Archive for the ‘Innovation’ Category

Hypervisors Are Becoming a Commodity…Virtualization Is a Feature?

November 14th, 2007

A couple of weeks ago I penned a blog entry titled "The Battle for the HyperVisor Heats Up"
in which I highlighted an announcement from Phoenix Technologies
detailing their entry into the virtualization space with their
BIOS-enabled VMM/Hypervisor offering called HyperCore.

This drew immediate parallels (no pun intended) to VMware and Xen’s plans to embed virtualization capabilities into hardware.

The marketing continues this week with interesting announcements from Microsoft, Oracle and VMware:

  1. VMware offers VMware Server 2 as a free virtualization product to do battle against…
  2. Oracle offering "Oracle VM" for free (with paid support if you
    like) which claims to be 3 times as efficient as VMware — based on
    Xen.
  3. Microsoft officially re-badged its server virtualization technology as Hyper-V (nee Viridian)
    detailing both a stand-alone Hyper-V Server as well as technology integrated into W2K8 Server.

It seems that everyone and their mother is introducing a virtualization platform and the underpinning of commonality between basic functionality demonstrates how the underlying virtualization enabler — the VMM/Hypervisor — is becoming a commodity.

We are sure to see fatter, thinner, faster, "more secure" or more open Hypervisors, but this will be an area with less and less differentiation.  Table stakes.  Everything’s becoming virtualized, so a VMM/Hypervisor will be the underlying "OS" enabling that transformation.

To illustrate the commoditization trend as well as a rather fractured landscape of strategies, one need only look at the diversity in existing and emerging VMM/Hypervisor solutions.   Virtualization strategies are beginning to revolve around a set of distinct approaches where virtualization is:

  1. Provided for and/or enhanced in hardware (Intel, AMD, Phoenix)
  2. A function of the operating system (Linux, Unix, Microsoft)
  3. Delivered by means of an enabling software layer (nee
    platform) that is deployed across your entire infrastructure (VMware, Oracle)
  4. Integrated into the larger Data Center "Fabric" or Data Center OS (Cisco)
  5. Transformed into a Grid/Utility Computing model for service delivery

The challenge for a customer is making the decision on whom to invest in now.  Given the fact that there is not a widely-adopted common format for VM standardization, the choice today of a virtualization vendor (or vendors) could profoundly affect one’s business in the future since we’re talking about a fundamental shift in how your "centers of data" manifest.

What is so very interesting is that if we accept virtualization as a feature defined as an abstracted platform isolating software from hardware then the next major shift is the extensibility, manageability and flexibility of the solution offering as well as how partnerships knit out between the "platform" providers and the purveyors of toolsets.

It’s clear that VMware’s lead in the virtualization market is right in line with how I described the need for differentiation and extensibility both internally and via partnerships.

VMotion is a classic example; it’s clearly an internally-generated killer app. that the other players do not currently have and really speaks to being able to integrate virtualization as a "feature" into the combined fabric of the data center.  Binding networking, storage, computing together is critical.  VMware has a slew of partnerships (and potential acquisitions) that enable even greater utility from their products.

Cisco has already invested in VMware and a recent demo I got of Cisco’s VFrame solution shows they are serious about being able to design, provision, deploy, secure and manage virtualized infrastructure up and down the stack, including servers, networking, storage, business process and logic.

In the next 12 months or so, you’ll be able to buy a Dell or HP server using Intel or AMD virtualization-enabled chipsets pre-loaded with multiple VMM/Hypervisors in either flash or BIOS.  How you manage, integrate and secure it with the rest of your infrastructure — well, that’s the fun part, isn’t it?

I’ll bet we’ll see more and more "free" commoditized virtualization platforms with the wallet ding coming from the support and licenses to enable third party feature integration and toolsets.

/Hoff

Why Security Should Embrace Disruptive Innovation — and Become Innovative In the Process

October 24th, 2007

One of the more interesting things I get to do in my job is steer discussions with customers and within industry on the topic of innovation.  After all, the ‘I’ word is in my official title: Chief Architect, Security Innovation.  You don’t often see those two words utilized in union.

