Remember the saying, “No one ever gets fired for hiring Big Blue”? At a time when technology seemed to be changing fast, executives wanted to reduce risk and play it safe. This was before the cloud and at a time when distributed computing seemed like some new-age religion.

While most bloggers seem focused on why IBM would pay $34 billion for Red Hat, I thought it might be timely to point out the recent Kubernetes vulnerability, CVE-2018-1002105. This vulnerability, announced by Google and credited to Darren Shepherd’s discovery, is so new at the time of this writing that it cannot yet be found in NIST’s National Vulnerability Database.

And yet, my inbox and linkedin.com stream were full of posts and announcements from Red Hat. Before my head hit the pillow last night, I was aware of the CVE, its severity, the recommended remediation, and the horrible news that I would likely have to upgrade my Kubernetes clusters in production.

Wasn’t it just yesterday we learned of Marriott’s breach that compromised 500 million customer records? I recall Equifax, JP Morgan Chase, Home Depot, and Target all having their moment of fame wrought by devastating data breaches that compromised customer data and tarnished the brands of the companies responsible.

This backdrop of security-related risks and the daily drumbeat of its presence on my back door (pun intended) makes me realize there is probably something Red Hat does really well that IBM Cloud could use — namely, security patching and real-time support of customers striving to stay one step ahead of tomorrow’s threat.

In my years with Red Hat, I served the Financial Services Region. Our clients were just beginning to place critical workloads on Amazon AWS and beginning to kick the tires of Kubernetes. Now, just a few years later, I am aware that all too many of those same FSI (Financial Services Industry) clients now have to upgrade hundreds if not thousands of Kubernetes clusters in production. I can almost hear the proverbial pager beeping at 3 a.m.

When these security-related events occur, these large enterprises end up dealing with many vendors. Cloud providers, operating system vendors, and, yes, Kubernetes and container vendors all must scurry to demonstrate competency in solving this problem quickly, especially since this is a high-severity production vulnerability that is now known to even the most inept hackers out there. Those hackers are scurrying too!

While the cloud offers a compelling cost advantage, lower cost is not the only differentiator that will define tomorrow’s winners and losers in the cloud marketplace. Multicloud and hybrid cloud services suggest most enterprises will have many clouds. Might the purple cloud, made up of Big Blue’s cloud and Red Hat’s Linux and Kubernetes distro, be the most secure? If brand integrity is any indication of who is credible in this space, it won’t be a hard sell.

DevSecOps is a culture and process to ensure continuous security.

Our industry is at the very onset of DevSecOps practice. Fewer than 20 percent of enterprises have instituted DevOps pipelines with static and dynamic vulnerability scanning. Even fewer have made adequate investments in the CISO office’s team to address the ongoing threats that compromise our business interests.

Breaches hurt the brand integrity of the companies that experience them. Executives are often fired following these types of tragedy. If brand integrity is an asset with a tangible value, I have no doubt that billions of dollars of value have been lost due to these types of security flaws.

When one measures the cost of failed security practice against the slightly higher cost of a purple cloud with IBM and Red Hat, as opposed to another cloud with free Linux and Kubernetes, it is easy to justify the increased investment. IBM was built on its reputation for being a safe investment. There have been many golf outings where a decision maker made a procurement that went beyond the technical merits of the offering and instead relied upon the gut feeling of an executive.

If IBM is ever going to redefine itself in this new cloud market and reassert its position at the top of the value chain, now is that moment. While the rolling upgrades that Kubernetes affords its container workloads are a great way to patch and remediate vulnerabilities in applications, I don’t believe there is yet a rolling upgrade for the Kubernetes cluster itself. Perhaps the talented engineers at Red Hat will invent that feature now.

I can only imagine how busy Google must be today. The Borg is threatening earth!

For more, take a look at our latest DevSecOps Essentials course.

One response to “Will Anyone Be Fired for Hiring Big Purple?”

  1. Just like in the early days of OpenStack, people were clamoring to get on board because it allowed an open source and completely transparent way of hosting infrastructure. However, in the early days of OpenStack, operations, upgrades and governance were all custom implementations. There was no easy button for upgrades. Now, years later, OpenStack is stable, easily upgradeable and has plenty of reference architectures for operations and governance. I see the CNCF already trying to make decisions that would keep them out of the same mistakes made by their OpenStack brethren but also still bogged down early with challenges in security, persistent storage, networking, and governance. I feel confident each one of these will eventually work itself out and Kubernetes will be as boring as OpenStack has become, but, by then, will there be a new shiny object like Kubernetes has become?
