Container Security using Artificial Intelligence & Machine Learning (AI/ML)

January 14, 2020


The mayfly is an insect found in the Midwestern USA and Canada. The existence of this mayfly is ephemeral: its adult life is no more than 24 hours! What does this have to do with containers? Just like the mayfly, a container is lightweight and has a lifespan that ranges between a few minutes and a few hours. For instance, Netflix, the online media-services provider, runs over 1000 microservices in containers, and most of these containers have a lifespan of 24 hours.


Why should you care about container security? Tesla, the auto-maker, was in the news recently when hackers took over an unsecured Kubernetes console to run scripts to mine digital coins at Tesla’s expense. This put Tesla telemetry, mapping, and vehicle-servicing data at risk, not to mention attracting unwanted bad publicity.

The short lives of containers mean that it is not feasible for a DevOps or SecOps team to create a manual profile for a container. So how should they secure containers? AI/ML-based algorithms may provide a solution. AI/ML algorithms have to be trained using large amounts of data on how the container’s behavior changes when the application environment changes. Vendors like Sysdig will tell you that the way to train the algorithm is by using their hosted SaaS offering, Sysdig Secure. Sysdig Secure provides DevOps with a snapshot of the container’s behavior, and the DevOps or SecOps team can then create a run-time security policy for this container. To enable this, Sysdig provides a rule builder dubbed “Falco Rule Builder”.

Is Sysdig unique in using ML? No, other competitors like TwistLock also use ML to combine knowledge of the image and how it is deployed to understand what they term an “application’s DNA”. This allows them to automatically build rules to compare this DNA against what a container is actually doing.

In conclusion, container security is getting so data-intensive that using AI/ML is the only logical choice. Stay tuned for more container-specific blogs.



Categories: Big Data and Hadoop

Monitoring a Kubernetes environment using Prometheus or Sysdig

January 11, 2020


If you have a Kubernetes cluster with pods coming online and going offline at frequent intervals, it may be worth looking at Prometheus. Prometheus, the Titan in Greek mythology, stole fire from the gods and gave it to mankind. In the same manner, Prometheus the open-source monitoring and alerting instrumentation sheds light on your cloud-native applications running as microservices in containers, on-premise or in the public cloud. Prometheus collects metrics over HTTP; it doesn’t focus on logging or events. It comes in the form of a single binary which is installed on your server.

Prometheus uses a pull-based mechanism, has its own simple query language (not SQL), uses a text-based metrics format and has a time-series database. So what’s the catch then? As a user of Prometheus you have to instrument your cloud-native application with Prometheus client libraries, which are available for a variety of programming languages including Java, Go, Python, .NET, PHP and Ruby. If your aim is to visualize these metrics you need another open-source tool like Grafana. The other caveat is that Prometheus may not scale well for very large environments, and it does not have long-term storage or anomaly detection.
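As an added illustration (not code from the original post or from the Prometheus project), here is a stdlib-only Python parser for the text-based exposition format that a scrape of an instrumented application’s /metrics endpoint returns; the scrape body, metric names and labels are constructed for the example. It goes a little beyond the post by also attaching the declared TYPE to histogram sub-samples and by handling escaped label values.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of what a scrape of an instrumented app's /metrics
# endpoint returns (not from the original post): HELP/TYPE comments, labelled
# samples, a histogram family, a blank line and an untyped sample.
SAMPLE_SCRAPE = """# HELP http_requests_total Total HTTP requests handled.
# TYPE http_requests_total counter
http_requests_total{method="GET",code="200"} 1027
http_requests_total{method="POST",code="500"} 3
# HELP container_memory_bytes Resident memory of the container.
# TYPE container_memory_bytes gauge
container_memory_bytes{pod="checkout-7d9f",namespace="shop"} 134217728
# TYPE request_latency_seconds histogram
request_latency_seconds_bucket{le="0.5"} 940
request_latency_seconds_count 1030

process_start_time_seconds 1.57885e+09
"""

NAME_RE = re.compile(r"[a-zA-Z_:][a-zA-Z0-9_:]*")
LABEL_RE = re.compile(r'\s*([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')
# Histogram/summary samples carry these suffixes after the family name.
FAMILY_SUFFIXES = ("_bucket", "_sum", "_count")


@dataclass
class Sample:
    name: str
    labels: Dict[str, str]
    value: float
    metric_type: str  # from the preceding "# TYPE" line, else "untyped"


def _unescape(raw: str) -> str:
    """Undo the three escapes the text format allows inside label values."""
    return re.sub(r'\\(["\\n])',
                  lambda m: {'"': '"', "\\": "\\", "n": "\n"}[m.group(1)], raw)


def parse_sample_line(line: str) -> Sample:
    """Parse one 'name{labels} value [timestamp]' line; type is filled in later."""
    m = NAME_RE.match(line)
    if not m:
        raise ValueError(f"bad metric name: {line!r}")
    name, pos, labels = m.group(0), m.end(), {}
    if line[pos:pos + 1] == "{":
        pos += 1
        while True:
            lm = LABEL_RE.match(line, pos)
            if not lm:
                break
            labels[lm.group(1)] = _unescape(lm.group(2))
            pos = lm.end()
            if line[pos:pos + 1] == ",":
                pos += 1
        if line[pos:pos + 1] != "}":
            raise ValueError(f"unterminated label set: {line!r}")
        pos += 1
    fields = line[pos:].split()
    if not fields:
        raise ValueError(f"missing value: {line!r}")
    # float() accepts the format's special values: NaN, +Inf, -Inf, exponents.
    return Sample(name, labels, float(fields[0]), "untyped")


def parse_exposition(text: str) -> List[Sample]:
    """Parse one scrape body into samples, attaching each family's declared type."""
    types: Dict[str, str] = {}
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split(None, 3)
            if len(parts) >= 4 and parts[1] == "TYPE":
                types[parts[2]] = parts[3]
            continue  # HELP text and plain comments carry no samples
        s = parse_sample_line(line)
        s.metric_type = types.get(s.name) or next(
            (types[s.name[:-len(sfx)]] for sfx in FAMILY_SUFFIXES
             if s.name.endswith(sfx) and s.name[:-len(sfx)] in types), "untyped")
        samples.append(s)
    return samples


def find(samples: List[Sample], name: str, **labels: str) -> List[Sample]:
    """Select samples by name and a subset of their labels (what a PromQL selector does)."""
    return [s for s in samples
            if s.name == name and all(s.labels.get(k) == v for k, v in labels.items())]


if __name__ == "__main__":
    for s in parse_exposition(SAMPLE_SCRAPE):
        print(f"{s.metric_type:9} {s.name}{s.labels} = {s.value}")
```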

If rolling your own using open-source tools is not your thing, off-the-shelf alternatives like Sysdig are worth exploring. The name Sysdig brought to my mind an excavator digging alongside humans in containerized homes, especially since Sysdig claims to work at the Linux kernel level and below the containers…

Digging for info

Sysdig aims to be a single platform for monitoring, run-time detection, security and forensics. You install a Sysdig agent in a container on each host that is to be monitored. The Sysdig back-end can run in the cloud or on-premise. Sysdig uses eBPF (Extended Berkeley Packet Filter) in a passive manner. Since eBPF runs under the containers in ring 0 (kernel mode), Sysdig can capture every read/write and inter-process communication, with the goal of identifying user activity within the host.

Traditionally, to monitor Tomcat, Redis or Elasticsearch you needed sidecar containers: small containers containing a logging agent and running in the same Kubernetes worker pod as your application. The sidecar container shares a volume with the application container. The application container writes logs to the shared volume, from where the logging agent in the sidecar container reads them. Since Sysdig operates at the OS kernel level, you benefit from not having to run logging agents in sidecars.

Sysdig gives you KPIs, which they refer to as “golden signals”, for the Kubernetes cluster. These KPIs are in the areas of availability, performance, forensics and compliance. The forensics KPIs become useful, for instance, if you want to go back in time before a violation occurred and observe who shredded a bash history. From a compliance perspective, Sysdig helps you detect compliance violations. The policy engine uses Calico to write detailed policy rules at the file, process or container level. There is a relatively good ecosystem around Sysdig, as you can send alerts from Sysdig via email or to Slack, PagerDuty, ServiceNow, Splunk, syslog, Google Security Command Center or AWS Security Hub.

While I’d planned to talk about the VMware response to Kubernetes, monitoring seemed more interesting to me today, hence this article. Monitoring in a Kubernetes environment is an emerging area, and you can expect to see more commercial alternatives to Sysdig in the months to come.

Cloud-native apps, containers and Kubernetes

January 10, 2020


In my previous article we discussed the move away from monolithic applications to cloud-native applications using microservices. These new applications are polyglot, written using a variety of languages and frameworks. With this new model you can change any microservice without having to rebuild your entire (previously monolithic) application. However, if you are an enterprise with over 500 servers and are moving to containers, you would turn to tools like Docker to “containerize” an application, ship it and run it. Docker is installed on the host OS, which could be Ubuntu Linux or some other flavor of Linux.

Customers like Business Insider who use containers and Docker can now create a local development environment that can be shipped to development, QA and production while being assured that the same stack is running everywhere. Lyft, the ride-share vendor, moved away from a monolithic application to a microservices architecture using Docker and now finds that when running tests they no longer need to clear a database: they just tear down the container and restart it, and it is in the same place as before, in less than 5 minutes, something which wasn’t possible using virtual machines. Yelp, the online review company, uses Docker to run Cassandra, an open-source NoSQL database management system, in containers.

An over-simplified analogy would be that Docker helps you create and roll out toys. However, what if you want the toy to do more, what if you want to deploy the toys beyond just one location, what if you wanted the equivalent of a puppet show? This is where a puppet master would come in. Kubernetes is that puppet master!

puppet master

Docker is all about running microservices in containers on a single machine. Docker doesn’t help when you want to run containers in a cluster of nodes, across data centers with fail-over, networking and storage. This is where an open-source Docker container orchestration tool like Kubernetes is needed.

With Kubernetes you can use open-source tools like Graylog and Apache Kafka to collect and digest logs from containers.  For monitoring containers, you could have your applications post metrics to a time-series data store like InfluxDB and use an open-source dashboard tool like Grafana to visualize these metrics.

From a storage perspective, if you are a VMware shop you could use VMware vSAN. If you are a DellEMC or NetApp storage shop you could use the Container Storage Interface (CSI) driver, running in a Kubernetes pod within a Kubernetes worker node, to enable storage provisioning of your legacy EMC or NetApp shared storage.

Does the move to cloud-native applications, containers, Docker, Kubernetes mean that you no longer need hypervisors and related licensing from VMware?  Not if VMware has anything to say about it.  That is a topic for my next article.  Stay tuned.

Cloud-native applications, Microservices and Containers

January 6, 2020


In days bygone, when terms like “cloud-native” were not part of the IT lexicon, a traditional eCommerce application might have had a client application (a traditional web app using HTML) talking to a server process, where the web application could consist of modules like Identity, Catalog, Ordering, Basket, Marketing and Location. All these server processes would use a single relational database. Over time, companies realized that monolithic applications made maintenance cumbersome and the introduction of new functionality challenging.

In addition, traditional client web applications were joined by mobile apps and Single Page Application (SPA) web apps. In this new model, the web application communicated via an API gateway to individual microservices for tasks like Identity, Catalog, Ordering, Basket, Marketing and Location. Rather than relying on a single relational database, this cloud-native application now had each microservice using its own data store, which could be anything ranging from a relational to a NoSQL database. These microservices in turn communicated with an event bus which acted as a publish/subscribe channel.

These microservices were written using a variety of languages and frameworks and ended up being packaged in lightweight containers rather than in virtual machines. Now that each microservice was maintained independently, there was more efficient life-cycle management of the entire application.

Containers were an evolution of virtual machines (VMs). Unlike a VM, containers didn’t install anything on the operating system; they had shorter lifetimes and increased densities per host, and a containerized application could start up almost instantly.

Security concerns around containers gave rise to an ecosystem of companies like TwistLock, which identifies the expected behavior of a container and creates a white-list of processes, networking activities and storage practices, so that any deviation from the baseline can be flagged as potentially malicious behavior.
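The baseline-and-deviation idea described here, and the runtime profiling of short-lived containers discussed in the container security post above, as an added example (not TwistLock’s or Sysdig’s code): a profile is learned per image by merging what every short-lived instance of that image did, and runtime events are then checked against it. The event schema, image names and events are constructed for the example.

```python
import os
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Event:
    """One runtime observation for a container (constructed, hypothetical schema)."""
    image: str
    container_id: str
    kind: str    # "exec" (process started), "connect" (outbound), "write" (file)
    detail: str  # process name, "host:port", or file path


@dataclass
class Profile:
    """What instances of one image are expected to do, keyed by image not container."""
    image: str
    processes: Set[str] = field(default_factory=set)
    dest_ports: Set[int] = field(default_factory=set)
    write_dirs: Set[str] = field(default_factory=set)
    instances: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class Alert:
    container_id: str
    image: str
    reason: str


def _port(detail: str) -> int:
    return int(detail.rsplit(":", 1)[1])


def learn_profiles(training: List[Event], min_instances: int = 3) -> Dict[str, Profile]:
    """Merge every short-lived instance's behaviour into one profile per image.
    Profiles seen on fewer than min_instances containers are withheld: a baseline
    learned from one or two runs mostly produces false alerts."""
    profiles: Dict[str, Profile] = {}
    for e in training:
        p = profiles.setdefault(e.image, Profile(e.image))
        p.instances.add(e.container_id)
        if e.kind == "exec":
            p.processes.add(e.detail)
        elif e.kind == "connect":
            p.dest_ports.add(_port(e.detail))
        elif e.kind == "write":
            p.write_dirs.add(os.path.dirname(e.detail))
    return {img: p for img, p in profiles.items() if len(p.instances) >= min_instances}


def detect(runtime: List[Event], profiles: Dict[str, Profile]) -> List[Alert]:
    """Flag each event outside the learned profile; one alert per (container, reason)."""
    alerts: List[Alert] = []
    seen = set()

    def raise_alert(e: Event, reason: str) -> None:
        key = (e.container_id, reason)
        if key not in seen:
            seen.add(key)
            alerts.append(Alert(e.container_id, e.image, reason))

    for e in runtime:
        p = profiles.get(e.image)
        if p is None:
            raise_alert(e, "no enforced profile for image")
            continue
        if e.kind == "exec" and e.detail not in p.processes:
            raise_alert(e, f"unexpected process {e.detail}")
        elif e.kind == "connect" and _port(e.detail) not in p.dest_ports:
            raise_alert(e, f"unexpected outbound port {_port(e.detail)}")
        elif e.kind == "write" and os.path.dirname(e.detail) not in p.write_dirs:
            raise_alert(e, f"write outside baseline: {e.detail}")
    return alerts


# Constructed training window: three short-lived instances of one checkout image
# all behave the same way, plus a single run of an image we cannot yet baseline.
TRAINING = [
    *[Event("shop/checkout:1.4", cid, "exec", "java") for cid in ("c1", "c2", "c3")],
    *[Event("shop/checkout:1.4", cid, "connect", "orders-db:5432") for cid in ("c1", "c2", "c3")],
    *[Event("shop/checkout:1.4", cid, "write", "/var/log/checkout.log") for cid in ("c1", "c2", "c3")],
    Event("shop/cron:0.1", "c4", "exec", "python3"),
]

# Constructed runtime window: one normal event, three deviations, one unprofiled image.
RUNTIME = [
    Event("shop/checkout:1.4", "c9", "exec", "java"),
    Event("shop/checkout:1.4", "c9", "exec", "sh"),
    Event("shop/checkout:1.4", "c9", "connect", "203.0.113.5:8080"),
    Event("shop/checkout:1.4", "c9", "write", "/etc/cron.d/job"),
    Event("shop/cron:0.1", "c10", "exec", "python3"),
]


def run_demo() -> List[Alert]:
    return detect(RUNTIME, learn_profiles(TRAINING))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.container_id} ({a.image}): {a.reason}")
```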

getaway car

Other ecosystem vendors like Polyverse took advantage of the fact that a container could start in a fraction of a second to relaunch containerized applications in a “good state” every few seconds. This meant that a potential hacker wouldn’t have enough time to exploit an application running in the container. Reminds you of jewel thieves using multiple getaway cars, doesn’t it? Stay tuned for more on containers, Docker and Kubernetes next.

Categories: Big Data and Hadoop

Workload Micro-segmentation – Much ado about nothing?

December 13, 2019


Once upon a time, when pony-tailed grey beards ruled enterprise IT departments, network security meant deploying firewalls, Virtual Private Networks (VPNs), Intrusion Detection Systems (IDS) and vulnerability scanners. The advent of phishing emails using social media and other new forms of attack meant that once a corporate workload was compromised, the contagion could spread if unchecked. It became critical to detect abnormal behavior in an application workload.

Just as the rich build themselves panic rooms or safe rooms within their mansions to seclude themselves in the event of a home invasion, network security teams decided to segment their sprawling networks to isolate intrusions and prevent contagion throughout the corporate network.

Millenial and avocado toast

The millennials from VC-funded startups came to these grey beards, avocado toast in one hand and $4 coffee in the other, and preached the value of the “fine-grained” segmentation in their product offerings versus the previous “coarse-grained” segmentation. Their approach, they claimed, delivered segmentation without the need to manually “touch” every VLAN, firewall and Access Control List (ACL) along the way.

The grey beards listened to this and asked: won’t your approach require agents on the hosts? Installing agents will result in an internal tug-of-war between our server teams, network teams and security teams. Along came another set of VC-funded startups to your door, and they touted “agent-less” application-aware segmentation as the new nirvana.

Not to be outdone, a VMware representative came to your door and touted their ability to do NSX-based workload micro-segmentation based on VM names, VM attributes, user identities, and vCenter objects like data centers, hosts and port groups. They insisted that this approach is agnostic to the physical location of a VM or the underlying network.

They dazzled you with their deep pockets and mentioned acquisitions that only VMware big money can buy: Nicira (the $1.26B acquisition which resulted in NSX), AirWatch (the $1.5B acquisition which gave VMware the ability to secure mobile devices), VeloCloud (the $449M acquisition which gave VMware the ability to offer SD-WAN to branch offices), CloudHealth ($500M acquisition), Wavefront (streaming analytics platform to help optimize developer clouds), Heptio ($550M for Kubernetes know-how) and Carbon Black ($2.1B acquisition for end-point security).

You thought to yourself: having deep pockets and the ability to acquire pricey art by Picasso, Monet and Van Gogh does not an artist make… How much of this acquired stuff actually works well together?

Deep pockets to buy art doesn't make an artist

In the VMware approach to micro-segmentation, to create security groups and firewall rules for existing applications you need Application Rule Manager (ARM); to identify what percentage of your traffic is east-west versus north-south you need vRealize Network Insight (vRNI), which is a stand-alone product. Navigating VMware NSX licensing is a fun process in itself.

The point I’m making is that there is no one vendor or product that fits all. I suggest you gloss through the vendor marketing decks, short-list vendors, and ask for a Proof-of-Concept (POC) for your specific use case. Ask about interoperability, licensing and reference customers in your industry. Workload micro-segmentation is a must-have, but how you end up deploying it is up to you.

Blockchain and its implications

February 17, 2018

What do mangoes, diamonds and orangutans have in common? A technology called blockchain. How is that, you ask? Read on.


What is blockchain?

Banks, which were the trusted middlemen of yore, gave way to virtual middlemen: exchanges like eBay. As technology and human aspirations evolve, eBay might give way to OpenBazaar (based on the Ethereum blockchain), which cuts out the middleman and connects buyers directly to sellers.

The Economist describes blockchain as “a shared, trusted, public ledger that everyone can inspect, but which no single user controls.” Bettina Warburg describes blockchain as a public registry, a decentralized database which stores a record of assets and transactions across a peer-to-peer network. Transactions are secured via cryptography; the transaction history is locked in blocks of data which are cryptographically linked and secured. Records are replicated on every computer using the network.

Think of blockchain as a global platform which stores ownership of assets like home titles, financial contracts etc. A blockchain has 3 components: a distributed network, a shared ledger and digital transactions.
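The cryptographic linking described above, as an added example (not from the original post): a small Python ledger of property-title transfers in which each block’s hash covers the previous block’s hash, so an altered record breaks the chain for anyone who re-verifies it, and replicas detect a fully rewritten history by comparing their tip hashes. The parcels and parties are constructed sample data.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

GENESIS_PREV = "0" * 64  # the first block links to an all-zero "previous" hash


@dataclass
class Block:
    index: int
    prev_hash: str
    transactions: Tuple[Dict[str, str], ...]
    hash: str


def block_hash(index: int, prev_hash: str, transactions) -> str:
    """SHA-256 over the block's own contents plus the previous hash: this is the link."""
    payload = json.dumps({"index": index, "prev": prev_hash, "tx": list(transactions)},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, transactions: List[Dict[str, str]]) -> str:
        index = len(self.blocks)
        prev = self.blocks[-1].hash if self.blocks else GENESIS_PREV
        h = block_hash(index, prev, transactions)
        self.blocks.append(Block(index, prev, tuple(transactions), h))
        return h

    def first_invalid_block(self) -> Optional[int]:
        """Re-verify the whole chain; return the index of the first broken block, else None."""
        for i, b in enumerate(self.blocks):
            expected_prev = self.blocks[i - 1].hash if i else GENESIS_PREV
            if b.index != i or b.prev_hash != expected_prev:
                return i
            if b.hash != block_hash(b.index, b.prev_hash, b.transactions):
                return i
        return None

    def owner_of(self, parcel: str) -> Optional[str]:
        """Current title holder: the 'to' party of the latest transfer of this parcel."""
        owner = None
        for b in self.blocks:
            for tx in b.transactions:
                if tx["parcel"] == parcel:
                    owner = tx["to"]
        return owner


def build_title_registry() -> Ledger:
    """Constructed property-title ledger (sample data, not a real registry)."""
    ledger = Ledger()
    ledger.append([{"parcel": "lot-17", "from": "registry", "to": "Alice"}])
    ledger.append([{"parcel": "lot-17", "from": "Alice", "to": "Bob"},
                   {"parcel": "lot-18", "from": "registry", "to": "Carol"}])
    ledger.append([{"parcel": "lot-18", "from": "Carol", "to": "Dave"}])
    return ledger


def tampered_copy(ledger: Ledger, block_index: int, new_owner: str, mode: str = "edit") -> Ledger:
    """A replica where someone rewrites who received lot-17 in one block.
    mode="edit": change the record only; "rehash_block": also recompute that block's
    hash; "rewrite_suffix": recompute that block and every later one (a full rewrite)."""
    replica = copy.deepcopy(ledger)
    b = replica.blocks[block_index]
    b.transactions = tuple(dict(tx, to=new_owner) if tx["parcel"] == "lot-17" else tx
                           for tx in b.transactions)
    if mode == "rehash_block":
        b.hash = block_hash(b.index, b.prev_hash, b.transactions)
    elif mode == "rewrite_suffix":
        for i in range(block_index, len(replica.blocks)):
            blk = replica.blocks[i]
            blk.prev_hash = replica.blocks[i - 1].hash if i else GENESIS_PREV
            blk.hash = block_hash(blk.index, blk.prev_hash, blk.transactions)
    return replica


def replicas_agree(a: Ledger, b: Ledger) -> bool:
    """Peers compare tip hashes: a rewritten history, even if self-consistent, changes the tip."""
    return bool(a.blocks) and bool(b.blocks) and a.blocks[-1].hash == b.blocks[-1].hash


if __name__ == "__main__":
    honest = build_title_registry()
    for mode in ("edit", "rehash_block", "rewrite_suffix"):
        bad = tampered_copy(honest, 1, "Mallory", mode)
        print(mode, "first invalid:", bad.first_invalid_block(),
              "replicas agree:", replicas_agree(honest, bad))
```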

What are use cases for blockchain?

Binding contracts which don’t need a third-party enforcer. Today you can contest a charge on your personal credit card, but what if you want this level of personal enforcement without a credit card? This is where blockchain could help.

Another use case relevant to our times is in identifying the source of food contamination during a food safety recall.  Governments can use blockchain as a tool against money laundering by criminal enterprises.

Blockchain provides a way to combat real-estate fraud in emerging markets, where unscrupulous people may alter property records, thus defrauding legitimate buyers. If property records were “tamper proof” and stored in a blockchain, then it becomes easier for a title insurer to access the records so they may clear a title. Buyers could buy property sight unseen, knowing that they are less likely to be defrauded.

Today a music content creator doesn’t have the flexibility to change prices for music by tiers of consumers, as middlemen like YouTube or Spotify set the rules. By cutting out the middleman, blockchain empowers the music creator and improves the content creator’s chances of personally profiting from their creation. Case in point: Imogen Heap released her music on the blockchain.

Retail use cases for blockchain


Walmart used blockchain to track the movement of Mexican mangoes in 2.2 seconds versus 7 days in trials. This could help greatly when there is an E. coli or salmonella outbreak that could seriously impact children or adults with weakened immune systems, by helping retail giants like Walmart identify the source of contaminated food before it does its damage.

Eco-friendly implications of blockchain?

As a consumer, you could potentially ensure that the palm oil used to fry your chips is not derived from a place like Borneo or Sumatra, where orangutans are slaughtered mercilessly to clear the forest so palm trees may be planted.

You could confirm that the diamonds you bought for an engagement ring are not “blood diamonds”, mined in a war zone to finance an insurgency using gullible child soldiers as cannon fodder.

As a chocoholic, you could confirm that dark chocolate bought in an upscale chocolatier is not tainted by cadmium or lead from being sourced in countries which don’t have lead-free gasoline.

You can rest easy knowing that the shrimp you bought at a seafood store wasn’t derived from slave labor in Thailand.

Manufacturers of pet food can quickly identify the source of contamination in tainted and potentially poisonous pet-food before unsuspecting animals pay the price.

As you see, the potential benefits are endless. Blockchain might yet prove to be the technology that changes our world beyond our wildest dreams.

Categories: Big Data and Hadoop

What to ask IBM Watson?

February 26, 2017

On an uncharacteristically cloudy California afternoon, looking out at gathering rain clouds, I wondered what IBM Watson, the artificial intelligence platform, and my favorite characters Sherlock Holmes and Dr. Watson have in common. Unlike Sherlock Holmes, who was introduced to the world over 125 years ago by Sir Arthur Conan Doyle, the world came to know about IBM Watson primarily after the TV show Jeopardy. Today you read about IBM Watson being used in every possible vertical market, from banking to finance. Excuse me for using the tiresome cliché “when you have a hammer everything looks like a nail”, but to avoid exactly that let’s look at what problems are better suited for IBM Watson than for others. Watson works by collecting large amounts of data (articles, blogs, tweets, research data), generating dozens of hypotheses around this data, ranking various candidates for answers and answering with the first candidate if the confidence level is high enough.

Book Illustration Depicting Sherlock Holmes and Dr. Watson in a Train Cabin

Attribution: By Sidney Paget (1860-1908) (Strand Magazine) [Public domain], via Wikimedia Commons

Watson excels in Natural Language Processing (NLP). An example of a question relevant to our times and posed in natural language would be: is White House Press Secretary Sean Spicer accurate when he states that Donald Trump drew “the largest audience ever to witness an inauguration, period, both in person and around the globe”?

Any question that requires active learning, that uses context-based search, or that uses inference chaining would be eminently suited for IBM Watson. You could also potentially use Watson for predictive analytics, to answer a question relevant to merchandisers: “Are stay-at-home dads more likely to buy beer when they step out to buy diapers for the infants in their care?” A data scientist who thinks about these matters might explain that Watson has some predictive analytics capability because it uses Chi-squared Automatic Interaction Detection (CHAID) algorithms. For now we’ll leave the why and focus on the what.

On the other hand, topics like inductive reasoning may be better suited for tools other than Watson. What is inductive reasoning, you ask? The statement “All performers want to perform before large crowds like those at Presidential inaugurations; Elton John is a performer, so Elton John must want to perform at Trump’s inauguration” would be an example of deductive reasoning, even if Sir Elton John would disagree with the final conclusion.

Conversely, consider the statement: Garth Brooks is a performer, Garth Brooks “prays” for Trump, so all performers must be praying for Trump. In this statement there is no logical movement from the initial premise to the final conclusion. This would be an example of inductive reasoning.

Just as Dr. Watson wonders how Sherlock Holmes arrives at his seemingly fantastic conclusions you might wonder what internal reasoning is used by IBM Watson to arrive at its conclusions?  The IBM WatsonPaths solution graph might give you some clues.  More on Watson on another rainy afternoon.


Musings on Cognitive systems & Artificial Intelligence

January 29, 2017

Some would describe cognitive systems as systems which are not programmed; they understand, reason and learn. In these respects they are similar to the human brain. Artificial intelligence, which is usually associated with machine learning, could be viewed as a subset of cognitive systems.

The physicist Stephen Hawking states “The primitive forms of artificial intelligence we already have proved very useful. But I think the development of full artificial intelligence could spell the end of the human race.”

The general thinking is that today AI is not self-aware, has no consciousness and is far from being a sentient being. However, before you get too comfortable, consider this. If we assume that the first step towards reaching self-awareness is to achieve “creativity”, we should pause to reflect on the fact that scientists at Columbia University taught robots to paint on canvas; of the robots so trained, PX18 stood out in its artistic abilities, as you see here.


[Included with permission from Hod Lipson of Columbia University]

If creativity has been breached and the next step is self-awareness, consider this: roboticists at the Rensselaer Polytechnic Institute in New York have built a trio of robots that were put through the classic ‘wise men puzzle’ test of self-awareness, and one of them passed.

Think about IBM Watson for a minute. Watson appeared on the TV show Jeopardy and was posed a question: “Iron fitting on the hoof of a horse or a card-dealing box in a casino.” Watson responded with the correct answer: “What is shoe?”

Reflect on this for a moment. The word shoe was used as a pun, a way to confuse Watson, a pun being defined as the use of a word in an ambiguous way so as to draw parallels between two concepts. The implication for humanity, according to Thomas L. Friedman (a columnist for the NY Times), is: a cognitive computer was faster than 2 humans in identifying a pun posed in natural language!

One of the many successors to Watson is IBM’s Watson Explorer, a tool which uses natural language processing and can provide search, indexing and a 360-degree view of entities to its user. A Japanese insurance company, Fukoku Mutual Life Insurance, is reportedly replacing 34 human insurance claim workers with “IBM Watson Explorer”, starting January 2017.

So to our fearless leader who proclaimed that he would build “a great, great wall on our southern border” to stem the flow of manufacturing jobs, I must break the news that it is not just blue-collar jobs but also white-collar jobs that will need to refocus to ensure gainful employment for all. Stemming the tide of technology isn’t a realistic option; it is too late to close Pandora’s box now. Cognitive systems and AI are here to stay; now the question before humanity is: how will we use them for our collective betterment?


[Engraving based on a painting by FS Church]

My name is Kai and this is my story..

December 8, 2016


I was born Feb 29, 2016 in a leap year which happens once in 4 years! A runt in a litter sired by my father a Great Dane and my mother a mix of Border Collie and Great Pyrenees. I vaguely recall my siblings being all white-and-black pups like me. It was warm and cozy being together but like anything in life it didn’t last long… My human owners couldn’t deal with us so we were soon to be adopted by others.

I can never understand this human fascination with “owning” an animal you call a “pet”. It reminds me of two fleas arguing over who owns the dog! You are no more owners of animals than you are of this beautiful planet all of us call home. Granted 7 billion of you humans have infested this planet and destroyed pretty much all other life forms in your obsession to “own” every square meter of land but I have no interest in your follies.. This is primarily my story.

I was put up for adoption by a volunteer rescue group Pawsitive Connections in front of a PetSmart store.  A kindly teenage girl who became my human sister, came to help out with the vague intention of accumulating volunteer points for school and she ended up sitting with me in my cage.. At the end of the day as no one had adopted me she carried me home and I recall her mother and she discussing in hushed tones on the ride home how to break the news to her dad – a cynical middle aged man whose motto was “one dog in our home is enough – we can’t afford another!”  The official story was that I was a “foster” but we all knew I had no intention of leaving! My human sister christened me Kai – don’t ask me what it means, I wouldn’t know! All I know is that responding to the word Kai equated to belly rubs and treats!

For the first few days in my new home, I missed my siblings and their warm bodies.. but then I bonded with the 8 year old black Labrador mix Angel who resided at the home. Angel became my friend, protector and “mother-figure” all rolled into one. I ate from her food bowl, chewed her toys, slept on her bed and she would move away with a resigned air and nary a complaint. My grumpy human father ended up walking me every morning muttering about getting late to work or about having to walk two dogs every morning.. Little did he realize then how much he had to be thankful for, a reason to exercise his heart, a warm home to come home to, a human family, Angel and yours truly!

During my walks, I basked in the joy of every falling leaf, every scampering squirrel. I found the rising sun fascinating and the moon and stars wonderful. I never met a dog I didn’t like (or try to hump) nor a human I disliked. I jumped on every passerby much to my grumpy human father’s annoyance.. I ran wild in empty spaces and tennis courts in the mornings, I loved the freedom of playing in the grass. Angel was often too tired to run or play with me. I made friends with a boxer Levi who like me enjoyed playing rough. Angel would periodically look up from munching on grass (what’s up with that??) and snap at the boxer to indicate her displeasure when he was too rough with me.. In her heart I was Angel’s baby and she never let anyone forget it.. Covered in doggie drool I walked home contentedly..

Seven months flew by and one Sunday morning in November,  I ran away from my human father chasing a squirrel all over the park..  An oncoming speeding car hit me and I was thrown on the side of the road.. an hour passed in a painful blur, the girl whose car hit me apologized then left hurriedly in tears.  A kindly human gave my human father a ride to the vet where my father couldn’t get me attended to immediately as he didn’t have his wallet!  Half an hour later my human mother showed up with a credit card by which time I could feel myself beginning to leave my earthly body.  15 min with the vet trying CPR on me and I was gone.. My human family wrapped me in their arms with nary a blanket (the vet’s office didn’t have any spares to loan) and drove home in tears..

My human family grieved over me, argued with the vet online about the delay in attending to me but as you humans say “it is all water under the bridge”.  I left this world in body but lingered in spirit.  A few days later my human family received a handwritten holiday card from their online dog food supplier Chewy from whom they bought  vegetarian kibble (I couldn’t eat another animal, can you?) and wrote back to them as in acknowledgement mentioning my passing.  Tiffany at Chewy sent over a beautiful bouquet of roses and Peruvian lilies in my memory.  Today the flowers gave my teenage human sister solace as she arranged them in a vase a tear running down her cheek.  I miss her too and wish I could tell her I’m at peace now!


I enjoyed the short 7 months of my life.  I was a free spirit, I ate what I liked, I ran where I liked, played with whichever dog I liked and lived life on my own terms.  To quote the legendary Frank Sinatra: “I’ve lived a life that’s full, I’ve traveled each and every highway, But more, much more than this, I did it my way” To my grumpy human father and his family all I can say is – Lighten up a little and start living life!  It was fun living with you, but we all have to go some day, some sooner than others.  Would you rather that I  survived the accident but could never run again?   What type of a life would that be for me?  If you are second guessing that fateful day remember Omar Khayyam’s words – The moving finger writes; and having writ, moves on: nor all thy piety nor wit shall lure it back to cancel half a line, nor all thy tears wash out a word of it.

To other humans who read this my advice to you is:

Don’t waste your lives chasing something beyond the rainbow waiting to be happy till you find it, stop brutalizing weaker animals for food or “sport”, live life as I did with joy each day, find wonder in everything, enjoy this tiny blue planet you share with so many billions of creatures, be compassionate to all.  We will all become dust one day.. when that happens wouldn’t you prefer that your lives had some meaning and someone somewhere will think fondly of you and recall that you left this earth a tiny bit better than you found it?  And while you are about it, why not adopt a dog from a shelter or rescue group?  You won’t find a better friend or a more joyful companion!

Movin’ on up… SAN switching to DevOps automation, workload generation to application performance monitoring

March 31, 2016

I’m reminded of the Jeffersons theme song “Movin’ on up” as I read the latest news in the technology world. Every vendor appears to be moving on up and wants a bigger piece of the proverbial pie. SAN switching vendor Brocade aims to move up into automation of DevOps by acquiring StackStorm; workflow generator vendor LoadDynamix merges with application performance monitoring vendor Virtual Instruments. These developments are a sign that vendors are not content to stick to their niche but are keen to expand into new areas and deliver additional in the hat

Brocade has managed a steady $2.25 billion in annual revenues as of 2015. However, jaded storage analysts looked at these earnings with an “okay, but where are the growth prospects?”. Brocade demonstrates out-of-the-box thinking by moving beyond its comfort zone of Fibre Channel and Ethernet switching into DevOps automation and orchestration, a world previously dominated by products like Puppet, Chef and Ansible. From what I hear, configuration management tools like Puppet and Chef work at a node level: they execute code against a node, updated state information is then sent to an upstream device like a Chef server or PuppetDB, then other nodes converge with the updated data. These multiple steps result in added latency. StackStorm acts as an uber-orchestrator by orchestrating runs of automation tools like Chef or Puppet on different nodes. It should come as no surprise that while numerous customers downloaded and used the open-source tool from StackStorm, only a few like Target, Netflix and MasterCard paid for the enterprise version. The pressure to show revenue from paying customers might have caused StackStorm to take Brocade up on its offer of a buy-out. With Brocade thinking out of the box, Cisco won’t be content to remain a mere investor in PuppetLabs but might take a more serious interest in being the single pane of glass for orchestration and automation.

On a different note, LoadDynamix is a vendor with an appliance that generates network load and can be used to model workflows. An IT department can use it to make an objective comparison of multiple storage solutions to identify the one that best meets their needs. A storage vendor could also use LoadDynamix products to emulate the effect of mount storms from NFS clients. On the other side of the spectrum, Virtual Instruments is a vendor that targeted a niche untapped by SAN vendors, namely troubleshooting latency exhibited by applications running in virtual environments. They do this by capturing and monitoring application flows all the way from multiple hypervisors down to the storage. Since both vendors have non-overlapping technology offerings, there is scope for innovation after they merge. This should cause Cisco and Brocade to take notice.

Categories: DevOps, Orchestration