to be even more productive, more engaged, and do much more innovative and creative work.

So, absolutely, AI and ML and the rise of bots are the next phase of all of this, where it’s not just a place you go to launch apps and work securely, but a place where you go to get your very best work done.

Gardner: Jordan, you were very impressively able to get more than 14,000 students to continue their education regardless of what Mother Nature threw at them. And you were able to do it in seven days. For those organizations that don’t want to be caught under such circumstances, that want to become proactive and prepared, what lessons have you have learned in your most recent journey that you can share with them? How can they be better positioned to combat any unfortunate circumstances they might face?

Prioritize when and how you work

Catling: It’s almost becoming cliché to say, but work is something that you do -- it’s not a place anymore. So when we’re looking at and assessing tools for how we support the university, we’re focusing on taking a cloud-first approach where it doesn’t matter where a student or staff member is. They have access to all the resources they need on-demand. That’s one of the real guiding principles we should be using in our decision-making process.

Scalability is also a very important thing to us. The nature of the way that education is delivered today with an on-campus model is that demand is very peaky. We need to be mindful of how scalable and rapidly scalable a solution can be. That’s important to consider, particularly in the higher education context. How quickly can you scale up and down your environments to meet varying demands?
We can use the Citrix platform in many different ways. It's not only for us to provide applications out to students to complete coursework. It can also be used for providing secure access to data and workspaces.

Also, it’s important to consider the number of flexible ways that each of the technology products you choose can be used. For example, with the Citrix platform we can use it in many different ways. It’s not only for us to provide applications out to students to complete their coursework. It can also be used for providing secure access to data and to workspaces. There are so many different ways it can be extended, and that’s a real important thing when deciding which platform to use.

The final really important takeaway for us has been the establishment of true partnerships. We’ve had extremely good support from our partners, such as Citrix and Zoom, where they very rapidly sought to understand and work with us to solve the unique business problems that we’re facing. The real, true partnership is not one of just providing products, but of really sitting down shoulder-to-shoulder, trying to understand, but also suggesting ways to use a technology we may not be thinking of -- or maybe it’s never been done before.

As Chris mentioned earlier, virtual desktops in the cloud weren’t a big thing that many years ago. About a decade ago, we began working with Citrix to provide streams of desktops to physical devices across campus.

That was something -- that was a very unusual use of technology. So I think that the partnership is very important and something that organizations should develop and be ready to use. It goes in both directions at all times.

Gardner: Chris, now that you have, unfortunately, dealt with these last few harsh wildfire seasons in Southern California, what lessons have you learned? How do you make yourselves more like local government on demand?

Public-private partnerships

McMasters: That’s a big question. For us, we looked at breaking some of the paradigms that exist in government. They don’t have the same impetus to change as in the private sector. They are less willing to take risks. However, there are ways to work with vendors and partners to mitigate a lot of that risk, ways to pilot and test cutting-edge technologies that don’t put you at risk as you push these things out.

There are very few vendors that I would consider such partners. I probably can count them on one hand in total, and the interesting thing is that when we were selecting a vendor for this particular project, we were looking for a true partner. In our case, it was Citrix and Microsoft who came to the table. And when I look back at what’s happened in our relationship with those two in particular, I couldn’t ask for anything better.
We have literally had technicians, engineers, everyone on-site, on the phone every step of the way as we have been developing this. They took a lot of the risk out for us, because we are dealing with public dollars and we need to make sure these projects work. To have that level of comfort and stability in the background and knowing that I can rely on these people was huge. It’s what allowed us to develop to where we are today, which is far advanced in the government world.

That’s where things have to change. This kind of public-private partnership is what the public sector needs to start maturing. It’s bidirectional; it goes both ways. There is a lot of information that we offer to them; there is a lot of things they do for us. And so it goes back and forth as we develop this through this product cycle. It’s advantageous for both of us to be in it.

That’s where sometimes, especially in the public sector, we lose focus. They don’t understand what the private sector wants and what they are moving toward. It’s about being aligned on both sides of that equation -- and it benefits both parties.

Technology is going to change, and it just keeps driving faster. There’s always another thing around the corner, but building these types of partnerships with vendors and understanding what they want helps them understand what you want, and then be able to deliver.

Gardner: Tim, how should businesses better work with vendor organizations to prepare themselves and their workers for a flexible future?

