Episode 1

January 28, 2025

01:03:51

Episode 1 - The Evolution of ICT

DevSecOops

Show Notes

An historical perspective on how ICT has evolved over the years. The change from on-prem, to cloud, hybrid, and how things continue to change.

Episode Transcript

[00:00:06] Tom: Welcome to the DevSecOops podcast, where we explore the past, present and future of computing in the modern workplace.

[00:00:12] Scotti: Your hosts are a trio of experts from Cordant, each representing different areas within IT. A bit like a nerdy A-Team.

[00:00:19] James: So join Tom, James and Scotty for a regular, mostly serious podcast providing you with pragmatic advice and insights into modernizing your IT environment. Hello and welcome to today's episode. My name's James and with me I have my good friends Tom and Scott. In our collective roles, we spend a lot of time guiding clients on technology modernization, especially as it relates to digital adoption. So that can be either for customer facing platforms or internal purposes, and it tends to span a vast array of technology sets. So typically when we're working with our clients, this means diving into aspects of operational practice, software delivery, infrastructure, and of course, security. Or in other words, the classic DevSecOps ways of working. In our time doing this, we've seen an enormous amount of change that organizations have had to face into, and we also know that the pace of change seems to be ever accelerating. So in today's episode, we thought it'd be fun to step back and take a look at some of the major technology evolutions that are driving that pace of change and to discuss the impact that those have had on the organizations that we work with. Tom, I'd love to start with you. You've worked with a lot of very large enterprise clients over the years, tackling mission critical run-the-business platforms. Can you give a quick introduction to yourself and maybe offer some thoughts on the major trends you've witnessed in our industry and how they've impacted organizations that you've worked with?

[00:01:37] Tom: Yeah, thanks James, and thanks Scott. It's a pleasure to be doing this podcast with you.
So I actually started my career as a network engineer, which I think is not particularly unique, but sometimes I look back and wonder, how did I get here? Like the old Talking Heads song. I sort of worked in network engineering, moved into small-medium business service support, and then got my first crack in the big leagues, if you like, working for Coles back in around about 2010. They were just starting on their cloud journey, but were a very, very large VMware shop. So yeah, working with Coles, I was exposed to a lot of the operational practices, and Coles actually said it themselves. The motto that went around was "what does good look like?" And they were constantly striving to improve their IT processes and innovate with what they did have. So that was my sort of first exposure to it. From there, we actually all worked together for the first time at Australia Post, so I went over there as part of a security SWAT team, first and foremost working at SecurePay, doing some secure and stabilise work there before moving back into Australia Post, where we actually met James, and then over to MLC before, for my sins, joining Oracle and working vendor-side for a couple of years. And that was really good fun because that was an exposure to the other side. It was great to have that customer-side exposure, but to also be on the vendor side and see at times the understanding and at other times the disconnect the vendors would have with the realities of what customers were going through. So I guess in that time, certainly from an evolution perspective, we've gone from everything was physical, through to the virtualization boom of the early 2000s where everything was VMware, through to "cloud is the answer, what is the question?" And now I think we're in the age where cloud really is that stable, evolved, mature platform that gives people a real alternative to virtualization, the traditional compute virtualization.
But it's surprising how many customers I still see today that are running things very much like Coles was in circa 2010 as well. So every organization that I work with seems to be at a different stage of evolution, and that's what makes this job fun. You know, if everyone had things sorted out and were perfectly up in the cloud, then it'd be a pretty boring day job, I think. So that's me and the evolution of IT I've seen up to now at a high level. I'll maybe pass it over to Scott. Our paths intertwined at some point during that journey as well, so I'd be keen to get your story from where we weren't working together as well.

[00:04:18] Scotti: Yeah, thanks Tom, and thanks James. It is also great to be here. I had a slightly different introduction into IT and cyber. I actually started life as a software developer. I started writing computer software when I was 16, I think, missing high school to write software at home during the day. I ended up getting a job as a software developer when I was 18. I spent a lot of time writing Microsoft .NET. Actually it was Visual Basic 6, it's now showing my age a little bit, and Access applications, which then became .NET 1, .NET 1.1, .NET 2, 3 and it goes on. So I spent many years writing software applications, and I ended up working for some organizations that wrote software that was actually used in the real world for critical applications, specifically one that had a large chain of custody concern. And that was where I fell in love with cyber security. I saw a whole range of cyber issues in some software products that we were building. In the end, I wrote a fairly large report, got it validated by an independent third party who ended up hiring me, and then I spent the next six to seven years as an offensive security professional. So penetration testing, red teaming, purple teams across Australia and New Zealand, because I come from New Zealand originally, although Australia is definitely home now.
And I would definitely say that organizations are on some interesting journeys when it comes to cyber. I see a lot of organizations still thinking that cyber is an afterthought, certainly, and I know it sounds very cliché and I'm trying to avoid those, but you still see organizations that get a pen test at the end and that's the whole sum total of their security investment. And you can definitely see that in the outcomes. From my time as a defensive security professional, I can see that a lot of organizations go out there, they go to market. One of the key things that we would see time and time again is that you would go to market, look for a piece of software, purchase something, not really even engage with the vendor around security requirements, and you would see the negative outcomes at the end of the project. Specifically, it's insecure. You've wasted 10 to 20 million dollars on implementation over four years. And in fact, the money isn't the biggest issue. It's the issues with privacy, certainly around critical infrastructure.

[00:06:41] Tom: What about yourself, James?

