Thursday, May 5, 2016

How Spain’s Mobile Experience leverages HPE location services to enrich the museum experience

The next BriefingsDirect Voice of the Customer discussion hones in on an organization in Madrid, Spain called Mobile Experience. We're about to learn how they precisely track the location of individuals using mobile devices inside of large organizations, like a museum, and then apply that to an enriched mobile user experience.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript or download a copy.

To learn how precise positioning in a store or resort – anywhere with WiFi – leads to fascinating new mobile business apps development and interactive user experience benefits, we're joined by Alvaro Garcia-Hoz, Founder and General Manager of Mobile Experience in Madrid. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Tell us about Mobile Experience and how you have been able to work with a Wi-Fi provider like HPE Aruba to provide this really unique and interesting location experience within a large building or campus.

Garcia-Hoz: We started working for museums and we saw that there were a lot of mobile applications for museums -- but none of them were really helping the visitors during their visits. So, we decided to make an application for museumgoers, so visitors would have a much better experience.

We designed this application without thinking about all the technology available at the moment. When we made the design, we discovered that one feature that we needed was an indoor-location system. So, we did deep research to try and find a way to have this location capability work properly … and we found two suppliers.

The first one had a Wi-Fi location system, and two years ago, when we started working with them, we implemented their Wi-Fi indoor-location system in the museum and it was working, but it was not working the way we were expecting. The user experience was not good enough. But then, we found HPE Aruba Beacons. They sent us a packet of beacons, and we deployed them in the museum.

We quickly discovered that the system was working really, really well, with very good accuracy. We made the deployment in less than a couple of days across the whole museum -- that is about 150 beacons. It really works, and the user experience changed totally.

Then, we called HPE Aruba and we said, “Okay guys, come to the museum to see how this is working because you're going to really be amazed.” And when they came to the museum they said, “Wow.”

After the 18 months that we had been working together, we decided to make a presentation for the media and other partners. From that moment on, we began receiving requests for proposals for other industries like retail, hospitality, and healthcare. There are hundreds of applications.
Gardner: How were the museums able to enhance the experience of their visitors through the technology?

Three points

Garcia-Hoz: For me there are three very basic points. The first one is that they can prepare guided tours for those visitors, depending on their specific needs. Normally, when people visit a museum, after a couple of hours, they're done and they leave the museum without knowing if they've viewed all of the exhibits. They don’t know if they missed any pieces of art or pieces of information that are important and relevant to them.

What we give the museum is the ability to prepare those guided tours depending on the amount of time a visitor wants to spend at the museum. So if you go, for instance, to the British Museum, given that we are in London, and you decide to spend two hours, the application will show you the works that the museum thinks that you cannot miss if you want to be there for two hours.

The application will guide you through the museum like an indoor GPS, while you're walking within the museum, and they will guide you through the 20 works you have to see in that museum, and then give you all the information for those exhibits.
The second point is that it's different information for different types of visitors. For example, since we come from Madrid, when you are visiting the Real Madrid Museum, it’s different if you are 60 years old or if you are 20 years old, because the information you want to see is very different. With this application, we give the museum the opportunity to deliver highly personalized information.

Gardner: Personalization is so important now that everyone is carrying a smartphone. It really changes how you can have an experience within a shopping mall, for example. Or, if you want to start providing commerce based on demographic information, you could have something on sale for one person but maybe not for another, because it wouldn't be appropriate for them. In healthcare, if you're in a hospital, a large campus, it’s very easy to get lost. There are lots of different ways that this can be used.

What are the next steps? Where do you, Aruba, and HPE go in order to create a developer following for more applications and more ability to take advantage of this very precise location capability within almost any building?

Garcia-Hoz: Aruba and HPE are helping us a lot and they're spreading the word. This technology is so new, and we're visiting very important customers. But when we start talking to them, and we are talking about Aruba Beacons, and how they can get all this information from users, we're exploring what can be done and what can’t be done.

Gardner: Where can you go to get more information on this technology?

More information

Garcia-Hoz: You can go to my website, mobileXperience.es. There, we have a lot of information about different features that can be delivered for mobile users.

Gardner: And how about developers? Are they able to use the Aruba SDK or APIs? How would the developers start to take advantage of this as a service?

Garcia-Hoz: There are two different ways of doing this. They can go directly to the Aruba SDK to have that for them and build on that, and also they can come to us -- if you already have your venue up you can use your API so you can get all these features together.

Sponsor: Hewlett Packard Enterprise.


Monday, May 2, 2016

Business unusual: How the Dell-EMC merger sends shockwaves across the global storage market

The next BriefingsDirect IT market analysis discussion explores customer impacts to the global storage market now that the $67 billion Dell-EMC merger deal appears imminent. The proposed merger, which also includes EMC’s majority control of VMware, has been controversial from the start.

A massive and complex financing apparatus, largely built on private equity debt, undergirds the deal, with privately held Dell taking over the publicly traded EMC and VMware federation. This largest IT vendor deal ever is expected to close sometime between now and October 2016.

While EMC CEO and Chairman Joe Tucci has assured the storage and IT infrastructure market that the mega deal means business as usual, many observers, including analysts from Gartner, take a different view.

We're now joined by two storage industry experts to explore how consumers of storage infrastructure can best prepare for the expected storage shockwaves from the Dell takeover of EMC and VMware.


