Friday, October 01, 2021

Traceable AI Platform Builds Usage Knowledge that Detects and Thwarts API Vulnerabilities

Transcript of a discussion on a new platform designed from the ground up to define, manage, secure, and optimize the API underpinnings for so much of what drives today’s digital business.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable AI.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

The rapidly expanding use of application programming interfaces (APIs) to accelerate application development and advanced business services has created a vast constellation of interrelated services -- now often called the API Economy.

Yet the speed and complexity of this API adoption spree has largely outrun the capability of existing tools and methods to keep tabs on the services topology -- let alone keep these services secure and resilient.

Stay with us as we explore a new platform designed from the ground up specifically to define, manage, secure, and optimize the API underpinnings for so much of what drives today’s digital business.

To learn more about how Traceable AI aims to make APIs reach their enormous potential safely and securely, please welcome Sanjay Nagaraj, Chief Technology Officer (CTO) and Co-Founder at Traceable AI. Welcome, Sanjay.

Sanjay Nagaraj: Thanks, Dana, for having me.

Gardner: Why is addressing API security different from the vulnerabilities of traditional applications and networks? Why do we need a different way to head off API vulnerabilities?

Nagaraj: If you compare this to the analogy of protecting a house, previously there was a single house with a single door. You only had to protect that door to block someone from coming into the house. It was a lot easier.

Nagaraj

Now, you have to multiply that because there are many rooms in the house, each with an open window. That means an attacker can come in through any of these windows, rather than only through a single door to the house.

To extend the analogy across the API economy, most businesses today are API-driven businesses. They expose APIs. They also use third-party libraries that connect to even more APIs. All of these APIs are powering the business but are also interacting with both internal and third-party APIs.

APIs and services are everywhere. The microservices are developed to power an entire application, which is then powering a business. That’s why it is getting so complex compared to what used to be a typical network security or a basic application security solution. Before, you would take care of the perimeter for a particular application and secure the business. Now, that extends to all these services and APIs. 

And when you look at network security, that operated at a different layer. It used to be more static. You therefore had a good understanding of how the network was set up and where the different application components were deployed.

Nowadays, with rapidly changing services coming online all the time, and APIs coming online all the time, there is no single perimeter. In this complex world, where it is all APIs across the board, you must take into consideration more aspects to understand the security risks for your APIs, and -- in turn -- what your business risks are. Business is riskier when it comes to today’s security.

Because it’s so very complex, the older security solutions can’t keep up. We at Traceable AI choose to take care of security by looking at the data that comes in as part of the calls hitting the URLs. We take into consideration more context to detect whether something is an attack or some anomaly that is not necessarily malicious but may be a reconnaissance-type of attack.

All of these issues mean we need more sophisticated solutions that frankly the industry hasn’t caught up to even though developer and development, security, and operations (DevSecOps) advances have moved a lot faster. 

Gardner: And, of course, these are business-critical services. We’re talking about mission-critical data moving among and between these APIs, in and out of organizations and across their perimeters. With such critical data at hand, the reputation of your business is at stake because you could end up in a headline tomorrow.

Data is everywhere, exposed

Nagaraj: Exactly. At the end of the day, APIs are exposing data to their business users. That means the data flowing through might be part of the application, or it might be from another business-to-business API. You might be taking the user’s data and pushing it to a third-party service.

We’ve all seen the attacks on very sophisticated technology companies. These are very hard problems. As a developer myself, I can tell you what keeps me up most of the time: Am I doing the right thing when it comes to the functionality of my application? Am I doing the right thing when it comes to the overall quality of it? Am I doing the right thing when it comes to delivering the right kind of performance? Am I meeting the performance expectations of my users?

We've all seen the attacks on very sophisticated technology companies. These are very hard problems. As a developer myself, I can tell you what keeps me up most of the time: Am I doing the right thing when it comes to the functionality of my application?

What do I, as a developer, think about the security of every single API that I’m writing? At the end of the day, it’s about the data that is getting exposed through these APIs. It’s important now to understand how this data is getting used. How is this data getting passed around through internal services and third-party APIs? That’s where the risk associated with your API is.

Gardner: Given that we have a different type of security problem to solve, what was your overarching vision for making APIs both powerful and robust? What is it in your background that helped you get to this vision of how the world should be?

Nagaraj: If you dial back the clock for myself and Jyoti Bansal, my co-founder at Traceable, we built the company AppDynamics, which was on the forefront of helping developers and DevOps teams understand their applications’ performance. When that product started, there was a basic understanding of how applications performed and were delivered to the customers. Over time, we started to think about this in a different way. One of the goals at AppDynamics was to understand applications from the ground up. You had to understand how these applications with their modules and sub-modules, and with the sub-services, were interacting with each other.

Learn More 

A basic understanding was required to learn if the end-user experience was being delivered with the expected performance. That gave rise to application performance management (APM) in terms of a fuller understanding of an application’s underlying performance itself.

From an AppDynamics’ perspective, it was very important for us to know how the services were impacting each other. That means when a call gets made from service A to service B, you should understand how much time was consumed on the call and what was happening between the two, as well as how much time was spent within the service, between the services, and how much total time was spent delivering the data back to the user.

This is all in the performance context. But one of the key things we clearly knew as we started Traceable AI was that APIs were exploding. As we talked about with the API Economy, every one of the customers Traceable started to talk to asked us about more than just the performance aspects of APIs. They also wanted to know whether these APIs and applications were secure. That’s where they were having a difficult time. As much as developers like to make sure that APIs are secure, they are unable to do it simply because they don’t understand what goes into securing APIs.

That’s when we started to think about how to bring some of the learning we had in the past around application performance for developers and DevOps teams, and bring that to an understanding of APIs and services. We had to think about application security in a new way.

We started Traceable AI to find the best way to understand applications and the interactions of the applications, as well as understanding the uses. The way to do it was the technology built over the last decade for distributed tracing. By helping us trace the calls from one service to another, we were able to tap the data flowing through the services to understand the context of the data and services.

