You Really Have to See This: From MIT Media Lab

March 13, 2009

Words can hardly describe how neat this technology is.  I’m excited and enthused for many reasons, including the potential power of this technology to help us all make better decisions and of course to bring even more fun to our lives.  Watch and let your imagination go… Think of the wonderful ways we can interact with data to do good things in the world.

Other thoughts:  Look for the dynamic, moving newspaper.  Yet again there is more evidence that Hollywood is driving enterprise technology.


Enhancing Security and Functionality At The Same Time

February 24, 2009

Have you ever been sucked into the false debate over how much of the IT budget should be spent on security?  I used to get sucked in all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated out.  By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   I try whenever possible to use the term security and functionality in the same context just to underscore that point. 

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this way also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.  

That is a dramatic goal.  What makes me think it is achievable?  In part, the dramatic action being put in place today in the federal space.  And in part, dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  
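To make the distinction between the first group of controls (“subject to automated measurement and validation”) and the second concrete, here is an added example that is not from the blog post or the SANS CAG material: a small Python script that measures control 1 (hardware inventory) by diffing the devices observed on the network against the authorized list, and control 11 (dormant accounts) by flagging enabled accounts with no recent login. The inventory, the directory export, the MAC addresses and the 90-day idle threshold are all constructed assumptions for the illustration.

```python
"""Automated measurement of two Consensus Audit Guidelines controls.

Illustrative example only (not from the SANS CAG site or the blog post):
  - Control 1:  Inventory of Authorized and Unauthorized Hardware
  - Control 11: Dormant Account Monitoring and Control

Both are measured from data an enterprise already holds: an authorized
asset list plus devices seen on the wire (e.g. from DHCP/ARP records),
and a directory export with last-login dates.  All data below is constructed.
"""
from datetime import date, timedelta

# Constructed sample: authorized hardware inventory (MAC -> hostname).
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "ws-finance-02",
    "00:11:22:33:44:03": "srv-files-01",
}

# Constructed sample: devices observed on the network this week (MAC -> IP).
OBSERVED_DEVICES = {
    "00:11:22:33:44:01": "10.0.5.21",
    "00:11:22:33:44:03": "10.0.5.40",
    "00:11:22:33:44:99": "10.0.5.77",   # not in the authorized list
}


def measure_hardware_inventory(authorized, observed):
    """Control 1: devices seen but not authorized (investigate), authorized
    devices not seen (stale inventory entries), and the share of observed
    devices that are accounted for."""
    unauthorized = sorted(set(observed) - set(authorized))
    unseen = sorted(set(authorized) - set(observed))
    coverage = 1.0 - len(unauthorized) / len(observed) if observed else 1.0
    return {"unauthorized": unauthorized, "unseen": unseen, "coverage": coverage}


# Constructed sample: directory export as (username, enabled, last_login).
ACCOUNTS = [
    ("alice", True, date(2009, 2, 20)),
    ("bob", True, date(2008, 10, 1)),          # no login for months
    ("contractor7", True, None),               # never logged in
    ("svc-backup", False, date(2008, 1, 5)),   # already disabled: not dormant
]


def find_dormant_accounts(accounts, today, max_idle_days=90):
    """Control 11: enabled accounts with no login inside the idle window.
    The 90-day window is an assumed policy value, not a CAG figure."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(
        name
        for name, enabled, last_login in accounts
        if enabled and (last_login is None or last_login < cutoff)
    )


def cag_report(today=date(2009, 2, 24)):
    """Combine both measurements into one report; the fixed date keeps the
    example reproducible."""
    return {
        "hardware": measure_hardware_inventory(AUTHORIZED_HARDWARE, OBSERVED_DEVICES),
        "dormant_accounts": find_dormant_accounts(ACCOUNTS, today),
    }


if __name__ == "__main__":
    print(cag_report())
```

Run on real data, the two numbers that fall out (unauthorized devices per week, dormant accounts per audit) are exactly the kind of repeatable metric the post asks for; the second group of controls (red team exercises, incident response capability) has no equivalent one-line measurement, which is why the CAG separates them.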

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.


Plastic Logic and what could be the ultimate thin client

February 9, 2009

I’ve written a bit here about new display technologies that are so thin they are disruptive to our current way of work.

In October 2007 I wrote “Enterprise Requirements Come From Hollywood” where OLED (organic light emitting diode) TVs were discussed.   I mentioned the fact that once again Hollywood got it right first, with superthin displays in sci-fi and fantasy movies helping to drive user expectations and requirements.  I’ve also written about thin clients, especially the game-changing infrastructure components for thin clients from Sun Microsystems.  The servers supporting thin clients provide dramatic positive benefits for any IT enterprise.

And in January 2009 I wrote:

Flexible computers will arrive in production this year for early adopters and many CTOs will use them in labs to assess applicability for massive deployment in the coming years.   These flexible computers are the ultimate thin clients.   Backends/servers/architectures developed for the cloud perfectly suit ultra thin, flexible computing devices. For more on this hot topic, start at the site of the Flexible Display Center at ASU.

One company poised to take advantage of the technologies of flexible displays is Plastic Logic. They are a Silicon Valley startup producing a paper-pad-thin device that is designed for business reading.   For now, their offerings are focused on the business user and information can get into the device either by users sending it to the device or by content providers.

The Plastic Logic Reader is officially still in development.  It will enter the market later in 2009 via pilots and trials (I hope to get one) and then be commercially available in 2010.  Complete feature lists are not available but it supports a wide range of document types, including: PDF, DOC, DOCX, XLS, XLSX, PPT, PPTX, JPEG, PNG, TEXT, HTML, BMP, RTF, and ePub.

Users will hold this reader like they hold a piece of paper and read documents provided via wireless communications. The device weighs ounces not pounds, is thinner than a Macbook Air, and has a battery that lasts days rather than hours.  For more see this video of Plastic Logic CEO Richard Archuleta from the Fall 2008 Demo conference:

My suggestion to any enterprise-class CTO is to check out their website and find ways to get their capability into your lab and into the hands of your users.

I’d also suggest thinking through how these devices can fit into the rest of your enterprise, and I’d suggest you (actually, I suggest all of us) start formulating our desires for enterprise capabilities on this device.  For example, what encryption will be used?  How will it do identity management?  How will it do access control?  How will it work with a Sun Ray environment?


Cloud Computing and Net Centric Operations

January 14, 2009

I’ve just posted a draft paper on my site on the topic of Cloud Computing and DoD’s Net Centric Operations.   My intent with this paper is to keep beating it up till it is in condition to publish, and I would value your comments on the paper.  Please check it out at:

13Jan2009_Computing_and_Net_Centric_Operations.pdf

One of the things I learned while pulling together this info is that honest people disagree, sometimes vehemently, on exactly what the term Cloud Computing means.  For that reason I recommend anyone writing or briefing the topic start with a definition right up front.  For the purposes of the paper I’m working on for DoD I mention two ways to look at the term.  Most users view anything done elsewhere as “cloud” computing.  Most technologists and architects view “cloud computing” as a much more elegant term which implies new ways of providing capability on demand by use of virtualized resources, pools of storage and other scalable computational resources.

Note, I’m very thankful to the dozens of friends and associates who have already commented on this paper.   Most initial dialog I had on the paper was via Twitter, which once again proved to me the value of that cloud based capability. 

Bob


A look ahead: Some technology developments to expect in 2009

January 1, 2009

2008 was a year of rapid changes for Chief Technology Officers.  We should expect 2009 to move even faster.  Where will the biggest trends take us?  I offer some considerations below.  Please look these over and give me your thoughts.   Push back if you have disagreement.

First, my overall advice for CTOs in 2009… Just like the new thin interfaces you will be testing in your lab… be flexible.   Now here are some more thoughts on what's in store for CTOs in 2009:

  • Here is a no-brainer: Increasingly CTOs will leverage social media to collaborate.  Things are moving so fast that we all like to network to seek help on big things and to get advanced warning on what is coming next.  More of us will be on Twitter, in Facebook, and writing blogs.  And this is a good thing.
  • "Mashups" will still be very important as an enterprise objective in 2009 (and beyond).   And the company that will help accelerate them into the federal enterprise is JackBe.  They do things in a way that enterprise CTOs like.  They build in connections to governance, security, identity management.  And they play well with the entire ecosystem so you don't have to rework all legacy just to use them.  Of course web2.0 will remain a key trend, but mashups take web2.0 to a new, more mission-oriented level and for enterprise players the mission is what is important.
  • An approach we will all learn to love and follow is "context accumulation".   This very important term was coined by Jeff Jonas, and I think Jeff is going to have all of us moving out on that in the next 12 months.   If you agree, visit his blog and by all means help others understand why this is really the only way we humans stand a chance of surviving/thriving in the onslaught of data.
  • Federal acquisition of IT will still be criticized for all the reasons it always has been.  But there will also be an acceleration of a dramatic positive change brought about because of open source software and a new appreciation that IT acquisition processes (RFI/RFP/FAR/DFAR based purchases) do not apply to software that is free.  Free software is not being bought, it is being used, for free.  The whole reason the FAR exists is to ensure when the taxpayer's money gets spent it gets spent wisely.  When things are free the FAR has less applicability.  Services for open source are being bought and since that uses government money of course the taxpayers will continue to be served by the same FAR-type processes that are meant to ensure open competition, but that is not for free open source software, that is for services to configure and manage the software.
  • Will this be the year of enterprise security?  We have been banking on that for a long long time.  We know the answers on how to make enterprises more secure.  There is a great recap of some of the most important components of security in the CSIS report.  But there are many more things that can be done as well. My goal, as captured here, is to improve security by two orders of magnitude within the next 24 months.
  • Netbooks, Thin Clients and Cloud Computing will accelerate throughout the technology landscape, especially inside the federal government.  These trends in both devices and the cloud components are directly related and are also benefiting from the global, unstoppable trend toward open computing (open software and open standards).  One to watch in this area:  Sun Microsystems.   But also track the dynamics of the netbook providers.  Dell will get serious about netbooks, but Acer will continue to grow market share.
  • A key accelerator of Cloud Computing has been the powerful technologies of virtualization, especially those of VMware.  Open source and other virtualization capabilities are coming fast too.  The trend to watch in 2009 is the arrival of higher order, more elegant capabilities to manage virtualization across large enterprises.  VMware and Opsware (HP) will continue to evolve to do this, but Appistry, Vizioncore, Xsigo and Sun (and others?) are coming fast.
  • Increasingly leaders will recognize that concepts of operation that require humans to tag and create metadata are sub-optimized.  When busy people are tasked with burdensome tagging operations they too frequently become tempted to cut corners and rush the process.  Over time, meta data generated this way just becomes meta crap.  This growing recognition in the federal space will sweep in new technologies and new approaches to discovery of content.  One to watch to solve this issue:  Endeca, because of their approach to visualizing information and enabling human to computer iterative examination of data.

  • Flexible computers will arrive in production this year for early adopters and many CTOs will use them in labs to assess applicability for massive deployment in the coming years.   These flexible computers are the ultimate thin clients.   Backends/servers/architectures developed for the cloud perfectly suit ultra thin, flexible computing devices. For more on this hot topic, start at the site of the Flexible Display Center at ASU.
  • Collaboration will increasingly be seen as the means to link human brains together.   Collaboration tools that are stand alone stovepipes will be a thing of the past.  Users will collaborate using the entire technology environment:  voice, video, data, whiteboard, chat, application sharing, info discovery will increasingly be integrated into a single fabric.  Key players here:  Adobe, Microsoft and Cisco.
  • In a big change for how money is moved in major enterprises, the CIO will be given responsibility for the energy budget.  This will encourage CIOs to modernize to conserve energy, since money saved from energy costs can be invested back in modern IT.  This will be a very virtuous cycle, that saves money for organizations, saves energy, and modernizes IT.
  • In a stunning turn, IPv6 will be rapidly adopted, not by enterprises, but in homes.  The major home communications provider that delivers full IPv6 to home environments (and to cell phones) will have an incredible advantage over competitors and will dominate.  The many rich features of IPv6 delivered to consumers will finally push enterprises everywhere to move out on IPv6.
  • In 2009, as in every year prior and for most into the future, there will continue to be bad people using technology to do bad things.  Enterprises will move to protect info, but bad guys will keep moving to get the data.   And the use of social networking tools by terrorists will likely grow.  This is not a foregone conclusion, but I'm not personally sure what can be done to mitigate the use of advanced technology by bad people, other than to say that we good people need to work together more to stop them, and my hope is that we can keep 2009 safe and secure.

Thoughts/comments/suggestions?  Please let me know what you think.


The Disruptive Power of Netbooks

December 23, 2008

The idea of light-weight, low-cost, but very powerful laptops designed for a smaller feature set than traditional laptops has been around for a decade or so.  But all indications are that something has changed in the market place.   Due to a convergence of many factors, netbooks are growing in sales.  These factors include the continual improvement in wireless speeds, the more widespread availability of wifi, the continued drop in cost of hardware, the continued increase in performance of open source operating systems and open source applications, the unstoppable move to more thin-client solutions, and the dramatically increased capabilities of cloud computing services (including the entire web2.0 megatrend and of course the continued innovations of Google in the cloud computing and online applications space).

I just did a few searches on Amazon and Bestbuy for netbook devices, and pulled up entries for small notebooks like the Acer Aspire One, an 8.9-inch mini laptop that runs Linux Lite and sells for under $300.00.  It has plenty of capability and is very lightweight.   It comes loaded with applications, including open source office automation packages (I think I would want to download the most recent version of open office if I purchased this).  It also comes with a built in camera and is ready for high end video chat.

Will I buy one?  There are clearly some of these in my future, I just don't know when.  I have a MacBook and I really like it for everything I need in a laptop.  I use it around the house and on travel.  And, although it is over a year old now, it doesn't need replacement.  When it does, however, I'm going to be asking myself why I would want to pay $1000 more for a Mac instead of a couple hundred for a Netbook.  So much of what I do I do on the cloud anyway, and the many things I do locally can be done using the free Open Office.

If we assume the same sort of trades are being considered by other buyers, a conclusion starts to emerge.  Netbooks are going to be a very disruptive force in the market.

And what is the market saying so far about this trend?  Acer is reporting huge success with their netbooks approach, their sales have been growing significantly.  They just reported a 78.8 percent growth rate over the same quarter in 2007.  And this is during a huge market downturn.  HP and Dell are reporting unit sales growth of 13.5 percent and 10.7 percent, respectively.   Apple is just about flat.

If you are an enterprise CTO, what should you do with this information?  For one, you should consider how to use laptops/netbooks like these in your organization.  If done right, you can enhance the security of your enterprise by moving more of your data and applications to secure clouds, and you can also add security features to your netbooks and field a significant enhancement to your security posture.  And, since the cost of these devices is far less than traditional laptops you can equip more of your workforce and save money at the same time, which is a very virtuous thing in this economic environment.

Note: I've previously written about several devices that qualify as netbooks, including:

Thin Client Laptops: Functionality, Security, Mobility, a review of high end, enterprise quality wireless stateless thin clients using the Sun Microsystems approach;

and

The Future Is Changing Again, a review of the One Laptop Per Child (OLPC) initiative.

I also recommend a recent article at Economist.com called Small is Beautiful

And, thanks to a friend on Twitter, I just got pointed to a post at GigaOm titled: Why Netbooks are Greener Than Laptops


CTOs, Global Cyberwar and Our Collective Future

December 8, 2008

If you are a technologist, please take a moment to download the PDF of the report by the U.S. Commission on Cybersecurity.  This report, titled Securing Cyberspace for the 44th Presidency, is the best proclamation of the challenges of cyber I have read.  It is also a roadmap that will help any trying to navigate these very tough issues.

I've been involved in things cyber for a long time.  My deepest involvement began in December 1998, almost 10 years ago to the day.  In all that time I've seen lots of studies and lots of papers and many treatments of the issues.  But I've never seen one that captures the complexities and the need for specific actions as well as this one.

I'd really recommend you read every word, if you want to be considered literate in this field.   But if it will be a little while till you get to it, here are some key points:

The three major findings are:  1) Cybersecurity is now a major national security problem for the U.S., 2) Decisions and actions must respect privacy and civil liberties, and 3) only a comprehensive national security strategy that embraces both the domestic and international aspects of cybersecurity will make us more secure.

The report makes a few points about the Bush Administration's Comprehensive National Cybersecurity Initiative (CNCI).  In general they give credit to that initiative, and call it good.  I agree, it is a great activity I've previously written about that is led by one of the most effective people in government today and has done great work.  But as the commission points out, the work of the CNCI is good but not sufficient.

The biggest shock for me in this study:  The amount of funding on R&D for cyber security.  I have been looking into the many activities underway, and maybe that look made me deceive myself into thinking it was a well funded effort.  The commission, however, estimates that the total R&D funding in the federal government for cybersecurity is about $300 million.  Less than two-tenths of one percent of the total federal R&D.

The report has a great section on identity management.

I am convinced the organizational approaches outlined in the study are the right ones as well.  There is only one place in our government where we can lead solutions to this challenge.  Where is that?  Hey read the report!

What else do I recommend CTOs do besides read the report?  I think one way we can all help the cybersecurity effort is to think through which standards bodies are the most important to engage with regarding security.   A few are here:
http://www.ctovision.com/2008/05/standards-organizations-ctos-should-track.html


Cloud computing and my small business

December 3, 2008

I run a small strategic consulting business, Crucial Point LLC.

My core business requires lots of hands on work and time of myself and partners and associates, and like in many other businesses, the less time I spend on admin for myself the more time I can spend being productive.  I also need to watch costs and need to be as agile and mobile as possible.  One of the approaches I have taken to address those needs is to maximize my use of Google Apps and other related Google capabilities. 

Here is some more background on how I use them:

E-mail to my company is really handled by Google Apps.  If you send a note to contact @ crucialpointllc .com, or any other active address at that domain, it is handled by the Google e-mail servers.  I access the e-mail like you access your gmail.  I get it through a browser and can access it anywhere.  I can also use a client package to download the mail when I want to.   And I use that on my blackberry when I'm on the move (which is just about always).

The e-mail for Crucial Point LLC is also well integrated with other capabilities like Google Calendar, and that calendar is also synchronized with my blackberry.   My contacts are also synchronized between my blackberry and my gmail based mail contacts.

I use Google Docs at the site as well.  This allows me to create, edit, read and collaborate over spreadsheets, documents and presentations.   On most of my computers I run open office and on a couple I have Microsoft office and both of those packages work pretty well with Google Docs, but I try to default to Google Docs for reasons of mobility, security and sharing.  I also use embedded forms to collect key info and process it in secure spreadsheets on my site.  I get an alert when any of these forms are used.   For example, when a company has a request for a tech assessment I refer them to my tech assessment request form at the bottom of the "what we do" page on my site.

At this time I don't really use Google's video or chat capabilities.  But maybe in the future?

The Google Sites feature is pretty good too and I've used it a couple times to establish collaborative environments for topics like developing a strategic plan for a client.   By using sites I was able to invite in just the right folks for collaborative work.   I'm currently working on my new site for my Crucial Point LLC webpage and am doing that in Google Sites, so that will allow an even tighter integration and easier ability for me to edit my main public facing page from anywhere anytime.  [Late Entry: my main site at http://www.crucialpointllc.com is now driven by Google Sites]

I can give e-mail addresses and account access to my business partners and can also invite in external folks to collaborate with me.

I also use Google's GrandCentral for key phone services, and I look forward to increasing levels of integration with other Google capabilities there.

I use these and many other Google services for many reasons, but the most important reasons have to do with reducing the risk to my small business.  It is a fact of life that all computers fail, eventually, and we all relearn that lesson far too frequently (My almost brand new iMac failed not long ago and had to be totally replaced.  Cleaning up the hard drive was no problem and my business continued ahead full steam since I'm leveraging a cloud).  These services also make me more agile since I can access them anywhere and can rapidly configure/tailor them to meet my changing needs.   They also help me keep the important stuff secure and the sharable stuff shared.   I know I'm also saving energy by leveraging their cost effective/green data centers, but for a small company like mine I really have no idea how much/little I'm saving there.

For bigger firms there are far more capabilities, like integrations into Salesforce.com.  I don't think I'll be using those capabilities anytime soon.  But I plan on continuing to watch them.

(By the way, just as a disclaimer, Google is not a client of mine, but I sure wish they were, that would be cool).


Three Events of Federal CTO Interest: Will You Be At These?

November 28, 2008

FYI, in case your schedule will allow us to connect in person I wanted to update you on a few events I plan on being at over the next few weeks.

The Advanced Technical Intelligence Association TECHINT conference will be held 9-11 Dec 2008.  This conference focuses on the technical dimensions of intelligence, and has a theme of "integrated performance."  The theme refers to the need to integrate capabilities from all the agencies engaged in national security to better perform in meeting our national security challenges.   On 9 Dec I'll be speaking at a panel on the real and growing threat in cyber space.  There will be no blogging or tweeting from the conference.  But if you are going to be there please drop me a note and let's connect in person there.  For info see http://masint.org

The AFCEA Solutions conference on Cyberspace will be held 10-11 Dec 2008 at the Ronald Reagan Center in DC.  This conference will be focusing on the challenges and solutions of cyberspace related to national security.  Speakers include Secretary of Homeland Security the Honorable Michael Chertoff, The Deputy Secretary of Defense the Honorable Gordon England, Assistant Secretary of Defense for Networks and Information Integration the Honorable John Grimes, Ms. Melissa Hathaway, senior adviser and cyber coordination executive for the Director of National Intelligence, LTG Keith Alexander, Director of the National Security Agency, Deputy Assistant Secretary of Defense for Information and Identity Assurance Mr. Bob Lentz and Deputy Assistant Secretary of Defense for Information Management Mr. David Wennergren.  I'll be speaking on a panel on Wednesday at 1530 on formulating a common response.

  • This unclas conference follows a model that AFCEA has been using for several similar events.  They are actively seeking ways to enhance the value of these conferences by leveraging more Web2.0 capabilities before, during and after the formal presentations.  Blogging and tweeting from the conference is encouraged. You can visit the site at: www.afceasolutions.org/group  The event schedule and program details can be found online here: www.afceasolutions.org

The US Army Intelligence Warfighting Summit will be held 15-17 Dec 2008.  This one will also be a conference where blogging and use of twitter is not appropriate due to the sensitivity of info discussed.  However, I would appreciate knowing if you will be going so we can connect there in person.  Speakers will include the most senior Army intelligence leadership, plus Vice Admiral Bob Murrett from NGA, LTG Alexander from NSA, and Scott McNealy from Sun Microsystems.  For more on the event see: http://www.ncsi.com/iws08/index.shtml

So, if you are going to any of these please let me know.  

And please follow me on Twitter so I can send you a few bursts from the AFCEA conference.  I'm at http://www.twitter.com/bobgourley 

Cheers.


Update on Federal Cloud Computing

October 29, 2008

My last several briefings, including one yesterday at the FIAC, have addressed some of the dramatic changes underway in the IT world.   That briefing is attached here: Download FIACGourleyBrief.pdf

The conference had a focus on information assurance, computer security, network security and Chief Information Assurance Officers (CISO) in the federal space.   So I not only updated my briefing with the latest tech trends but changed it to focus on lessons learned from industry on compliance monitoring and automation of remediation and related topics.


