Top 4 compliance lessons I learned from the movie “The Blob”

You probably know the storyline, a mysterious Blob creature crashes to earth via a meteorite and two teens (Steve McQueen & Aneta Corsaut) head out to investigate. Along the way they run into an elderly man who has a weird blob attached to his arm. They take him to the doctor’s office, and then go to find out what happened. From there, the Blob begins spreading through the town and eating everyone in its path.

The Blob, a horrifying monster from the 1950’s sci-fi era, is much like its software namesake BLOB (Binary Large Object) that lives on today in modern digital services – albeit no longer binary.

Here’s four compliance lessons I was reminded when watching The Blob:

  1. Compliance fact #1: an enterprise has the same amount of risk associated with how it handles data it receives as it does for data it is sending.   Blob fact #1: if you touch the Blob, you’ve got the Blob and there is no ‘do over’.
  2. Compliance fact #2: even if the enterprise really didn’t intend to receive the data, HIPAA and GDPR regulations require that same diligent care be given to any sensitive data no matter how it enters the enterprise. Blob fact #2: even if you didn’t intend on touching the Blob, once you’ve come in contact you’re exposed.
  3. Compliance fact #3:  often when an application needs to access a single innocuous piece of data, a large complex data structure that holds the item is returned.  Blob fact #3:  the Blob may appear to be small as it creeps under the doorway, don’t be fooled, the Blob is massive.
  4. Compliance fact #4: an application may log or otherwise save the BLOB data without ever realizing how sensitive that surrounding data is. This exposes the enterprise to risk that was not immediately apparent given the nature of the application or digital service. Blob fact #4:  While the Blob starts off small and appears innocuous, once exposed to human contact it’s painful (It’s first victim is heard moaning ‘it hurts…it hurts’). From there the viewer is convinced and frightened of the risk.

Don’t be like the townsfolk and heed the learnings from this movie: don’t overlook compliance when handling data.

The Trapize Digital Service Broker high-performance proxy provides visibility to all data that is crossing the enterprise boundary.  All elements of the BLOB are inspected, tokenized and optionally redacted.  Alerts and alarms can be attached to sensitive data that crosses the enterprise boundary in either direction so we can warn the townsfolk (I mean enterprise).

Think of Trapize as your digital “Steve McQueen” who is helping to protect your data from the risks and exposures you might not believe in before it’s too late.

Keep your enterprise in the fast lane with proactive digital service alerts

As a daily commuter and an engineer, I have often thought there is some parallel that can be drawn between traffic on the roads and the digital services being used in corporate networks.  Speed, congestion, accidents and any number of factors could impact your trip. Unlike the traffic helicopters reporting to help a driver steer clear of hazards, many in IT are caught by surprise when slow traffic or a problem is ahead.

Let me explain, I live in state where most residents view the speed limit as a suggested starting point, when the traffic is moving along at steady pace of 75MPH, everything is flowing smoothly.   However, when a few drivers decide to obey the speed limit of 65MPH, then the rhythm of the commute becomes as congested as the coffee shop line on free donut day.

Today’s most modern applications use more than one digital service.  These services are tightly choreographed to achieve whatever ultimate goal the business needs to keep running smoothly.  Like with an accident on the highway, when one service completely fails it is pretty apparent what the issue is.  Yet, when a service – or set of services – simply starts to slow down, the root cause of the failing infrastructure is harder to determine.

As digital services are consumed in an enterprise, there is an implicit service contract between the application and the external services.  Application developers often assume that if no error occurs on an external transaction, then everything is working correctly. Simply slowing down services over a small period of time can cause a catastrophic failure of an application ecosystem.  This applies to a single service slowing down or a set of services slowing down sporadically which unfortunately is occurring as more and more systems and networks become overloaded or under attack.

At Trapize, our digital services broker monitors all the services that your enterprise is using, think of us as your traffic helicopter reporting on the health of your digital traffic. We provide sophisticated monitoring of external services providing key performance metrics across a wide range of functionality. Alerts can be passed to the enterprise infrastructure or triggered in-band to the applications when services start to misbehave.

Like Sammy Hagar, I will freely admit, “I can’t drive 55”.  Enterprises need a way to ensure their services aren’t as well.