[00:06:43] James: Yeah, it's interesting, you know, listening to the background that you guys have had, because obviously aspects of mine have been similar, but also a slightly different path. You know, I actually was originally a mechanical engineer by qualification, and I found when I came out of university and I started work in the professional engineering industry, I was really surprised by how backward it was in terms of the adoption of technology. So I found myself increasingly gravitating towards trying to do things in software and program things and find solutions with a technology base that the industry was sort of struggling with at that point, and inevitably found myself more into software development and ultimately made the transition into IT full time through that. So I've done a bit of everything in my day.
I've done software development and delivery for large banking environments and then moved into infrastructure and solution architecture. I think the last program I did for a major bank back in the day was, you know, 35,000 concurrent user sessions and millions of dollars worth of infrastructure spanning multiple data centres. And it was an enormous investment. And then from there I really found my path with cloud computing and moving more into consulting. And I think that's where I started to really understand the true business impact of the sort of things that we can do with technology and the way that we can transform organizations as well. You know, it's not enough to be right from a technical point of view. You actually have to be able to bring something to the table that drives a genuine business outcome. I think that's probably been one of the biggest lessons that I've gone through in the time of my technical career. But yeah, you know, definitely going from those days of software development through to actually having to build out infrastructure and understand the various challenges and pitfalls that come along with that. What does a good network topology look like? How do we apply security consciously and not just plug it in at the end, as so many organizations do? And it's interesting, you know, I look at some of the big trends that have occurred in industry over the time that I've been doing that. I think some of them have been very technical in nature. You know, you get the classic centralization, decentralization models where we're always trying to balance the notion of autonomy with that of synergies and economies of scale, and every organization sort of gets attracted to one or the other. And the pendulum tends to swing back and forth over time. We've also seen things like the rise of open source software as well.
There was a time in enterprise where everything was proprietary and nobody would touch open source software because there was no support agreement, to now a place where we actually embrace it because we love the transparency of it. And so you see these interesting technology trends. But to me, there's one thing that really leaps out that I think has really changed our industry massively. And I think it's the real catalyst for a lot of the things we see happening today. And to me, it's absolutely the rise of digital. And by digital adoption, I really mean things like mobile technology, right? So the use of mobile phones, the expectation of consumers now of having an always on, always available, go wherever they go, access to products and services. It didn't really exist eight or nine years ago. It's been an enormous transformation. And I think to me, what it's actually driven is a scenario where organizations are now actually trying to chase that transformation and they're trying to keep up, they're trying to maintain pace, they're trying to gain competitive advantage in industry by rapidly adopting technology sets. And that's obviously where challenges arise in organizations. Because it's not just a matter of buying a piece of software or plugging a system in and turning it on. There's actual organizational transformation and ways of working that has to go along with that to really drive advantage. But in terms of the opportunity, if you get that right, to actually appeal then to that customer base and to grow and evolve with them, I think is absolutely enormous. And it's one of the things that I think creates a lot of opportunity in our industry, around actually helping and guiding our clients to do that. Right.

[00:10:34] Tom: It's interesting, isn't it? From the experience perspective, for the customer now, it's almost like the tail wagging the dog.
The customer drives the experience rather than the organizations themselves determining the experience that the customer will have. And in turn, because of the rise of digital within the organization, the business is coming to the technology. Rather than technology being a side part of the business, it's the core driver of the business's success. So, yeah, I agree totally, James. That's probably been the biggest shift, and it's sort of happened slowly over the course of my career to the point where you sort of look back and think, you know, 10, 15 years ago, we didn't even have things like iPhones and stuff like that. It's only really in the very recent past that that's all come about.

[00:11:26] James: Yeah, absolutely, Tom. I completely agree with that point of view. And I think, to me, the really interesting thing is what has been the consequence in the approach to technology in organizations. And, you know, we talk a lot about cloud computing, we talk a lot about good operational practice and security. But I think the reality when you see that sort of transformation and organizations trying to move so quickly, this is what's given rise to things like credit card IT. Right. The classic view that we need to move faster. Technology's not keeping pace with us. The IT department can't keep up with us. They're not offering us the types of services that we want from a product development and delivery point of view. So what do we do? We go around them. Right. It's just natural human behaviour. And I guess the reality that we see is a lot of organizations that we go into, they might have a solid fundamental footprint in things like cloud, but they also have a lot of other things that are perhaps unmanaged or need a lot of attention. And maybe even the way they approach things such as governance and operational control needs to be rebooted and revisited. I think we see this mostly really in the security space and in the security practice.
Right. The consequences of those actions and risk management and operational control become incredibly important. And Scott, I imagine that you would have seen a lot of this in your time.

[00:12:43] Scotti: Yeah, I would agree, James. I think a lot of the organizations that we walk into have a very large footprint. They certainly have a lot of shadow IT. There is a lot of account sprawl. One of the organizations that I've been working with recently has over 100 different cloud accounts across four providers. So there has been a large investment in cloud. Whether we would say that's a rational investment, as far as are they even using half of those resources anymore? And then the inherent risk that comes along with essentially what we would call bit rot, which is we've provisioned it, we used it for a bit, we've stopped using it, we didn't decommission it, we've left it there. We don't know if it's being used or not, and that presents a huge risk to the organization. And I think one of the things that most cyber professionals struggle with is how do we enable the organization, and certainly those people that are developing and building features that bring in significant revenue for the business, how do we do that in a secure way? And we see a lot of organizations doing this. Essentially, as you said, the cyber team traditionally has been a "you can only do it this way". Development teams, certainly the ones that like to operate in a very fast manner, want to do things in a timeframe which is now or yesterday, not in three or four months' time. So how do we do it in a way that gives those teams the agility and the ability to do it with the secure guardrails? And the organizations that get that right get a significant benefit over others in the market.
And I think that's where if you get cloud right, and if you get multi cloud right and also hybrid cloud right, you can really accelerate the adoption of digital but also new business features. And that's really the differentiator when it comes to any business. You're here to make money, and so how do you make money? You essentially build and deploy those features faster, but also in a secure way without unnecessarily introducing new risk to the business.

[00:14:51] Tom: I think a really good quote that I heard once from the ex-CISO of Telstra, and I'm doing him a disservice because I can't remember his name. I don't know, Scott, if you remember, he came and presented to us when we were back at Australia Post and he said, you know, his goal is to turn security from that mindset of "you can't, because" to "you can, if".

[00:15:13] James: If.

[00:15:13] Tom: And I think traditionally security has been seen as that thorn in the side, the blockers, the people that are there actively trying to get in your way. And that's definitely a misperception. But security has to have evolved to the point where they can be seen as an enabler. And if you do things in the right way, in fact, they're an accelerator, and they certainly save you from being on the front page of the newspaper for all the wrong reasons.

[00:15:39] Scotti: I think the person you're referring to is Mike Burgess, who is also now the head of ASIO.

[00:15:44] Tom: Oh, there you go.

