TechHui

Hawaiʻi's Technology Community


Hello, my name is Brian and I have an IT problem.

(Hi Brian)


Actually, we all do.

I started off a geeky, unsociable, and shy nerd hiding behind racks of whining fans, choking on stifling recycled air yet somehow always wearing a jacket. I enjoyed spending hours upon hours in dimly lit rooms configuring unix daemons and rebuilding systems. Sound familiar? No? I guess your 1999 was better than mine!

Last weekend I don't think I even used a computer more than a few minutes. I was too busy diving, eating out, swimming, watching aerial explosives detonate, slathering chemicals on myself at Waimea, cruising with friends, etc.. Email? Oh my phone does that. I don't even know what variants of HTML my android's browser supports. Do I care? Nope. It's a tool and as long as it does what I want pretty well.. that's good enough for me! I'm over technology, life is more interesting. The technology is my slave. I'm not going to waste much time messing with it.


...

How does your business do IT? Actually.. scratch that..

Why does your business do IT? Do you even know? You probably do... deep down inside.. somewhere - but many never ask the question. We have email and spreadsheets and servers and.. backups.. because someone said we should! Industry best practice! CRM systems are proudly paraded. "We can store over 10,000 client records and retrieve anyone's within 2 seconds". I can create bar charts from Istanbul from any of 32 different OLAP cubes! Oh yeah.. that's the stuff...

So? Has that helped your business? Has it translated directly into sales? Can you actually demonstrate that to me somehow? Even if you made more sales.. did that cover the cost of your systems.. your licenses.. your personnel.. your HVAC costs.. your extra floor space.. the distraction to your business.. the additional risk you (may) now outlay. If you're a non-profit you still need some sort of review process to ask - is it working for us?

Maybe it is working for you! I don't know your business - but I do know that if you don't have some pretty confident answers (even guesstimates?) to those questions then you're Doing It Wrong (tm).

It's really that simple.. if your IT department isn't making you money - it's costing you money - and probably far more than you realize!

"But we have to have one". Really? Why? Is your business IT? If not then.. what makes you think you are any good at something you know nothing about? Even if you do.. it may not be worth your time. I'm sure most CEOs know how to operate a lawn mower. Doesn't mean we'll see them out there mowing their corporate HQ lawns. Opportunity cost? Oh yeah.


I'm not here to talk about outsourcing though.

...

Somewhere along the way.. many of us forgot that the whole point of IT was to support our business processes. That is.. the stuff that actually makes us money. I care about visualizing sales records only if it somehow helps me understand my product.. my market.. my customers.. etc.. If it's just a pretty picture.. well that's nice but .. not interested.

Now.. I realize I'm probably mostly preaching to the choir (At least I'm picturing Dan applauding and toasting me from his lemur mug collection - if he didn't have one before he will start one now).

Okay so if we can get over our fetish for "cool stuff" and surrounding ourselves with massive SANs and fat 10GE pipes.. where does that leave us? Do we get rid of technology? Heck no, we almost certainly need IT.

But we need to remember that IT is just a tool - the bubble that holds our information which facilitates our business - and a sysadmin is fundamentally no different than a facilities manager (sorry guys, it's true!).

...

IT used to be really hard. It's easy now. COTS stuff is great. Building your own is almost always a waste now. Yeah there are exceptions - you aren't one. I know it's cool. Get over it. We simply don't need big IT departments like we used to anymore.

Perhaps we shouldn't have Information Technology departments anymore.. let's replace them with.. Information Services departments or something (okay I'm bad at making up sexy names). I do think even something as subtle as continuing to call it "IT" furthers our problematic "throw systems at the wall until they stick" mentality for resolving our broken content policies. It's not about the technology!! It's about what you do with it. Make it your slave. You should have such great IM/KM people that you're throwing resources at them to improve how your BUSINESS works - tech is merely a vehicle for it!

This is why I think many of our organisations are broken and need restructuring. Too many remain tech-driven and systems-heavy with CTOs and oft-forgotten CIOs and Process Improvement guys languishing in a forgotten corner. I think it's because we like tangibles. You can pat a server and see what your money bought. You can demo that new web sales system you spent $300k on. Even if your $1M dev project fails.. well you can point to actual.. debris?

But.. Fixing the process for your sales data reporting? Rewriting your business rules for storing personally identifiable information (PII)? You want our employees to *gasp* change how they do things? Ugh.. that sounds hard.. can't we just buy more servers? Throw some crypto at the problem?

Nope, sorry - doesn't work that way. I realized this more than ever from reactions to the recent revelation of a PII breach at UH's Parking Office.

Instantly everyone asked! Why weren't they outsourcing! Wasn't it encrypted? Who was monitoring the network? Asleep at the wheel!!

Hardly anyone else seemed to wonder.. WHY the parking office had that information? Did it resolve an actual business requirement for the parking office? I don't see how. If it did then it would have been much smarter, cheaper, and simpler to fix the business process that "required" that information. Adding encryption, using better software.. centralizing your systems - yeah those are probably smart.. but if you don't even need to store the information in the first place! Well that's a grand slam.

I'm not picking on UH though - well not too much, they did mess up. But realistically most of us have this problem - we just delude ourselves. I applaud them for their transparency in the matter - many institutions do not reveal their breaches. I'm sure they have a policy on this and it just wasn't being followed here.

We have bought into the idea that information = power and the more we can amass, the more powerful and better positioned in our market sector we will be. That we'd just cram everything onto disks or a database and we'd rejoice as the money we dumped into IT systems magically produced.. candy.. mmm. Sorry it doesn't quite work that way!

Is information power? Absolutely. It's also a risk though.

And you need a plan.

And yep, it's hard.

Get over it.


