"Shaped like a Blogg! or a Garden hose!"

image by Tom Woodward

I only recently realised that it’s been over a year since I posted anything here.

Sad I know.

The last 18 months have been a little hectic with moving from one company to another, and refocusing on being a husband and a father rather than on a career and living out of a suitcase.

That said there are some exciting things in the works, one of which is a book. Whilst there isn’t a lot to say about it yet, it will be based on a couple of things, Wardley Mapping and Outsourcing. I’ll also add that my co-writers and I will bring rather unique “insiders” perspective to the process; we might even start to release some drafts here.

This is part one of a guest blog I was asked to create for the Service Management Conference. you can find the original here and where it was published completely in the July issue of the itSMF Bulletin.

Why moving to the cloud can give you more control, not less.

What are the opportunities and challenges for the IT service management team in a world where more applications are moving into the cloud, offered as subscription services, from a multitude of vendors? Can you keep control and visibility?

Recently I led a discussion at an itSMF Special Interest Group meeting about IT service management in an “as-a-Service” world – a world where the way IT is procured, delivered and consumed has fundamentally changed with the advent of cloud computing. Not that cloud computing is new by any means – particularly in smaller organisations, but it is now becoming more and more prevalent in large enterprises. Or it is expected to be…

While there has been a lot of hype around “the cloud”, what became apparent at the meeting is that most information is targeted at the executives in high level overviews, or at techies in great technical detail.

Meanwhile, the IT service management team has been left in the cold. There is little clear direction on “how to” or “where to start” and too much hype versus fact. Yet it is the service management team who often has the responsibility to “make it happen”.

In our discussion, which included IT service management professionals from government, financial services and IT vendors, the concerns/queries about service management in a cloud environment were startlingly consistent across industry sectors:

•        What is the best way to monitor and report service delivery?
•        How have other organisations done it?
•        What is hybrid cloud and how do you manage it?
•        How do you manage service integration across multiple vendors?

The Australian Government defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Interestingly, the itSMF group viewed cloud as a commercial model for delivering IT, rather than a technology. And the overriding concern is that these services are not in their control.

So how does cloud impact the policies, processes and procedures service management uses to plan, deliver, operate and control IT services offered to end-users?

For me it comes down to recognising that while traditional IT procurement has changed, you can still be in control; defining a clear – but flexible – business map for how the technology, processes and people will support the business; and ensuring transparency across multiple vendors.

New Ways of IT Procurement Don’t Have to Mean You Lose Control

Much of the fear of losing control comes from the feeling that IT departments are relinquishing control to IT third parties because they no longer own the IT and can’t see, touch or grab it. Yet in many ways they have more control than ever as it is easier to increase or decrease capacity quickly in response to changes in your organisation or the market in which it operates. And, if you chose the right vendor, they should provide you with regularly updated innovative solutions and contracted service levels rather than you being locked into a technology that will start to age as soon as you implement it.

Of course it’s not simple matter of moving everything into the cloud. Sometimes legislative requirements will dictate where data can be stored or who has access to it which may force an application to be insourced. Or it may depend on the maturity of an organisation’s approach to IT – an immature organisation may refuse to outsource because it is simply fearful of doing so whereas a mature approach is open to pushing risk outside the organisation.

And not all clouds are the same. A private cloud is used by a single organisation. A community cloud is for the exclusive use of a specific community of consumers with shared concerns (eg security requirements or mission). A public cloud is for open use by the general public. And a hybrid cloud is comprised of multiple distinct cloud infrastructures (private, community or public). Whilst the debate over public vs. private cloud services rages on, in the context of the above and the relative organisational needs and maturity, they all have a place.

This feeling of a loss of control can be exacerbated by departments choosing their own systems, easily bought and delivered over the Internet. However this “shadow IT” should not be feared – instead it should be seen as an indicator that the IT department is not delivering what they need. This is why business mapping is so important.

Part 2 of this blog will cover why business mapping is critical to ensuring IT and Service Management truly support the business and how to get started.

Today I’ve been reading about McNurlin and Sprague’s “Waves of innovation” model (2009) for the changing role of IT within an organisation. It’s essentially made up of 6 waves that have been observed over time, it looks like McNurlin started with 5 and the 6th was added somewhere in 2009.

Wave 1 – Reducing Costs – began in the ’60s with a focus on automation

Wave 2 – Leveraging Investments – began in the ’70s with a focus on reusing corporate assets with systems justified on ROI and cashflow

Wave 3 – Enhancing Products and Services – began in the ’80s with the focus on IT being a revenue source through creating a strategic advantage

Wave 4 – Enhancing Executive Decision Making – began in the late ’80s with the emergence of real-time business management systems

Wave 5 – Reaching the Consumer  – began in the ’90s with using IT to communicate directly with users, completely changing the rules of engagement

Wave 6 – Partnership Supply-Chain Management – looks at integration of partners into the supply chain.

The premise is that these are observed waves and that IT is appearing to loosing some of it’s traditional responsibilities. I think that this is because the view painted treats IT capability as a uniform blob and not as discrete functions and capabilities. It doesn’t take into account that you have a spectrum of bleeding edge capabilities through to commoditised offerings at the far end and the value that each capability or service delivers sits somewhere on the “value” spectrum too.

Delivering value with IT systems requires clear understanding of the business, the services and capabilities that make it up and how IT can then support those individual pieces. This one dimensional view of IT is what holds business back from making smart decisions.

/rant

We all go through change at some point.

Changing your process to meet the new requirements of a product or service in response to market change is a relentless march forward.

Some organisations hold on to a way they do things despite the issues and inefficiencies in them. These might be because of a number of reasons including working around deficiencies in older technologies, individuals or business structures.

Technology and Service organisations spend millions, sometimes hundreds of millions, looking to find the best way to streamline a process and build that into their application(s), why then do smaller organisations  feel the need to customise these applications to meet their, potentially, less efficient processes?

Wanting to become more mature in what you do requires change, so why do companies always fight technological change?

photo credit: AndYaDontStop via photopin cc

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian!! this follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfr along with his ThruKeyboardXfr.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.