Session at the European Identity & Cloud Conference 2013
May 16, 2013 15:30
Lovely. Thank you very much. I'd now like to introduce Mark Evans, who is going to talk about his insecurities about security that led him to choosing the cloud. So thank you very much, over to you, Mark.

Hi everyone. Technology. Is this working? Yeah.
Yes, please. Can we have the Mark Evans presentation? There we are. That's... Yeah, this isn't a technical presentation. I won't go into a tremendous amount of technical detail. This is a presentation about what happens when you're faced with a number of fairly key and significant infrastructure problems, and your only real route out is a new technology that's appearing, that hasn't got a name yet, but will eventually become known as cloud. First off, Rider Levett Bucknall: you know, who or what is Rider Levett Bucknall? It sounds like a firm of solicitors. It's not.
We are basically, as it says on the board, the third largest construction consultancy on the planet. As a construction consultancy we are, and I'm fairly proud to say, some of the best around. As a practitioner of information technology we were, when I joined, extremely poor. And what I'm gonna do is I'm gonna take you through what I was confronted with. It's a bit of a horror story. And then I'll finish with where we got to. Some of the people that we work with: we've worked on three of the recent Olympics. We didn't get Greece, but it looks like we're in the running for Rio.
So I might see if they need any IT help out there. But the challenge was: we had a challenge of physical security, which I'll explain in a moment, data security, and access security to our systems. This is our head office in Birmingham, in the UK. Birmingham 150 years ago was called the city of a thousand trades. I think it's now a city of about three. It's a very poor area. It's the second largest city in the UK, but you wouldn't believe it to look around.
Now, this building looks impressive. However, I would draw your attention to the sort of dark line above the sign. That's our office. The rest of it is a public space. The rest of it's rented by the University of Central England, Birmingham University. The building is public sector. It's owned by Birmingham City Council. And as a head office, we moved there because there was a lot of regeneration work happening in and around that area, and we thought that if we were there, then we'd be the go-to guys. And we won absolutely none of the business.
So we were stuck in this building, I think, and we have physical access issues, which I'll go on to explain. As you can imagine, having a data center in a publicly accessible building: not brilliant. This is the inside of Millennium Point. Looks fairly space age. A former girlfriend of mine said it looked like a multistory car park, but it boasts an IMAX cinema, lots of tutorial rooms. It's a huge building, but we get lots of transient visitors, people who don't have an interest in the building itself or the occupants.
And we have had the BBC recording TV shows there, and films, because it looks fairly, well, it did look fairly space age. And one day I bumped into this guy. Now some of you will know who he is, some of you won't. Just to give a bit of context, he was once this guy, and he's sitting next to, you can see, Steve McQueen, Yul Brynner. He's part of the Magnificent Seven: Robert Vaughn. Not something you do every day, but it was nice.
But when you consider that our head office has got a data center in this building, where people who used to drink with the likes of Steve McQueen and Yul Brynner can attend, the security becomes a bit of an issue. Wonderful view of the car park. Birmingham City Council wastes no time whatsoever in trying to make money out of its buildings, and so we end up with things like this: pop concerts.
So not only have we got transient people using facilities within the building, who have obviously paid to use the building for filming TV series or whatever, we also have lots of transient visitors who just happen to turn up, who can walk into the building. And we have environmental issues, which I'll go on to explain. Now, Millennium Point, bird's eye view. We had a visit from the UK security services. MI5 was part of the tenants' meeting and they just turned up. No one knew who they were. There were a few questions and then they exposed who they were.
And we had a very interesting conversation about physical security in the building. Now, if we'd had the meeting in London, then we'd probably have seen someone like this guy, but as it was Birmingham, it was probably more like this. MI5 went on to tell us that because we were in a public building, which houses the Birmingham science museum, which houses several universities, we were actually a very high risk terrorist target. And it's entirely coincidental that about this time, the IT team started to work more from home.
We're in a situation where, as a global business, our data center was accessible to anyone who happened to be walking by. It was a terrorist threat. And because of things like the science museum and the IMAX cinema and all manner of student facilities, and being very open plan, we couldn't track people coming in and out. In the UK, British Telecom used to provide data links; now it's a company called Openreach, which was sold off from BT, and their engineers are high quality, responsive, work very quickly. I'm lying through my teeth. They are very slow.
We found out that Openreach have a very strange implementation plan for new data services. Part of it is: get the data service in and don't worry about the current tenants of your service. So we'd find that our main data, one of our main data links, would go down quite regularly. We placed a call with Openreach and it got to the point where we could say, yes, our data link's gone down, it's in a telecoms box 871 meters from our office. It happened so often. It was just so unreliable. The building, because it's public sector, doesn't get as much maintenance as you would hope.
So we have a leaking roof. And as you can imagine, mixing that with infrastructure is not the best sort of way of providing the service. And you can imagine my shock when I started to see all this and started to dig around. You can also imagine my shock when I walked into the server room, possibly on the first or second day of my employment with the company. When you're interviewed for a job, you've very rarely got an opportunity to look around the infrastructure, take it on board.
And when I walked into the server room and saw that there was an active sprinkler system in there, in a public building with students who may get up to high jinks and decide it'd be fun to set off the sprinklers in the entire building, I really wanted to say, well, you know, I've signed up for this job now, can I, can I resign? The risk was just tremendous. And I don't need to sort of harp on about that physical security.
I could, to the end note of this, of the issues we had: we've got access issues for filming and concerts. I'm trying to speed up. The environmental issues: I've mentioned our neighbors, terrorist targets. We have issues with the comms, leaking roof and sprinkler system. But what about access to the data, access to servers, physical access to servers? That was the extent of our security on our data center: digital locks. The room, the one with the sprinkler system in, had standard office partitioning separating it from a main meeting room. That was the extent of the security.
So what could we do? I mean, we could carry on and, fingers crossed, everything would be okay. You know, we could hire a guy to stand in front of the door and not let anyone in, but that's hardly practical.
So, oh, one other issue I forgot to mention: running backups. Obviously we relied on the backups, because if the sprinkler system went off, if somebody broke in and stole servers, we need a backup solution. The question is how far away is near enough. We were pretty much in a situation where, one of the other things that Birmingham's famous for is that J.R.R. Tolkien wrote Lord of the Rings there, based on an area called Sarehole Mill, and going to get the backups was pretty much like going to Mordor.
I'm not a huge fan of the books myself, but if they stretched that journey over three films, then you can imagine what it was to get access to the backup media. So access to servers: far too easy and insecure. It was expensive to remedy within the building. They wouldn't remove the sprinkler system because it was an insurance issue. We couldn't build any solid walls because of the terms of the tenancy. We couldn't remedy that.
As I said, how far is, how near is far enough away? We had an outage: how quick was our response, and how secure a repository were we restoring the backup information from? These were all issues that we needed to resolve. And as I said at the beginning, we had an opportunity to use this new nascent technology that no one really had a name for. In terms of vendor security, originally these slides would've been accurate. We provide construction consultancy to some fairly sensitive organizations in the UK: the UK Atomic Weapons Establishment. We are the quantity surveyors that they use.
We are the project managers they use on their property. The UK Prison Service: we are the quantity surveyors and the project managers that they use, and they also use our building survey services. The UK Post Office: every post office is pretty much a bank. They have security requirements. Vendor security: Active Directory.
Yet it's not really that secure, unfortunately, as I found out. Contractually, I can't say much about our security, such is the sensitive nature, but we use Windows Server. Active Directory is our only means of security. We had access via VPNs, and that was a bit of a nightmare to deal with in the business. As I mentioned earlier, because construction is a very conservative, with a small c, industry, access security at the time wasn't considered to be a major issue. Our clients suggested otherwise, and they called the shots. And that's the reason why we sort of sued on what we were doing.
So the concept and realization of what we were trying to achieve: there was a wishlist. A lot of it, to be fair, a lot of it was driven by IT. If you go to someone and ask them what they need from an IT system, they have no frame of reference. You're not gonna get a tremendous amount of information back. I think the key point about speaking in terms the business understands was absolutely key. If, as IT practitioners, which I'm presuming we all are, you go into your CEO, you go to your board, you go to your vice president for this, that and the other, and you hit them with technological blurb,
unless you are in a technology company, you may as well just walk in and dance. They won't take anything from it. So we had to coach the business in terms of the things that it was likely to need from a new solution. We had to establish in their minds a requirement so that when we went to them with a cost, it wasn't so much of a shock, and they could see that it was a valid proposal. So which version of XaaS do we go for? Software as a service: there was no real fit in terms of software provision at the time.
And as Nikita mentioned, there was an issue to do with data location. In the same way that Mars couldn't use Google, because they had no idea where the data resided at the time, those services weren't available. But we had heard that there were some major players looking at bringing in software as a service, or using storage, things like that. But the real killer is the fact that the data would not be in the UK.
If you have a sensitive organization, such as the Atomic Weapons Establishment or HM Prison Service, and they need to know that their data is in the UK, they're not gonna be happy if we can't tell them where their data is. As Nikita said, if it's in the cloud and it's spread across the world, it's pretty much open season. And we were told in no uncertain terms: if our data's outside the UK, then our data is not residing with you any longer and you'll get no more work.
And at the time, the prevailing attitude, with the fear in the public sector about cloud, was: if you are a company that's in breach of our requirements for data storage, then pretty much any governmental department will just blacklist you. So we could lose all of our public sector clients. So that was off the list. Platform as a service, oh, platform as a service. We don't, as an organization, we don't tend to write bespoke applications, and we didn't want to go down the route of writing a sort of ERP system or whatever.
