We’re still struggling to learn forty-year-old lessons about cyber security
David Knott

I just finished re-reading The Cuckoo’s Egg, by Clifford Stoll. It’s a classic of cyber security, telling how Stoll, as an astronomer-turned-reluctant-sysadmin, attempted to resolve a 75 cent computer billing discrepancy, only to be drawn into a story of hacking, surveillance and theft, involving the FBI, CIA and NSA.

The action in the book takes place in 1986 and 1987, so it is full of references to technology which was modern at the time, but seems quaint and old-fashioned today: 1200-baud modems, pagers and daisy wheel printers. What is striking, though, is how much of the hacking activity uses techniques which are still in use today. I won’t spoil the book for anyone who hasn’t read it, but will say that it contains examples of identity theft, credential compromise, dictionary attacks, supply chain attacks, vulnerabilities in commonly used software and privilege escalation. The pattern of behaviour would suit a cyber criminal working today: probe for assets which aren’t properly secured; gain access; take over an unused account; escalate privileges; move laterally; exfiltrate data; erase evidence. And keep on coming back and doing the same thing over and over again.

Passkeys show why standards need explaining
David Knott

I got a new phone recently, with mixed emotions. Delight: it’s a shiny new gadget! Scepticism: is it really that much better than my last phone was when that was new? Regret: could I have eked my old phone out for a bit longer, even though it was getting steadily slower and fuller?

And, of course, dread: can I still access all the apps that I need to access? How many of my credentials have transferred seamlessly? How many apps just need a simple re-validation? And how many will trap me in a loop of email resets, forgotten user ids, and notifications sent to devices which I don’t even own any more?

Authentication has been a mess for years. Passwords provide flimsy protection, and companies keep trying to make them stronger by making them more complex: for example, sixteen characters, including numbers and special characters, leading to the absolutely unbreakable ‘Passwordpassword123!’, written on a Post-it note and stuck to the monitor. Password managers and strong password suggestions make them marginally better, at the cost of making password managers a target for attack. Two-factor authentication is stronger still, if only providers could agree on what extra factors to use and how to implement them: I currently have four different authenticators on my phone.

Are you under attack from your corporate immune system?
David Knott

It was supposed to protect us.

One of the most disconcerting aspects of the recent CrowdStrike incident was that the process which caused the disruption - a rapidly deployed update to a piece of endpoint protection software - was meant to prevent disruption. Rapid deployment was intended to help us respond quickly to new threats against which we would otherwise be defenceless. Low-level access to the operating system was intended to enable us to detect and deal with anomalous behaviours and subtle modes of attack. Tools such as CrowdStrike are supposed to be vital parts of our immunity against deliberate attacks and accidental failure: they are not supposed to turn on us.

It might seem that incidents such as the CrowdStrike update failure are, mercifully, rare. Most of the time, we rely on our corporate immune system to help us, not to harm us.

Eat your standards: they’re good for you
David Knott

I didn’t like vegetables much when I was growing up.

This might have been due to my immature palate, or it might have been because the quality and variety of vegetables in British cuisine in the 1970s were limited. I knew that I was supposed to eat more vegetables, but why should I when there were plenty of burgers, chips and beans to go around? (Do chips and baked beans count as vegetables? Technically, yes, I suppose, but not aesthetically or nutritionally.)

I think that technologists sometimes have a similar attitude to standards. We know that we should follow them, we know that they are probably good for us, but we also feel that they cramp our style, and that they are rather less fun than they could be. This is especially the case when we have the figures of central governance, change boards and process approvals looming over us, asking us whether we have implemented our standards and whether we can prove it, the technical equivalent of asking whether we have eaten our vegetables and whether we have clean plates to show for it.

Who said that adopting the cloud was going to be fair?
David Knott

It’s not fair!

The cry of the outraged sibling through the ages. Why is my older sibling allowed to go places that I’m not allowed to go? Why is my younger sibling tolerated and indulged, when I would be punished for the same behaviour?

I suspect that many enterprise technologists feel the same way about the treatment of public cloud in their organisations, compared to the treatment of their on-premise infrastructure, even though they are too professional to wail, ‘It’s not fair!’

Why is it, they ask, that they are made to jump through multiple hoops to ensure that their encryption standards and approaches to key management are watertight on cloud, while on-premise, most of their data is unencrypted? Why is it, they go on to ask, that their risk teams fret about the distance between zones and regions, when their on-premise infrastructure is crammed into twin data centres which are overdue for refurbishment? Why is it, they lament (they’re on a roll now), that everything they do must be automated and instrumented, while on-premise infrastructure is still maintained through manual processes that take weeks to complete - if they are ever completed at all?

