Solution Concept–Cloud brokerage…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

There are a number of solution concepts that I have looked at for cloud in the past five years. All of them starting with broad sweeping technology change and a “new way to do things.”

I wonder about that. Organizations don’t like to do things differently. They have built to where they are and frankly they do not require change nor often do they like it.

Personally I like to look at the glass as neither half-full or half-empty as my son always says “its just a glass of water.” The presence of air is simply a reality regardless of the amount of water in the glass.

So based on that it is a glass of water these many solution concepts. The reality of BPaaS, IaaS, SaaS and PaaS is that they represent change. As much a new way of doing things as anything else.

That new way of doing things has a cost. Not a cost simply because it is new and new things cost more than old things. Rather than there is an added abstraction layer that in the end makes for more complexity while at the same time reducing complexity.

Cloud implementations for many organizations represent a circular argument. There are risks to implementing and moving your solution to the cloud. There are risks to staying where you are. Change is a funny thing, sometimes you choose not to change (in this case move to the cloud) while everyone around you chooses to change (move to the cloud). In effect your organization ends up stuck between the two situations in the end. You are late to the game.

The solution concept that I find most interesting today is that of cloud brokerage. I look at the overall concept as proposed by NIST and I think it’s a start. But its only a start. The concept of aggregated services presented in a unified fashion represents only a part of what the market will eventually want. Brokerage is so much more than that. I wrote a Safegov article about Cloud Brokers as the new DMZ about 6 months ago. That is only the tip of the proverbial iceberg.

I believe eventually brokers will represent safe havens for companies. A secure location call it a cloud locker where your company can connect to the locker and then interact with the world from this new safe location. Certainly they will be constantly attacked but the advantage of constant attacks is that your security team gets better at fending off the attacks over time.

This “cloud-broker” solution concept is quite expansive. It goes well beyond what NIST defined. It creates much of what I wrote about in my book the Syncverse (now two years ago). The concept of a cloud based solution focused on delivering secure assets to users without flooding them with security.

So close.

.doc

Scott Andersen

IASA Fellow.

Cleaning my lab and wandering OS world…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

I am decommissioning my Windows Home Server this weekend. I’ve had one for more than 5 years. I just don’t need/use it anymore. It’s a great backup system but I moved to Carbonite for online and Western Digital for home backups so its redundant.

It’s the end of an era.

Interesting change in my lab. I’ve moved away from servers and into the end user world. Chromebook, Ubuntu, Windows XP, 7 and 8.1 all running in VM’s. I even have an Android VM. I suspect I should go get a Windows Phone VM as well. I haven’t to date, but perhaps I should.

The reason for the moves is as much an exploration as it is an evaluation of the potential reality of security. Its also a little personal curiosity. The Android OS appears in more and more devices. From the Kindle to the new Samsung Tablet series. Androids has a nice touch UI that makes it easy to use and simple.

Chrome has become a very interesting browser platform and the new versions of the ChromeOS and the Chromebooks are frankly highly useful. Many years ago Oracle tried to change the world with the Netbook concept. Microsoft even released a competitive netbook (I still have one from Asus). The new Chromebooks really offer a nice experience, incredibly fast and frankly replaceable. You can effectively destroy one, pick up another one and be up and running in less than 55 seconds.

Ubuntu has captured a nice and easy look and feel both for the desktop and the server version. Redhat still has a very nice look and feel as well, but the Ubuntu stuff has come a long way in the past two years.

iOS7 is also a significant upgrade. It is easier to use which is hard since iOS has always been incredibly easy to use. The newest is quite impressive. The interesting thing Apple has done with the new iPAD air (beyond the incredible commercials) is improved the battery life. It is truly now a media device that can go 9 or more hours running without needing a battery. What am I going to do with all my extra external batteries?

Finally – Windows 8.1. I would love to say my former personal favorite is an improvement but it isn’t a whole lot better than Windows 7. It certainly does a better job with touch computing, but the devices aren’t as touch supportive as the Android and iOS tablets are. If you add in Office 2013, then the solution suddenly starts to have legs, but without the Office connection Windows 8.1 continues to be lackluster. I do now have four boxes running Windows 8.1 in the house (the boys computers) and frankly I would walk back to Windows 7 in a heart beat (are you listening Redmond?).

The point to all of this reflection is that we do have OS choices now. Its really important to take a few minutes and determine which choice is best for you. Each has its strengths (and the strengths are often significant) and each has a weakness.