Specifically, I get my jollies discussing with folks up and down the stack how "Information Security" can and should embrace disruptive technology/innovation and actually become innovative in the process.

It’s all a matter of perspective — and clever management of how, what and why you do what you do…and as we’ve discovered, how you communicate that.

Innovation can simply be defined as people implementing new ideas to creatively solve problems and add value.  How you choose to define "value" really depends upon your goal and how you choose to measure the impact (or difference as some like to describe it) on the business you serve.  We don’t need to get into that debate for the moment, however.

Disruptive technology/innovation is a technology, product or service that ultimately overturns the dominant market leader, technology or product.  This sort of event can happen quickly or gradually and can be evolutionary or revolutionary in execution.  In many cases, the technology itself is not the disruptive catalyst, but rather the strategy, business model or marketing/messaging creates the disruptive impact.

It’s really an interesting topic and an important one at this period in time; we’ve got a rough patch to hoe in the "Information Security" world.  The perception of what we do and what value we add is again being called into question.  This is happening because while the business innovates to gain competitive advantage, we present bigger bills that suckle profit away from the bottom line without being viewed as contributing to the innovative process but rather strictly as a cost of doing business.

I’m delivering my keynote at the Information Security Decisions conference on this very topic. The focus of the presentation will demonstrate how, even with emerging disruptive innovations that have profound impact upon what we do such as SaaS, the consumerization of IT and virtualization, "Information Security" practitioners and managers can not only embrace these technologies in a prescribed and rational manner, but do so in a way that provides alignment to the business and turns disruptive technology into an opportunity rather than a curse.

If you’re in Chicago on November 5th at the ISD conference, come throw stuff at me…they’ve got a great cast of speakers queued up: Bruce Schneier, Howard Schmidt, Eugene Spafford, David Litchfield, Dave Dittrich, David Mortman, Stephen Bonner, Pete Lindstrom, and many more.  It’ll be a good conference.

/Hoff

I Know It’s Been 4 Months Since I Said it, but “NO! DLP is (Still) NOT the Next Big Thing In Security!”

August 24th, 2007

Nope.  Haven’t changed my mind.  Sorry.  Harrington stirred it up and Chuvakin reminded me of it.

OK, so way back in April, on the cusp of one of my normal rages against the (security) machine, I blogged how Data Leakage Protection (DLP) is doomed to be a feature and not a market.

I said the same thing about NAC, too.  Makin’ friends and influencin’ people.  That’s me!

Oh my how the emails flew from the VP’s of Marketing & Sales from the various "Flying V’s" (see below).  Good times, good times.

Here’s snippets of what I said:


Besides having the single largest collection of vendors that begin with
the letter ‘V’ in one segment of the security space (Vontu, Vericept,
Verdasys, Vormetric…what the hell!?) it’s interesting to see how
quickly content monitoring and protection functionality is approaching
the inflection point of market versus feature definition.

The "evolution" of the security market marches on.

Known by many names, what I describe as content monitoring and
protection (CMP) is also known as extrusion prevention, data leakage or
intellectual property management toolsets.  I think for most, the
anchor concept of digital rights management (DRM) within the Enterprise
becomes glue that makes CMP attractive and compelling; knowing what and
where your data is and how its distribution needs to be controlled is
critical.

The difficulty with this technology is that, just like any other
feature, it needs a delivery mechanism.  Usually this means yet another
appliance; one that’s positioned either as close to the data as
possible or right back at the perimeter in order to profile and control
data based upon policy before it leaves the "inside" and goes "outside."

I made the point previously that I see this capability becoming a
feature in a greater amalgam of functionality;  I see it becoming table
stakes included in application delivery controllers, FW/IDP systems and
the inevitable smoosh of WAF/XML/Database security gateways (which I
think will also further combine with ADC’s.)

I see CMP becoming part of UTM suites.  Soon.

That being said, the deeper we go to inspect content in order to
make decisions in context, the more demanding the requirements for the
applications and "appliances" that perform this functionality become.
Making line speed decisions on content, in context, is going to be
difficult to solve. 

CMP vendors are making a push seeing this writing on the wall, but
it’s sort of like IPS or FW or URL Filtering…it’s going to smoosh.