[00:15:45] Scotti: And you're exactly right. I think a lot of the time security is just an afterthought, and the problem that I see with pretty much every customer, it doesn't matter which industry you are, what size you are. The evolution of cloud from, you know, if we think about AWS in its early days, we had EC2 and S3, so virtualized compute and essentially file storage. There were very few security controls, there was no encryption, there were none of the inherent controls that are now commonplace across all the clouds.
So what's actually happened is that security has kind of caught up. But a lot of those organizations are still running infrastructure that was provisioned, you know, 10 years ago with the same models. And they haven't gone back and revisited that. And I use this analogy a lot. Cybersecurity is a bit like having a car. You don't just buy a car and drive it, or you might, but the wheels will eventually fall off, the engine will eventually seize. You can't just put petrol in it and expect it to go. You actually have to go back, you have to get it serviced, you have to go back and look at it. And in some parts you might say, well, now the car is no longer fit for purpose, I actually need to upgrade. And people should apply the same principles to their cloud environments, their on prem environments, their organization as a whole.

[00:16:57] Tom: I think another great analogy there from a car perspective is I drove a Tesla for the first time recently, and I came to a turn and I drove the car the same way I'd driven my cars for the past 25 odd years that I've been driving a car. And I came to a stop about 10 metres short of the actual turn that I was trying to turn at because of the braking that goes on as part of the electronic return system. So I think the important thing to take out of that too, we can't do the same things in the cloud that we've been doing for years on prem and expect that to be efficient and the best way to do things. And I know, James, this is particularly near and dear to your heart around doing cloud ops right, not just trying to transcribe what you've been doing for years to the cloud and expecting that to work as efficiently as possible.

[00:17:45] James: Yeah, absolutely. I mean, obviously this is a topic that's very close to my heart.
You know, I think stepping back to this notion of the trends that we've seen in our industry over, you know, let's say the last decade or so, you know, it was really fascinating, I think, to see that pivot point, particularly as it relates to security in cloud, where in the early days, you know, everybody was terrified of this shift to cloud because we didn't understand the security controls and how to apply them appropriately. And I remember back in the day, you know, the conversations around, oh, you would never put systems of record in cloud. You know, that's never going to happen. At the same time as we're all pivoting to platforms such as Salesforce. Right. So there is this real disconnect, I think, in business intent versus technology awareness and understanding. It's fascinating, though, to look at it now. And I see that security and drivers towards better security are actually a real conscious benefit of moving to cloud. And I think largely because there's been so much emphasis around not just the controls themselves, but the application of those controls and the patterns that are available for people to adopt. Typically we're seeing clients who get this right are actually improving their security posture, they're improving their risk position. And Scott, I'd love to get your thoughts on this. You know, is that just a matter of the tools are better, the awareness is better? What's changed that's driven people from saying, I want to keep this on prem where I can control it in my 20 year old flat network structure, to saying, hey, in actual fact, I can do this better in cloud if I migrate my workload?

[00:19:15] Scotti: I see it as a few different points. The first one is people. I think everybody talks about a cybersecurity skills gap. I definitely think perhaps yes, there is a gap, but there's also become more specialization. You find that on prem.
You know, if we think back 10 years ago, there was a handful of vendors, a handful of operating systems, a handful of web technologies. Now it's every day there's a new framework for something and a new development language and a new database. And we're now at the point where there's so many different technologies, I see that it makes sense to essentially hand over responsibility of those things which aren't really beneficial. If we look at the shared security model or the shared responsibility model for cloud, it doesn't make sense for a security professional to be patching infrastructure. It doesn't make sense for them to be configuring, you know, hardware firewalls and switches and things like that, or even the lifecycle management of those devices. It's a lot of effort for not a lot of return. Because if we go back to what I said earlier, we're talking about businesses delivering value to customers and then having a financial benefit as a result of that. So I think from the specialization point of view, it essentially frees up security professionals to do what they really should be doing, which is influencing the business, the organization, the employees, the staff, the partners and the customers to do things in the right way. As you said, the frameworks and the patterns already exist for people to adopt. And I think it is a really interesting concept around how cloud has made that easier. If we think about it, managing an HSM on prem, which I have had to do, Tom and I have done this before. It's not a fun process. There's a lot of, you know, if you get it wrong, you basically make all the data for your entire organization irretrievable forever. That's the kind of consequence we want to avoid. So having those advanced capabilities in a way that's essentially slightly foolproof in the cloud, I think is great. And we're starting to see even more great things.
And I don't want to focus specifically on encryption here, but it is a very important part of alleviating the privacy concerns. Because if we think about it, encrypting data at rest essentially addresses the issue of if someone goes to a data centre, steals some hard drives, could they reconstitute that data? What does that mean for me? What does it mean for my business, my customers, my regulatory concerns? So we're seeing a lot of that being adopted. But also, how do you operate on encrypted data? So, like, the use of homomorphic encryption is going to become more important as we move forward, certainly as we start sharing more data with our partners. How can we do that in a secure way, but also still get the business benefit and drive those insights from that data? I think that's certainly something that I'm going to see more of, or that the industry is going to see more of in the coming years.

[00:22:06] Tom: Yeah. As an infrastructure guy at heart, you're going to have to explain homomorphic encryption to me, Scott. I'm not aware of that one.

[00:22:14] Scotti: Essentially, it's a type of encryption that allows you to evaluate the data, so you can still query the data without you actually seeing what that data is. So traditionally, in a traditional IT environment, you would decrypt the data, you would have the unencrypted data. You would then operate on it. So, for example, if you wanted to query, let's say you wanted to encrypt.

[00:22:32] James: Let's.

[00:22:32] Scotti: Let's go back to the payment gateway days. If you wanted to retrieve or query card details, you would have to decrypt all the data. So you'd have to decrypt the entire table. That poses a security risk. Homomorphic encryption allows you to say, hey, retrieve me these records, or show me how many of these cards belong to MasterCard, without actually having to decrypt the entire table.

