The Borg is attacking Earth: Will anyone get fired for hiring Big Purple?

Remember the saying “No one ever gets fired for hiring Big Blue”? At a time when technology seemed to be changing fast, executives wanted to reduce risk and play it safe. This was before the cloud, and at a time when distributed computing seemed like some new-age religion.

While most bloggers seem focused on why IBM would pay $34 billion for Red Hat, I thought it might be timely to point out the recent Kubernetes vulnerability CVE-2018-1002105. This vulnerability, announced by Google and credited to Darren Shepherd’s discovery, remains too new at the time of this writing to even be found in NIST’s National Vulnerability Database.

And yet, my inbox and linkedin.com stream were full of posts and announcements from Red Hat. Before my head hit the pillow last night I was aware of the CVE, its severity, the recommended remediation, and the horrible news that I would likely have to upgrade my Kubernetes clusters in production.

Wasn’t it just yesterday that we learned of Marriott’s breach that compromised 500 million customer records? My memory recollects Equifax, JP Morgan Chase, Home Depot, and Target as all having had their moment of fame wrought by devastating data breaches that compromised customer data and tarnished the brands of the companies responsible.

This backdrop of security-related risks, and the daily drumbeat of its presence on my back door (pun intended), makes me realize that there is probably something Red Hat does really well that IBM Cloud could use… namely security patching and real-time support of customers striving to stay one step ahead of tomorrow’s threat.

In my years with Red Hat I served the Financial Services Region. Our clients were just beginning to place critical workloads on Amazon AWS and beginning to kick the tires of Kubernetes. Now, just a few years later, I am aware that all too many of those same FSI (Financial Services Industry) clients have to upgrade hundreds if not thousands of Kubernetes clusters in production. I can almost hear the proverbial pager beeping at 3am.

And when these security-related events occur, these large enterprises end up dealing with many vendors. Cloud providers, operating system vendors, and yes, Kubernetes and container vendors all must scurry to demonstrate competency in solving this problem quickly, especially since this is a production vulnerability of high severity that is now known to even the most inept hackers out there. Those hackers are scurrying too!

While cloud offers a compelling cost advantage, lower cost is not the only differentiator that will define tomorrow’s winners and losers in the cloud marketplace. Multicloud and hybrid cloud suggest that most enterprises will have many clouds. Might the purple cloud, made up of Big Blue’s cloud and Red Hat’s Linux and Kubernetes distros, be the most secure? If brand integrity is any indication of who is credible in this space, it won’t be a hard sell.

Our industry is at the very onset of DevSecOps practice. Fewer than twenty percent of enterprises have instituted DevOps pipelines with static and dynamic vulnerability scanning. Even fewer have made adequate investments in the CISO office’s team to address the ongoing threats that compromise our business interests.

Breaches hurt the brand integrity of the companies that experience them. Executives are often fired subsequent to these types of tragedy. If brand integrity is an asset with a tangible value, I have no doubt that billions of dollars of value have been lost due to these types of security flaws.

When one measures the cost of failed security practice against the slightly higher cost of a purple cloud with IBM and Red Hat, as opposed to another cloud with free Linux and Kubernetes, it is easy to justify the increased investment. IBM was built on its reputation for being a safe investment. Many a golf outing with the right decision maker has led to a procurement that went beyond the technical merits of the offering and instead relied upon the gut feel of an executive.

If IBM is ever going to redefine itself in this new cloud market and reassert its position at the top of the value chain, now is that moment. While the rolling upgrades that Kubernetes affords its container workloads are a great way to patch and remediate vulnerabilities in applications, I don’t believe there is yet a rolling upgrade for the Kubernetes cluster itself. Perhaps the talented engineers at Red Hat will invent that feature now.

I can only imagine how busy Google must be today. The Borg is threatening Earth!