Digital service monitoring, compliance & governance “The Jetson’s”-style

Back in the golden age of cartoons – at least my golden age – there was a company called “Spacely Space Sprockets, Inc.” that employed the well-meaning, yet stressed at times George Jetson. Many an episode included the company and how they used advancements in technology to outperform their competition “Cogswell Cogs”.   When employees showed up for their hard day’s work, they only needed to push a button once to start and stop things.  To this day, I have no actual idea what they made, but I have come to realize that this is how the best technology ends up working.

If you look at the march of technology in the security space, not only has it become more sophisticated, the deployment has become increasingly frictionless. Today’s IT professionals have adopted the model of not needing to deeply understand the underlying products they support, they just need to understand the risks it might pose to the enterprise.  From there they can then implement the simplest, most cost-effective solution to mitigate that risk.

No IT professional would be expected to understand the intricacies of an operating system to deploy a virus scanner.  It would be unreasonable to expect your IT department to write custom code that opened every packet entering a system, inspect the packet for intent, then write code to apply rules to handle that particular packet.  No matter how good the tools that you give them are, “slow and costly” is not the mantra for any modern IT department.

Many API management companies would have you believe that is state-of-the-art technology for secure enterprise digital services. Their tools are designed for programmers by programmers. Implicit in this design is the fact that you need to have deep understanding of a service to properly protect your enterprise.  No matter how many cool tools and drag and drop GUI’s they provide, your IT staff better have a programming degree and be willing to dedicate a couple of months’ time to implement even the most basic solution.  An inescapable truism in the IT world is that time is directly proportional to cost and complexity of the solution being deployed.

At Trapize, our digital services broker makes you a modern-day George Jetson. The enterprise IT staff never needs to understand the service and is never exposed to sensitive company or personal information. Our catalog currently supports over 1000 of the most popular digital services in use today. Browse our catalog, pick a service, then click a button.  Monitoring, compliance, and governance with a single click of the mouse.  Not only should it be that easy, now it is.

Decoding vendor conferences

“Developer Conference,” two words that should alarm all enterprises as they begin looking for solutions to manage their growing digital transformation investments. Having been around the high-tech industry for many years, this is vendor code for: “We have built a product that is so complicated that we need to teach you how to use it before you to get any value out of it.”   There is also the slightly less daunting “Users Conference” – just a notch below the Developer Conference – where it’s unlikely you’ll be writing any custom software to effectively use a vendor’s product, here you should expect to spend a lot of time learning to configure said product correctly.

The team here at Trapize is dedicated to solving the hard problems facing businesses undergoing their digital transformation. So, if you’re looking to get a free conference vacation in a balmy location this year to learn our product, you should stop reading now. If your enterprise has $100K+ in budget surplus to get some developers working on securing each digital service you need for your digital transformation, look somewhere else. If your IT department loves the intellectual challenge of spending weeks tweaking complicated configuration, we here at Trapize do not have the product you are looking for. But, if your enterprise is looking to add compliance, governance and monitoring of the digital services you are using with a single click of the mouse, then we should definitely talk.

As we enter our public beta in the early fall, the Trapize API proxy currently supports over 2,000 of the most popular digital services in use by businesses today. We have profiled thousands of digital services and provided a powerful set of one-click controls for an enterprise to quickly control and monitor digital services crossing their perimeter.

If you would like to see a demo, reach out and let us know. It’s really, really brief – unlike those Conferences – so you can get back to enjoying your busy afternoon (golf, baseball, kid’s soccer, we won’t tell).

Cold War ethics: ‘trust but verify’ for microservices oversight of critical data flows

End-to-end encryption is becoming a popular industry trend while at the same time causing nightmares for the IT department. With the emergence of SD-WAN technology and other private routing strategies, it is getting easier for enterprises to fully direct and encrypt traffic flow between application servers within the enterprise and between an enterprise and its business partners.

While there is no argument over the need to keep private data private, the question becomes who are you keeping it private from?

Increasingly applications are being built using a distributed set of microservices. These services fall into three broad categories:

  1. microservices the enterprise built for themselves,
  2. microservices built by third party contractors hired by the enterprise, and
  3. microservices the enterprise consumes from the public cloud.