To help us sort through the unknown unknowns of such an unprecedented business merger in IT, please welcome Jorge Maestre, Competitive Strategist, Global Storage at Hewlett Packard Enterprise (HPE), and Craig Rice, Business Architect at Integris Solutions Group. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Even before this Dell acquisition of EMC was announced back in October, the storage market has been undergoing significant transformation. What have been the trends impacting the global storage business, and why did they prompt such an unprecedented merger in the first place?

Maestre: That’s a good question. Obviously, we start with flash storage. With flash as a focal point of primary storage in the data center, the technologies have evolved. Well, in the case of flash, we're not talking about an evolution; we're actually talking about a revolution. It has completely trumped what you have with spinning-disk media storage.

You saw a lot of different opportunities for a lot of different vendors to jump in here and be the first with flash. EMC didn’t have a head start technically. That hurts, when you have vendors like Pure Storage, or ourselves at HPE obviously, or some of these other names like SolidFire and Kaminario.

And as companies are consolidating their primary storage into these flash footprints, which can be hyper-dense now, what we found is that other [infrastructure] technologies have emerged. These technologies and these trends have been here for a while, but now … they are very complementary to primary storage. You now have use cases in your data center where you can take advantage of things like hyper-converged or software-defined, or even just reinvest in file.

Now, you're looking at a data center that needs to have a completed picture. For all of EMC’s bravado, for all of their product set, for all of their ability to sell, the completed picture from them isn’t something that necessarily has always looked pretty.

We saw the result, which is the constant revenue decline. I think they're in consecutive quarters of revenue decline, and in some cases, they've taken a pretty bad hit. They've lost the midrange. The number-one product in the midrange is the HPE 3PAR. They lost that segment, and that was their staple.

They've seen VMAX revenue decline by almost 50 percent or more in the last few years, and so it has painted this picture of this huge conglomerate, monolithic company, maybe losing its way. The merger was at the right time.

Rice: I think flash is a contributing component here, but the catalyst that’s causing the greatest amount of disruption is shareholder value. Let’s take a look at what’s transpired over the past year.

We have an activist investor [Elliott Management] that’s been bullying EMC for quite some time to divest themselves from VMware. VMware is a catalyst that adds value to their storage array. We look at other organizations such as NetApp and how they had to acquire SolidFire.

We have companies such as Pure, an upstart that’s done maybe $200 million in sales and an innovating leader.

When you look at this, the whole challenge, the true disruption in storage, in the IT market then stems from shareholder value. What uniqueness do any of these mergers and acquisitions bring to the end-user customer? How does a technology change, or an innovation of flash, drive value not to IT, but to the lines of business? That’s what we've been seeing here at Integris.

Business motivations

Gardner: So clearly, there are business motivations from EMC and Dell that might not necessarily be the same motivations that their customers are facing.

EMC Chairman Joe Tucci tells everyone it’s business as usual, don’t be worried, but we saw in a recent research report from Gartner: Dell's Acquisition of EMC Will Impact Storage Customers, 10 March 2016, that this will impact customers of both vendors, no question. They suggested it could take two or four years for the storage market to settle out and for more clarity to come to that.
So, what are some of the biggest risks, as you see it, Jorge, for storage customers, with this deal in the works?

Maestre: We have to take a look at what EMC is telling people and what other people who are doing investigations on their own are finding, and we're seeing that those contradict one another. ... EMC’s business customers, their business partners, might be in a state of confusion, but I think storage is pretty solid in general.

There have been CRN articles, there have been Register articles that talk about what EMC is telling everyone, "This is going to be great. This is going to go well. The two companies combine. They're going to be $80 billion. We're $80 billion with a revenue, blah, blah, blah, blah." The reality is that’s not going to be the case. Both companies are seeing revenues continue to decline.

As they merge, probably there's not going to be any overlap. Just take a look at the storage portfolio. You're not going to see a lot of overlap there. EMC is going to announce a new product [in May 2016] that everyone is expecting to jump into that entry-level space. So, they're probably going to even create a displacement for Dell Compellent.

And, of course, Dell is telling people, "No matter what happens, we'll still support Compellent for five years." That’s pretty much saying, "This product is dead." Most people agree that that’s going to happen.

From a product set perspective you're not going to see too much craziness. You're going to have the same EMC salespeople selling the same stuff. They're going to be selling servers too now, which could be a good thing or a bad thing, depending on where you come from.

But what we're not seeing, and what we're not going to see, is any type of growth. There is no way there's going to be any growth. They're talking about cutting $2 billion worth of expenses just to pay for this $67 billion deal. That’s a huge number. Cutting your expenses that much in order to show an increase in revenue, assuming you don’t lose any customers, or lose any executives, as this merger becomes complete, is just a huge risk.

Not going to happen

It’s not even a risk; it’s an uncertainty. There's no way it’s going to happen. I think there is a CRN article that talks about this. In order for them to actually show revenue growth, they have to see a seven percent improvement on top of the $74 billion that would combine the two companies together. That’s where they would be today.

That’s crazy -- seven percent on top of that and from two companies whose revenues continue to decline? How is this merger all of a sudden going to stop the revenue decline, turn it around, and bring it up seven percent? We could talk about financials all day, but you have to have a compelling product set for that. They don’t have it. I just don’t see it.

Rice: I'd like to emphasize one thing that Jorge said. I have some unique insight. We are a partner that used to be exclusively EMC. We've seen the writing on the wall. We've been working with HPE and transitioning over. We have a lot of good friends that have worked at EMC for 10, 12, 15 years, and in that highly competitive sales force environment of EMC, that’s a lifetime. These key leadership positions from district managers, area managers, and engineers are leaving the company in droves.
Why are they leaving if this is such a good deal and things are going forward? I have customers asking, "What happened to Bob Smith? He has been our rep or our district manager for 10, 12 years, why did he leave and go there?" I think that just puts credence on Jorge.

