CloudGovCo

#CloudServices bring new administrative challenges because of the huge number of services and the flexibility and complexity in pricing models. Without good administrative practices #CloudCosts can escalate quickly in excess of budgeted operational expenses. Key industry practices are:

• Maintain a catalogue of approved cloud services
• Establish a strategic budget for migrating to the cloud
• Continuous cost optimization
• Trend usage patterns overall
• Decompose usage down to a region, availability zone, project or service team
• Make informed decisions about acquisition of reserved instances
• Make informed decisions about the allocation or reallocation of cloud resources

Hybrid project management methods merging waterfall and agile on larger projects are becoming common, as people struggle with resistance to wholesale change.

This is not very effective.

There are two main issues:

1. The waterfall process will always be the longer pole, so projects will not take less time. Activities in a phase might be agile, but they are still working to a waterfall milestone and phase gate.

Time to launch is the most important KPI because it incorporates all cost factors. (We used to use time to market for the same reason.)

Research has shown that the cost of time is greater than the cost of effort, so project methods with concurrent activities are best because they minimise time.

2. Agile methods don’t scale. Large projects cannot be chunked successfully across a large number of agile teams. Putting aside administrative issues, the core problem is the train wreck of managing the many code branches and merging back into the main trunk.

Note that CI/CD pipelines do not use branching.  (They can but they shouldn’t.)

Research is also finding that an over-reliance on Agile can impose a 20% non-productive burden. Critical Chain method (not critical path) can be better. Six Sigma Lean/Kanban is perhaps best.

A counter-intuitive method is shown in the attached graphic from a presentation I did last year. This was developed by Toyota. Instead of using early start date as you would in critical path method, it uses the late start date. This pushes all activities up against the project deadline, with no slack time or buffers between activities. Everything is on the critical path.

This goes against everything project managers are  taught. PMs try to keep things off the critical path.

However, Toyota puts a buffer at the end of the project; thus guaranteeing finish on schedule.

The big advantage is that the method defines requirements as late as possible, so they reflect the latest needs, and the project uses the most recent technology, so it is efficient. It also reduces change orders.

It is also massively parallel (concurrent) so it reduces time to launch, thus providing faster feedback and releasing people for other projects. Because it’s parallel it uses multi-discipline project teams, which are usually more innovative and goal driven.

A lot of this has been known in continuous improvement process for decades, but it hasn’t trickled into project management. Concurrent development, for example, emerged in japan in the 1990s. Waterfall, developed in the 1950s for the USA military, has really acculturated people to linear step-1 step-2 thinking.

Recently, and possibly due to the pandemic, there has been a flurry of organizations looking for help in developing total cost of ownership (TCO) analyses for cloud migrations.

This is the wrong question, and the clue is in the name: Ownership. You don’t own any assets in the cloud, you subscribe, lease or rent them.

TCO comes from an on-premises mindset where you use a capital expense (CapX) to purchase an asset and defray it over a 10-year period, often with a midlife refresh. Cloud uses an operational expense (OpX) to pay day-to-day out-of-pocket costs for cloud services.

Cloud expenses should not be forecast beyond three years (five at most) because the technology, features, services and costs change rapidly. Instead of TCO use a three-to-five year Return on Investment (ROI).

Beside changing the operational model of the IT department, migrating to cloud causes financial headaches. Changing the financial model from CapX to OpX is challenging. Many organizations don’t want to show an increase in day-to-day operational expense because this is easily scrutinized by stakeholders. Capital investments, depreciation schedules and return on investment are harder to understand and easier to hide.

Finally, nobody should expect to save money in the cloud. Yes, this was the idea six years ago but in most cases cloud will be more expensive.

The business case for cloud is really about speedy development (time to market), scalability, resilience and availability — not cost. Except cost savings from reducing IT personnel which many organizations with unions are often reluctant to do. And, of course, reducing time to market is itself a cost savings and an open door to more innovation and opportunity.

To understand a few aspects of the cost issue, consider a solution on premises that has three tiers with separate servers. In the cloud it might have six or more using horizontal scaling groups plus load balancers and other services, plus data-transfer and monitoring costs, and more.

Now consider the case where the three tiers are virtual machines (VMs) on premises using VMware on a honking big server with maybe 32 CPUs. To begin, VMware on premises is very cost competitive with native cloud so it is difficult to show a business case on this basis.

Furthermore, this big server will be hosting many other VMs. Moving the workload for our three-tier solution to the cloud will not reduce the cost of the VMware licence or the cost of the server hardware. We will not be able to reduce expenses and take a tax break for decommissioning the hardware.