From the context and the data, you can learn who the users of these APIs are, what type of data is flowing, and which APIs are interacting with each other. You can see which APIs are getting called as part of a single-user session, for example, and from which third-party APIs the data is being pulled from or pushed to.

This overall context is what we wanted to understand. That’s where we started, and we built on the existing tracing technology to deliver an open-source platform, called Hypertrace. Developers can easily use it for all kinds of tracing use cases, including performance. We have quite a few customers that have started to use it as an open-source resource.

But the goal for us was to use that distributed tracing technology to solve application security challenges. It all starts with so many customers saying, “Hey, I don’t even know where my APIs exist. Developers seem to be pushing out a lot of APIs, and we don’t understand where these APIs are. How are they impacting our overall business in terms of security? What if some of these things get exposed, what happens then? If you must do a forensic analysis of these, what happens then?”

See it to secure it with tracing

We said, “Let’s use this technology to understand the applications from the ground up, detect all these APIs from the ground up.” If the customers don’t understand where the APIs exist, and what the purpose of these APIs are, then they won’t be able to secure them. For us, the basic concept was bringing the discovery of these applications and APIs into focus so that customers can understand it. That’s the vision of where we started.

Then, based on that, we said, “Once they discover and understand what APIs they have, let’s go further to understand what the normal behavior of these APIs are.”

Once APIs are published there are tools to document those APIs in the form of an OpenAPI or a Swagger spec. But if you talk to most enterprises, there are rarely maintained records of those things. What developers do very well is ship code. They ship good functionality; they try to ship bug-free code that performs well.

But, at the same time, the documentation aspects of it are where it gets weak because they’re continuously shipping. Because the code is changing continuously, from a continuous integration/continuous delivery (CI/CD) perspective, the developers are not able to continuously keep the spec documentation up-to-date, especially as it continuously gets deployed and redeployed into production.

The whole DevSecOps movement needs to come together so the security practitioners are embedded with the developer and DevOps teams. That means the security folks have to have a continuous understanding of the security practices to ensure the APIs that are coming online are understood.

The whole DevSecOps movement needs to come together so the security practitioners are embedded with the developer and DevOps teams. That means the security folks have to have a continuous understanding of the security practices to ensure the APIs that are coming online continuously are understood.

Our customers now also are expecting our solution to help them automate these things. They want to automatically understand the risks of APIs -- which APIs should be blocked from being deployed into production and which APIs should be monitored more. There needs to be a cycle of observing these APIs on a continuous basis. It’s very, very critical.

From our perspective, once we build this ongoing understanding of the APIs – as we discover and build an understanding of the APIs – we then want to protect those APIs before they get into production.

The inability to properly protect these APIs is not because some small company doesn’t have the technology skills or the proper engineering. It’s not about developers not having the right kind of training. We are talking about capable companies like Facebook, Shopify, and Tesla. These are technology-rich companies that are still having these issues because the APIs are continuously evolving. And there are still siloed pieces of development. That means in some cases they might understand the dependencies of the services, but in a lot of cases they don’t fully understand the dependencies and the security implications because of those dependencies.

This reality exposes a lot of different types of attacks, such as business logic attacks, as you and Jyoti talked about in your previous conversations. We know why those are very, very critical, right?

Learn More 

How do you protect against these business logic vulnerabilities? The API discovery and understanding the API risk are very key. Then, on top of those, the protection aspects are very, very key. So, that was where we started. This is part of the vision that we have built out.

Because of the way our new platform has been built, we enable all these understandings. We want to expose these understandings to our customers so they can go and hunt for different types of attacks that may be lurking. They can also use and analyze this information not just for heading off prospective attacks but to help influence all the different types of development and security activities.

This was the vision we began with. How do you bring observability into application security? That’s what we built. We help evolve their overall application security practices.

Gardner: In now understanding your vision, and to avoid a firehose of data and observations, how did you design the Traceable platform to attain automation around API intelligence? How did you make API observability a value that scales?

Continuous comprehension

Nagaraj: One of the key aspects of building a solution is to not just throw data at your customers. That means you’re correcting the data; you’re not just presenting a data lake and asking them to slice and dice and analyze it using manual processes. The goal from the get-go for us was to understand the APIs and to categorize them in useful ways.

That means we must understand which APIs are external-facing, which are internal-facing, and where the sensitive data is. What amount and type of sensitive data is getting carried through these APIs? Who are the users of these APIs? What roles do they have with an API?

We are also building a wealth of insights into how the APIs themselves behave. This helps our customers know what to focus on. It is not just about the data. Data forms a basis for all these other insights. It’s not about presenting the data to the customers and saying, “Hey, go ahead and figure things out yourself.” 

We bring insights that enable the security and operations teams -- along with the developers and DevSecOps teams -- to know what security aspects to focus on. That was a key principle we started to build the product on.

The second principle is that we know the security and operations teams are very swamped. Most of the time they are under-resourced in terms of the right people. It was therefore very important that the data we present to those teams is actionable. The types of protection we provide from detection of anomalies must have very low levels of false positives. That was one of the key aspects of building our solution as well.

A third guiding principle for us, from the DevSecOps team’s perspective, is to give them actionable data to understand the code that is being deployed even when the services are deployed in a cloud-native fashion. How do you understand at the code level, which ones are making a database call and where that data is flowing to? How do you know which cloud-based APIs are making third-party API calls to know if there are vulnerabilities? That is also very important to manage.

We have taken these principles very seriously as we built the solution. We bring our deep understanding of these APIs together with artificial intelligence (AI) and machine learning (ML) on top of the data to extract the right insights -- and make sure those are actionable insights for our users. That is how we built the platform from the ground up. Because continuous delivery (CD) is how applications are deployed today, it’s very important that we are continuously providing these insights.

We have taken these principles very seriously as we built the solution. We bring our deep understanding of these APIs together with AI and ML on top of the data to extract the right insights -- and make those actionable for our users.

It’s not enough to just say, “Hey, here are your APIs. Here are the insights on top of those, and here is where you should be focusing from a risk perspective.” We must also continuously adjust and gain new insights as the APIs evolve and change.