Gardner: We certainly have very big and different cultures here, where EMC has always been focused on enterprise, large companies, with an aggressive sales force, a very involved sales force. Dell, on the other hand, focused more on the mid-tier, and largely a self-service culture, where people are encouraged to buy things at a commodity level.

So what does that mean for enterprises? Are they going to see the Dell culture come to the EMC market or will the EMC market go to the Dell tier? How do you see these cultures melding, particularly in sales, that inflection point between the customer and the vendor? Jorge?

Maestre: Here’s the thing. This gets a little frustrating because we're dealing with the greatest sales spin marketing company of all time. EMC is the Michael Jordan of sales spin, marketing, and everything else. Maybe not so much in product delivery and all that other stuff, but the reality is that these guys know how to talk the game.

It’s like everyone went to the Don King school of selling. They can just promote, promote, promote all day. They do a good job of being Don King-like, every single one of them. For those who don’t remember, Don King was a huge boxing promoter in the ‘80s; Google him.

So, they are all that and they are good at that. For me, it’s very frustrating, because there is nothing there. We take a look at the revenues, the product sets, and there's just nothing here. You're looking at two completely different product sets. There's nothing compelling about it.

Now take that a step further. Why are people so interested in this? Why is everyone in love with this merger? The reality is because people love EMC. It’s the badge, it’s the sales badge, it’s the resources, and it’s the fact that they make you feel good. They come to your house. They make you hot cocoa. They tuck you in at night. That’s what they do. That’s how you sell. They're great at it. Nobody does it better than them. They literally set a bar of selling that no other vendor has even attempted to approach. You have to tip your hat.

Gardner: How will that change, Jorge?

It takes resources

Maestre: Well, that’s just it. It takes resources. You have to invest in that. You have to put a lot of money behind that. You have to create a huge support infrastructure. Take a look at how each company invests in their R and D, just to put it in perspective. Dell’s numbers, public numbers are somewhere in the area of 10 percent. EMC’s numbers are somewhere in the area of 25 percent; it might be a little bit more than that.

Think about their resources. EMC is a resource-heavy company. Dell is a very lean company. They're very much an assembly-line company. Let’s push it out here, and we'll make our revenue through volume, and don’t worry about the margins. That’s what they've shown. It’s almost contradictory cultures, contradictory selling styles, and now you have to put them together.

There's an ESG report that targets EMC customers and asks how they feel about this? Seventy five percent of the people who responded to that said, "We're fine; nothing is going to change." That’s crazy.

[The report] is actually telling you that 25 percent of those people are concerned. Twenty five percent is a big number for people who are EMC loyals. That’s a huge number, and we have to consider that.

At the end of the day, when this is all completed, those 25 percent are right to be nervous about this. There's no way Dell just raised $45 billion. It’s not like they went to the bank and asked for a $45 billion mortgage. They actually raised $45 billion in private equity.

That means they don’t even get to say how the money gets spent. I'm sure they had to show game plans and show how things are going to work to get the money. So, of course they had a plan. And of course the private equity investors were no problem. They bought into the plan when they gave the money, but they still have to have return on that.

And that means you're not going to be resource-heavy the way EMC is today. You're not going to invest in your business the way EMC does today. You have no choice; you have to recoup it. So if we see the data, it’s already there. Dell has told people they have to cut expenses by $2 billion a year. How can you be resource-rich, resource-heavy, the way EMC is today and cut $2 billion in expenses? You just can’t. You can’t have it both ways. It’s one or the other; there's no way around this. There are a lot of EMC customers out there who are due for a major wake-up call.

Gardner: Craig, Jorge said the halcyon days of EMC sales is coming to an end, that they won’t be spending the money to have that sales force. Is that what you're seeing, and what’s wrong with going to the Dell model of a straightforward information-based, order-it-online approach to storage?

Assembly-line model

Rice: We're seeing that. Like I mentioned earlier, Dana, there are a lot of people who have been long-term tenured, the soul of EMC, and they're leaving the organization. There's nothing wrong with going to the streamlined assembly-line model. I hope they do it and I hope they do it successfully, because what that means for a partner like myself that's focusing on HPE is that they're taking value out of the equation.

Their buyers are going to come to Dell-EMC and they're going to buy solely on price. Going to Jorge’s point, in raising $45 billion in private equity, you have to do an awful lot of volume to pay back those types of people.

When you start to add value and you understand the customers’ business like we do and other HPE partners do, because of the portfolio which HPE has, it’s going to become a very clear night-and-day difference of who is going to be able to provide a business the ability and technology in the partnership to grow from 10 percent of their market share to 20 percent to 30 percent. I don’t know many businesses that just want the low price and don’t want value and don’t want a partner to help them grow their business. The Dell-EMC model is not that.

Gardner: It seems that Dell is taking a risk by not having a more sophisticated approach to sales if that’s what they need to do.

Rice: Oh, 100 percent. They're not just taking a risk. They're betting the whole company. They're putting everything in on black. That would be concerning to me if I were a customer looking at that. They're going to be so debt heavy, so focused on storage without innovation on compute. Storage is just not alone; you have all these applications, all these business processes that need to rely on compute.

What type of innovation are they going to do? Let’s make that even a little bit cloudier. You're not going to do any innovation, but yet you sell a lot of servers because you're a volume-based business, but yet I have a partnership with a competitor. So I have competition with Cisco that's also self-compute.