Minahan: First off, I would echo Chris’s comments. We all want government on-demand. You need a solution like that. But how they should work together? There are two great examples here in The University of Sydney and the City of Corona.

It really starts by listening. What are the problems we are trying to solve in planning for the future? How do we create a digitally agile organization and infrastructure that allows us to pursue new business opportunities, and just as easily ensure business continuity? So start by listening, map out a joint roadmap together and innovate toward that.

We are collectively as an industry constantly looking to innovate, constantly looking to leverage new technologies to drive business outcomes -- whether those are for our citizens, students, or clientele. Start by listening, doing joint and co-development work, and constantly sharing that innovation with the rest of the market. It raises all boats.

Gardner: I’m afraid we’ll have to leave it there. You have been listening to a sponsored BriefingsDirect discussion on how business continuity measures have evolved on a dime to meet serious new challenges. And we have learned how true business continuity means enabling all employees to always work in a safe secure manner no matter where they find themselves or why. When you do this right, it is the gift that keeps giving and allows for many more digital transformation benefits to unfold.

So a big thank you to our guests, Chris McMasters, CIO at City of Corona, California. Thank you so much, Chris.

McMasters: Thank you.

Gardner: We have also been here with Jordan Catling, Associate Director of Client Technology at The University of Sydney in Australia. Thank you so much, Jordan.

Catling: Thank you.

Gardner: And thank you so much, Tim Minahan, Executive Vice President of Strategy and Chief Marketing Officer at Citrix.

Minahan: Thanks, Dana! Always a pleasure.

Gardner: And a big thank you lastly to our audience for joining this BriefingsDirect Business Continuity Innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Citrix-sponsored BriefingsDirect discussions.

Thanks again for listening, please pass this along to your business associates, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Citrix.

Transcript of a discussion on how companies and communities alike are adjusting to a variety of workplace threats using new ways of enabling enterprise-class access and distribution of vital data resources and applications. Copyright Interarbor Solutions, LLC, 2005-2020. All rights reserved.

You may also be interested in:

Friday, March 06, 2020

As Containers Go Mainstream, IT Culture Should Pivot to End-to-End DevSecOps

A discussion on the escalating benefits from secure and robust container use and how security concerns need to be addressed early and often across the new end-to-end container deployment spectrum.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett Packard Enterprise.

Dana Gardner: Hello, and welcome to the next edition of the BriefingsDirect Voice of Innovation podcast series.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on the latest insights into modern IT deployment architecture strategies.

Container-based deployment models have rapidly gained popularity from cloud models to corporate data centers. IT operators are now looking to extend the benefits of containers to more use cases, including the computing edge.

Yet in order to push containers further into the mainstream, security concerns need to be addressed across this new end-to-end container deployment spectrum -- and that means security addressed during development and employment under the rubric of DevSecOps best practices.

Stay with us now as we examine the escalating benefits that come from secure and robust container use with our guest, Simon Leech, Worldwide Security and Risk Management Practice at Hewlett Packard Enterprise (HPE) Pointnext Services. Welcome, Simon.

Simon Leech: Hey, Dana. Good afternoon.

Gardner: Simon, are we at an inflection point where we’re going to see containers take off in the mainstream? Why is this the next level of virtualization?

Mainstream containers coming

Leech: We are certainly seeing a lot of interest from our customers when we speak to them about the best practices they want to follow in terms of rapid application development.
One of the things that always held people back a little bit with virtualization was that you are always reliant on an operating system (OS) managing the applications that sit on top of that OS in managing the application code that you would deploy to that environment.

But what we have seen with containers is that as everything starts to follow a cloud-native approach, we start to deal with our applications as lots of individual microservices that all communicate integrally to provide the application experience to the user. It makes a lot more sense from a development perspective to be able to address the development in these small, microservice-based or module-based development approaches.

So, while we are not seeing a massive influx of container-based projects going into mainstream production at the moment, there are certainly a lot of customers testing their toes in the water to identify the best possibilities to adopt and address container use within their own application development environments.

Gardner: And because we saw developers grok the benefits of containers early and often, we have also seen them operate within a closed environment -- not necessarily thinking about deployment. Is now the time to get developers thinking differently about containers -- as not just perhaps a proof of concept (POC) or test environment, but as ready for the production mainstream?