[00:22:54] Tom: Oh, nice. Okay, thank you.
Actually, it was another point that you were talking to earlier as well, around the shared security model. And I think that's an interesting evolution in and of itself, because I think, James, you touched on the point where everyone was fearful of the cloud initially. We know, and we trust our own processes to keep our data secure. It's not going to the cloud. And then it was almost as if certainly some of the cloud vendors would spruik this concept that we've built a secure cloud. The cloud is secure. We've got these secure practices. And it was almost a case of, certainly not in the security realm, but some of my brethren, brothers and sisters in the infrastructure space, and probably some of the development space too, thought, well, that was a shortcut to providing security, and you could just move the data into the cloud and it would instantly become secure. I know, certainly, Scott, you and I saw the challenges of this presumptive security within the cloud, that it was just automatically secure when you moved it there. I think that's something that has evolved over the last couple of years, where there's an appreciation that it's not a magical button that you press and suddenly things are secure. There is an element of responsibility on the customer as well as the cloud provider around security. But you do also have to do things differently.

[00:24:14] Scotti: I would definitely say that's the case. I'd love to say that everyone has fully understood what that transition to cloud really means. One of the things that certainly I take away most of the time when I talk to organizations, they go, oh, we put our applications in the cloud and it should scale and it does all of these things. And then I ask them the question, well, have you tested it? And they go, what do you mean have we tested it? I go, well, how many requests a second can your application sustain over a 12 or 24 hour period?
And they give me this very shocked look, as if I'm speaking a foreign language. And it's really surprising, working for a vendor that looks after financial services and critical infrastructure web applications, and I did this for many years, we would quite often be caught up in people that go, oh, we're under DDoS attack. And actually, it wasn't even a DDoS attack. It was just increased load on the website because they were having a promotion, and everything was down. And it's like, well, okay, we go through the whole process, we'd put some controls in place, we'd bring the systems back online, and when we would actually go back and do a post incident review with them, it would be highlighted that, you know, they thought that they could handle 100,000 requests a second, when in fact it was more like 50. And you go, well, okay, so you probably should have planned for that in advance. So one of the things that moving to the cloud actually has exacerbated as far as security goes is, instead of having a small pipe to your data centre, you've actually got a really large pipe that's now globally accessible across fast backbones. So you really need to be thinking about how your applications scale and what happens when you end up in a situation where you've got increased load and you can't service those customers. That's something that a lot of people don't understand. They just think, oh, well, I'm now in the cloud and so that will just handle all that DDoS, potential DDoS, for me. What they also don't realize is your cloud provider is looking at the trillions of events per second, and they're not looking at, you know, it's lost in the scale. You know, you're dealing with tens or hundreds or thousands or tens of thousands, even millions of requests a second. You're not even a blip on your cloud provider's radar until you call them.
[00:26:23] Tom: You want to avoid a DDoS, but you also want to avoid a distributed denial of responsibility, which happens outside of cloud and outside of security.

[00:26:30] Scotti: That's very true.

[00:26:31] James: It's fascinating to join the dots on a few other things that we've been talking about. You know, particularly the transition of workloads from on prem systems into cloud and the way that changes the nature of their exposure, or perhaps the load that they experience, and the way in which we manage those. I'm really interested in this notion at the moment, though. There's this huge trend towards hybrid computing models, so hybrid cloud models and even multi cloud models. And I wonder whether hybrid is actually giving us the best of both worlds, or perhaps it's leaving us with a bit of the worst of both worlds, in the fact that we're still managing a whole bunch of legacy and we're trying to join that to a whole bunch of other systems that are typically more customer facing in nature, if we're adopting cloud in the right way. Or maybe they're around driving innovation and the use of data analytics and AI, deep personalization for customer benefit and consumer advantage, all those sorts of things that we try to drive. I wonder, Tom, you've seen some pretty large transformations in your day from organizations, and you've also seen some massive data platforms back in your Oracle days as well. What's your thoughts on the whole hybrid model? Is that actually working at the moment, or are we finding that it's exacerbating the skills challenge?