Now, how can the two of you offer something you need, how can they bring out a product like Apollo or Moonshot? You need to do more than just innovate on storage; you need to innovate across whole IT spectrum.

I don’t see them doing that because they're going to be so debt-heavy, so laden, that they have to trim all these costs and expenses, and by the way, they have to do an awful lot of volume. If you're doing volume, you can make the best little widget, whatever that widget is, but how do you bring out that next product line, how do you impact the market, how do you change the industry, how do you bring out something like what HPE is doing with composable infrastructure? Where is that innovation in the Dell model?

Gardner: Clearly, this is not business as usual in the new sales force. So how can organizations that might be heavily EMC-orientated, or for smaller-sized organizations that are using a lot of Dell, protect themselves? They can hope for the best, they can hope that things don’t change for them, but what assurance can you put in place so that no matter what happens with Dell and EMC, you can, as an enterprise, still continue to do your business as usual?

Stay or move

Maestre: That’s a good question. For the Dell customers, the product set is easy to stay in or move to something else. If you choose to stay with the new Dell-EMC, there are a million ways to graduate from Dell into EMC’s portfolio, and of course, there are a million ways to get off of Dell’s portfolio easily altogether. So those customers are relatively safe. I think it’s relatively low risk.

The challenge … is not going to be technical, but it’s certainly going to be relationship-wise, and I don’t mean to disparage Dell. If it comes across disparaging, let me apologize up front for it, but Dell isn’t necessarily known for being a relationship company. You may have business processes in place, you may have contracts in place, things you get at a certain dollar-per-gig or at a certain price point. There is some risk to that, but that happens in business every day anyway. So, very little risk.

Let’s flip it over to the harder question, which are EMC shops. Forget that I work for HPE or anybody else. EMC products may work, but there's no question that it takes a lot longer to get those things set up and in place than other vendors’ products.

So, you’ve now not just made a financial investment but you have a significant time investment, a significant training investment. That’s a lot trickier. If you're not happy with this new combined Dell-EMC entity, if you're not happy with the direction, if you're not happy with the products that you are going to get going forward, you have a long road ahead of you. You're going to have to talk to some vendors and you're going to have to figure out how to migrate off. You have to figure out what your direction is. I would give those customers the same advice I give any customer.
What’s your plan? What does your world look like in three years, in two years, in one year, whatever it is? Tell me what Utopia looks like, give me that, and then we'll figure out how to make the technology fit that. I don’t think those customers should be making concessions for the technology or the technology vendor or the technology vendor story. They should be making those vendors either deliver, or move on to a vendor who can. Those are the conversations they have to start having.

In a way, this is an opportunity. EMC customers who invested in a lot of infrastructure can now look around and say, "Maybe this is an opportunity for me to shrink my infrastructure, to take advantage of the fact that it’s a buyer’s market in storage, take advantage of flash, take advantage of all these different things, and see what I can do to restart my infrastructure and get me closer to what my dream vision of my data center would look like."

It could be a long and winding road. You may want partner companies. Partners are critical. The one thing that everyone has in common is Dell. HPE, IBM, no matter who you're talking to, they're all talking about partners and how important partners are. This is the best time in the world to lean on those partners and say, "Guys, help me navigate through this."

The challenge is finding an impartial or unbiased partner. Everybody works with one specific vendor, and in that way, they're just an expansion of the vendor, but there are a lot of good ones out there. This is the best time to lean on those guys if for nothing else, then just to get their consultative advice.

Gardner: What's the time frame here, Jorge? It seems to me that we're at a point where business agility means getting new systems in place to accommodate things like user experience, big data, and Internet of Things (IoT). These are driving change very rapidly. Waiting two or three years seems to me a very long time for making strategic decisions.

Maestre: Let’s put that in perspective. The only concept in this industry is change. Things are always going to get better. Social media has created an endless stream of data that’s going to be written all the time. IoT exacerbates that. Change is always going to be here.

Every vendor is always going to be changing in some way, shape, or form, always going to be evolving. They have to. Otherwise, they're going to be left behind. Craig brought up a good point earlier about NetApp and what happened at NetApp. Now, they are buying SolidFire, and that’s like their fifth or sixth different attempt at getting into the flash market.

So, you're certainly looking at a world where you can't be just constant. Either you stay in front of it or you're going to get left behind. The issue for EMC customers for the next two or three years is not so much the roadmap, the combined product set. Everybody agrees that there is very little overlap. No one wants to disrespect Dell here, but the reality is that there is very little in the storage world that Dell has that isn’t going to be replaced by EMC, and EMC doesn’t sell servers.

Real questions

Sure, there are some questions around VCE and Vblock, but is that going to be their investment? Why would you continue to partner with Cisco Unified Computing System (UCS) when you have servers already? Those are real questions, and that’s probably one of the points that Craig made so well before.

But the reality is that that’s not where you are going to feel the pain in the next two or three years. Where you're going to feel the pain over the next two or three years is in that thing that made EMC special, the fact that they make you feel good about your purchase and the fact that they support you, and they deliver what they say.

Your EMC service is based on the people who are going to leave, the point that Craig made earlier, but not just the people who are going to leave, but what process is going to survive. You have to be a blind fool to go into this thinking that nothing is going to change; that’s ridiculous. Of course, something is going to change. Even if everything worked out in the way that Joe Tucci said it would, there would still be a lot of change, there would still have to be some concessions. So there is no question about that things are going to change.

