Computer Security

The CTOvision.com blog has moved!


If you have found this post you might be looking for our new location.

The CTOvision.com blog has been operating on its own server for quite a while now, and we continue to provide content on items of interest to enterprise CTOs.

Please follow us at http://ctovision.com

Thanks!

Bob Gourley

What does the Oracle-Sun news mean for enterprise CTOs?


OK, sometimes I get emotionally attached to great technology.  I need to watch that, I know humans are what is important.  But science is cool too, and it gets really really exciting to watch great humans create and field great technologies.  That is why I have long been a fan of both Oracle and Sun.  I like many other powerhouse IT companies as well… but those are the two names dominating this week’s news and it has been the topic of dozens of conversations with other CTOs since the announcement that Oracle Buys Sun.

Here is some of the significance of the announcement, in my opinion:

– This is a $7.4B purchase.  Oracle would only have done this if they realized there is incredible value for IT customers in this transaction.

– The value of Sun is in far more than just intellectual property.  It is in incredible thought leadership of Sun’s talented people and terrific, visionary data center experience.  It is also because of the tremendous community leadership in the open source world. And of course there is the hardware production, distribution and service.  And, as emphasized in the release, Java and Solaris.

– You can believe Larry Ellison when he says “The acquisition of Sun transforms the IT industry, combining best-in-class enterprise software and mission-critical computing systems.” He also said “Oracle will be the only company that can engineer an integrated system – applications to disk – where all the pieces fit and work together so customers do not have to do it themselves. Our customers benefit as their systems integration costs go down while system performance, reliability and security go up.”  All of this rings true.

There are some immediate steps enterprise CIOs and CTOs should do because of this announcement:

– Continue your plans to accelerate open source software into your enterprise.  Move faster now.  Your risk is lower than ever.

– Understand that market dynamics are going to change.  Oracle is a great company that will ensure Java and Solaris and MySQL continue to improve (with backing by and leadership of the great open source software community, of course).  But understand the dynamics may change the equation when it comes to software support costs.

– Move now to lock in your service and support plans for open source Solaris, MySQL, Java Composite Applications Platform Suite (CAPS) and Java Enterprise Services (JES).   Lock in at today’s rates if you can.  And extend today’s rates out for more years if you can.

– The leading operating system for the Oracle database is Solaris. Since Solaris is now open and since its use is growing there are huge numbers of trained administrators with mastery over Solaris.  But this is a good time to re-evaluate how many trained masters you have.  If you have an enterprise support agreement with Sun it might have training options on it that you are not using.  Now is the time to max out your training.  Clearly this is going to pay off for your enterprise long term.  And after the acquisition is complete there is a chance that if you have not locked in your training rates that some of this cost may go up.

– With this agreement, enterprises are now faced with easy choices for identity management solutions. Sun Identity Management solutions already form about 60% of the identity management stack in the enterprise-class federal space.  Oracle in their fusion middleware account for much of the rest of the enterprise-grade solutions space.  Accelerate your Sun Identity Management solutions.  I believe, just based on personal experience, that Oracle and their policy management capabilities are best of breed, and they can already be engineered to work with open enterprise class leaders like Sun.  I imagine that will be a much smoother integration in the future.  Which leads to the next key point:

– While now is the time to lock in, rapidly, your Solaris, JES, MySQL support licenses, and now is the time to take advantage of any Solaris/Java training available to you, you should also aggressively review the entire Oracle Fusion Middleware stack.  There are some really GREAT capabilities there.

Any thoughts on any of the above?

New Command to Focus on Cybersecurity for DoD and IC


The Wall Street Journal just ran an article titled:  “New Military Command to Focus on Cybersecurity.”   In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.

My opinion:  This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”

The WSJ article is in consonance with what is going on and what should be going on.  I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required).  And all players need to work well with industry and allies in a coordinated, fast moving way.

What does this mean for enterprise technologists?  For the most part it is good news.  But for day to day security operations in most enterprises, the relationships you have with other organizations will remain the same as before, for now.   And the current body of best practices remains in place.  You still need to understand and implement and follow the Common Audit Guidelines, for example.  Doing that is going to help you and will help others too.

Triumfant real-time malware detection and remediation


As I’ve previously noted I’m on the advisory board for Triumfant (I’m at this page).  I’m hoping all CTO types will check out this company (and I’m also hoping you don’t mind me blogging about a company I’m advising.  After all, I’m associated with them because I believe they are a world-class outfit with a great capability).

In this post I want to bring your attention to a Triumfant press release.  It is an announcement that Triumfant now provides real-time malware detection and remediation.   Triumfant has long been the leading capability for discovering unexpected changes to computer endpoints, but with their new Triumfant Resolution Manager they build on their ability to deliver zero-day malware protection.

My Opinion: NYT wants cyber security to be a divisive issue.


I just read an article that seems designed to keep spreading FUD (Fear, Uncertainty, Doubt) about the US government and the NSA.   The article is titled “Control of Cybersecurity Becomes Divisive Issue”.  It starts with an assertion stated as if it were a fact that says “The National Security Agency has been campaigning to lead the government’s rapidly growing cybersecurity programs”.