Choose wisely – cola nut or uncola nut!

.doc

Scott Andersen

IASA Fellow.

Still working on the office of tomorrow

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

Continuing my thoughts on the Office of Tomorrow. I have a couple of things that I am curious about. The first is the reality of connection.

Back in my first IT job (now more than 20 years ago) I had a chance to visit a customer’s video conferencing room. It was a huge room filled with for all intents and purposes a TV Station. Four camera’s and an actual satellite connection so that they could have a reasonably live video meeting.

Most of that you can do over Lync today. Or better yet use the incredible CISCO Tele-presence system. You can do it over WebEx and you can do it on any of other conferencing systems. Does that in the end change the reality of connection?

The network meeting companies all advertise that you can reduce the cost of meetings by having people meet virtually. From interactive whiteboards to much better local video cameras there are a number of changes that have made the process better than the TV studio of 20 years ago.

But there are still a few things missing in the virtual meeting.

First off is cultural acceptance of remote. Personally if I have to get something done I am more likely to finish it at home than at work. I get interrupted constantly during the day when I am in the office. The other side of virtual is punctuality. I’ve noticed that when you have in person meetings and your day is stacked you end up running late for the meetings. There is then the reality of sitting on virtual hold while you wait for the one person you need to kickoff the meeting.

So cultural is two fold with virtual meetings. The first is the reality of people not accepting virtual attendees. The second is the reality of time. I still think the concept of a virtual presence device would fit in well to this overall play but that is well, out there.

.doc

Scott Andersen

IASA Fellow.

The ultimate portable office

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

Is the office of the future, portable? When we talk about cloud computing solutions portability is one of the key functions that cloud providers can support. For the office of the future is portability the big thing?

First off portability is an interesting problem in and of itself. What does portable mean? Is it a rolling bag with 20 pounds of gear or a small bag with 2 pounds of gear?

The portable office would need the following:

  • Fax (which you can get for your cellular connected device)
  • Printer (color is best of course, just in case)
  • Scanner (again color)
  • compute resources
  • network resources
  • entertainment for when you aren’t working

To paraphrase George Carlin the list above is the stuff you need for a portable office. That doesn’t mean you lug all of that with you wherever you go. Just that having those components at your hotel makes traveling easier.

When you are in the office you can actually cut down to a good laptop/tablet and your cellular phone to handle all of the items on the list except the printer. Normally if you urgently need a printer you can duck into Kinko’s or the business center of your hotel.

Still having your own printer with you is of value if you do a lot of documents or need to have an emergency backup of your slides (just in case of a Murphy incident).

I keep fax on there only because insurance companies and banks still rely heavily on the technology. The concept of faxing will decline over the next two to three years. Today most larger financials actually scan your incoming fax into an editable format. In the end the fax is simply an easy mode of transport.

Finally getting to entertainment. What a change that field has undergone in the past five years. You can watch virtually any video, TV Show or sporting event easily on your personal productivity device. You are no longer bound to where you are or for that matter what time it is. On my last trip I sat in the airport waiting for my plane (delayed 2 hours) but it didn’t bother me. I had my iPad and many more than 2 hours of entertainment. Plus I had a movie saved on the device for the actual flight. It is a brave new world.

In the end your portable office could be that backpack with 2 pounds of gear. You no longer need the larger bag (except you may want it back in the hotel room just in case).

To think I once lugged 40 pounds of portable office gear to Malaysia four times in one year.

.doc

Scott Andersen

IASA Fellow.

Cyber Overkill…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

I’ve talked a lot about Cyber Security solutions for the past week. Its been on the top of mind for that time period. I did however want to take a break from the what’s possible in Cyber to talk about a different Cyber Security problem.

Cyber Overkill.

Or sometimes its more of a backlash. Where something happens either to your organization or to a peer organization and you implement harsh security rules to present the problem.

Cyber Security solutions like any other solution applied to and used to manage anything has a tipping point. The point where it becomes harder to do your job than the energy and time you can invest in that particular job.

That balancing act is what makes a good security person overall. They don’t sit in an office and create policies they move out to the field and try the policy before implementing it.

Still I know a lot of good Cyber people. They are incredible at what they do, but in the heat of battle they like anyone would tend towards over reaction. The good news is that when they do this it tends to solve the short term problem.

The bad news is it cuts into productivity.