Another cost element is that by default cloud solutions should be architected for high availability using multi-zone multi-region designs. This in itself is a higher cost factor; whereas, again, this is not usually the case on premises.

Also, many organizations do not have in place effective cloud vendor-management; and do not have the capability to monitor and optimize cloud costs on a weekly basis. Nor do they have the mindset to automate to the degree desirable in cloud operations using Site Reliability Engineering (SRE).

Finally, rather than looking for cost savings, organizations should have a separate investment budget to fund a strategic transition to cloud operations over a five- to 10-year period.

This week we are offering a free eBook on developing a governance framework for cloud computing. (Link at the end.)

Cloud computing is central to digital transformation. It enables organizations to procure their IT on-demand and as-a-service, scaling up and down as required. But cloud is complex and challenging. And services are often procured ad hoc with no oversight or synergy. This eBook presents an oversight framework for the IT cloud based on five basic governance principles, and Agile and Lean practices. It doesn’t recommend but does show how to use bimodal means to leverage existing processes and map cloud governance to classical IT project governance that uses phase gates. The framework is based on best industry practices, and is mature with >60 checklists to ensure a practical and effective governance process. It will be challenging to adopt in organizations wedded to linear thinking and/or a classical waterfall environment for projects. In many cases organizations will try to redefine new and better practices so they fit into existing models of processes and cultural behaviour. https://cloudgovco.com/wp-content/uploads/2019/02/cloudGovernanceFramework.pdf

The Coronavirus is wreaking havoc on everything in our lives. It’s hard to find something that hasn’t been impacted in a major way as we attempt to limit the spread of the virus. Cloud security professionals should pay close attention to how our online needs are rapidly changing — these new adjustments are more than just necessary to make things work in the interim. The workarounds to keep our lives as normal as possible could permanently define the way we work, study, and do business from here on out.  

At Nightfall we put together a list of eight ways COVID-19 is making an impact on common things we use and interact with every day. A main takeaway should be that none of these are new problems, just that COVID-19 is shining a light on them. And in most cases, making these problems even worse.       

#1: Schools are struggling to adapt to remote instruction and facing vulnerabilities brought on by COVID

Distance learning is putting a strain on security as schools scramble to protect student data

The issue: School districts in the United States typically face big challenges with cybersecurity and protecting student data. This is often due to a lack of funding and/or allocated resources for an IT team to keep up with the district’s security needs. Accidental sources of data leaks like misconfigured systems or unsecured third- and fourth-party vendors leave school districts at high risk of security breaches in school districts.  

Wired Magazine reported on how the pandemic is amplifying these risks with the massive rush to transition to distance learning in the spring. Suddenly, millions of teachers and students relied on video chat software, lesson portals, digital message boards, and other online tools. The goal is to retain education continuity for students, but security is often an afterthought in the haste to get virtual learning resources online.  

Impact on cloud security: Many of the most popular online education resources, like Zoom, can easily become an attack vector without proper authentication and controls setup. Remote tools like VPNs that connect students to teachers and resources are also high-risk. At the end of June, the Federal Bureau of Investigation issued a security alert about the threat of ransomware to schools amidst the Covid-19 crisis. “K-12 institutions have limited resources to dedicate to network defense, leaving them vulnerable to cyber attacks,” the FBI warned, according to a ZDNet report.  

In the month of June alone, Wired reported more than 4.7 million malware incidents were detected in the education industry broadly worldwide, according to Microsoft’s Global Threat Activity tracker — more than 60% of all the corporate and institutional malware incidents reported during that time.   

As schools across the world gear up to get back to learning in the fall, it’s clear that cybersecurity should be a top priority to ensure data safety for students and business continuity for the educational institutions.

#2: Social engineering hacks are increasing by feeding on the fear of the virus and misinformation

Social engineering hacks are on the rise thanks to vulnerabilities caused by COVID-19

The issue: Social engineering hacks have always been a thorn in the side of IT departments. During times of crisis, users will rush to resources to stay informed and connected. COVID-19 has created the perfect environment for scams: the increased demand for accurate information on health and safety and government mandates has led to the explosion of misinformation about the outbreak, often coming from websites that spread malware or from other unsecured resources.  

