Could Blockchain be at the center of IoT security?

Blockchain can be used for many things… Blockchain technology has the potential to reduce costs, improve product offerings and increase speed for banks, according to a recent report from the Euro Banking Association (EBA). If you’d like a nice overview of blockchains and bitcoin, there’s one on Khan Academy.

Blockchains can be used to keep track of transfers and to ensure that the data collected has gone through a verification process. One of the properties is that the blockchain is a globally distributed database that anyone can add to, but whose history no-one can modify.

This feature could be very valuable for IoT applications where data is coming in that you would like to both verify and keep for predictive analytics… IBM has been looking at this for a while, since one of the security concerns has been that nefarious data sources could either modify the incoming data or change the data history. Blockchain techniques could make that almost impossible. One of the issues when you have an abundance of data coming into the enterprise is that the length of the chain could expand to the point where maintaining the chain costs more than the data is worth, so the processing of the chain would probably need to happen outside the IoT sensors/devices themselves. The devices would need their own private/public keys, though, if the validation goes all the way to the edge.

A simple way to think of the blockchain for data transactions…


Where each block likely contains:

  • A timestamp
  • The hash of the previous block as a reference (except the Genesis Block)
  • A pointer to the hash of the data transactions
  • The block’s own hash
  • The Merkle Root – the root of a hash tree built over the transaction hashes in the block

This is definitely quite a bit of security machinery, but where it is needed it should be sufficient…
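To make the block structure above (and the "anyone can add, no-one can modify the history" property) concrete, here is an added example that is not part of the original post: a minimal chain of sensor-reading blocks with a timestamp, the previous block's hash, the transaction hashes, a Merkle root over them and the block's own hash, plus a verifier that re-derives every hash and reports where the history no longer holds together. The reading format, the field names and the sample readings are constructed for the example; it is a teaching model, not IBM's or any product's implementation.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tx_hash(reading: dict) -> str:
    """Hash of one data transaction (a sensor reading), canonicalised so key order does not matter."""
    return sha256_hex(json.dumps(reading, sort_keys=True).encode())


def merkle_root(tx_hashes: List[str]) -> str:
    """Root of a binary hash tree over the transaction hashes.
    An odd leaf at any level is paired with itself, as Bitcoin does."""
    if not tx_hashes:
        return sha256_hex(b"")
    level = list(tx_hashes)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256_hex((level[i] + level[i + 1]).encode())
                 for i in range(0, len(level), 2)]
    return level[0]


@dataclass
class Block:
    index: int
    timestamp: float
    previous_hash: str      # reference to the prior block; "" only for the genesis block
    tx_hashes: List[str]    # pointers to the data transactions, by hash
    merkle_root: str = ""
    hash: str = ""          # the block's own hash, computed over the header fields

    def compute_hash(self) -> str:
        header = {"index": self.index, "timestamp": self.timestamp,
                  "previous_hash": self.previous_hash, "merkle_root": self.merkle_root}
        return sha256_hex(json.dumps(header, sort_keys=True).encode())

    def seal(self) -> "Block":
        self.merkle_root = merkle_root(self.tx_hashes)
        self.hash = self.compute_hash()
        return self


def reading_recorded(block: Block, reading: dict) -> bool:
    """True if this reading is one of the block's transactions and the Merkle root still covers it."""
    return tx_hash(reading) in block.tx_hashes and block.merkle_root == merkle_root(block.tx_hashes)


class Chain:
    def __init__(self) -> None:
        self.blocks = [Block(0, 0.0, "", []).seal()]   # genesis block

    def add_readings(self, readings: List[dict], timestamp: Optional[float] = None) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1,
                      time.time() if timestamp is None else timestamp,
                      prev.hash,
                      [tx_hash(r) for r in readings]).seal()
        self.blocks.append(block)
        return block

    def verify(self) -> List[str]:
        """Re-derive every hash; return the problems found (an empty list means the history is intact)."""
        problems = []
        for i, block in enumerate(self.blocks):
            if block.merkle_root != merkle_root(block.tx_hashes):
                problems.append(f"block {i}: merkle root does not match its transactions")
            if block.hash != block.compute_hash():
                problems.append(f"block {i}: block hash does not match its header")
            if i > 0 and block.previous_hash != self.blocks[i - 1].hash:
                problems.append(f"block {i}: previous_hash does not match block {i - 1}")
        return problems


if __name__ == "__main__":
    chain = Chain()
    # Constructed sample readings, standing in for what IoT sensors would report.
    chain.add_readings([{"sensor": "temp-01", "value": 21.5}, {"sensor": "temp-02", "value": 22.0}], timestamp=1.0)
    chain.add_readings([{"sensor": "hum-01", "value": 40}], timestamp=2.0)
    print("intact:", chain.verify() == [])
    chain.blocks[1].tx_hashes[0] = tx_hash({"sensor": "temp-01", "value": 99.9})   # edit the history
    print("after an edit to block 1:", chain.verify())
```

The point the verifier makes is the one the post relies on: changing a single stored reading breaks that block's Merkle root, and re-sealing the block to hide that breaks the previous_hash link from every block after it, so an edit to the history is always visible to anyone holding a copy of the chain.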

In a security breach, the perspective of who’s responsible is shifting…

The implications of boards holding Chief Executive Officers accountable for breaches will be something to watch. Recently, a survey of 200 public companies showed that corporate boards are now concerned about cybersecurity and willing to hold top executives accountable.

Since the board (and the CEO that they put in place) is ultimately responsible for the results of the company, making the CEO responsible shouldn’t be a surprise. A security breach is just one example of a business risk, not just a “technical issue,” so it should be treated in a similar fashion. There are roles like the CISO, CIO and CRO that may support the CEO in their efforts to steer the ship, but if the organization runs aground, the highest levels of corporate leadership need to be held accountable — just like they are rewarded for improved corporate performance. Neither scenario is accomplished by the CEO alone.

A data breach can impact customer confidence, stock price, and the company’s reputation for a long time, and those are not “technical issues.” Unfortunately, it is not a matter of “if” but “when” a security incident will occur, so a formal effort must be expended to anticipate and detect incidents, develop contingency plans to limit them, and correct the situation when it occurs, as quickly and effectively as possible, reducing the impact on the customers as well as the organization itself.

That is likely one reason why in job postings today there is an abundance of openings in the security space.

Measuring the value and impact of cloud probably hasn’t changed that much over the years but…

I was in a discussion today with a number of technologists when someone asked “How should we measure the effectiveness of cloud?” One individual brought up a recent post they’d done titled “8 Simple Metrics to Track Your Cloud Success.” It was good but a bit too IT-centric for me.

That made me look up a post I wrote on cloud adoption back in 2009. I was pleased that my post held up so well, since the area of cloud has changed significantly over the years. What do you think? At that time I was really interested in the concept of leading and lagging indicators and that you really needed to have both perspectives as part of your metrics strategy to really know how progress was being made.

Looking at this metrics issue made me think “What has changed?” and “How should we think about (and measure) cloud capabilities differently?”

One area that I didn’t think about back then was security. Cloud has enabled some significant innovation on both the positive and the negative sides of security. We were fairly naive about security issues back then and most organizations have much greater mind-share applied to security and privacy issues today – I hope!

Our discussion did make me wonder about what will replace cloud in our future or will we just rename some foundational element of it – timesharing anyone?

One thing I hope everyone agrees to though is: it is not IT that declares success or defines the value, it remains the business.

Security certificate maintenance – there must be a better way

Over the last few years, I’ve seen numerous instances where well-maintained systems run by organizations with good operational records have fallen over because of security certificate expiration.

Just last week, Google Mail went down for a significant time when their security key chain broke (note Google’s use of SHA-1 internally – but that’s a whole other issue). Gmail is a solution that is core to an increasing percentage of the population, schools and businesses. Most people likely believe that Google operations are well run and world class – yet they stumbled in the same way that I’ve seen many others stumble before.

Organizations need a reliable and rigorous approach to tracking their certificate chains, one that proactively warns them before certificates expire, since it will take hours to repair a chain once it breaks. There are many critical tasks that come with certificate management, and ignoring or mishandling any one of them can set the stage for web application exploits or system downtime.
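As an added illustration of the tracking the paragraph above asks for (this is example code written for this page, not a vendor product and not the spreadsheet approach mentioned later), the script below takes a constructed inventory of certificate chains, works out which member of each chain expires first, classifies each host as expired, critical, warning or OK against assumed 7-day and 30-day thresholds, and flags any chain that still carries a SHA-1 or MD5 signature. The hostnames, dates, subjects and the "today" value are all made up; in practice the inventory would be filled by a discovery tool or by reading the notAfter field out of the deployed certificates.

```python
import math
from datetime import datetime, timezone
from typing import Dict, List

# Constructed inventory of certificate chains, leaf first and root last, as a discovery
# tool or a spreadsheet would record them. Hostnames and dates are made up for this example.
INVENTORY: Dict[str, List[dict]] = {
    "mail.example.test": [
        {"subject": "CN=mail.example.test", "not_after": "2015-04-20T12:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Intermediate CA", "not_after": "2017-05-01T00:00:00Z", "sig_alg": "sha1WithRSAEncryption"},
        {"subject": "CN=Example Root CA", "not_after": "2030-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    ],
    "api.example.test": [   # the leaf is fine, but the intermediate it chains to expires in four days
        {"subject": "CN=api.example.test", "not_after": "2016-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Old Intermediate CA", "not_after": "2015-04-05T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Root CA", "not_after": "2030-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    ],
    "legacy.example.test": [
        {"subject": "CN=legacy.example.test", "not_after": "2015-03-30T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Root CA", "not_after": "2030-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    ],
    "www.example.test": [
        {"subject": "CN=www.example.test", "not_after": "2016-06-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Intermediate CA", "not_after": "2017-05-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
        {"subject": "CN=Example Root CA", "not_after": "2030-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    ],
}

# Signature algorithms worth flagging when they appear anywhere in a chain.
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}


def parse_utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def chain_expiry(chain: List[dict]) -> dict:
    """The certificate that expires first. A chain fails when any link fails, so the
    intermediate or root matters as much as the leaf everyone remembers to renew."""
    return min(chain, key=lambda cert: parse_utc(cert["not_after"]))


def classify(days_left: float, warn_days: int, critical_days: int) -> str:
    if days_left < 0:
        return "EXPIRED"
    if days_left <= critical_days:
        return "CRITICAL"
    if days_left <= warn_days:
        return "WARNING"
    return "OK"


def assess(inventory: Dict[str, List[dict]], now: datetime,
           warn_days: int = 30, critical_days: int = 7) -> Dict[str, dict]:
    """Per host: which chain member expires first, whole days remaining, a status, and weak signatures."""
    report = {}
    for host, chain in inventory.items():
        first = chain_expiry(chain)
        days_left = (parse_utc(first["not_after"]) - now).total_seconds() / 86400
        report[host] = {
            "expires_first": first["subject"],
            "days_left": math.floor(days_left),
            "status": classify(days_left, warn_days, critical_days),
            "weak_signatures": [c["subject"] for c in chain if c["sig_alg"] in WEAK_SIG_ALGS],
        }
    return report


def hosts_needing_action(report: Dict[str, dict]) -> List[str]:
    """Hosts whose chain is not OK, most urgent first."""
    urgent = [h for h, r in report.items() if r["status"] != "OK"]
    return sorted(urgent, key=lambda h: report[h]["days_left"])


if __name__ == "__main__":
    now = parse_utc("2015-04-01T00:00:00Z")   # constructed "today"
    report = assess(INVENTORY, now)
    for host in hosts_needing_action(report):
        r = report[host]
        print(f"{r['status']:8} {host}: {r['expires_first']} expires in {r['days_left']} days")
    for host, r in report.items():
        if r["weak_signatures"]:
            print(f"weak signature algorithm in chain for {host}: {r['weak_signatures']}")
```

The api.example.test entry is the case that catches well-run shops: its leaf certificate has months left, but the intermediate it was issued under expires first, and that is what takes the service down. Tracking the chain rather than the leaf is what turns this from a surprise outage into a scheduled renewal.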

These certificates (which carry the public keys) are the cornerstone of the organization’s cryptography-based defense. As the market-facing application portfolio of an organization expands, the number of certificates will also expand, and the key chains can get longer with more convoluted interrelationships as well (especially if not planned and just allowed to evolve). Additionally, the suite of certificate products from vendors can be confusing. There are different levels of validation offered, numerous hash types, key lengths and warranties (which actually protect the end users, not the certificate owner). It can be difficult to know what type of certificate is required for a particular application.

CSS-Security put out this high-level video about certificates and why they’re blooming in organizations (there is an ad at the end of the video about their product to help with certificate management).

Most companies still manage their certificates via a spreadsheet or some other manual process. That may be fine when you’re just getting started but it can quickly spiral out of control and addressing the problem may involve costs that are just not understood.

There are products and approaches for enterprise certificate management. Automation tools can search a network and collect information on all discovered certificates. They can assign certificates to systems and owners and manage automated renewal. These products can also check that the certificate was deployed correctly, so a system does not keep serving an old certificate. Automated tools are only part of the answer and will still require some manual intervention.

When purchasing one of these certificate management tools, ensure that the software can manage certificates from all CAs, since some will only manage certificates issued from a particular CA.

Service Innovations over time…

I was in an exchange with Jim Spohrer (of IBM) the other day about service innovations and he gave me the following lists dealing with service innovations:

Top Ten Service Innovations in all of History
1. Division of Labor – an entity gets to do more of what they do best, and less of what they do less well
2. Cities – local concentration of division of labor, including security and protection
3. Writing – allows communications over distance and time
4. Written Laws – brings more objectivity into governance and justice
5. Money – brings efficiency into exchange transactions
6. Universities – local concentration of division of knowledge, including preparation of next generation
7. Democracy – collective decision making via voting (citizen -> decision)
8. Republics – two stage collective decision making via voting (citizen -> representative -> decision)
9. Checks – safer than carrying paper money
10. Banks – safe storage of money, and compound interest/loans

Top Ten Service Innovations of Last 100 years

1. Universal Education – increases capability of population, and allows more complex problem solving
2. Universal Service – even rural people can communicate, and have right to communicate efficiently
3. Rural Electrification – even rural people can have lighting and access to modern appliances
4. Credit Cards – convenience and safety
5. Loyalty Programs – incentives for usage
6. Franchises – standard service in multiple places
7. FedEx – overnight package delivery
8. Automobile Transportation – systems of filling stations, roads, laws
9. Internet & Worldwide Web – access to information
10. Wireless Communication Networks – Radio & Television – conquest of distance and access to service

Top Ten Service Innovations of Last 10 years (or so)
1. Amazon – market for books and things
2. eBay – market for personal stuff
3. iTunes – market for music
4. Etsy – market for home made things
5. Uber – market for rides
6. AirBnB – market for rooms
7. Smart Phones & App Economy – access to information, communications, and other mobile services, including cognitive assistants
8. MOOCs – massively open on-line courses to augment education
9. Mutual funds – finance investments that provide benefits of diverse portfolios
10. Global IT-enabled Outsourcing – division of labor between nations and large corporations

I’d add 3D printing to this list myself, but that may be just me.

Top Ten Service Innovations that broke out in 2014
1. TransferWise – lower transaction cost of transferring money
2. Coinbase – bitcoin digital wallet
3. Apple Pay – easier to pay money out
4. Lending Club – easier method to get investments in and out (founded in 2006)
5. Quirky – inventor community (started in 2009)
6. Bill.com – small business pay bills better (started in 2008)
7. Betterment.com (investment personal assistant)
8. Kickstarter – crowd funding (I think this actually started in 2009)
9. Amazon Echo (home assistant)
10. Google Nest (home assistant) (actually the first Nest appears to be released in 2011)

Some things to think about…
What would be on your list? What should make the list for 2015? Do these innovations have anything in common?

A Technology Radar on Software Creation

I recently had the opportunity to look at the ThoughtWorks Technology Radar. This is a document targeted primarily at developers, describing the emerging and trending technologies that are shaping software creation. It is grounded in tools that address DevOps, analytics and security.

It is clear that those who put this position paper together are passionate about keeping up with the changes in the software development space, as well as internalizing the implications for how the software creation process will be performed in the future, and they are happy to share these views with others.

The technology adoption profile is captured using a radar metaphor: emerging technologies around the edge and those technologies that should be adopted closer to the center. The model is divided into quadrants dedicated to techniques, platforms, tools, and languages & frameworks. I can easily see this being used in a holistic, yet targeted, discussion about what these shifts can mean to an organization and its software portfolio — in addition to facilitating a discussion among technologists.

Although industry analysts publish their vision documents regularly, it’s rare that a technology services organization gives their insight into the tools they are investigating or using publicly. I’ll leave it to your imagination why that’s not done much anymore.

There are versions of their technology radar going back a few years on the site (their goal is to publish twice a year), so if you’re interested in the development space, it’s worth a look.

If there were one suggestion I could make, it would be to include a vector estimating how soon each technology will advance to the next stage. This additional dimension should cause some very valuable discussions to take place.

Abundance and the value potential of IT — things have changed…

Since I have moved to a new blog site I decided to update a post on my foundational beliefs about IT, the future and what it should mean to business.

A number of years back, I posted that the real value for a business lies in understanding what is unique, separating what is abundant from what is scarce, and planning to take business advantage of that knowledge.

I came up with this model to look at how things have changed:

Today, there is an abundance of data coming in from numerous sources. A range of connection options can move the data around to an abundance of computing alternatives. Even the applications available to run on the data continue to grow almost beyond understanding. Various service providers and options even exist to quickly pull these together into custom(-ish) solutions.

Yet there are elements of the business that remain scarce, or at least severely limited by comparison. The attention span of personnel, the security and privacy of our environment and even actions based on the contextual understanding of what’s happening persist in being scarce. Part of every organization’s strategic planning (and enterprise architecture effort) needs to address how to use the abundance to maximize the value from the scarce elements and resources – since each business may have its own set of abundant and scarce components.

For IT organizations one thing to keep in mind is: almost every system in production today was built from a scarcity model of never having enough compute, data… Those perspectives must be reassessed and the implications of value for the business that may be generated reevaluated, since that once solid foundation is no longer stable. The business that understands this shift and adjusts is going to have a significant advantage and greater flexibility.