[00:27:42] Tom: I think challenge is probably the word that's right there. I think even before the hybrid world, even just the initial steps into the cloud for organizations, I think there was a rush to do that without actually determining what is it we're trying to achieve here.
And I jokingly said it earlier that cloud was the answer and we were looking for the question, but that was very much the way of it when I started back in the day with the early sort of AWS movement. Yeah, I think there was a rush to be on the cover of CIO magazine, and the first large organization that moved production workloads to the cloud would have their face up there. But really, the number of workloads that we had to repatriate because they were either done wrong or the cloud just wasn't ready for those as yet. I think where I've seen hybrid cloud and multi cloud done right is where you've got a mature understanding of operations, you know how things should be done and how things should be done to get the most out of the platform you're designing for. And then you do follow the horses for courses type approach to things, so you understand why you're running particular workloads in particular areas. And we did a piece of work recently where we developed a very simple model around workload placement that purely came down to the purpose of that workload. You know, there was an understanding with the on prem environment there that there was still a benefit for that organization. They're in utilities. There was still a benefit in capitalizing a certain portion of their workloads. Now if they were going to be deploying those workloads onto straight VMs, then it made total sense to keep doing that on premises. Running EC2 instances or VMs within the cloud doesn't make a whole lot of sense if you're still maintaining an on prem footprint. However, where you had systems that were either customer facing or systems of innovation or large elastic data platforms, or things that you need to query beyond the borders of your on prem capacity, then that made a lot of sense to deploy those natively to the cloud.
And really we haven't talked about it today, but my whole ethos is if you go to the public cloud, move up the stack as much as possible and then with your on prem, take as much of the operations and the operational benefits that you're leveraging on cloud and try and standardize those between the two environments as well. So where you are doing infrastructure as code, maintain the same infrastructure as code platforms across both your on prem and your public cloud. So yeah, it's a whole world of things you have to assess. If I take it back quickly, it's why are we running these workloads? What is the purpose and what is the right platform for those workloads? And then when we actually do look at running those workloads, how do we run that most efficiently? Not necessarily for that workload, but for the platform that we're deploying that workload to. And really all of that should roll up into a strategy in terms of where you're trying to get to as an organization as well. And that's probably another little thread you can start pulling and unravel. The whole jumper is around making sure that your IT strategy, because of the interplay between digital and the business now, actually aligns to your business strategy. Not just your technology strategy. The two very much have to align in this day and age. It would be great if you could move up the stack entirely and not have an on prem footprint. But the realities are, for whatever reason, we still see organizations need at least some kind of on prem footprint. [00:31:18] James: I think this notion of a workload placement model and an intentional view of where you actually run different things to understand, yes, it's horses for courses, but we're being very conscious of which horses we run on which courses per se. It's very interesting to my mind to see that a lot of enterprises still don't have this.
And if I look at the evolution of cloud adoption back in the day, you were talking about sort of the early days when the CIOs wanted to get their picture in the magazine to say, hey, I exited the data centre and I've got everything in cloud and look, I've worked in some of those organizations and the real big difference back then is that things like cloud adoption frameworks and well architected frameworks and runbooks for all this stuff, it didn't exist, right? We were working it out as we go. You know, I did one of the largest enterprise transformations for cloud in Australia back over 10 years ago, right before most organizations were really facing into it. And I had amazing support on the vendor side. I had a really talented group and team of people around me in order to do that. But we were really having to work this stuff out on the fly. You know, we didn't understand the different dimensions of what it looked like to be well architected. We didn't understand how to actually implement infrastructure as a code with conscious security, static code analysis, type factors in there. All that stuff we built and we developed as we evolved. What I see now is that those frameworks and those structures exist and we're all well versed in them. You know, most people who are looking at cloud would be very familiar with things like 6R or 7R framework models. You know, do I replatform, do I rehost, do I repurpose, whatever it may be, right? I think I might have just made a new one up there with repurposed, but that's pretty good. You know, we can recycle it, nothing wrong with that. But you know, Tom, I think to your point, we're not necessarily seeing that translate now to intentional IT strategy that's business aligned. So am I running this thing on prem because I've always done it that way and it's just too big, ugly and complex to move. Or am I running it on prem because there's actually some genuine opportunity and business advantage in doing so. 
And it's really interesting that, you know, there was always this expression in cloud adoption that data has gravity. So really where you shifted your data dictated where a lot of the workloads for that data ran because you wanted to keep your compute very, very close to your data. Now we see a really different world, right, where the notion of distributed computing is so much more capable. So if I want to keep my data on prem. There are now models by which I can actually bring the compute to that data and I can extend my cloud footprint into my own data centre. I can bring all of the management plane, I can bring innovative capability, I can bring analytics tools all to where my data lives without having to undertake a massive migration program. And this is some of the things that I think have not yet been fully explored by many organizations and the opportunity not fully tapped. But I think it's something that we're going to see more of. You know, I mentioned earlier this notion of distributed and decentralized models moving back and forth as we go. And really I think this is just another evolution in that trend. We tended to decentralize everything and put it all out in cloud. And now I think there may be cases where we want to centralize some of that but bring better control and better mechanisms along with that. So by extension, this notion of hybrid cloud and multi cloud that a lot of organizations are driving into at the moment, I'm really interested to understand some of the perhaps misconceptions that might still be out there in industry and how we go about tackling them. Right. So you know, one of the first things I saw organizations wanting to take on multi cloud was around cost contention and price competitiveness, you know, and they thought they were going to play Microsoft off against Amazon and not realizing that their workloads are tiny. Right. They're not going to shift the needle on pricing. 
But a lot of organizations thought that it was very important from a vendor management perspective to have those different footprints. Of course, not realizing that, then they're opening themselves up to having to manage, operate and have skills in multiple clouds. And of course the other big one we see, we do a lot of work in critical infrastructure. So organizations that are subject to the Security Critical Infrastructure Act and there's a lot of regulatory pressure on workload portability. And I think this is one that there's been a lot of myths over the years and a lot of misunderstandings around exactly what should be portable and on what basis it should be portable and how organizations should face into that. Tom, have you sort of experienced that in your time, organizations that are rushing to try to achieve portability in cloud and perhaps not really understanding the true motivation or implications of that? [00:35:55] Tom: Yeah, look, maybe it's not so much portability. I think there's a concept, probably the only place I've really bumped into that is in the financial services arena and that is around the APRA regulations regarding vendor concentration. So let's say if an organization was in AWS as an example and for whatever reason that arrangement went sour, they'd have to be able to move their workloads out of that and to another cloud provider or back to on prem in a timely manner. So you know, the consideration around that is to avoid platforms that are endemic to a particular cloud so that that sort of fights against the whole move up the stack. If you're talking about something that is non portable, you know, Lambda for instance, which of course you can transcribe over to other serverless platforms. But it's not as easy as just picking up say a Linux workload, moving that to another location. So I haven't seen that quite as much as I have seen this Eurelia notion around.