Comment by Daniel Leuck on July 26, 2010 at 7:22pm
I've been thinking a bit more about this stuff lately. My gut reaction is not to trust the cloud entirely.
It's a good idea not to trust anyone other than your mom entirely :-) There is always risk. The question is what is riskier, building your own systems or using a trusted cloud provider like Amazon or Google?

There are huge advantages of scaled up security and expertise that smaller locations can't achieve, for absolute sure.. but like you they're still vulnerable.
It's true that they are vulnerable, but not like you. When thinking about the security of hosting something within your company relative to GAE (Google) or EC2 (Amazon), ask yourself these questions:
  • Do you have a dedicated team of world class security experts?
  • Do your processes, policies and systems undergo regular independent SAS 70 Type II security audits?
  • Is your company incentivized to have the world's best security by a market cap of over $150 billion that could be lost overnight by a serious security breach?
  • Do you have the experience that is gained by hosting the core IT infrastructure for hundreds of thousands of organizations including companies like Genentech and government organizations such as the city of Los Angeles?
  • Are your data and systems protected by geographic redundancy with no single points of failure?

The idea that any organization, even a large organization, that does not specialize in this area, and has not invested tens of millions in infrastructure and security could provide comparable protections is pure myth.

UH had 100% control over the parking system that exposed 40,000+ social security numbers to a hacker. Control != security. Expertise, experience and independent audits == security. Economies of scale are also very much in play.
Comment by Paul Graydon on July 26, 2010 at 1:09pm
I've been thinking a bit more about this stuff lately. My gut reaction is not to trust the cloud entirely. The moment you don't have direct control over your data you have no control at all. There are huge advantages of scaled up security and expertise that smaller locations can't achieve, for absolute sure.. but like you they're still vulnerable. You're trading one security for another. You take your pick.

That said, here's the main thing I'm increasingly wondering (please excuse the brain dump):

Why is data accessible over the Internet / public network? What can be or should be accessible to the Internet should only be what is absolutely necessary for the function. Over the last 20 years corporate networks have increasingly gained Internet connectivity, and with it firewalls have become essential devices for network security, but rarely does it seem anyone asks why the connectivity is needed with the main (or secure) network at all.

In the old days to steal company data you'd need to break in to their office.
By the time we reached the start of Kevin Mitnick's era ('79-95) modems were already cropping up. It still required social engineering (con artist) tricks to find out phone numbers of the modems but it meant you no longer had to have physical access. You didn't even need to be in the same country to break in. The moment that modem got hooked up you went from mostly local thieves to worldwide with potentially instant access.
Now it's even easier, you don't even have to get a phone number, just figure out an IP address (look at e-mail headers?) and away you go. Social engineering will make getting past the firewall a lot easier, but there is plenty of low-hanging fruit out there in the form of unpatched machines, 0 day exploits and the like.

No matter what the security put in place it can never get past the simple fact that if it's not connected to the Internet, it's a lot more secure.

Private / Public networks with clear physical isolation are a lot more laborious, though, which in a roundabout way brings me back to the cloud. Getting rid of physical isolation is a security choice companies have made at some stage or another, whether they realised it or not. If you've made that acceptance is it really that hard a step to move to the cloud? You've sacrificed ultimate security in the name of convenience once, the cloud isn't that big a step from there.
Comment by Brian on July 8, 2010 at 12:04am
Thanks Dan, I appreciate the compliment.

Like the nested virtualization we mentioned earlier.. there is still that legacy part of my brain that cries foul occasionally, but I have basically swallowed the Kool-Aid at this point ;)

A few weeks ago a coworker asked (on behalf of a friend) - what sort of IT setup would I recommend for a new company? I replied that I'd suggest they all get Androids and just use Google's services. Integrated calendar.. email.. collaboration.. much better security and uptime than they could manage.. everything synching and backing up to the cloud... an entire community constantly improving your IT for you from hardware to apps.. etc.. all for basically free!

You have to wonder why companies even have big telecom infrastructure anymore - why not just get everyone unlimited cell phone plans?

Are there unique situations? Sure. If you're doing video for example - local storage is really still the norm for that.

What's funny is when people use regulatory requirements like SOX as some justification for in-house infrastructure. Yeah I'm sure you can manage those requirements better than.. someone that does it full-time - and has made it THEIR business.

That's okay, someday the lemurs will rise up and crack the DJ in half ;)
Comment by Daniel Leuck on July 7, 2010 at 11:27pm
(Lemur mug raised) Spot on. Great post. Local does not necessarily mean more secure. In fact, at most organizations, it means less secure. I'm consistently amazed by the number of local organizations that think they have better security than Google and Amazon. This is almost never the case, not because they are incompetent, but because they don't have the same incentives (billions in lost sales, tens of billions of assets to protect from lawsuits, etc.) and they don't benefit from economies of scale or enormous budgets to spend on specialists. As you said, there are special cases, but the percent of actual special cases is exceeded by the organizations that think they are special cases 10 to 1. After nearly 20 years of consulting for companies ranging from local Hawaii businesses to banks in NY, I'm still amazed at the millions I see thrown away annually due to NIH (not invented here) syndrome. Engineers love to write software, and it doesn't matter if a dozen open source and/or inexpensive commercial solutions that solve the business need are readily available. Systems engineers love to build IT infrastructure, even if it can be done cheaper, better and more securely by best of breed SaaS and cloud solutions from well established vendors.

As you mentioned, although there was clearly a significant lapse in the system, this situation is far from being unique to UH, and they were more transparent about it than most. Although I don't agree with all of their policies, there are a lot of talented, hard working techies at UH and they have made significant contributions to TechHui and the wider tech community.

© 2024   Created by Daniel Leuck.   Powered by