The purpose of corporate IT is to ...
allow company approved people to
access company data
using company approved apps
on company approved hardware
at company approved locations
with company mandated security methods
on the company approved IT budget and staffing level
to keep the company in business and out of court.
If you want different apps - build a business case for them.
If you want different hardware - build a business case for it.
If you want different access - build a business case for it.
If you want different X - build a business case for X.
So, in essence, our litigious society and the risk-averse enterprise culture that litigation and regulation foster are the reason why enterprise IT is, in many organizations, in the Dark Ages compared to what a tech-savvy user can do with their personal IT.
What is this "tech-savvy user" you speak of?
There is a recurring discussion on Slashdot about the wisdom of putting critical infrastructure systems on the 'Web where any "terrorist" living anywhere in the world can attack it at any time.
That is the key to this discussion.
The IT department is tasked with keeping the private company data private. One of the reasons for that is so the company does not get sued for "losing" that information (or lose an advantage to a competitor).
Once the "tech-savvy user" connects his/her "personal IT" to the Internet it can be attacked by anyone, anywhere in the world, at any time. And losing your credit card info just means a problem for you. If the company loses the credit card info of their clients / customers / partners / etc, that's a problem for a LOT of people.
User perspective - does this thingie work for me?
IT perspective - does this thingie work for 1,000 users?
Does this thingie have a license we can support?
Does this thingie fit our security model?
Does this thingie fit our backup/retention model?
Does this thingie cause any problems with the other systems?
Does this thingie have a road map for the next 3-5 years?
Almost any user can handle a single workstation. Maybe even two workstations.
It requires a different perspective when you move to 1,000 workstations for 1,000 users running 250 different apps in 10 different segments across 3 continents and 5 languages.
The niche that the company is operating in might not be the same niche that the user sees himself in. Just as there are markets for mass produced goods/services, so is there a market for customized/personalized items.
I think Gruman is advocating the customized/personalized market niche (everyone at the company uses whatever they want to use / how they want to use it / where they want to use it / etc) when the experience of most of the Slashdot readers is the opposite (thousands of workstations and users with hundreds of apps and downtime that is measured in millions of dollars).
Car analogy - your motorcycle might have better acceleration, higher top speed and be more maneuverable than the 18-wheeler but they aren't serving the same market. Nor does the motorcycle scale to the 18-wheeler level at anything near the same price point.
He's going on about the same bullshit. But he doesn't interview anyone in IT at any company that is actually IMPLEMENTING his claims.
I'd argue that Salesforce.com was the first big consumerization push into business, as the SaaS provider actively targeted business users and avoided IT in trying to get its technology adopted.
This guy cannot even tell the difference between a "device" that is "owned" by an employee of Company X and a service provided to Company X by Company Y.
Regardless of which innovation was the first to empower individual users technologically, it's clear that consumerization of IT is about user-driven technology of all sorts.
No. There's a HUGE difference between using an outside company to provide a service and allowing people to bring their own laptops into the company to connect to the company's private data.
BYOD has the distinction of being so visible and inexorable that it finally forced the consumerization trend into the open, with CIOs and IT publicly confronting an issue that many had been dealing with quietly for a while: Some technologies are truly user-centric and should be left as such.
And you STILL don't see the difference.
Why is /. linking to his articles?
There are five: mobile devices, cloud computing services, social technology, exploratory analytics, and specialty apps (that is, apps for the user's specific job, from presentation software to engineering calculators).
mobile devices
cloud computing services
social technology
exploratory analytics
specialty apps
And STILL not a single interview with an IT VP from any health care company allowing user-owned devices to connect to private data.
Someone else mentioned a typical DMZ; that's a good analogy. Just imagine a huge DMZ, a small secure area and a small fully external area. What you do today inside the DMZ is what you have to do over the bulk of your network.
Normally, the DMZ has additional attention (and software and hardware) dedicated to it because it is so vulnerable.
You might be one really smart guy... but once you put a box in the DMZ you are defending against every other person in the world with an Internet connection.
And even with the extra attention and software and hardware sites are cracked every day.
So.... the new plan is to take that model and apply it to your internal network? Add the additional costs of more time / software / hardware AND the increased risk of some kid in Romania cracking your INTERNAL systems?
Sorry, but I'm not seeing the business advantage or the cost savings.
He's writing about how "most companies" are allowing users to bring in their own equipment... while writing about how IT "priests" are preventing users from bringing in their own equipment.
But he isn't doing interviews with companies that are allowing users to connect to private company data (the kind that would cause problems if leaked) via the users' own devices. Particularly companies covered by specific regulations such as health care.
Wouldn't at least one interview with the IT VP of a major hospital be appropriate by now? If nothing else, just to provide support for his claims.
First off, those articles are very badly written. And they seem to be linked to InfoWorld's recent run of articles about how IT is PREVENTING such "adoption". Strange.
Secondly, he's quoting a guy from a firm that sells products to manage phones. He is NOT quoting ANYONE from ANY company in the health care industry.
In 2010 and for much of 2011, many in IT got scared when they saw iPhones, iPads, and Android in the office, fearful these heretical devices would cause corporate collapse as the BlackBerry sanctum was sacked and untold evils followed.
What?
OK, so most companies today have moved past that initial fear and made peace with the notion that modern mobile devices were now part of their technology fabric, though driven by user demand.
It is DECEMBER 2011. That's some fast action by "most companies" in a few months.
There's a HUGE difference between allowing such devices on the UNSECURED WIRELESS NETWORK and connecting them to the servers that hold private data.
He doesn't seem to be covering that difference. And he doesn't have any quotes from companies that are doing what he claims.
Sounds like the article was written by a tool with no understanding of how enterprise IT works, and no grasp of what bringing alien, unknown systems into contact with critical infrastructure can lead to.
Or maybe he knows EXACTLY what the result will be.
Most networks/systems have "evolved" over time in an "organic" fashion. That is, things were added and then fixes were added to get everything to play together in a minimally acceptable fashion.
Now, if you can convince non-IT people that they're just as knowledgeable about IT issues as the IT people, that means that you can get a LOT of billable hours dealing with the impact of the new changes.
Say that Frank in Accounting "needs" a wireless router attached to the network so his new device (which doesn't support your standard for encryption/authentication) will work... and it needs access to the Accounting servers... because Frank "needs" it to work that way. That's a lot of re-design of the network and the servers and so forth.
So from a consultant/contractor point-of-view, this is a GREAT IDEA!!!
Just tell Frank that the IT department is being "bad" by refusing his perfectly rational and reasonable request and that he needs to work around them to maintain his productivity. Or get the IT department marginalized so that contractors can be brought in to do the work that the IT department is incapable of doing.
Yeah... then there's my job, where somebody recently pushed out a GPO update that was supposed to make Internet Explorer "more secure" by preventing downloads.
Yep. There are a lot of incompetent IT people out there.
The problem is that most of the non-IT people are even more incompetent at IT tasks.
And management is not very good at managing.
The problem is when you get people who just start adding restriction after restriction with no understanding of what it does not just to productivity and worker morale, but in some cases to the very applications they support.
The easy solution to this is to build a business case for whatever change you want and send it to your boss.
Your boss then sends it up the ladder until it gets approved and IT makes whatever change you wanted.
It's all about money. It should be easy for you to show how you'd be more productive (in terms of $X) if you had item A at cost $B.
No, IT policy is often both foolish and stupid, and getting around it is the only way to get work done.
I have seen a lot of "foolish and stupid" IT policies. Which is why you need to communicate to the BUSINESS via the "business case" for the changes you want.
Unless you don't care about that sort of thing, in which case, yeah... feel free to do nothing until they fire you and replace you with someone who does bypass the policies.
IT should be IMPLEMENTING the policies that upper management has decided upon.
If you don't like those policies then convince upper management that you'd be more productive (in terms of $X) by writing a business case for the change(s).
As for being fired, who cares? It happens. I'd rather go into my next interview saying that I was fired for enforcing the policies rather than saying that I was fired because the systems were cracked and all kinds of company / personal data was downloaded.
You can't have encryption without authentication,...
Sure you can. Encryption by itself does not mean secure communications. Bruce Schneier has a great book on the subject, "Practical Cryptography".
... otherwise anyone can stand between you and the endpoint and impersonate the other end.
That does not mean that the transmissions are not encrypted. Just that the communications channel is compromised. But transmissions between you and the MitM are encrypted. As are communications between the MitM and the site you think you're connected to.
Which gets to the core problem. The way it is currently set up depends upon too many points of failure with no way to validate any of the connections.
How do you KNOW that the site you've connected to is your bank in the USofA? Are you going to check to see that the CA issuing that certificate is not based out of Romania?
And the reason that it is set up this way is because it is EASIER for the banks to pass on any losses to the customer or business. Change that and you'll see fixes happening.
Right now your computer accepts a SINGLE source for encryption and "authentication". There should be at least 2 or 3 different checks.
Then people wanted certs cheap and now, not something high levels of integrity checking really allow for, so what agreement did exist simply went up in smoke as vendors pandered to customers over and above common sense.
Not just that. Certs are also now MARKETED as a means of verifying the web site you're connecting to.
The process you mention is one means of attempting to fill that role.
But certs were not designed as a means of verifying a web site. They're just for encryption. And for encryption they work pretty good.
The question now is how do you verify that the site at a.b.c.d is REALLY the site you think it is. Here's a hint: you cannot rely upon the certificate to validate it.
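The exchange the reply above describes, as an added example that is not part of the thread: an unauthenticated Diffie-Hellman handshake where Mallory swaps in her own public values, so both wire legs are encrypted yet she reads and rewrites the plaintext, followed by the same handshake with each public value authenticated under a key Mallory does not hold, which detects the swap before any data is sent. The group parameters are a toy prime chosen for readability, the "cipher" is a SHA-256 keystream XOR, and the pre-shared HMAC key stands in for the signature/certificate role that TLS uses; all three are assumptions of this demonstration, not real cryptography to reuse.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption for readability; real DH uses 2048-bit+ safe primes).
P = (1 << 127) - 1
G = 2


def dh_keypair():
    """Return (private exponent, public value g^x mod p)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared_key(priv, peer_pub):
    """Hash the shared secret peer_pub^priv mod p into a 32-byte key."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def stream_xor(key, data):
    """Toy stream cipher: SHA-256 counter keystream XORed with the data.
    One function both encrypts and decrypts.  Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def run_unauthenticated(message=b"transfer $1000 to account 42"):
    """Alice and Bob exchange bare DH public values through Mallory, who
    replaces each with her own.  Both wire legs are encrypted, yet Mallory
    reads and rewrites the plaintext and neither endpoint can tell."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    alice_key = dh_shared_key(a_priv, m_pub)            # Alice thinks m_pub is Bob's
    bob_key = dh_shared_key(b_priv, m_pub)              # Bob thinks m_pub is Alice's
    mallory_with_alice = dh_shared_key(m_priv, a_pub)   # equals alice_key
    mallory_with_bob = dh_shared_key(m_priv, b_pub)     # equals bob_key

    leg1 = stream_xor(alice_key, message)               # Alice -> (Mallory): encrypted
    seen = stream_xor(mallory_with_alice, leg1)         # Mallory decrypts it
    tampered = seen.replace(b"account 42", b"account 666")
    leg2 = stream_xor(mallory_with_bob, tampered)       # (Mallory) -> Bob: encrypted again
    bob_reads = stream_xor(bob_key, leg2)
    return {
        "legs_encrypted": leg1 != message and leg2 != tampered,
        "endpoint_keys_differ": alice_key != bob_key,   # Alice and Bob never shared a key
        "mallory_reads": seen,
        "bob_reads": bob_reads,
    }


def authenticated_exchange(auth_key, attacker_on_wire):
    """Same exchange, but each public value carries an HMAC under auth_key,
    which Mallory does not hold (assumption: a pre-shared key standing in for
    the signature/certificate role in TLS).
    Returns (attack_detected, endpoints_agree_on_key)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()

    def tag(pub):
        return hmac.new(auth_key, pub.to_bytes(16, "big"), "sha256").digest()

    a_msg = (a_pub, tag(a_pub))
    b_msg = (b_pub, tag(b_pub))
    if attacker_on_wire:
        _, m_pub = dh_keypair()
        # Mallory swaps the public values but cannot recompute the tags.
        a_msg = (m_pub, a_msg[1])
        b_msg = (m_pub, b_msg[1])

    def verify(msg):
        pub, t = msg
        return hmac.compare_digest(tag(pub), t)

    if not (verify(a_msg) and verify(b_msg)):
        return True, False          # abort before any application data is sent
    agree = dh_shared_key(a_priv, b_msg[0]) == dh_shared_key(b_priv, a_msg[0])
    return False, agree


if __name__ == "__main__":
    r = run_unauthenticated()
    print("unauthenticated: Mallory read", r["mallory_reads"], "| Bob got", r["bob_reads"])
    print("authenticated, attacker on wire:", authenticated_exchange(b"psk", True))
    print("authenticated, clean wire:", authenticated_exchange(b"psk", False))
```

The point to take from running it is the `endpoint_keys_differ` flag: in the unauthenticated run Alice and Bob each hold a perfectly good session key, just not with each other. Authentication of the key-exchange values is what binds "encrypted" to "encrypted to the party I meant".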
The problem with metrics is that it always sounds like a good idea when you're thinking of implementing it and few people go beyond the "this sounds like a good idea" phase to the "how can I game the metric I just thought up?" phase.
Winners understand that tech support is a stepping stone and treat it as such. Which means that they move up as soon as possible.
Tech support managers are under pressure to keep their costs down. So unless you're okay with working for less money than the others there (but still solving as many problems / answering as many calls) you will be replaced with a new, cheaper person as soon as they can find one.
The metrics are just there to justify replacing you.
One would need to create all kinds of new laws, regulations, and enforcement agencies.. none of which would be particularly cheap.
The laws and regulations would come from Congress. And they're already paid for. So giving them something productive to do... I'm JOKING! Ha ha!
But having additional people in the enforcement agencies seems like a good idea to me with the economy in the state it is in.
The most important item would be the price point.
High enough to mean a decent wage for the producers at a fixed production level (I'm thinking "mom and pop" growers.). Say $50,000 a year? $75K? Remember that it will probably be happening in the agricultural areas of the USofA. Not Silicon Valley.
But low enough that the risk/profit ratio at each of the choke points (production / certification / shipping / sales) is a deterrent to all but the dumbest criminals (because dumb criminals are easy to catch).
We'd need some serious (and factual) number crunching to come up with the exact costs. But we have computers.
The key should be turning the multi-BILLION dollar drug trade into a multi-MILLION dollar LEGAL drug trade. Real jobs for real Americans at real wages. Where doing your part to fight the War On DRUG CRIMES means BUYING AMERICAN from your local, certified, retailer.
*American flag waves in the background* *music plays*
1. Move the production from off-shore to real USofA American farmers and small businesses. Then tax them.
2. Make sure that the products from #1 are "clean" and "certified". That means jobs for government workers filling in the paperwork and running the labs. And fees.
3. Distribution. Real Americans driving real trucks. (Tax their paychecks.)
4. Sales. More taxes.
One important thing would be to maintain the same price in every market in the nation so that there is no profit in smuggling it any more.
Another would be to limit the production by each grower. You do not want mega-corps involved. This is just to fight drug-related crime. Not to drive brand marketing. No "Joe Camel" ads. No ads at all. Plain black on white labels with the product name and the grower's government ID and the health warning.
And dump some of the tax profits into FREE programs to get people to stop using the products.
Most of the people out there would be fine as recreational users. Just as with alcohol.
How about a basic classification scheme for planets?
http://en.wikipedia.org/wiki/Class_M_planet
Except do it better. World size, composition, orbit, etc.
Then, instead of reporting about another "Earth-like" planet they could report on a class blah-blah-blah-blah planet that MAY be "Earth-like".
He's posting on InfoWorld (not known for insight) and then sending the link to /. because no one reads InfoWorld's website.
If his articles were so amazing then people would be going to the original source, wouldn't they?
Instead, he's sending his links to /.
Why is /. still linking to his articles?
"better that ten guilty persons escape than that one innocent suffer"
https://en.wikipedia.org/wiki/Blackstone's_formulation
Fascism begins when the efficiency of the Government becomes more important than the Rights of the People.
Or to put it another way ... "But the freedom for me to swing my arm ends where your nose begins".
And when the "person" being affected does not have a nose?
Because said "person" is a corporation?
The property rights of corporations have become more important than human rights.
Corporations are not people. Despite what the law would say.
If InfoWorld isn't getting enough page hits on their own with badly written stories like that, why give them any more hits?
Strange how that isn't happening.
http://www.projectrho.com/rocket/misconceptions.php
A site devoted entirely to helping with exactly that issue.
That's an example of the Dunning-Kruger effect.
http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
Anyone can design a metric that they themselves cannot figure out how to game.
From the question:
It's an internal app so just have the app log everything that the user does in that app.
Then, when the user calls to say there is a problem, the dev team can pull the logs from that machine and recreate the exact sequence of events.
And don't worry about the logs becoming too large. If the dev cannot figure that out then there are larger problems there.
Also, have the app check the versions of the libraries and such in the OS.
Was this really a question?
Don't most of the apps you use have some means of reporting problems back to the developers when they crash or have errors?
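One way to build what the reply above suggests, as an added example that is not from the thread or from the question being answered: every user action goes to a size-capped rotating log on the user's machine as one JSON line, the interpreter and library versions are written once to a separate file so rotation never discards them, and a replay function reads the rotated files back oldest-first so the dev team can reconstruct the sequence. The directory layout, the user "frank", the "click" action and the widget names are made up for the demonstration.

```python
import json
import logging
import logging.handlers
import os
import platform
import sys
import tempfile
import time

LOG_NAME = "actions.log"


def make_action_logger(log_dir, max_bytes=2048, backups=3):
    """Per-machine action log.  RotatingFileHandler caps disk use at
    (backups + 1) * max_bytes, which answers the 'logs get too large' worry."""
    os.makedirs(log_dir, exist_ok=True)
    logger = logging.getLogger("actions:" + log_dir)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    if not logger.handlers:
        handler = logging.handlers.RotatingFileHandler(
            os.path.join(log_dir, LOG_NAME), maxBytes=max_bytes, backupCount=backups)
        handler.setFormatter(logging.Formatter("%(message)s"))
        logger.addHandler(handler)
    return logger


def write_environment(log_dir, modules=("json", "logging")):
    """Record interpreter, OS and library versions once at startup, in a
    separate file so rotation never discards it."""
    record = {
        "python": platform.python_version(),
        "platform": platform.platform(),
        "modules": {m: getattr(sys.modules.get(m), "__version__", None) for m in modules},
    }
    with open(os.path.join(log_dir, "environment.json"), "w") as fh:
        json.dump(record, fh, sort_keys=True)
    return record


def log_action(logger, user, action, **details):
    """One JSON line per user action, so the sequence can be replayed exactly."""
    record = {"ts": round(time.time(), 3), "user": user, "action": action, **details}
    logger.info(json.dumps(record, sort_keys=True))
    return record


def replay(log_dir, backups=3):
    """Read the rotated files oldest-first and return the surviving actions in order."""
    base = os.path.join(log_dir, LOG_NAME)
    paths = [f"{base}.{i}" for i in range(backups, 0, -1)] + [base]
    events = []
    for path in paths:
        if os.path.exists(path):
            with open(path) as fh:
                events.extend(json.loads(line) for line in fh if line.strip())
    return events


def demo(n_actions=500, max_bytes=2048, backups=3):
    """Simulate a session of n_actions clicks (constructed input), then pull
    the logs back the way the dev team would after a support call."""
    log_dir = tempfile.mkdtemp(prefix="actionlog-")
    env = write_environment(log_dir)
    logger = make_action_logger(log_dir, max_bytes, backups)
    for i in range(n_actions):
        log_action(logger, "frank", "click", widget=f"button{i}")
    events = replay(log_dir, backups)
    log_bytes = sum(os.path.getsize(os.path.join(log_dir, f))
                    for f in os.listdir(log_dir) if f.startswith(LOG_NAME))
    return {
        "env": env,
        "events_kept": len(events),          # older actions rotated away
        "last_event": events[-1],
        "log_bytes": log_bytes,
        "disk_cap": (backups + 1) * max_bytes,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The trade-off the cap makes is visible in `events_kept`: with 500 clicks and 8 KB of log the oldest ones are gone, so the retention window has to be sized for how long after an action a user typically calls support. Anything the user types into the app (passwords, account numbers) should be excluded from `details` before it reaches the log.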
Wow. Explosives.
Soooooo........ where are the trials for the people trying to take explosives onto the planes?
You'd think there'd be all kinds of news reports about that, wouldn't you?
People always get that bit confused. What it REALLY means is
"A person who spends money in a recklessly extravagant way."
Nice name for this program.