Podcast – Lack of Seriousness in Cybersecurity, Security thru Transparency, and Blockchain

Joining us this week is Mike D. Kail, previously the CTO of Cybric and Yahoo’s CIO and SVP of Infrastructure.

Highlights

  • RANT Cast on Cybersecurity Regulations from Governments
    • Security is Important but NOT a Priority
  • Culture around Security is Lacking
  • Time for Security Tech to Include UI Testing and Consider User Experience
  • Confusion over Not-Working Security Settings and Profit Motives
    • Security thru Transparency
  • Accountability of Provider in Turning off Security based on Requests
  • Definition on Distributed Ledgers / Blockchain & Scalability Challenges
  • Promise of Blockchain and Good Application for It / Digital Identity
  • Zero Trust Security Overview
  • Equifax Example and Regulations


Time (Minutes.Seconds)  Topic

0.0 – 0.59     (Boring) Intro on Introduction Music Not Happening
0.59 – 2.54    Introduction
2.54 – 3.50    RANT Cast Overview (Eric Wright Podcast)
3.50 – 6.26    Mike’s RANT on Gov’t Legislating Security (e.g. GDPR)
6.26 – 7.40    Does Gov’t have a Responsibility?
7.40 – 9.16    Fix Usability for Security Tools
9.16 – 17.03   Impact of Facebook / Security Settings Complexity (Camera Example)
17.03 – 21.14  Permission to Access, NOT Analyze It
21.14 – 23.20  Distributed Ledgers / Blockchain
23.20 – 25.05  Promise of Blockchain
25.05 – 28.02  Digital Identity & Authentication
28.02 – 32.36  Controlling Access to Distributed Ledgers
32.36 – 35.30  Equifax Example
35.30 – 37.28  Will Gov’t Step in Eventually?
37.28 – END    Wrap Up

Podcast Guest: Mike D. Kail

For the past 3 years, Mike D. Kail was Cybric’s CTO, responsible for the strategic vision and technical direction of the Cybric Platform. Prior to joining Cybric, Mike was Yahoo’s CIO and SVP of Infrastructure, where he led the IT and Global Data Center functions for the company. He has more than 25 years of IT Operations experience with a focus on highly scalable architectures.

Previously, Mike served as VP of IT Operations at Netflix, where he was responsible for Employee Technology and various Engineering components. Before that role, Mike was VP of IT Operations at Attensity, where he was responsible for the Americas data center operations team, including managing various Big Data systems with their Hadoop cluster, HBase and MongoDB components.

He has been widely recognized for his insightful industry commentary on social media, and was recently named by the Huffington Post as one of the “Top 100 Most Social CIOs on Twitter.”

Great Fun Accessing your Infrastructure: How Secure are You?

How secure is your infrastructure? Not just your internal data centers, but what about the networks connecting you to public clouds or hosting providers? How about your corporate data, which could be anywhere in the world, since you certainly have Shadow IT somewhere?

RackN believes that IT security begins with a secure foundation for provisioning, not only within your data center but into your cloud environments as well. Having a single tool architected with security as a key feature allows SecOps to spend more time protecting against attacks at the application and data storage layers instead of worrying about attacks at the metal.

Issue – Secure the Enterprise

  • Many enterprises fail to patch both software and hardware on a regular basis because they cannot reliably and safely manage the process without impacting service delivery.
  • With applications and data running globally, IT has lost the ability to know with certainty where its services are operating from and how secure they are; this is true even beyond public clouds.

Impact – Business is Digital

  • All business is now digital, and a majority of companies don’t have the technical staff to ensure a high level of security; simply trusting cloud providers is not enough.
  • Companies must ensure that networks are protected and that applications and hardware are updated with the latest patches. Is your company doing this?

RackN Solution – Secure Foundation

  • Delivering provisioning via an automated, layered approach gives IT teams a secure and repeatable process to ensure application availability regardless of location, e.g. Data Center, Hosting Provider, Public Cloud and, eventually, Edge infrastructure.
  • Like any construction project, security starts with a solid foundation; RackN is the foundation to build your IT infrastructure on.

The RackN team is ready to start you on the path to operations excellence:

Podcast: Paul Teich on Enterprise Security, Hardware Issues at Edge, Augmented Reality and 5G

In this week’s podcast, we speak with Paul Teich, Principal Analyst, Tirias Research. Paul offered his insight into several key industry trends as well as the recent Spectre and Meltdown discoveries.