This collection of disparate microservices is making it difficult for enterprises to know what information is being exchanged as the application fragments collaborate to build a cohesive solution.

As we were beginning to form Trapize, I had a conversation with a CIO who stated their data center was built out of microservices that they mostly subcontracted out to third parties. Yet given the level of encryption between services, the CIO/IT team/enterprise had no real way of knowing or understanding the data that was flowing across – or out of – their network. While the applications worked, this enterprise had managed to create a data super-highway that was private…even to themselves.

At Trapize, we think the cold-war mantra of ‘trust but verify’ still applies. It is critical for an enterprise to understand the underlying data that is moving in and out of their network. Very few enterprises would bypass email or message scanning but many today have no visibility into the critical data flows from systems they know have access to private or sensitive data. We have built a security proxy designed to specifically address this new threat surface.  Check us out.

Overcoming ‘analysis paralysis’ to achieve digital transformation of your business

Time is the true enemy of most businesses.  This has never been more apparent than when a business begins the transformation to becoming a digital enterprise.

Cloud-based services allow businesses to pick best-in-class APIs and components for building out their digital enterprise.  However, as the shift of services transitions from being hosted within the enterprise to the cloud, legal requirements like the compliance and governance of data must still be met regardless of the location of the enterprise’s perimeter.  Unfortunately many businesses have become paralyzed as they struggle to understand the implications of bringing a digital service into the enterprise. This paralysis then amplifies the time it takes to safely on-board any digital service and results in added cost for this transformation while potentially losing opportunities to their more nimble competitors.

The Trapize Digital Services Broker (DSB) enables businesses of all sizes to quickly and safely make this transition.  The Trapize DSB includes pre-built service profiles for the most popular digital services used by businesses today.  Each profile is available for download and installation for a low annual subscription fee.  The service profiles allow businesses to transparently add compliance, governance, and performance controls in minutes.  The DSB is designed to support thousands of digital service profiles in a single distributed proxy ensuring common compliance and governance controls across the enterprise.

While we don’t have a flux capacitor – or a custom built DeLorean – to go back in time, we can help businesses catch up to their competitors by beginning their digital transformation today rather than in a distant future.

Data analytics in the forest


A common misconception about big data analytics is that if you capture everything then you can make some really, really smart decisions.  In the “forest” of data collected it is more important how you weight the individual data elements.  The processing of data into categories is a crucial first step into deriving actionable insights from data.

In a forest, it’s really more important how you look at the trees rather than being able to see everything within the forest.  At a glance you might see a bunch of diseased trees and then you could be tempted to cut down the forest.  But if you look closer you might see that only elm trees look diseased which allows you to cultivate a different plan where you can be more judicious with the use of your chain saw.

Similarly, not all data is created equal.  Personally identifiable information (PII) and corporate private data must be identified and made to standout in the forest of data.  A social security number is not just a number, it is a personal identifier, it is confidential data and it is a government ID.  Assigning important data to categories or multiple categories allows businesses to actually know what is occurring in the dense forest of data.

Data being exchanged on your digital services needs to be classified much the same way.  Edge systems that merely tokenize data to hide the underlying information will never give you an actionable view of the data forest that is leaving your enterprise.

The Trapize Digital Services Broker provides cross digital service categorization of data being exchanged in your enterprise.  Business analytics can give you insights into what kinds of data is crossing from your control to your partners or even between your own business applications.  A multi-use token vault that underlies handling of all private data in Trapize and allows a business to understand the type and how many times an exact piece of data is being exchanged.

Et tu, Brute? Are firewalls and SD-WANS enough protection when using cloud APIs?

As enterprises are rapidly transforming their businesses with cloud-based digital services that are being driven by APIs, they are starting to realize more and more, that their firewall is providing less and less protection.  Interestingly, it’s not that the firewall technology has gotten noticeably poorer, it’s that today’s data streams are bypassing this traditional security model altogether.

Enterprises are beginning to realize – many with surprise and dismay – the need to shift their security model away from sessions being managed by a firewall to a more application-centric control model like a software-defined wide area network (SD-WAN).  These new software architectures enable IT to replace older tunneling technology – like multiprotocol label switching (MPLS) – and quickly build dynamic connections with trusted partners.

