The DevOps.com Podcast

A new podcast for the new DevOps.com website hosted by Mitchell Ashley and Alan Shimel. This is the introduction episode with a review of the first articles on DevOps.com

In this episode I am once again joined by my co-host, Mitchell Ashley and our guest is Michael Sutton, VP of security research at Zscaler. The topic is APT: Advanced Persistent Threat, the security threat everyone loves to hate. Many people think that APT have been over-hyped by both the infosec media and APT vendors who have ridden the APT scare to fame and fortune (well to fortune anyway).  But APTs are real. Whether by spear phishing or water hole drive by downloads, targets are being infected with APT attacks, Once infected they are used to first infiltrate and then exfiltrate from high value networks. Some APTs are the work of nation-state entities for strategic goals, others are financial in motivation. But they are seldom random.  Michael tells what Zscaler is doing to combat APTs. Mitchell and I have our own views on this whole class of attack and it makes for a good listen.   Enjoy! 

Sort of like Dean and Jerry getting back together Mitchell Ashley and I are podcasting together again! It was like old times with Mitchell as we settle into speak about what he has been up to over the last few years. We discuss the recent AWS re:Invent conference, the cloud, IT, DevOps, etc. We only take this out for a 20 minute spin so it is a quick listen. Hope you find it as interesting and fun as we did. We will be hosting another episode next week with a special guest as we discuss APT. Here are links to some of the stuff Mitchell and I discussed: Bblog post on CIO role: http://goo.gl/fzH5K The CIO Role - From Tech Manager to IT Services Broker AWS reference architectures. - cloud bursting - https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-bursting-reference-architecture-feat-pearce - cloud migration - https://devcentral.f5.com/articles/aws-reinvent-2013-cloud-migration-reference-architecture-feat-pearce#.UoZvkGRgZIA

The University of Idaho was fined over 400k by the Departmenet of HHS recently for a breach that involved a clinic operated by the university turning their firewall off for 10 months. That seems pretty obvious to security folks, but goes to show that HIPAA fines are real. I am joined in this podcast by Steve Spearman of Health Security Solutions, Billy Austin of iScan Online and Tim Woods of Firemon as we talk about what you can do to keep your firewalls up, secure your endpoints, find ePHI and avoid being the next big HIPAA story. Enjoy!

HIPAA, HITECH and other regulatory compliance mandates have given many a health care professional headaches. It is hard enough practicing health care, dealing with complex insurance regulations and running a business. Making sure you comply with the latest patient confidentiality and security laws are frankly beyond many health care providers. Who are they going to call? That is where Steve Spearman and his company Health Security Solutions comes in. Steve's company have become the HIPAA experts for health care providers throughout the country. I had a chance to speak with Steve and find out how he makes these complex regulatory compliance issues doable for the doctors. Have a listen and you can learn too!

This episode of the Open Network is with Jason Brvenik, VP of Security Strategy at Sourcefire. Jason and I speak about the recent trend in security that acknowledges that successful attacks happen and we need to put resources into response, potentially at the expense of resources dedicated to prevention. Which is more important? Jason's expertise in security gives us great insight into this question as well as some great advice for what you need to do in putting your security strategy in place. Enjoy!

One of my favorite people in the security industry is my friend Wendy Nather, Director of Security Research for 451 Research. Wendy has a new report coming out on the "real cost of security". This is somewhat of a follow up to her earlier "security below the poverty line" report. Wendy likes to look at what type of security CISO's think they need and what it actually costs. It is always educational and fun to hear what Wendy has to say. Enjoy!

I am very pleased to report that once again the good folks over at Microsoft's Trustworthy Computing Group have agreed to sponsor the Security Bloggers Network.  The SBN has a long history of working with TWC and we are happy to work with them again. Microsoft is holding their second annual Security Development Conference in San Francisco, May 14-15, 2013. The conference will feature Scott Charney, Corporate VP Trustworthy Computing, Microsoft; Edna M Conway, Chief Security Strategist Global Supply Chain, Cisco Systems; Brad Arkin, Senior Director of Security Adobe Secure Software, Engineering Team (ASSET). Conference specialty tracks target three different types of professionals: Engineers, Project Management, and Leadership. Combining keynotes from thought leaders as well as specialized breakout sessions, this conference is a can’t-miss for security professionals at any level. You can register now! I had a chance to chat with director of TWC Tim Raines. We were going to talk about the conference, but Tim and I started talking about the TWC, the world of security and what the challenges on the horizon are. By the time we were done, we never got to the conference, LOL! Anyway, I think you will find the conversation very interesting. Enjoy and if you can go to the conference.

