Tuesday, January 11, 2011

From Silo to .....

The shift from being a silo focussed Enterprise, to a Deperimeterised one is NOT a simple task. The primary reason for this is that it involves a tectonic shift in all the key components of an organisation, including all those that relate to each of the major domains of People, Process and Technology, in short everything must change.
The Culture of the organisation must change from top to bottom, this shift involves moving from a "Do It Ourselves" to a "Do It Collaboratively" approach. In Information terms this means moving from keeping Information to ourselves, to sharing information with others. This leads to the need of a fundamental shift in governance systems, meaning that the systems that govern the direction of, and behaviours in an organisation often need to be reversed, and certainly re-designed. The implications of the importance of this part of the "shift" can be seen in the failure of many organisations trying to make the shift. Business Leaders making this change understandably feel nervous and as a result resort to taking up the governance reins, hoping that they will be able to effectively steer their organisation throughout the change. Empowerment is the first thing to suffer with this approach, as this behaviour is observed and replicated down through the leadership ranks, and yet Empowerment is one of the most important success factors in making this change. This results in a failure to appreciate which of the many unknown processes in an organisation are key and which can be eliminated. My own view of the failure of Michael Hammer's Re-Engineering of Enterprises in the 1980's stemmed from the basic fact that the Leaders of an organisation of any reasonable size have no way of being able to understand all of it's processes. Especially as so many of those processes are "unknown" and certainly undocumented. (The most successful re-engineering exercise I was ever involved in occurred in France, where an enlightened leader, whilst using an external consultant, insisted that all of his staff were involved in the re-engineering exercise, unfortunately the effort were supplanted by a "Top Down" change that was Global resulting in a 400% loss of productivity.) Changing the business processes of a silo based organisation to deliver the needs of a Deperimetersed one, is not a trivial exercise, and certainly not one that can be achieved incrementally. For few organisations understand all the processes that they operate, let alone the Information Assets that are key to these processes. Our inability to manage the vast amounts of information that modern Enterprises produce inevitably leads to the use of Information Technology, and here-in lies the tail that wags the Corporate Dog. Advances Information Technology has lead to an amazingly powerful tension driving organisations towards Deperimeterisation. Cloud based services, being simply the latest of these advances. Consumerisation is another of these technology mediated tensions.

I am reminded of a challenge in one of the many corporate team building exercises that I have had the pleasure of engaging in. This one had me dressed up in massive amounts of padding, connected to bungy cord and then told run up a padded aisle to see how far I could get. The weird experience of having the bungy cord decide that I had come far enough and drag me flailing back to the start must have been designed to teach me something, though I can't remember what.
in the case of the Silo based Enterprise, the bungy cord is Deperimeterisation, and no, it is not connected to the other side of the Grand Canyon but to the Moon. in the words of Eric and Ernie, "Get out of THAT without moving!"

The good news is that Mankind has demonstrated our ability to get to the Moon and back. Is your organisation ready to demonstrate the capabilities needed to achieve this shift? If it is small and agile, then likely yes, if you are in a large organisation here's hoping you have a charismatic leadership team with Vision, who believe in Empowerment.

To those expecting the word security to appear in the body of this article, on September 12th 1962 did Kennedy use the word Security in announcing the endeavour that relied upon Security at every step?

"We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.". http://www.historyplace.com/speeches/jfk-space.htm

Will your organisation choose to go to the Moon or will it be dragged there flailing? One thing I will say is; your ability to treat Information as a valuable asset is going to be fundamental to your success, with a rethink of "Identity, Entitlement and Access Management" being a crucial early step, but that's another blog!

Sunday, January 09, 2011

Mac App Store introduces the opposite of Shop Lifting

The opposite of Shop Lifting would be called something like Wallet Snatching.

With the new functionality introduced by the 10.6.6 upgrade the Mac App Store introduces the unwary to a new means of losing their money. The App Store used by iPhone, iPod, and iPad owners has a two click to purchase interface. With Mac App Store, Apple have introduced, an arguably devious, means of increasing sales by eliminating the "Are you sure?" Click.