So the one thing that made EMC great, in making all of those steps to give you what they promised, feels painless and makes you feel good. All of that is where you're going to feel the pain for the next two or three years. Craig nailed it. It's going to take about two or three years for them to sort all that out. That's where the problem lies and that's where this is going to impact customers. That's why now is a good time to maybe start thinking about going elsewhere or looking in another direction.

Gardner: How do you as a storage consumer get assurance of reducing your risk, given this complex deal?

Rice: The best thing is to make competition a key component. I've read a couple of reviews from a couple of well-known organizations that say get it in writing. I worked at EMC for a while, I worked at HPE for a while over the past decade. Prior to this change, a lot of salespeople would always do that get-it-in-writing thing. "Mr. Customer, I guarantee this." When they leave, what good is that guarantee? They're a publicly traded company. You can't commit that in writing. Will Dell and EMC do that going forward? I don't know.
The best way to keep them honest is to find a partner, such as Integris -- there are many other good partners as well. Evaluate some competing technologies. Competition will always keep each other honest. That’s the simplest, most efficient, and least impactful way that a prospective customer can determine it. Do I want to go with Dell-EMC? Do I want to go with HPE? Do I want to go with anyone else? Bring competition in with a partner so they can equally evaluate what they had to offer.

Reducing risk

Maestre: Find partners you can work with that are good. Integris is a good one, and there are others, but find partners who are out there who can take care of you and have your best interests at heart, whose interests aren’t aligned with another vendor’s interests.

It’s great that they resell a vendor’s product, but the best partners have expertise across multiple vendors, and that’s what you want to look for. That’s important.

The other thing is to have a plan, make a plan. One thing I know about HPE in terms of the enterprise is that we absolutely make the best product. I don’t have to give you a commercial to buy my stuff. I know that we have the best product, and you'll wind up here eventually.

Consider your perfect data center, think it through, write it down, and then start talking to people, and the people who can fit your vision, those are the guys you want to talk to. Don’t worry about what somebody else is saying, what somebody else is marketing, what somebody else is highlighting. The people who ask you to make concessions to fit their product set are probably the guys you want to walk away from. That’s the best way to reduce risk -- just essentially invest in yourself.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript or download a copy. Sponsor: Hewlett Packard Enterprise.


Friday, April 29, 2016

Capgemini and HPE team up to foster needed behavioral change that bolsters cyber security across application lifecycles

The next BriefingsDirect discussion explores improving cyber security in applications across their entire lifecycles. Such trends as the Internet of Things (IoT), hybrid cloud services, mobile-first, and DevOps are increasing the demands and complexity of the overall development process.

Key factors to improving both development speed and security despite these new challenges include new levels of collaboration and communication across formerly disparate teams -- from those who design, to coders, to testers, and on to continuous monitoring throughout operations. The result is security being integrated into software design, even as the pressure builds to bring more apps to market faster.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript or download a copy.

We're here now with two experts from a Capgemini and Hewlett Packard Enterprise (HPE) Alliance to learn how to create the culture, process, and technologies needed to make and keep today's applications as secure as possible.

Please join me now in welcoming our guests, Gopal Padinjaruveetil, Global Cyber Security Strategist for Capgemini, and Mark Painter, Security Evangelist at Hewlett Packard Enterprise. The discussion is moderated by me, Dana Gardner, Principal Analyst at Interarbor Solutions.

Here are some excerpts:

Gardner: Let’s start with you, Gopal. What do you see as some of the top trends that are driving the need for improved security for applications? It seems like we're in the age of "continuous everything" across the entire spectrum of applications.

Padinjaruveetil: Let me talk about a few trends with some data and focus on why application security is going to become more and more important as we move forward.

There's a report saying that there will be 50 billion connected devices by 2020. There was also a Cisco report that said that 92 percent of the devices today, connected devices, are vulnerable. There was an HPE study that came out last year that said that 80 percent of the attacks are now happening at the application layer.

If you put together these three diverse data points coming from three different people, we see that there will be 37 billion devices in 2020 that are deemed to be vulnerable. That’s very interesting, 37 billion devices vulnerable in 2020. We need to change the way that we develop software.

Key trend

The other key trend that we're seeing is that agility is becoming a prime driver in application development, where the business would like to have functionality as early as possible. So the whole agile development methodology driving agility is becoming key, and that's posing some unique problems.

The other thing that we're seeing from a trend perspective is that apps and data are moving out of the enterprise landscape. So the concept of mobile-first, free the data, free the app, and the cloud movement are major trends that affect application security and how applications are being developed and delivered.

The other trend is regulators. In many critical industries, regulations are becoming very strict with cyber crime and advanced actors. We're seeing nation states, advanced actors, coming into the game and we're seeing advanced persistent threats becoming a reality. So that’s driving another dimension to the whole application security.

Last, but not least, is that we see a big shortage of cyber security talent in the market. Those are the trends that drive the need for a different look at application security from a lifecycle approach.

Gardner: Mark, anything to offer in terms of trends that you are seeing from HPE, perhaps getting more involved with security earlier in the process?

Painter: Gopal gave a very good and very thorough answer and he was dead-on. As he said, 80 percent of attacks are aimed at the application layer. So it actually makes sense to try to prevent those vulnerabilities.

We propose that people implement application security during the development cycle, precisely because that’s where you get the most bang for your buck. You need to do things across the entire lifecycle, and that includes even production, but if you can shift to the left, stop them as early as possible, then you save so much money in the long run in case you are attacked.