This third in a series of podcasts about RSA 2013 and the the Alert Logic partner pavilion is with Urvish Vashi, VP of marketing at Alert Logic. Urvish gives us the behind the scenes thinking on why Alert Logic thought it was important that they exhibit with some of their leading partners at RSA this year. He also tells us that it was not difficult to convince these partners that exhibiting at RSA was good for them. In fact it was somewhat of a no brainer for them. I know Urvish for many years and he is a sharp thinker who understands the market and the technology. This is a short conversation and well worth the time to listen in.

RSA Conference is where the world gathers around information security.  This year in addition to their own exhibit, Alert Logic is also hosting a partner pavilion where 5 of the leading hosting and cloud providers in the world will be exhibiting as well. I had a chance to speak with Chris Patterson, VP of Product Management at Navisite, one of the Alert Logic Partners exhibiting. Chris is one of the driving forces behind the Navi cloud.  He also has some great insight into the state of cloud security and what market drivers are influencing the direction of future innovation. Chris shares some great insight into Navisite's offerings including not just cloud, but security, managed desktop and the state of the market. It is a great conversation and worth the listen!

RSA Conference is THE information security event of the year. My friends at Alert Logic in addition to exhibiting themselves have set up a partners pavilion this year. The pavilion features some of the leading cloud and hosting providers in the world. I had a chance to catch up with a representative from one of these partners, Sunguard Availability Services in this episode of Security.exe. Cara Camping, Product Manager, Managed Security Services for Sunguard AS is my guest. Cara talks about Sunguard's approach to security in depth, why they partner with Alert Logic and what they expect from exhibiting at RSA Conference. Below are two slides that give some detail to what Cara is talking about: Have a listen and learn about Sunguard managed security.

IBM's VP of marketing and strategy for SMB, Ed Abrams is my guest on this episode of the Open Network. Ed discusses the findings in the 2012 IBM Trends Report. The trends pointing to the future for the midmarket are very dramatic. First it seems that security is no longer an inhibitor to cloud adoption for the midmarket and SMB. This segment is moving to the cloud in a big way. Ed says that this is being done with the help of MSPs. This trend will accelerate in the months to come. Based on the findings in this report IBM is moving a lot of attention to this market. If you are servicing the SMB and midmarket, perhaps you should too!

Over the last month I have sat down with several of my friends in various tech sectors to discuss the happenings of the past year and what may lay ahead in the coming year. In this episode I speak with my friend David Wartell, VP of server backup at Idera. David is a long time player in the world of Backup and his insights into where the market is going are very insightful. Factors like the cloud, backup as a service and virtualization have turned this market upside down. This will create opportunities for new leaders to emerge. Who will be the winners and what will make them so? Listen to what David has to say to find out.

I had a chance to speak with Dr. Rich Wolski, CTO of Eucalyptus Systems. Eucalyptus open source cloud management software makes it possible to have AWS compatible private clouds and hybrid clouds. They have been getting a lot of traction lately in the very competitive open source cloud space. I spoke with Dr. Wolski about Eucalyptus, the state of the cloud and could we see in the future a Eucalyptus that works with Open Stack. His answer may surprise you. Rich Wolski is one of the pioneers of cloud computing and always a great interview. Enjoy!