Leech: Yes. One of the challenges I have seen with what you just described is a lot of container projects start as a developer’s project behind his laptop. So the developer is going out there, identifying a container-based technology as something interesting to play around with, and as time has gone by has realized he can actually make a lot of progress by developing his applications using a container-based architecture.
This is often done under the radar of management. one of the things we are discussing with customers as we address DevSecOps and DevOps is to make sure you get buy-in from the executive team and enable top-down integration.

What that means from an organizational perspective is that this is often done under the radar of management. One of the things we are discussing with our customers as we go and talk about addressing DevSecOps and DevOps initiatives is to make sure that you do get that buy-in from the executive team and so you can start to enable some top-down integration.

Don’t just see containers as a developer’s laptop project but look at it broadly and understand how you can integrate that into the overall IT processes that your organization is operating with. And that does require a good level of buy-in from the top.

Gardner: I imagine this requires a lifecycle approach to containers thinking -- not just about the development, but in how they are going to be used over time and in different places.

Now, 451 Research recently predicted that the market for containers will hit $2.7 billion this year. Why do you think that the IT operators -- the people who will be inheriting these applications and microservices -- will also take advantage of containers? What does it bring to their needs and requirements beyond what the developers get out of it?

Quick-change code artists

Leech: One of the biggest advantages from an operational perspective is the ability to make fast changes to the code you are using. So whereas in the traditional application development environment, a developer would need to make a change to some code and it would involve requesting a downtime to be able to update the complete application, with a container-based architecture, you only have to update parts of the architecture.
So, it allows you to make many more changes than you previously would have been able to deliver to the organization -- and it allows you to address those changes very rapidly.

Gardner: How does this allow for a more common environment to extend across hybrid IT -- from on-premises to cloud to hybrid cloud and then ultimately to the edge?

Leech: Well, applications developed in containers and developed within a cloud-native approach typically are very portable. So you don’t need to be restricted to a particular version or limits, for example. The container itself runs on top of any OS of the same genre. Obviously, you can’t run a Windows container on top of a Linux OS, or vice versa.

But within the general Linux space that pretty much has compatibility. So it makes it very easy for the containers to be developed in one environment and then released into different environments.

Gardner: And that portability extends to the hyperscale cloud environments, the public cloud, so is there a multi-cloud extensibility benefit?

Leech: Yes, definitely. You see a lot of developers developing their applications in an on-premises environment with the intention that they are going to be provisioned into a cloud. If they are done properly, it shouldn’t matter if that’s a Google Cloud Platform instance, a Microsoft Azure instance, or Amazon Web Services (AWS).

Gardner: We have quite an opportunity in front of us with containers across the spectrum of continuous development and deployment and for multiple deployment scenarios. What challenges do we need to think about to embrace this as a lifecycle approach?

What are the challenges to providing security specifically, making sure that the containers are not going to add risk – and, in fact, improve the deployment productivity of organizations?

Make security a business priority 

Leech: When I address the security challenges with customers, I always focus on two areas. The first is the business challenge of adopting containers, and the security concerns and constrains that come along with that. And the second one is much more around the technology or technical challenges.

If you begin by looking at the business challenges, of how to adopt containers securely, this requires a cultural shift, as I already mentioned. If we are going to adopt containers, we need to make sure we get the appropriate executive support and move past the concept that the developer is doing everything on his laptop. We train our coders on the needs for secure coding.
A lot of developers are not trained as security specialists. It makes sense to put a program into place that trains coders to think more about security, especially in a container environment where you have fast release cycles.

A lot of developers have as their main goal to produce high-quality software fast, and they are not trained as security specialists. It makes a lot of sense to put an education program into place, that allows you to train those internal coders so that they understand the need to think a little bit more about security -- especially in a container environment where you have fast release cycles and sometimes the security checks get missed or don’t get properly instigated. It’s good to start with a very secure baseline.

And once you have addressed the cultural shift, the next thing is to think about the role of the security team in your container development team, your DevOps development teams. And I always like to try and discuss with my customers the value of getting a security guy into the product development team from day one.

Often, we see in a traditional IT space that the application gets built, the infrastructure gets designed, and then the day before it’s all going to go into production someone calls security. Security comes along and says, “Hey, have you done risk assessments on this?” And that ends up delaying the project.

If you introduce the security person into the small, agile team as you build it to deliver your container development strategy, then they can think together with the developers. They can start doing risk assessments and threat modeling right from the very beginning of the project. It allows us to reduce delays that you might have with security testing.