Everyone is more dependent on the Internet now — and many of the most used platforms and apps operate in the cloud. Users face challenges almost every day, with increased DDoS attacks on public-sector websites, phishing attempts, and other threats cloaked as legitimate COVID-19 information. It’s getting harder to separate the noise from the truth. Global crises like COVID-19 easily dismantle cybersecurity standards because they put a tremendous strain on resources and increase stress and anxiety among the end users. When defenses are down, social engineering attacks go up.  

Impact on cloud security: InfoWorld reported that cyberattacks have spiked during the first half of 2020. The FBI noted that as of May 28, it had received nearly the same number of complaints for this calendar year as for all of 2019. Social distancing is highly encouraged to help stop the spread of the virus. As we remain apart, we seek out more ways to stay connected. Increasingly, this means we’re communicating in the cloud — and the cloud isn’t the safest place by default. Protecting personally identifiable information (PII) is essential. IT teams must find ways to balance access to cloud systems and apps with strong security measures.      

#3: SMBs are increased risk of compromising their cloud systems with COVID-19

Small businesses are at increased risk of cybersecurity incidents with strained budgets, especially with COVID

The issue: Small and medium-sized businesses (SMBs) typically struggle with huge technical debt, especially when it comes to cybersecurity. Running a small business means every penny counts. In many budgets, tech and cybersecurity don’t have a line item. Security Magazine reported that in December 2019, 64% of small businesses said they were planning to devote more resources to cybersecurity in 2020. But in the wake of COVID-19 and the economic downturn, these planned improvements are likely to be deprioritized.   

Impact on cloud security: The report in Security Magazine polled 383 SMB owners and managers and found that 15% experienced a major security event in 2019:  

• 7% were hacked
• 5% dealt with a virus
• 3% suffered a data breach 

SMBs moving their operations online means they bring their cybersecurity threats with them. All their attack vectors can quickly become vectors for other users if they connect to cloud apps. A strained budget that can’t support proper cloud security measures puts everyone in danger. It’s a difficult balance for SMBs who are seeking to keep their businesses afloat.      

#4: Tracking apps rushed to market pose high risk of getting hacked 

Contact tracing is still a new feature in the fight against COVID-19 — meaning security isn’t always put first

The issue: One solution to reintegrating employees back into offices and other workplaces is contact tracing apps. It’s one way to track who an infected person may have had contact with, and thus reduce the risk of spreading infection into the workplace. The problem with these apps is that they’re relatively new and have been rushed to market, leaving them open to hacks and other data leaks.   

The lack of security oversight was exposed in May, when the state of North Dakota conceded that its smartphone app, Care19, had been sending users’ location data to the digital marketing service Foursquare. Qatar’s national COVID-19 tracking app had a flaw with the most dire potential consequences: it would have allowed hackers to obtain sensitive information on more than one million users, including their names, national IDs, health status, and location data.  

Impact on cloud security: The big hurry to push the apps to market led to these and many other problems. After an app in the Netherlands exposed about 200 people’s names, email addresses and encrypted passwords, one of its co-developers said the breach was due to a rush to publicly release the app’s code.   

“The speed and scale transitioned at such a rate that they didn’t really consider security in the beginning,” said Kelvin Coleman, executive director of the National Cyber Security Alliance. “It was a topic for them, but not top of mind.”

#5: COVID-19 is straining healthcare budgets and IT resources

Healthcare IT departments are under more stress than ever

The issue: Coronavirus is surging across the U.S., with more cases confirmed and more hospitalizations reported every day. Healthcare resources everywhere are being pushed to the limit, from available hospital beds to a lack of personal protective equipment for medical professionals. As with the other industries and sectors on this list impacted by COVID-19, healthcare IT is also facing strained budgets and resources, leaving these IT departments at higher risk of a breach or cyberattack.  

Healthcare Finance News cited a Department of Health and Human Services report from June on the increase in cybersecurity breaches in hospitals and healthcare providers’ networks which may be due to COVID-19. Between the months of February and May of this year, there have been 132 reported breaches, according to the HHS. This is an almost 50% increase in reported breaches during the same time last year.  

Impact on cloud security: A lack of security oversight and rushed cloud adoption is the main contributor to the increased risk. Remote healthcare relies on apps and portals, which may not be up to required security standards. Data leaks and other vulnerabilities can spill massive amounts of protected health information (PHI) outside the organization. Temporary medical facilities are essential in the fight against COVID-19, but these were created with patient care and treatment in mind. Cybersecurity was not part of the plan in the coronavirus response. Any unsecured access point in the healthcare chain can have devastating security impact.  