 There was one last thing we set out to do. We knew our customers are in a journey to microservices. That means we must provide the solution across diverse infrastructures, for customers fully in a cloud-native microservices environment as well as customers making their journey from legacy, monolithic applications; and everything in-between. We must provide a bridge for them to get to their destinations regardless of where they are.

Gardner: Yes, Traceable AI recently released your platform’s first freely available offering in August. Now that it’s in the marketplace, you’re providing a strong value to developers, by helping them to iterate, improve, and catch mistakes in their APIs design and use. Additionally, by being able to define vulnerabilities in production, you’re also helping security operations teams. They can limit the damage when something goes wrong.

By serving both of those two constituencies, you’re able to bridge the gap between them. Consequently, there’s a cultural assimilation value between the developers and the security teams. Is that cultural bond what you expected?

Reduce risk with secure interactions

Nagaraj: Absolutely. I think you said it right. In a lot of cases, these organizations are rapidly getting bigger and bigger. Typically, today’s microservices-based, API-driven development teams have six to eight members building many pieces of functionality, which eventually form an overall application. That’s the case internally at Traceable AI, too, as we build out our product and platform.

And so, in those cases, it’s very important that there is an understanding around how API requests come into an overall application. How do they translate across all the different services deployed? What are the services – defined as part of those small teams -- and how are they interacting with each other to deliver a single customer’s request? That has a huge impact on understanding the overall risk to the application itself.

The overall risk in a lot of cases is based on a combination of factors driven by all the APIs being exposed to those applications. But knowing all the APIs interacting with these services -- and the data that’s going through these services -- is very important to get a holistic understanding of the application, and the overall application infrastructure, to make sure you’re delivering security at an application level.

Learn More 

It’s no longer enough just to say, “Yes, we are secure. We’re practicing all the secure-coding practices.” You must also ask, “But what are the interactions with the rest of the organization?” That’s why it was essential for us to build what we call API Intelligence from the ground up based on the actual data. We attain a deeper understanding of the data itself.

That intelligence now helps us say, “Hey, here are all the APIs used across your organization. Here’s how they’re interacting with each other. Here’s how the data goes between them. Here are the third-party APIs being accessed as part of those services.”

We get that holistic understanding. That broad and inclusive view is very important because it’s just not about external APIs being accessed. It includes all the internal APIs being built and used, as well, from the many small teams.

Customers often tell me after using our solution that their developers are shocked there are so many APIs in use. In some cases, they thought they were duplicate APIs. They never expected those APIs to show up as part of any single service. It feels good to hear that we are bringing that level of visibility and realization. 

Next, based on our API Intelligence, comes the understanding of the risks. And that is so very important because once the developers understand the risks associated with a particular API, the way they go about protecting them also becomes very important. It means the vulnerabilities are going to get prioritized and then the fixes are going to be prioritized the right way, too. The ways they protect the APIs and put in the guards against these API vulnerabilities will change.

At the end of the day, the goal for us is to bring together the developers and the DevOps and security teams. Whether you look at them as a single team or separate teams, it doesn’t matter for an organization. They all must work together to make security happen. We wanted to provide a single pane of glass for them to all see the same types of data and insights.

Gardner: I have been impressed that the single pane view can impact so many different roles and cultures. I also was impressed with the interface. It allows those different personas to drill down specific to the context of their roles and objectives.

Tell us how that drilling down capability within the Traceable AI user interface (UI) gives the developers an opportunity to compress the time of gaining an understanding of what’s going on in API production and bring that knowledge back into pre-production for the next iteration?

Ounce of pre-production prevention

Nagaraj: One of the key things in any development lifecycle is the stages of testing you go through. Typically, applications get tested in the development and quality assurance (QA) stages along the way.

But one of the “testing” opportunities that can get missed in pre-production is to learn from the production data itself. That is what we are addressing here. As a developer, I like to think that all the tests being written in my pre-production environment cover all the use cases. But the reality is that the way customers use the applications in production can be different than expected. And the type of data that flows through can be different too.

This is even more true now because of API-driven applications. With API-driven applications, the developer has an intent of how their APIs are used, and most of their tests mimic that intent. But once you give the APIs to third-party developers – or hackers -- they might see the same APIs that the developer sees yet use them in unintended ways. Once they gain an understanding of how the API logic has been built internally the external users might be able to get a lot more information than they should be able to.

If we understand the true risks associated with these APIs in use, we can present that in-production-use knowledge back into pre-production. That means decisions about which APIs need to be protected differently can be made by using the right kinds of controls.

This is where it gets complex. This means that rather than treating production and pre-production as silos, the thought process is to bring the production learning and knowledge to help improve the application’s  security posture in pre-production because we know how certain APIs are actually being used.

If we understand the true risks associated with these APIs in use, we can present that in-production-use knowledge back into pre-production, such as users accessing APIs they aren’t supposed to be accessing. That means decisions about which APIs need to be protected differently can be made by using the right kinds of controls.

The core benefit to customers is that they can understand their API risks earlier so that they can protect their APIs better.

Gardner: The good news is there’s new value in post-production and pre-production. But who oversees bringing the Traceable AI platform into the organization? Who signs the PO? Who are the people who should be most aware of this value?

APIs behavior in a single pane of glass

Nagaraj: Yes, there are typically various types of organizations at work. It’s no longer a case of a central security team making all the decisions. There are engineering-driven, DevOps teams that are security-conscious. That means many of our customers are engineering leaders who are making security their top priority. It means that the Traceable AI deployment aspects also come to pre-production and production as part of their total development lifecycle.

One of the things we are exploring as part of our August launch is to make the solution increasingly self-service. We’ve provided low friction way for developers and DevOps teams to get value from Traceable AI in their pre-production and production systems, to make it part of their full lifecycle. We are heavily focused on enabling our customers to have easy deployment as a self-service experience.

On the other hand, when the security and operations teams need to encourage the developers or DevOps teams to deploy Traceable AI, then, of course, that ease-of-use experience is also very important.