Well, I can play the vendors off against each other and maybe get some kind of financial gain or that other misconception that if I have this tiny requirement, that is I have a SQL Server, maybe it makes sense to run my SQL Server in Azure Cloud whilst I run other components in AWS. Again not realizing the scope and effort that comes with establishing operational practices on a cloud platform. And we know that 82% of statistics are made up but I would say it's got to be the sort of costs of actually setting up a new platform are actually two, three times the initial platform set up because you've got all the interoperability and interrelationships and migration efforts that are involved between cloud A and cloud B. So I think the only time that multi cloud really works is if you do do it at scale. You already have a clear understanding of your operations and you abstract that away from the operations within a particular cloud platform, for instance is you establish this is what we do for secure code analysis, for instance, this is how we deploy our infrastructure as code. This is what we do for X, this is how we store and rehydrate our data. As an example I sort of see that the organizations that are doing that successfully are the ones that are realistic, I think about not only their own capabilities but what they're actually trying to achieve at a hybrid cloud. Because I think in general the misconception about cloud and cost, let's be honest, it does come from the cloud vendors who it's a very easy tale for them to tell around move to cloud and save money. But achieving that is actually quite the journey and it does have to be done at scale and committed to by organizations undertaking that journey. [00:38:46] James: Very well said. I think you touched on a couple of really interesting themes there. And I do see that fear of vendor lock in as being the key driver that does set a lot of organizations down this path of multi cloud.
But your point about those who do it consciously understanding what it means from an operational burden, what it means from an education perspective, and even a governance and risk control point of view are probably the ones that are more successful. Scott, I imagine that you probably see this a lot in cyber as well, you know, and it's this challenge of if I want to have equivalence across my cloud, so maybe a bit more portability, am I perhaps dumbing down what I do to avoid that vendor lock in and the adoption of proprietary systems? How do you tackle this sort of thing? Do you look for that single pane of glass ubiquitous view from security, or do you try to take advantage of what's the best each cloud native opportunity brings? [00:39:36] Scotti: This is a really good question and I do see it a lot working for a cloud vendor. So I also worked at Oracle with Tom. A lot of the time cloud vendors will say you only need our cloud, you only need our cloud security products. What they fail to understand. Most people that adopt the cloud, right, they don't come. You're not a cyber person that decides to go into a particular cloud. You're a developer, you're an infrastructure person, you're a business person that wants to use the cloud for business purposes. You're not looking at a cyber person isn't the person that is the account owner essentially in the cloud. So what you end up seeing is, hey, we want these developer features, we want these business outcomes. We don't think about what is the security that needs to go along with that. What you often find is that you end up with one cloud and then you end up with a second cloud and before you know it you've got a third or a fourth or a fifth cloud and then you have all these different accounts and then how do you aggregate all that information across those different platforms? How do you apply those consistent controls?
If you take firewalls for example, Amazon has different options to Azure which has different options to Oracle which has different options for Digital Ocean. It doesn't really matter. They're all very different, which means you need to have different skill sets. They have tried to make it slightly easier with like as Tom and yourself have said, infrastructure as code. So you can create these objects, you can do them in secure ways. There are ways to build workloads where you can just deploy it, it has a firewall built in it as one security control as an example. Where it does get a bit more tricky is when you now start thinking about external third party vendors. A lot of organizations will have on prem security tools, they'll have on prem firewalls, they have on prem vulnerability management. A lot of those vendors I'll just say are a little bit behind. They weren't cloud first, they weren't cloud native tools. They have tried to say hey, we've got things that work in the cloud, but they only cover like 5 or 10%. And it's always the bit where you really have to be a specialist in all of the security control areas. So web applications development, web application firewalls, network security, there are so many different areas and it's almost impossible to find someone or even a group of individuals that know all of those areas. So you really need to be thinking about what are your security requirements upfront before you go into the cloud? And certainly if you're going across multi cloud because a lot of the cloud providers, so in fact I'm not aware of any where cloud providers will say hey, you've got security vulnerabilities in another cloud, well, we can ingest those. There isn't. So if you are a multi cloud provider, your really only option is to go to the security industry and the market and say what tools provide me coverage across those. But noting that it's not 100% coverage.
So I would say it's almost more important to know where are the areas that aren't being covered and then look at those in more detail. So deal with it by exception. [00:42:31] James: So it's always the unknown unknowns that are the challenge. Right. In any industry. And it's interesting that you touch on this notion of organizations increasingly looking to third party solutions. And I think there's some really good ones emerging in the cyberspace as well as other areas of operational control and governance. But I'm curious, from a pragmatic point of view, when you're engaging with clients that are in this situation, do you have some kind of reference model? Is there like a reference architecture for this stuff that says this is the set of things that I need to look at to make sure I've got a comprehensive view of this organization's footprint? [00:43:04] Scotti: That's a super great question. The short answer is there's no one size fits all. I think for me, if someone said, Scott, we're going to go into the cloud, we've got these clouds, these are the workloads we want to deploy in the cloud, it really needs to be tailored to that company: as you said, the way that they wish to work, the types of teams that they have, they need to be thinking about what their risk tolerance is. Risk tolerance for different organizations, certainly critical infrastructure is low versus other organizations and industries that we here at Cordant work with. You know, sometimes they have a higher risk tolerance. It all really comes down to how fast do we need to get there and what's the risk that we're willing to accept and where the risk essentially isn't acceptable, then that's when we need to start looking at security controls. That's how I would look at it from a pragmatic point of view. But I also look at it from an offensive security point of view. Coming from the hacker background, I take a very different view on things.
You don't have to have everything perfect. And in fact most organizations that go into the cloud, and most organizations that run on prem infrastructure, as you guys would know, also aren't perfect. So it's about how can we at least if we aren't going to be gold plated, how can we at least give ourselves enough time for our analysts for people to know that something's wrong so we can respond and how can we do that in a timely fashion and then get ourselves back to a safe operating environment as quickly as possible? [00:44:32] James: So to put you on the spot in regards to then the flight to third party tools and trying to, it's not necessarily outsource risk but just the notion of I don't really know how to get a comprehensive view so I'm going to put my trust in a third party tool. I don't want to specifically pick on CrowdStrike unfortunate circumstance but you know, we see a huge trend in the IT industry right. Where everybody just goes to the top right quadrant of the Gartner model and we all pick the same things and we're all using the same tools and the same approaches and the same playbooks. I don't know, like is that putting us in a position where we're getting the best of capability or is it actually increasing our risk? [00:45:10] Scotti: Yeah, that is actually a tough question. That's a really tough question to answer. I'm not a huge fan of Gartner for evaluating products. It's a good yardstick but I wouldn't always default to the top right quadrant. I think a lot of the time I look to if I'm going to go out and evaluate an organization, I actually will go with my set of requirements. I will do a full POV. I won't simply just go out and buy it. I'll actually also talk to my industry peers. I think when it comes to the likes of CrowdStrike, I think they did a great job. They have an excellent product and as a result, yeah, okay, I'm quite forgiving of that situation. Perhaps things could be done better.