At the same time, it also allows us to shift our testing model left in a traditional waterfall model, where testing happens right before the product goes live. But in a DevOps or DevSecOps model, it’s much better to embed the security, best practices, and proper tooling right into the continuous integration/continuous delivery (CI/CD) pipeline.

The last point around the business view is that, again, going back to the comment I made earlier, developers often are not aware of secure coding and how to make things secure. Providing a secure-by-default approach -- or even a security self-service approach – allows developers to gain a security registry, for example. That provides known good instances of container images or provides infrastructure and compliance code so that they can follow a much more template-based approach to security. That also pays a lot of dividends in the quality of the software as it goes out the door.

Gardner: Are we talking about the same security precautions that traditional IT people might be accustomed to but now extending to containers? Or is there something different about how containers need to be secured?

Updates, the container way 

Leech: A lot of the principles are the same. So, there’s obviously still a need for network security tools. There’s still a need to do vulnerability assessments. There is still a need for encryption capabilities. But the difference with the way you would go about using technical controls to protect a container environment is all around this concept of the shared kernel.

An interesting white paper has been released by the National Institute of Standards and Technology (NIST) in the US, SP 800-190, which is their Application Container Security Guide. And this paper identifies five container security challenges around risks with the images, registry, orchestrator, the containers themselves, and the host OS.

So, when we’re looking at defining a security architecture for our customers, we always look at the risks within those five areas and try to define a security model that protects those best of all.
One of the important things to understand when we’re talking about securing containers is that we have a different approach to the way we do updates. In a traditional environment, we take a gold image for a virtual machine (VM). We deploy it to the hypervisor. Then we realize that if there is a missing patch, or a required update, that we roll that update out using whatever patch management tools we use.

In a container environment, we take a completely different approach. We never update running containers. The source of your known good image is your registry. The registry is where we update containers, have updated versions of those containers, and use the container orchestration platform to make sure that next time somebody calls a new container that it’s launched from the new container image.

It’s important to remember we don’t update things in the running environment. We always use the container lifecycle and involve the orchestration platform to make those updates. And that’s really a change in the mindset for a lot of security professionals, because they think, “Okay, I need to do a vulnerability assessment or risk assessment. Let me get out my Qualys and my Rapid7,” or whatever, and, “I’m going to scan the environment. I’m going to find out what’s missing, and then I’m going to deploy patches to plug in the risk.”

So we need to make sure that our vulnerability assessment process gets built right into the CI/CD pipeline and into the container orchestration tools we use to address that needed change in behavior.

Gardner: It certainly sounds like the orchestration tools are playing a larger role in container security management. Do those in charge of the container orchestration need to be thinking more about security and risk?

Simplify app separation 

Leech: Yes and no. I think the orchestration platform definitely plays a role and the individuals that use it will need to be controlled in terms of making sure there is good privileged account management and integration into the enterprise authentication services. But there are a lot of capabilities built into the orchestration platforms today that make the job easier.

One of the challenges we’ve seen for a long time in software development, for example, is that developers take shortcuts by hard coding clear text passwords into the text, because it’s easier. And, yeah, that’s understandable. You don’t need to worry about managing or remembering passwords.

But what you see a lot of orchestration platforms offering is the capability to deliver sequence management. So rather than storing the passcode in within the code, you can now request the secret from the secrets management platform that the orchestration platform offers to you.
Orchestration tools give you the capability to separate container workloads for differing sensitivity levels. This provides separation between the applications without having to think too much about it.

These orchestration tools also give you the capability to separate container workloads for differing sensitivity levels within your organization. For example, you would not want to run containers that operate your web applications on the same physical host as containers that operate your financial applications. Why? Because although you have the capability with the container environment using separate namespaces to separate the individual container architectures from one another, it’s still a good security best practice to run those on completely different physical hosts or in a virtualized container environment on top of different VMs. This provides physical separation between the applications. Very often the orchestrators will allow you to provide that functionality within the environment without having to think too much about it.

Gardner: There is another burgeoning new area where containers are being used. Not just in applications and runtime environments, but also for data and persistent data. HPE has been leading the charge on making containers appropriate for use with data in addition to applications.

How should the all-important security around data caches and different data sources enter into our thinking?

Save a slice for security 

Leech: Because containers are temporary instances, it’s important that you’re not actually storing any data within the container itself. At the same time, as importantly, you’re not storing any of that data on the host OS either.