A big value for the developers is that they get a single pane of glass, that means they are seeing the same information that the security teams are seeing. It is no longer the security people saying, “There are these vulnerabilities which is a problem;” or, “There are these attacks we are seeing,” and the developers don’t have the same data. Now, we are offering the same types of data by bringing observability from a security perspective to provide the same analysis to both sides of the equation. This makes everyone into a more effective team solving the security problems.

Gardner: And, of course, you’re also taking advantage of the ability to enter an organization through the open-source model. You have a free open-source edition, in addition to your commercial edition, that invites people to customize, experiment, and tailor the observability to their particular use cases -- and then share that development back. How does your open-source approach work?

Nagaraj: We built a distributed tracing platform, which was needed to support all the security use cases. That forms a core component for our platform because we wanted to bring in tracing and observability for API security.

That distributed tracing platform, called Hypertrace, as part of the Traceable AI solution, will enable developers to adopt the distributed tracing element by itself. As you mentioned we are making it available for free and as open source.

We’ve also launched a free tier of the Traceable AI security solution which includes the basic versions of API discovery, risk monitoring, and basic protection, for securing your applications. This is available to everybody.

Our idea was we wanted to democratize access to good API security tools, to help developers easily get the functionality of API observability and risk assessment so that everyone can be a pro-active part of the solution. To do this we launched the Free tier and the Team tier, which includes more of the functionality that our Enterprise tier includes.

Learn More 

That means, as a DevOps team, you’re able to understand your APIs and the risks associated with them, and to enable basic protections on those APIs. We’re very excited about opening this up to everyone.

But the thing that excites the engineer in me is that we are making our distributed tracing platform source code available for people to go build solutions on top of. They can use it in their own environments. At the end of the day, the developers can solve their own business problems. We are in the business of helping them solve the security problems, and they can solve their other business needs.

For us, it is about how do we secure their APIs. How do we help them understand their APIs? How can they best discover and understand the risks associated with those APIs? And that’s our core. We are putting it out there for developers and DevOps teams to use.

Gardner: Sanjay, going back to your vision and the rather large task you set out for yourselves, as Traceable AI becomes embedded in organizations, is there an opportunity for the API economy to further blossom?

How big of an impact do you expect to have over the next few years, and how important is that for not only the API economy, but the whole economy?

Economy thrives with continuous delivery

Nagaraj: From an API economy perspective, it’s thriving because of the robust use of these APIs and the reuse of services. Any time we hear news about APIs getting hacked or data getting lost, there is an inclination to say, “Hey, let’s stop the code from shipping,” or, “Let's not ship too many features,” or, “Let's make sure it is secure enough before it ships.”

But that means the continuous delivery benefits powering the API economy are not going to work. We, as a community of developers, must come up with ways of ensuring security and privacy so we can continue to maintain the pace of a continuous software development life cycle. Otherwise, this will all stall. And these challenges will only get bigger because APIs are here to stay. The API economy is here to stay. APIs will be continuously evolving, and they will be delivering more and more functionality on a continuous basis.

The only way we can get better at this is by bringing in the technology that enables the continuous delivery of code that is secured in pre-production and not just at runtime.

The only way we can get better at this is by bringing in the technology that enables the continuous delivery of code that is secured in pre-production and not just at runtime. And that’s the goal from our perspective, to build that long-term and viable solution for enterprises.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how the rapidly expanding use of APIs to advance business services has created a complex constellation of interrelated services.

And we’ve learned how an AI-enabled security capability in a new platform from Traceable AI is designed from the ground up to discover,  secure, and optimize the API underpinnings of today’s digital businesses for teams across the full lifecycle of development.

So, a big thank you to our guest, Sanjay Nagaraj, Chief Technology Officer and Co-Founder at Traceable.ai. Thank you so much, Sanjay.

Nagaraj: Thanks a lot.

Gardner: And a big thank you as well for our audience for joining this BriefingsDirect API resiliency discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Traceable AI-sponsored BriefingsDirect interviews.

Thanks again for listening. Please pass this along to your business community and do come back for our next chapter.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable AI.

Transcript of a discussion on a new platform designed from the ground up specifically to define, manage, secure, and optimize the API underpinnings for so much of what drives today’s digital businesses. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

You may also be interested in:

Thursday, September 09, 2021

How HPE Pointnext Complete Care Transforms Edge-to-Cloud Support to Enable Business-Wide Outcomes

Transcript of a discussion on how complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett Packard Enterprise Pointnext Services.

Dana Gardner: Hello, and welcome to the next edition of the BriefingsDirect Voice of Tech Services Innovation podcast series. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for this ongoing discussion on how IT services and support have entered a new era.

Today’s diversity of hybrid IT models and environments demands that IT services and support accommodate more digital variables than ever. Nonetheless, the burgeoning complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology -- from every edge to every cloud -- in one bold stroke.

That’s the market driver behind a new pan-IT services offering from Hewlett Packard Enterprise (HPE) Pointnext Services called HPE Pointnext Complete Care. The all-inclusive approach moves past product-based experiences of support to an all-IT-environment-wide experience. It both reaches back to provide legacy and product support and extends to the intelligence-driven and proactive optimization of all digital business services.

Stay with us now as we examine how HPE Pointnext Services has developed solutions to satisfy this broad new definition of complete IT tech support.

To learn more about bringing what amounts to a warm blanket of support across the entire IT environment we’re joined by Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. Welcome back, Gerry.

Gerry Nolan: Hi, Dana. Great to be with you.

Gardner: Gerry, how has the world changed since HPE Datacenter Care arrived back in 2012? I guess we can no longer define IT by a datacenter metric -- it’s now gone much broader and wider.

Nolan: You said it, Dana. I feel a bit old thinking that 2012 was just yesterday. But back then the momentum was all around IT consolidation, the move to virtualization, and customers moving to x86 platforms.

IT’s not 2012 anymore

Nolan

At the time, studies showed that average downtime was about 97 minutes per year, with the average cost at $8,000 a minute. The most common cited reason for failure was the hardware, along with people making mistakes. At the time, about 50 percent of the downtime was caused by hardware failure and 50 percent by human error.