Is your technology solution a well behaved house guest?
David Knott

‘How many devices do you have in your home connected to the Internet? One? Three? Five?’

It was 2010. I was attending an internal conference within the technology department of a large bank. The leader of the digital team was illustrating the rapid expansion of the Internet, and the importance of digital customer experience.

Most people put their hands up to show that they owned a few connected devices. Most put their hands down by the time the count rose to five.

I considered my answer to the question. I had a work laptop in my bag. I had an iPhone and a work Blackberry. I had two PCs at home with a broadband connection. My wife had an iPhone too. We had six connected devices in our house (sometimes). I was at the top end of the spectrum; perhaps I even counted as an early adopter!

Infrastructure can be opaque: your cloud should be see-through
David Knott

Imagine this situation. You have just been alerted to a critical security vulnerability in a piece of systems software embedded in thousands of physical and virtual servers across your on-premise technology estate. Your software provider has issued you with a patch, and you need to apply it as quickly as possible. Your business and technology stakeholders understand the gravity of the situation, and are willing to accept the disruption necessary for an emergency patching programme. It’s a race against time, between your ability to patch and the bad actors coming after your systems.

You have many problems in winning this race. Some of your systems don’t have automated testing in place, and you suspect that the patch will break at least a few of them. Many of your systems aren’t properly stateless, and restarting servers will disrupt their operations. Some of your really old systems don’t like being restarted at all, and will need careful attention.

A balance between security, convenience . . . and legacy
round trip question, David Knott

We talk about the Stone Age, the Bronze Age and the Iron Age, and sometimes the Digital or Information Age. Perhaps one day we will talk about the Paper Age: the time when the world was run on systems and processes and information, but those systems and processes were manual, and the information was stored on paper.

Back in the Paper Age, the way you proved your identity to your bank, whether to make a deposit, withdrawal or payment, was by signing a piece of paper: a paying-in slip, a cheque or a letter. Today, that seems like an incredibly primitive and insecure method of authentication. Cheque books can be stolen, signatures can be easily forged, and anyone can write a letter. And, of course, banks were subject to fraud during the Paper Age, to the extent that there are many slang terms for writing bad cheques: paper hanging, cheque kiting, bouncing cheques, hot cheques and so on. But many of these forms of fraud were exploiting the same feature that gave the banking system some measure of protection: it was slow. Cheques were physically transported to central sorting facilities where they were checked, reconciled and cleared. Letters could be queried. Signatures could be manually checked.

A question of identity
round trip question, David Knott

It happens in the blink of an eye. You press the tip of your finger against your phone. A capacitive sensor determines the pattern of ridges and valleys in your fingerprint. An algorithm matches the pattern against a digital representation stored in a secure enclave on your mobile device. If it finds a match, it unlocks your phone (or does whatever other task you were attempting to authorise).

There are other means of authentication, such as facial recognition, PIN codes and passwords, but I think that fingerprint recognition is particularly interesting because it illustrates important differences between the ways that humans and machines and systems deal with identity. (By ‘systems’ I mean all formal, process driven methods of interaction - not just those implemented in software on computers.)

When humans think about identity we think about an individual, a person. When we say that we know someone, we mean that we know many things about them: not just their name and their profession, but aspects of their behaviour and personality. It is remarkable how quickly we form an impression of a person: even if we have only shaken hands and shared a meeting room with someone for an hour or two, we come away with some idea of what they are like. (Of course, our impressions are also subject to bias and preconceptions: the speed with which we form ideas about others is not always a good thing.) When we encounter that person again, we don’t typically feel that they need to prove their identity. We recognise them.

Cloud leadership: the Guardian
cloud leadership, David Knott

A recent LinkedIn post asked people to suggest two words of advice they would give to someone starting out in their career. I immediately knew which two words I would choose: ‘Don’t Panic’. As well as welcoming any opportunity to recognise the work of Douglas Adams, I believe that these words are relevant to all business circumstances. I can think of many challenges, crises, setbacks, failures and genuine disasters which I have faced throughout my career and, while most of them needed energy and urgency, I can’t think of a single one that would have been improved by panic.

I think that these two words should be the motto of one of the seven key leadership roles for Cloud transformation: the Guardian. The Guardian is the person who thinks about all the things that could go wrong, and how to protect their enterprise from those circumstances. They are also the person who understands that risk cannot be eliminated, only managed, and that risk mitigation measures have a cost to the enterprise, often expressed in impacts on speed and agility, as well as cost.
