Thursday, January 11, 2018

When companies focus too much on risk

When we think about security in the context of DevSecOps, an important mantra is that we need to move from thinking about providing absolute security to thinking about managing risk in the context of business outcomes. Move from “Just say no” to saying yes to small risks if the tradeoffs appear to be worth it.

Let me illustrate this principle (in addition to a couple of other things) with an example that’s not drawn from the IT world. 

Right before the holidays, I took a last minute quick trip to speak at and attend a couple of events being held next to the airport outside San Francisco. Loaded the bags up and off I went. As I was being dropped off at the airport, I pull out my driver’s license so I won’t be fumbling around with my wallet, get out of the car, and head into the terminal.

Somehow, in the course of 50 feet, space aliens made off with my license. Call the limo company. Driver takes a look. No luck. I still have absolutely no idea what happened. 

Now, normally, frequent traveler me has a travel folio with passport, spare credit cards, cash, and other potentially useful travel backups. But because this was just a quick trip I figured I didn’t need it.

Lesson #1: You may not think you need a backup. Until you do.

(See also. It’s just a small code change. We don’t need to re-run the test suite.)

Crap. Visions of my trip mashed up with mushroom clouds seemed appropriate. But I wandered over to the security line anyway.

Much to my surprise, my missing license turned out not to be a particularly serious problem. Yes, I had other ID although nothing government issued. I had my boarding pass on my phone. I have TSA Pre. And they gave me a thorough pat down and they inspected and detected my luggage very carefully. I was both impressed and surprised that I was able to hop on my flight.

I thought I had dodged a bullet.

Land SFO. Take shuttle bus to hotel. I won’t name the hotel. Let’s just say it’s a lower end chain I wouldn’t normally stay at but, as I said, this was a very last minute trip and with my usual chains either sold out or going for $700 a night I figured I could put up with the relative dump for a couple of nights.

They have my reservation that I made online. Give them my credit card.

“ID please.”

I tell my story. Consternation. “Umm, do you have a passport?”

Well, no. But I can show you any number of cards. Here’s my company badge with a photo. You can easily look me up online. 

Nope. It was starting to look as if I’d have to start dialing various friends in the Bay area to see if they had a spare couch I could use.

At this point, what I really wanted to say was: “Look. If I wanted to concoct some complicated scam for free hotel nights that somehow involved having 1.) an online reservation, 2.) a wallet full of cards including the credit card used to make the reservation, 3.) an official looking company ID, but 4.) no government-issued photo ID, I’m pretty sure it would be at an exotic resort and not an SFO fleabag.”

To bring us back to the original topic, sure, you can always impose more hard and fast rules but you really need to think about whether inflexibly imposing those rules is the best approach for the business. 

Lesson #2: Think about whether potential risks justify the costs of eliminating them (which you can never fully do anyway)

In the end, I was able to check in. I didn’t say what I was thinking and we reached an agreement whereby I could pay cash, including a security deposit. (Fortunately, the dollar amount was small enough that I was able to withdraw what I needed from the ATM in the lobby.) Luckily, I did have my company ID with a photo; I don’t think they’d have let me stay with no photo ID at all—my face being all over the Web notwithstanding. 

So I do give some small amount of credit to the local manager for bending, however slightly, to what I have to assume are quite rigid corporate rules.

Lesson #3: Empower employees to do the right thing as much as possible

I was also pleasantly surprised how easy and relatively inexpensive ($25) it was to replace my driver’s license on the Massachusetts DMV site. Which brings us to our last lesson.

Lesson #4: If your policies and customer experience fail to meet the standards set by both the TSA and the Massachusetts DMV, I’m pretty sure you’re doing something wrong

Podcast: Talking Kubernetes community at CloudNativeCon

Wrapping up the week at CloudNativeCon, I sat down with Google’s Paris Pittman, Heptio’s Jorge Castro, and Microsoft’s Jaice Singer DuMars to talk about their roles as Kubernetes community leads. Kubernetes has become so successful in large part because of the strength of its community. In this podcast, we talk about mentorship, getting involved, and being a welcoming community. 

Listen to the MP3 [26:56]

Listen to the OGG [26:56]


Thursday, January 04, 2018

Podcast: HashiCorp's Armon Dadgar on "secret sprawl" and Vault


HashiCorp co-founder and CTO Armon Dadgar and I recorded this podcast at CloudNativeCon in Austin. In this podcast, we talk about the problem of secrets management, the changing nature of threats, the need to be secure by default, HashiCorp's Vault project, and Vault on Red Hat’s OpenShift.

