Enterprise hits and misses - public cloud companies jockey for position as the Capital One data breach fallout continues

By Jon Reed August 5, 2019
This week - the Capital One data breach fallout continues, and cloud providers get heat. Public cloud numbers look good, but multi-cloud headaches remain. Agile and ERP don't mix, or do they? Your whiffs include an all-time social media fail.


Lead story - Cloud services is not a winner-take-all market, and enterprises should applaud robust competition, by Kurt Marko

MyPOV: Kurt breaks down heady cloud services growth numbers, and draws a couple of conclusions:

  1. Azure is kicking butt, and may eventually catch AWS revenues on the enterprise side.
  2. Google Cloud is "reinvigorated", exploiting strengths such as containers (and, I'd argue, TensorFlow).

Parsing Microsoft's numbers, Kurt notes some advantages taking hold:

Microsoft's SaaS business (Office 365, Dynamics 365, Teams) is much larger than AWS's budding applications business. Microsoft's PaaS, by exploiting tooling and APIs already familiar to Windows developers, is more popular, particularly among enterprises, than AWS's platform services.

As for Google, Kurt writes:

A reinvigorated Google Cloud is aggressively pursuing enterprise business. As I detailed last spring, the company is using its expertise in containers to smooth the migration of enterprise workloads to the cloud via its Anthos service.

But Kurt doesn't think we should look at cloud like a horse race. This is about multiple cloud providers gaining from the overall shift to managed services. There are two other issues to consider here: cloud security expectations - and the problem of true multi-cloud. Read on for more...

Diginomica picks - my top stories on diginomica this week

Vendor analysis, diginomica style. Here's my three top choices from our vendor coverage:

A couple more vendor picks, without the quotables:

Jon's grab bag - Stuart continues Facebook's regulatory misadventures in Europe's top court gives thumbs down to Facebook's Like button policies. Meanwhile, I got tricked lured into a debate on Facebook groups and algorithmically-driven communities (Facebook groups for enterprises - bring on the debate).

Brian's Month in Brief – July 2019 isn't so brief, but then Brian had a lot of vinegar to vent briefings to process, including Franken-algorithms, and an epic CX rant to close out the month. Finally, Barb shifts the personalization debate in We share our data for personalized experiences - but are brands delivering?

Best of the rest


Lead story - Making sense of the Capital One data debacle

MyPOV: Just as the scope of the Capital One data hack came into focus, disconcerting news came via Zack Whittaker's security beat at TechCrunch:

Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach that saw more than 106 million credit applications and files copied from a cloud server run by Capital One by an alleged hacker, Paige Thompson, a Seattle resident, who was taken into FBI custody earlier this week.

There have already been numerous post-mortems on the hack, such as The New Stack's Capital One's Cloud Misconfiguration Woes Have Been an Industry-Wide Fear. But perhaps the most interesting comes via Krebs on Security's What We Can Learn from the Capital One Hack. Krebs interviewed more than a dozen security experts. These experts don't completely agree, but this much is clear:

According to a source with direct knowledge of the breach investigation, the problem stemmed in part from a misconfigured open-source Web Application Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with Amazon Web Services (AWS).

Usually with hacks of public clouds or open source databases, the ignorance/inexperience of the customer that didn't configure properly is the blame consensus. But here we have dissent, and, perhaps, a competitive opening for other providers such as Google?

Krebs quotes a product security manager at CloudFlare:

The impact of SSRF (Server Side Request Forgery) is being worsened by the offering of public clouds, and the major players like AWS are not doing anything to fix it. The problem is common and well-known, but hard to prevent and does not have any mitigations built into the AWS platform.

Johnson said AWS could address this shortcoming by including extra identifying information in any request sent to the metadata service, as Google has already done with its cloud hosting platform. He also acknowledged that doing so could break a lot of backwards compatibility within AWS.

Others cited the challenge of tapping into specialized AWS know-how in a tight job market. In these types of breaches, there is always blame-a-plenty. But this one may be recalled as a turning point, where cloud providers can no longer get away with saying "you didn't configure this properly." The scathing reader comments imply as much.

Other standouts

  • Agile + ERP Implementations: Why It’s a Terrible Idea - Eric Kimberling is the latest to punk criticize Agile when it comes to large scale ERP. Kimberling's issue? He believes successful ERP projects are based on a broad, standardized transformation effort. Agile doesn't make the cut: "Agile by its very nature, on the other hand, looks for smaller quick wins that may or may not tie into an overarching and longer-term digital strategy." Yes - but only if you limit the definition of Agile to the capital A. If "agile" is more about iterative projects that are tied to the discipline of regular user/customer feedback, then maybe it's time for ERP projects to change instead. Factoid: most ERP vendors I've talked with - of any size - now develop their software using agile methodologies.
  • Instant Feedback Hurts Our Performance - via Brian Sommer's recommend, check this deconstruction of "instant feedback" via apps - such as driver instruction. Turns out quick feedback loops don't necessarily bring out our best. This piece doesn't delve into HR/regular performance reviews, but the implications for that are worth considering.
  • Don't Squander the Techno Revolution - McKinsey continues its series on the far-reaching impact of AI. Gist? If we want to seize the positive impacts, and take the edge off the negative (job loss), we have our work cut out for us: "Policymakers should be preparing for a retraining effort on the scale of the 1944 GI Bill in the US."

Honorable mention

  • Apple suspends Siri response grading in response to privacy concerns - Apple does the right thing, but loses "data privacy leaders" PR luster in the process. Siri is still pretty dumb and needs to improve wants to listen; Apple craves that data - stay tuned.
  • Microsoft Retiring Skype for Business to Force Team Use - Whenever I see a headline about one of the most badly mismanaged acquisitions in history Skype, I figure it's either about deprecating features, or the forced march to Teams. Adam Mansfield of UpperEdge is on the case.
  • Personal take on multi-cloud - Vijay Vijayasankar punctures some marketers' multi-cloud hype balloons: "A lot of people would like to be in an ideal world where workloads can be sent intelligently to execute wherever it is cheapest to execute, that is still enterprise utopia." Bonus points for the unexpected lyrical reference to "Hotel California."
  • Forescout discovers poor security is making Enterprise IoT a liability - let's not leave IoT out of the security handwringing. "Many IoT devices, including surveillance cameras, are set up by default to communicate over unencrypted protocols, allowing for traffic sniffing and tampering of sensitive information." Sound familiar?



I forgot to get to KLM airlines last week, but surely the now-deleted Tweet from KLMIndia about airplane fatality percentages based on where you sit was one of the great social media fails of all time, right?

Our well-traveled pal Holger Mueller of Constellation Research ran into some epic security lines at Frankfurt Airport, and extracted this tone deaf reply:

I'm sure the Federal Police are eagerly standing by...

Sometimes a great headline is all you need to take someone down. I didn't even need to read the rest of Josh Bernoff's evisceration of Capital One - the headline was perfection: Why is Capital One bragging about the part of its data that wasn't stolen?

Other times, headlines drive me bonkers. Take this one from Business Insider: NASA telescope points to possibly habitable world just 31 light-years away. Now, this is kind of a cool discovery. But did anyone else trip on the "just 31 light years away" line? Isn't that kind of like saying "he just spilled 31 percent of that uranium?"

Anyhow, I Googled how far this distance is, and got this gibberish: 31 light years = 1.822e+14.

Whenever I see a little "e" next to a number, I get uncomfortable about asking my Uber driver to take me there. I did a bit of digging, and found this back of the envelope calculation - yeah, that's 620,000 travel years away from us at the moment. Doesn't seem like whoever lives there is going to make the best pen pal, eh? See you next time...

If you find an #ensw piece that qualifies for hits and misses - in a good or bad way - let me know in the comments as Clive (almost) always does. Most Enterprise hits and misses articles are selected from my curated @jonerpnewsfeed. 'myPOV' is borrowed with reluctant permission from the ubiquitous Ray Wang.

Image credit - Waiter Suggesting Bottle © Minerva Studiom, Overworked Businessman © Bloomua, at the seaside © olly - Fotolia.com - all from Fotolia.com

Disclosure - Oracle NetSuite, Zoho, Workday and Salesforce are diginomica premier partners as of this writing.
