In this episode of Infrastructure Matters, Steven Dickens and Krista Macomber discuss zero-trust architecture and its implementation. They emphasize that zero-trust is not just a single product or tool but a concept that requires a combination of people, processes, and technologies. They also mention the importance of confidential computing in securing data in use and the need for a shared responsibility model when using cloud services. Additionally, IBM’s acquisition of Apptio and BMC’s new AMI Cloud portfolio are discussed.
Topics include:
- IBM’s acquisition of Apptio
- BMC announcing its AMI Cloud portfolio
- NetApp’s BlueXP enhancements for multi-cloud operations and cyber-resiliency
- Zero Trust Architectures
  - What are they?
  - How do they shift thinking and technology requirements compared to traditional, perimeter-based approaches?
  - How exactly do they impact IT Infrastructure design?
  - Reference architectures and services that can help in design and implementation
Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.
Transcript:
Steven Dickens: Hello and welcome to episode three of Infrastructure Matters. I’m joined this week by Krista Macomber. Hey, Krista, welcome to the show.
Krista Macomber: Thanks so much, Steven, how are you doing?
Steven Dickens: Not too bad, not too bad. We’re recording on the 5th of July so fantastic to have a couple of days out. I hope you had a good time with the family, and a chance to chill out.
Krista Macomber: It was nice to get a little bit of relaxation in. I’m here in New Hampshire, so in the Boston area, and it was, unfortunately, super rainy so a little bit of a disappointment from that perspective but still good, as you say, to be able to relax and see some family and friends. How about yourself?
Steven Dickens: Same. I’m up in the sort of 100 miles north of New York so the weather wasn’t great but a chance to chill out and avoid the storms a little bit. That gives us a nice segue straight into the news section. Obviously, a quiet news week last week running into the holidays. A lot of the tech vendors sort of taking the opportunity to hit pause on the press machine. But a couple of big announcements that came out that we covered here at Futurum Group were IBM making an acquisition of Apptio which was big news, dominated the cycle last week given the size of that acquisition. And then the other one was BMC announcing their AMI Cloud portfolio. I’ll dive in on both of those because I covered them pretty extensively.
Apptio’s interesting. Largest acquisition by IBM since the Red Hat acquisition back in 2019. 4.6 billion is the number we’re hearing. Interestingly, going to give IBM an integration challenge in the FinOps space. I wrote a Forbes article on this and also covered it. One of our team covered it, Todd, on the Futurum site. Really interesting that IBM’s made a series of acquisitions, most notably recently with Turbonomic, in this FinOps space where they’re really trying to get a handle on people’s cloud and hybrid cloud spend. This isn’t just a public cloud story. I think really interesting. IBM briefed us last week. I see this making a lot of sense. As I mentioned, the only asterisk to my positivity is IBM’s got three or four solutions in this space now so it’s going to be fascinating to see what they do from an integration point of view.
Krista Macomber: Absolutely, Steven. And I know we talk a little bit about touching a bit on cloud repatriation and how, as customers are migrating to the cloud, it’s not always as cheap or as inexpensive as they were initially expecting, and just the number of levers that go into that. Certainly, as you mentioned, it’ll be interesting to see how those pieces come together and what ends up coming with that portfolio.
Steven Dickens: I think IBM’s got the brand permission to be in this space, I think they’re a trusted vendor in this space. Level of neutrality from the hyperscalers, they’ve, obviously, got their own cloud offering. I don’t think even IBM are talking about that now as a competitor for AWS, Azure, and GCP. So I think CIOs are going to trust … And increasingly CFOs are going to trust IBM in this space I feel. So it’s going to be fascinating to see how not only they do the integration work because this … As I say, there’s three or four products and solutions that they’ve got in this space either that were purely in this space or that were adjacent. But I think the other piece is how they connect it into their wider sort of OpenShift and Ansible automation story so it’s going to be fascinating to watch. I think big bet from Arvind, 4.6 billion, not the 34 billion they spent on OpenShift and the Red Hat portfolio. But certainly a big, big statement of intent that IBM plans to double down in the FinOps space.