So the platform element, while it was a fairly compelling argument, the actual costs to get up and running were just prohibitive. So we went for infrastructure. And as it says there, it was what we have, but somewhere else. And this ticked all of our boxes, because we didn't have to worry about installing tin into racks. We didn't have to worry about installing operating systems.
We could just get onto our portal and say, I need a Linux server with 32 cores and 500 gig of RAM or whatever, and just fire it up and know that within a few minutes it was there and it was available for us to use. It was quite compelling because it took out a lot of the CapEx that we'd probably be involved in. Our finance director was one of the first people to buy into this, 'cause you could see that we weren't buying and depreciating assets.
We did look at London. People from outside the UK may not know this, but a lot of companies boast that they have a data center in Canary Wharf, and Canary Wharf is what typified the 1980s, 1990s financial big bang: yuppies. I'm in the right area to mention this, everyone driving a Porsche. And everyone says, oh, our data center's in Canary Wharf, aren't we fantastic. But Canary Wharf was attacked by the IRA.
In 1996, they basically parked a lorry bomb on one of the main thoroughfares. Before the Olympics, there was concern that there was no guarantee of security. Missiles were sited on residential apartment blocks, much to the consternation of the people who lived in the apartment blocks, for security. London is a very high profile city, and I prefer to embrace hide in plain sight rather than, hey, here's our data center, you might as well just paint a large target on it and say, come on, have a go. There's also issues of power in London. Let's say it's a major metropolis. Lots of people live there.
Lots of people want to use TVs and central heating or whatever, and the risk of brownout or even blackout just wasn't even worth considering. So we had a wishlist, and part of that wishlist sort of led onto defining what we required from our service provider. We didn't want a server in a basement protected by a dog.
You know, we wanted something that was fit for purpose. We wanted physical security to be taken out of our hands. We wanted someone who had an investment in their own data center to the extent that they wanted to make sure that clients would be impressed and naughty people would be kept out. The data security and the systems access security obviously were a given as well. The data that we use, I'll skip a couple of points. The data center that we use is not a known terrorist target. There's an area in the north of England called Yorkshire where they're very pragmatic people.
And the quote that you'll hear is: Yorkshire people say what they like and like what they say. But it's not a sort of busy metropolitan area as such. So it's there, but it's not drawing any attention to itself like it would be if it was in London. The data center is not a known terrorist target.
We did ask MI5, and after the first responses were, after that, you know, they said, well, we've got no record of that being anywhere that we'd have concern about. And because of time constraints, the last three elements obviously should stand to reason. Data security: we can't access the servers unless we're making an appointment, and then we have to turn up with all forms of ID and whatever. There's all sorts of biometric systems, which are fantastic. I did try to get winched in like Tom Cruise in Mission Impossible, down into the data center.
But the guy who was lowering me down really hurt his back, so we had to knock that on the head and leave it. But the security was fantastic. They look after our backups; we buy a backup solution from them and we can call back data from basically any point in time. We don't have to walk off with a Hobbit and do the march to Mordor to get the backup tapes.
A lot of this information, I really would say, is probably more filler than actual content now, because of the contractual stipulations from some of our clients. It's a variation on some of these things, but we've got some fairly high level security that's kicked in now for our cloud solution. So this is a list of how we're doing things.
Now, we used to run all of these systems ourselves. As you can see, it's a mixture of IaaS, SaaS. We started to build our own hybrid cloud, and we've taken advice from reasonably sized organizations and tried to implement best practice where possible.
But what we've started to do is we've started to put processing, put systems, put service provision into the hands of experts, experts who are contractually obliged to fulfill their requirements, obviously, but I couldn't go out and hire the caliber of people to run RLB's systems for the sort of budget we're talking about. Using cloud, using hybrid cloud, using a private IaaS system, and using the technical and expert capabilities of the people that we work with means that I can run a very lean IT team. And we are basically just a face to the business for our providers.
My role has wandered away from sitting with a screwdriver and sitting with a huge pile of floppy disks loading Windows 95 or whatever, to more of a contracts management role. And I think that's the one thing that we can take from cloud: give the work to people who know what they're doing, after you've checked their standards and whatever, and get on with something else, get on with something that actually delivers business value to the business.
And I think that by continually refreshing our attitude to the way that our systems run, and continually asking questions of our providers, and continually trying to get a better deal out of them, that adds more value to my business than me sitting there configuring a Linux box or wondering why Windows Server crashes every 30 seconds. So there's been a change in the actual nature of the IT team, as opposed to just the business in its processing. And I'll leave it there. You've heard enough from me. Thanks for your time. Thank you very much.