Today, studies show that the world is a totally different place. Now it’s all about hyper converged infrastructure (HCI), hybrid IT, and cloud computing in all its various forms. The move to edge is a significant trend. And, of course, the move to digital transformation has been accelerated by the COVID-19 pandemic. And that means it’s all about IT as an experience and bringing differentiated experiences to the market.

Look at areas outside of IT. If you think about buying a car and how Tesla has transformed that experience or going on a vacation and how web sites such as Airbnb or Booking.com have totally transformed that. The experiences define those use cases -- and IT is no different.

In 2020, studies showed that downtime is even more scary -- with the average cost of a minute of downtime up from $8,000 to $17,000. With the move to digital, any downtime or impact to your digital platform has massive implications not just with the direct revenue and orders impact, but they can seriously damage your reputation and brand for years.

With the move to digital, any downtime or impact to your digital platform has massive implications not just with the direct revenue and orders impact, but they can seriously damage your reputation and brand for years.

An IDC study that jumped out at me last year, for example, says having a support experience around IT shouldn’t be viewed like it was back in 2012, as an insurance policy. Today it’s more important to think about partnership agreements that drive better service-level agreement (SLAs) and overall performance. It’s about driving the business forward and enabling the business.

IDC found the enterprises that had these types of agreements saved an average of 634 hours of unplanned downtime. And 200 hours of that were the benefit of the proactive nature of using artificial intelligence (AI) and other tools, as well as having access to smart people who help mitigate against the bad things from happening.

So, yes, the world really has changed a lot since we first introduced HPE Datacenter Care back in 2012.

Gardner: Sure, so we’ve seen the change of vendor and support relationships to more of a partnership in supporting the full business. But there’s been a progression to getting to what we now call HPE Pointnext Complete Care. And one of those big steps was with HPE Pointnext Tech Care. How did that fit into the progression? How should we think about this as an evolution?

Nolan: Yes, we are transforming the overall support experience for our customers. The first step out of the gate was differentiating the experience with our HPE products by crafting a new, totally transformed support experience called HPE Pointnext Tech Care. We launched that in April on our HPE Server product line. It will be fully available across all products by August.

Time to transform how we work

It transforms and uplifts the user experience when dealing with HPE products by bringing to bear a whole range of new aspects, including a new digital platform, to allow customers much easier access to both the knowledge they need as well as multiple ways of accessing our experts around the world. They can do that through video, chat, moderated forums, and live conversations. It also embeds AI, so the telemetry built into our products feeds back to the mothership and then delivers a wide array of dashboards, alerts, insights, and recommendations back to the customers.

As a result, the users have a beautiful, rounded, broader suite of capabilities that allows them to gain more information to more easily self-solve and self-serve. But, of course, they also have broad access to knowledge and expertise when and how they need it. That’s what HPE Pointnext Tech Care, which replaces HPE Foundation Care and HPE Proactive Care, is all about.

For those familiar with those services, which have been around for many years, HPE Pointnext Tech Care is the new, single product support experience for all HPE products. We’re very proud of it and we’re getting great feedback from our initial customers. They love that they can go to a single portal and see these dashboards. They now have many ways of accessing our experts, and, of course, everyone’s different. Some people like to talk live to experts, while others like to watch videos or go to moderated forums to talk with peers and other customers. Our experts are also in those forums responding and providing links to various articles.

It’s a very rich -- and we believe -- transformative experience that takes support to the next level. And, with HPE Pointnext Complete Care, we’re going to elevate that even more by taking support beyond the products and looking at the entire environment.

Gardner: Another big differentiator for HPE Pointnext Services is that this not just for HPE support -- this is pan-vendor support. You’ve been agnostic in supporting -- with one throat to choke, if you will -- a vast universe of technology. How does HPE Pointnext Complete Care advance that concept of all under the same support umbrella?

Nolan: Yes, we’ve been doing that for years, adding significant multivendor capabilities. With HPE Pointnext Complete Care, it focuses further on providing a complete support experience for the customer. That includes whatever capabilities exist -- both from inside of HPE or some of our partners – and brings all of that into a complete, single framework for the client. That means covering the customers’ complete IT environment, however they define it, by acting as their single point of contact for whatever they define as their IT. In these days, of course, that can be quite a wide and varied scope.

For example, a casino I recently talked to is actively acquiring new companies in different parts of the world. They’re bringing onboard those companies, all with their own IT setups. The chief information officer (CIO) is looking to bring all of that together under a single framework with a single partner to work with them. They want to evolve to control what they have, as well as take it all to a more standard framework.

Another company that jumps to mind is a large international bank looking to move to an increasingly hybrid IT structure, with some on-premises cloud services to support their legacy IT. They’re migrating from that legacy to an x86, container-based, heavily automated private cloud. They need a single partner to help them through that digital transformation and through that evolution. The goal is to help them operate and manage their old, while also taking care of all of that new technology.

HPE Pointnext Complete Care brings it all under one umbrella to give the customer a single team and a single point of contact. Whatever IT they have, they can work with that single partner to optimize the entire environment.

There are many aspects to HPE Pointnext Complete Care in terms of helping a customer in those different use cases. It’s not just HPE products. It’s many different IT technologies. Today that includes things such as hyper-converged, edge, and Internet of Things (IoT). There’s a lot of open source use, and a plethora of other software including some of the new automation tools.

HPE Pointnext Complete Care brings all of that under one umbrella to give the customer a single team and a single point of contact. So whatever they have in their IT -- wherever their IT is -- they can work with that single partner to operate and optimize that entire environment.

Gardner: The timing seems perfect because, as you mentioned, there’s so much more complexity to providing a business service that ultimately reaches back into multiple service providers, using multiple technologies.

Nolan: Exactly.

Gardner: We need those services to be robust. If there are issues, there’s no time to point fingers but instead to find the root causes and assign responsibility for fixing it. You need to look at the whole picture, and the speed element is something here that strikes me as essential.

Nolan: Absolutely.

Gardner: It seems to me that we’re looking at an awfully complex undertaking. How do you mitigate the complexity?