Building new app marketplaces is the business of AppDirect. They are allowing companies to create instant app marketplaces for their customers. Actually there is an entire ecosystem to these app marketplaces though. From the app developers themselves who want their apps in these marketplaces, to the companies wanting to offer the marketplaces, this is a far reaching ecosystem. When you think about it, it is not just a list of apps. Billing, management and updates are all part of the equation. I had a chance to sit down and talk with Daniel Saks, co-founder and CEO, AppDirect, Jonathan Rende, Vice President of product, Appcelerator, Mike Borozdin, Director of integration development, DocuSign. These three companies are all blazing trails in delivering cloud based and mobile apps. It is an interesting conversation, running about 20 minutes. There was a slight audio problem when introducing Daniel Saks, but that is just a few seconds. Enjoy the podcast!

Nothing like a disaster to show you how important it is to plan for one. With the super storm Sandy wreaking havoc in the Northeast, many an organization is realizing that their disaster recovery plan was either out of date or even worse non-existent. Of course the lesson is a painful and costly one, but perhaps it will help others to better plan in the future. I had a chance to speak with Rachel Dines, senior analyst at Forrester for disaster recovery and business continuity. Rachel recently published the latest in a line of analysis recommending that companies need to update their planning from Disaster Recovery to Technology Resiliency. Have a listen to our conversation and right after head over to http://forr.com/BTRfree as Forrester has lowered their paywall and made a whole set of reports on DR available for free during the month of November. Don't miss this!

In the spirit of Halloween, here are some IT Horror stories courtesy of Nimmy Reichenberg of Algosec and Matthew Pascucci, security researcher and analyst. Listen in to these horror stories of what can happen if you don't follow best practices! Happy Halloween!

Recently emerged from stealth, Metacloud is bringing Managed Private Cloud-as-a-Service to you. Based on OpenStack, the managed cloud service can be run on your own equipment from any data center or location you desire. The folks behind MetaCloud team have managed some of the largest cloud instances in the world and have the experience and expertise to manage yours. Listen in as I speak with co-founders Steve Curry and Sean Lynch as they explain why even Jerry Yang, co-founder of Yahoo invested in their idea of a managed cloud future.

In the current political climate a big theme is taking personal responsibility rather than relying on the government. In security responsibility has always been a big thing. Who is responsible for security an organizations digital assets and ensuring network performance and integrity. The recent case of PACTCO v Peoples United Bank has called the whole question of security responsibility into question. Should a bank be liable of a commercial customer was tricked into giving up its online banking credentials? How can a bank know when it is actually the customer versus someone who has stolen their log in? When is the customer liable for their own negligence? My friend Jody Brazil, President of Firemon wrote a good blog article on this.I had a chance to sit down with Jody and discuss it on this episode of the open network.

Gary Brooks started CloudAccess.net when he realized that the Joomla community needed a better solution to host demo sites that people were setting up to check out Joomla. He now hosts up to 20,000 new demo sites a month and a good portion of them become permanent. Over the years Gary has added other services to his Platform-as-a-Service offering at CloudAccess.net, including data back up and DR. I had a chance to sit down with Gary and talk about his success in building a company around an open source project and what he sees as new exciting trends in the market.

Aerospike, the former Citrusleaf has announced a new round of funding, the acquisition of Alchemy DB and bold new agenda to "rocket" to the top of the NoSQL Big Data market. I sat down with SRINI V. SRINIVASAN, Founder & VP Engineering & Operations and Don Haderle, who is known as the “Father of DB2 and a technology advisor to Aerospike. Have a listed to how they see the market and how they aim to become a leader in it.

Roger Grimes put forth that very idea a while back in his InfoWorld column. Roger admittedly was making a provocative statement, but he has some strong feelings on the subject. Roger feels that the threats today have outgrown simple firewalls. Most attacks are web based using port 80 and easily bypass firewalls.The age of buffer overflows are past and so should be the age of firewalls. Next Gen Firewalls you ask? Don't bother. Roger says while they have been great marketing them, no one is actually using them. Obviously there are some people who disagree. Joining Roger and I on the panel today are Jody Brazil, President of Firemon and Andrew Braunberg, a well known security analyst. Listen in as Roger, Jody, Andrew and I discuss the future of firewalls and what role they will play. Enjoy!

