HashiCorp Field CTO Weekly: Learning Through Pain
Volume 107: Where IT and Security Continue to Swing from Chaos to Orchestrated
Back to Harmony!
Thank goodness the US has moved past all the acrimonious name-calling that constitutes the mid-term elections! We can finally regain peace and understanding, which dominates our constitutional republic. Thankfully, technology has made life more reliable during elections! We can get back to streaming hopeful shows like The Peripheral.
Now that I have blown out the lines with irony, I’ll return to my traditional state of wild optimism. As we (human-kind) mature, we careen from being wildly destructive into something approaching improvement. We often chase empty promises until we become disillusioned with them, and then (hopefully) we learn what is valuable and pursue that. Mozilla Ventures’ efforts to “save the soul of high tech” provide at least anecdotal evidence of recognition and a desire to correct the less savory elements of the industry. To give you a sense of what they hope to accomplish, Mozilla funds such firms as Block Party, a start-up targeted at mitigating social media bullying.
As Jake mentioned last week, winter is coming for some areas of cloud adoption. This represents one such correction of human learning. We lift and shift, we implement in wildly undisciplined ways, we overspend, we introduce too much risk, and then we start to re-evaluate and improve. This brings me to the topic of this week's newsletter. In keeping with the above thoughts, let’s begin by describing the ‘wildly undisciplined’ before looking at the healthier responses. I’ll then close with a starter conversation about platform team incentives.
The Hits Just Keep on Coming!
The threats coming at IT simply continue to accelerate. Most intrusions begin with some form of social engineering. As an attacker, I work to get initial access to the network so I can start hunting credentials. We hear numerous examples of phishing, but what about “typosquatting?” Typosquatting is where attackers register domains that are commonly misspelled or look-alike versions of widely used websites, then mimic the site and capture the login credentials users type into it. This form of attack has become a massive business, according to TechNewsWorld. In this case, attackers have created some 200 domains around 27 brands that seek to get a user to log in and download a banking trojan. Those numbers cover only the portion of the campaign targeting Android users; the Microsoft-targeted portion of the operation is anticipated to be significantly larger. While this attack is zeroed in on personal accounts and machines, it also poses a significant risk to enterprises, since the people being phished are your customers and your employees, and the passwords captured are frequently reused at work. Here, Snyk reviews the attack vector with suggestions on prevention.
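To make the attack concrete, here is an added example of the kind of look-alike generator a defender can run against newly observed domains. It is not code from the newsletter, from TechNewsWorld or Snyk, or from the campaign described above. It builds the common typo and homoglyph variants of a brand's registrable domain, then flags observed domains that match a variant or that embed the brand label with extra tokens. The brand list, the keyboard-adjacency table, the homoglyph table and the observed domains are all constructed for the example; in practice you would feed it a newly-registered-domain feed or certificate transparency log entries.

```python
"""Typosquat candidate generator and matcher.

Added example for the newsletter section above; not code from TechNewsWorld,
Snyk or the campaign it describes. Generates common typo-style variants of a
brand domain and checks a constructed list of observed domains against them.
"""

# Partial QWERTY adjacency table (constructed for the example).
ADJACENT = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Visually confusable substitutions often seen in squatted domains.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "w": ["vv"], "d": ["cl"],
}


def typo_variants(domain):
    """Return the set of one-edit typo variants of a domain such as "paypal.com".

    Only the label left of the first dot is mutated; the remainder of the
    name is kept and the original domain itself is excluded from the result.
    """
    label, _, rest = domain.lower().partition(".")
    suffix = "." + rest if rest else ""
    n = len(label)
    variants = set()
    for i in range(n):                       # omission:       paypal -> papal
        variants.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                   # transposition:  paypal -> pyapal
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i, c in enumerate(label):            # fat-finger:     paypal -> oaypal
        for k in ADJACENT.get(c, ""):
            variants.add(label[:i] + k + label[i + 1:])
    for i in range(n):                       # doubled char:   paypal -> payypal
        variants.add(label[: i + 1] + label[i] + label[i + 1:])
    for i, c in enumerate(label):            # homoglyph:      paypal -> paypa1
        for h in HOMOGLYPHS.get(c, []):
            variants.add(label[:i] + h + label[i + 1:])
    for i in range(1, n):                    # hyphenation:    paypal -> pay-pal
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)
    return {v + suffix for v in variants if v}


def find_squats(brands, observed):
    """Map each suspicious observed domain to the brand it appears to imitate.

    A domain is flagged when it is a one-edit variant of a brand domain, or
    when its first label embeds the brand label with extra characters
    (e.g. "microsoft-login.net"). The brand's own domain is never flagged.
    """
    lookup = {}
    for brand in brands:
        for v in typo_variants(brand):
            lookup.setdefault(v, brand)
    brand_labels = {b: b.lower().partition(".")[0] for b in brands}
    hits = {}
    for d in observed:
        d = d.lower()
        if d in brands:
            continue
        if d in lookup:
            hits[d] = lookup[d]
            continue
        label = d.partition(".")[0]
        for brand, bl in brand_labels.items():
            if bl in label and label != bl:
                hits[d] = brand
                break
    return hits


# Constructed sample input: two protected brands and a handful of domains
# that might show up in a newly-registered-domain feed.
BRANDS = ["paypal.com", "microsoft.com"]
OBSERVED = [
    "paypal.com",           # the legitimate domain, must not be flagged
    "paypa1.com",           # homoglyph l -> 1
    "pyapal.com",           # transposed characters
    "microsoft-login.net",  # brand label embedded with extra tokens
    "micros0ft.com",        # homoglyph o -> 0
    "example.org",          # unrelated
]

if __name__ == "__main__":
    for domain, brand in sorted(find_squats(BRANDS, OBSERVED).items()):
        print(f"{domain:22s} looks like {brand}")
```

Two caveats worth keeping in mind. The variant pass only covers a single edit on the same suffix, so a squatter who also swaps the TLD (paypa1.net) is caught only by the substring pass, and internationalized-domain homographs (Cyrillic "а" for Latin "a") need a separate Unicode confusables check. Detection also does nothing about the credential that was already typed into the fake page, which is why the enterprise-side control that matters most is phishing-resistant MFA, so a captured password alone buys the attacker nothing.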
Sometimes, I don’t even need your human to give me access. Recently, VMware plugged three holes in its Workspace ONE Access product. These vulnerabilities allow unsophisticated attackers to bypass authorization gates and gain admin-level permissions without a credential and without any privilege escalation. If you could reach Workspace ONE Access over the network, you could walk right in. One of the security researchers who identified the vulnerability posted a proof of concept to a public repo, so the exposure was essentially plastered on digital billboards. vRealize Automation and Identity Manager were also wide open through these vulnerabilities. Given that the damage is done, we had better patch quickly, and confirm which of these consoles is reachable from outside the management network in the first place. What if we never administered such tools through a UI at all? We might benefit from an industrialized approach to infrastructure provisioning and asset management. Something like Terraform and Packer, maybe?
You Mentioned It Might Get Better?
While time and costs drive innovation and compromise, security remains the fulcrum that balances our decision-making, especially regarding complexity. Gartner recently found that 75% of organizations want to consolidate tooling in the security space. To wit:
“Security and risk management leaders are increasingly dissatisfied with the operational inefficiencies and the lack of integration of a heterogenous security stack,” said John Watts, VP Analyst at Gartner. “As a result, they are consolidating the number of security vendors they use.”
While it's tempting to assume cost pushes us to consolidate, the primary driver is risk. “Sixty-five percent of surveyed organizations expect to improve their overall risk posture, and only 29% of respondents expect reduced spending on licensing.”
We’ve noticed this trend over the last couple of years. We stress the need for a security/secrets broker, simplified networking automation, and governed/attested infrastructure change. Removing tools and gates improves efficiency and simplifies audit.
As we begin to see some drawdown in IT hiring, we are also seeing increased spending. Once again, we have a negative event with a correction on the other side. Spending more while hiring less likely coincides with the consolidation efforts on the tooling side. The vendor landscape will necessarily shake out over the next few months, which will make it easier to predict who gets marginalized and who becomes increasingly central. HashiCorp’s approach to centralized workflow appears to be on point for this industry move. Considering the vendor landscape uncertainty, some folks run thought exercises on what (hypothetically) would cause a particular vendor to fail. Here is one such assessment of Zscaler.
Platform Team Incentives
Before we close the newsletter for the week, I found this exciting write-up concerning the meritocracy incentive in IT, especially regarding data teams. In this thoughtful look at incentives, Benn thinks about how capitalistic structures may drive better outcomes in IT through an exchange of value. Current incentives tend to reflect control rather than service: when you request something from the team, excellent! Now sit and wait until we get to you. Interestingly, even with this approach, we still find ourselves needing more control, visibility, security, resiliency, etc. We need to see the benefits of our gates (especially the manual ones). On the other hand, if we were to convert IT teams into a marketplace of competing offerings, you may see costs decrease and service improve in response to market forces.
Benn is careful not to go overboard here, as we still need forms of regulation and oversight, but the thought is fascinating in the spaces we play. We target a centralized buying organization that we refer to as the “Platform Team.” Ray does a fantastic write-up on our thoughts regarding Platform Teams and developer productivity, but I’ll look at this through a competitive lens. We need these kinds of teams to win huge.
Often, these efforts begin around a single cloud. Why? Because it is easy for the rest of the org to say, “Go play, but don’t touch any of my stuff, and don’t blame me when it costs too much, or you get breached!” The difficulty comes when you see wider adoption across multi-cloud and legacy real estate. At that point, various teams must collaborate to find success. How do we accomplish that from an organizational perspective? Do we try to convince every impacted individual of the ‘rightness’ of our approach? That sounds daunting.
Let's introduce a marketplace. If the platform team can prove it removes the cost, complexity, time to market, compliance headaches, and more, then the team should earn the business. Much more to come on this topic, but this is why I often focus in leadership conversations on the cost of delivering a best practice.
I’ll conclude this Thursday edition of the Field CTO Newsletter. Have a great weekend, and I look forward to seeing you in the field!