Tag Archives: cloud

Avoid the Security Umpire Problem

Have you ever been part of a team or committee working on an initiative and found that the security or compliance person seemed to be holding up your project? They seemed to find fault with anything and everything and didn’t add much value to the initiative. If you are stuck with security staff who behave like this all the time, that’s a bigger issue that’s not within the scope of this article to solve. But most of the time it’s because this person was brought in very late in the project and a bunch of things have been thrown at them at once, forcing them to make quick calls or decisions.

A common scenario is that people feel there is no need to involve the security folks until after the team has come up with a solution. Then the team pulls in the security or compliance folks to validate that the solution doesn’t run afoul of the organization’s security or compliance standards. Instead of a team member who can help with the security and compliance aspects of your project, you have ended up with an umpire.

Now think back to when you were a kid picking teams to play baseball. If you had an odd number of kids, then more than likely there would be one person left over who would end up being the umpire. When you bring in the security or compliance team member late in the game, you may end up with someone who takes on the role of calling balls and strikes instead of being a contributing member of the team.

Avoid this situation by involving your security and compliance staff early on, when the team is being assembled. Your security SMEs should be part of these conversations. They should know the business and what the business requirements are. They should be involved in the development of solutions. They should know how to work within a team through the whole project lifecycle. Working this way ensures that the security SME has full context and is a respected member of the team, not a security umpire.

This is even more important when the initiative is related to virtualization or cloud. There are so many new things happening in this specific area that everyone on the team needs as much context, background, and lead time as possible so that they can work as a team to come up with solutions that make sense for the business.


The Taxonomy of IT – Part 4: Order and Family

The Order level of IT classification builds upon the previous Kingdom, Phylum and Class levels. In biology, Order is used to further group like organisms by traits that define their nature or character. In the Mammalia Class, Orders include Primates, Carnivora, Insectivora, and Cetacea. Carnivora is pretty self-explanatory and includes a wide range of animal species. However, Cetacea is restricted to whales, dolphins and porpoises and indicates more of an evolutionary development path that is consistent between them.

In IT, the concept of what we consume and how we got to that consumption model correlates to the concept of Order. So, Order focuses on how IT is consumed and why it’s consumed that way.

Business needs drive IT models, and as business needs change, so does the way we leverage IT. An organization may have started out with a traditional on-premises solution that met all of its needs, and over time has morphed into a hybrid solution of internal and external resources. Likewise, the way users consume IT changes over time. This may be due to underlying business change, or possibly due to “generational” changes in the workforce. In either case, where IT is today does not always reflect its true nature.

Using consumption as a metric, we can group IT environments to bring to light how they have evolved, and expose their future needs. Some examples of different Orders might be:

Contra-Private – IT is mostly a private resource and is not specifically consumption driven. The IT organization uses their own internalized set of standards in order to identify the technical direction of the platforms. Shunning industry standards and trends, they often take a less-is-more approach to the tools and services they provide to the business. Ironically, their platforms tend to be oversized and underutilized.

Mandatorily-Mixed – here IT leverages a mix of internal, external, hard-built and truly consumed resources because the business demands it. IT may have less power to make foundational decisions or affect policy, but they typically will be better funded and be encouraged to work with outside groups. Often the internal/external moat is drawn around the LOB application stack, and these tend to be overly scaled.

Scale-Sourced – In this Order, IT would be incented to make efficiency and flexibility their guiding principles for decision-making. The business allows IT to determine use of and integration with outside services and solutions and relies on them to make the intelligent decisions. This Order is also user driven, with the ability to adopt new services and policies that drive user effectiveness.

The Family classification is the first real grouping of organisms where their external appearance is the primary factor. Oddly, what is probably the most visually apparent comes this deep in the classification model. Similarly within IT, we can now start grouping environments by their IT “appearance,” or more fundamentally, their core framework.

If you dissect a honey badger, it would probably be evident that it’s very much like other animals in the weasel family. Its overall shape and proportions are similar to other weasels, from the smallest least weasel to the largest wolverine. So size is not the factor here; what is more important is the structure, and what type of lifestyle that structure has evolved to support. Therefore, in IT, Family refers to the core structure of data flow within IT systems.

Here are some examples:

Linear – IT is built along a pathway that conforms to a linear workflow. Systems are built to address specific point functions such as marketing, financials, manufacturing, etc. Each system has a definitive start and stop point, with end-to-end integration only. Input/output is translated between them, often by duplicated entry, scripted processes, or third-party translation. One function cannot begin until another has completed, thus creating a chain of potential break-points and inefficiencies.

Parallel – Workstreams can be completed concurrently, with some form of data-mashing at the end of each function. While this structure allows for users to work without waiting on others to complete their functions, it does require additional effort to combine the streams at the end.

Linked – Here, systems are linked at key intersections of workflow. Data crosses these intersections in a controlled and orderly fashion. Often, the data conversions are transparent or at least simplified. The efficiency level is increased, as dynamic information can be utilized by more than one person; however, the complexities of this approach are often fraught with underlying dangers and support challenges.

Mobius – If you know the form of a Mobius strip, you get the idea here. In this form, it doesn’t matter what side of the workflow you are on, everything flows without interruption or collision. If this is delivered by more than one integrated system, then the integration is well tested and supported by all parties involved. More likely, this form is enabled by a singular system that receives, correlates, and forwards the data along its merry way.

Both the Order and Family are where we start to see the benefits of a Cloud IT architecture. Built to specification, consumed in a flexible, on-demand way, and enabling the true flow of information across all required systems may sound like nirvana. But, consider that our limiting factor in achieving this goal is not technology per se, but our ability to visualize and accept it.


Is Your Data Really Safe in a Cloud Service?

Many users see the cloud as something infallible, where their data will never disappear and their service will always be online, but is that really true?

Contrary to many opinions, the term “cloud services” has nothing at all to do with the term “service guarantee.” The quality and guarantee of a service do not depend on its name; they depend directly on the quality, knowledge and investment of the provider that offers it.