All good so far. The problem now becomes: Do you trust your friends?

For businesses to achieve regulated compliance and internal governance, they need to have positive controls over all digital transactions, specifically the “5 Ws” – What, Who, When, Why, Where. At the end of the day, it doesn’t really matter if you shared corporate data with your partners via a simple HTTPS session via the firewall or routed that data over a new private connection.  The question a corporate compliance or governance officer needs to answer is: Should that data have been shared in the first place?

So, while we probably could not have helped Julius Caesar with his problems of betrayal, the Trapize proxy can help our customers ensure that as your protected data passes to and from your partners, that your business retains full control while engaging in the API economy.

Is Shadow IT going to sink your enterprise?

We’ve all heard the saying “loose lips sink ships” and now imagine how that translates to enterprise data, where sometimes exchanging sensitive data with a partner is a good thing, sometimes not so much.

Today we’re finding that corporate infrastructures at most large enterprises have sprung more than a few leaks.  This situation has been driven by the rise of cloud-based digital services, where corporate IT is under increasing pressure to open ‘pin holes’ in a firewall or add DNS exceptions to satisfy business needs.

Unfortunately, this is a risky approach that could compromise the safety and integrity of the enterprise network, particularly since the term ‘pin hole’ implies a small, manageable exception to the otherwise rigid controls that a firewall supplies.  In reality, this couldn’t be further from the actual risk introduced with this approach.

With every pin hole or exception added, a ‘digital waterway’ is created where data can flow in and out of the enterprise.  Adding another layer of complication, this data is often encrypted so centralized compliance and governance solutions have no visibility into these streams.  This has given rise to the popular term “shadow IT”, where core IT has ceded control of previously protected corporate data to the line of business application using cloud-based digital services.  All in all, a pretty perilous situation and unacceptable to regulators who provide oversight.

While some cloud security solutions gaining in popularity today think that scanning for data that has left your enterprise gives you control, we think having the right tools – a sound strategy and navigational instruments – is a safer approach.

So why are enterprises putting their data at risk?

At Trapize, we have built an in-line proxy that not only decrypts this data, ours has a packet-by-packet deep understanding of the data in an application flow.  So, as data enters or leaves the enterprise perimeter, Trapize can apply policies on a service-by-service basis.  It’s a better approach to keep your enterprise afloat.

On the horizon, a new approach for digital transformation

Yesterday I wrote about my meetings with a diverse group of IT leaders who often ask “Are ESB’s dead?”. Today I’d like to continue that topic and review the complications many are experiencing on their digital transformation journey.

At the very foundation is the need to safely exchange data and services across their organization with agility. Yet today many IT organizations are experiencing some principled headwinds – and obvious blind spots – as their cloud-based digital traffic is traversing firewalls with little IT visibility or control of the digital services being used, consumed and exchanged.

Covered in an earlier post, IT is caught without the required tools necessary to address core business functions, yet is on the hook for agile innovation from the line of business stakeholders. So, what’s an enterprise to do?

Based on my conversations, there are three clear options but all that entail some cost or risk:

  1. add connectors to external services for the ESB;
  2. write custom middleware to wrap the services;
  3. or just ignore the problem.

From experience, most organizations are doing some version of all three.  So, let’s ‘pro/con’ the opportunity cost when putting those three options in practice.

To remain compliant to the mandatory regulations, the enterprise must write a connector for each API or develop middleware wrappers for the APIs in use. The cost estimates that I’ve seen range from $200K for each connector, to $400K for middleware wrappers.  We also can’t forget the hidden cost to your organization which typically drives a 12-18 month delay in deploying new services.  Sadly, the cost in both dollars and time have led many lines of business to simply take option three, poke a hole in the corporate firewall, and assume the business risk.  Probably not a good idea.

There is a new approach on the horizon, Trapize offers an in-line proxy that provides positive control on a request-by-request basis. This approach – not only quick and affordable – is the only way to achieve true enterprise compliance.   Trapize is a digital service broker that supports many of the most popular services enterprises are using today.