Comprehend complexity and manage it

Nolan: Yes, customers are challenged. We’re still in the pandemic. We’ve learned a lot from our customers as they have worked through all the various implications. The response has elevated the whole move to digital, as I mentioned. It’s really important that customers have a strong handle on the digital aspects of their businesses.

Whether you’re ordering coffee, buying a car, or doing some banking, you’re working with some level of digital platforms these days. Therefore, that becomes a critical aspect of enabling the business. We want to make sure we can help customers set up, run, and optimize their digital platforms – and that’s something HPE Pointnext Complete Care is set up to do.

Risk mitigation is critical. We see customers challenged with just trying to get ahead of issues before those issues cause downstream impact to their businesses. They want access to expertise and best practices. They are obviously always looking to get the best bang for the buck because customers are still under tight cost constraints.

They also have struggles due to the finger-pointing that comes with managing multiple vendors and as they bring on more open source software and automation tools. There are more and more companies involved, and so more and more and different relationships to manage. All of this can be challenging.

If you’re struggling with bandwidth and budget while trying to mitigate risk -- all these factors build to create challenges across all of those dimensions. Having a single point of contact is something we see customers challenged with -- and something they value a lot.

We also see organizations aim to reduce their carbon footprint and achieve new corporate-wide sustainability goals. So, that’s something we’re also building into the HPE Pointnext Complete Care value. Working with our financial services organization within HPE allows customers to benefit from their programs. They can monetize old hardware, and we can buy that hardware back and give the customer a payment that they can then invest in newer technologies -- more carbon friendly and sustainable approaches. So, we’re excited about how we can help customers across all these different dimensions.

Gardner: As a recap from our earlier discussion when HPE Pointnext Tech Care came out back in the spring, one of the things that was very impressive to me was the use of technology to better manage – technology. At HPE Pointnext Services, you’re using technology to trace and discover IT assets and use that data to gain a complete view of what’s going on in an organization.

Working with our financial services organization within HPE allows customers to benefit, too. They can monetize old hardware. HPE will buy it back so they can invest in newer technologies -- more carbon friendly and sustainable approaches.

It’s allowing not just break-fix reactions but the capability to get out in front and to be proactive on maintenance, patching, and to quickly identify anomalies to head them off before they become breakdowns. So, the advent of the technology that you’re able to use to satisfy these problems is also very powerful, and HPE Pointnext Tech Care demonstrated that. 

Nolan: Absolutely, well said.

Gardner: All right, let’s go to HPE Pointnext Complete Care in more detail. This has just arrived. People are trying to wrap their heads around it. What’s the grand vision for HPE Pointnext Complete Care now that we’ve moved through this evolution from HPE Pointnext Tech Care and better understand the IT environment that we’re in?

A warm blanket of IT support

Nolan: I view the HPE Pointnext Complete Care experience as that “warm blanket” of support that we can put around the entire customer’s IT environment. The beauty of the framework is we’re going to be delivering and evolving this over the coming months to provide a modular approach. That means we can provide flexibility across an extensive and growing menu of capabilities. 

Whether it’s looking at your security, compliance, or performance – this includes all the different aspects of your IT. It means managing your assets, be it hardware or the software licenses. And then we provide the innovative solutioning tools to our partners as well as our own staff to enable personalization for each of those different customer use cases I mentioned.

Yet every customer is different. They’re all starting from a different point on their journey. We will wrap around all those requirements that the customer has a single framework, a single team, a single contract, and a single invoice.

Everything needs to be simpler for the customer, even as their use cases have gotten more complex. It requires the wealth of HPE’s capabilities across all the technology -- or in the multi-vendor space. We have a massive capability globally to fix and repair non-HPE products. So, whether it’s Dell servers, or IBM systems, or Brocade switches, or NetApp storage arrays -- customers are often surprised that we can provide the same level of support on their non-HPE technology as their HPE technology.

We will keep investing in the digital platforms to bring forward all the AI and telemetry and make it more broadly available, as well as enriching the dashboards, alerts, and insights provided to customers that have the HPE Pointnext Complete Care framework. We will constantly make it better and help customers manage the lifecycle -- not just provide support.

If customers need to look at their strategy plans, we can bring in our strategy consultants. If they have a need for flexibility around payment plans or to monetize their older assets, we can partner with our financial services colleagues and bring them to the table. All of this can be done through a single HPE Pointnext Complete Care framework. It delivers a complete, end-to-end suite of value to cover all needs. That’s what makes our vision quite exciting for me. 

Gardner: When I first learned about HPE Pointnext Complete Care, I said to myself, “Wow, this is pretty ambitious.” And one of the things I wondered is how you’re able to manage being all inclusive -- providing a single point of contact -- yet at the same time personalize and customize the support experience for every customer. How are you able to pull that off, Gerry, to be  all-inclusive and simplified, but also customized and tailored to each company?

Nolan: That’s one of the beautiful things about HPE Pointnext Complete Care. We have a big benefit in that we’ve been doing this for – and I’m embarrassed because I’ve been here most of these -- 40 years. We’ve been doing support of customer’s technology -- whether it’s HP, HPE, or non-HPE technologies -- for a very long time. We’ve built up amazing global capabilities, whether it’s supply chain or expert teams that specialize in different areas like SAP HANA or security or VMware or Linux or automation or containers -- name your tech topic. We built up deep teams of experts that we can draw upon.

HPE Pointnext Complete Care is a big toolbox of capabilities across the company. We have teams that can readily help customers regardless of where they are on their journey. We're able to do this due to the sheer breadth of capabilities available to us.

If you can imagine, HPE Pointnext Complete Care is this big toolbox of capabilities across the company, as well as working with our partners, and that helps speak to a customer. You can view that customer in their own unique scenario. It’s very helpful when you can turn around and talk to your consulting colleagues and bring in some strategy or help for the customer who has a desire to move to cloud. They may need some help figuring out, “How do I architect a good solution for all my various workloads?”

Because we know that not every workload is going to work in the cloud, we know that customers don’t typically throw out all their old technology. They want to keep their old technology but also get the most from it for as long as possible while they move to the newer models. And we have teams within our organization that can readily help customers regardless of where they are on that journey.