Websense acquired PortAuthority.  McAfee acquired Onigma.  Cisco will buy…

I Never Metadata I Didn’t Like…

I didn’t even bother to go into the difficulty and differences in classifying, administering, controlling and auditing structured versus unstructured data, nor did I highlight the differences between those solutions on the market who seek to protect and manage information from leaking "out" (the classic perimeter model) versus management of all content ubiquitously regardless of source or destination.  Oh, then there’s the whole encryption in motion, flight and rest thing…and metadata, can’t forget that…

Yet I digress…let’s get back to industry dynamics.  It seems that Uncle Art is bound and determined to make good on his statement that in three years there will be no stand-alone security companies left.  At this rate, he’s going to buy them all himself!

As we no doubt already know, EMC acquired Tablus. Forrester seems to think this is the beginning of the end of DLP as we know it.  I’m not sure I’d attach *that* much gloom and doom to this specific singular transaction, but it certainly makes my point:

August 20, 2007

EMC/RSA Drafts Tablus For Deeper Data-Centric Security
The Beginning Of The End Of The Standalone ILP Market

by Thomas Raschke
with Jonathan Penn, Bill Nagel, Caroline Hoekendijk

EXECUTIVE SUMMARY

EMC expects Tablus to play a key role in
its information-centric security and storage lineup. Tablus’ balanced
information leak prevention (ILP) offering will benefit both sides of
the EMC/RSA house, boosting the latter’s run at the title of
information and risk market leader. Tablus’ data classification
capabilities will broaden EMC’s Infoscape beyond understanding
unstructured data at rest; its structured approach to data detection
and protection will provide a data-centric framework that will benefit
RSA’s security offerings like encryption and key management. While
holding a lot of potential, this latest acquisition by one of the
industry’s heavyweights will require comprehensive integration efforts
at both the technology and strategic level. It will also increase the
pressure on other large security and systems management vendors to
address their organization’s information risk management pain points.
More importantly, it will be remembered as the turning point that led
to the demise of the standalone ILP market as we know it today.

So Mogull will probably (still) disagree, as will the VP’s of Marketing/Sales working for the Flying-V’s who will no doubt barrage me with email again, but it’s inevitable.  Besides, when an analyst firm agrees with you, you can’t be wrong, right Rich!?

/Hoff

 

Security Innovation?

August 11th, 2007

I migrated to a new job recently.  My previous job was "Chief Security Strategist."  Sounds linear, logical and pompous.  If you know me at all, the title doesn’t exactly fit me well.  I’m a fuzzy-logic, paint with a broad brush, and a reasonably palatable fellow.

My new title, which I created, is Chief Architect, Security Innovation.  I like this title because it means I think about things in a manner that implies they are going to be built.   It’s also  somewhat of an odd title, because when most people think of security, the last thing they expect to hear is the word "innovation" bolted onto the end of it.

Normally, one might expect to find words and phrases like "speed bump, insurance, pain, slow, firewall, policies, police, annoying, abrasive, and cost-center" associated with security.  But innovation?

Nobody really believes that security can be innovative, do they?  I do.

I like this word, what it stands for and what it means to security and the people who try and make a difference when implementing it with passion, and it is the focus of this post.  I think the reason security isn’t thought of as being innovative is that the people making the decisions don’t let themselves innovate!

Read on.

I’m driven by a fanatic gravitational attraction to change and enjoy being a catalyst for new thought, different ways of thinking and encouraging people to push harder and smarter in order to produce better output for any given input.  I like to solve problems; usually in the simplest way possible.  Often times, the simplest answers are the hardest to come by.  I don’t think it’s a question of "thinking outside the box."  I think it’s more an issue of allowing oneself to pretend there isn’t a box at all.

Some people mistake what I described above as a focus on being more efficient, but to me, efficiency is a by-product of innovation and innovative methods of problem solving.

People approach problem solving in many different ways.  Some like to noodle on a problem space and reason logically over a period of time, considering all empirical elements and paths leading to what may be multiple solutions and then choosing one as the recommended response.

Others like to drive to a solution as quickly as possible, thin-slicing their way to a terminus using instinct, intuition and adjacency to arrive at an answer a priori.

I’ll ask you to think about how you approach problem solving within the scope of your career. Since most of the folks who read this blog are in some manner security focused, think about your last complex security problem set as you read this.  Did you take your time or were you pushed (or push yourself) to snap-to and deliver a solution?

Guy Kawasaki’s blog turned me on to a really fascinating manifesto by Matthew May titled "Mind of the Innovator: Taming the Traps of Traditional Thinking", which is a really great follow-on to his book titled "The Elegant Solution."

"Mind of the Innovator…" provides a frank and compelling perspective on how people solve problems, and is illustrated by describing the seven deadly sins people commit when challenged.

The thing that really intrigued me about this piece is that anyone can arrive at a solution.  However, simple, elegant and creative solutions to problems usually don’t arrive easily and without complex thought distilled.  Worse yet, humans are generally horrible creatures of habit and revert to mental muscle memory to arrive at an answer and that’s not good creative problem solving, either.

I do hope Guy forgives me, but rather than try and imitate his summary of these sins, I am going to re-post his version here because, as usual, he’s done a fantastic job in doing so.

From Guy’s blog, here is a summary of Matthew May’s 7 deadly sins of problem solving:

  1. Shortcutting. Leaping to solutions in an
    instinctive way or intuitive way—i.e. the “blink” method of
    problem-solving—seldom leads to an elegant solution because deeper,
    hidden causes don’t get addressed. Watch CSI and House: first they
    collect the evidence, then diagnose, and then solve. It’s never the guy
    or the disease you initially suspect.

  2. Blindspots. Blindspots are the umbrella term
    for assumptions, biases, and mindsets that we cannot see through or
    around. Our brain does a lot of “filling in” for us because it’s a
    pattern maker and recognizer. Ths cn b hrd fr ppl t cmprhnd, hwvr, mst
    cn ndrstntd ths sntnc wth lttl prblm. But clear thinking involves more
    than simply filling in spaces in words.

  3. Not Invented Here (N.I.H.). NIH means that you
    refuse to consider solutions that are from external sources. It means
    “If we didn’t come up with it, it won’t work. It is of no use.” Next
    time you’re waiting for an elevator, watch someone walk up and hit the
    button even though it’s already lit. We often don’t trust others’
    solutions!

  4. Satisficing. Ever wonder why some solutions
    lack inspiration, imagination, and originality? It’s because by nature
    we satisfice—satisfy plus suffice. We glom on to what’s easy and stop
    looking for the optimal solution. What’s the least number of “sticks”
    you need to move to make this Roman numeral equation correct? XI + I =
    X. If you answered anything but zero, you satisficed. Look at it upside
    down.

  5. Downgrading. Downgrading is the close cousin of
    satisficing but with a twist: a formal revision of the goal or
    situation. Reason? No one likes to fail. Result? We fall short of the
    killer app, so we pick the one that allows us to declare victory. Next
    time you’re playing hockey or football, try winning the game by hitting
    the outside of the post or taking the ball down to the one-yard line.

  6. Complicating. Why do we overthink, complicate,
    and add cost? And why do we ALL do it so intuitively, naturally, and
    (here’s the killer) consistently? Answer: we’re hardwired that way. Our
    brains are designed to drive hoarding, storing, accumulating, and
    collecting-type behavior. We are by nature “do more/add on” types.
    Don’t believe it? Watch the customers at Costco or Sam’s Club buy
    thirty-six rolls of toilet paper.

  7. Stifling. We do naturally do the “Yeah, but..”
    dance in which we stifle, dismiss, and second-guess ideas. It’s
    ideacide, pure and simple. And it’s not just others’ ideas we stifle;
    we often do it to our own and kick ourselves later when someone else
    “steals” our great idea. Remember how Decca Records rejected the
    Beatles? “Guitar bands are on the way out.”

So, the next time you’re asked to solve a problem, don’t fall victim to these traps.

As an overly simple example, perhaps next time you’re faced with a security problem to solve, think different; instead of deploying that $50,000 firewall as an autonomic solution to protect a web-based application because that’s what we’re programmed to do, fix the application’s input validation instead and use an ACL in a router? 

Just a thought.  Think.

/Hoff