We do a study in conjunction with the Ponemon Institute every year, and since 2010, every year, it shows that attacks increase in frequency, they're harder to find, and they're also increasingly costlier to remediate. So it’s the right way to do it. You have to bake security in. You just can’t simply brush it on.

Gardner: And with the heightened importance of user experience and the need for moving business agility through more rapid iterations of software, is it intuitive to conclude that more rapid development makes it more challenging for security, or is there something about doing rapid iterations and doing security that somehow can go hand in hand, a continuous approach? Gopal, any thoughts?

Rapid development

Padinjaruveetil: There's a need for rapid applications, because we're seeing a lot of innovations coming, and we welcome that. But the challenge is, how do you do security in a rapid world?

There is no room for error. One of the things from a trend perspective is IoT. One of the things I tell my clients is that if you look at traditional IT, we're operating in a virtual world, purely a virtual world. But when you talk about things like operation technology (OT), we're talking about physical things, physical objects that we're using in everyday life, like a car, your temperature monitors, or your heartbeat monitors. These are physical things.

When the physical world and the virtual world come together with IoT, that could have a very big impact on the physical layer or the physical objects that we use. For example, the safety of individuals, of community, of regions, of even countries can now be put in danger, and I think that is the key thing. Yes, we need to develop applications rapidly, but we need to develop them in a very secure way.

Gardner: So the more physical things that are connected, the more opportunity there is to go through that connection and somehow do bad things, nefarious activities. So in a sense, the vulnerability increases with the connectivity.

Padinjaruveetil: Absolutely. And that’s the fear, unless we change ways of developing software. There has to be a mindset change in how we develop, deploy, and deliver software in the new world.

Gardner: I suppose another element to this isn't just that bad things can happen, but that the data can be accessed. If we have more data at the edge, if we move computing resources out to the edge where the data is, if we have data centers more frequently in remote locations, this all means that data privacy and data access is also key.

How much of the data security is part of the overall application security equation, Gopal?

Padinjaruveetil: One of the things I ask is to define an application, because we have different kinds of applications. You have web services and APIs. Even though those are headless, we would consider that those are applications, and applications without data have no meaning.

The application and the data are very closely tied to each other, and what's the value? There's no real advantage for a hacker just to have an application. They're coming after the data. The private data, sensitive data, or critical data about a client or a customer is what they're coming at.

You bring up a very good point that security and privacy are the key drivers when we are talking about applications. That is what people are trying to get at, whether it's intellectual property (IP) or whether it’s sensitive data, credit card data, or your health data. The application and the data are tied at the hip, and it’s important that we look at both as a single entity, rather than just looking at the application as a siloed concept.

Solving problems

Gardner: Let’s look a little bit at how we go about helping organizations approach these problems and solve them. What is it that HPE and Capgemini have done in teaming up to solve these problems? Maybe you could provide, Gopal, a brief history of how the app security alliance with these two organizations has come about?

Padinjaruveetil: Capgemini is a services company, and HPE has great security products that they bring to the market. So, very early on, we realized that there's a very good opportunity for us to partner, because we provide services and HPE provides great security products.

One of the key things, as we move into agility or into application development, is that many of the applications have millions of lines of code. These are huge applications, and it's difficult to do a manual assessment. So, automation in an agile world and in an application world becomes important. That's a key thing that HPE is enabling, automation of security through their security products and application space. We bring the services that sit on top of the products.

When I go and talk to my clients about the HPE and Capgemini partnership, I tell them that HPE is bringing a very tasty cake, and we're bringing a beautiful icing on top of the cake. Together, we have something really compelling for the user.

Gardner: Let’s go to Mark. In describing that cake, I would imagine there are many layers. Maybe you could describe it for some of our listeners and readers who might not be that familiar with what those layers are. What are the major components of the transformation area around security that HPE is focused on?

Painter: At a high-level, what we're trying to do is expand the application security scope, and that basically includes three big buckets. Those are secure development, security testing, and then continuous monitoring and protection.

During the development phase, you need to build security in while the developers are coding, and for that specifically, we use a tool called DevInspect. It will actually show secure coding to a developer as he is typing his own code. That gets you much, much farther ahead of the game.

As far as security testing, there are two main forms. There is static, which is code analysis, not only for your own code, but open-source components and other things. In this day and age, you really are taking security into your own hands if you trust open-source components without testing them thoroughly. So, static gives you one perspective on application security.

Then there is also dynamic scanning, where you don’t have access to the code, and you actually attack the application just as the hacker would, so you get those dynamic results.

We have a platform that combines and correlates those results. So, you get to reduce false positives and you can trust the accuracy of your results to a much greater detail.

Sustained frequency

We also provide services, but the whole thing is that you have to do this with sustained frequency. Maybe 10 years ago, there was a stage-gate approach, in which you tested at the end of the development cycle and released it. Well, that’s simply not good enough; you have to do this on a repeatable basis.

Some people would probably consider that the developmental lifecycle ends once the product is out there in the wild, but if anything, my experience in the security industry has taught me that software plus time equals vulnerability. You can’t stop your security efforts just because something has been released. You need that continuous monitoring and protection.

This is a new thing in application security, at least if you call something that’s almost a few years old "new." With something called App Defender, you can actually put an agent on the application server and it will block attacks in real time, which is a really good thing, because it’s not always convenient to patch your software.

At HPE, we offer a combination of products that you can use yourself and we also offer hybrid solutions, because there's no such thing as one-size-fits-all in any environment.