Back in the day Smoking Breaks, coffee breaks the water cooler and hallway conversations used to be productivity sucks. They really weren’t if you look at how people work. Staring at the same screen for 20 minutes is no matter what a productivity suck.

People need social interaction. They need to connect with other people doing the same things. When they are forced to sit and wait for something to happen they ultimately will find ways around that problem.

Years ago I used to design policies for large companies to be applied when the computer booted. How do you get around that? Easily, you never boot your computer. You put it in hibernate or sleep mode. Then you never get the annoying boot screen.

You as the user are not impacted by the security rules. The organization you work for is however at risk because that machine lives in a state that may be two – ten days old. When your organization is moving at cloud speed that can be a devastating reality.

.doc

Scott Andersen

IASA Fellow

The office of tomorrow impacted by Cyber…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

What will the office of tomorrow entail? Will we support remote workers in a way that makes it less critical to be in the office? Instead of walls of cubes and offices the workplace becomes a collection of personal digital representatives. If you are in your cube you can connect toe the virtual presence devices. If you are remote you dedicate some of your connect to your VPD.

When you connect from home that virtual world connection will change as well. Logitech just brought out a new conferencing system that connects to your computer and allows you to connect to Lync, Webex and a couple of other conferencing systems. Ebeam let’s you turn part of your wall (painted with Idea paint) or a whiteboard into an interactive conference whiteboard. You can also use your windows, iPad or Android Tablet as a portable conferencing whiteboard.

Will the workforce of tomorrow work in their PJ’s?

Into this flow Cyber Security. If the workforce of tomorrow is in fact virtual how do we deal with home networking issues? Recently there have been any number of press discussions of the security and lack of updates for home routers.

It is a balancing act. Enabling the workforce of tomorrow without forcing them to have specific technologies in their home. It is a bright future, the office of tomorrow, but there are some kinks that need to be ironed out before it’s the perfect world solution.

It comes back to that concept I proposed yesterday (safely getting data that invokes governance ) of the users mobile device. Eventually data that will require governance could be tagged at the meta data level. This tagging would be adaptive (you’ve created new information from merging two old files that now requires governance) and you would then automatically capture that data and move it. You would need to leave a stub to that information on the users device (as they may create it and then touch it again later for edits etc).

That will require better quality tools on the Tablet and Cellular device than we have today by the way.

.doc

Scott Andersen

IASA Fellow.

Cyber, BYOD and MY changed data…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

security concept for blog

Yesterday I talked a little about this security concept of myself and smart device connecting to the cloud and once there creating a new document that meets the organizational governance requirements and needs to be removed from my smart device and placed in the document repository of my organization.

I could, given the current state of things email said document to the Document Management system but that requires action by me. I suspect we would be better off evaluating the concepts of containers on the device.

In that scenario the data would be held in two places the first being the on-premise or cloud based organizational data store. The second place would be the mobile or smart device. When data is manipulated on the smart device the save process will force it into the container and the container will sync it back to the original store as a modification.

It would reduce the overall requirement for the user to actually engage and ultimately “send” the report in. The other side of this is of course something I’ve talked about many times. The reality of stepping on my personal bandwidth. I’ve made a joke in a few meetings recently (want to reduce organizational bandwidth requirements? Implement a BYOD policy and then don’t allow for that to be expensed, and don’t allow users to connect their personal device to the company wi-fi). The problem remains that in fact my bandwidth on my smart device is much less than on my home network or office connection.

The reality of device security will shape the next 2-3 years of IT. What do we do with all that data that is consumed on smart devices?

Will we see devices with secure stores directly on the device? A store that can only be accessed by a password, a finger print and eventually a gesture known only to the user? That would make the first part of the equation much stronger. Then simply have that chip securely communicate with the organizational on-premise or cloud based data management system.

.doc

Scott Andersen

IASA Fellow

Cyber Security and a Governance problem

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

I haven’t thought a lot about a couple of things until recently when it came to security. Yesterday I realized that while I had been thinking about a problem I wasn’t in the end thinking the entire problem through.

Cyber Security or the protection of digital assets has a number of components. One of these is the broad concept of “securing things.” Another consideration is the governance policies that apply to information.

You can take two pieces of information and in combining them create a new piece of information that in the end has a higher classification than either of the first two pieces of information.

