Tag: security

Enterprise Technology 2015: Heavier Apps, More PaaS, Troubled Security… and more | Sherpas in Blue Shirts

As enterprises freshen their technology mandate for 2015, they stand at the cusp of a multi-dimensional interplay of agility, flexibility, and rising security considerations. Beyond the usual SMAC stack, enterprises are also grappling with challenges to the status quo in terms of faster application development, automated IT operations, the Internet of Things, and process fragmentation.

Following are five technology trends that rose to the top of our list for the important role they will play in enterprise technology in 2015.

    1. Mobile Apps – Will Need a RethinkThe IBM-Apple partnership to tackle enterprise mobility is a significant development that validates our earlier hypothesis. However, the enterprise apps now require a rethink. These apps were conceived to be “light weight” and easy to use, focused on a specific range of capabilities. But, due to increased adoption and constant demand for additional functionality, enterprises are going against this fundamental tenet by coding in multiple features that are making mobile apps heavy and difficult to use. Yet, this same “overhead bulk” has become compulsory to provide features such as analytics across apps usage, offline access, and cloud collaboration that help enterprises perform meaningful tasks. In 2015, enterprises will need to walk a fine line between honoring the basic principles of mobile apps and the persistent demand for increased functionality.
    2. PaaS – The Needle Will Move FurtherWhile Platform-as-a-Service (PaaS) has been touted as the “next wave” since its inception, it never fulfilled its purported potential of adding meaningful value. However, enterprise technology may see that change in 2015 given the push from leading vendors such as Microsoft (Azure), IBM (Bluemix), Red Hat (OpenShift), Salesforce (Salesforce1), and AWS (Elastic Beanstalk). The PaaS business case will be enhanced by IaaS providers offering “PaaS-like” features (which is already happening), as well as PaaS platforms getting integrated with IaaS (e.g., the recent partnership between Apprenda and Piston Cloud). Although we do not believe PaaS will become the face of the cloud, we indeed expect 2015 to push its adoption within enterprises.
    3. Cyber Security and Open Source – Conundrum Won’t be SolvedThe Sony hacking scandal reiterated the importance of enterprise security – which is often taken lightly as compared to most cool next-gen initiatives – and has turned cyber security into a top priority for 2015. However, with the proliferation of Open Source Software (OSS) in enterprises, this “insecure” perception will surge. Enterprises are aggressively looking toward OSS with a host of next-generation technology areas such as cloud (OpenStack), Big Data (Hadoop), mobility, IT operations automation (Chef, Puppet), and content management (Drupal, Joomla!). With marquee B2C corporations such as Netflix, Samsung, and Facebook already having undertaken major, well-publicized OSS initiatives, other traditional enterprises will be pushed hard, despite a concern for security. Google teaming up with Samsung to include Knox (additional enterprise security features) to make Android more appealing for the enterprise is a step in answering this conundrum. However, it won’t be solved in 2015.
    4. Battle for Container Supremacy – Docker Will be ChallengedApplication development is getting a relook within enterprises with increased interest in container technology. Docker, the poster child for containers, whose open platform helps developers to build, ship, and run distributed applications, was rocketed in 2014 with competition from CoreOS. While Docker container technology is now supported by most platforms such as Amazon, Google, IBM, Microsoft, and VMware, its shortcomings are becoming visible. Developers believe Docker “replaces” virtualization but provides limited platform-type support, and its containers are becoming resource intensive. Moreover, given Docker’s early foray into container management, it will be pitted against the might of Google Kubernet and AWS, as well as nimble players such as Giant Swarm. This may dilute Docker’s focus on developing next-generation container technology, leaving an ample field for competitors to exploit.
    5. Analytics – Focus Will be on Bread and ButterWith millions of dollars invested in data analytics initiatives, 2015 will make enterprises reassess the opportunity cost and value of data. While tools such as Hadoop and NoSQL have greatly reduced the entry barriers to analytics, they have witnessed middling adoption. Enterprises still have a long way to go to embed analytics in their existing processes. Therefore, despite the Internet of Things and wearable devices taking off and generating more machine data for organizations to tap into, these new initiatives will not be an immediate priority for 2015. In 2015, enterprises will get their analytics act together to focus on existing processes, consolidation, rationalization, and targeted spending, with data management, governance, and security taking priority.

Danish physicist and Nobel Prize winner Niels Bohr once commented that, “prediction is very difficult, especially if it’s about the future.” So, please join us out on the limb. What are your predictions for 2015 enterprise technology?