Again, we’re able to do this due to the sheer breadth and depth of the capabilities available to us. It allows us to turn up and develop what appears a custom-built solution for each customer. But, in fact, we’re leveraging capabilities that have been built up over 40-plus years. We’re putting them together uniquely for each client and we have the flexibility to do that. We are not tied to any one model, whether it’s on-premises, off-premises, hybrid cloud, IoT, edge, and containers.

We don’t have any specific bias to pushing a customer in one direction. We have so many tools in our toolkit, we do the best for that customer and give them the outcome that best satisfies their unique needs with HPE Pointnext Complete Care. That’s the value proposition and the beauty of the framework. We pick and choose the tools, assets, and capabilities and we map those to each individual client.

Gardner: Let’s chunk this out a bit. What are the major modules in HPE Pointnext Complete Care? How should we think about it in terms of how it’s constructed and architected?

Personalized, customer-centric care

Nolan: Because we’ve been doing this for a while, we carry forward into HPE Pointnext Complete Care all those proven key elements that customers love and are already delivering value. That includes key elements like having an assigned team with named individuals that work with the customer. That’s the first thing we will do with an HPE Pointnext Complete Care customer. 

While we’re onboarding them, we enhance that by adding new roles into that assigned team and providing new profiling capabilities. We get to know that customer’s business, their key objectives and priorities, and then we build that into the plan and make sure anyone interacting with that customer has full visibility to what’s important to that specific customer.

For example, say I’m working with you, the customer, and you have a big customer event next week. We’re going to make sure that the entire HPE team working with you is ready to support you in that big event. We are going to make sure we mitigate all possible risks, and we’re going to have extra staff on hand to support you during that event. It’s important to have that level of detail of profiling. So, that assigned team is the first critical element.

In the broader scope, with HPEPointnext Complete Care, we’re expanding the products and software that we can cover in the customer framework agreement. That helps to enhance the incident management capabilities. When bad things do happen – because, at the end of the day, hardware will at some point fail, or somebody will make a mistake -- we make sure we can mitigate that. Whenever bad things occur, we’re enhancing the way that we manage those incidents. It makes for the best possible experience.

And, of course, we’re expanding the menu of new support capabilities; things like, broader services for open-source assets. We see many customers challenged with deploying the different varieties of open source products. And the move to automation and containers is accelerating the push to use of open source. Many of our customers are saying, “Boy, this is hard. It’s more complex than we imagined. It sounded, easy, fast, and cheap, but it’s none of those things.”

There are many benefits to moving to open source, but it is quite challenging. So that’s an area we’re going to help customers with. We have a lot of open source expertise within our company. We’re going to ramp that up with the launch of HPE Pointnext Complete Care to offer customers a single point of contact for all their open source tools.

And then, aligned with that, is our big focus on software in general. We see customers -- especially coming out of COVID – who had companies such as Microsoft, Oracle, and others open up access to free licenses. But now, coming out of the pandemic, those vendor companies rightfully are saying, “Well, gee, we need to monetize this now. We need to audit what software is being used by our customers.” And, of course, those customers in many cases are struggling to know what software is in their estate. They have huge estates, now with remote software to enable their global remote workforce, and in many cases that’s gotten out of control. We see customers who don’t know what software they have. Nor do they have a good handle on the associated costs, compliance issues, and security risks.

We help customers find all their software licenses. We show them via different dashboards what's being used. They can also see compliance risks, as well as where they're spending too much. They can even manage their software estate.

As a result, another HPE Pointnext Complete Care module we’re launching focuses on software asset management (SAM). We help customers find all their software licenses. We show them via different dashboards what’s being used. They can also see where they have security and compliance risks, as well as what they’re spending -- and perhaps where they’re spending too much. It shows how they could save money via recommendations in those dashboards. If they’d like, we can even do the management of their software estate thanks to the new SAM capabilities in HPE Pointnext Complete Care.

Those are some of the new exciting modules. It’s a long list, but those are a couple that jump to mind in terms of some of the new exciting capabilities we’re now introducing.

Gardner: As a global organization, HPE is helping each of these companies deal with these issues. That means what you learn in one part of world from one type of company can be applied to everybody else. There’s a vast amount of data gathered, and that can be applied and reapplied. It’s a very exciting time.

Gerry, let’s talk about your go-to-market strategy. This isn’t just an HPE-only entry point. What are you doing to make HPE Pointnext Complete Care available across a channel partner ecosystem?

Harness the power of partnerships

Nolan: HPE, like so many big companies, relies on our trusted partners around the world. We have an awesome network of partners, and we’re very excited with HPE Pointnext Complete Care to be opening that experience up to our channel partners.

Many partners have the desire to create an experience like HPE Pointnext Complete Care and deliver it to their end customers. But they may not have the full suite of capabilities. So, combining our capabilities with their capabilities, they all might be able to directly quote proposals to their end customers.

That would include HPE Pointnext Complete Care plus their own value. That’s a new capability available with HPE Pointnext Complete Care. We provide a new solutioning platform, which channel partners can directly access themselves. They can create proposals, basically on their own, and then bring in all the value of HPE plus their own value and be compensated to do that. So, it’s good for the customer, it’s good for the channel partner, and, of course, it’s jointly good for us as well. So, everybody wins.

Gardner: We’ve addressed the vast IT heterogeneity and how HPE Pointnext Complete Care will address that. But looking a little bit closer to home, within the HPE family of products, this has also given you an opportunity to unify around your HPE GreenLake as-a-service economics. You can put that umbrella over your product lines, such as Nimble storage, Cray for HPC, Ezmeral, and Aruba for networking and edge. So, tell us how HPE Pointnext Complete Care not only unifies a vendor ecosystem but unifies the HPE ecosystem and procurement models as well?

Nolan: One of the reasons we chose the name HPE Pointnext Complete Care is we are delivering that complete experience of bringing together a consistent, single point of support for the customer across all our products. I’m excited to say that, “Yes, we’re expanding the scope of HPE Pointnext Complete Care.”