The thing I realized yesterday is that you can in the end do that on your mobile device. While containers are interesting and HTLM5 presents a number of options for remote solutions and wiping those in the event of device loss we still have the broad problem of what happens when IP is created that falls into the governance policies of the organization.

This could be information lifecycle management issues or IP management issues that result in a great idea that in the end has no path into a formal KM or Document management system. Certainly the user could email or using a web page drop the information into the system but there has to be a better way.

A system that automatically notes you’ve created something that should be stored and places that IP into the library with your name on it.

First that solves a problem I’ve been chasing for 12 years (getting people to submit IP) by removing the IP from the device automatically. Second it offers an interesting reality the concept of device data backup.

The problem is how would you do it. An application on the remote device or a piece of hardware would be bound by the same bandwidth as the device. That means once the IP is created unless you are shutting down the users’ access (phone/data) to upload the document. The usage of a device is only as relevant as the data it can consume. If you, in creating this new solution make the device useless the user will react to that.

There has to be an easy way to keep the IP on that device connected to the IP management system (secure or knowledge).

.doc

Scott Andersen

IASA Fellow.

I have a sorry dream…

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

I hear from Cyber experts all the time that every device is hackable. I believe that from the broadest perspective but then I also look at the various hackable devices and I have to say why?

Why would someone want to hack a Smartwatch. Limiting processing and memory, limited ability to run anything other than the phone connection. Sure you can then hack the smart phone, but TO GET TO THE SMARTWATCH YOU ALREADY HAD TO HACK THERE PHONE. I guess if you realize your Smartwatch is hacked, you should probably crater your phone.

Of course we could and should implement better device security for Bluetooth than simply key pairs. There certainly has to be an easy way to create a bond between devices that doesn’t involve a hackable set of numbers. Mayhap mini-DNA readers on each device and a drop of blood required to pair them?

Honestly Cyber Security comes back to the same business concepts as just about everything else. Certainly there are risks in the world and based on those risks we should be very careful. But there are costs beyond the risks that we need to be careful of. Building Cyber towers to protect peas isn’t a great idea. Creating adaptive Cyber Security systems that are aware of threats and react to them in a managed fashion is a much better path.

It comes down in the end to the balance. You can’t secure something unless it is already being used. You can’t protect users from doing things they shouldn’t do. What you need to do is protect users who didn’t do anything and crater the machines of those that do something.

To steal from MLK – I have a dream. Someday security, business, enterprise and technology solutions will work together to create more productive employees and managers. This world will be a better place for all.

.doc

IASA Fellow

Privacy, Governance and more Cyber Security

http://docandersen.podbean.com
https://docandersen.wordpress.com
http://scottoandersen.wordpress.com
My Amazon author page!!!!
http://www.safegov.org

Cyber Security has a number of professionals engaged in the world and those numbers are growing. From the concepts of privacy, governance and security (digital and physical) the field is growing by leaps and bounds.

The problem is the hackers are still ahead.

You can provide a solution that has moving data. No one knows where the data is or will be. You could although not today even create a network that looks more like 30 straws put into a milkshake for sharing. Each straw representing a unique data pipe. Your security solution being that no one knows which pipe is being used at any one time and the pipes are switched randomly. Of course the cost of a such a solution would be incredible.

Eventually we will have systems that consider other models as well. Partial data flow, again using two or more pipes creating data packages that are useless without the other half the package. Combine that with multiple paths and randomize both the path and the data packets and for a time Hackers would be behind. Key is they would be behind for a time. The weakness in any security system remains the human being.

So we chase down the path of any number of solutions. Intel has embedded security on its processors. That is a great starting point and gives you end point protection to a degree. Companies implement governance policies for the management of, production of and ultimately storage of intellectual property. Of course the reality of IP management is if you secure it too tightly the flow of IP will begin to fade.

Of course we shall not forget privacy. The broad concept that I am and should be allowed to exist without disruption. The fastest growing crime in the world? Identity theft the ultimate form invasion of privacy. I know enough about you to convince someone else I am you.

I have a friend who talks about the tootsie roll effect of security (hard outer shell – soft chewy center). He says we should consider making security from the edge to the core. Defense in depth it is often called.

Personally I am beginning to believe that security should in fact be dynamic. Literally at times an over reaction for a small transgression and ignore a larger one. The adversary should never know where the data is (opening thought) and should never know when or how hard they are going to get hit.

.doc

Scott Andersen

IASA Fellow