Why Healthcare IT Security Must Be at the Forefront of the CIO Agenda | Sherpas in Blue Shirts

Considering the nature of regulations and the sensitivity of personal information, one would assume that IT security is a top priority in the healthcare space. However, an estimated 29 million+ patient health records have been compromised, (classified as HIPAA data breaches,) since 2009. The number of health records breached in 2013 jumped a whopping 138% over 2012. Serious security flaws have even been detected in Obamacare’s much-touted flagship health insurance exchange website, HealthCare.gov, including severe lapses spanning JSON injection, unsanitized URL redirection, user profile disclosures, cookie theft, and unprotected APIs.

An Afterthought

Healthcare IT security challenges

The pace at which IT is changing the healthcare landscape makes it a prime target for malicious activity. Industry headwinds such as big data, payer-provider convergence, BYOD, HIX, EHR/EMR, and the Internet of Things (IoT) are adding to the healthcare information security conundrum. Patient records have become increasingly common in the fraud marketplace. When combined with other data sources such as insurance and medical data, the problem assumes more alarming proportions.

And it’s not a case of absence of punitive measures. Under the new HIPAA Omnibus Rule (effective from September 2013), firms face fines of up to US$1.5 million in the event of a violation (“willful neglect that was not timely corrected”). Europe has enacted several data security measures. Even before the latest regulatory rulings, insurer WellPoint was fined US$1.7 million after its online application database exposed information concerning more than 600,000 patients.

Feeding the problem

Although CIOs often list security as a priority imperative, it just doesn’t translate into actual spending. This discrepancy can be attributed to a confluence of reasons. The problem originates in a lax culture regarding IT security. The majority of information security breaches are highly avoidable, and most lapses can be traced back to sloppy system administrator password practices, careless sharing of sensitive information, failure to change default login credentials, among others. Healthcare information security is still not a top execution priority for most personnel, and most security programs are hampered by lack of relevant expertise and attention. Regulatory inconsistencies compounds the issue, i.e., multiple agencies are involved (FTC, FDA, FCC, to name a few), and their often divergent mandates contribute to the travails of healthcare IT security stakeholders.

Healthcare IT security roadmap

Stakeholders – both buyers’ internal IT teams and third-party service partners –face an increasingly complex technology conundrum. Any mitigation strategy should incorporate leading practices utilized in similar initiatives:

  • Conduct a thorough risk-assessment to proactively identify and secure vulnerabilities
  • Establish clear level-driven permission policies (on a need-to-access basis) applicable to data, applications, and devices (keeping in mind expanding BYOD policies)
  • Institute appropriate staffing practices to make sure personnel with relevant skills are given charge of security tasks
  • Ensure adequate personnel training and sensitization toward information security
  • Implement best-in-class encryption standards
  • Collaborate with business associates (held to the same standards as HIPAA-covered entities) to establish processes and enforce standards
  • Evaluate the security strategy along a security versus accessibility paradigm
  • Drive synergy between the business and IT vision to avoid incoherent implementation resulting from disparate imperatives

Ultimately, any healthcare IT security policy has to encapsulate the individual needs and challenges of various stakeholders – patients, providers, payers, and third parties – to ensure equitable access and health information exchange for coordinated care. The unenviable task of securing healthcare information in the onslaught of exploding devices and touch points calls for a carefully thought-out and implemented approach. But first, healthcare IT security must make a monumental shift from being an afterthought to being a primary strategic imperative in any plan design.

Notes from the Interop NYC 2011 Carrier Cloud Forum | Gaining Altitude in the Cloud

I had the good fortune to participate in a lively panel discussion at this week’s Interop NYC Carrier Cloud Forum on the topic of Enterprise Expectations for Cloud Services. My co-panelists were Troy Angrignon of Cloudscaling, and Charlie Burns of Saugatuck Technology, and the moderator was Carol Wilson from Light Reading. We covered a pretty broad waterfront, discussing everything from the state of enterprise cloud adoption to enterprise perceptions of telcos/carriers as potential cloud service providers. Some of the more interesting exchanges focused on the following points:

  • The market noise is getting deafening – one of the biggest emerging obstacles to enterprise cloud adoption is actually the market confusion being created around what cloud is (and isn’t). Every enterprise IT vendor, including hardware, software or services, is pitching a cloud story, whether it actually has capabilities or not. The vendor marketing onslaught is making it extremely difficult for CIOs to separate truth from fiction, and in many cases is slowing down efforts to drive migration. The good news? This is a purely self-inflected wound from a cloud industry perspective, and it should sort itself out over time. The bad news? In the short term, some CIOs are starting to tune out, or at least very skeptical in engaging in yet another vendor discussion around cloud.
  • It’s all about business agility – on the topic of what ultimately will be the primary driver of enterprise cloud migration, there was some healthy debate around the importance of the cost efficiency value proposition to enterprises. While we all generally agreed that business agility and flexibility was going to be the dominant theme, there were differing perspectives on how important a compelling cost reduction component was going to be. Some think agility alone will be enough, while others (including me) believe that overall cost improvements of 30+ percent will be required to get the attention of enterprise CIOs and to drive wide-scale transformation, particularly in infrastructure.
  • Cloud security is often more about IT job security – Charlie Burns made the great observation that enterprise concerns around data security often have more to do with IT executives’ anxiety about their future roles, and less to do with actual cloud security. Major cloud service providers have matured quite a bit when it comes to security, and the major enterprise issue now has more to do with transparency than the actual security policies and practices being implemented by providers.
  • Significant market “white space” still exists – we agreed that enterprises view the network as a critical component of cloud services and that carriers have a strong “card to play” as enterprise cloud emerges. Rather than focusing on horizontal IaaS services, carriers may be better off identifying specific solution areas and use cases where network ownership could create strategic differentiation and advantage – for example, use cases in which high availability or bandwidth are critical. While we all recognized the challenges of carriers entering more horizontal IaaS or PaaS markets from scratch, Troy gave an interesting example of how Cloudscaling has recently helped KT launch cloud IaaS services in Asia that were priced 30 percent lower than Amazon AWS.

Thanks again to Troy, Charlie, and Carol for a great discussion!

Photo Credit: Interop Events

Where Are Enterprises in the Public Cloud? | Gaining Altitude in the Cloud

Amazon Web Services (AWS) recently announced several additional services including dedicated instances of Elastic Compute Cloud (EC2) in three flavors: on demand, one year reserved, and three year reserved. This should come as no surprise to those who have been following Amazon, as the company has been continually launching services such as CloudWatch, Virtual Private Cloud (VPC), and AWS Premium Support in an attempt to position itself as an enterprise cloud provider.

But will these latest offerings capture the attention of the enterprise? To date, much of the workload transitioned to the public cloud has been project-based (e.g., test and development), and peak demand computing-focused. Is there a magic bullet that will motivate enterprises to move their production environments to the public cloud?

In comparison with “traditional” outsourcing, public cloud offerings – whether from Amazon or any other provider – present a variety of real or perceived hurdles that must be overcome before we see enterprises adopt them for production-focused work:

Security: the ability to ensure, to the client’s satisfaction, data protection, data transfer security, and access control in a multi-tenant environment. While the cloud offers many advantages, and offerings continue to evolve to create a more secure computing environment, the perception that multi-tenancy equates to lack of security remains.

Performance and Availability: typical performance SLAs for the computing environment and all related memory and storage in traditional outsourcing relationships are 99.5– 99.9 percent availability, and high availability environments require 99.99 percent or higher. These availability ratings are measured monthly, with contractually agreed upon rebates or discounts kicking in if the availability SLA isn’t met. While some public cloud providers will meet the lower end of these SLAs, some use 12 months of previous service as the measurement timeline, while others define an SLA event as any outage in excess of 30 minutes, and still others use different measurements. This disparity leads to confusion and discomfort among most enterprises, and the perception that the cloud is not as robust as outsourcing services.

Compliance and Certifications: in industries that utilize highly personal and sensitive end-user customer information – such as social security number, bank account details, or credit card information – or those that require compliance in areas including HIPPA or FISMA, providers’ certifications are vital. As most public cloud providers have only basic certification and compliance ratings, enterprises must tread very carefully, and be extremely selective.

Support: a cloud model with little or no support only goes so far. Enterprises must be able to get assistance, when they need it. Some public cloud providers – such as Amazon and Terremark – do offer 24X7 support for an additional fee, but others still need to figure support into their offering equation.

Addressing and overcoming these measuring sticks will encourage enterprises to review their workloads and evaluate what makes sense to move to the cloud, and what will remain in private (or even legacy) environments.

However, enterprises’ workloads are also price sensitive, and we believe, at least today, that the public cloud is not an economical alternative for many production environments. Thus enterprise movement to the cloud could evolve one of several ways. In a hybrid cloud where the bulk of the production environment will be placed in a private cloud and peak demand burst to the public cloud. Or will increased competition, improved asset utilization and workload management continue to drive down pricing, as has happened to Amazon in both of the past two years? If so, will enterprises bypass the hybrid path and move straight to the public cloud as the economics prove attractive?

The ability to meet client demands, creating a comfort level with the cloud and the economics all play a role into how and when enterprises migrate to the cloud. The market is again at an inflection point, and it promises to be an exciting time.

How can we engage?

Please let us know how we can help you on your journey.

Contact Us

  • Please review our Privacy Notice and check the box below to consent to the use of Personal Data that you provide.