The commoditization of technology has reached its pinnacle with the advent of the recent paradigm of Cloud Computing. Infosys Cloud Computing blog is a platform to exchange thoughts, ideas and opinions with Infosys experts on Cloud Computing

December 11, 2018

Navigate your Digital Transformation with a Robust HR Service Delivery Solution

Today, employees are adept at technology, ultra-social, opinionated, and continuously connected. They demand high-quality service and experience, and prefer self-service instead of having to reach out to support via phone or email. The consumerization of employee experience is leading HR departments to capitalize on HR service delivery (HRSD) solutions to realign and automate functions such as recruitment, compensation, performance evaluation, compliance, legal, and more. They are also going beyond smart-looking portals and consolidating functions to enable employees to access a modern, smart, and omnichannel experience across desktop, mobile, and a virtual assistant. Organizations deploying a robust HR solution have discovered that they were able to reduce administrative costs by up to 30%.

Why an HR service delivery solution offers more than just cost savings

Usually, the first few days at work for a new employee can be a flurry of paperwork and processes. An HRSD solution that is accessible across devices could mean shorter, smoother joining formalities. Employees, whether joining remotely or at an office, can submit soft copies of their documents, and this can reduce workflows from 70 to 10 steps and thus save thousands of man-hours annually.

With an HRSD solution, organizations can do away with geography-specific portals, SharePoint, and the intranet for different sets of information, and offer a single, comprehensive, and user-friendly knowledge platform that is device-agnostic. With a type-ahead feature, the platform can suggest terms so that users execute their search quickly.

Another advantage of an HRSD solution is that employees can access context-sensitive content, tasks, and services through a Single Sign-on (SSO). A prompt feature can suggest related documents so that employees have access to all the information available. For instance, if an employee is searching for the vacation policy of the organization, information related to paid holidays, guest house facilities, leave travel allowance, etc. could pop up for the employee to review.

The traditional way of addressing HR problems is to raise a ticket. At the backend, case routing is manual, time-consuming, and person-dependent. Studies indicate that human resource personnel spend 57% of their time on repetitive tasks. Instead, information can be made available real-time via call, chatbot, or chat with a virtual agent. Larger organizations can also invest in an interactive voice response (IVR) facility which is accessible 24/7. When tickets are raised, an HRSD solution can be used to assign cases automatically depending on the skills and workload of HR personnel. This can positively impact employee experience.

Determine the success of an HRSD solution through leading and lagging indicators

Adopting an HRSD solution can be a major investment, and organizations can measure ROI through leading and lagging indicators. Two instances of leading indicators are a self-service portal and a feedback mechanism. Studies show that 70% of issues can be resolved through a self-service knowledge portal. Accessible 24/7, it gives users greater control over information and does away with costs associated with deploying HR staff to answer calls. A feedback mechanism can be deployed by enabling users to comment on and rate a document. This allows the organization to engage in continuous improvement of the information on the knowledge platform.

Lagging indicators provide quantifiable data that proves the automation invested in by the organization is delivering ROI. For instance, an increase in the use of the chat tool versus a reduction in case volume demonstrates that employees effectively use the chat option to solve issues instead of raising tickets, which take longer to address. As a result, HR personnel spend less time in backend administration and more time responding to actual employee concerns.

An increase in the use of IVR versus a reduction in the number of cases logged indicates that employees are able to quickly address queries over the phone instead of raising tickets. Thus, fewer personnel are needed to service a call center.

Measuring ROI on an HR service delivery solution

  • Organizations that implemented a knowledge portal or mobile app with personalized content found they could solve Tier 0 inquiries over 60% of the time and reduce HR administrative costs by up to 30%
  • Increased resolution of first calls reduces Tier 2 escalations. This can save up to 300k (for a client with a case volume of 25,000) as only around 8% of queries are escalated to Tier 2
  • With a well-managed HRSD solution, less than 5% of employee queries escalate to Tier 3, at which specialized professionals review and respond to cases. This allows organizations to optimize HR resources to do more value-added work
  • Increased self-service and peer-networks help case deflection. Over time, more than 60% of employee inquiries are resolved before reaching an HR personnel

  • With employee self-reliance, HR can be up to 30% more productive. Freed HR personnel can focus on higher-value strategic issues such as employee retention and workforce planning

 

So, if your organization is looking to give employees a seamless experience similar to retail, an HRSD is the answer. While the market abounds with HRSD vendors, choosing the right one requires a deeper understanding of one's requirements and the strengths of the vendor. Begin a conversation with Infosys to know how your organization can navigate its digital journey with an effective HR service delivery solution.

 

September 30, 2018

Public Cloud Security- is it still a concern for enterprises?

Author: Jitendra Jain, Senior Technology Architect (Architecture & Design Group, Infosys)

Introduction

Cloud computing has become an integral part of IT modernization in enterprises of every size, from large to small. It is considered a major milestone in the transformational journey. Cloud computing changes the way enterprises store, share and access data for services, products and applications. Public cloud is the most widely adopted model of cloud computing. Public cloud, as the name suggests, is available to the public over the internet and is easily accessible via the web channel in a free mode or a pay-as-you-go mode. Gmail, O365 and Dropbox are some of the popular examples of public cloud.

Services provided on public cloud eliminate extra investment in infrastructure, as all the required hardware, platform architecture and core operating software services are entirely owned, managed and efficiently maintained by the cloud hosting vendor.

As per McAfee research, almost 76% of enterprises have adopted at least one public cloud service provider for some kind of cloud offering (SaaS, IaaS, or PaaS). This shows the popularity of public cloud.



September 20, 2018

Multi-Cloud strategy - Considerations for Cloud Transformation Partners

While "Cloud" has become the "New Normal", recent analyst surveys indicate that more and more enterprises are adopting Multi-Cloud, wherein more than one Public Cloud provider is utilized to deliver the solution for an enterprise; for example, a solution that employs both AWS and Azure. There are various reasons for enterprises to take this route: Cloud Reliability, Data Sovereignty, Technical Features and Vendor Lock-in are a few amongst several.
Though most of the deliberations revolve around Multi-Cloud for enterprises, here is an attempt to bring out the considerations that a Cloud Transformation Partner needs to watch out for.


There are four core areas a Cloud Transformation Partner must focus on to ensure successful and seamless Transformation & Operation of a Multi-Cloud environment:

1. Architecture
2. Engineering
3. Operations
4. Resources

Architecture: Success of a multi-cloud strategy depends largely on defining the right architecture that can help reap the benefits of having a multi-cloud environment. Architecture decisions should be reviewed against the business demands that triggered a multi-cloud strategy and ensure they are fulfilled.

Application and Deployment architecture has to address all aspects of why an enterprise is looking to adopt a multi-cloud strategy. For example, if Data Sovereignty was the key consideration, the application deployment architecture should make sure that data will reside in the appropriate Cloud that suits the need. If reliability is the driver, a suitable failover mechanism needs to be in place, thus making use of the multiple cloud platforms available.

Interoperability across platforms is among the critical elements to emphasize, along with portability across Cloud Service Providers (CSPs). Achieving this takes a multi-layered approach, and containers are emerging as a solution in the cloud native space. More details in another blog post here.

Though Cloud as a platform is stable, there is a possibility of failure with a cloud provider (and we have witnessed it in the past). A Disaster Recovery (DR) solution built on multiple clouds can be a more effective solution than DR with a single cloud provider in multiple regions.

Establishing network connectivity between competitor CSPs can have its own challenges and bottlenecks. The network solution should facilitate provisioning new connections when needed, with the desired performance across multiple clouds.

Security solutions and controls need to run natively on all clouds and work across all boundaries. Hence Cloud Security Architecture should be on top of the list for considerations in multi-cloud. More importantly, solutions for threats, breaches and fixes need to cater to multiple CSPs and have to be centrally coordinated to respond effectively.


Engineering: There will be changes to the current set of application development and engineering processes followed for a single cloud environment. Application Deployment would need careful planning in a multi-cloud environment with specific focus on developer productivity, process compliance and security implementations.

DevOps should be an integral part of agile development for cloud native & traditional applications. Attention and careful planning need to be given to the DevOps process and tools so that they work seamlessly across multiple cloud platforms.

Application lifecycle management should have Platform specific testing built into the process and ensure reliable operations on each of the target platforms.


Operations: Cloud operations are more complex in a multi-cloud scenario due to the overheads that each cloud platform will bring in.

The Cloud Management Platform (CMP) must support the multiple Public Clouds that are part of the solution. The CMP should be capable of abstracting the complexity of different Cloud stacks and models and provide a single window view for operators to monitor, administer and manage the multi-cloud ecosystem.

Oversubscription of Cloud resources needs to be watched for in a multi-cloud environment. It is hard to foresee the cloud usage patterns in each of the cloud platforms, and it is very likely that one or all of the cloud platforms can get oversubscribed. Optimization of cloud resources can be a challenge and can result in increased costs. A Multi-Cloud strategy may not attract the best volume discounts from a CSP, and this can impact the cost.

SLAs can vary across CSPs; this should be taken into consideration while defining the service levels.

Overheads for managing and tracking multiple CSP contracts, billing etc. take effort and time and need to be planned for. A well-defined change control mechanism and a roles & responsibilities matrix are essential in a multi-cloud environment.


Resources: Staffing needs to be planned considering the multiple cloud platforms and the varied skills that would be required. Teams need to have an appropriate mix of core cloud Horizontal skills and CSP specific vertical skills. Multi-cloud environment will demand resources in:


Cloud Horizontal Skills - Engineering skills like Cloud native development with 12 factor principles and cloud orchestration are relatively cloud provider independent. Resources will be specialists in their technical areas and will not be dependent on the Cloud platforms.

Cloud Vertical Skills - Specialists of each cloud platform will be required to extract the best out of each of the multiple cloud platforms that are used. These resources will be required at various roles ranging from architects to developers.

Agile/DevOps - Cloud development needs to be agile and should accommodate changes with minimal turnaround time. This would need adoption of Agile/DevOps and resources with the appropriate skills to run large scale agile projects.

Cloud led transformation is a journey/continuum for any large enterprise, and hence they should choose a cloud transformation partner who has deep expertise across architecture, engineering and operations with the right resources. Infosys as a leading cloud transformation partner has been working with Global 2000 enterprises on their transformations. You can find more details on the same here.


September 3, 2018

Choosing the right Cloud Service Provider(s) and managing portability and interoperability across them

Global Enterprises are leveraging cloud as a platform to enable transformation, to drive business growth, improve business agility and enhance customer experience while delivering resilient IT systems at an optimal cost. AWS and Azure are the leading hyperscale cloud service players in the market, while others like Google Cloud, Oracle Cloud are emerging strong as well with compelling product service offerings for enterprise customers.

Choosing the right Cloud Service Provider

A cloud service provider choice is not made by enterprises solely based on cost, nor will they move from one cloud service provider to another just to achieve a direct cost advantage on CSP charges. The choice of cloud service provider is made considering the suitability of the CSP for the workload, the unique feature set offered by the CSP, visibility into the product roadmap, security & compliance adherence, flexibility in commercial agreements, pricing models and overall business strategy alignment. The heterogeneity in the current enterprise IT landscape, together with globally distributed businesses that set IT strategy at line-of-business or country/regional level, leads enterprises to adopt more than one cloud service provider.

With more than one cloud service provider and an existing infrastructure landscape, enterprises end up with a multi cloud environment and applications deployed across them. With business process flowing across applications in different deployment zones, it is essential that enterprises manage the hybrid environment with due considerations involving interoperability and portability.

Interoperability

The foundation for interoperability should factor in all four layers of the IT landscape, namely: Infrastructure, platform, application and business processes while catering to the needs of all involved stakeholders which primarily includes developers, IT operations, security, application and business owners. Considerations in the interoperability design include:

  1. Abstract the complexity of the cloud platform and provide a unified interface to IT developers to enable large scale adoption.
  2. Provide a unified cloud orchestration & management layer for provisioning, self-service catalog, policy based orchestration, monitoring and billing & chargeback.
  3. Create an integration platform at data and process levels across the deployment zones in a secure manner. This is to ensure business processes can be executed seamlessly across applications deployed in various zones.

Portability

Though interoperability ensures operations across multiple cloud service providers, there is a need to consider portability at various levels, including:

  • Applications - Technology stack (programming) and application packaging to enable application development irrespective of the application deployment target. For example, an application would be developed with technologies like Spring, Python, NodeJS, MySQL, MongoDB, Hadoop, Spark and packaged as containers to ease deployment.
  • Middleware platform - An application management runtime that brings in uniformity across cloud service providers and simplifies operations and management across them. Containers like Docker and container management platforms like Kubernetes help deploy applications on a multi-cloud platform and manage them in a scalable manner.
  • Development and Management Tools - While cloud native applications bring in the required agility, they need the right set of development and management tools to manage them.
    1. Unified service discovery, routing, security and management to monitor and troubleshoot microservices and applications deployed in the hybrid cloud. The cloud control plane is expected to provide service discovery & routing, security policy enforcement, identity & authorization service, tracing, logging and monitoring to run large scale hybrid cloud environments. ServiceMesh technology is in its nascent stage and focused on addressing these needs.
    2. DevOps platform to build, test, package and deploy applications in a uniform manner across cloud service providers. Tools like GitHub, Jenkins, Packer, Terraform, CloudForms, Chef/Puppet help realize a DevOps platform which works across public and private clouds.
  • Security - Consistent implementation/enforcement of security irrespective of the application deployment zone in the hybrid cloud. Unlike the traditional data center deployment model, where applications are deployed into a defined network architecture, cloud native workloads are dynamically placed across deployment zones in multiple clouds in a portable manner. This necessitates technologies that reconfigure the infrastructure to enforce the security policies in a software defined manner. ServiceMesh attempts to address the security needs of the hybrid cloud as well and continues to evolve.

Implementation of portability should consider factors like the cost of implementing portability, the impact of avoiding CSP native capabilities, time to market, and the engineering skills required to build the platform. The enterprise may also choose to implement limited portability, considering factors like the unique advantages of a specific CSP service, the cost of porting out in the future, etc.

Summarizing, while the choice of cloud service providers is made based on the feature set, workload affinity and commercial agreement, it is essential to establish interoperability across infrastructure, platform and application layers to ensure service resiliency and unhindered operations. Also, critically evaluate portability needs while defining the cloud solution blueprint, to retain the continuous evolution path for the organization.

Infosys as a leading cloud transformation service provider has helped several clients successfully to navigate through their multi cloud adoption journey. We would be happy to share our experiences with you and help you in your journey. 

August 17, 2018

Capabilities required to build and manage a Dynamic Cloud Environment

Cloud transformation is changing the way infrastructure and platforms are built and operated in an IT landscape. It is moving from the conventional implementation of ITSM processes, wherein every infrastructure request from an end user (application developers, application owners) goes through an approval & budgeting process and a long provisioning cycle, which might involve procurement as well, to a simple self-service provisioning model driven by an enterprise-specific product/service catalog.

This self-service model requires minimal or no support from the infrastructure and platform teams during provisioning but the responsibilities of platform resiliency, security, cost control and compliance remain with the platform teams. So, the platform engineering approach changes from being people and process centric to "self-service" methods with automation, controls and governance embedded in a non-intrusive way.

The platform for cloud includes 4 distinct layers:



  1. Cloud Platform Management - Manages the catalog, handles the request process and business approval in the provisioning phase. Addresses service management, billing and cost allocation in the operational phase. 
  2. Enterprise Orchestration - Unified provisioning across multiple deployment zones and configuring the environment for application usage, including application-specific middleware deployment and integration with operational & management tools.
  3. Cloud Control Plane - These are new capabilities required to address the dynamic characteristics of the cloud including workload placement, routing, tracing and security implementations.
  4. Deployment Zone - The infrastructure layer should be traditional on-premise data centers or private/ public cloud augmented with a container management platform.

Technology products are maturing in the cloud platform management and orchestration space to enable organizations to work effectively with the multi-cloud environment. For example, ServiceNow for cloud platform management (workflows in the provisioning part), Terraform for multi-cloud provisioning, Chef/Puppet/Ansible for configuration management. Along with the maturity of technologies, there is also an increased number of skilled resources to work on these maturing technologies, which enables enterprises to transform with cloud, benefitting from cloud scalability, agility and cost.

While the challenges in provisioning in a multi-cloud environment are being addressed, effective solutions for multi-cloud operations that go beyond IaaS are in the early stages of evolution. For example, orchestration and operations tools for containerized platforms, PaaS or server-less architecture are not mature. The cloud control plane is a concept that is evolving and focuses on the concerns around service location, routing, security and monitoring; however, the supporting technologies for these are in nascent stages with limited standard support.

Enterprises who are taking the journey to multi-cloud should:

  • Look at a comprehensive cloud management and orchestration platform, preferably an integrated platform to make consumption of resources for multiple deployment zones as simple as possible for the consumers while ensuring organization controls in a policy driven manner.
  • Explore the technology stack to implement a cloud control plane which would bring in operational control over the hybrid IT landscape.

The second part of this post would lay out the schematic of the Cloud control plane and analyze standards & technologies that are evolving to meet the needs. Stay tuned!

March 19, 2018

Do I stop at Enterprise Agility?

In today's world, with the increase in competition and customer demands, CRM transformation is no longer a single heroic application or module. The increasing need for a better customer experience through connected architecture has added layers of complexity, with the solution spreading across systems, technologies or modules, making it cumbersome to manage and maintain the enterprise architecture. Very recently, one of our customers asked - while you have the best solution for my CX woes, do you have anything which can help manage my delivery process? Do you have a packaged offering which solves my implementation as well as execution requirements?


March 7, 2018

5 cloud migration tips for enterprises

 

The multi-fold acceleration in digital technology growth has necessitated enterprises to start their cloud adoption journey to address the needs of flexibility, agility and availability and its extended benefits of huge scalability & significant cost optimization. It has been predicted by leading analysts that 83% of enterprise workload will move to cloud by 2020 and of that 41% of enterprise workload will run on public cloud platforms. However, moving the workloads to cloud is not a swift journey. It is encircled with concerns on performance, resilience, security, cost, threat of data loss, governance among other issues. Thus, enterprises must pay attention to several key points before they embark on their cloud journey.

  1. Definition of the cloud vision: To reap the best benefits of the transformation journey, it is paramount to have a clear and defined vision. The vision definition should start with evaluating the readiness for cloud adoption, transformation goals, technology adoption to target state including risks and operational model.

     

    In addition to this, enterprise strategists should clearly communicate and educate stakeholders on the cloud vision, its relevance and why it is important for the business' success. Cloud transformation is not only a technology adoption but also an organizational change that needs to be embraced by every team. To make the journey successful, every technology, application and process owner should be educated and made comfortable to move to the chosen cloud platform. A vision update, continuous education & inclusive engagement with the employees will keep them involved, motivated and focused during the actual execution of the transformation process.

     

  2. Identify drivers at organizational level and technology level: Drivers play an important role in defining the business case of the transformation journey. The business case is not just about the cost; it should also focus on the business value that would be delivered with cloud as the enabler. Clearly defined organization and technology level drivers with suitable measurement criteria in terms of KPIs keep the journey on track and logical. Furthermore, they help resolve conflicts and set priorities when enterprises move forward in their cloud journey. Customer experience, business growth, business agility, cost savings and IT scalability top the list of drivers for most enterprises, but these could vary based on the larger vision of the organization, their current market conditions and their current state of IT.

     

  3. Choice of platform provider and integration partner: A transformation can be successfully executed by choosing the right cloud platform provider and leveraging the services of a suitable integration services provider. When it comes to choosing the right cloud platform, executing the migration, execution experience and skilled professionals are essential, as cloud transformation needs changes across people, process and technology to reap the expected benefits of cloud.

     

    Enterprises find choosing a cloud provider to be a major challenge as they need to balance between leveraging the platform capabilities of a cloud service provider and vendor lock-in. Though enterprises would prefer switching services from one cloud provider to another, this is not very practical. Emerging technologies like containers have increased portability across cloud service providers while API has increased interoperability of systems thereby reducing the barrier in cloud adoption.

     

    System Integration partners have process, tools, skilled resources and experience in executing projects that can help enterprises in decision making for cloud service providers, cloud orchestration, cloud portability, cloud migration and operations.

     

  4. Scrutinize governance and security: The change due to transformation calls for a re-look at the governance strategies and compliance with security policies. In a traditional data center, an enterprise has significant control over the infrastructure, network and implementation of processes and controls, and thereby over how data is handled. But on cloud, the direct control by enterprises reduces, and major control and responsibility lie with the cloud service provider. Thus, organizations should align their governance strategies and consider strengthening the legal framework and their agreements with the service providers. Also, it is essential to involve the legal and risk teams in advance during the strategy stage, as they can guide the IT teams in terms of regulatory compliance.

     

  5. The migration strategy: Not every application can reap the same level of benefits by moving to cloud. Hence it is important to determine the right cloud adoption approach by considering the business (growth, agility and customer experience) and IT (resilience and cost) needs of the business functions realized in the applications. There are 3 major transformation types for the applications when they move to cloud:
    1. Applications implement unique business functions critical to business and the current implementation is mature - Move the applications to cloud with no or minimal changes.
    2. Applications do not sufficiently address the emerging needs in areas like user experience, performance and frequent feature releases - Applications are reengineered as cloud native applications.
    3. Applications are implementing generic business functions - Migrate to SaaS solutions to simplify the IT implementation and leverage the market advances in this area.

For example, when a traditional bank embarks on a journey to improve customer experience across all engagement channels, they should not only bring in new technologies and processes, but also enable the IT organization with new skills to build a new channel experience as they hold vast domain experience. Changing the way in which the bank engages with customers is important to stay relevant and competitive in the mobile first ecosystem which is enabled by emerging technologies like Cloud, Mobile and AI.

Emerging technologies are changing the way in which businesses are created and run. These technologies are opening up new business avenues, and cloud is a key enabler for realizing the whole potential. Doing successful business with them starts with a well-articulated vision and drivers that are understood by all, in addition to choosing the right technology partners and building solutions which meet the compliance needs of the industry.



September 30, 2017

Artificial Intelligence (AI) In Security Landscape

The world is becoming more innovative and intelligent, with a mesh of digitalized people, things and disruptive technologies.

At one end, human brain power is being infused into machines, making them artificially intelligent so that they can solve human problems for good. At the other end, unethical hackers are instilling their intelligence in malicious worms that attack IT systems, posing security threats to one and all.

In short, human brain power is mimicked in machines for both good and evil purposes. This has given rise to a long debate over whether AI (Artificial Intelligence) is a force for good or evil, a threat or an opportunity for IT security. There is no single answer to this debate. Good and evil are like two sides of a coin: inseparable. Every invention has both good and bad potential, be it fire, the knife, the engine, fuel, our beloved Internet, and so on. Good wins over evil when we as humans strive to maximize the positive potential of an invention, thereby automatically weakening its negative potential.

With this worthy intent, let's move forward to see how AI can be put to its best use in positive use cases. In this blog I want to take up one such use case: the "Adaptive Security Model".

The Adaptive Security Model is all about combating IT security threats in real time by employing AI technology. It is a transition from traditional detective and preventive security models to NextGen security models that are increasingly intelligent, predictive and adaptive. These models scrutinize real-time network traffic and activities, learn continuously from the data patterns, classify them as normal or malicious, raise alerts on potential attacks, and adapt automatically by implementing end-point security.

Enterprises with Adaptive Security Models possess four key competencies:

o   Preventive: Precautionary policies, processes and products (e.g. firewalls) to keep attack threats away.

o   Detective: Detects the attacks that bypass the preventive layer.

o   Retrospective: Deep analysis of issues that were not detected at the detective layer. Preventive and detective measures are enhanced to accommodate these learnings.

o   Predictive: Continuously learns and observes the patterns in network traffic, and keeps the security team alert to potential anomalies/attacks.

Machine Learning (ML) algorithms and techniques are at the core of this predictive competency of the adaptive security model. The ML field, be it in the security arena or elsewhere, is vast and continuously evolving through extensive research. The intention in this blog is just to scratch the surface of ML in the adaptive security context.

Of the many types of predictive models in the security context, the most popular are Network Intrusion Detection Models. These models focus on anomaly detection and thus differentiate between normal and malicious data.

The two broad types of machine learning techniques for anomaly detection are Supervised and Unsupervised.

o   In the Supervised Machine Learning method, the model is trained with a dataset that contains both normal and anomalous samples, which are explicitly labelled. These methods use classification techniques to classify data observations based on their attributes. Key algorithms for the adaptive security model are decision tree, naïve Bayesian classifier, neural network, genetic algorithm, support vector machine, etc.

o   Unsupervised Machine Learning is not based on training data. These methods use clustering techniques to group data with similar characteristics. They differentiate normal and malicious data based on a) the assumption that most of the network traffic is normal and only a small percentage is abnormal, and b) variations in statistical parameters between the two clusters.

Most common unsupervised algorithms are self-organizing maps (SOM), K-means, C-means, expectation-maximization meta-algorithm (EM), adaptive resonance theory (ART), and one-class support vector machine.

Theoretically, supervised methods are believed to provide better detection rate than unsupervised methods.

Main phases in building Predictive Models (assuming supervised ML):

o   Data Set Building: Creation of a rich dataset to be used for training and testing the model. Data sources may range from retrospective network traffic, past malicious attack patterns, audit logs and normal activity profile patterns to attack signatures and so on.

o   Predictive Attributes Selection: This is popularly known as 'Feature Engineering' for models. The dataset will have numerous attributes. The success of predictive models depends on an impactful combination of attributes, or features as they are called in ML terminology. Irrelevant and redundant attributes of the dataset have to be eliminated from the feature set. There are many theorems and techniques for this, PCA (Principal Component Analysis) being one of the popular techniques. PCA is a common statistical method used in multivariate optimization problems to reduce the dimensionality of data while retaining a large fraction of the data characteristics.

o   Classifier Model Construction: Build and train the model based on one or more algorithms. Test the model with test data. The model should classify the data as Normal class or Anomaly (malicious) class.

o   Test and Optimize the Model: The performance of the model depends on two parameters: the malicious activity detection rate (DR) and false positives (FP). DR is defined as the number of intrusion instances detected by the system divided by the total number of intrusion instances present in the test dataset. FP counts the instances of false alarms raised for something that is not really an attack. Model optimization should aim to maximize the DR and minimize the FP.

o   Employ the Model for real-time network traffic: Model performance in production will depend on the accuracy and maturity of the trained model. The model should be kept up to date through repeated re-training. Retraining should accommodate changing attack patterns and activities.
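The sketch below is an added example, not code from the original post: it applies two-cluster K-means (one of the unsupervised algorithms listed above) to constructed flow records, flags the smaller cluster as malicious under assumption (a), and scores the result with DR and FP as defined above. The two features, the sample values and all function names are assumptions made for illustration.

```python
import math

# Constructed sample flows: (connections/min, distinct destination ports, true label).
# Labels are used only for scoring; the clustering never sees them.
FLOWS = [
    (12, 3, "normal"), (15, 2, "normal"), (9, 4, "normal"), (14, 3, "normal"),
    (11, 2, "normal"), (13, 5, "normal"), (10, 3, "normal"), (16, 4, "normal"),
    (190, 160, "normal"),   # authorized inventory scan: noisy but benign
    (220, 180, "attack"), (250, 210, "attack"),
    (14, 6, "attack"),      # low-and-slow attack that looks like normal traffic
]

def kmeans2(points, max_iter=50):
    """Two-cluster K-means with deterministic seeding; returns a cluster id per point."""
    # Seed with the first point and the point farthest from it.
    centroids = [points[0], max(points, key=lambda p: math.dist(p, points[0]))]
    assign = None
    for _ in range(max_iter):
        new = [min((0, 1), key=lambda c: math.dist(p, centroids[c])) for p in points]
        if new == assign:
            break  # assignments stopped changing: converged
        assign = new
        for c in (0, 1):
            members = [p for p, a in zip(points, assign) if a == c]
            if members:
                centroids[c] = tuple(sum(v) / len(members) for v in zip(*members))
    return assign

def flag_anomalies(flows):
    """Flag the smaller cluster as malicious (assumption (a): most traffic is normal)."""
    assign = kmeans2([(f[0], f[1]) for f in flows])
    minority = min((0, 1), key=assign.count)
    return [a == minority for a in assign]

def score(flows, flagged):
    """Return (DR, FP): detected intrusions / total intrusions, and false-alarm count."""
    attacks = sum(1 for f in flows if f[2] == "attack")
    detected = sum(1 for f, x in zip(flows, flagged) if x and f[2] == "attack")
    false_pos = sum(1 for f, x in zip(flows, flagged) if x and f[2] != "attack")
    return detected / attacks, false_pos

if __name__ == "__main__":
    dr, fp = score(FLOWS, flag_anomalies(FLOWS))
    print(f"DR = {dr:.2f}, FP = {fp}")
```

On this sample the noisy benign scan is flagged and the low-and-slow attack is missed, which is the DR/FP trade-off the optimization phase has to tune.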

 

Multiple industry leaders are striving to provide solutions for smart adaptive security architecture for enterprises. Infosys too has a strong presence in this space.

Conclusion:

Whatever the technology revolution, there is no silver bullet to future-proof security. Security fencing always has to be one level up against some of the most devious minds. Though innovative AI-based Predictive-Adaptive Models are gaining momentum, security hackers and predators too are advancing in maliciously attacking these models. We have to wait and watch which intelligence reigns... The Threat or The Protection :)

September 25, 2017

Microservices and Secrets management - How to comply with security must-dos

Microservices - The light of every modern developer's life:

Microservices are now becoming the most preferred method for creating distributed, component-based applications on cloud. This architectural style allows developers to develop, deploy, test and integrate modular components with much ease. When an application is built using the microservices model, smaller modular services are created instead of one autonomous monolithic unit. These modular services are then tied together with the help of HTTP or REST interfaces. But this distributed model results in a proliferation of interfaces, and the communication between them generates several secrets management challenges. Some application secrets that need to be secured in a microservices deployment model are:

  • Environment variables - If not secured, they can pose a security risk and affect the smooth running of processes.
  • Database credentials - Usernames and strong passwords to connect to a resource.
  • API keys - API keys must be used for restricted access to applications.
  • SSL/TLS certificates - SSL or TLS certificates are essential to avoid data or security breaches.

Secrets management in monolithic applications world:

In a monolithic application, secrets are stored in various places like:

  • Application code and configuration files
  • Passed as environment variables
  • Stored in data bags and database tables
  • Scripts and machine images

Gaps in secrets management in a monolithic model:

Some of the gaps can be summarized as below:

  • Secrets sprawl - On several occasions, companies are unaware of being compromised.
  • Decentralized secrets - Secrets become confined to a limited set of operators with no repository to store them; if a secret is compromised, it cannot be easily revoked or rotated.
  • Limited auditing - Limited or no insight into who is accessing a secret; limited logging makes it difficult to track who has access to confidential data.

Microservices require a robust secrets management system:

Microservices bring with them a host of security and secrets management challenges.

  • Each microservice module has its own database and credentials, thereby increasing the number of secrets to be managed.
  • Several developers, operators and applications have access to the database, making certificate management, credential storage, API keys, etc. extremely difficult to manage.
  • With automated deployment in microservices, there are additional credentials for creation of resources (mostly in cloud), access to code and artifact repositories, machine credentials to install components, etc.

There is a need for a centralized secrets management system so that enterprises adopting a microservices model can effectively manage secrets and handle security breaches by adhering to these must-dos:

  • Secure storage of various types of secrets (API tokens, keys, certificates, usernames and passwords)
  • Reliable API-based access to secrets
  • Dynamic secret distribution for automated encryption and authentication of keys
  • Full audit of access to secrets
  • Multi-level role-based access to secrets
  • Centralized revocation of secrets and redistribution

The diagram below illustrates how centralized secret management helps manage a large repository of secrets:

How to keep your microservices secrets safe without compromising on security and automation?

  • A secrets hierarchy design should account for secrets isolation per application and environment, and for fail-proof revocation of secrets when required.
  • To further strengthen the secrets structure, access policies and role-based mappings need to be built to support emergencies by making them version controlled and automated.

Let's take a look at some secrets management scenarios and examples:

  • Servers on which microservices need to be deployed with certificates - On cloud, as servers come and go, a centralized certificate management system helps generate certificates on the fly, thus allowing immediate deployment to servers. The certificate keyStore and trustStore need to be secured with passwords, which can be kept safe in and retrieved from a secrets management solution. A PKI secret backend and generic secrets storage come in handy to automate all of this with minimum risk to security.
  • Microservices and applications need access to their own database or data stores. It makes sense to isolate the database/data access credentials using generic secrets storage so that renewal, rotation and revocation can be handled easily as required.
  • When automated environment provisioning needs access to a software installable repository - For example, Apache server provisioning can be automated with an Apache software installable accessed from a software repository. The repository can be accessed using generic credentials or an API key. A centralized secrets management solution is the right place to store these credentials and achieve automation with no compromise on security.
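To make the must-dos and the hierarchy design above concrete, here is an added example (not from the original post, and not the API of any product named in it): a small in-memory model of a central secret store with an application/environment path hierarchy, role-based read policies, a full audit trail and central revocation. The class, role and path names are hypothetical and the secret values are constructed.

```python
import fnmatch
from datetime import datetime, timezone

class SecretStore:
    """In-memory model of a central secret store (illustrative, not a product API)."""

    def __init__(self):
        self._secrets = {}   # path -> list of versions; None marks a revoked version
        self._policies = {}  # role -> list of path globs the role may read
        self.audit = []      # every read attempt, allowed or refused

    def set_policy(self, role, patterns):
        self._policies[role] = list(patterns)

    def put(self, path, value):
        """Store a new version; rotation is another put on the same path."""
        self._secrets.setdefault(path, []).append(value)
        return len(self._secrets[path])

    def revoke(self, path):
        """Centrally revoke the current version so that no role can read it."""
        self._secrets[path][-1] = None

    def read(self, role, path):
        allowed = any(fnmatch.fnmatchcase(path, g) for g in self._policies.get(role, []))
        value = self._secrets.get(path, [None])[-1] if allowed else None
        outcome = "denied" if not allowed else ("ok" if value is not None else "unavailable")
        self.audit.append((datetime.now(timezone.utc).isoformat(), role, path, outcome))
        if outcome != "ok":
            raise PermissionError(f"{role} -> {path}: {outcome}")
        return value

def demo():
    store = SecretStore()
    # Hierarchy: <application>/<environment>/<secret name>; values are constructed.
    store.put("orders/prod/db-password", "constructed-v1")
    store.put("billing/prod/db-password", "constructed-other")
    store.set_policy("orders-prod-service", ["orders/prod/*"])
    seen = [store.read("orders-prod-service", "orders/prod/db-password")]
    store.put("orders/prod/db-password", "constructed-v2")   # rotation
    seen.append(store.read("orders-prod-service", "orders/prod/db-password"))
    store.revoke("orders/prod/db-password")                  # central revocation
    for path in ("orders/prod/db-password", "billing/prod/db-password"):
        try:
            store.read("orders-prod-service", path)
        except PermissionError:
            pass  # the refusal is still recorded in the audit trail
    return seen, [entry[3] for entry in store.audit]

if __name__ == "__main__":
    print(demo())
```

The audit list records refused reads as well as successful ones, so an attempt by one service to read another application's secret is visible even though it returned nothing.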

In conclusion: to simplify and automate secrets management, solutions are available from cloud providers, like AWS KMS and Azure Key Vault, and from specialized security solutions like HashiCorp Vault. The paradigm shift with respect to secrets management needs to be understood by enterprises adopting microservices, to ensure that their transformation journey provides the agility required in the most secure manner possible.



August 24, 2017

Managing vendor product licenses during large scale migration to cloud

Public Cloud Services are mature and enterprises are adopting cloud to achieve cost optimization, introduce agility and modernize the IT landscape. But public cloud adoption presents a significant challenge in handling the existing vendor licensing arrangements. The commercial impact varies based on the cloud delivery model, from IaaS to SaaS, and on the licensing flexibility. The business case for cloud transformation needs careful consideration of existing software licenses.

Based on our experience, software licensing and support by software vendors are at varying stages of maturity. At times, the software licensing model can become expensive while moving to cloud. Typically, on-premise licenses are contracted for a number of cores, processor points or users, whereas the definition of a core in the virtualized/cloud world is different.

While enterprises assess the licenses when undertaking the cloud journey, they should carry out a high-level assessment of the risks associated with licenses while formulating the business case.

Before formulating a business case, it is important to factor the following aspects into the enterprise's license transition strategy:

·   Conduct due diligence of major software vendors to identify any absolute 'show stoppers' for the use of their products, such as:

    o   Support level in new platform services, license portability and license unit derivation mechanism in cloud.

    o   Commercial impact of re-use on a multi-tenant cloud platform.

    o   Flexibility to reassign licenses as often as needed.

    o   Mechanism to check and report compliance on public cloud on an ongoing basis across product vendor licenses.

·   Inventory management of licenses and the commercials around these licenses.

·   'Future state' services and application stacks should balance license cost against performance requirements.

    o   Negotiate unfriendly product licensing bound to socket or physical hardware level.

    o   Evaluate existing licensing terms and conditions for increases in licensing costs.

    o   Evaluate / check for mitigation controls and options on public cloud.

    o   Plan ahead for the cost implications of reusing converged stack or appliance-based licenses on public cloud.

    o   Translate the on-premise licenses to public cloud (virtual core).

    o   The Cloud Service Provider includes operating system licenses - examine the option to remove them from existing vendor agreements.

    o   Leverage the continuous availability capability of public cloud platforms to eliminate disaster recovery licenses and the costs associated with them.

Approaches to overcome public cloud licensing challenges:

To overcome the associated licensing challenges, IT teams can optimize target state architecture, solution blueprints and frameworks with license/cost models in mind. A few approaches:

·   Re-architect existing solutions leveraging event-driven services, Function as a Service, PaaS, containers and microservices to achieve agility and significant license cost reduction.

·   Enterprises should consider dedicated hosts or instances / bare-metal options when socket-level visibility is required for complying with license usage on public cloud, but should also weigh the cost impact of these machine types.

·   Embark on Open Source for platforms like databases, application servers and web servers.

·   If a traditional platform deployment must be moved to cloud, consider creating a pool of platform services, like common database services, rather than services for individual application requirements. For example, a line of business can consume business applications through centralized platform services across business units in order to achieve the greatest cost and agility benefits.

·   Consider solutions with bundled licenses under usage-based pricing models like SaaS, PaaS, Market Place and Public Cloud Native Services.

In reusing "on-premise" licenses, all major software vendors are changing license policies to allow flexibility to port the licenses to cloud, but this is neither uniform nor all-inclusive yet. For instance, one vendor may allow certain product licenses on cloud but not all, another vendor may allow all on public cloud, while some vendors allow porting onto authorized cloud environments only.

In summary, migrating like for like will have an impact on licensing costs on public cloud. Understanding the current licensing agreements/models, optimizing application architectures for cloud, and negotiating a position with vendors that will be suitable for cloud, along with compliance processes in the target state model, should hold the organization in good stead. As cloud native services and open source innovation continue to grow rapidly, enterprises can mitigate traditional licensing constraints by leveraging these technology innovations.