It’s important to provide persistent storage on an external storage array. So looking at storage arrays, things like from HPE, we have Nimble Storage or Primera. They have the capability through plug-ins to interact with the container environment and provide you with that persistent storage that remains even as the containers are being provisioned and de-provisioned.

So your container itself, as I said, doesn’t store any of the data, but a well-architected application infrastructure will allow you to store that on a third-party storage array.

Gardner: Simon, I’ve had an opportunity to read some of your blogs and one of your statements jumped out … “The organizational culture still lags behind when it comes to security.” What did you mean by that? And how does that organizational culture need to be examined, particularly with an increased use of containers?

Leech: It’s about getting the security guys involved in the DevSecOps projects early on in the lifecycle of that project. Don’t bring them to the table toward the end of the project. Make them a valuable member of that team. There was a comment made about the idea of a two-pizza team.

A two-pizza team means a meeting should never have more people in it than can be fed by two pizzas and I think that that applies equally to development teams when you’re working on container projects. They don’t need to be big; they don’t need to be massive.

It’s important to make sure there’s enough pizza saved for the security guy! You need to have that security guy in the room from the beginning to understand what the risks are. That’s a lot of where this cultural shift needs to change. And as I said, executive support plays a strong role in making sure that that happens.

Gardner: We’ve talked about people and process. There is also, of course, that third leg of the stool -- the technology. Are the people building container platforms like HPE thinking along these lines as well? What does the technology, and the way it’s being designed, bring to the table to help organizations be DevSecOps-oriented?

Select specific, secure solutions 

Leech: There are a couple of ways that technology solutions are going to help. The first are the pre-production commercial solutions. These are the things that tend to get integrated into the orchestration platform itself, like image scanning, secure registry services, and secrets management.

A lot of those are going to be built into any container orchestration platform that you choose to adopt. There are also commercial solutions that support similar functions. It’s always up to an organization to do a thorough assessment of whether their needs can be met by the standard functions in the orchestration platform or if they need to look at some of the third-party vendors in that space, like Aqua Security or Twistlock, which was recently acquired by Palo Alto Networks, I believe.
No single solution covers all of an enterprise's requirements. It's a task to assess security shortcomings, what products you need, and then decide who will be the best partner for those total solutions.

And then there are the solutions that I would gather up as post-production commercial solutions. These are for things such as runtime protection of the container environment, container forensic capabilities, and network overlay products that allow you to separate your workloads at the network level and provide container-based firewalls and that sort of stuff.

Very few of these capabilities are actually built into the orchestration platforms. They tend to be third parties such as Sysdig, Guardicore, and NeuVector. And then there’s another bucket of solutions, which are more open-source solutions. These typically focus on a single function in a very cost-effective way and are typically open source community-led. And these are solutions such as SonarQube, Platform as a Service (PaaS), and Falco, which is the open source project that Sysdig runs. You also have Docker Bench and Calico, a networking security tool.

But no single solution covers all of an enterprise customer’s requirements. It remains a bit of a task to assess where you have security shortcomings, what products you need, and who’s going to be the best partner to deliver those products with those technology solutions for you.

Gardner: And how are you designing Pointnext Services to fill that need to provide guidance across this still dynamic ecosystem of different solutions? How does the services part of the equation shake out?

Leech: We obviously have the technology solutions that we have built. For example, the HPE Container Platform, which is based around technology that we acquired as part of the BlueData acquisition. But at the end of the day, these are products. Companies need to understand how they can best use those products within their own specific enterprise environments.

I’m part of Pointnext Services, within the advisory and professional services team. A lot of the work that we do is around advising customers on the best approaches they can take. On one hand, we’d like them to purchase our HPE technology solutions, but on the other hand, a container-based engagement needs to be a services-led engagement, especially in the early phases where a lot of customers aren’t necessarily aware of all of the changes they’re going to have to make to their IT model.

At Pointnext, we deliver a number of container-oriented services, both in the general container implementation area as well as more specifically around container security. For example, I have developed and delivered transformation workshops around DevSecOps.

We also have container security planning workshops where we can help customers to understand the security requirements of containers in the context of their specific environments. A lot of this work is based around some discovery we’ve done to build our own container security solution reference architecture.

Gardner: Do you have any examples of organizations that have worked toward a DevSecOps perspective on continuous delivery and cloud native development? How are people putting this to work on the ground?