But let's be fair, they protect some great organizations globally and I think they did an excellent job and they have been doing an excellent job as far as reducing the amount of risk in organizations when it comes to endpoint security. So I think the other part of that is we constantly need to be investing in cybersecurity, certainly testing cybersecurity controls, because you highlight a point where you say, if we're all running from the same playbook, how do we know that that's all there is? Well, attackers are highly motivated in finding ways around, as you said before, developers are highly motivated to get the outcome they need, which is to deploy stuff in the cloud. And if they have to go around security controls and process to do so, they will. Attackers are no different. They're highly motivated, they're very skilled at what they do. There was one incident I worked with recently where attackers were actually abusing an identity service to exhaust SMS spend. So essentially to drive up cost and essentially generate revenue. What I could assume it was very similar to what Twitter now X, formerly, whatever we call it nowadays, they had a similar issue where SMS was being triggered by bots to generate revenue for telcos in less than scrupulous countries. And so I was, I was actually witness to this. And you can actually see the attacks change over time. So I think if we are going to put our faith into playbooks, we still need to test that. And so cyber security is one of those things you have to continually invest and you have to continually evolve and continually test. And that's where as this whole point has been talking about hand over the responsibility of those things that you're not getting real value out of and have your cyber have your cyber staff spending time with people, changing the way that the business operates to do it in a more secure fashion. [00:47:41] Tom: Maybe just picking up a thread on that one too. 
James is earlier you talked about moving the needle and I think where you don't go with someone that's sitting there in the top right of the quadrant, innovation comes from those other organizations that are in the other quadrants trying to break into that top quadrant. And not just on the innovation front. They tend to be more responsive to their customers needs as well. So I've been a long term advocate. Whether it's choosing a consultancy firm that's a bit smaller and more agile or choosing a vendor who's not necessarily leader in that quadrant, they've got something to catch up to. So in my mind I sort of find that they tend to be a bit more responsive to customers as well. So yeah, I'm with Scott on that one. I'm not necessarily a. Let's look at the top of the quadrant and buy that. Yeah, really bake it on the requirements of the organization. And yet interestingly, we find that some of the smaller. I know Scott, I'm sure you find this in the security space, but certainly in the infrastructure space. Some of the smaller players are actually the ones innovating and doing the cool stuff and will work with their customers to a surprising level that you won't get with the big players or the big four consultancies or whoever it might be. There's just more of that flexibility and that understanding and that hunger to get to the top. [00:49:02] Scotti: And interestingly, if you're going to go and look for it, there are a whole bunch of open source tools in fact in cyber security. When I started, I know we're going to go back a little bit here, but there was no official certification, there were no industry courses, there was no university certification. Now that, now there is. Similarly, if we look at cyber security tooling, there wasn't a lot of cyber security tooling in those early days. Nowadays, if you look for it often there is a free tool to help you get started. There are a whole bunch out there that, that don't actually cost anything at all. 
You just have to know where to look and be willing to learn how to use them. They can be a little bit problematic sometimes, but once again, if you're going to engage a consultancy that has skills and experience in this, it doesn't have to cost you the Gartner top right quadrant price to achieve a great security outcome. [00:49:53] James: So looking at all these trends that we've discussed, I'm really interested to get a sense from you guys. You know, with all the effort, with all the investment, with all of the chasing that organizations have been doing to try to modernize their technology, are we actually in a better place? Tom, what are your thoughts? [00:50:10] Tom: Very interesting. Yeah, look, I'm a massive advocate for simplicity. So if I look back, you know, you look back through your rose tinted glasses and call up the old back in my days. But things were fairly simple, you had one data centre, a fairly cookie cutter approach to the way you did things. You could probably count on one hand the different sort of operating models people would use. Cloud has really become a canvas where people can do just about anything. And I think that the challenges that have come about as a result of that, we're appreciating now, we're understanding that. So things like the shadow IT, where organizations just bring out the credit card and deploy things anywhere, everywhere, without a consideration for security, and organizations have been caught out by that with open S3 buckets and the like. So I think certainly there are new challenges in this realm, but I think at the same time we're getting smart and the cloud has enabled things like AI that now give us tools that the likes of which we've never seen before. You know, I'm blown away by how incredible things like ChatGPT are at being able to answer complex questions in sort of natural language. None of this stuff would have been possible without the scale of cloud computing.
So, yeah, I think by and large, it's certainly increased the challenges, both from a security and operational perspective. But what it's given us in return in terms of a platform for innovation and capability, and really, as organizations, and both of you have sort of touched on this during the conversation today, we shouldn't be doing that commodity stuff, the patching the servers, the things that really should be left to organisations that specialise in that sort of stuff. As a business, we want to be focusing on what delivers value to our customers and potentially our shareholders, if we're a publicly listed company. But that should be the focus of the organization, not this sort of commodity routine. And the cloud has enabled that at scale, when adopted correctly. So, yeah, I think by and large, we're definitely in a better place from a technology perspective. Whilst there are challenges, I think we're at that point now where technology is catching up to those challenges as well. And certainly I'd see in the future, if technology doesn't take over the world, then we'll be in a really, really good place in terms of both operations, security and the innovation that we can unleash as a result of the cloud. [00:52:45] Scotti: I guess what we're talking about here is, is the innovation and all of the benefits worth the risk? I think it is. 100%. I think it is. I draw a lot of parallels between what people are talking about now and, I don't know, we all live in Australia. There's been a lot of breaches lately. There's been a lot of emphasis, certainly in the media put on organizations that don't follow decent security practices. Seen a whole bunch of those. I think what really people need to be thinking about is we're now talking like, we've been talking about cloud security for a while. We'd been talking about phishing and social media scams and all of those for a long time as well. And people were like, oh yeah, what does this mean?
You know, you'd see, you'd see the old security education training that come through. People go, next, next, next, next, next, next, done. And they never really think about it. And now, you know, it's. I know at least four or five people this year that have been scammed. Family members, friends of family members, things like that. And so what we see now is that, you know, cloud is going to be potentially the next, next evolution of that. Where we've been talking about cloud security needing to be a thing at the moment, there's a bit of herd mentality and a bit of herd protection, so you kind of blend in amongst others that are also operating in the cloud. It is very hard to really define, well, is this endpoint belong to me or does this belong to just someone else in the cloud? But I think that's changing as well. So, as you said, the technology is also improving, certainly around the security elements on the defensive side, but, but also, so are the offensive techniques. They are becoming quite sophisticated. And what we're seeing is a lot of organizations perhaps not falling victim to being targets of choice, but just essentially being targets of opportunity. So misconfigurations have led to a breach. Right. And it just happens that you're in the cloud and you didn't secure it properly. So what I would really love to see, and I really hope does happen, is a lot of vendors working closer together. So we see certainly, like if you look at Azure and Oracle, they have interconnects. Right. So there's an official product line between those two cloud providers. I'd like to see something similar in the security space where they actually collaborate on building secure solutions together. So essentially simplifying what has already become very easy and accessible, essentially security to be consumed by people that aren't cybersecurity professionals. I'd like to see that across cloud as well. 