  • Spectre and Meltdown – Will this drive additional security focus?
  • Augmented Reality and AI are the holy grail of Edge and Cloud
  • Capabilities of 5G and its impact over next 10 years
  • Why is Hyper Converged Infrastructure popular?

Time (Minutes.Seconds)  Topic

0.0 – 3.06     Introduction (Texas and Texas A&M)
3.06 – 6.30    Spectre and Meltdown Lead to Security?
6.30 – 10.38   Industry-Wide Refresh (At least 12 months to new silicon)
10.38 – 15.03  Enterprise Thoughts on Patching/Updates (Profit over Security)
15.03 – 16.06  Major Services and Rolling Blackouts (Service Patching Underway – Intel)
16.06 – 17.50  Security Vulnerabilities Always Exist
17.50 – 22.23  Edge ~ Highly Distributed Management (Definition)
22.23 – 25.03  Hardware Component to Edge (Opening for ARM?)
25.03 – 27.48  Edge is Heterogeneous
27.48 – 31.47  Portability b/w Cloud and Edge Required (End of Mgmt from H/W Vendors)
31.47 – 36.29  GPUs on the Edge (Tesla and Nvidia Announcement)
36.29 – 40.00  Infrastructure Deployment in an Instant
40.00 – 42.50  Multi-Tenancy at Edge (Jevons Paradox Appears Again)
42.50 – 45.13  Augmented Reality & AI
45.13 – 47.17  5G Rollout
47.17 – 52.30  Hyper Converged Infrastructure – Why?
52.30 – END    Wrap-Up

Podcast Guest
Paul Teich, Principal Analyst, Tirias Research

Paul Teich is a Principal Analyst with a technical background and over 30 years of industry experience in computing, storage, and networking. Paul’s strength is in assessing the technical feasibility and market opportunity for new technologies and developing profitable strategies to commercialize those technologies.

Paul’s prior experience includes being a key member of AMD’s Opteron server processor team in the early 2000s, which redefined 64-bit computing; product manager of a web service at the height of the first internet bubble; designer of low-cost consumer PCs before multi-PC households were common; and product manager of RISC processors used as graphics accelerators in the early 1990s, which is now back in vogue on a larger scale with deep learning.

Over the past few years Paul has spoken and moderated panels at many industry events, including IoT Dev-Con, Open Server Summit, Dell World, TiEcon Silicon Valley, NIWeek, ARM TechCon, and SXSW Interactive. Paul is quoted by an equally diverse set of industry press, including: IDG, SiliconANGLE, ComputerWorld, InfoWorld, eWeek, and Processor.com.

Paul also serves as an adviser to the EEMBC Cloud and Big Data Server Benchmarking working group (“ScaleMark”) and has been a co-organizer of the Open Server Summit’s scale-out server track. In addition, he has recently been an expert consultant in an intellectual property court case and has supported a client in front of a US government committee.

Paul holds a BS in Computer Science from Texas A&M and an MS in Technology Commercialization from the University of Texas’ McCombs School of Business. His technical accomplishments include 12 US patents and senior membership in both the ACM and the IEEE.

Podcast: Tim Crawford on Technology Choice, Patching, Edge and Competition in the Enterprise

In this week’s podcast, we speak with Tim Crawford from AVOA, who is ranked as one of the Top 100 Most Influential Chief Technology Officers (#4) and a Top 100 Cloud Expert and Influencer. He focuses on several interesting topics:

  • CIO selection of new technology for enterprise
  • Challenges for Enterprise to patch and upgrade software/hardware
  • Edge Computing – what it is, CIO thinking
  • Vendor Landscape
  • Open Source for CIOs – when to use and why

Time (Minutes.Seconds)  Topic

0.0 – 0.35     Introduction
0.35 – 1.55    Tim’s Background and Work
1.55 – 4.39    When to select a new technology? (Find Something Valuable and Try)
4.39 – 7.31    Signs a company selected wrong
7.31 – 11.03   Security Vulnerabilities (Risk vs Reward)
11.03 – 19.40  Patching is a MUST? Maybe Not (Patching/Upgrading are Disruptive)
19.40 – 22.45  Edge Computing Intro
22.45 – 28.27  Why CIOs need to know Edge (Aircraft Example)
28.27 – 30.20  Is Edge different from Cloud to a CIO?
30.20 – 32.00  Does Edge need to be defined? (Stop Defining & Talk About How to Use Them)
32.00 – 34.25  Don’t need a new edge paradigm (Tech vs Business Goals)
34.25 – 36.57  Hybrid (Hybrid is Heterogeneity)
36.57 – 40.30  Vendor Landscape Convergence (Best of Breed)
40.30 – 45.30  Open Source and CIOs (Open Source is Free Like a Puppy)
45.30 – END    Wrap-Up


