Disruptive IT

What does the Oracle-Sun news mean for enterprise CTOs?

OK, sometimes I get emotionally attached to great technology.  I need to watch that; I know humans are what is important.  But science is cool too, and it gets really, really exciting to watch great humans create and field great technologies.  That is why I have long been a fan of both Oracle and Sun.  I like many other powerhouse IT companies as well… but those are the two names dominating this week’s news, and it has been the topic of dozens of conversations with other CTOs since the announcement that Oracle Buys Sun.

Here is some of the significance of the announcement, in my opinion:

– This is a $7.4B purchase.  Oracle would only have done this if they realized there is incredible value for IT customers in this transaction.

– The value of Sun is in far more than just intellectual property.  It is in incredible thought leadership of Sun’s talented people and terrific, visionary data center experience.  It is also because of the tremendous community leadership in the open source world. And of course there is the hardware production, distribution and service.  And, as emphasized in the release, Java and Solaris.

– You can believe Larry Ellison when he says: “The acquisition of Sun transforms the IT industry, combining best-in-class enterprise software and mission-critical computing systems.” He also said: “Oracle will be the only company that can engineer an integrated system – applications to disk – where all the pieces fit and work together so customers do not have to do it themselves. Our customers benefit as their systems integration costs go down while system performance, reliability and security go up.”  All of this rings true.

There are some immediate steps enterprise CIOs and CTOs should do because of this announcement:

– Continue your plans to accelerate open source software into your enterprise.  Move faster now.  Your risk is lower than ever. 

– Understand that market dynamics are going to change.  Oracle is a great company that will ensure Java and Solaris and MySQL continue to improve (with backing by and leadership of the great open source software community, of course).  But understand the dynamics may change the equation when it comes to software support costs.  

– Move now to lock in your service and support plans for open source Solaris, MySQL, Java Composite Applications Platform Suite (CAPS) and Java Enterprise Services (JES).   Lock in at today’s rates if you can.  And extend today’s rates out for more years if you can.

– The leading operating system for the Oracle database is Solaris. Since Solaris is now open and since its use is growing, there are huge numbers of trained administrators with mastery over Solaris.  But this is a good time to re-evaluate how many trained masters you have.  If you have an enterprise support agreement with Sun, it might have training options on it that you are not using.  Now is the time to max out your training.  Clearly this is going to pay off for your enterprise long term.  And after the acquisition is complete, there is a chance that if you have not locked in your training rates, some of this cost may go up.

– With this agreement, enterprises are now faced with easy choices for identity management solutions. Sun Identity Management solutions already form about 60% of the identity management stack in the enterprise-class federal space.  Oracle in their fusion middleware account for much of the rest of the enterprise-grade solutions space.  Accelerate your Sun Identity Management solutions.  I believe, just based on personal experience, that Oracle and their policy management capabilities are best of breed, and they can already be engineered to work with open enterprise class leaders like Sun.  I imagine that will be a much smoother integration in the future.  Which leads to the next key point:

– While now is the time to lock in, rapidly, your Solaris, JES, MySQL support licenses, and now is the time to take advantage of any Solaris/Java training available to you, you should also aggressively review the entire Oracle Fusion Middleware stack.  There are some really GREAT capabilities there.

Any thoughts on any of the above?

New Command to Focus on Cybersecurity for DoD and IC

The Wall Street Journal just ran an article titled:  “New Military Command to Focus on Cybersecurity.”   In it they indicate “current and former officials familiar with the plans” say a new military command will be established to coordinate the defense of Pentagon computer networks and improve US offensive capabilities in cyberwar.

WSJ also reports that Defense Secretary Gates plans to announce the creation of a new military cyber command after the rollout of the White House review.   

My opinion:  This WSJ article seems more balanced and accurate than the article I discussed in my post “NYT wants cyber security to be a divisive issue.”  

The WSJ article is in consonance with what is going on and what should be going on.  I believe NSA should be formally given the lead for defending DoD/IC systems, but defense remains a team sport, and DHS should be given the lead for defending the rest of .gov networks (while still leaning on NSA/DoD/DNI as required).  And all players need to work well with industry and allies in a coordinated, fast moving way.

