Monthly Archives: November 2015

Evolving Cyber Security – Lessons from the Thalys Train Attack in France

By Gene Likins

Earlier this year, I was privileged to facilitate a round table for forty-seven IT executives representing sixteen companies in the financial services industry.  As expected for a gathering of FSI IT executives, one of the primary topics on the docket was security.

The discussion started with a candid listing of threats, gaps, hackers and the challenges these pose for all in the room.  The list was quite daunting.  The conversation turned to the attempted terrorist attack on the Thalys high-speed international train, traveling from Amsterdam to Paris.  A heavily armed gunman had boarded the train with an arsenal of weapons and was preparing to fire on passengers.  Luckily, several passengers managed to subdue the gunman and prevent any deaths.

Immediately following the incident, the public began to question the security measures surrounding the train and the transit system in general.  Many recommended instituting airport-style security measures, including presentation of identity papers, metal detectors, bag searches and controlled entry points.

Given the enormous cost and the already strained police resources running at capacity, some are now calling for a different perspective on security.  As former interior minister of France Claude Gueant said,

“I do not doubt the vigilance of the security forces, but what we need now is for the whole nation to be in a state of vigilance.”

As IT professionals, this should sound familiar.  So what can we glean from this incident and apply to cyber security?

  1. Share the burden of vigilance with customers.
    72% of online customers welcome advice on how to better protect their online accounts (Source: Telesign).  One way to share the burden with customers is to recommend or require the use of security features such as Two Factor Authentication (2FA).  Sending texts of recent credit card transactions is an example of a “passive” way of putting the burden on the customer.  The customer is asked to determine if the charge is real and notify the card issuer if it’s not.  Companies should begin testing the waters of just how much customers are willing to do to protect their data.  They may be surprised.
  2. Avoid accidentally letting the bad guys in. 
    One of the common ways that online security is breached is by employees unknowingly opening emails that carry lures such as “know what your peers make” or “learn about the new stock that’s about to double in price”. IT groups should continually inform their internal constituents on the nature of threats so we can all stay vigilant and look out for “suspicious characters”.
  3. Contain the inevitable breaches.
    It’s not a matter of “if”, it’s a matter of “when”. Network virtualization capabilities, such as micro-segmentation, bring security inside the data center with automated, fine-grained policies tied to individual workloads.  Micro-segmentation effectively eliminates the lateral movement of threats inside the data center and greatly reduces the total attack surface.  This also buys security teams time to detect and respond to malicious activities before they get out of hand.

Building a comprehensive security strategy should be on the agenda of all CIOs in 2016.  Cyber criminals are constantly creating new methods of threatening security, and technology is changing daily to counteract them.

VMware NSX, VMware’s network virtualization platform, enables IT to virtualize not just individual servers or applications but the entire network, including all of the associated security and other settings and rules.  This technology enables micro-segmentation and can move your security capabilities forward by leaps and bounds, but it’s only part of a holistic strategy for preventing security breaches.

Remaining ahead of the threats requires a constant evolution of people, processes and governance, along with technology, to continuously identify and address security concerns for your organization and your customers.  For help building your security strategy, contact the experts at VMware Accelerate Advisory Services.

========

Gene Likins is the Americas Director of Accelerate Transformation Services for VMware and is based in Atlanta, GA.

The rules to success are changing – but are you?

By Ed Hoppitt

We live in a world where the fastest-growing transportation company owns no cars (Uber), the hottest accommodation provider owns no accommodation (Airbnb) and the world’s leading internet television network creates very little of its own content (Netflix). Take a moment to let that sink in. Each of these companies is testament to the brave new world of IT that is continuing to shape and evolve the business landscape that surrounds each of us. And the reality is that the world’s leading hypergrowth companies no longer need to own a huge inventory. They instead depend on a global platform that easily facilitates commerce for both consumers and businesses on a massive, global scale.

In order to stay relevant today, your business must be in a position to adapt, in keeping with the evolving expectations of end users. If success used to be governed by those who were best able to feed, water and maintain existing infrastructure, it is today championed by those who are least afraid of opening up new opportunities through innovation. Applications, platforms and software are all changing the business rules of success, so instigating change to adapt is no longer just part of a business plan; it’s an essential survival tool.

With this in mind, here are three essential pointers to help ensure your business is able to adapt, on demand:

1.       Embrace openness

All around us, agile start-ups and individuals are leveraging the unique confluence of open platforms, crowd-funding and big data analytics that exist around us. The pace of technology change means that no individual company need be responsible for doing everything themselves, which is why more than ever, there’s a real business need for open source. Open source helps to create a broad ecosystem of technology partners, all helping make it possible to work closer with developers to drive common standards, security and interoperability within the cloud native application market.

2.       Develop scale at speed

Adrian Cockcroft, one of the founders of Netflix, a poster child of the software-defined business, once famously said that “scale breaks hardware, speed breaks software and speed at scale breaks everything.” What Adrian realised was that to develop speed at scale, traditional approaches simply do not work, and new methodologies are required, allowing applications to be more portable and broken down into smaller units. New approaches to security services also allow micro service architectures to be utilised.

3.       Create one unified platform

Open market data architectures are being increasingly used to give developers the freedom to innovate and experiment. While this is precisely what’s required to keep pace in a world of constant change, it also means that your IT infrastructure stands at risk of growing increasingly muddled, as developers become more empowered to code in their own way. This is where a single unified platform holds the key, as this is what is ultimately required to best manage the infrastructure, ensuring compliance, control, security and governance, all the while giving developers the freedom to innovate.

Ask yourself a simple question: can I handle the exponential rate of change that is happening all around me? If the answer to that is not a resolute yes, it is time that you invested some thought into how you can. Uber, Airbnb and Netflix are proof that previously classic barriers to entry that once inhibited small players from gaining traction in the market place are breaking down. Nobody said that surviving in such a disruptive landscape would be easy, but with thought and planning, it needn’t be too difficult either.

If you want to find out more about this and how to transform your business in the software-defined era, take a look at what our EMEA CTO Joe Baguley has to say in this blog post.

=======

Ed Hoppitt is a CTO Ambassador & Business Solution Architect, vExpert, for VMware EMEA and is based in the U.K.

Introducing Kanban into IT Operations

By Les Viszlai

Development teams have been using Agile software methodologies since the late 80’s and 90’s, and incremental software development methods can be traced back to the late 50’s.

A question that I am asked a lot is, “Why not run Scrum in IT Operations?”  In my experience, operations teams are trying to solve a different problem.  The nature of demand is different for software development vs the operations side of the IT house.

Basically, Software Development Teams can:

  • Focus their time
  • Share work easily
  • Have work flows that are continuous in nature
  • Generally answer to themselves

While Operations Teams are:

  • Constantly interrupted (virus outbreaks, systems break)
  • Dealing with specialized issues (one off problems)
  • Handling work demands that are not constant (SOX/PCI, patching)
  • Highly interdependent with other groups

In addition, operational problems cross skills boundaries.

What is Kanban?

Kanban is less restrictive than Scrum and has two main rules.

  1. Limit work in progress (WIP)
  2. Visualize the workflow (Value Stream Mapping)

With only two rules, Kanban is an open and flexible methodology that can be easily adapted to any environment.  As a result, IT operations projects, routine operations/production-support work and operational process activities are ideally suited to using a Kanban approach.

Kanban (literally signboard or billboard in Japanese) is a scheduling system for lean and just-in-time (JIT) production. Kanban was originally developed for production manufacturing by Taiichi Ohno, an industrial engineer at Toyota.  One of the main benefits of Kanban for IT Operations is that it will establish an upper limit to the work in progress at any given process point in a system.  Understanding the upper limits of workloads helps avoid the overloading of certain skill sets or subsets of an IT operations team.  As a result, Kanban takes into account the different capabilities of IT operations teams.

Key Terms:

Bottlenecks

Let’s look at our simple example below: IT operations is broken up into various teams that each have specific skill sets and capabilities (not unlike a number of IT shops today). Each IT ops team is capable of performing a certain amount of work in a given timeframe (u/hr). Ops Team 4, in our example below, is the department bottleneck, and we can use Kanban methodology to solve this workflow problem, improve overall efficiencies and complete end-user requests sooner.

[Figure: Kanban Bottlenecks]

As we said earlier, the advantage of adopting a Kanban methodology is that it is less structured than Scrum and is easier for operations teams to adopt. Kanban principles can be applied to any process your IT operations team is already running. The key focus is to keep tasks moving along the value stream.

Flow

Flow, a key term used in Kanban, is the progressive achievement of tasks along the value stream with no stoppages, scrap, or backflows.

  • It’s continuous… any stop or reverse is considered waste.
  • It reduces cycle time – higher quality, better delivery, lower cost

[Figure: Kanban Flow]

Break Out the Whiteboard

Kanban uses a board (electronic or traditional whiteboard) to organize work being done by IT operations.

A key component to this approach is breaking down Work (tasks) in our process flow into Work Item types.  These Work Items can be software related, like new features, modifications or fixes to critical bugs (introduced into production).  Work Items can also be IT services related, such as employee on-boarding, equipment upgrades/replacements, etc.

[Figure: Kanban Board]

The Kanban approach is intended to optimize existing processes already in place.  The basic Kanban board moves from the left to the right. In our example, “New Work” items are tracked as “Stories” and placed in the “Ready” column.  Resources on the team (that have the responsibility or skill set) move the work item into the first stage (column) and begin work.  Once completed the work item is moved into the next column labeled “Done”.  In the example above a different resource was in place as an approver before the work item could move to the next category, repeating for each subsequent column until the Work Item is in production or handed off to an end-user.  The Kanban board also has a fast lane along the bottom. We call this the “silver bullet lane” and use it for Work Items of the highest priority.

How to Succeed with Kanban

In my previous experience as a CIO, the biggest challenge in adopting Kanban in IT operations was cultural.  A key factor in success is the 15 min daily meeting commitment by all teams involved.  In addition, pet projects and low priority items quickly surface and some operations team members are resistant to the sudden spotlight.  (The Kanban board is visible to everyone.)

Agreement on goals is critical for a successful rollout of Kanban for operations.  I initially established the following goals:

  • Business goals
    • Improve lead time predictability
    • Optimize existing processes
      • Improve time to market
      • Control costs
  • Management goals
    • Provide transparency
    • Enable emergence of high maturity
    • Deliver higher quality
    • Simplify prioritization
  • Organizational goals
    • Improve employee satisfaction (remember ops team 4)
    • Provide slack to enable improvement

In addition, we established SLA’s in order to set expectations on delivery times and defined different levels of work priority for the various teams.  This helped ensure that the team was working on the appropriate tasks.

In this example, we defined the priority of work efforts under 5 defined areas: Silver Bullet, Expedite, Fixed Date, Standard and Intangible.

Production issues have the highest priority and are tagged under the Silver Bullet work stream.  High priority or business benefit activities fell under Expedite.  Fixed Date described activities that had an external dependency such as Telco install dates.  And repeatable activities like VM builds or Laptop set-ups would be defined as Standard.  Any other request that had too many variables and undefined activities was tagged as Intangible (a lot of projects fell into this category).

I personally believe that you can’t fix what you can’t measure, but the key to adopting any new measurement process is to start simple.  We initially focused on 4 areas of measurement:

  1. Cycle Time: This measurement is used to track the total days/hours that a work item took to move through the board.  This was the time it took to move through the board once a Work Item moved out of the Ready column.
  2. Due Date Performance: Simply measures the number of Work Items that completed on or before the due date out of the total work items completed.
  3. Blocked Time: This measurement was used to capture the amount of days/hours that work items are stalled in any column.
  4. Queue Time: This measurement was used to track how long work items sat in the Ready column.

These measurements let us know how the Operations team performed in 4 areas:

  • How long items sit before they are started by Operations.
  • Which area/resource within IT is causing blockage for things being done.
  • How good the team is at hitting due dates.
  • The overall time it takes things to move through the system under each Work stream.
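
The four measurements above, computed from a board's move history, as an added example (not code from the original post). The `Ready`/`Production` column names, the `WorkItem` structure, the rule that every item starts in `Ready`, and the sample items are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

READY, FINAL = "Ready", "Production"  # assumed names of the first and last columns

@dataclass
class WorkItem:
    key: str
    stream: str    # work stream, e.g. "Silver Bullet" or "Standard"
    due: datetime
    moves: list    # [(time, column entered)] in board order, starting with Ready
    blocked: list = field(default_factory=list)  # [(start, end)] stalls in any column

def entered(item, column):
    # First time the item entered `column`, or None if it never did.
    return next((t for t, col in item.moves if col == column), None)

def started(item):
    # Time the item was pulled out of Ready; None while it is still waiting.
    return next((t for t, col in item.moves if col != READY), None)

def queue_time(item):  # how long the item sat in Ready before work began
    return started(item) - entered(item, READY) if started(item) else None

def cycle_time(item):  # time from leaving Ready to reaching the final column
    start, done = started(item), entered(item, FINAL)
    return done - start if start and done else None

def blocked_time(item):  # total stalled time, summed over all columns
    return sum((end - start for start, end in item.blocked), timedelta())

def due_date_performance(items):  # share of completed items finished by their due date
    done = [i for i in items if entered(i, FINAL)]
    return sum(entered(i, FINAL) <= i.due for i in done) / len(done) if done else None

def mean_cycle_time_by_stream(items):  # unfinished items are excluded
    buckets = defaultdict(list)
    for i in items:
        if cycle_time(i) is not None:
            buckets[i.stream].append(cycle_time(i))
    return {s: sum(v, timedelta()) / len(v) for s, v in buckets.items()}

D = lambda day, hour, minute=0: datetime(2015, 11, day, hour, minute)
ITEMS = [  # constructed sample board history, not data from the post
    WorkItem("OPS-1", "Standard", D(6, 17), [(D(2, 9), READY), (D(3, 9), "Build"),
             (D(5, 15), FINAL)], blocked=[(D(4, 9), D(4, 17))]),
    WorkItem("OPS-2", "Standard", D(3, 17),
             [(D(2, 9), READY), (D(2, 13), "Build"), (D(4, 13), FINAL)]),
    WorkItem("OPS-3", "Silver Bullet", D(3, 18),
             [(D(3, 10), READY), (D(3, 10, 30), "Fix"), (D(3, 14, 30), FINAL)]),
    WorkItem("OPS-4", "Intangible", D(10, 17), [(D(4, 9), READY)]),  # never started
]
```

Items that are still waiting or in progress return `None` for the measurements that do not apply yet, so they do not skew the averages or the due date ratio.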

Can we use Kanban with DevOps?

The focus on Work In Progress (WIP) and Value Stream Mapping makes Kanban a great option to extend into DevOps. Deploying Work Items becomes just another step in the Kanban process, and with its emphasis on optimizing the whole delivery rather than just the development process, Kanban and DevOps seem like a natural match.

As we saw, workflow is different in Kanban than in Scrum. In a Scrum model, new features and changes are defined for the next sprint. The sprint is then locked down and the work is done over the sprint duration (usually 2 weeks). Locking down the requirements in the next sprint ensures that the team has the necessary time to work without being interrupted with other “urgent” requirements.  And the feedback sessions at the end of the sprints ensure stakeholders approve the delivered work and continue to steer the project as the business changes.

With Kanban, there are no time constraints and the focus is on making sure the work keeps flowing, with no known defects, to the next step.  In addition, limits are placed on WIP as we demonstrated earlier.  This ensures that a maximum number of features or issues can be worked on at a given time. This should allow teams to focus and deliver with higher quality.  In addition, the added benefit of workflow visibility drives urgency, keeps things moving along and highlights areas of improvement.   Remember, Kanban has its origins in manufacturing, and its key focus is on productivity and efficiency of the existing system. With this in mind, Kanban by design, can be extended to incorporate basic aspects of software development and deployment.

In the end, organizations that are adopting DevOps models are looking to increase efficiencies, deploy code faster and respond quicker to business demands. Both the Kanban and Scrum methodologies address different areas of DevOps to greater and lesser degrees.

The advantage of the Kanban system for IT operations is in its ability to create accountability in a very visible system. The visibility of activities, via the Kanban board and its represented Work Items, aids in improving production flow and responsiveness to customer demand.  It also helps shift the team’s focus to quality improvement and teamwork through empowerment and self-monitoring activities.

=========

Les Viszlai is a principal strategist with VMware Advisory Services based in Atlanta, GA.