Edge elevates container benefits 

Leech: A lot of the customers we deal with today are still in the early phases of adopting containers. We see a lot of POC engagement where a particular customer may be wanting to understand how they could take traditional applications and modernize or architect those into cloud-native or container-based applications.

There’s a lot of experimentation going on. A lot of the implementations we see start off small, so the customer may buy a single technology stack for the purpose of testing and playing around with containers in their environment. But they have intentions within 12 to 18 months of being able to take that into a production setting and reaping the benefits of container-based deployments.

Gardner: And over the past few years, we’ve heard an awful lot of the benefits for moving closer to the computing edge, bringing more compute and even data and analytics processing to the edge. This could be in a number of vertical industries, from autonomous vehicles to manufacturing and healthcare.
But one of the concerns, if we move more compute to the edge, is will security risks go up? Is there something about doing container security properly that will make that edge more robust and more secure?

Leech: Yes, a container project done properly can actually be more secure than a traditional VM environment. This begins from the way you manage the code in the environment. And when you’re talking about edge deployments, that rings very true.

From the perspective of the amount of resources it has to use, it’s going to be a lot lighter when you’re talking about something like autonomous driving to have a shared kernel rather than lots of instances of a VM running, for example.

From a strictly security perspective, if you deal with container lifecycle management effectively, involve the security guys early, have a process around releasing, updating, and retiring container images into your registry, and have a process around introducing security controls and code scanning in your software development lifecycle -- making sure that every container that gets released is signed with an appropriate enterprise signing key -- then you have something that is very repeatable, compared with a traditional virtualized approach to application and delivery.

That’s one of the big benefits of containers. It’s very much a declarative environment. It’s something that you prescribe … This is how it’s going to look. And it’s going to be repeatable every time you deploy that. Whereas with a VM environment, you have a lot of VM sprawl. And there are a lot of changes across the different platforms as different people have connected and changed things along the way for their own purposes.

There are many benefits with the tighter control in a container environment. That can give you some very good security benefits.

Gardner: What comes next? How do organizations get started? How should they set themselves up to take advantage of containers in the right way, a secure way?

Begin with risk evaluation 

Leech: The first step is to do the appropriate due diligence. Containers are not going to be for every application. There are going to be certain things that you just can’t modernize, and they’re going to remain in your traditional data center for a number of years.

I suggest looking for the projects that are going to give you the quickest wins and use those POCs to demonstrate the value that containers can deliver for your organization. Make sure that you do appropriate risk awareness, work with the services organizations that can help you. The advantage of a services organization is they’ve probably been there with another customer previously so they can use the best practices and experiences that they have already gained to help your organization adopt containers.

Just make sure that you approach it using a DevSecOps model. There is a lot of discussion in the market at the moment about it. Should we be calling it DevOps or should we call it SecDevOps or DevOpsSec? My personal opinion is call it DevSecOps because security in a DevSecOps module sits right in the middle of development and operations -- and that’s really where it belongs.
In terms of assets, there is plenty of information out there in a Google search; it finds you a lot of assets. But as I mentioned earlier, the NIST White Paper SP 800-190 is a great starting point to understand not only container security challenges but also to get a good understanding of what containers can deliver for you.

At the same time, at HPE we are also committed to delivering relevant information to our customers. If you look on our website and also our enterprise.nxt blog site, you will see a lot of articles about best practices on container deployments, case studies, and architectures for running container orchestration platforms on our hardware. All of this is available for people to download and to consume.

Gardner: I’m afraid we will have to leave it there. We have been exploring how container-based deployment models have gained popularity -- from cloud models to corporate data centers. And we have learned how, in order to push containers further into the mainstream security concerns need to be addressed across this new end-to-end container deployment spectrum.

So please join me in thanking our guest, Simon Leech, Worldwide Security and Risk Management Practice at HPE Pointnext Services. Thank you so much, Simon.

Leech: Thanks for having me.

Gardner: I learned a lot. And thanks as well to our audience for joining this sponsored BriefingsDirect Voice of Innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE-supported discussions.

Thanks again for listening. Please pass this along to your IT community, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett Packard Enterprise.

A discussion on the escalating benefits from secure and robust container use and how security concerns need to be addressed early and across the new end-to-end container deployment spectrum. Copyright Interarbor Solutions, LLC, 2005-2020. All rights reserved.

You may also be interested in: