
Hybrid Cloud, Application Development & Security

BSides Cayman Islands · 2022 · 46:48 · 83 views · Published 2022-06
Category: Technical
Style: Talk
About this talk
Timothy Dilbert, CEO of BMT Solutions, bridges the gap between security infrastructure and software development through hybrid cloud and automation. The talk introduces hybrid cloud concepts, microservices architecture, multi-cloud strategies, and identity and access management as means to improve both organizational security posture and business continuity while avoiding vendor lock-in.

I'm going to invite up our next speaker, Mr. Timothy Dilbert, the CEO of BMT Solutions. Now, Timothy has been in software development for more than 13 years, with seven years in his current position at BMT Solutions. During his tenure, Timothy has been fortunate enough to do software development in six different countries, working for clients in the public sector, retail, utilities, education and financial services. Development has certainly always been something Timothy has been passionate about, and these days he's focusing on bridging the gap between security infrastructure and development by using automation and hybrid cloud. Now, when Timothy is not sitting in front of a computer, he spends time with his family, especially each weekend cooking new recipes with his four-year-old

daughter, Avery. So I'm going to invite Timothy to the stage to talk about hybrid cloud, application development and security.

Okay.

I think this is too short for maintenance. All right, testing one two, testing one two. Okay.

Right back. Okay, great stuff. Hello everyone, my name is Timothy Dilbert. Welcome to Hybrid Cloud, Application Development and Security. Uh, the goal for today is to give you an introduction to what all these terms mean, and hopefully with you leaving having an understanding of how it's applicable to you and your organizations. So first of all, let me start off with saying this talk is not just for the geeks. Don't laugh, these are my people. I am a geek myself, obviously not very good with the clicker. If your company leaders are in the building but they're not in the presentation here, now is a good time to go grab them. The idea here, like Ms. Jane had mentioned,

is to bridge the gap between the techie guys, us geeks, as well as the decision makers in your company. So if you're a business leader that's making decisions about budgets, an IT manager that manages the team, creating a strategy for your company and a vision for the future, or a software developer doing the grunt work, uh, the idea here is to make the things that you want your business leaders to buy for you, make them understand the technologies, make them feel good about spending the money that they need to spend for those things, and make them understand the value that these things bring to their organization. So to start off with, my name is Timothy Dilbert.

I am the, or I carry the title of, CEO at BMT Solutions. That being said, I do get my hands dirty from day to day. I would consider myself, more so than anything else, a software developer, so I definitely understand the underlying technologies, the underside stacks that the developers in the room use on a day-to-day basis. I've worked in, I got to get used to this, I keep switching here and not up here. I've worked in Canada, Cayman Islands, name a few, uh, and industries like legal, utilities, education, gaming, and then through BMT and other third parties I've worked for companies in countries like Canada, Cayman, Bermuda, South Africa, Nigeria and a few other ones. I went to school in Canada, Vancouver,

Canada. I studied graphic design, but after a few conversations with some of the professors there, they mentioned to me that software developers make more money, so that made that switch easy. At the time my favorite platform was Adobe Flash and, uh, my favorite language was ActionScript. Not sure if you guys remember the 2000s, but just about all the great websites were built in Adobe Flash at the time. In my opinion an absolutely brilliant, brilliant platform. I wish it had, uh, stood the test of time, but alas it hasn't. While I was in Canada, one of the things I, one of the projects I worked on was Big Bucks Footy. So Big Bucks Footy was a fantasy

football game. Uh, this was before fantasy football became as kind of prevalent as is now. I bet you a lot of you are probably in some sort of fantasy football league, or you have someone very close to you that is part of one. Back then it wasn't so prevalent; it was one of these things that just a few people, a few groups of people did. My involvement on that platform was I built the UI for it, so that would allow you to kind of, Big Bucks Footy would allow you to watch the fantasy football games in real time. You can kind of see the ball being passed around between all the people, uh, you can watch the fatigue of your

players and sub people in and out, and my job was to build a user interface that people used to do that sort of stuff. While I was in Canada I also started a company called Go Rent Canada. That was me and a friend of mine, Scott, and that was a multi-listings apartment, multilingual apartment listings platform. So in Canada, or in Vancouver, if you're not familiar with it, Vancouver is a very, very multicultural city. Absolutely fantastic place; if you haven't visited, I would put it on the list. It's a gateway to Asia. It has, because a lot of movies are shot in Vancouver, there's a lot of innovation and technology brought up from the United States there.

It has a massive Persian community, and those in my opinion are some of the most innovative and hardworking people I've ever come across, and with them they bring a lot of innovation and a lot of culture from where they're from. And, uh, the end result of that is kind of like what you have here in Cayman: it's a very, very multicultural area. The idea behind the platform that me and Scott had was, uh, we got sick of Craigslist. You go on there, you're looking for a place to rent, landlords speak various languages, it's hard to find the apartment that you're looking for. So we built Go Rent Canada. What it allowed people to do is, it didn't matter

what language you spoke, you could go on to our platform, post a listing about a vacancy that you had in whatever language that you had it in, and we would automatically show that in over 14 different languages. So English, Farsi, Simplified Chinese, Traditional Chinese, Korean, French, German, Russian, and I'm sure there's a lot of other ones that I'm missing out on. So there you go. This is my office. Not literally, I wish it was, I'm sure all of us do. But I am from the Cayman Islands; this is the place that I call home. Uh, Cayman is a fantastic place where innovation thrives. It's a, this country is constantly reinventing ourselves, we're always outdoing ourselves,

and it's a place where nothing seems impossible. I consider myself very lucky. Even though I'm born here, even though I was raised here, I still consider myself, as I'm sure everybody else in the room that's resident here believes, which is that, uh, we're very, very fortunate to be in a country where all those things that I was saying before is genuinely the case, where anything is possible. These are some of the different technologies I've worked with over the years. I've seen some familiar faces in the room; you'll probably know me from SharePoint. I've been doing that for the better part of 15 years or so. I work with these, when I work with these technologies it's generally connecting

disparate systems together, right, or some sort of integration work. Maybe I'm connecting systems together, maybe I'm doing document management, some analytics, pulling data from one platform to another and crunching numbers on it, automation, those sort of things. These days I'm primarily focused on products from the companies like what you see on here. If you're not seeing Microsoft, don't take that the wrong way. I've definitely, it's still a lot available, a lot of work in SharePoint. It's just that these are kind of the companies that I've been focused on lately: IBM, Red Hat OpenShift, Red Hat Ansible, and then IBM products like MaaS360, Verify, Guardium, Privilege Vault, things like that. I'm also familiar with tools in Cayman

like iManage, Adorant, and AWS, Azure, etc. Interestingly, I heard Wolfgang talk about this yesterday, and he was talking about chaos engineering. For those of you that looked at that and you found that interesting, you should be taking a look at Ansible. Ansible in my opinion is a great platform to do chaos engineering. It allows you to create playbooks that you can kind of lightly break your environment, if you will. So rather than kind of going into your data center and unplugging a server and seeing if everything goes down, uh, maybe you just want to disable a NIC on your VM host, see if, just if your various virtual machines have failed over to the next server, and if they

haven't, you can quickly re-enable it. Your downtime is only a few minutes, and you've got an opportunity to kind of speak to whoever is in charge of the resiliency of your systems. So, but we're here to talk about development, and so let's get on to the topic again, and let's start with a very basic question: what is an application? For a lot of you, you're probably thinking, I know, I already know what that is. It's the app on my phone that I shout at, it's the thing I complained to the help desk about, or it's the wizard that times out right after you stepped away from your computer for a few minutes. What

an application boils down to, however, is a key phrase that I've come up with and I've been telling myself over the years, and it's really helped kind of govern my thoughts whenever I'm thinking about how to architect something, and that is that an application is multiple layers of critical services packaged together and sold as a single unit. So from a technology perspective, you know, the top layer, the red part, that's going to be your UI. Then you're moving down the stack, you've got your customizations, authentication and authorization, APIs and data stores. From a business user's perspective, the top layer is your specialty, that's what your product does. Maybe you are a compliance engine, right,

maybe you are a grade book for a school, this could be file opening for a law firm, whatever it is that your application does. The second layer down, if you've purchased this application from a third party, that's the place where you go to make customizations to that step out of box application to make it better fit your company's needs. If you're building a platform, this is the framework that you've created to allow someone else to do the same. Let's skip over security for a second and move to the bottom two. One, reading and writing of information, that's your business logic. You're not developing a spreadsheet. You want your application to be smart; it needs to have

validation, business logic checks, do something to add value to whatever people are purchasing. And at the bottom layer is where your data ultimately resides. Maybe your data goes into some sort of back-end system, maybe it interfaces with some third-party platform. If you're trading, maybe at the end of all of this it issues a trade on some sort of stock exchange, or maybe it just pushes it in the back-end system for you to crunch data, opens files in your file opening, your document management, whatever it is that this application does. Now I want to go back to that middle one that I skipped out though: security. It's important for the business leaders

in the room to take a close look at security, because in my opinion, this is what I think CIMA was also after when they were talking about their cyber security framework. Whether you, these are applications that you use to create offerings that you put out there in the market and you sell to other people. It doesn't matter whether you've built this application or you're buying someone else's application, the security element is part of your responsibility, because it is included in the service that you're offering to someone else. So business leaders that are in the room need to keep that, need to keep conscious of that, so that when you're being approached, when you're making decisions

on things, that you're keeping that in the forefront of your mind, and I think that was part of what the whole idea was when mentioning cyber security. So now that is your application stack. Let's talk about technology a little. There's two terms I want to cover that, um, I think it's important to kind of go over before we go too far into this. So those two terms are monolithic and microservices. These two terms are used everywhere. Business leaders are seeing it in their proposals, your IT managers are seeing it in the conferences that they go to and webinars they attend, your developers are seeing it in their training session, but almost nobody knows what it means.

It's not that it's complicated to understand, it's just sometimes it can be a little tricky to explain. So let's go over this, and I'm going to try my best to cover this in a way that makes sense. We'll start off with the monolithic architecture, and for business people that are in the room, I promise this is the techie part and it will be over very soon, but it is important for you to understand this. Monolithic means that everything's self-contained, and this illustration is a great example of what that means, a great representation of that. Everything's together, packaged together, almost always put on a single server. Most of the software you purchased in the last 10 years will be a

monolithic structure, and the best indicator of this is that when you find a vendor that offers a service that you want, the first thing your vendor says is, I need a server, I want my own server so that I can put my application on this and nobody else's stuff can be on there. And at least in my experience, this is one of the number one reasons for server sprawl. You have a hundred applications in your environment, you have a hundred servers. There's a movement happening, however, to move away from this sort of structure and move into what's called microservices. So take a look at this. The cube, this is the same cube that was there

before. It's the same application, it does all of the same things as it was before. You have this, to your end users they have the same UI, they have the same experience, the same business logic that we were talking about before is there, and data is still being written to the same data sources. But what you've done, however, is that you've taken that larger application, that single-server application, and you've broken it down into smaller components. So what was once a single application, host in a single DLL, hosted on a single server, now becomes a collection of small applications, of small services, of microservices. And the reason people are doing this is that these microservices are

generally hosted in something called a container. I'm not going to get into the details of what a container is here now, but at a high level what it means is that they're getting the same isolation that your vendor wanted to begin with, that your vendor was demanding from you when they said they want their own server. Your application is still operating within a small environment, it's isolated from everything else, and you get all those benefits without the overhead of another operating system, another, which also requires endpoint detection and response agents, event management, privileged access management. Your license fees are going up and up and up, which is where business users start caring about this:

backups, monitoring, licensing and much more. So now, what was once a cube to look great, this is what your applications start to look like now. If you're not a technical person and you're looking at this, probably your first response is, no thank you, I'll take the cube, it's better to understand. And if you're a developer in the room that understands microservices architecture, you're probably thinking, why couldn't I have come up with a better diagram than this? Bear with me, I'm going to answer some of those questions now. Now, first question that is on everybody's mind though is, why would you want microservices architecture? We talked about server sprawl that you get from monolithic, but in order to understand why people

would want a microservices platform, let's take a look at the greatest system architect of all time: Mother Nature. Because people have a hard time conceptualizing what microservice actually means, let's see if we can give an example of something that you can refer to every day. Tonight, look in the mirror. You are the oldest and most mature microsystem architecture ever built. The human body is a great way to understand how you could take a complex thing and break it down into a bunch of subsystems. You have a nervous system, a respiratory system, digestive, muscular. We all share this same collection of subservices, and even though we all share that,

it's obvious that this architecture is very versatile and scales. That means that this doesn't just apply to the people that you read about, Netflix, Google, et cetera, it also applies to the applications at the scale and size that you're developing. And just like when the systems break, or you need something done within one of those systems, you go see a specialist, you're seeing a doctor that specializes in your area, whatever it is, whatever subsystem is broken, the same applies to developers. By breaking your big application down into microservices, you're breaking your application up into small bits of work that you can outsource to specialists. Rather than try to find a generalist developer that knows absolutely

everything about the product you're trying to build, you can get a collection of small developers to build the specific components you're trying to extend your application with. So let's go back now to the original diagram here. Just like the human body is built up, is a system of microservices architecture, in this diagram each circle represents a microservice, each piece of functionality of your product. I'm supposed to bring my little pointer here, but I didn't, so you're gonna have to bear with me as I try to explain out a few things just pointing at the screen. Take a look closer at the diagram. It might have looked chaotic before, but you can still see that your idea is

clearly defined. The light bulb is very visible to you, and remember that you're the most important person when it comes to whatever it is that you're trying to build. And you're looking at this and you say, well, that's great, thank you very much for the lesson in microservices technology, thank you very much for all that, this is a security conference, what does this have to do with security? And this is where business leaders can really take away some really good information. Each, let's focus now on the outer circles. Each portion of this outer circle, of each one of these outer circles, outer circles, sorry, is a piece of functionality, a new piece of functionality that you want to add to

your product. Each of these can be developed by individual developers, different companies. All of them can contribute to your overall idea, which you can snap that functionality into your application, but you can also keep them locked out of the underlying code, the underlying nuts and bolts that make your unique product. Because of concurrency, things are being developed faster, and you can work with vendors that specialize in whatever small service that you're trying to create. And when these companies that you've outsourced to leave and they work with your competitors, they're not taking your idea with them, because they didn't have visibility into all the different pieces of functionality inside of your application. They built you a specific thing, they

built you a shareholder registered management system, they built you an AI engine that gives you predictive analytics. They didn't get into the underlying code, the core piece of your functionality. They didn't take your idea and they're not going to bring it to someone else. Now, while this is the case, you're still going to be developing on some sort of common framework, some sort of common set of tools. So let's zoom out a bit from your application and take a look at this more holistically. Most, when you did the application that you develop, and the underlying microservices that make up your application, those are running on a common set of tools like object storage, e-signing,

maybe some sort of in-memory database, identity and access management. Rather than build all of these things yourself from scratch, you can utilize these services that are built by others, and this is where hybrid cloud starts to shine. You can go on to places like Amazon, like Azure, like IBM Cloud, and find these services for rent, if you will. The problem is that these are traditionally cloud-based. We all know about the environmental reasons why in Cayman it can be difficult, cloud can sometimes be difficult. With hybrid cloud you can pull these services, these traditionally cloud services, on premise and run them on your infrastructure, sitting in your data center or in your office.

So now you've got these robust systems that previously were running in the cloud, that were something that you couldn't touch. You can do, you can pull down these services through platforms like OpenShift and run them on hardware you can look at, in a jurisdiction that you feel comfortable with. Zoom out a little further: you need, you should have a multi-cloud strategy. We're getting out of the technical now, we're getting into the business side of this. Remember, security is not just about protecting a teenage kid trying to hack into your laptop, or some geopolitical enemy. It's also about protecting the continuity of your business. As you heard, clouds go down, cloud prices can change, things can happen that affect the

availability of your services. You should never, and you should not be betting on a single cloud provider for those reasons. Betting on a single cloud provider is kind of like getting two internet connections into your building but having them both come from the same internet service provider. It's just not a good idea. Remember, ever, these clouds exist and every cloud has a niche. There will always be a market for your IGA and President's Choice type cloud providers like AWS and Azure. They do a little bit of everything, uh, they have a broad product base, it's more about variety than anything else. But as we talked about, your application is cut up and broken up into

small services. You want to be able to take some of your microservices and run them on clouds that have a specialty and a niche that you need. So if you want to do image processing, AI inferencing, predictive analytics, maybe IBM Cloud is a better fit for you, and you run that one component of your application up there. Storage, AWS. Interoperability, Azure; you've got Windows, it makes a lot of sense. The idea there is that you're not beholden to anyone, and you need to make sure that the tools that you have to automate these things can work on every cloud provider.

So going back to the original analogy of the human body being a microservices architecture, if the human body, if all these different subsystems are all your different microservices, identity and access management is the heart of your platform. So what is identity and access management? Let's take a look at Office 365. You go to one place, you sign in once, right, and then you have access to all of these different systems and services. That's one part of what identity and access management gives you. You should be using things like OpenID Connect and SAML to help protect not only the applications that other people build for you, but also the applications that you

build yourself. Stop using Active Directory to manage your authorization and to your application. Active Directory is great for Windows, not so great for iOS and Mac. It's not compatible with a SaaS architecture, and then sooner or later Active Directory becomes this boneyard of groups, AD groups that nobody knows whether they're still in use, what their original function were, and everybody's too afraid to delete them because they don't know what it's going to break. I could, I could see the IT guys over there. The other thing that you're going to get out of identity and access management is access management and review. So let's take a look at the ring

here. At the top, somebody needs access to a system in your computer or your network. They call the help desk, which is the green. Help desk contacts the application owner. So let's say somebody wants access to the finance system, they speak to the finance person, finance person says yes, they can have access, then help desk gives the access and that's the end of that. Then sometime in the future, a few months later, somebody questions, you know, why, here's all these people that have access to all these different systems. There's an inquiry that goes into why the person was given access to it, and then the application owner is

eventually contacted and there's some sort of determination that the access is no longer required. The problems with this setup here is that help desk is an unnecessary middleman, because all they're doing is seeking authorization from someone else. And what's also not covered in this is that using your current flow, which is probably Active Directory, the review part is not mandated. It's a voluntary process that you hope people go through. Let's take a look at what happens when you use an identity and access management platform. Instead of people contacting the help desk, they're going to their launch pad and they've got a list of applications, they're available, that they get by default, and of course if you don't see something

that you need access, but you need access to, let's say, uh, DocuSign in this example, the requester fills out an access request along with the justification and hits submit, and it goes to the application owner directly. That's the business user that is in charge. So take DocuSign out of that and let's put in something else. Let's say it's your register management system, let's say it's your finance system, let's say it's Ansible Tower, whatever it is. That application owner approves it. Help desk is no longer involved, your paper trail is still intact, and you get to the end a lot quicker. What also comes with this is that you've got the review part built in.

Access management platforms are smart enough to identify outliers, where it can find where a person in your company has a level of elevated access much higher than all their peers, and help highlight that to people in charge so that they can take a look at that. And these highlights don't just go to IT, they can go to the audit department inside of your organization, so you have a separation, so that everything's not beholden on IT to do these things. And also the audit department can kick off what are called recertification campaigns, where they're sending out emails to all the application owners and asking the application owners to confirm that that person still needs access to whatever platform they allowed.

And then during that review the application owner can revoke the permission. All of this being done without going on to your IT team, all of this being done independent, and best of all, this access review could also be to review access of people in your IT department, because lingered access, elevated access also happens with those people as well. Let's take a look at what this now does. What was once a ring that involved, I think it was about eight or nine steps, now becomes a four-step process. Number one, the access is submitted by the requester. The application owner, number two, approves it. Number three, somebody in audit or IT kicks off a recertification campaign, and

number four, that access is no longer required, it's revoked. This is all being done by non-technical people, all being done on a centralized platform with these sort of things built into it, and what's also good is that you can also run these sort of things on your own IT department as well. So why should you care? What does this matter? What does this have to do with security? Because this sounds more like operations than anything else. Most of the hacks that people talk about, that you see in the news, somebody's password was cracked. One of your staff, his password has been cracked, and hackers, they're going to take the path of least resistance as much as

possible. So if you have, and when that happens, your best layer of defense are things like the conditional access policies that you get through identity and access management platforms, and good governance of access of your systems. If people are not, if they're given elevated access for only exactly as long as they need it, then your exposure to other people, bad actors getting that information, is only exposed for exactly as long as that person needed to do their job. If everybody's access sticks with their default stuff, then you can help manage your risk to a data exposure a lot better through good governance. Another thing to remember is, don't forget about your customer portals.

Access review, okay, I'll give it to you, not applicable. Uh, access request, okay, I'll give you that too, that's also not applicable. But what is, is the actual technology that people use whenever they're signing into your portals. In almost all cases in Cayman, portals are built by somebody else. It's some service, some subscription that you signed up to. You found a vendor, that vendor has everything baked in, they've got authentication already covered. Think about, and now you've deployed your portal, it's off, it's doing great, you've got lots of people on it, but stop and think about what you've done. All of your users are now in someone else's database, using somebody else's

proprietary authentication. How are you going to move those users to someone, just to another platform? They don't belong to you anymore, basically. You think you're going to find a vendor that's going to make it easy for you to transition users off of their system? Now instead, what you should be taking a look at is what's called consumer identity and access management platform. What this allows you now is the ability to get people signed into your platform, and it creates a separation between the authentication part and the service that they're using. So at an end result, your end result is that your users will go to your portal, they'll get redirected to a sign-in page,

they sign in, they get taken back to your home page of your portal, and they're utilizing your service. They've got access to everything that you've wanted them to have access to. If you lend, remembering our microservices structure, right, an application is not any one thing, it's not any one server, it's not any one service. If you have a portal that does 99 of what you want, but you want to add that extra one percent of functionality through some other, maybe custom development, maybe some other vendor's portal to supplement the services that you need of the primary one, they can also use your consumer and identity access management platform. So just like in Office 365, you go to

portal.office.com, you sign in. Next step, you need to get into SharePoint, you click SharePoint. That is a totally different service, platform, vendor, data center, in a different geographic place in the world, but I bet you anybody that was in this room that isn't a software developer, you probably wouldn't have known. A couple redirects happen, you're taken in. That's what's going to happen with your customers, and what it means for you as a business owner is that if you have a portal that you're very proud of, that you've done really well on, that you've got good customer buy-in, and you want to later move to another platform that's a little bit better, that offers a little

better services or maybe the platform you're on right now have kind of ended up in the news and you want to distance yourself from that you can now move to another platform because the vendors that you select use the technologies i mentioned before open id connect saml write these things down make sure that you include it that is something for business leaders as well open id connect saml you should be asking your vendors whenever they're talking to them do you support this because this is a way that you can avoid yourself getting locked in with a different developer with a vendor because i tell you something if your plan is dear customer i've moved to a

different platform i need you to re-register this is what you're going to get

now let's let's take a break from that and let's go on to automation automation's going to be a key part of allowing you to better your security posture in general you should try to do as much automation as possible automate your internal tasks external provisioning de-provisioning and change management and you need to make sure that you don't pick a technology stack that is dependent on any single cloud provider you're not in a good position if you're on azure and you're relying on all the different automation features that exist at azure and azure alone what happens if you need to leave azure what happens if you are purchased by someone else and they're on aws where is all that

automation gone where has that gotten you none of these companies are beholden to you so don't be beholden to them they're great companies but use the technology stacks that make sense for you spread your application out and build up an automation using frameworks that are not beholden to anyone these are things like ansible terraform openshift don't use technology stacks that only work with a single provider and as far as the other thing to consider here and this might seem like a pretty radical idea change management so think about a ransomware attack everything's gone you're done you need to rebuild your environment everyone here thinks they already have the answer to that just go back just go

to your backups most hacks ransomware hacks people don't don't uh set off the bomb as soon as they get through your doors instead what they're doing is they leave a breadcrumb a breadcrumb of vulnerabilities all around your network and then tackle you and go after you at a time that makes most sense for them and that means that those vulnerabilities might be in your backups because some hackers can be pretty patient i've heard stories about hackers encrypting backups so you meanwhile you thought wow okay i'm still protected i'm backing up my systems often but when you go to restore your systems you're then realizing your backups are encrypted and you can't utilize them because i i will

cayman's no different than anywhere else in the world you're probably not looking at or using or checking your backups until you need to and then even if that's not the case for you there's always the chance that sleeping inside of that that backup is that same vulnerability that puts you in the bad spot to begin with so all you're all you're doing is setting yourself up for a replay

last but not least is that you need a secret vault privileged access management is something is a buzzword that's going around cayman most people have an idea of it uh it's you know you're rotating the passwords okay and you're rotating the passwords on these are supposed to be icons i noticed using a custom font that's not a good idea maybe i'll go images next time you've you're probably rotating the password on your local server you're rotating the passwords on your linux environments maybe you're doing your certificates as well your client ids and and client secrets etc your access tokens refresh tokens but are you re are you rotating the passwords on your data stores because that's what hackers want access

once they get pat once a hacker gets past your first line of defense they're going for your data because that's where your money is that's where your value is so you should be using things to rotate the passwords on your database servers on your ftp servers on your file shares etc so that when your application is accessing data from your database it's using the latest password available that was given to that server rather than using a common password that not only you know but every developer that used to work for your company knows as well

so what do i do my wife warned me that i should change that photo i when i asked her why she said it's because he looks better than me i told her that it doesn't help me because it doesn't matter what photo i put up there it's probably always going to be the case i help i help companies create development strategies includes multi-cloud i'm generally talking to people about avoiding vendor lock-in which is what you need to do this is what you should write down and automating anything and everything the use of the sort of strategy it doesn't if you take the what do i do part out of this slide and you just look at the bullet points

these are the things that you need that i've tried and you should try to take away from this talk is to help you better position your company it doesn't matter who does it for you these are the things that you should do that will help increase your security posture right multi-cloud avoid vendor lock-in automate as much as you can because that's going to help you come back and then break and then uh you know developing try to your best to break down the barriers between your decision makers infrastructure and developers thank you very much for your time um does anybody have any questions okay well you're not all sleeping so that's a good thing sure

you did say that we need to diversify the our cloud strategy but how do you balance that with um getting skill sets with persons who are exposed to all these different technologies

well it's a balancing act there right first of all diversifying your cloud strategy can mean using services that are common to all clouds like object storage yeah blob storage it doesn't matter what cloud it is it all works the same yeah but when it comes to the examples i gave where you're saying well you need ai which is a specialty of one cloud provider over another yeah your introduction to that is probably going to involve a specialist yeah so your specialist can help you through

that but at the same time remember that i view and i think would be good for you to view i view the cloud as a stock market it's the place that i go and i shop for the best price based on what i need so if i have an application a large application and it needs artificial intelligence sql backend i need some blob storage and a number of other different technologies i'm going to surf the cloud for whatever price that makes sense and if that means spreading it across four different clouds it doesn't matter to me because there is a commonality between these services on the different clouds they all sell different stuff but you need to go to the one that

specializes and the best price for whatever small service you need yeah anybody else all right well thank you very much and take care [Applause]
