Swedes: Closet VRM activists?


A recent post by Mary Hodder on the VRM list discussed the news of the Swedish Data Inspection Board banning Google cloud services such as Docs, calendar and email over privacy concerns.  Mary writes:

It’s going to be a PR struggle to convince regular people that “personal” or personally directed services (VRM) style are different than general cloud services.. because I bet that Google would argue that Google apps are personally directed.. nothing happens unless the individual uses the services, from Google’s perspective. But the individual’s data  isn’t controlled by the individual, VRM style.

So I think this will be the pivot point.. convincing the public, as well as the companies and governments, that it’s not “personal” unless the individual controls their own data, not just the use of the product.

What is interesting to me about the privacy issues unfolding of late, especially in the wake of the PRISM revelations, is that VRM-y cloud apps already exist that address the issues the Swedes raised, and privacy concerns in general.  If Cole Sear were here he’d tell you the same thing:  “I see VRM apps. Floating around the cloud like regular apps.  They’re VRM except, they don’t see each other.  And they don’t say they are VRM.  They don’t even know they’re VRM.”


Big Data? No. Big Signal!

One of the best ways to understand VRM (Vendor Relationship Management) is to look at it from a more familiar perspective.  When it comes to consumer data, one of the most familiar perspectives is that of Big Data, so naturally many questions about VRM are couched in Big Data terms:

  • How big is VRM data anyway?
  • How much data is (or will be) in the personal cloud?
  • Who crunches VRM data to come up with something useful?

The answers to these questions lead to one inescapable conclusion: VRM isn’t a difference in scale.  It is a difference in kind.  This isn’t Big Data.  It’s Big Signal.


Duking it out with miicard

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again.  They are pretty good, use HTTPS where it counts, don’t email my stored password around, and I even let them verify bank accounts.  But they are not without some issues.  In the interest of cutting to the chase, I’ve emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post.


MQTT and Personal Clouds

In an email to the Personal Clouds list, Johannes wrote:

Let’s say I’d like to use MQTT to make the doorbell in my house communicate with the living room lights. I think what would have to happen is this:

  1. the doorbell and the living room lights would have to be an MQTT client each
  2. somewhere in my house I’d run an MQTT server
  3. doorbell and living room lights need to find that server, and register with it, one as a “producer” of information, one as a “consumer”
  4. some piece of code that runs the logic (“If somebody rings the doorbell like …—…, flash the living room lights in red”) must run somewhere in my house
  5. that piece of code would subscribe to appropriate topics as producer and consumer on that MQTT server

Am I getting this about right?
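The five steps in Johannes’s message, worked through as an added example that is not part of the original email or of the author’s reply: a small in-process Python model of a broker that routes by MQTT topic filters (the spec’s “+” and “#” wildcards) and enforces a per-client publish/subscribe ACL, plus the doorbell, lights and rule-logic clients. The topic names, the ACL layout, the “flash:red” payload and the ring pattern “...---...” (standing in for the email’s “…—…”) are my assumptions; nothing here speaks the real MQTT wire protocol or touches the network.

```python
"""Added example: in-process model of the doorbell/lights MQTT layout from the
email. The Broker routes by MQTT topic filters ('+' = one level, '#' = rest)
and enforces a per-client ACL, so each client is registered as a producer
and/or consumer of specific topics. Constructed for illustration; no network,
no real MQTT protocol. Topic names and the ACL layout are assumptions."""


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT topic-filter matching per the spec's wildcard rules."""
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":                      # multi-level wildcard: must be last
            return i == len(f_levels) - 1
        if i >= len(t_levels):                # filter is longer than the topic
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


class Broker:
    """Step 2: the MQTT server running in the house. Besides routing, it keeps
    an ACL so the doorbell can only publish and the lights can only subscribe."""

    def __init__(self):
        self.subs = []      # (topic filter, client)
        self.acl = {}       # client id -> {"pub": [topics], "sub": [filters]}
        self.denied = []    # audit trail: (client id, operation, topic)

    def register(self, client_id, pub=(), sub=()):
        """Step 3: a client registers as producer (pub) and/or consumer (sub)."""
        self.acl[client_id] = {"pub": list(pub), "sub": list(sub)}

    def subscribe(self, client, filter_):
        if filter_ not in self.acl.get(client.id, {}).get("sub", []):
            self.denied.append((client.id, "sub", filter_))
            return False
        self.subs.append((filter_, client))
        return True

    def publish(self, client, topic, payload):
        allowed = self.acl.get(client.id, {}).get("pub", [])
        if not any(topic_matches(f, topic) for f in allowed):
            self.denied.append((client.id, "pub", topic))
            return 0
        delivered = 0
        for filter_, subscriber in self.subs:
            if topic_matches(filter_, topic):
                subscriber.on_message(topic, payload)
                delivered += 1
        return delivered


class Client:
    """Step 1: the doorbell and the lights are each a plain MQTT client."""

    def __init__(self, client_id, broker):
        self.id = client_id
        self.broker = broker
        self.received = []

    def on_message(self, topic, payload):
        self.received.append((topic, payload))


class RuleEngine(Client):
    """Steps 4 and 5: the logic is itself a client, consumer of the doorbell
    topic and producer on the lights topic. The ring pattern is an assumption
    standing in for the email's '...---...' style pattern."""
    PATTERN = "...---..."

    def on_message(self, topic, payload):
        super().on_message(topic, payload)
        if payload == self.PATTERN:
            self.broker.publish(self, "home/livingroom/lights/set", "flash:red")


def run_demo():
    broker = Broker()
    broker.register("doorbell", pub=["home/doorbell/ring"])
    broker.register("lights", sub=["home/livingroom/lights/set"])
    broker.register("logic", pub=["home/livingroom/lights/set"],
                    sub=["home/doorbell/ring"])
    doorbell = Client("doorbell", broker)
    lights = Client("lights", broker)
    logic = RuleEngine("logic", broker)
    broker.subscribe(lights, "home/livingroom/lights/set")
    broker.subscribe(logic, "home/doorbell/ring")
    broker.publish(doorbell, "home/doorbell/ring", "single")      # ignored by the rule
    broker.publish(doorbell, "home/doorbell/ring", "...---...")   # triggers the flash
    # The ACL keeps the doorbell from driving the lights directly.
    broker.publish(doorbell, "home/livingroom/lights/set", "flash:red")
    return {"lights": lights.received, "denied": broker.denied}


if __name__ == "__main__":
    print(run_demo())
```

The point of the ACL is the “producer” versus “consumer” distinction in step 3: a real broker lets you grant each client only the topics it needs, so a compromised doorbell cannot command the lights, and the `denied` list is the kind of audit trail you would want the broker to log.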

My response outgrew an email so I’m posting it here.


Minimal web security recommendations

For many years now, I have made an effort to contact owners of insecure web sites and attempt to persuade them to fix the sites.  Lately, as I have become increasingly involved with the Personal Clouds and Vendor Relationship Management communities, I have found many insecure web sites within those communities.  These communities are relatively new, fast growing and potentially transformative of Internet commerce and culture at large, so it’s important that security does not become a choke point for growth.  It is also my contention that the consolidation of one’s information into a personal cloud results in greater risk and therefore requires consistently strong and effective security design.  With this in mind, I offer my minimal list of requirements for any non-trivial web site.


Why break stuff?

If you are a project manager in charge of building your company’s new, strategic, bet-the-business application, you are probably going to look for people exceptionally skilled in designing and building complex architectures. We all know people like this. They have an almost magical ability to conceptualize an idea, lay out a precise roadmap from here to there, and then deliver the most amazing products. The ability to build something from nothing, and to do so with exceptional skill, is a rare gift. It requires a certain mindset which we all have to varying degrees, but that for a very few seems inborn and as natural as breathing. It is an orientation toward synergistic processes. And if you need security, that’s the problem.

Developing a security architecture or finding weaknesses in existing systems requires an orientation toward entropic processes. For the best security architects, this mindset seems inborn and as natural as breathing. While it is possible to have deep skill in both the synergistic and entropic domains, people are primarily oriented toward one or the other. It is very similar to right- or left-handedness. Application people are comparable to the right-handed crowd, security people to the left-handers. Each group has varying degrees of dexterity in the non-dominant domain, but true ambidexterity is extremely rare. The difference is that when you are staffing a project, you don’t go out of your way to make sure there are a few left-handers on the team. You may go out of your way to hire a security specialist or two, but how do you identify the best candidates? Sure, you look at their track record of successful security work. But do you look for their primary orientation, synergistic or entropic? Now that you know, will you ever not look for that trait in a security specialist again?

My name is T.Rob, and I break stuff.

Why leave IBM?

Since announcing my departure from IBM, there have been many questions about the move:

“What happened?”
“Why are you leaving?”
“Is there a non-compete that keeps you from coming back and working for us?”

I want to put any speculation to rest and explain all this in one place so I can just send a link.  It’ll be easier for all concerned.  Let me take these in order.


What happened?

Nothing “happened” in the sense of a precipitating event or ill will on anyone’s part.  Sorry, but there is just no dirt to dish here.  If you want drama, go read The Odd is Silent and search for “Nosy Store Clerks.”


Why are you leaving?

Best explanation I’ve written is posted on Facebook:

IBM’s expectations of me in PLM were preventing me from spending as much time as I’d like in the WMQ community. As a PLM you are doing all sorts of behind-the-scenes work that takes time from public-facing activities and are often working on things that are unannounced and confidential and you can’t talk about at all. So it was actually difficult to do that and contribute externally. My intention is to work more in the community and be a bigger asset to WebSphere Messaging externally than I was internally.

Fact is, I’m pretty good as a consultant and fairly suck as a product manager. It seemed like a good idea at the time, didn’t work out, and neither I nor IBM have hard feelings about it. In fact, I’m cleared to work through ISSW, so I can continue to serve the same customers even as I’m out meeting new ones. It can only get better for me, for IBM and for the WMQ community out there with this move.

If you’ve worked with me as a consultant, you know that when it comes to deep technical topics I’m in my element.  Give me a set of requirements to design from, or a misbehaving system to troubleshoot, or a security perimeter to penetrate, and stand back.  But whether it’s my Asperger’s, my temperament, a deficiency in “soft skills,” or some combination of all these, I wasn’t nearly as effective in product management as I am in a technical or teaching role.  Not that I was bad at it, but I can’t stand to toil away being merely good at one job knowing there’s another where I excel.


Can you work for us?

Yes!  I’m available as an independent or if you have a preferred vendor list, I have agreements with several established services firms, one of which is bound to be on your list.  As alluded to in the last section, IBM Software Services is one of the firms I’m able to sub-contract through.  In the few cases where there’s a non-compete issue, all I need to do is refer you to the IBM Software Services Practice Manager.


Bonus question: So why not go back to ISSW?

I’m extremely interested in Internet of Things, Personal Clouds, Vendor Relationship Management and Identity Management.  IBM doesn’t cover all these spaces, and where they do they tend to specialize.  I’m a “deep generalist”.  I want to do all of these at once.  And, of those they do cover, IBM tends to work in the Enterprise space, whereas some of the things that most entice me are happening in startups.

So who is my target market?  Anyone from my regular large enterprise customers all the way to the small startups at the other end of the spectrum.  And if you are located in one of the two states I have yet to visit (Alaska and Hawaii) I’ll figure out an incentive for you.

Site launch!

Thanks to all the people visiting the new site and inquiring.  I’ve given notice to IBM and now have a firm availability date under the new business as of May 13th.  The new site will begin to take shape very shortly with some new blog posts.  The Store and Forward blog will still get WMQ security-related news.  This blog will carry WMQ posts not related to security, plus Internet of Things, Identity Management, VRM and all the other technical topics.

Rather than setting up all new social identities for IoPT Consulting, I’ll continue to post as @tdotrob on Twitter, and on the usual Facebook and Google+ pages.

WebSphere MQ Security


Organizations tend to progress through several maturity levels with respect to security.  The first of these is a perception of security as a very difficult discipline.  One indicator of this maturity level is that the organization knows it is weak in this area, and the expectation of possible security exposure fosters an attitude of vigilance and a willingness to engage specialists.  It pays at this level to hire the best practitioners available and then focus on skills transfer as a large component of the engagement.

Despite the myths, security controls are really not difficult to master.  Most of the work is simple configuration and a few command-line scripts.  As the organization gains some familiarity with security, the perception swings to the other extreme.  Security is now easy.  Once the configurations and command syntax are understood, the organization designs a set of controls and then implements them across the messaging network.  Once the security issues have been addressed, the organization becomes resistant to further changes.  Nobody wants to be the one to raise the security flag again.  Due to that inertia, most organizations do not proceed past this maturity level.  The primary indicators of this maturity level are confidence and a reluctance to engage specialists.  The organizations that believe most strongly in their own security are the ones most likely to under-invest and fall behind over time.

The next higher maturity level comes from a deep understanding of the many security controls and the interdependencies between them.  Although the configuration and commands are easily mastered, subtle interactions between them determine whether the resulting system is effectively secured … or not.  The complexity of the systems involved and the variety of security controls available mean that the possible interactions are endless.  The result is that organizations with the deepest skills doubt the effectiveness of their security controls.  They invest more heavily in the detection and recovery aspects of the system, they continuously test and probe the security, and they train their in-house staff well.  They also understand the one thing a consultant brings to the table that their permanent in-house staff cannot provide: a perspective not bound by the organization’s culture and expectations.  Organizations at this maturity level engage a particular type of specialist.  They need someone who will challenge their own highly skilled people.  They need the best.  They need IoPT Consulting.

Your certified and experienced IoPT Consulting professional provides a full range of expert WebSphere MQ security services for organizations of any size and at any maturity level.  Pick from one of the offerings below or contact us to discuss your specific requirements.

  • Free Security Health Check
    IoPT will, at no charge to you, review the configuration of selected queue managers and provide a written report noting any issues found, including recommendations for next steps as needed.
  • Regulatory Compliance
Avoid surprises.  Get a heads-up on critical security issues before the auditor arrives.  Dodd-Frank, PCI, HIPAA, FIPS: all regulatory regimes have a few things in common: authentication, authorization, accountability, and availability.  When it comes to WebSphere MQ, AMS, FTE Broker, and MQTT, these are our core competencies.
  • Security Architecture
    The best time to design security is to bake it into the application design and enable it from Unit Test all the way through to Production.


Meet me at IMPACT!