The Vault project

OpenShift blog post on Vault integration

Listen to MP3 [17:40]

Listen to OGG [17:40]

Wednesday, January 03, 2018

Podcast: Heptio's Joe Beda talks Kubernetes


Heptio's CTO, Joe Beda, made the first public commit to Kubernetes. In this podcast he talks about ark (an open source project for Kubernetes disaster recovery), what made Kubernetes take off, why companies are moving so quickly on cloud-native, and where Kubernetes is headed.

From Joe’s perspective, companies realize that they’re at an inflection point and they have a sense of urgency about how they need to move quicker than in the past. That’s one of the factors that have driven container adoption at a faster pace than, say, virtualization even though the latter was arguably less disruptive to existing processes and infrastructure.

The next phase will be making the most effective use of Kubernetes clusters once they’re in place. Integrating them with other systems. Delivering value to customers on top of them. 

  • ark, a utility for managing disaster recovery of Kubernetes clusters from Heptio, as discussed on the podcast

Listen to podcast in MP3 [12:42]

Listen to podcast in OGG [12:42]

Podcast: Kris Borchers of the JS Foundation

At CloudNativeCon in Austin, the Executive Director of the JS Foundation, Kris Borchers, sat down with me to talk about a variety of JS Foundation projects such as architect, jQuery, and JerryScript. We also discussed why JavaScript has been so successful; Kris chalks it up in part to its approachability and argues that, even if it’s not a perfect language, what language is? We also talked about the community which he describes as very energetic and always tweaking the ecosystem around the language (of which jQuery provides a great example).

Listen to the podcast [17:21] MP3

Listen to the podcast [17:21] OGG

Cloud-native data management with Kasten CEO Niraj Tolia

Kasten recently emerged from stealth and has released kanister, an extensible open-source framework for application-level data management on Kubernetes--as well as a commercial offering that builds on it. In this podcast, CEO Niraj Tolia discusses the increased need to manage storage used with Kubernetes at scale, the challenges of complex distributed apps, and the need for app-centric approaches that make infrastructure "boring" (to use my colleague Clayton Coleman's term).

Listen to podcast in MP3 format [12:19]

Listen to podcast in OGG format [12:19]

Blogging update

I realize that most people these days find posts by following social media links rather than using RSS or otherwise subscribing to blogs. But, just in case anyone has been wondering why I’ve been pretty much inactive of late on this site, here goes.

I’ve actually been writing (and podcasting, albeit in spurts) as much as ever this past year, but the bulk of that writing is increasingly spread across a variety of other channels, and that’s likely to continue to be the case. You should encounter the links if you follow me on Twitter (@ghaff). You can also go to my Bitmasons website, where you’ll find links to most of the channels I publish on. (Occasional pieces will also be on The Register this year.) I may start publishing monthly digests here. We’ll see.

Furthermore, although this has long mostly been a professional site, I’m splitting out (hopefully expanded) food, photography, and travel content to a new Wordpress site, which will hopefully kick off in the coming weeks.

Podcasts from CloudNativeCon/kubecon

Frederic Branczyk on Prometheus, metrics for cloud-native [13:14] MP3

Frederic discusses Prometheus, including the goals of the project, a focus on simplicity, the distinction between metrics and logging, what's new in 2.0, and what's coming.

Marc Holmes of Chef Software on automation in a containerized cloud-native world [11:07] MP3

Chef Software's Marc Holmes talks about the global shift from automating infrastructure to automating applications, establishing a foundation for chaos engineering, and shifting security left.

Ben Sigelman of LightStep on OpenTracing, monitoring, and the challenges of distributed systems [19:41] MP3

Ben Sigelman worked on Dapper and Monarch at Google. He's now the co-founder of LightStep. At CloudNativeCon in Austin, we took the opportunity to cover a wide range of issues including the key challenges of distributed systems, the sometimes confusing monitoring/logging/tracing/etc. landscape, how monoliths evolve to microservices, Conway's Law, OpenTracing, and more.

Talking Jaeger with Yuri Shkuro and Pavol Loffay [11:08] MP3

Jaeger is an OpenTracing-compatible open source distributed tracing system that came out of Uber. In this podcast, I sat down with Yuri Shkuro of Uber and Pavol Loffay of Red Hat to discuss the state of Jaeger, what problems it solves, where it fits with the broader cloud-native ecosystem, the Jaeger community, and where it's headed.

See also:

Cloud-native data management with Kasten CEO Niraj Tolia

Kris Borchers of the JS Foundation

Heptio's Joe Beda talks Kubernetes

HashiCorp's Armon Dadgar on "secret sprawl" and Vault