NEW TECH: Can Project Furnace secure DX — by combining serverless computing and GitOps?

By Byron V. Acohido

Assuring the privacy and security of sensitive data, and then actually monetizing that data — ethically and efficiently — has turned out to be the defining challenge of digital transformation.

Today a very interesting effort to address this complex dilemma is arising from the ferment, out of the UK. It’s called Project Furnace, an all-new open source software development platform.

I had the chance to sit down with Furnace Ignite’s co-founders: John Blamire, chief operating officer, and Danny Waite, chief technology officer, for a pre-launch briefing.

They walked me through how Project Furnace began as a quest to improve the output of SIEM (security information and event management) systems.

However, beyond improving legacy approaches to network security, Blamire and Waite explained why they firmly believe Furnace could ultimately accelerate the design and implementation of all smart software — the next generation of apps destined to run everything from our shopping experiences to our driverless cars and our smart homes and cities. Here are takeaways from our meeting:

DX context

Furnace, in essence, seeks to aid and abet digital transformation, or DX, the ongoing digitization of essentially all human endeavors into a machine-readable format that can be automatically acted upon. DX is the wider context, here, in the sense that DX is made possible because of the rise of “datafication” — the processes by which we’ve come to rapaciously collect and store mind-boggling amounts of data from web forms, social media, mobile apps, surveillance cameras, IoT sensors and the like.

In 2016, Waite was assigned the task of coming up with a much better way to extract actionable threat intelligence from the legacy SIEM systems that have anchored network defenses at many enterprises for the past decade and a half.

Over the past few years, the effectiveness of SIEMs has lagged behind the rising complexity of business networks. In short, due to the rise of DX, enterprises today find themselves scrambling to deal with a glaring shortage of experienced security analysts needed to make sense of data pouring into a typical SIEM from dozens of security products, such as firewalls, endpoint protection and threat hunting systems.

Waite kept hitting brick walls — until inspiration hit him to try blending the core attributes of two leading-edge trends: serverless computing and GitOps. Think of serverless computing as yet another, nuanced iteration of cloud services. It allows software developers to build and test new applications without having to first provision and then maintain servers on which to do so, thereby avoiding hefty infrastructure provisioning expenses.

And GitOps is a way for software developers and IT operations specialists to more efficiently keep track of changes made in the latest iteration of an application that’s under development. They do this directly within the code itself, instead of having to rely on a third-party management console or a dashboard, which adds complexity and can slow down development.

Catering to personas

Without getting any deeper into the technical weeds, my understanding of Furnace is that it is a new type of cloud-based software development platform that leverages the best attributes of both serverless computing and GitOps. It does this in a way that should be irresistible for company software developers, and their compatriots on the operations side of the house, to try out.

Once Furnace begins to achieve some grassroots traction in “DevOps,” then security analysts will presumably be incentivized to jump on board, too. These security experts are currently burdened with endless management tasks, spinning out of SIEMs; they, too, will start using Furnace to do things such as improve their threat models. Here’s how Waite puts it:

“We’ve created a set of constructs that come together for those three personas, the dev guys, the ops guys and the security guys to use to build applications that can ingest large amounts of data, process it, enrich it, store it and then, most importantly, act upon it. So in a very lightweight, efficient and effective manner, they are able to tap into all of the benefits of serverless computing and GitOps.

“We talk about Furnace as a platform, but it’s also a framework, in which developers, or anybody who wants to, can add intelligence to the platform. The formats, templates and guidelines are fully open, by default, and we’ve set them so that anyone can actually add functionality.

“Furnace is also language agnostic, so the framework gets out of the way. We’re not trying to stipulate that a developer or a security guy has to write things in a certain way. It doesn’t ask people to set up huge environments; it doesn’t ask people to learn loads of different DevOps constructs.

“You create a template application in seconds and start building your own modules. You’re able to start creating value within your data, literally within minutes, and that is the bold step-change that we’re talking about.”

Wider horizons

As Furnace achieves credibility at the grassroots level, its capacity to foster software development flexibility and innovation much quicker and cheaper than current approaches will rise to the fore, John Blamire added. He says this will help to assuage skepticism on the part of company officials who control the purse strings – and who are quite naturally averse to steering away from the huge investments they’ve made over the past decade in SIEM-centric defenses.

Says Blamire: “Imagine one day in walks one of your development guys who’s heard of this thing called Furnace, and he goes over to the Ops manager and says, ‘I’ve just found this thing, it costs nothing to run, it’s cloud enabled, there’s a whole bunch of applications we can plug into it, very quickly, and we can run this in parallel with our current tool.’

“And then the Ops manager turns around and says, ‘Well that’s all well and good, but how much is this thing going to cost me to provision and to build up the infrastructure around it?’ And the dev guy goes, ‘Nothing. It’s serverless, it’s language agnostic, so we can use our native coding skills, and we can actually reduce the infrastructure required to do this.’ ”

While the idea for Furnace comes from a security perspective, and early adopters are expected to come from the SIEM community, Blamire envisions much wider horizons. He believes Furnace could conceivably help unclog complexity choke-points that today hinder the development of any type of software designed to extract value from large data streams.

“Ultimately, you may be looking at data streams from a security point of view, but you may also want to look at facility management – at all the devices in a highly connected building. Or you may also want to better understand the organic components of your business, such as the flow of people in and out of your facility,” Blamire says. “Furnace provides a way to bring in all of this data, from some of the same sources, not just for security, but for use in a number of different ways . . . Suddenly, you can get all of the benefits of serverless computing, straight away.”

Can Furnace truly streamline the convoluted steps companies today must take to make datafication pay off? We’ll see. It would be a good thing if it can achieve most of what its founders envision. In concept, Furnace fits hand-in-glove with the broader notion of baking security deep inside of the coming generation of smart apps. And that’s a good thing, indeed.


(Editor’s note: Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.)