This seems like a minor deal, but you must remember that the Terms and Conditions of App Store basically says when you have bought it it's yours and there is NO means of getting your money back apart from going to the developer of the software.

I am not a lawyer but I believe that Apple have successfully driven a coach and horses through the sale and purchase of goods Act, which clearly states that it is the seller, not the manufacturer, who is responsible if goods do not conform to contract.

This coupled with the fact that the App Store was not built to be secure from the developers perspective is a reason for developers who value their brand and their profit to steer clear from the App Store.

A recent incident I experienced with the SlingBox App has damaged Sling Medias brand in my eyes and certainly means I will be doing no more business with them. I also aim to stop as many of my friends as possible from buying Slingboxes. This arguably all stemmed from Sling Media's use of App Store, and hiding behind the Apple's decision to ignore the Sale and Purchase of Goods Act.

CAVEAT EMPTOR is even more important when it comes to doing business with Apple.
I think that may be assuming that they are above the law!

Yippee! End to End Secure FaceBook

"A step towards being my Identity Service Provider"

In the wake of FireSheep and the ability of coffee shop squatters to harvest authentication cookies from insecure WiFi Networks, and gain "one click" access to FaceBook accounts, FaceBook have started up a new way of accessing FaceBook. With the launch of https://ssl.facebook.com/ one can now have their authentication cookie, and all other data, securely transferred to and from FaceBook. While this does not solve all of FaceBook's security issues, (after all they still use Username and Password for account access!) it is a very important step. All FaceBook users should shift to this means of accessing FaceBook. Currently, it is still in a testing phase the service will be more broadly promoted in coming months.

So to benefit from "end to end secure FaceBook" change your FaceBook bookmarks now, I have!
Now all I have to do is figure out which of the many applications I use to access FaceBook use this secure protocol.
Anyone have a list?

This is a welcome step, and if FaceBook continues in this vein, I will be happy to expand my use of them as my Identity Service Provider. Recently they are more openly about positioning themselves as an Identity Service Provider, they are choosing to gain the position by slowly on FaceBook App at a time. More importantly they have the potential to gain the trust of Enterprises as an Identity Services Provider. They are more likely to achieve this status, if they comply with all the Jericho Forum Commandments.

There are some additional services and capabilities that would help me make this step. What am I missing ?

1) A revised authentication infrastructure that eliminates the use of Username and Password as the prime method of Authentication to FaceBook

2) An easy to manage Security Dashboard that allows me simple oversight and control over my web based Identities

3) A Security Monitoring Service that has the capacity to alert me when my data is being harvested, or misused

4) A means of more finely selecting which of my data I want to share with specific services that use FaceBook Connect
(Currently it is a binary decision, often "All or Nothing", with little ability to negotiate)

5) Methods of enhanced authentication, which I can choose to use for specific services that I may choose to use FaceBook Connect with.

6) Various Methods of warning when specific events, of my choosing occur. I would see three levels "Alert Ferocity"
a) Poodle: Just giving you the heads up
b) Jack Russel: Seriously annoying until you accept the alert
c) Pit Bull: Will fight to the death to get the alert through to you, no matter the cost

7) An ability to apply varied levels of friction to information flows that I can select for different types of data, or specific data elements.
a) Open = No friction, Anyone has access
b} Closed = Limited Friction, Many have access, though it is easy to share with others
c) Combination Locked = Serious Friction, fewer have access, but it is difficult to share with others
d) Key Locked = Ultimate Friction, few have access, and I am informed when they access

8) A Transaction Dashboard that allows me oversight and control of my ALL web transactions, this service will only be possible after FaceBook has really proven their ability to look after my interests.

Clearly, I expect others, not just FaceBook, to be aiming to provide these identity services and this list equally applies to them. Some providers will have more complete and robust services, others will not provide the complete range of robust and trustworthy


Source of key elements in this blog
http://technologyreview.com/printer_friendly_article.aspx?id=27027