We also offer expertise. Gopal was talking earlier about the lack of qualified candidates, and Forbes has predicted that, by 2019, a full quarter of cyber security jobs are going to be unfilled. Organizations need to be able to rely on technology, but they also need to be able to find experts and expertise when they need it. We do a lot at HPE; I will leave it at that.

Gardner: Gopal, how do these products, these layers in the cake, help with the shifting-left concept, where we move more concern about vulnerability and security deeper into the design, earlier into the coding and development process? Where do the products help with shifting left?

Padinjaruveetil: That’s a great question if you decompose or if you analyze application security as a cake. Security vulnerabilities in applications come from three specific areas. One is what I call design flaws, where the application itself is designed in a flawed manner that opens up vulnerabilities. So a bad design, in itself, causes security vulnerabilities.

The second thing is the coding flaws. Take an Apple iPhone or something like that. If you look at the design of an iPhone and the actual end product, there will be a very close match. A lot of problems we have in the software industry are because there is a high level of mismatch between the design and the actual product itself as coded.

Software is coded by the developers, and if the developers aren't adding good code, there's a high possibility that that vulnerability is introduced because of poor coding.

Configuration parameters

The third thing is that the application isn't running in a vacuum. It's running on app servers and database servers and it’s going through multiple layers. There are a lot of configuration parameters, and if these configuration parameters are not set, then it leads to open vulnerability.

From a product perspective, HPE has great products that detect coding flaws. Mark talked about DevInspect. It's a great tool from a dynamics perspective, or hacking. There are great tools to look at all these three layers from a design flaw, from a configuration flaw, and a coding flaw.

As a security expert, I see that there is a great scope for tooling in the design flaw, because right now, we're talking about threat modeling and risk determination. To detect a design flaw requires a high level of human intelligence. I'm sure that in the future, there will be products that can detect design flaws, but when it comes to coding flaws, these tools can detect a coding flaw at 99 percent accuracy. So, we've seen a very good maturity in the application security areas with these products, with the different products that Mark mentioned.

Gardner: Another part of the process for development isn’t just coding, but pulling together components that have already been coded: services, SDKs, APIs, vast libraries, often in an open-source environment. Is there a way for the alliance between Capgemini and HPE to give some assurance as to what libraries or code have already been vetted, that may have already been put through the proper paces? How does the open-source environment provide a challenge, or maybe even a benefit, when done properly, to allow a reuse of code and this idea of componentized nature of development?

Padinjaruveetil: That’s a great point, because most of the modern applications are not valid applications. They talk with other applications. They get data from other applications, data through Web service interface, a REST API, and open source.

For example, if you want to do login, there are open-source login frameworks available. If there are things that are available, we'd like to use them, but just like custom code, open source is also vulnerable. There are vulnerabilities in open source.

Vulnerability can come from multiple things in an application. It can be caused by an API. It can be caused by an integration point, like a Web service or any other integration point. It can be caused by the device itself, when you're talking about mobile and all those things. Understanding that is a very critical aspect when we're talking about application security.

Gardner: Mark, anything to offer on this topic of open source and/or vetting code that’s available for developers to then use in their applications?

Painter: Well, it’s not an application, but it’s a good example. The Shellshock vulnerability was due to something wrong with the code of an open-source component, and that’s still impacting servers around the world. You can’t trust anybody else’s code.

There are so many different flavors of open-source components. Red Hat obviously is going to be a little better than your mom-and-pop development team, but it has to be an integrated part of your process for certain.

Cyber risk report

There is something Gopal was saying. We do a cyber risk report every year at HPE, and one of the things we do is test thousands and thousands of applications. In last year’s results, the biggest application flaws we found were basically configuration flaws. You could get to different directories than you should be able to.

Application security is not easy. If application security were easy, then we still wouldn’t be having cross-site scripting vulnerabilities that have been around almost as long as the web itself. There are a lot of different components in place. It’s a complex problem.

Gardner: So it’s important to go to partners and tried and true processes to make sure you don’t fall down into some of these holes. Let’s move on to another area, which is also quite important and difficult and challenging. That is the cultural shift, behavioral changes that are forced when a shift left happens, when you're asking people in a traditional design environment to think about security, operations, configuration management, and business-service management.

Gopal, what are some of the challenges to promulgating cultural and behavioral changes that are needed in order to make a continuous application security culture possible?

Padinjaruveetil: That’s a key aspect, because most of the application development is happening in a distributed team, and things are being assembled. So there are different teams building different things, and you're putting together the final application product and deploying it.

Many companies have now started talking about security policies and security standards, whether it’s Java development standards or .NET development. So, there are very good industry standards coming out, but the challenge is that having a policy or standard alone is not sufficient.

What I tell my clients is that any compliance without enforcement is ineffective. The example that I give is that we have traffic laws in India. If you've been to India and you look at the traffic situation there, it’s chaotic. Here, you see radar detection and automated detection of speed and things like that. So enforcement is a key area even in software development. It’s not enough to just have standards; you need to have enforcement.

The second thing I talk about is that compliance without consequence will not bring the right behavior. For example, if you get caught by a cop and he says, "Don’t do this again; I'll let you go," you're not going to change your behavior. If there's a consequence, many times that makes people change behaviors.

We need to have some kind of a discipline and compliance brought into the application development space. One of the things that I did for a major client was what I call zero tolerance. If you develop an application and if we did find a vulnerability in the application, we won't allow you to deploy it. We have zero tolerance on putting up unsecured code when we use one of these great products that HPE has.

Once we find an issue with a critical or a high issue that’s been reported, we won't let you deploy. Over a period of time, this caused a real behavioral change, because when you stop production, it has impact. It gets noticed at a very high level. People start questioning why this deployment didn't go.