“The healthcare industry has, in the past few years, been one of the most targeted industries for cybercriminals. So it’s only natural that at a time of crisis, we are seeing more and more attacks on the healthcare industry,” said Natali Tshuva, CEO and cofounder of Sternum, an IoT cybersecurity company that provides medical device manufacturers with built-in security solutions.

#6: Remote work puts more cybersecurity responsibility on end users

Many of us are working from home these days — what are the costs of data security?

The issue: Working from home has become the new norm for many, especially in the tech industry. This shift to remote work was borne out of necessity to slow the spread of COVID-19, but the reported increase in productivity among workers and potential reduced operating costs for organizations may extend these privileges well beyond the pandemic.  

Unfortunately, current work from home policies don’t always include tight security controls for ender users. Security Magazine reports 56% of employees are using their personal computers as their company’s go remote in response to COVID-19, and nearly 25% of employees working from home don’t know what security protocols are in place on their device.  

Impact on cloud security: More organizations are turning to chat and collaboration apps like Slack and Microsoft Teams. According to the Security Magazine report, 20% of workers said their IT team had not provided any tips as they shifted to working from home, and workers acknowledged they were the least cautious in using these types of services.   

The onus is to keep data and systems secure has shifted to the end user, but without proper security tools in place, the integrity of entire cloud systems is at risk. Remote workers need support from their IT departments to make security a priority every day.

#7: COVID increases security risks for the fintech industry 

Banking and finance cybersecurity firms are on higher alert due to the pandemic

The issue: The healthcare industry, fintech is suffering increased security risks from COVID-19. Reduced budgets and staffing due to the economic downturn have stretched the capacity of IT teams in this industry, with a 238% surge in cyberattacks against banks, new research claims since the pandemic began.  

According to the third edition of the Modern Bank Heists report from VMware Carbon Black, which includes input from 25 CIOS at major financial institutions, 80% of firms have experienced more cyberattacks over the past 12 months, an increase of 13% year-over-year. 

Impact on cloud security: The Modern Bank Heists report shows that 27% of all cyberattacks target either banks or the healthcare sector. These industries share a lot of the same indicators: similar detectors (PII data is used in both), strict government and industry regulations (like HIPAA or GLBA), and massive stakes in a cybersecurity breach.   

Leaked bank or health records can lead to massive exposure liability for an organization. As more systems are being backed up in the cloud, fintech companies must strengthen their data controls to prevent business-critical PII from improper access and exposure.       

#8: Incredibly high demand for online shopping strains e-commerce and shipping security

Online shopping is easing some of the pain of isolation, but demand for fast shipping and in-stock products is giving scammers more room to operate

The issue: Shipping for e-commerce orders is impacted due to increasingly high demand of online orders. It’s safer for our health to stay home and shop on our computers and mobile devices — but how does this shift impact cybersecurity?   

For shipping providers and e-commerce businesses, the goal is to sell more items and ship more packages, all at a faster rate. Security takes a backseat to the goals that drive revenue for these companies. The pandemic has upended global delivery systems as countries close their borders and companies reduce their workforces. Estimates from Facteus say consumer spending on Amazon is up 35% compared with last year.  

Impact on cloud security: COVID has touched e-commerce cybersecurity as well. The increase in delivery demand has allowed phishing emails scams to thrive. As customers turn to more websites to fill their need for groceries, medication, and other essentials, they put more of their data out into the world. A well-meaning employee could be using their cloud-connected work computer or device to place an online order, unaware of the possible data exfiltration danger lurking on untrusted sites. All it takes it one order on an unsecured site for sensitive data to be exposed.       

Curtailing COVID cybersecurity challenges

Maintaining business and security continuity during a global pandemic is a tough task. Many of us are already taxed and tired from the everyday stress of dealing with uncertain times. Cybersecurity should be a priority for all teams, in all industries. By relying on automated DLP solutions like Nightfall, your organization can relieve some of the pressure of keeping data safe. More focus on security is just good business sense.

This post originally appeared on Nightfall and is reproduced here with permission.

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack and GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.

#CloudServices bring new administrative challenges because of the flexibility and complexity in pricing models. Without good administrative practices #CloudCosts can escalate quickly in excess of budgeted operational expenses. Key industry practices are:

• Continuous cost optimization
• Trend usage patterns overall
• Decompose usage down to a region, availability zone, project or service team
• Make informed decisions about acquisition of reserved instances
• Make informed decisions about the allocation or reallocation of cloud resources

A #CostContainment policy describes automation goals for cost control in the #Cloud.