What does this mean for enterprise technologists?  For the most part it is good news.  But for day to day security operations in most enterprises, the relationships you have with other organizations will remain the same as before, for now.   And the current body of best practices remains in place.  You still need to understand, implement and follow the Consensus Audit Guidelines, for example.  Doing that is going to help you and will help others too.

A CTO’s views on the new Fed CTO

I’m very pleased with the pick of Aneesh Chopra as the Federal Government’s CTO.  I wish I could add more context than that, and was thinking of a quick biographical sketch of Aneesh and some ideas on why this is great news.  Then I read Tim O’Reilly’s post at OReilly Radar, and frankly I just totally agree with everything Tim said.  Please check out his post at:

http://radar.oreilly.com/2009/04/aneesh-chopra-great-federal-cto.html

Here is an excerpt that particularly resonated with me:

“Chopra has been focused for the past three years on the specific technology challenges of government. Industry experience does little to prepare you for the additional complexities of working within the bounds of government policy, competing constituencies, budgets that often contain legislative mandates, regulations that may no longer be relevant but are still in force, and many other unique constraints. In his three year tenure as Secretary for Technology for the Commonwealth of Virginia, Chopra has demonstrated that he has these skills. In fact, last year, the National Association of State Chief Information Officers ranked Virginia #1 in technology management.”

May I have your views on the future of IT?

If all goes well I’ll get a speaking part at the next DoDIIS Worldwide Conference at Orlando 17-21 May 2009.  I love this conference.  It is attended by great folks, many of whom are technologists with a deep background in a favorite mission area. The greatest systems integrators come to the conference.  And the technology companies that exhibit at the conference are also great, with many demonstrating cutting edge, disruptive technologies that make for an intellectually stimulating time.

I submitted a proposal to deliver a presentation at a breakout session on megatrends in the IT world and some assessments on the future of IT.

You Really Have to See This: From MIT Media Lab

Words can hardly describe how neat this technology is.  I’m excited and enthused for many reasons, including the potential power of this technology to help us all make better decisions and of course to bring even more fun to our lives.  Watch and let your imagination go… Think of the wonderful ways we can interact with data to do good things in the world.

Other thoughts:  Look for the dynamic, moving newspaper.  Yet again there is more evidence that Hollywood is driving enterprise technology.

Video for the Enterprise CTO

I enjoy learning from and interacting with great CTO teachers face to face, which is why direct meetings are an incredibly important part of life.  But that model does not scale well.  There is no way any human can begin to schedule enough time/meetings/conferences/interactions to tap into all the great teachers out there.

Social media can help in a couple of ways.   For example, when used properly, it can help you connect with and learn from others in a way that is non-obtrusive to them.  It can also help you determine who has credibility in their field, which can be of use at times.  Social media can also help you find the best works to read and study, which is another way of learning from the masters and also of dealing with information overload.

I’ve just integrated another way of learning from the masters into the site at http://ctovison.com. The site is now leveraging a YouTube channel designed specifically for enterprise CTOs.  It also embeds automated searches on YouTube focused on Information Technology and provides simple ways to kick off your own search.

Here is how it works and what the social media connection is:  A video I find that I believe to be relevant to enterprise CTOs (like, for example, Nicholas Carr talking about “The Big Switch” or a product demo for a hot technology like Plastic Logic) is tagged as a “favorite” on YouTube.  Then it will automatically be available as the first choice of a video in the player I have embedded on the front page at http://ctovison.com. That player and other videos, including all that are relevant to searches on terms like “Information Technology”, are also on the new CTOvideo page at http://www.ctovision.com/cto-video.html

Additionally, the sidebar of the blog now has videos the Google and YouTube search algorithms think are relevant to the content. 

How can you help drive the content of the video displayed?  As always I really appreciate your feedback, via any path that is easy for you.  You can send e-mail or leave comments on any post suggesting any video.  You can also connect to me on Twitter or Facebook and we can interact on the topic there.   And if you have a YouTube account we can connect there.  I’m http://www.youtube.com/user/ctovision


Vivek Kundra: Still the Alpha CTO and now the First Fed CIO

Today’s news on Vivek Kundra’s role in the federal space made me think of another CTO, Yuvi Kochar. Yuvi, the CTO of the Washington Post, is a great connector of CTOs who leads the informal collective of the Washington Area CTO Roundtable.  Although I had heard Vivek speak a time or two, the first really deep interactions I had with Vivek were through Yuvi’s work in service to the tech community, and I much appreciate that.