Could you go for a full year living open source? Not just software or even hardware, but opens source everything? A Berlin man, Sam Muirhead is going to try and do just that. From the clothes he wears to the food he eats, to designs of tools he uses, Sam is going to try and do it all with open source. I had a chance to speak with before he embarks on his year of open source, August 1. Enjoy!

Join Dave Cullinane, former CISO of eBay, Skpe and PayPal as we discuss Allgress with Jeff Bennett, its President and COO. Allgress just launched from stealth mode where it has been working with CISOs such as Dave in bringing a more efficient and meaningful view into risk management and GRC. Whether you are using Allgress to supplement your existing GRC solution or as your sole GRC solution, Allgress has been built and tested by and for leading CISOs like Dave Cullinane. It is a great interview with some great insights from a real security luminary like Dave and great insight into an exciting new security company, Allgress! Here are Dave's and Jeff's backgrounds: Dave Cullinane Dave Cullinane is a globally recognized leader and visionary in the IT security industry. He served for five years as a vice president and Chief Information Security Officer (CISO) for eBay, where he was responsible for global fraud, risk and security strategy and programs that provided security for eBay and its many global businesses, including StubHub, InternetAuction.co, and GSI Commerce. Prior to joining eBay, Dave was the CISO for one of the largest banks in the United States. He has more than 30 years of IT security experience and is a Certified Information Systems Security Professional (CISSP) and a former Certified Business Continuity Professional (CBCP). Dave is a founding member and chairman of the board of the Cloud Security Alliance (CSA). He is the past president and chairman of the IT-ISAC, an organization dedicated to sharing security related information across companies in the IT industry. He served as a member of the IT Sector Coordinating Council and the National Council of ISACs. He is an ISSA Fellow, and was recently elected to the ISSA Hall of Fame. He serves on ASIS International's CSO Roundtable Committee and is on the Editorial Advisory Board of CSO Magazine and SC Magazine. He was awarded SC Magazine’s Global Award as Chief Security Officer of the Year for 2005 and CSO Magazine’s 2006 Compass Award as a “Visionary Leader of the Security Profession.” In 2012 he was awarded SecureWorld’s first Lifetime Achievement Award for his outstanding contributions to the advancement of the information security community. Jeff Bennett, Founder, President and Chief Operating Officer Jeff Bennett brings almost two decades of business leadership, product development, and IT security and compliance industry experience to the company. A serial entrepreneur, he has founded and led several companies, including digital defense services firms SiegeWorks and SiegeWorks International. In 2006, FishNet Security, the nation's leading provider of information security solutions that combine technology, services, support and training, acquired SiegeWorks. Following the acquisition, Bennett served as executive vice president of services at FishNet. He has served on the advisory boards of other leading security providers. Bennett holds a Bachelor of Science Degree in Business Administration from California State University at Hayward.

With all of the talk around cloud and mobile, the real killer app for security may very well be identity and access control. There are some great open source solutions around access control, but at the enterprise level more functionality and scale are needed. Fox Technologies has developed that kind of application. I had a chance to sit down and talk with Fox Technologies CEO Subhash Tantry about how Fox is helping companies with both their security and compliance needs. If you are not familiar with Fox Technologies and access control solutions, you should really have a listen. Enjoy!

The perfect storm of the cloud, big data and mobile has created the environment where we are seeing more choice and more opportunity in the database market then we have seen in a long time. In today's podcast I am joined by executives of 3 different database companies. James Phillips, co-founder of Couchbase, a leading NoSQL company, Razi Sharir, CEO of Xeround, a SaaS MySQL company and Ed Boyajian, CEO of EnterpriseDB, the company behind commercial versions of PostgreSQL database. The four of us discuss how to choose the best database for your cloud applications. It may be that you need more than one. We also discuss the current state of the market and best practices in database design and management today. We also talk about what may be ahead in the DB market. All in all a great discussion on cloud databases! Enjoy

Dave Jilk of Standing Cloud is my guest this week. We discuss what Dave calls the "cloud orchestration" layer. This is what allows apps, developers to talk to cloud infrastructures and allows one cloud to talk to another (at some level anyway). Dave and the folks at Standing Cloud have been playing in this area almost since the beginning. Enjoy!