• Shutdown development workloads after hours
• Rightsize instances
• Require tags to assign costs
• Use specific expiration dates
• Eliminate inactive storage
• Comply with software licences
• Use instance sizes/types allowed by the organization
• Use discounts (claim them)
• Use lowest-cost cloud where feasible
• Use lowest-cost regions
• Understand data retrieval and export charges

There is a use case for a warm site if your organization can withstand a short business interruption from several days to a week. This is the time it will take to make the site fully operational, establish connectivity and transport and ingest data backups.

The warm site should have sufficient distance from the main site to have separate earthquake zones, power grids, water supplies, telephone central offices, etc. A rule of thumb is 50 miles minimum separation.

Using the Cloud

The cloud could serve as a warm site if you can meet several requirements:

• A means of transferring large volumes of backup data to the cloud
• A plan for client desktops to gain access, log on and authenticate

This is the best case for disaster recovery in the cloud, and we will explore this hybrid-cloud pattern more in other modules.

[Re-scheduled from an earlier missed deadline.]

2020-10-16 Forgive my anger but Covid is bad enough without a bunch of self-important epidemiologists and public health scientists issuing the Great Barringto Declaration calling for herd immunity.

They argue vulnerable people should be isolated for six months like medieval anchorites while everyone else is left to get sick and some to die. Eventually we will have herd immunity and Covid will burn itself out like the flu. This is the argument used by populists like Donald Trump and Rishi Sunak who say we must “learn to live” with the virus “and live without fear”,

Oh. Wait. There is no global immunity to the flu.

[Technical Note: the flu is an influenza virus and Covid-19 is a Coronavirus like SARS and MERS.]

Before I go on against this madness, Neil O’Brien, writing in the UK right-wing newspaper The Telegraph, has crunched the numbers and shown how utter imbecilic this is.

The Declaration gives no hint of how we might push food through the letterbox for these Covid anchorites, or what happens if herd immunity is not achieved in six months or people get re-infected.

The American Institute for Economic Research (AIER), where the declaration was signed, is a libertarian think-tank committed to “pure freedom” and wanting to see the “role of government … sharply confined”.

Don’t get infected yourself by fake science like this. Push back when you encounter people who believe this stuff.

Hybrid project management methods merging waterfall and agile on larger projects are becoming common, as people struggle with resistance to wholesale change.

This is not very effective.

There are two main issues:

1. The waterfall process will always be the longer pole, so projects will not take less time. Activities in a phase such as Development might be agile, but they are still working to a waterfall milestone and phase gate.

This doe not improve time to launch. Time to launch is the most important KPI because it incorporates all cost factors. (We used to use time to market for the same reason.)

Research has shown that the cost of time is greater than the cost of effort, so project methods with concurrent activities are best because they minimize time.

2. The second problem is that Agile methods don’t scale. Large projects cannot be chunked successfully across a large number of agile teams. Putting aside administrative issues, the core problem is the train wreck of managing the many code branches and merging back into the main trunk.

Note that CI/CD pipelines do not use branching.  (They can but they shouldn’t.)

Research is also finding that an over-reliance on Agile can impose a 20% non-productive burden. Critical Chain method (not critical path) can be better. Six Sigma Lean/Kanban is perhaps best.

A counter-intuitive method is shown in the attached graphic from a presentation I did last year. This was developed by Toyota. Instead of using early start date as you would in critical path method, it uses the late start date, which is more like Critical Chain method. This pushes all activities up against the project deadline, with no slack time or buffers between activities. Everything is on the critical path.

This goes against everything project managers (PM) are  taught. PMs try to keep things off the critical path.

However, Toyota puts a buffer at the end of the project; thus guaranteeing finish on schedule. In the best cases this will give an early delivery for the project. Russian defence projects are successfully delivering on Finish Before Planned.

The big advantage is that the Lean Kanban method shown in the graphic defines requirements as late as possible, so they reflect the latest needs, and the project uses the most recent technology, so it is efficient. It also reduces change orders.

It is also massively parallel (concurrent) so it reduces time to launch, thus providing faster feedback and releasing people for other projects. Because it’s parallel it uses multi-discipline project teams, which are usually more innovative and goal driven.

A lot of this has been known in continuous improvement process for decades, but it hasn’t trickled into project management. Concurrent development, for example, emerged in Japan in the 1990s. Waterfall, developed in the 1950s for the USA military, has really acculturated people to linear step-1 step-2 thinking.

At its worst, people think they can’t plan step 2 until they complete step 1. It also infects Agile developers who can’t estimate work until they have completed it.