The other news last week, which we were involved with, was the BMC AMI Cloud portfolio coming to market. They made an acquisition of a cloud software provider in the mainframe space called Model9 a few weeks back, which we covered, that closed. BMC announced their AMI Cloud portfolio. We covered this, we did some commissioned research looking into this space. I think fascinating for me to see that there is still an opportunity for mainframe software vendors to break into the market, get some traction, and then get an exit. I think people see the mainframe space as a pretty traditional, pretty established part of the market. But Gil Peleg and the Model9 team, over the last three or four years, have done a great job of splashing into the market, gaining traction, establishing product market fit, and really sort of getting onto the radar of one of the big vendors in BMC in this space. I think it makes sense from a BMC perspective. I think they’ve got a really strong storage portfolio. Moving that into a hybrid cloud model and allowing people to put their mainframe data in the cloud makes a lot of sense.
Those were the two big news items. As I say, quiet news week. We expect the press release engine to kick off next week in full effect. I think that PR teams will take a rest again this week so maybe next week’s podcast is going to be interesting. We maybe have to record on Friday rather than the midweek.
Krista Macomber: Right. For sure, for sure.
Steven Dickens: We don’t get many pauses in the schedule but we will take it while we can.
Krista Macomber: Exactly, exactly. And I think, Steven, maybe the only other component I would add from a news perspective is … In our first episode of Infrastructure Matters that we recorded with Kimberly, we did touch on the NetApp Analyst Summit and a number of the developments that NetApp is doing pertaining to cyber resiliency and BlueXP which is essentially … Its management plane for multi-cloud operations and things of that nature. Those features are available now. So if anyone is interested, our colleague Mitch Lewis actually wrote a blog about that. And, of course, folks can go ahead and listen to our first episode of Infrastructure Matters as well for some additional context there. I think from my perspective that’s probably the other news item that I would throw in the hopper there.
Steven Dickens: Fantastic. Basically, the structure of the show here is we cover the news. Light news week this week. But then we go into a deep dive topic and get the chance to double click. And really I’m playing the supporting act here to Krista who’s going to go through on … From a zero-trust perspective. My perspective, really interesting to see how this has gone from deep technical to marketing term over the last couple of years so that’s maybe a perspective I’d like you to elaborate on. Take us away and sort of walk us through where you see zero trust and maybe how that’s evolved.
Krista Macomber: Certainly. Absolutely, Steven. You raise a couple of great points. The first point being that this is a concept that, at this point, has been around for … Really for quite some time. For several years at this point. The other point being that this is becoming a little bit of a market texture, or at minimum it is being very heavily used in vendor marketing language. We put our heads together and thought this would be a good topic. When we do speak with IT operations teams, sometimes there’s a little bit of … Not necessarily maybe confusion but just wanting to really like you say, bring this down to some of the technical and also the policy components to understand more specifically what exactly is it that we’re referring to when we think about zero-trust.
Steven Dickens: Maybe let’s start there. I mean, you’re, obviously, one of the preeminent thinkers in this space, thought leader. That’s why we’ve got you on the payroll as somebody who’s fantastic and lead knowledgeable in this space. What would your definition of zero trust be? Where would you start?
Krista Macomber: Sure. What I like to do when I have conversations about it is begin by contrasting. If this is something new where are we coming from? What is sort of the traditional model? What we see is that the traditional model for a general security architecture tends to be very what we call perimeter based. And so really what that means is that it’s very … It’s heavily dependent on the network in that once a user account or once a device is granted access inside that network, that it is then sort of trusted by default and that it has a very broad level of access whether that be to data, whether that be to applications, other components of the infrastructure.
It’s sort of this concept of you’re innocent until proven guilty. But what we’re seeing is that with ransomware, data extortion, and all of these cyber attacks just continuing to be on the rise, that we really need to shift that paradigm. And we need to shift that paradigm to assume that, in fact, no user or no device can be trusted even if it is already inside the network. So from my perspective, that’s sort of the guiding principle behind zero-trust. And I think, at the same time, also why we’re tending to hear so much about it these days with all of these cyber attacks.