So it includes all the products you just mentioned. Whether you have Nimble in your environment or HPE’s new container platform, called Ezmeral, or Cray, or even Aruba on the edge -- all of that can be included alongside your servers, storage, and the non-HPE everything you have under a single HPE Pointnext Complete Care contract.

And, of course, the other nice thing about HPE Pointnext Complete Care is HPE GreenLake, our as-a-service-offering model for those customers who want to buy their IT -- whether it’s on-premises or a colocation – and pay on an as-you-go basis, with a monthly bill for whatever they use. HPE GreenLake is the solution. In every HPE GreenLake engagement, at the heart of it, also has HPE Pointnext Complete Care. HPE Pointnext Complete Care carries the part that delivers the support and optimizes the performance of all that IT.

HPE GreenLake, we’re very excited to say, is called the “cloud that comes to you” because it delivers all the benefits of hybrid IT but with HPE Pointnext Complete Care in that expanded scope for support. We cover all the products you mentioned, all the elements of HPE GreenLake, and we’ll be adding to that as we learn and get more feedback from customers. We’re pretty excited.

Gardner: It’s near the end of summer 2021, and this is new to the market. But do you have any early adopters or beta customers that you can look to and say, “Yes, we’ve been describing this, but here’s how it’s working in practice?” Where is this being used first, and what are they getting for it?

A case in point takes flight

Nolan: A recent example comes to mind. A major aircraft manufacturer is struggling with a large, complex IT environment. By the nature of their business, it’s a very sensitive IT environment. They need to work with clusters and proven partners. We in 2021 signed a five-year engagement with that organization.

HPE is their sole IT support provider. We’re providing HPE Pointnext Complete Care coverage for their entire IT environment, including support for more than 20 different vendors. That means all types of hardware and software -- way beyond just the HPE products. It includes managing all their software licenses, a very large software estate across their environment. It includes helping them operate all the IT operations -- from planning through to support. We will take on the relationships with their other vendors, and we’ll provide that customer a single view, a single dashboard, and map to their key performance indicators (KPIs).

We're providing HPE Pointnext Complete Care coverage for their entire IT environment, including support for more than 20 different vendors. That means all types of hardware and software. It includes helping them operate all the IT -- from planning to support. We provide a single dashboard view and a map to the KPIs.

It’s an exciting engagement. And, of course, every customer will be measuring the value this way -- the idea of aligning with the customer on what KPIs are. Then we’ll constantly review and update those with the customer as we jointly make progress together.

This large deal is a good proof-point. It has most of the elements of HPE Pointnext Complete Care that I’ve been talking about. We are in discussions with many other customers in similar types of use case scenarios, where HPE Pointnext Complete Care provides that single point of contact across their complete IT estate. And, of course, we’re bringing to bear that complete suite of value.

Gardner: Is there a crawl, walk, run approach to HPE Pointnext Complete Care? How do you get started? How do you learn more?

Nolan: You can absolutely start with a small HPE Pointnext Complete Care contract, perhaps for one key part of your infrastructure or environment, and then grow from that over time. It’s totally flexible. I encourage anyone who believes that this might be an experience that would help them to engage through their authorized channel partner or directly with an HPE account manager representative.

There’s also a wealth of information on the HPE.com website in the HPE Pointnext Services area. We would love to come in and just discuss what’s going on in the customer’s environment. What are some of their challenges? What are some of their desired IT estate goals? And then just figure out, how we can help. And if we can help them and put together something that works for them.

Gardner: Gerry, what comes next? It sounds to me when you combine HPE GreenLake and HPE Pointnext Complete Care that we’re reverse engineering from the business outcomes back to what the IT requirements as services are. We’re revolutionizing IT. Even the economics of IT shift.

How does the advent of HPE Pointnext Complete Care work with some of these other trends to reinvent IT? Are we really looking at something that’s substantially different?

The IT solution revolution

Nolan: As vendors, we really need to continually step-up the game. As we’re trying to do here, we need to bring more value to customers who in turn are having to do that with their end customers. This spans the entire IT lifecycle – from helping customers with strategy, all the way through to operating and managing the IT estate.

It’s no longer good enough to just provide support, the sort of break-fix support. Instead, we must provide an end-to-end lifecycle experience for all IT, where we’re bringing in advice, help, insights, recommendations, and, of course, best-in-class support. For us, that includes continued investment in scaling up our people and building new solutions, as well as extending our AI and machine learning (ML) to bring about entirely new types of insights.

We can stop the bad things from happening before they happen. And technologies like augmented reality (AR) will help elevate the experience, allowing us to better support remote sites and every type of computing and business edge. We already support customers on ships, on oil rigs, and on the tops of mountains. There’s nowhere our support can’t go.



We’re constantly innovating and coming up with new solutions, which is why we’re making these investments. We see these as critical as the customers do. Business doesn’t stop, innovation doesn’t stop, and we’re going to stay ahead. That’s what we’re trying to do with HPE Pointnext Complete Care.

Gardner: Yes, you’re changing the relationship with your customers. It’s truly a partnership. When they succeed, you succeed, and vice-versa -- and you’ll need to work together to make that continue. It’s an exciting opportunity.

I’m afraid we’ll have to leave it there. You’ve been exploring how today’s diversity of hybrid IT models and environments demand that IT services and support accommodate more digital variables than ever.

And we’ve learned how HPE Pointnext Services has developed solutions to satisfy this broad new definition of complete IT tech support. It’s a coverage that amounts to a “warm blanket” of support across the entire IT environment.

So, please join me in thanking our guest, Gerry Nolan, Director of Operational Services Portfolio at HPE Pointnext Services. Thank you so much, Gerry.

Nolan: Thank you, Dana. It’s been great.

Gardner: And a big thank you also to our audience for joining this sponsored BriefingsDirect Voice of Technology Services Innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this ongoing series of HPE Pointnext-supported discussions.

Thanks again for listening. Please pass this along to your IT community, and do come back next time. 

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Hewlett Packard Enterprise Pointnext Services.

Transcript of a discussion on how complexity and fast-changing dynamics of digital businesses are pushing enterprises to seek a complete and holistic way to support all their technology. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

You may also be interested in: