Hopefully a chuckle while the room fills before we begin


Presentation on theme: "Hopefully a chuckle while the room fills before we begin"— Presentation transcript:

1 Hopefully a chuckle while the room fills before we begin
“For A Moment, I Had A Feeling Of Total Security. Then Someone Said Cloud!”

2 IT Security – The Missing Piece in IT Replatforming
Introduction of Topic: IT is replatforming again; Gen 3, many call it. Today I’d like to dive into this topic as well as look into what changes are needed to bring security into the fold.

Introduction of Presenter: Steve Opfer, formerly 15 years in IT, Programmer, Dir/VP of IT in Factory Automation before moving to the dark side (sales). The dark side has some huge advantages: it allows me to see so many innovative customers, what they are doing, and why! And unfortunately I also talk to many customers who are in a wait & see mode.

Steve Opfer, Enterprise Sales Director

3 IT Replatforming – Next Gen, Gen 3, …
Gen 3 or IT Replatforming is all over the press. Call it what you like, but we’re all seeing it. It has come in phases: Virtualization, Self-Service, DevOps, Rapid Release, Private Cloud, Public Cloud, Hybrid Cloud. What’s driving all of this? If you’re not either dabbling in it or have both feet in it, you might be left behind – business either moves forward or dies. I’d like to call this “What’s Next”, but really it should be called “What’s Now”.

4 What’s Driving IT Replatforming?
- New Features = New Revenue
- The Business wants new features faster than ever
- IT has Responded: Virtualization, Self Service
- Development has Responded: DevOps, Rapid Releases, Cloud Test & QA
- Security has [Not] Responded: current tools built for Gen 2 data center; in many cases, asking for things to slow down; in other cases, pushed aside in acceptance of Risk
- Provisioning – Weeks to Minutes
- Release Cycle – Quarters to Days
- Change Breaks Security

Gen 3 – Change is being driven by the Business needing new features to drive new revenue, and needing these new features faster than ever to keep pace or be passed by competitors. Application change is now being measured with a stopwatch, not a calendar. Yet Security professionals have both hands tied behind their back with legacy Security tools that can’t handle these speed demands and change demands – Change Breaks Security. IT Security has lost the political strength to stop this; get on the bus or don’t, but the bus is leaving.

5 Legacy Traditional Data Center Basic Virtualization Bare Metal
The Gen 2 legacy DC had Bare Metal moving to Basic Virtualization. The virtualization was intended to recover some of that idle CPU & to reduce costs. There was a slow rate of change and usually a well-defined perimeter to defend. But even this 1st step into virtualization was really the 1st step into the Gen 3 data center, or IT Replatforming.

6 Modern UCS Director
But new tools that enable speed are rapidly changing the world IT has to support. Your internal data center looks a lot like a private Cloud, whether you like that term or not.

7 Modern UCS Director
And that world is rapidly becoming extended out to new data centers (Public Cloud) provided by 3rd parties, with very dynamic, self-service environments providing speed (some say cost savings), and where you no longer have control.

8 Modern UCS Director
Maybe the Cloud is not in front of you now, maybe it’s not something you embrace, but you need to understand it. You need to understand how it affects the decisions you make today, and not just in security. E.g. what does an internal IaaS versus a PaaS choice mean in the long-term scheme to your Apps, your monitoring & your security? If you are forced into a Cloud move, will things port or will you be forced to support multiple environments? The decision to move to the Cloud may not be made by you; it might be made for you. And sooner than you think.

9 Security Must: Embrace Both Legacy and Modern IT
Legacy:
- Seeks control to avoid risk
- Waterfall approach
- Low rate of change
- Data centers / colo
- Approval-driven
- Stringent change control
- Network-centric security
- IT focused (less customer-centric)
- More centralized IT operations

Modern:
- Embraces risk to gain agility
- Fast-iteration approach
- High rate of change
- SDDC / cloud
- Learning-driven
- Little or no change control
- System & app-centric security
- Business focused (closer to customer)
- More distributed IT operations

Legacy IT change was a casual jog versus Modern IT, which is now a fast sprint. The rate of change is accelerating and the winners will be those who embrace change and make the right choices. But which changes? Sales people and the media are spouting Cloud, Cloud, Cloud or some version of this. And the word Cloud is often misinterpreted as meaning only AWS or its rivals. Recently at an IANs function, at dinner, I asked everyone at the table to define Cloud in their opinion; not one said Private Cloud – it was all AWS, Azure, etc. But if you’re already embracing Virtualization, self-service, DevOps and rapid QA & Test, you’ve already embraced a Private Cloud. The real difference between Public & Private Cloud (from a technical definition) is that “where a Public Cloud serves many organizations, a Private Cloud only serves yours”. Regardless of what you call it or where you place it, this change is coming. A former VP of mine once told a group of us, “Either you will use this app or your predecessor will do it for you.” But no transformation is ever immediate or absolute. Change comes over time. So let’s talk about that transformation and how it affects security.

10 Greenfield Applications Core Business Applications
[Diagram: IT Replatforming. Labels: Greenfield Applications, Experiments, Any New Application, High-Risk Migrations, Low-Risk Migrations, Innovation, “BUSINESS AS USUAL”, Core Business Applications, Last Legacy Project, Modern, Legacy]

Some of your core business Apps will always remain snowflakes as they are now. But those legacy applications will rapidly roll into maintenance-only modes as new Cloud-optimized apps take their place. Initially this replatforming will start with experiments and innovation. Some of this innovation will show itself as Shadow IT, outside of your control and planning. Then Greenfield applications, which offer low risk, will be targeted primarily by the technologies that support rapid development, burst-optimized design and an ability to run wherever the business wants them: in your data center, in your private cloud, in someone’s public cloud or in a hybrid version of these. These are followed by all New Application development, which will embrace these concepts from the ground up, and lastly by the business core applications, which will either migrate to these new standards or be frozen in time.

11 IT Security Replatforming
[Diagram: IT Security Replatforming. Labels: Securing DevOps, Trusting Security to Protect your High-Risk Apps Wherever they Reside, New Security Tool Research, Full IT Security Replatforming, “BUSINESS AS USUAL”, Experiments with Public Security, Securing Low-Risk Apps, Network Security, Modern, Legacy Server Security for Critical Apps]

Security has to parallel the Datacenter model or security as we know it will fall behind and/or be left out completely (Embracing Risk to Gain Agility). While your Network Centric security will probably outlive Server security, it will eventually cover an increasingly smaller portion of your application assets. The limited server protection you’ve already deployed with legacy security tools will almost certainly be replaced by new purpose-built Agile Security tools. Your legacy security tools and many of their companies will go the way of the dinosaurs, just as the VT100 did. (Show of hands, who used a VT100?)

During this transformation, we need to decide how clearly we see the future for our applications as we review and experiment with new security solutions.
- Do the [security] tools I’m investing in today work in any datacenter option the business may demand?
- Will I be in a Public Cloud someday? Do I want to support 2 security tool sets?
- Will I be in a Hybrid cloud environment someday?
- Will I have to support elastic bursting and contraction – does my industry have this need? Do the tools I am selecting support these demands?
- How will Rapid Development’s evolution affect my decisions on infrastructure and security?
- How do these tools support the rapid pace in user device demands? What is the next user device?
- Do they support my existing apps and eventually my new apps with the same tool, same infrastructure and the same SMEs?

We all must make security tool decisions which do not limit the other choices we need to make or are forced to make.

12 Legacy Application Development (traditional waterfall)
[Figure: timeline with month initials along the axis; phases: Analysis and design, Coding & implementation, Quality testing, Staging and release; a single release, R1]

This is the world I grew up in, where I started programming, and it has lasted for decades, but time has made it process-heavy and too slow to react to today’s business demands.

13 Modern Application Development (agile / iterative)
[Figure: timeline with month initials along the axis; releases R1 through R12; phases: Analysis and design, Coding and implementation, Quality testing, Staging and release]

Modern Application Development, or DevOps as it’s commonly called, moves at a much faster pace. We have customers like Netflix that are releasing new images a day and rolling over all 50,000 servers every 48 hours. Others like ourselves are slower, with weekly pushes of new code, but our release cycles, testing, QA and marketing concerns cause our releases to be more quarterly, which by DevOps standards is slow and by traditional standards is fast. One huge advantage of DevOps and Cloud Programming techniques such as Micro Services is that it allows you to take a risk: a mistake, instead of hanging around for months or more, can be fixed in minutes without affecting the entire application.

14 Modern Application Development (agile / iterative)
[Figure: timeline with month initials along the axis; rows for App 1, App 2, App 3, App 4 through App n, each with releases R1 through R12; phases: Analysis and design, Coding and implementation, Quality testing, Staging and release]

And we all know it’s not as simple as this happening to one app at a time; it’s all of them happening simultaneously. And your security teams are tasked with securing all of them at the speed rapid development is moving. And not just when they go to production, but in Test & QA as well, so security is not new just when you go to Production, but is part of the cycle from the very origins of the code.

15 Weaving Security & Compliance into Modern AppDev / Devops
[Figure: timeline with month initials along the axis; releases R1 through R12; phases: Analysis and design, Coding and implementation, Quality testing, Staging and release]

- Core security policies already implemented, regardless of environment
- Security unit-testing cases required, or code is rejected (yes, really)
- Code & infrastructure policies ensured using DevOps-style automation
- Staging smoke tests include automated pen-testing, vulnerability assessment, policy validation, security baselines (against gold master)
- All of this feeds into SIEM and GRC tools

Security has to be upfront, “Set it & Forget it”. You can’t be chasing this rabbit; you need to be enabling it or else you’ve already lost the race. Auto code testing is critical, but like everything else it needs to be automated such that developers don’t see it as a hindrance, or they won’t invoke the test. DevOps needs to be protected throughout the cycle, from onset to production, not just after the fact. After-the-fact additions of Security invalidate all testing and aren’t fast enough to prevent attacks in Test & QA. Testing security is like testing your code – it needs to be done on every cycle and from different perspectives to be effective. Security embedded in your code ensures this happens every cycle.
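As an added illustration of the staging check against a gold master named on this slide (not code from the presentation or from any product it refers to), the Python below compares a candidate image's settings to a baseline and returns a non-zero status so the pipeline rejects the build. The sshd-style keywords and both sample configurations are constructed, and the policy that settings absent from the baseline are reported without blocking is an assumption.

```python
"""Staging gate: compare a candidate image's settings to a gold master."""
# Constructed gold master: the hardened values every image must carry.
GOLD_MASTER = """
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""
# Constructed staging candidate: one changed, one missing, one extra setting.
CANDIDATE = """
# image built by the pipeline (sample data)
PermitRootLogin yes
PasswordAuthentication no
MaxAuthTries 3
AllowTcpForwarding yes
"""

def parse_settings(text):
    """Parse 'Keyword value' lines into a dict with lower-cased keywords."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            value = parts[1].strip() if len(parts) > 1 else ""
            # Keep the first occurrence, as sshd does for repeated keywords.
            settings.setdefault(parts[0].lower(), value)
    return settings

def baseline_drift(gold_text, candidate_text):
    """Return sorted (kind, keyword, expected, actual) findings."""
    gold, cand = parse_settings(gold_text), parse_settings(candidate_text)
    findings = []
    for key, expected in gold.items():
        if key not in cand:
            findings.append(("missing", key, expected, None))
        elif cand[key] != expected:
            findings.append(("changed", key, expected, cand[key]))
    for key in cand.keys() - gold.keys():
        findings.append(("unreviewed", key, None, cand[key]))
    return sorted(findings, key=lambda f: (f[0], f[1]))

def gate(findings):
    """Exit status: 1 rejects the build; unreviewed extras only report."""
    return 1 if any(f[0] != "unreviewed" for f in findings) else 0

if __name__ == "__main__":
    results = baseline_drift(GOLD_MASTER, CANDIDATE)
    print(*results, sep="\n")
    raise SystemExit(gate(results))
```

Run as a pipeline step, the exit status is what fails the stage; the findings list is the record that would be forwarded to SIEM or GRC tooling.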

16 You Need Security That Embraces Both Modern and Legacy IT
Legacy:
- Everything “behind the firewall”
- Complete visibility & control
- Fewer changes at slower pace
- IT largely calls the shots
- Natural physical segmentation
- More controlled, paced cadence

Modern:
- Assets are everywhere
- Inconsistent visibility & control
- More & faster changes (by OOM)
- Business units run their own IT
- Physical constructs are gone (portability)
- As-fast-as-automation-allows

Your new security tool choices must support what you have today and what you need to support in the future; otherwise you’ll be supporting multiple environments, multiple infrastructures and SMEs wasted on obsolete technologies, as well as spending an enormous amount of capital. My one takeaway from everything that’s happening around me in IT is it’s happening too fast to accurately predict even what’s around the next corner with any degree of accuracy.

17 8 Keys To Securing The Transformation of IT
- Built directly into core environments
- Security that operates anywhere
- Context-aware operation
- Orchestration of many functions
- Deep automation of each function
- Instant and long-term scalability
- Alignment with DevOps models
- API-based integration capabilities

What must-have metrics should any of your new security purchases provide you? This is the most profound IT transformation you’re likely to see in your career… make it count!

18 Questions or more importantly Thoughts/Comments?
I’m very interested in your thoughts, your perspective on this Gen 3, IT Replatforming – is it coming, is it here, will it endure?