Steven Dickens: So if it’s the principle of, previously you came onto a network as a device or as a user and you were trusted with flipping that to say even when you are onto a network or as a device or as a user you’re now not trusted. Is that the most simple way to think about it?
Krista Macomber: That is a simple way … A simplified way to think about it. And really what it breaks down to is that every single access request is going to be evaluated before the access is granted. There’s really this scrutiny, and the scrutiny within context of okay, what is the user account? For example, the user ID that is requesting this access, where is it located, things of that nature. That’s one way that we’re seeing this begin to be implemented. But, of course, we can talk more about … Especially following the theme of this podcast, we can certainly talk a little bit more about what that means technically, especially from an infrastructure standpoint.
Steven Dickens: Well, that was where I was going to go next. If we’ve established zero-trust as a concept, where are you seeing that be deployed in the infrastructure? This is an infrastructure podcast-
Krista Macomber: Yes.
Steven Dickens: So where are you seeing that? Is it various layers? Is it various components of the architecture? What are you seeing there?
Krista Macomber: I would say that it is at a number of different layers. So when we think about infrastructure and, in particular, my role tending to focus very closely on data protection and data security, we do tend to start with access control certainly. Even if you are going to further scrutinize this user account, you do want to make sure that the … That there is the appropriate role-based access control, multifactor authentication, and some of those best practices are implemented upfront because that certainly can help from a rogue user, an attacker from gaining access. But really what we see is we need to see that be paired with what we’re describing as a concept of least privilege. Looking at that particular user and saying, “What really is the minimum level of access that user needs, in particular, when it comes to access to things like sensitive data in order to do their job?” So really it’s sort of what exactly do they need to know? What really do they need access to? And trying to contain that particular user to just those assets that they need the access to.
Steven Dickens: So is this new capability, and features, and functions in existing solutions typically rather than … I’ll pick on firewalls as a thing that you deploy in a network. Are you seeing the zero-trust devices or is this a feature on top of an existing device?
Krista Macomber: It’s a great question. You bring up an interesting example with firewalls. So what we’re seeing is that there are … Upgrades wouldn’t be really the best way to put it, but there are what we’re calling next-generation firewalls that have capabilities such as micro-segmentation which really breaks up the network into small isolated areas to be able to limit lateral … What we call lateral access. If an attacker does gain access to that one particular area of the network, they’re contained and then they can’t wreak further havoc elsewhere in the network. That’s a great example where that is likely something that would be in addition to … Something that would be additive to what is already deployed and implemented. That, of course, can create a number of challenges, right? And we do see that there are some challenges when we think about being able to really make this vision of zero-trust a reality that typically it does require some investment in new technologies, which, of course, then requires that these new technologies be implemented alongside what is already existing.
Steven Dickens: If the target audience of this podcast is heads of infrastructure in enterprises, is that the simple way to think about this? Hey, I’m going to need to deploy the latest version of, insert name of product or solution or piece of infrastructure in order to implement zero-trust. Is it as simple as that or is it more a people process as well as tools and platform discussion?
Krista Macomber: It’s certainly people and processes as well. So to answer the technical side of things, I would say certainly taking a step back and maybe auditing the existing environment for, like I mentioned, some of these access control capabilities. Do you have maybe microsegmentation implemented within your network, where applicable, to then identify what are some of the additional capabilities or technologies that need to be implemented? So I really understand where the holes are at. So I would say it’s maybe a little bit less about keeping up with the Joneses, so to speak, and just deploying the latest, but maybe it’s more about taking stock of where are your potential holes and what is needed to fill those. And certainly, it is about, like I mentioned, the people and processes as well.
That becomes a little bit of a challenge because it means that our IT operations teams, they are going to have to work closely, for example, with their organization’s cybersecurity team, for example, to understand what are some of the likely vulnerabilities. They might even need to also include business leaders in that conversation to understand where is the critical data. Who really are the critical users? And to be able to create some guardrails around those access control parameters that I was mentioning earlier. And we do see that, in some cases, vendors are working to bring to the table some services that maybe can help with this. And I can touch on that a little bit more. Does that help to paint a little bit of a clearer picture there?
