
Free Kubernetes security tools broaden enterprise choices

Kubernetes security tools have proliferated in 2018, and their growing numbers reflect increased maturity around container security among enterprise IT shops.

The latest additions to this tool category include a feature in Google Kubernetes Engine called Binary Authorization, which can create whitelists of container images and code that are authorized to run on GKE clusters. All other attempts to launch unauthorized apps will fail, and the GKE feature will document them.

Binary Authorization is in public beta. Google will also make the feature available for on-premises deployments through updates to Kritis, an open source project focused on deployment-time policy enforcement.
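For a concrete picture of what the feature described above enforces, here is an added example of a Binary Authorization project policy; it is not from the article, Google or the Kritis project. It assumes the current policy schema (the `evaluationMode`/`enforcementMode` fields and the `<location>.<cluster-name>` rule key), and `PROJECT_ID`, the image path and the attestor name are placeholders.

```yaml
# Added example policy (not from the article or from Google's docs).
# Matches the behaviour the article describes: only allowlisted images may
# launch; anything else is blocked and the attempt is written to the audit log.

# Weak starting point: a fresh project's default policy admits every image,
# so enabling the feature without editing the policy changes nothing.
#   defaultAdmissionRule:
#     evaluationMode: ALWAYS_ALLOW
#     enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG

# Hardened policy.
globalPolicyEvaluationMode: ENABLE   # exempt Google-managed system images (kube-system)
admissionWhitelistPatterns:
- namePattern: gcr.io/PROJECT_ID/trusted-base/*   # explicit allowlist; '*' matches the rest of the path
defaultAdmissionRule:
  evaluationMode: REQUIRE_ATTESTATION             # deny any image without a signed attestation
  enforcementMode: ENFORCED_BLOCK_AND_AUDIT_LOG   # block AND log; DRYRUN_AUDIT_LOG_ONLY would only log
  requireAttestationsBy:
  - projects/PROJECT_ID/attestors/build-verified  # placeholder attestor created by the CI pipeline
clusterAdmissionRules:
  us-central1-a.dev-cluster:                      # per-cluster override, keyed <location>.<cluster-name>
    evaluationMode: REQUIRE_ATTESTATION
    enforcementMode: DRYRUN_AUDIT_LOG_ONLY        # dev cluster: surface violations in logs without blocking
    requireAttestationsBy:
    - projects/PROJECT_ID/attestors/build-verified
```

The check a practitioner wants is the `enforcementMode` line: a policy left in dry-run mode documents unauthorized launches exactly as the article says, but does not stop them.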

Aqua Security also added to the arsenal of Kubernetes security tools at IT pros’ disposal with an open source utility, called kube-hunter, which can be used for penetration testing of Kubernetes clusters. The tool performs passive scans of Kubernetes clusters to look for common vulnerabilities, such as dashboard and management server ports that were left open. These seemingly obvious errors have taken down high-profile companies, such as Tesla, Aviva and Gemalto.

Users can also perform active penetration tests with kube-hunter. In this scenario, the tool attempts to exploit the vulnerabilities it finds as if an attacker has gained access to Kubernetes cluster servers, which may highlight additional vulnerabilities in the environment.


These tools join several other Kubernetes security offerings introduced in 2018 — from Docker Enterprise Edition’s encryption and secure container registry features for the container orchestration platform to Kubernetes support in tools from Qualys and Alert Logic. The growth of Kubernetes security tools indicates the container security conversation has shifted away from ways to secure individual container images and hosts to security at the level of the application and Kubernetes cluster.

“Containers are not foolproof, but container security is good enough for most users at this point,” said Fernando Montenegro, analyst with 451 Research. “The interest in the industry shifts now to how to do security at the orchestration layer and secure broader container deployments.”

GKE throws down the gauntlet for third-party container orchestration tools


Google’s Binary Authorization feature isn’t unique; other on-premises and hybrid cloud Kubernetes tools, such as Docker Enterprise Edition, Mesosphere DC/OS and Red Hat OpenShift, offer similar capabilities to prevent unauthorized container launches on Kubernetes clusters.

However, third-party vendors once again find themselves challenged by a free and open source alternative from Google. Just as Kubernetes supplanted other container orchestration utilities, these additional Kubernetes management features further reduce third-party tools’ competitiveness.

GKE Binary Authorization is one of the first instances of a major cloud provider adding such a feature natively in its Kubernetes service, Montenegro said.

“[A gatekeeper for Kubernetes] is not something nobody’s thought of before, but I haven’t seen much done by other cloud providers on this front yet,” Montenegro said. AWS and Microsoft Azure will almost certainly follow suit.

“The question for users, as cloud providers add these features, is, why go for a third-party tool when the cloud provider does this kind of thing themselves?” Montenegro said.

Aqua Security’s penetration testing tool is unlikely to unseat full-fledged penetration testing tools enterprises use, such as Nmap and Burp Suite, but its focus on Kubernetes vulnerabilities specifically with a free offering will attract some users, Montenegro said.

Aqua Security and its main competitor, Twistlock, also must stay ahead of Kubernetes security features as they’re incorporated into broader enterprise platforms from Google, Cisco and others, Montenegro said.

M-Files cloud subscription turns hybrid with M-Files Online

To reflect users’ desire for flexibility and regulatory shifts in the enterprise content management industry, software vendors are starting to offer options for storing data on premises or in a cloud infrastructure.

The M-Files cloud strategy is a response to these industry changes. The information management software vendor has released M-Files Online, which enables users to manage content both in the cloud and behind a firewall on premises, under one subscription.

While not the first ECM vendor to offer hybrid infrastructure, the company claims that with the new M-Files cloud system, it is the first ECM software provider to provide both under one software subscription.

“What I’ve seen going on is users are trying to do two things at once,” said John Mancini, chief evangelist for the Association of Intelligent Information Management (AIIM). “On one hand, there are a lot of folks that have significant investment in legacy systems. On the other hand, they’re realizing quickly that the old approaches aren’t working anymore and are driving toward modernizing the infrastructure.”

Providing customer flexibility

It’s difficult, time-consuming and expensive to migrate an organization’s entire library of archives or content from on premises to the cloud, yet it’s also the way the industry is moving as emerging technologies like AI and machine learning have to be cloud-based to be able to function. That’s where a hybrid cloud approach can help organizations handle the migration process.


According to a survey by Mancini and AIIM, and sponsored by M-Files, 48% of the 366 professionals surveyed said they are moving toward a hybrid of cloud and on-premises delivery methods for information management over the next year, with 36% saying they are moving toward cloud and 12% staying on premises.

“We still see customers that are less comfortable with moving it all to the cloud and there are certain use cases where that makes sense,” said Mika Javanainen, vice president of product marketing at M-Files. “This is the best way to provide our customers flexibility and make sure they don’t lag behind. They may still run M-Files on premises, but be using the cloud services to add intelligence to your data.”

The M-Files cloud system and its new online offering act as a hub for an organization’s storehouse of information.

“The content resides where it is, but we still provide a unified UI and access to that content and the different repositories,” Javanainen said.

An M-Files Online screenshot shows how the information management company brings together an organization’s content from a variety of repositories.

Moving to the cloud to use AI

While the industry is moving toward cloud-based ECM, 60% of respondents to the AIIM survey still want some form of on-premises storage.

“There are some parts of companies that are quite happy with how they are doing things now, or may understand the benefits of cloud but are resistant to change,” said Greg Milliken, senior vice president of marketing at M-Files. “[M-Files Online] creates an opportunity that allows users that may have an important process they can’t deviate from to access information in the traditional way while allowing other groups or departments to innovate.”

One of the largest cloud drivers is to realize the benefit of emerging business technologies, particularly AI. While AI can conceivably run on premises, that approach is inherently constrained because organizations cannot store enough data on premises.

M-Files cloud computing can open up the capabilities of AI for the vendor’s customers. But for organizations to benefit from AI, they need to overcome fears of the cloud, Mancini said.

“Organizations need to understand that cloud is coming, more data is coming and they need to be more agile,” he said. “They have to understand the need to plug in to AI.”

Potential problems with hybrid clouds

Running the parts of a business that need tighter security on premises and the rest in the cloud sounds good, but it can be difficult to implement, according to Mancini.

“My experience talking to people is that it’s easier said than done,” Mancini said. “Taking something designed in a complicated world and making it work in a simple, iterative cloud world is not the easiest thing to do. Vendors may say we have a cloud offering and an on-premises offering, but the real thing customers want is something seamless between all permutations.”

Regardless of whether an organization manages content through a cloud or behind a firewall, there are undoubtedly dozens of other software systems — file shares, ERP, CRM — that businesses work with and hope to integrate their information with. The real goal of ECM vendors and those in the information management space, according to Mancini, is to get all those repositories working together.

“What you’re trying to get to is a system that is like a set of interchangeable Lego blocks,” Mancini said. “And what we have now is a mishmash of Legos, Duplos, Tinker Toys and erector sets.”

M-Files claims its data hub approach — bringing all the disparate data under one UI via an intelligent metadata layer that plugs into the other systems — succeeds at this.

“We approach this problem by not having to migrate the data — it can reside where it is and we add value by adding insights to the data with AI,” Javanainen said.

M-Files Online, which was released Aug. 21, is generally available to customers. M-Files declined to provide detailed pricing information.

Reflect adds color to Puppet DevOps tools

Data visualization specialist Reflect enlivens the growing Puppet DevOps tool portfolio, but it’s unclear if Puppet’s wares will catch enterprise customers’ attention in a busy marketplace.

The purchase of Reflect, a startup company based in Portland, Ore., shows that Puppet has little choice but to reinvent itself as containers pull users’ attention away from traditional configuration management, analysts said. Data visualization, a way to portray data so that it’s easily understood by people, will also be increasingly important as microservices architectures expand and IT management complexity skyrockets.

“The ability to paint pretty pictures [of data] is not just a ‘nice to have’ feature,” said Charles Betz, analyst at Forrester Research. “It’s important as microservices become more difficult to visualize and manage.”

Puppet didn’t specify its plans to integrate Reflect’s software with its Puppet Enterprise, Puppet Discovery and continuous delivery tools, but competitors in DevOps pipeline tools, such as Electric Cloud and XebiaLabs, recently added monitoring and visualization features to illustrate the health of pipelines. It’s a safe bet Puppet DevOps tools must also move in that direction, Betz said.

“Puppet has non-trivial data stores already, a lot of it systems configuration data that’s very close to the metal in Puppet Enterprise’s core data repository,” he said.


Puppet lacks a data warehouse or data analytics offering to feed into Reflect’s visual tools, but company CEO Sanjay Mirchandani declined to say whether another acquisition or internal IP will fill in that layer of the architecture.

Containers, infrastructure as code invade configuration management’s turf

Enterprise IT shops are overwhelmed by a wall of marketing noise from vendors that want to be their one-stop shop for DevOps. But one vendor or one tool won’t necessarily solve technical problems in infrastructure automation, said Ernest Mueller, director of engineering operations at AlienVault, an IT security firm based in San Mateo, Calif., which plans to reduce its use of Puppet’s configuration management tools.

“As we move to Docker and immutable infrastructure deployments, our goal is to cut the lines of Puppet code we use in half,” Mueller said. “We’re trying to shift configuration management left — adding it at the end just creates problems, because if you try to do the same configuration operation on a thousand different servers, it’s bound to fail on one of them.”

Mueller monitors upgraded capabilities from vendors such as Chef and Puppet, and is interested in a CI/CD process for infrastructure as code. Puppet’s reusable manifests appeal to Mueller more than Chef’s community-maintained cookbooks, but competitor Chef InSpec’s continuous integration-style security and compliance testing intrigues him for infrastructure code.

Overall, though, infrastructure as code testing and deployment still needs a lot of development, and tools are still emerging to help, Mueller said.

“You can’t just apply an application CI/CD tool to infrastructure code,” he said. “In our application unit tests, for example, the best practice is never to call a public API, but what if the code is creating an Amazon Machine Image? The nature of infrastructure as code means there’s no one answer for CI/CD today, and figuring out how to stitch together multiple tools takes a lot of work, without a good reference architecture.”


Presumably, the expanded Puppet DevOps portfolio means Puppet will extend its CI/CD tools’ integrations and coverage beyond Puppet Enterprise code, but right now Continuous Delivery for Puppet Enterprise doesn’t cover other infrastructure as code tools such as HashiCorp’s Terraform, which Mueller’s shop also uses.

A former Puppet user who switched to Red Hat’s Ansible infrastructure automation tool said that, despite Puppet’s acquisitions, he likely won’t re-evaluate its CI/CD tools.

“We’re more interested in things like Netflix’s Spinnaker, which plugs in well to Kubernetes [for container orchestration],” said Andy Domeier, director of technology operations at SPS Commerce, a communications network for supply chain and logistics businesses based in Minneapolis. Spinnaker is a multi-cloud continuous delivery platform open sourced by the same company that made Chaos Monkey.

“Distelli is good for heavy Puppet users, but I wish it had been around earlier. Now there’s just a proliferation of tools to consider.”

Puppet and Chef face game of DevOps musical chairs

As containers and container orchestration tools begin to replace the need for server-level automation in enterprise data centers, configuration management tool vendors such as Puppet and Chef have refocused on higher-order IT infrastructure and application automation. Chef has attacked the space with its homegrown Chef Automate, Chef Habitat and Chef InSpec tools, which add application-focused IT automation to complement the company’s configuration management products. Puppet has expanded its product portfolio through acquisition under Mirchandani, who took over as CEO in 2016. Puppet bought CI/CD and container orchestration vendor Distelli in 2017 and, in early 2018, rereleased some of Distelli’s software as Continuous Delivery for Puppet Enterprise, which performs continuous integration testing and continuous deployment tasks for Puppet’s infrastructure as code.

“Puppet hasn’t had much choice but to develop a strategy that moves into some adjacencies — otherwise Kubernetes is an existential threat,” Betz said.

In addition to Chef, Electric Cloud and XebiaLabs, a Puppet DevOps bid must fend off a horde of competitors from Red Hat to Docker to AWS and Microsoft Azure, and all seek revenues in a relatively small market, Betz said. Forrester estimates the total DevOps tools market size at $1 billion, compared to $2 to $3 billion for application performance monitoring, another relatively niche space. Both those markets are dwarfed by the market for IT service management tools, which Forrester estimates to be an order of magnitude bigger.

“It’s a game of musical chairs, and many of those chairs will be suddenly pulled out, especially if the economy even hiccups,” Betz said. “There’s no question this market will further consolidate.”

IBM keeps pace with evolving IBM business partners

IBM has tasked itself with refocusing its channel strategy to reflect the modern challenges facing IBM business partners and push indirect business activities to outpace its internal business growth.

The vendor last week introduced an ecosystem model to benefit its traditional channel base, while simultaneously encouraging partnerships with more cutting-edge players in the market, such as ISVs, developers, managed service providers and cloud services providers. The revamped strategy streamlines benefits, tools and programs to better engage, enable and incentivize partners.

According to the vendor, partners will soon find it easier and faster to do business with IBM, including business around software-as-a-service offerings. IBM also revised its rules of engagement and said it would shift more accounts to partner coverage.

“IBM has spent the last several years transforming everything about [itself] from a hardware … a software and a services [perspective]. We know it has become very clear that the ecosystem (both our core channel partners and the new ecosystem that we are going after this year) … is requiring us to change,” said John Teltsch, general manager of global IBM business partners.


IBM currently works with about 19,000 partners worldwide. Over the past several years, the company has transformed itself from a hardware-focused vendor into one that embraces software, services and cloud computing. The transition has included a heavy investment in cognitive computing, an area that IBM has urged partners to incorporate into their offerings.

With this latest shift in IBM ecosystem strategy, the company has set its sights on even greater market dominance in a range of technology categories.

“The growth they are looking to get is huge,” said Steve White, program vice president of channels and alliances at IDC.

Adapting to digital disruption


Teltsch said the revamped strategy recognizes the changes that digital transformation has wrought on customers and IBM business partners alike. “We need to adjust how we engage our partners, as the digital disruption continues to impact every part of our clients, our partners and our distributors’ way of going to market,” he said. “As we continue to move more of our hardware and software to ‘as a service’ type offerings … we need to leverage this new ecosystem and our core set of partners as they evolve and change their businesses.”

Although firmly committed to expanding the IBM ecosystem, Teltsch acknowledged that executing the new strategy has its challenges.

For one thing, IBM must evolve internally to help its traditional partners adopt modern business models. For example, Teltsch said, many of IBM’s hardware partners are moving from selling solely hardware to offering managed services. “We have a lot of partners that are looking for our help as they transform their own businesses and modernize themselves into this digital world. As we are changing internally … we are helping [partners globally] modernize themselves,” he said.

Ginni Rometty, chairman, president and CEO of IBM, discusses Watson with IBM business partners at PartnerWorld Leadership Conference 2017.

IBM to lower barrier of entry for new partners

Another challenge IBM faces is changing how it brings new IBM business partners into the fold. Teltsch said he aims to lower the barrier of entry, especially for “the new generation of partners … that don’t traditionally think of IBM today, or think of IBM as too large, too complex [and] not really approachable.”

“We have to simplify and lower the barrier of entry for all of [the] new partners, as well as our existing core partners to come into IBM,” he added.

To help address these challenges, IBM plans to adjust its tools, certifications, systems and contracts, Teltsch said. Additionally, the vendor will continue building out its digital capabilities to better meet the needs of core partners and the expanding IBM ecosystem.

White said he thinks IBM is trying to do the right thing through its channel refocus, yet he noted that IBM’s massive size makes for a complex shift. However, partners will likely appreciate the clarity the vendor adds to its channel strategy, he said.

According to Teltsch, the new ecosystem strategy is slated to go into effect April 10.