[00:55:10] James: It's interesting, you know, I think when we start to look at this notion of where are we going from here, I think it's fairly easy to draw the conclusion that the capabilities we've got today are a massive improvement on where we were historically. The thing I'm really interested in is are we actually really learning to leverage those to provide better products and services and capabilities for those consumers and customers that we spoke about? Right. They're the ones with the expectations and the demands for something new, something better. And really we want to extend the reach of the things that are working well. You know, I think a lot of the things we've done through the lens of digital transformation have provided enormous community benefit. It really is how do we keep the momentum up? And I think one of the things I see happening in the technology industry is I feel we all need to get a lot more industry centric in terms of understanding those industries that we service. A little bit like how in the past we used to say IT needs to learn to understand the business. I think now collectively, because it is such a business enabler, we in the IT community need to actually learn to understand what are the needs of those industry verticals that we operate in. How do we best serve financial services? How do we do security of critical infrastructure when it comes to utilities? How can we provide better retail experiences or perhaps heavy industry through things like the application of AI? And we've all seen the amazing things that generative AI can do from a technology point of view. But what we probably haven't seen yet is the translation of that into some really impactful and meaningful real world outcomes. We're seeing it a bit in health. You know, I think some of the things we've seen in, you know, looking at radiography images and helping with analysis, absolutely amazing, remarkable evolutionary shifts.
We're not necessarily seeing that flow through to other industries yet in really, really big ways. But I think it's inevitable and I think that will happen. It's just really a matter of applying creative thought to how the technology can actually be leveraged in a way that really does shift the needle. But I'm really interested just to get a sense from you guys as well, you know, are there trends that you're seeing or emerging capabilities that you think are going to drive the next five to 10 years in our industry and what might they be? [00:57:19] Scotti: As far as industry trends go, I see from a vendor point of view there's a lot more consolidation. So we can see a lot of certainly the more traditional cybersecurity vendors bringing more capability to kind of cover those areas which they weren't previously covering. As I mentioned earlier, they were talking about on prem specific vulnerability management now extending into the cloud around cloud security management, host configuration, data security management, those types of issues. [00:57:46] Tom: Yeah, look, about all I can do is look in the crystal ball because there are plenty of fads around. Scotty, I don't know. When I started at Oracle, everything was about the blockchain and how blockchain was going to be the next big thing. And then it was IoT for a little while and IoT will definitely hold its place. But I think the big thing that will happen over and in the fullness of time is that we start moving away from data centres pulled together. So at the moment the cloud providers are still, you know, they still are someone else's data centre providing applications and platforms on compute. I see. And James did touch upon it, you sort of talked about distributed compute.
I think I see a future where we start using that hive sort of approach to computing and we decentralize even away from the cloud providers themselves to just using the abundance of technology we have globally and sharding things and using what we have there throughout the world to provide that decentralized data, decentralized compute and hand in hand. I think there's some pretty exciting stuff, not that I fully understand it, around quantum computing as well. So I think we're going to see another leap and another revolution in technology in the next sort of 20 years. I'll probably be retired by then, but as someone who's been brought up my entire life on technology, I'm always excited about these things and cloud was a big exciting evolution in and of itself. But I actually think the more exciting stuff is just about to happen. [00:59:21] James: It's fascinating what you say about data centres because it's a bold prediction you've made in the sense that at the moment I think there's a lot of expansion of data centres. We're all looking at the energy consumption, massive footprint, continuous growth in this space, but it seems to be largely driven by the adoption of AI and the enormous amount of compute that AI requires. And what I find fascinating about that is as we actually move more towards the use cases for AI, I think you will then see that decentralized to be more edge based processing like you've described. So it is going to be a fascinating space to watch. And your point on quantum computing I think is absolutely, you know, to me, the really interesting space to watch over the next decade or so. You know, it's very easy when you start to look at quantum computing to focus in on the things that it can't do right now, the challenges it has. Obviously it's massively expensive in order to establish capability.
But in terms of the types of things that it can unlock, it gives us some mechanisms to start solving problems that we haven't previously been able to solve. And the fundamental thing that I found fascinating about quantum computing when I was looking at it was the notion that problems that don't decompose very well are well suited to quantum computing. So, in other words, if you can break a problem down into smaller parts, we can probably throw massive amounts of compute at it today and start to solve it in meaningful ways. But there are some things that just don't decompose in that way. And so it's going to unlock some really interesting capability that I think, again, comes back to the application of creative thought. From an industry point of view, it's great to have technology that's incredibly powerful and new and interesting, but what are we doing with it? And I think, to your point, Tom, about blockchain: blockchain was another example of something that I think is an incredibly capable technology, but so misconstrued and misused and misunderstood in application that it's been abandoned in many industries because it's just become something that nobody will touch and invest in. And it may come back, it may swing back. You know, I think notions of immutable ledgers are very, very attractive. What nobody seems to like is decentralized control. So it's all swings and roundabouts in our industry. But, yeah, it's going to be very, very interesting to see where some of these trends go. [01:01:36] Tom: And maybe, Scotty, just something that sprung to mind as James was talking was, what's security's view on quantum computing? And does this render all previous cryptography useless? [01:01:50] Scotti: That's a really good question. I think back to my time when I went to Black Hat and there was a particular vendor that talked about having quantum-resilient cryptography algorithms today.
And if you haven't gone and seen that YouTube clip, I highly recommend you go and watch it. It is an interesting one. I think quantum, certainly with regards to cryptography, that's where everybody really talks about it from a cyber point of view. They talk about how current encryption algorithms, essentially both the key strengths and the types of algorithms, aren't going to be resilient and resistant to quantum computing. Where I think we will get to is, you know, it's the same as everything. It's always an arms race. As we talked about earlier, with the cloud coming into its own and then there not being the requisite security controls and tooling available. Now there is. It's going to be very similar with quantum computing. So as soon as we have quantum computing available for general purpose, if we ever get to that, hopefully we do, because that'll be awesome, I think we'll also see the same security controls and technology being applied, perhaps a little bit later, but not too far later. The thing that you can't really avoid, and as you pointed out, James, we still have that inherent risk today: if you have enough compute, you can essentially break certain algorithms and certain key strengths. But you are limited to kind of nation state or someone with a large amount of compute available. So today I don't see there being a huge risk as far as quantum goes to the individual user. That could change over time. [01:03:27] Tom: Time will tell whether it's another Y2K or it's something legitimate. [01:03:31] Scotti: That's assuming that ChatGPT hasn't taken over the problem. [01:03:33] Tom: Okay, yes, yes. [01:03:37] Scotti: If you could use a little help or advice with modernizing your IT environment, visit Cordant Au to start a conversation with us. ----- This has been a KBI media production.