Steven Dickens: Oh, yeah, it’s interesting. And I mentioned it in the introduction here … And your dog wants to join in which is fantastic. And we’re talking about the picture-
Krista Macomber: I so apologize.
Steven Dickens: No, no. I mean, I think everybody’s tuned into pets and small children walking into shows so I think we’re good we’ll keep rolling. From my perspective, we’ve seen a lot of the vendors jump onto this term, it’s now the standard words you have to put into every product. But I was interested … And you alluded to it there as well. This is people, process, and tools, not just tools. You mentioned from a consulting point of view there. Just really interested to maybe understand what’s the holistic view that somebody should be thinking about as they think of zero-trust and how to deploy this new … Well, not new, this methodology into their network.
Krista Macomber: To answer the question maybe we should think about the fact that it is, as we’ve been alluding to, sort of a stack, right? I think we talked about that a couple of minutes ago. A zero-trust isn’t one piece of technology or one SKU that I can just go and buy and deploy and then I have a zero-trust architecture. It really is going to incorporate a variety-
Steven Dickens: Vendors would love it to be that way, wouldn’t they?
Krista Macomber: Exactly, right?
Steven Dickens: Just buy my tool then you’re done.
Krista Macomber: Exactly. And hey, I mean, that would make the job for IT operations easier too, right?
Steven Dickens: Just buy this product and you’re all done, tick.
Krista Macomber: Yes.
Steven Dickens: It’s never as simple as that.
Krista Macomber: Exactly. One maybe prime example that maybe I can bring to the table here to walk through and break this down a little bit is … So Dell has introduced what it calls Project Fort Zero. Dell talked about this at Dell Technologies World, and it’s really been developing this since last fall. What Project Fort Zero is, it’s essentially … We can think about it like a reference architecture so almost like a recipe for a zero-trust architecture. Dell is actually working to get this Project Fort Zero validated by the US Department of Defense so that way customers can really be sure that it’s checking off a number of those really critical check marks. I mean, if it meets those certifications it’s probably going to meet the security certifications of almost any industry.
What Dell is doing, in this case, is it’s working with the DOD. It also has an ecosystem of partners that it’s working with so vendors like Intel from a chip and an infrastructure perspective. Juniper and Palo Alto Networks. We’ve already been talking about networking and VMware are a number of other examples of partners that it’s incorporating. What Dell is doing is it’s essentially trying to create this framework for customers so that way they can maybe get some ideas in terms of some of the critical technologies to look at and capabilities that they should think about.
And then what Dell is doing is it’s also offering … Essentially it sounds like it’s going to be some kind of support services. And really we see that Dell already has close relationships with the number of its partners in a pretty strategic way. So then to be able to provide the guidance on how to implement and then maybe even how to think about what guardrails are being put in place when we think, for example, about those access capabilities. Hopefully, that helps to give a little bit of additional color. But that’s one example that again, maybe helps to break this down a little bit.
Steven Dickens: I think the focus on reference architecture rather than a product is what I took away from that. We chat to product marketing people and product managers every day for briefings, and I see zero trust on … It’s almost a tick-box exercise now. I think what I’ve picked up from this conversation, we need to be thinking wider than that, we need to be thinking reference architectures, people, and process as much as tools. We’re starting to think about wrapping up, but one final thing that’s top of mind for me. We hear a lot about zero-trust, we hear a lot less about confidential computing. Confidential computing is probably a topic for a podcast in its own right, but just really want to get a little perspective of where you see confidential computing and securing data in use as part of one of those reference architectures and more holistic views.
Krista Macomber: It’s a good question. And again, it’s interesting because from my perspective I tend to look at backup data quite a bit just in my role. When I think confidential computing it is a little bit of a shift just in terms of that data that is in use. But absolutely. Maybe what I would add as well is the developments of quantum computing I think probably play a role in this as well. The idea is how do we maybe encrypt that data in a secure enough way that when it is in use, right, whether that be production or whether that be to access for recovery purposes, for example, that it’s going to be secure and that it’s going to be encrypted.
And I think as an industry we’re still getting there. I know that there are a number of vendors that are working in what they call quantum safe encryption. I know AWS had an announcement we touched in our first podcast on their security conference that I attended, and sort of some of the double encryption features that AWS is introducing as one example to maybe help combat this. I think those are some of the topics that come to my mind when I think about this. But I know, Steven, for you, I know you’ve been looking at this quite a bit as well. Are there any other parallels, from your perspective, that you wanted to bring up?
Steven Dickens: Yeah. I mean, I was at Intel Vision a few weeks back. Obviously, at the chip level, there’s a lot of focus going on with custom silicon. IBM’s been doing a lot on this with quantum-safe cryptography and also confidential computing for a while. AWS with Nitro. Intel’s been investing with SGX at the chip level around these secure enclaves. I think you captured it right, we’re still earlier days on this than maybe the zero-trust part of the conversation. I think for me, we’ve long been encrypting data at rest, we’ve long been encrypting data in transit. Data in use is the final frontier. I think as solutions like AWS Nitro start to become more commonly used, I think we’re going to see this deployed more widely. For me, that’s a good thing.
We put a lot of trust in our cloud providers, but we don’t know who works for these cloud providers. The admins, right, AWS, Azure, and Google, and IBM, and Oracle, and others, fantastic people one and all but we don’t know what they’ve got access to whilst processes are running on servers. And there’s a lot of threat vector there and space for people to do nefarious things. So the sooner we can lock that down holistically the better.
Krista Macomber: 100%. And I think that’s also why it’s so important when we do think about the cloud, that we do keep in mind that shared responsibility model. I know we’ve already mentioned that on this podcast, and it’s just such an important topic. Because really to your point, Steven, that means that in this example AWS does have a responsibility to bring to the table secure infrastructure but the customer is still responsible for the data, right, at the end of the day. So that includes things that we’ve been talking about today like permissions. That includes capabilities like encryption that we’ve been talking about. So it’s I think an important … It’s important to continue to beat that drum, so to speak, because it’s … As we move more and more to the cloud I think it’s something that’s going to continue to come up, especially in the context of cybersecurity.
Steven Dickens: I completely agree. And I think that’s a great way for us to sum up here. It’s been fantastic as always to chat to you, Krista. I always learn when I speak to you, I think our listeners will do the same so thank you very much for that.
Krista Macomber: Thank you so much, Steven, it was great as always.
Steven Dickens: So you’ve been listening to the Infrastructure Matters podcast. We’re still building this so please click and subscribe, do all those things you’re supposed to do, and we’ll see you on the next episode. Thanks very much for watching and listening.
Author Information
Regarded as a luminary at the intersection of technology and business transformation, Steven Dickens is the Vice President and Practice Leader for Hybrid Cloud, Infrastructure, and Operations at The Futurum Group. With a distinguished track record as a Forbes contributor and a ranking among the Top 10 Analysts by ARInsights, Steven's unique vantage point enables him to chart the nexus between emergent technologies and disruptive innovation, offering unparalleled insights for global enterprises.
Steven's expertise spans a broad spectrum of technologies that drive modern enterprises. Notable among these are open source, hybrid cloud, mission-critical infrastructure, cryptocurrencies, blockchain, and FinTech innovation. His work is foundational in aligning the strategic imperatives of C-suite executives with the practical needs of end users and technology practitioners, serving as a catalyst for optimizing the return on technology investments.
Over the years, Steven has been an integral part of industry behemoths including Broadcom, Hewlett Packard Enterprise (HPE), and IBM. His exceptional ability to pioneer multi-hundred-million-dollar products and to lead global sales teams with revenues in the same echelon has consistently demonstrated his capability for high-impact leadership.
Steven serves as a thought leader in various technology consortiums. He was a founding board member and former Chairperson of the Open Mainframe Project, under the aegis of the Linux Foundation. His role as a Board Advisor continues to shape the advocacy for open source implementations of mainframe technologies.
With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately 15 years of experience providing research and advisory services and creating thought leadership content. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.
Prior to joining The Futurum Group, Krista led the data protection practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.