How To Save IT From Drowning In Its Own Self-Containerised World (and other stories)

Anyone out there right now could be more than excused for thinking we’re drowning in security start-ups; too many “me too” vendors trying to resolve the same perceived problems – niche or broad.

Recently I met with the affable Liz Rice of Aqua Security – reverse cue the drowning gag -) to find a relatively early stage company that actually has.a more individual focus than most – in this case securing containers and notably the Kubernetes environment. This is a smart move as Kubernetes is beginning to rule the container world (no “shipping” figures here!) – see my forthcoming follow-up report with Densify for evidence of this. The point is that the DevOps community, who love Kubernetes, are not generally immersed in security. They want speed and flexibility; security – think of any gate, door, wall – just potentially – or deliberately – gets in the way. It’s the same scenario I’ve encountered over the decades when performing network optimisation testing and how to secure that network without compromising on the performance improvements being generated – it’s not a trivial task.

Aqua’s starting point is looking at the typical approach to container security – studying logs to identify malicious activity, raising alerts and stopping the machines – i.e. only after the proverbial horse has bolted, possibly weeks or months ago. As container adoption rates surge, and – additionally – cloud-native (gotta get the “c” word in there) infrastructure evolves to include Container-as-a-Service (CaaS), the security tools need to move in the same direction. A recent report from Forrester suggests that “vendors in or adjacent to the container ecosystem are all racing to show that they have relevant solutions for enterprise customers” and that enterprises should “explore both container-native and traditional security vendor solutions – innovations are coming fast and furious from both camps.” It’ll be interesting to see who wins the race, but Aqua is certainly going round the track in the right direction!

So I applaud Aqua for its focus here. Its bottom line is that a company should get the DevOps and security teams together in the same room (real or virtual) and work together to identify the potential attack vectors and assemble a container security program that is proactive in identifying and blocking potential threats. As I said, It is a reality that more enterprises are deploying containers and other tools to help build and ship applications faster – solutions designed to be easy-to-use and to improve developer agility – not with production deployments and associated security requirements in mind. Aqua’s view is right there with my own – a solution is not to slow deployments down, it’s to automate the operations and security processes around these tools so everyone wins (and gets longer holidays).

A lot of the work I’ve been doing over the past 12-18 months has been around unifying security with the rest of IT (i.e. as it should have been from the start) and thereafter automating as much of it as possible, in order to remove the “Friday afternoon error syndrome” and this focus is going to take a massive step forward this year (but I can’t talk about it right now!) so Aqua’s approach definitely feeds in that direction – I look forward to furthering the Aqua story in the near future.

Of course, a lot of end user companies out there trying to understand what “digital transformation” actually means (hopefully not as painful as Kodak found it in their own way), let alone the bringing together of “islands of IT” and automating what can be automated, need HELP. I also recently met with Mark Cook, Group CEO of Getronics, a company wot is trying to bring IT into what is very soon the be the next decade – (argh – where has the rest of this century gone – I still remember the cheap Chinese fireworks I bought to celebrate the millennium shooting off at shin height around the garden…?).

The old cliché about businesses focusing on their core business and not turning into IT shops (if you make biscuits, make and market biscuits, not Windows 10 and endpoint security) has never rang louder and more true, as many traditional companies are struggling or going under – cue more drowning gags. While the cloud is marketed as making life easier, that’s only true if you know how to manage it, as my recent report for Densify showed – some of the costs that companies are incidentally racking up are frankly shocking. So it will be interesting to see how the likes of Getronics can help get companies up to speed on their IT – in all aspects – even as the next tech start-up emerges; oh, and there’s the next – and the next… just to make that vendor/tech decision-making process all the harder (albeit often in a good way).

It’s the same challenge for investors looking to back the right tech. One interesting diversion for Getronics is its recently established Investment Services Group. This is aimed at providing the private equity community with a combination of services – digital evaluation, transformation and management thereof, that are designed to rapidly assess, value and unlock the value of acquisitions, end to end – from initial due diligence to final exit. Given my involvement in such areas, I’m especially interested in how this pans out, so here’s yet another case of “let’s revisit” and “watch this space”.