CTOvision Blog

The CTOvision.com blog has moved!

Bob Gourley — Sun, 14 Feb 2010 18:49:49 +0000

If you have found this post you might be looking for our new location.

The CTOvision.com blog has been operating on its own server for quite a while now, and we continue to provide content on items of interest to enterprise CTOs.

Please follow us at http://ctovision.com

Thanks!

Bob Gourley

What does the Oracle-Sun news mean for enterprise CTOs?

Bob Gourley — Wed, 22 Apr 2009 09:46:36 +0000

OK, sometimes I get emotionally attached to great technology. I need to watch that, I know humans are what is important. But science is cool too, and it gets really really exciting to watch great humans create and field great technologies. That is why I have long been a fan of both Oracle and Sun. I like many other powerhouse IT companies as well… but those are the two names dominating this week’s news and it has been the topic of dozens of conversations with other CTOs since the announcement that Oracle Buys Sun.

Here is some of the significance of the announcement, in my opinion:

- This is a $7.4B purchase. Oracle would only have done this if they realized there is incredible value for IT customers in this transaction.

- The value of Sun is in far more than just intellectual property. It is in incredible thought leadership of Sun’s talented people and terrific, visionary data center experience. It is also because of the tremendous community leadership in the open source world. And of course there is the hardware production, distribution and service. And, as emphasized in the release, Java and Solaris.

- You can believe Larry Ellison when he says” The acquisition of Sun transforms the IT industry, combining
best-in-class enterprise software and mission-critical computing
systems.” He also said “Oracle will be the only
company that can engineer an integrated system – applications to disk -
where all the pieces fit and work together so customers do not have to
do it themselves. Our customers benefit as their systems integration
costs go down while system performance, reliability and security go
up.” All of this rings true.

There are some immediate steps enterprise CIOs and CTOs should do because of this announcement:

- Continue your plans to accelerate open source software into your enterprise. Move faster now. Your risk is lower than ever.

- Understand that market dynamics are going to change. Oracle is a great company that will ensure Java and Solaris and MySQL continue to improve (with backing by and leadership of the great open source software community, of course). But understand the dynamics may change the equation when it comes to software support costs.

- Move now to lock in your service and support plans for open source Solaris, MySQL, Java Composite Applications Platform Suite (CAPS) and Java Enterprise Services (JES). Lock in at today’s rates if you can. And extend today’s rates out for more years if you can.

– The leading operating system for the Oracle database is Solaris. Since Solaris is now open and since its use is growing there are huge numbers of trained administrators with mastery over Solaris. But this is a good time to re-evaluate how many trained masters you have. If you have an enterprise suport agreement with Sun it might have training options on it that you are not using. Now is the time to max out your training. Clearly this is going to pay off for your enterprise long term. And after the aquisition is complete there is a chance that if you have not locked in your training rates that some of this cost may go up.

- With this agreement, enterprises are now faced with easy choices for identity management solutions. Sun Identity Management solutions already form about 60% of the identity management stack in the enterprise-class federal space. Oracle in their fusion middleware account for much of the rest of the enterprise-grade solutions space. Accelerate your Sun Identity Management solutions. I believe, just based on personal experience, that Oracle and their policy management capabilities are best of breed, and they can already be engineered to work with open enterprise class leaders like Sun. I imagine that will be a much smoother integration in the future. Which leads to the next key point:

- While now is the time to lock in, rapidly, your Solaris, JES, MySQL support licenses, and now is the time to take advantage of any Solaris/Java training available to you, you should also agressively review the entire Oracle Fusion Middleware stack. There are some really GREAT capabilities there.

Any thoughts on any of the above?

New Command to Focus on Cybersecurity for DoD and IC

Bob Gourley — Wed, 22 Apr 2009 07:03:28 +0000

The Wall Street Journal just ran an article titled: “New Military Command to Focus on Cybersecurity.” In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.

My opinion: This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”

The WSJ article is in consonance with what is going on and what should be going on. I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required). And all players need to work well with industry and allies in a coordinated, fast moving way.

What does this mean for enterprise technologists? For the most part it is good news. But for day to day security operations in most enterprises, the relationships you have with other organizations will remain the same as before– for now. And the current body of best practices remains in place. You still need to understand and implement and follow the Common Audit Guidelines, for example. Doing that is going to help you and will help others too.

Triumfant real-time malware detection and remediation

Bob Gourley — Sun, 19 Apr 2009 06:52:10 +0000

As I’ve previously noted I’m on the advisory board for Trimufant (I’m at this page). I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising. After all, I’m associated with them because I believe they are a world-class outfit with a great capability).