Huge change

Slowly, over a period of time, because of this compliance and because of the enforcement with consequences, we saw a huge change in behavior in the entire team, right from project managers to business analysts: the business analysts making sure that they are getting the security non-functional requirement correct, the project managers making sure that the project teams are addressing it, the architect making sure the applications are designed correctly, and the testers making sure that the testing is correct. When it goes into an independent audit or something like that, the application comes out clean.

It’s not enough if you just have standards; you need to have some kind of enforcement with that.

Gardner: Mark, in order to have that sort of enforcement you need to have visibility and measurement. It seems to me that there's a lot more data gathering going on across this entire application lifecycle. And big data or analytics that we have in other areas are being brought into this fold.

Is there something about automation, orchestration, and data analytics that are part and parcel of the HPE products that could help on this behavioral shift by measuring, verifying, and then demonstrating where things are good or not so good?

Painter: One thing that HPE uses to build it in is secure coding, but also we talk about detect and response. We have an application product that integrates with our security and monitoring tool from ArcSight.

So you can actually get application information. Applications have been a typical blind spot for Security Information and Event Management (SIEM) tools, and you can actually get some of those results you are talking about from our SIEM technology, which is really cool.

Over the past 10 years in the security industry, we've changed from the idea of we're going to block every attack, to one that says the attackers are already inside your network. This is part of that detection. Maybe you didn’t find these. In other words, you can see active exploitation, and then you can track it down and stop it that way.

Fifteen years ago, you had to convince people that they needed application security. You don’t have to do that now. They know they need it, but they just might not exactly know what they need to do.

It’s all about making this an opportunity for them to get security right, instead of viewing it as some sort of conflict between the need for speed and agile development and the need to release balanced against the needs of the enterprise to actually be secure and protect themselves from potential data breaches and potential data loss and all the compliance issues and now legal challenges from individual actors and all the way down the line.

Gardner: Gopal, before we close out, let’s look to the future a little bit. What comes next? Do you expect to see more use of data, measurement, and analytics, a science of development, if you will, to help with security issues, perhaps feedback loops that extend from development into production and back? How important do you think this use of more data and analytics will be to the improved automation and overall security posture of these applications?

Continuous improvement

Padinjaruveetil: You need to have data and you need to have measurements to make improvements. We want continuous improvement, but you can’t manage unless you measure. So we need to determine what are the systemic issues in application development, what are the systemic issues that we see constantly coming?

For example, if you're seeing cross-site scripting as a consistent vulnerability that’s coming across the multiple development teams, we need to have some way to make sure that we're seeing patterns with the data and looking at how to reduce these major systemic errors or vulnerabilities in systems.

You will see more and more data collection, data measurement, and applying advanced methods to look at not just the vulnerability aspect of it, but also the behavioral aspect. That’s something that we're not doing, but I see a huge change coming where we're actually going to see the behavioral aspects being tracked with data in the application lifecycle model.

Gardner: Another thing to be mindful of is getting ready for IoT with many more devices, endpoints, sensors, biological sensors. All of this is going to be something coming in the next few years.

How about revisiting the skills issue before we sign off? What can organizations do about maintaining the right skill sets, attracting the right workers and professionals, but also looking for all the options within an ecosystem, like the alliance between HPE and Capgemini? How do you see the skills problem shaking out over the next several years, Gopal?

Padinjaruveetil: If you look at many of the compliance frameworks, like NIST or ISO 27001, there's a big emphasis on control being put in place for security awareness and education. We're seeing a big drive for security education within the whole organization.

Then, we're seeing tools like DevInspect. When a developer writes bad code, if you give the feedback instantly that right now you have written code that is bad, instead of waiting for three months or four months and doing a test, we're seeing how these tools are making changes.

So, we're seeing tools like DevInspect helping developers to actually make themselves better code writers.

Painter: Developers are not natural security experts. They need help.

Padinjaruveetil: Yeah, absolutely.

Additional resources

Gardner: That was my last question to you, Mark. Can you suggest places that people can go for resources or how can they start to prepare themselves better for a number of the issues that we have discussed today?

Painter: It’s almost on an individual basis. There are plenty of resources on the Internet. We provide training as well. Web application security is actually one of the best places for organizations to leverage Capgemini to do their web application security testing.

The job crunch is the number one concern that enterprises have right now as part of security in the enterprise. There's a lack of qualified applicants, which says a lot when that’s a bigger concern than a data breach. We do a State of the SOC survey every year, and that was the result from the last one, which was a little surprising.

But apart from outsourcing, you need to find those developers who have an interest in security in your organization, and you need to enable them to learn that and get better, because that’s who is going to be your security person in the future, and that’s a lot cheaper and a lot more cost-effective than going out and hiring an expert.

I know one thing, and it’s a good thing. I tell my boss repeatedly that if you have good security people, you're going to have to pay them to keep them. That’s just the state of the market as it is now. So you have to leverage that and you have to rely on automation, but even with automation, you're still going to need that expert.

We are not yet at the point where you can just click a button and get a report. You still need somebody to look at it, and if you have interesting results, then you need that person who can go and examine those. It’s the 80/20 rule. You need that person who can go to the last 20 percent. You're going to have automation, tools, and what have you to get to that first 80 percent, but you still need that 20 percent at the end.

Listen to the podcast. Find it on iTunes. Get the mobile app. Read a full transcript or download a copy. Sponsor: Hewlett Packard Enterprise.