I bump into all sorts of people in the beltway, and there is a huge amount of buzz regarding cyber.  There is also a huge amount of pontification and rumor and hype, and I think Risen and Lichtblau have fallen for some of that.

The Number One Reason To Move To Open Source: Security


I just read Bill Vass’s latest blog entry titled:  “The No. 1 Reason to Move to Open Source is to IMPROVE Security”

Bill opens this article with:

If you are like me, and you have been involved in cryptography and Cyber Security for a long time, it’s obvious to you that commercial open source code is more secure. As a matter of fact, in the late 90s, many of the Intelligence agencies mission systems and the DoD tactical systems moved to open source ONLY to improve security. Today, the majority of the critical systems in the Intelligence agencies (the people that care most about Cyber Security) run on open source operating systems like Solaris and Linux. The same is true of places like the FAA, IRS, and a whole lot of other organizations that care about security.

We have a saying in the world of Cyber Security: Security through obscurity, isn’t.

May I have your views on the future of IT?


If all goes well I’ll get a speaking part at the next DoDIIS Worldwide Conference at Orlando 17-21 May 2009.  I love this conference.  It is attended by great folks, many of whom are technologists with a deep background in a favorite mission area. The greatest systems integrators come to the conference.  And the technology companies that exhibit at the conference are also great, with many demonstrating cutting edge, disruptive technologies that make for an intellectually stimulating time.

I submitted a proposal to deliver a presentation at a breakout session on megatrends in the IT world and some assessments on the future of IT.

Responding Strategically to Cyber Attacks


The last 12 months has seen a significant amount of progress in our nation’s awareness of cyber threats and in our collective actions to address the security of our IT systems.  However, a huge amount of work remains to be done.

In a cyber context, the situation is a little like the one Winston Churchill described when he said: “This is not the end.  It is not even the beginning of the end.  But it is, perhaps, the end of the beginning.”

We in the cyber world have taken some serious blows, and we are shoring up our defenses.  But there is a long long way to go before our objectives are met.

With this post I want to provide a snapshot of some of the progress of late.

1) CNCI: The Comprehensive National Cybersecurity Initiative provided a kickstart to many elements of the federal enterprise and facilitated coordinated action by multiple agencies.  It was also an important evolution for Congress.  The changes to the federal budget and the intentions of agencies were very positive.  It is my opinion that the CNCI made a lasting positive difference in reducing unauthorized access into the federal enterprise and in enhancing resiliency of our systems. For more info see:

2) The CSIS report and related actions/studies: This 8 Dec 2008 report is the result of hard work and collective study by some of the best brains in the cyber security world.  Commissioners on the study are a who’s-who of security and the quality of this report is a direct reflection of this fact.  The report offers recommendations on multiple hard areas and should be referenced by anyone making decisions in the IT arena.  A recent related development is the posting by SANS of the Common Audit Guidelines.  This is a fantastic step towards providing guidelines to enhancing security and functionality.

You Really Have to See This: From MIT Media Lab


Words can hardly describe how neat this technology is.  I’m excited and enthused for many reasons, including the potential power of this technology to help us all make better decisions and of course to bring even more fun to our lives.  Watch and let your imagination go… Think of the wonderful ways we can interact with data to do good things in the world.

Other thoughts:  Look for the dynamic, moving newspaper.  Yet again there is more evidence that Hollywood is driving enterprise technology.

Video for the Enterprise CTO


I enjoy learning from and interacting with great CTO teachers face to face, which is why direct meetings are an incredibly important part of life.  But that model does not scale well.  There is no way any human can begin to schedule enough time/meetings/conferences/interactions to tap into all the great teachers out there.

Social media can help in a couple of ways.   For example, when used properly, it can help you connect with and learn from others in a way that is non-obtrusive to them.  It can also help you determine who has credibility in their field, which can be of use at times.  Social media can also help you find the best works to read and study, which is another way of learning from the masters and also helps in dealing with information overload.

I’ve just integrated another way of learning from the masters into the site at http://ctovison.com .  The site is now leveraging a YouTube channel designed specifically for enterprise CTOs.  It also embeds automated searches on YouTube focused on Information Technology and provides simple ways to kick off your own search.

Here is how it works and what the social media connection is:  A video I find that I believe to be relevant to enterprise CTOs (like, for example, Nicholas Carr talking about “The Big Switch” or a product demo for a hot technology like Plastic Logic) is tagged as a “favorite” on YouTube.  Then it will automatically be available as the first choice of a video in the player I have embedded on the front page at http://ctovison.com .  That player and other videos, including all that are relevant to searches on terms like “Information Technology”, are also on the new CTOvideo page at http://www.ctovision.com/cto-video.html

Additionally, the sidebar of the blog now has videos the Google and YouTube search algorithms think are relevant to the content.

How can you help drive the content of the video displayed?  As always I really appreciate your feedback, via any path that is easy for you.  You can send e-mail or leave comments on any post suggesting any video.  You can also connect to me on Twitter or Facebook and we can interact on the topic there.   And if you have a YouTube account we can connect there.  I’m http://www.youtube.com/user/ctovision