In this post I want to bring your attention to a Triumfant press release . It is an announcement that Triumfant now provides real-time malware detection and remediation. Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints, but with their new Triumfant Resolution Manager they build on their ability to deliver zero-day malware protection. This capability detects changes to state and rapidly returns the computer to the right state. This is done without signatures. How is this possible? Check out their website for more, but the way John Prisco (CEO of Triumfant) puts it: “By continuously scanning desktops and deliverying real-time automated remediation, Triumfant is able to catch zero-day attacks before they impact the end-user and enterprise and eliminate time lost waitning for third party analysis and the updating of signatures and patches.”

Triumfant will be at the RSA conference April 20-24. Please, if you go, stop by their booth and tell them I said hello.

Cheers,
Bob

My Opinion: NYT wants cyber security to be a divisive issue.

Bob Gourley — Sat, 18 Apr 2009 12:38:56 +0000

I just read an article that seems designed to keep spreading FUD (Fear, Uncertainty, Doubt) about the US government and the NSA. The article is titled “Control of Cybersecurity Becomes Divisive Issue “. It starts with an assertion stated as if it were a fact that says “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs”.

I bump into all sorts of people in the beltway, and there is a huge amount of buzz regarding cyber. There is also a huge amount of pontification and rumor and hype, and I think Risen and Lichtblau have fallen for some of that.

I guess I should not be so hard on Risen and Lichtblau. They are writing about stuff they have no real experience in (other than as writers) and their sources probably have their own biases or in some cases probably have no access to what is really going on.

Maybe I should just repeat something that all of us citizens should already know. Don’t believe everything you read.

If I were writing the article, I think I would have started it out by saying “The National Security Agency has impressive security expertise and a long history of doing the right thing. Their sensitive mission is conducted with great care and extensive oversight and they have great processes in place to continually improve what they do. They save lives and protect our privacy and do so with great honor.” I would also have, as Risen and Lichtblau did, quoted my old friend Dale Meyerrose who said “They are probably the premier cybersecurity, cyberorganization in the world.”

There are plenty of other quotes by friends in that article. All seem to agree that NSA should not be in total command of all aspects of cybersecurity. OK, there are many many options on how the nation can do this. But I really think it was wrong to start off the article with the assertion that the NSA is campaigning for anything.

The NSA has great capabilities that the nation will almost certainly take advantage of as we enhance our cyber security. That doesn’t mean they are lobbying to be in command of everything. If they were placed in total command then the country would place the right amount of checks and balances to ensure it worked well, and I would be totally fine with that. If they are not in command then the country should place the right amount of coordination mechanisms in place to ensure the mission is served well, and I would be totaly fine with that.

What I would not be fine with is if we keep kicking the can down the road and keep a model where we are slow to react and cannot mount as vigorous of a defense as we should.

A hypothetical question to ask ourselves: Which path would the Russian Business Network, a criminal group described by Verisign as “the baddest of the bad”, want us to take? They would probably want to see us fiddle around for as long as possible without taking clear action. As for me, I want clear, decisive action that moves us forward. And I don’t see anything coming from NYT that will help us embark on that path.

A CTO’s views on the new Fed CTO

Bob Gourley — Sat, 18 Apr 2009 10:05:03 +0000

I’m very pleased with the pick of Aneesh Chopra as the Federal Government’s CTO. I wish I could add more context than that, and was thinking of a quick biographical sketch of Aneesh and some ideas on why this is great news. Then I read Tim O’Reilly’s post at OReilly Radar, and frankly I just totally agree with everything Tim said. Please check out his post at:

http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html

Here is an excerpt that particullarly resonated with me:

“Chopra has been focused for the past three years on the specific technology challenges of government. Industry experience does little to prepare you for the additional complexities of working within the bounds of government policy, competing constituencies, budgets that
often contain legislative mandates, regulations that may no longer be relevant but are still in force, and many other unique constraints. In his three year tenure as Secretary for Technology for the Commonwealth of Virginia, Chopra has demonstrated that he has these skills. In fact, last year, the National Association of State Chief Information Officers ranked Virginia #1 in technology management. “

To me that points to the number one quality you want in a CTO. A CTO must get results. A CTO in any large organization has a tough time getting things done, so when you find someone who has gotten results the way Aneesh Chopra has you have found a real champion.

I used to call Vivek Kundra “the Alpha CTO” because of his open collaboration with other CTOs and the leadership by example he gave all of us during his time as CTO of DC. But now what do I do? Vivek is still a great guy who will get results, but now there is another great guy who will get results who has the title CTO. Anyway, it is good to see Aneesh Chopra in place and I know all of us CTOs wish him well.

The Number One Reason To Move To Open Source: Security

Bob Gourley — Fri, 17 Apr 2009 21:39:15 +0000

I just read Bill Vass’s latest blog entry titled: “The No. 1 Reason to Move to Open Source is to IMPROVE Security“

Bill opens this article with:

If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it’s obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care
about security.

We have a saying in the world of Cyber Security: Security through obscurity, isn’t.