Podcast Guest
Tim Crawford, AVOA

Tim Crawford is ranked as one of the Top 100 Most Influential Chief Information Technology Officers (#4), Top 100 Most Social CIOs (#7), Top 20 People Most Retweeted by IT Leaders (#5) and Top 100 Cloud Experts and Influencers. Tim is a strategic CIO and advisor to CIOs and large global enterprise organizations across a number of industries, including financial services, healthcare, high-tech and major airlines. Tim’s work differentiates and catapults organizations in transformative ways through the use of technology as a strategic lever.

Tim is an internationally renowned CIO thought leader in the areas of IT transformation, Cloud Computing, Data Analytics and Internet of Things (IoT). Tim has served as CIO and in other senior IT roles with global organizations such as Konica Minolta / All Covered, Stanford University, Knight-Ridder, Philips Electronics and National Semiconductor.

Tim’s extensive experience includes strategic planning, organizational development, governance, and program and portfolio management that align with business strategy. Additional experience includes mergers and acquisitions, business development, strategic sourcing, compliance, information security and risk management.

Tim serves on the Board of Directors for Modius and on the Advisory Board for CloudVelox. Tim holds an MBA in International Business with Honors and a Bachelor of Science degree in Computer Information Systems both from Golden Gate University.

Podcast with Chris Steffen on Security for Cloud, Edge, and the Coming of GDPR

In this week’s podcast, Chris Steffen, Technical Security Director at Cryptzone, joins Rob Hirschfeld and me to cover the latest topics in cloud, edge and data security. Chris is a well-respected cloud security expert with practical experience securing large infrastructures, as well as an excellent speaker and influencer on all things security.

Key Highlights:

  • Current State of Cloud Security
  • Where & What is On-Premises?
  • Hardware Security and Lack of Industry Use
  • Coming of GDPR (General Data Protection Regulation from European Union) and Impact on US and Global Industry

Time (Minutes.Seconds)  Topic

0.0 – 0.30     Introduction
0.30 – 2.52    State of Cloud Security
2.52 – 7.36    Complexity is the Enemy of Security (Illusion of On-Prem being Secure)
7.36 – 9.20    People are a Vulnerability (Eliminate ALL People)
9.20 – 11.57   Rant Cast on Mgmt & Shadow IT (Rant Podcast)
11.57 – 15.37  Cyxtera is a Data Center / Why Security? (More than Data Centers)
15.37 – 20.00  What is On-Prem? (Physical Access is not Security)
20.00 – 21.39  Let’s Secure the Hardware
21.39 – 24.15  Why Don’t We Turn on H/W Tools?
24.15 – 26.02  Disabling Security for Time to Market
26.02 – 31.28  GDPR is Coming
31.28 – 34.25  Data: Privacy and Ownership
34.25 – 36.29  Edge Infrastructure and Security
36.29 – 42.28  Data Sensitivity in Edge Areas (Data locality and gov’t reach)
42.28 – END    Conclusion and Wrap-Up

Podcast Guest: Christopher Steffen

Christopher Steffen joined Cryptzone in October 2016 as the Technical Director to educate and promote information security and regulatory compliance as it relates to network access management and cloud computing solutions. Before joining the team at Cryptzone, Chris served as the Chief Evangelist – Cloud Security for Hewlett Packard Enterprise (HPE). He has also served in executive roles as the Director of Information Technology at Magpul Industries (a plastics manufacturing company) and as the Principal Technical Architect for Kroll Factual Data (a credit service provider). Steffen has presented at numerous conferences and has been interviewed by multiple online and print media sources. Steffen holds several technical certifications, including CISSP and CISA. Follow him on Twitter at @CloudSecChris.

Five ways I’m Sad, Mad and Scared: the new critical security flaw in firmware no one will patch.

There is a new security vulnerability that should be triggering a massive, fleet-wide server upgrade and patch for data center operators everywhere. This one undermines fundamental encryption features embedded into servers’ trusted platform module (TPM). According to Sophos.com, “this one’s a biggie.”

Yet, it’s unlikely anyone will actually patch their firmware to fix this serious issue.