For a quick update on Vivek from a CTO perspective see:

Open Source Databases

All indications are the next significant growth segment for open source software will be in databases. This follows the trend of open source operating systems (Open Solaris and Linux). 

Two open source databases of note are Hadoop and MySQL.

Hadoop is not for everyone. It is very powerful open source software focused on highly scalable distributed computing. It implements the MapReduce distributed computing metaphor in use at some very large computing powerhouses. In general, I don’t believe it will be of immediate use to the average enterprise; it is for the big guys with high end problems.  My recommendation is that all CTOs at least download it at home and try it out just for familiarity (I’m running Hadoop on my home systems now so I can kick the tires and will be writing more about it in coming posts). But I don’t recommend every enterprise everywhere adopt it.

MySQL, on the other hand, should be of interest to any enterprise, big or small.  I’m a MySQL user and really enjoy it. I’m not alone in that regard. MySQL has over 11 million installations and is the driver behind most major web technologies today. It is the database for a variety of development platforms including popular software bundles like LAMP, BAMP, MAMP, SAMP, and WAMP. Popular websites using MySQL include Facebook, Zappos, Cox Communications, NASA, Flickr, Wikipedia, Google and YouTube. The Obama campaign was also run with technology based on MySQL.

How much does MySQL cost? It is available for free under the GNU General Public License, which is a great way to get and use software. Enterprises like support, and support costs money. How much will support for MySQL cost? I don’t know, since I’ve never required enterprise support, but from what I understand the cost is about 20% the cost of support for proprietary systems. MySQL lacks some features of the higher end, high cost enterprise systems, but at such a reduced cost it will increasingly be the alternative of choice for solutions that don’t require every feature of a massive ERP-type capability.

Additionally, MySQL can result in better reliability and more uptime, which should also be factored into your TCO calculations.

In your engineering trades you will likely find that MySQL will run more calculations per second on lower cost hardware, and administration/services costs are also significantly lower.

So, those are cost reasons to move to MySQL. Other, perhaps more important reasons include:
  • It is easy to learn and easy to administrate
  • It helps prevent vendor lock-in and companies that will try to place you over the barrel
  • Security is built in and in my opinion there will continue to be fewer vulnerabilities in MySQL because of its open source model
  • There are very large numbers of developers supporting MySQL, so it is easy to find highly qualified developers and administrators.

The big providers like Oracle, Sybase, Microsoft and IBM continue to roll out improvements and advanced features, and they have powerful capabilities that will likely be with us for a long, long time. But my recommendation is that every CTO check out MySQL and use it everywhere you can. It will help you deliver more functionality faster and for a much more economical cost.

Comments?

Enhancing Security and Functionality At The Same Time

Have you ever been sucked into the false debate over how much IT spending should be spent on security?  I used to all the time.  Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.”  That old school formula may well be part of the reason we got into the mess we are currently in.  It contributes to thoughts that lead you to think security can be separated.  By my way of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT.   I try whenever possible to use the term security and functionality in the same context just to underscore that point. 

For example, the goal I continually push regarding security in the federal space is not just one dealing with security.  I put it this way:  “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.”  Putting the goal this way also underscores that it is not security vs. functionality.  Both need to increase.

This goal also cries out for the need for metrics in security and functionality.  For functionality there are many customer focused survey methods that can help collect the right metrics.  For security, I think one metric stands out above all others:  Detected unauthorized intrusions.  There are many other important metrics for other dimensions of the security problem, but that one is key.  So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly.  If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.  

That is a dramatic goal.  What makes me think it is achievable?  In part the dramatic action being put in place today in the federal space.  And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods.  But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security  experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance.   These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them.   The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.  

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise. 

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

A Blog I Like: Haft of the Spear

Michael Tanji brings a perspective forged in years of intelligence work and a successful stint protecting information in the financial sector.  He is a well-published author who focuses on national security issues and is also a thought leader in the computer security domain.

At Haft of the Spear he writes primarily about technology related/enabled national security issues, which includes a heavy dose of information warfare. 

Read HOTS at: http://haftofthespear.com/

Next week I write about Nicholas Carr and his Rough Type blog.