Then after providing a good overview of many of the factors that contribute to the enhanced security of open source, he closes with some facts from the US Government’s National Vulnerability Database. The facts are clear about this: Proprietary software products have a much higher security risk than their open source equivalents.

Please check out his article and judge for yourself. And if you are a technologists think of the many great options you have for enhancing the use of open source in your enterprise. You can even use it in combination with closed source/proprietary to enhance the security posture of your enterprise.

More later.

May I have your views on the future of IT?

Bob Gourley — Thu, 16 Apr 2009 20:12:44 +0000

If all goes well I’ll get a speaking part at the next DoDIIS Worldwide Conference at Orlando 17-21 May 2009. I love this conference. It is attended by great folks, many of whom are technologists with a deep background in a favorite mission area. The greatest systems integrators come to the conference. And the technology companies that exhibit at the conference are also great, with many demonstrating cutting edge, disruptive technologies that make for an intellectually stimulating time.

I submitted a proposal to deliver a presentation at a breakout session on megatrends in the IT world and some assessments on the future of IT. My thesis is that assessments on the future of technology can contribute to sound decisions today. Since it is a DoDIIS conference I’ll try to keep that focused on the future of IT relevant to DoDIIS. Since I’ve been keeping a briefing up on that topic for a while I think I should be able to pull together a relevant talk that should provide good food for thought.

But here is the hard part. This is the sort of briefing that is out of date the instant it is printed. It is always in need of a tech refresh.

So, I have a favor to ask. Can I ask your views on the topic of the future of enterprise IT?

Please take a look at the slides below. And send me a note with any feedback, pointers or criticisms. I would really appreciate any suggestions.

Thanks,
Bob

090413_The_Future_of_IT.pdf

See Inside a Google Data Center and a Google Server

Bob Gourley — Mon, 06 Apr 2009 06:01:14 +0000

Google has recently provided some unprecedented views into their data center operations and have even revealed current details of their server board. In the past they have only released information on old designs (like the 80 PC rack given to the computer history museum). It seems like every time photos would pop up of server parts it would end up being of a previous generation of equipment. For the most part, folks like me have only dreamed of being able to see inside a real Google data center and seeing real operational, current generation Google equipment.

Now, thanks to Google, there is loads of info that can be used to satisfy a CTO’s curiosity.

We now know that rumors of Google leveraging advanced shipping container constructs (the idea created by Sun Microsystems) are true. A Google datacenter like the one in the video holds about 45 containers, and each of those can hold 1160 servers. Since the designs are in shipping containers there are some easy to engineer cooling efficiencies

For a video tour inside a Google datacenter watch the clip below:

Google designs its own web severs so it can optimize performance and
enhance energy efficiency. The unique
design includes a powersupply that has a battery integrated
right in so the power supply is also an uninterpretable power supply
(UPS). For a deep video view of the server itself see:

Widespread Cyber Espionage: More evidence and what to do about it

Bob Gourley — Mon, 30 Mar 2009 07:03:08 +0000

This week the New York Times and CNET ran a story by John Markoff titled “Vast Spy System Loots Computers in 103 Countries“

It reads in part:

A vast electronic spying operation has infiltrated computers and has
stolen documents from hundreds of government and private offices around
the world, including those of the Dalai Lama, Canadian researchers have
concluded. In a report to be issued this weekend, the researchers said that the
system was being controlled from computers based almost exclusively in
China, but that they could not say conclusively that the Chinese
government was involved.

The researchers, who are based at the Munk Center for International
Studies at the University of Toronto, had been asked by the office of
the Dalai Lama, the exiled Tibetan leader whom China regularly
denounces, to examine its computers for signs of malicious software, or
malware.

Their sleuthing opened a window into a broader operation that, in less
than two years, has infiltrated at least 1,295 computers in 103
countries, including many belonging to embassies, foreign ministries
and other government offices, as well as the Dalai Lama’s Tibetan exile
centers in India, Brussels, London, and New York.

The full report is available here: “Tracking GhostNet: Investigating a Cyber Espionage Network.“

The report itself is well worth a read by any technologist and by most technology users. We should all know what we are up against.

Another technical view of the research is available at “Snooping Dragon“

I’d also like to offer my opinion that many or even most of the attack vectors can be reduced or mitigated by smart technologists. And other attack vectors can be reduced or mitigated by smart users trained to recognize when they are being fooled by social networking attacks.

For more on how to reduce threat vectors see:

Enhancing Security and Functionality at the Same Time

This only touches on the technological paths into your systems, but it is a great start.

I would also like to offer the opinion that attack paths can be reduced by the smart use of open source technologies. Open source technologies have fewer vulnerabilities. They must also be smartly managed and must be well patched (although some few vulnerabilities are detected, when they are detected they need to be addressed right away). But, the use of foundational secure systems like SE Linux and Trusted Open Solaris is a smart way to reduce your attack surface.