Why?  A lack of automation.  Even if you agree with the urgency of this issue,

  1. It’s unlikely that you can perform a system-wide software patch or system re-image without significant manual effort or operational risk
  2. It’s unlikely that you are actually using the TPM, because they are tricky to set up and maintain
  3. It’s unlikely that you have any tooling that automates firmware updates across your fleet
  4. It’s unlikely that you have automation to gracefully roll out an update that coordinates BIOS and operating system updates
  5. Even if you can do the above (IF YOU CAN, PLEASE CALL ME), it’s unlikely that you can coordinate both patching the BIOS and re-encrypting/rotating the data signed by the keys in the TPM

Being able to perform these actions should be foundational; however, I know from talking to many operators that there are serious automation and process gaps at this layer. These gaps weaken the whole system because we neither turn on the security features embedded in our infrastructure nor automate ways to systematically maintain them.

This type of work is hard to do.  So we don’t do it, we don’t demand it and we don’t budget for it.

Our systems are far too complex to expect issues like this to be improved away by the next wave of technology. In fact, we see the exact opposite: the faster we move, the more flaws are injected into the system. This is not a security problem alone. Bugs, patches and dependencies cause even more system churn and risk.

I have not given up hoping that our industry will prioritize infrastructure automation so that we can improve our posture.  I’ve seen that fixing the bottom layers of the stack makes a meaningful difference in the layers above.  If you’ve been following our work, then you already know that is the core of our mission at RackN.

It’s up to each of us individually to start fixing the problem.  It won’t be easy but you don’t have to do it alone.  We have to do this together.

Cybercrime for Profit!? Five reasons why we need to start driving much more dynamic IT Operations

Author’s call to action: if you think you already know this is a problem, then why do we keep reliving it? We’re doing our part in the open with Digital Rebar, and we need more help to secure infrastructure using foundational automation.

There’s a frustrating cyberattack-driven security awareness cycle in IT Operations. Exploits and vulnerabilities are neither new nor unexpected; however, there is a new element taking shape that should raise additional alarm.

Cyberattacks are increasingly profit generating and automated.

The fundamental fact of the latest attacks is that patches were available. The extensive impact we are seeing is caused by IT Operations practices that rely on end-of-life components and cannot absorb incremental changes. These practices are based on dangerously obsolete assumptions about perimeter defense and long delivery cycles.

It’s not just new products using CI/CD pipelines and dynamic delivery: we must retrofit all IT infrastructure to be constantly refreshed.

We simply cannot wait because the cybersecurity challenges are accelerating.  What’s changed in the industry?  There is a combination of factors driving these trends:

  1. Profit motive – attacks are not simply about getting information; they are profit centers, made simpler by hard-to-trace cryptocurrency.
  2. Shortening windows – we’re doing better than ever at finding, publishing and fixing issues in the open. That cycle assumes that downstream users are also applying the fixes quickly. Without downstream adoption, the process fails to realize its key benefit.
  3. Automation and machine learning – attackers are using more and more sophisticated automation to find and exploit vulnerabilities. Expect them to use machine learning to make it even more effective.
  4. No perimeter – our highly interconnected and mobile IT environments eliminate the illusion of a perimeter defense. This is not just a networking statement: our code bases and service catalogs are built from many outside sources that often have deep access.
  5. Expanding surface area – finally, we’re embedding and connecting more devices into our infrastructure every second. Costs are decreasing while capability increases. There’s no turning back from that, so we should expect an ongoing list of vulnerabilities.

No company has all the answers for cybersecurity; however, it’s clear that we cannot solve cybersecurity at the perimeter while allowing the interior to remain static.

The only workable IT posture starts with a continuously deployed and updated foundation.

Companies typically skip this work because it’s very difficult to automate in a cross-infrastructure, reliable way. I’ve been working in this space for nearly two decades, and we’re only now delivering deep automation that can be applied in generalized ways as part of larger processes. The good news is that this means we can finally start discussing real, shared industry best practices.

Thankfully, with shared practices and tooling, we can get ahead of the attackers.

RackN focuses exclusively on addressing infrastructure automation in an open way. We are solving this problem from the data center foundations upward. That allows us to establish a security practice that is both completely trusted and constantly refreshed. It’s definitely not the only thing companies need to do, but that foundation and posture helps drive a better defense.

I don’t pretend to have complete answers to the cyberattacks we are seeing, but I hope they inspire more security discipline in all of us. We are on the cusp of a new wave of automated and fast exploits.

Let us know if you are interested in working with RackN to build a more dynamic infrastructure.