Do 1st graders have all the answers? Convenience and risk considered.

It wasn’t too long ago that installing an application took an IT professional. Now it’s so easy a first grader can do it. If you have an Android, iPhone, or Windows Phone 7, your first grader can search for an application in the marketplace or app store and install it. Not only is it easy, it is also convenient. I know I’m not the first person to notice that convenience is a phenomenal sales tool. The more convenient something is, the easier it is to make the sale. All companies are driven by revenue and not security. Vendors which offer a device you carry in your pocket have the ultimate convenience. On the flip side, SAP installs have been known to take years and require hundreds of IT people. This is the old model. The new model is to use a cloud solution with a web based interface which requires no install, or a mobile app/web install. Floppy disks were replaced by CD/DVDs, and CD/DVDs have been replaced by a connection to the internet.

The unfortunate truth about not requiring a disk (yes, I’m showing my age) to install software is that it has possibly become too convenient. Ok, there’s no such thing as too convenient, but it helps me emphasize my point. One of the controls which IT savvy people have taught for years is to be careful what software you install. This helps prevent malware from making it onto your computer and is augmented by access control settings within the operating system which prompt before allowing installation. Primary examples are Windows 7 User Account Control (UAC) and OS X/Linux “sudo”. There are some differences between mobile devices and desktops and laptops. These differences primarily include the availability of location based information and the additional access layers added by the platform vendors to isolate applications from the hardware.

The extreme convenience of application installation under app store models is blurring the risk and leading to a change in the security model. Mobile device manufacturers are not providing root access by default, whereas desktop operating system vendors traditionally provide administrative access out of the box. Since people are tech savvy and used to having admin access on their laptops, they are requesting and even expecting to have it on their mobile devices. This is part of why the jailbreak and root/ROM websites/blogs are proliferating. The mobile device vendors have the right idea in not granting root access to the user. It makes it much harder for malicious programs to infiltrate the device.

The question has always been one of trust. Who do you trust? The phone manufacturer or your operating system vendor? Do you trust the marketplace/app store owner? The application author? Device users may need to change their behavior and actually read the notifications regarding what information/hardware they are permitting the operating system, marketplace, or application to access.

I think we can agree the days of long setup and install times are gone. This is a great thing! Self-service and instant software acquisition are here to stay. However, the ability for users to install apps immediately using an app store is making IT departments across the globe look like they are not agile enough to meet their business’s needs. At the same time, the ability for the business to execute an instant install is increasing the risk tremendously.

To link back to the opening thoughts of this blog article… Do IT departments need to compete with 1st graders? If IT departments can’t create convenient, secure installation scenarios to make tools available to business partners, then the business partners will go directly to cloud or mobile vendors. This is an opportunity. We as practitioners need to collaborate with our business partners, vendors and solution providers to create an educational feedback loop which allows the users to knowingly manage their trust relationships and security.


Secure your light bulbs!

The world is going crazy with endpoints and devices.

Everything is connected to the internet. Google recently partnered with Lighting Science Group as part of their Google@Home effort. At a recent industry event they demonstrated light bulb endpoints which are connected to the Internet via a new wireless solution controlled by your Android device. There are Blu-ray players which are connected to Netflix and Hulu. Home stereos can now integrate across the web to Rhapsody and Pandora. Even your car is connected to the internet for music and soon there will be other internet enabled functions in your vehicle.

While the ability to connect to and manage various devices and endpoints via the internet and other integrated technologies is exciting, there are two things I’d like to convey related to these technologies.

1. Don’t forget security as you connect everything.

2. At Minds4IT when we say device, it means a phone, tablet, laptop, or other computer which is used interactively and when we say endpoint it is anything which you can connect to through any network.

I anticipate referencing these terms often in future articles so here are the definitions of each more succinctly:

Device is any electronic component or computer which allows input, including stereos, Blu-ray players, phones, tablets, laptops, desktops, car, etc.

Endpoint is any electronic component connected to a network which can be controlled using a device but has no direct input mechanism, including light bulbs, door lock systems, etc.

It’s important to delineate the two, as endpoints generally have minimal security built in. Endpoints rely on being connected to a secure network. If they are not secured through the network and network services, then any device which can find a path to them may be able to control them (a firewall controls the paths). Endpoints do not have the resources for a firewall and therefore need network layer protections, whereas a device may be capable of running its own security control, such as a firewall (some can, some can’t). Not every device has the ability to control its own security; but where security controls can be enabled within the device, enable them, so that those controls extend to the entire environment including the endpoints.

Endpoints sometimes evolve into devices. Printers were originally endpoints. As printers became network aware, input panels, hard drives and local operating systems were added. As a result, the printer turned into a device.

An example of poor network security permitting device compromise is Firesheep. When connections to Facebook and Google were not protected by network controls, any device could be used to impersonate the user. The moral is that even your light bulb needs security. To ensure the security of your light bulbs, ensure they only connect to your secure network. Granted, there’s probably no market for controlling your light bulbs; therefore, you are safe. But if your best friend wanted to play a cold hearted trick on you, it could be a source of opportunity.


Iterative Processes create Evolution and Innovation

Documented processes and innovation are not counter opposed to each other.

At the core of the figure eight feedback loop and other management methodologies such as Six Sigma and Agile development is the concept of iterations. The more times something is performed, the more opportunity there is to find improvements and better a process or the end result of a process. It is Darwin’s concepts applied to humans, machines, and their interactions. For example, the first time you rode a bike, unless you were a child prodigy, you were not very good at it. But through practice (iteration) you eventually got really good. You can call it what you will… practice, iteration, evolution, improvement… the basic premise is that something repeated will allow the person repeating it to get better over time. I’ve found the difference between practice and iteration/evolution to be knowledge of the end result. When riding a bike you want to be able to balance and not put your feet down. When shooting a basketball, you want that basketball to go through the hoop.

With IT you sometimes don’t have hard and fast definitions of success. Or the definition changes over time. You may not know exactly what the end product should be until you’ve reached the end. This is one of the problems with long, complex projects. The traditional method to develop software or install large complex systems has been a technique called waterfall. You document the requirements, create a project plan, and then execute over what may be years. At the end of this multi-year effort you achieve what you set out to do! Except in the meantime the world has changed. A lot happens within two years, in both IT and business. Disruptive technologies come along, or a recession could occur. In addition, the people involved with the project learn new techniques or change the way they think about something. All of these things, in addition to complexity, are what I believe cause IT projects to fail.

So how do you avoid this cause of failure? Iteration and evolution. The old adage has never been truer. How do you eat an elephant? One bite at a time. The key is to break any effort into small chunks. Not only to allow you to claim success, but also to permit evolution. The creators of the Agile Manifesto knew this. The creators of Scrum believe in this. These concepts are not limited to software development. They can be applied to security and infrastructure as well. For example, incident response: every time an associate leads or participates in responding to an incident they learn a few things and get better at it. Or risk management: in each iteration of risk management a company goes through to demonstrate to management that its risks are within the company’s tolerance for risk, the team will add a few risks, implement and record a few new controls, or improve existing controls to better manage the risk. Business continuity is another example. Fake outage/disaster situations are staged to allow people to iterate the process before an actual business interruption event.

What makes these examples successful in their iterative methods? How do you create a process like these examples which provides feedback and the opportunity for innovation?

The methods to do this are simple but easy to overlook. They include instrumentation. If 5 widgets were produced in 1 hour last time, then possibly we can produce 6 widgets in 1 hour next time. However, you have to be tracking the number of widgets per hour to see this and create the opportunity to achieve 6. Another method to encourage these improvements is post issue reviews. Call them post mortems, review sessions, problem reviews or whatever. The intention is to capture things which were performed correctly as well as items performed incorrectly so this information can be used in future similar issues. IT systems, such as a dashboard or a problem review application, can be used to dramatically reduce the overhead and improve the abilities of these efforts.

The objective of management is to create a culture of success and evolution by embracing and promoting these opportunities for iteration/practice. Experience has taught me that it’s up to the leaders to embrace this type of culture. It starts with allowing people to make mistakes by creating the safety nets which limit the risk of those mistakes. Processes like change management allow the necessary parties to review a change before it’s implemented, so that concerns are identified and raised before problems occur. Back out plans add the safety of a defined method to return to normal. When combined in an effective way, the recipe of iterative processes enables unavoidable IT success, business success, and associate success.

The best damn ship in the Navy demonstrates the final piece in this equation. The ability to receive feedback and utilize it to improve the process during the next iteration is a key concept in this book. The author, commander of the USS Benfold, goes to the people doing the work to determine how to improve his ship and then executes those recommendations. As a manager you must focus on providing the opportunity for improvement, utilizing the information and turning it into actions. This builds trust with your associates, enabling the improvements to occur and creating a culture of innovation and evolution.


Opportunities

You have heard it before… “It’s not a challenge it’s an opportunity!”

What exactly does that mean?

How can this huge hurdle someone has placed in front of you be an opportunity? It’s going to be difficult, it’s going to cause change, it’s going to take a lot of time which I do not have! Time is a function of priorities; that is a discussion for another time. What I am going to focus on is the mobile device challenge… err, opportunity. Mobile devices are part of most IT discussions, strategies, roadmaps, and challenges right now. I promise you, this is an opportunity.

If the business and/or executive management want iPads, it’s the perfect time to ask for additional funding or additional people. Dealing with Android phones is going to require changing how smartphones are managed, which means it’s an opportunity to request an opening of the purse strings. Your business is requesting new functionality from you. Are they willing to pay for this new functionality?

Are you the partner the business is reaching out to for help solving their technology challenges? Should you be? That’s how “opportunities” happen. Your company needs you to help them enable their associates by securely implementing tablets. They do not know if the solution integrates easily or if it is running Windows, and the technology probably is not one you are comfortable with and know well. Use this as an “opportunity” to explain these things to management and negotiate what you would need (people, money, equipment?) to meet the organization’s requirements and help them meet their goals.

Now, that’s an opportunity!

Embrace the technology, assist the business partner with defining their requirements, document the risks using good Information Risk Management, and then drive results!

This is why successful IT folks look at challenges as opportunities.


Figure Eight Feedback Loop

Two problems for detective and corrective security controls are education and false positives. Education refers to providing the appropriate knowledge required by users of the system or data being secured. Simply stated, the people using the system or data need to know how to manage the security control to both enable secure use and minimize the inconvenience of the control. False positives are the act of identifying a risk when there is no risk present. For example, identifying a legitimate Windows system file as a virus and quarantining it. Or incorrectly identifying a phone number as a social security number: they both start with three digits (XXX) and end in four digits (XXXX), separated by dashes.

One method of managing both of these security problems which is enabled by the IT savvy mind is what I call a Figure Eight Feedback Loop. The figure eight is created by two feedback loops next to each other which feed information to each other.

  • Loop 1
    • Action is triggered by automated identification of a risk; the event is recorded
    • System/data user is prompted, including specifics about what/what automated trigger occurred (Education)
    • User is allowed to make a decision
    • Decision is recorded
  • Loop 2
    • Automated identification and decision records from loop 1 are utilized.
    • Review of identification and decision information by security resources
    • Automated identification triggers are revised to reduce false positives
    • New automation triggers included in loop 1

Let’s look at a more concrete example to get a better grasp. As many of you know, it’s a Payment Card Industry (PCI) violation to send credit card information via unencrypted e-mail. This creates a problem if a customer sends their credit card number (CC#) in an e-mail to their financial institution. The customer service representative needs to be knowledgeable of the regulation and ensure they remove the CC# in the event they reply to the customer. To assist in resolving this problem the financial company can institute e-mail data loss prevention tools.

  • Loop 1 – Host Data Loss Prevention (DLP) software on company computer scans e-mail for violations of information security policies
    • E-mail DLP tool scans e-mail for credit card numbers when the user hits the Send button.
    • If CC# is found prompt the user. “It looks like there is a credit card number(CC#) contained within this e-mail. It is against Payment Card Industry (PCI) – data security standards (DSS) to send CC# data via unencrypted communication. Please review the e-mail and make sure CC# is not present (No CC# present button) or hit (Cancel Sending) if you find CC# data. Thank you.”
    • Decision by user after review of e-mail
    • Record of possible event is recorded in system for review by security resources
  • Loop 2 – Insider threat team reviews Host DLP log files to improve patterns used to identify credit card numbers
    • Security team selects either samples or reviews all transactions as appropriate, to identify when associates continued to send CC#s (policy violation) and when the system falsely identified a number as a credit card number
    • If policy violation, then the associate and the associate’s manager are involved to understand the risk to the company, with possibly a warning or termination if the severity of the violation warrants it
    • If false positive, patterns used in identifying credit card numbers are refined to manage the situation
    • New automation is loaded into loop 1
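The two loops of the DLP example, as an added illustration that is not part of the original post or of any vendor’s product. Loop 1 scans an outgoing mail with a deliberately loose first-generation pattern, prompts the user and records the decision; loop 2 reviews the recorded events and, for each false positive, loads a refinement back into loop 1. The candidate pattern, the Luhn mod-10 check used as the refinement, the constructed sample mail bodies and the public Visa test number 4111 1111 1111 1111 are all assumptions of this example, not anything the post specifies.

```python
"""Figure-eight feedback loop around an e-mail DLP check (constructed example)."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Loop 1's first-generation trigger (assumption): any run of 13-16 digits,
# optionally separated by single spaces or dashes.  Deliberately loose, so
# loop 2 has false positives to learn from.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check.  Real card numbers satisfy it; order and ticket
    numbers usually do not, which makes it a cheap false-positive filter."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Refinements loop 2 may load into loop 1; each returns True if the candidate
# should still be treated as a card number.
REFINEMENTS: Dict[str, Callable[[str], bool]] = {"luhn": luhn_ok}


@dataclass
class Event:
    message_id: str
    candidate: str                          # digits only
    user_decision: Optional[str] = None     # "no_cc_present" | "cancel_send"
    reviewer_verdict: Optional[str] = None  # "false_positive" | "policy_violation" | "handled"


@dataclass
class DlpControl:
    active: List[str] = field(default_factory=list)   # refinements currently in use
    log: List[Event] = field(default_factory=list)    # shared between the two loops

    # ---- Loop 1: automated trigger, user prompt, decision recorded -----------
    def scan(self, message_id: str, body: str) -> List[Event]:
        """Return one Event per candidate surviving the active refinements.
        An empty list means the mail goes out without a prompt."""
        events = []
        for match in CANDIDATE_RE.finditer(body):
            digits = re.sub(r"\D", "", match.group())
            if all(REFINEMENTS[name](digits) for name in self.active):
                event = Event(message_id, digits)
                events.append(event)
                self.log.append(event)      # "record of possible event"
        return events

    def prompt_text(self, event: Event) -> str:
        """The educational prompt; only the last four digits are echoed back."""
        return (f"It looks like a credit card number ending in {event.candidate[-4:]} "
                "is in this e-mail. PCI DSS forbids sending it unencrypted. "
                "[No CC# present] [Cancel Sending]")

    def record_decision(self, event: Event, decision: str) -> None:
        event.user_decision = decision

    # ---- Loop 2: security review of the log, refined trigger loaded back ----
    def review(self, verdicts: Dict[str, str]) -> Dict[str, List[str]]:
        """verdicts maps message id -> reviewer classification.  Every false
        positive that an inactive refinement would have suppressed causes that
        refinement to be loaded into loop 1; policy violations are returned
        for follow-up with the associate and their manager."""
        added, violations = [], []
        for event in self.log:
            verdict = verdicts.get(event.message_id)
            if verdict is None:
                continue
            event.reviewer_verdict = verdict
            if verdict == "policy_violation":
                violations.append(event.message_id)
            elif verdict == "false_positive":
                for name, check in REFINEMENTS.items():
                    if name not in self.active and not check(event.candidate):
                        self.active.append(name)
                        added.append(name)
        return {"added": added, "violations": violations}


def run_demo() -> Dict[str, object]:
    """One full pass through the figure eight on constructed sample mail."""
    dlp = DlpControl()
    mails = {                                 # constructed sample bodies, not real data
        "m1": "Your order 1234-5678-9012-3456 has shipped.",          # not a card
        "m2": "Please charge 4111 1111 1111 1111 for the balance.",   # public Visa test number
    }
    first = {mid: dlp.scan(mid, body) for mid, body in mails.items()}
    dlp.record_decision(first["m1"][0], "no_cc_present")   # user: that is an order number
    dlp.record_decision(first["m2"][0], "cancel_send")     # user: real card, stopped the send
    outcome = dlp.review({"m1": "false_positive", "m2": "handled"})
    second = {mid: len(dlp.scan(mid, body)) for mid, body in mails.items()}
    return {"first": {k: len(v) for k, v in first.items()},
            "added": outcome["added"], "second": second}


if __name__ == "__main__":
    print(run_demo())  # {'first': {'m1': 1, 'm2': 1}, 'added': ['luhn'], 'second': {'m1': 0, 'm2': 1}}
```

On the first pass both mails trigger the loose pattern; after the reviewer marks the order number as a false positive, the Luhn refinement is loaded and the second pass prompts only on the real card number. The point of the structure is that the refinement is chosen from the recorded user decision plus a human review, not hardcoded up front, which is exactly where the "new automation is loaded into loop 1" step gets its input.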

Hopefully, that example provides enough meat for us to discuss the benefits I laid out in the beginning.

  1. Education – The users of the system are informed what they did, why it was wrong, and how to correct it, before a violation of policy occurred. This proactive involvement in security decision making builds a positive image of security, educates the users of the system, and provides a foundation for other risk decisions.
  2. False positives – By educating and then utilizing the intimate knowledge of the user to determine if there is risk or not, the security resource has a much better understanding of the false positive. This enables a collection of false positives to be created and analyzed to come up with new automation methods. The control itself evolves and gets better over time.

This technique can be used for any detective or corrective control. You’ve probably already seen it and/or used it, but didn’t have a name for it. Another simple example is password requirements. Most password change processes now refuse to accept characters which are forbidden by the federated systems being managed. The user is told to try again and presented with a list of the characters they must use and the characters they are forbidden to use. This is the end state evolution of many years of figure eight feedback loops. As new creative controls are engineered, these concepts need to be applied to best serve both the needs of the business partner and the Information Risk Management requirements of the security/risk organization.


Engage the IT Mind

The name Minds4IT came into existence as I contemplated what was going on in the IT industry and heard information about Generation Y and the Millennial generation. The basic premise was that the “younger” generations are different from the generations currently within most management positions. They have different work ethics, have different expectations, and require a different style of resource management. This article is not going to debate how to manage these younger folks. Instead it is focused on a different approach to segmentation. The segmentation I am focusing upon is not age, it is technology awareness. This is also not to intimate that there are not many “older” people who are technology savvy. There is a tendency for educated people to be more technology aware because they are more likely to have white collar jobs and have more exposure to technology. However, the invention of the smartphone and the tablet have raised awareness around something called “Consumerization of IT” (COIT). COIT is essentially the tendency for the consumer to drive IT choices. While the consumer is a key factor, I don’t believe they alone are going to drive IT choices.

To me there are several minds summarized by the Minds4IT brand; the IT savvy business partner, the IT savvy consumer and the IT professional. When these minds collaborate they can more efficiently solve consumer and business problems than ever before. Many IT management books and articles have been written regarding the increasing requirements to align the IT function with the business. Our premise is different as we focus on increasing the utilization of the IT minds already in the business teams and then where necessary work with the IT resources to improve the problem resolution process. In essence to quote John Heywood; “Two heads are better than one.”

While this concept is not new or unique, it is more important than ever considering the trigger point which has occurred around exposure to computers. Young people have never known a world without them and we are building on the concept that this fundamentally changes how they think. That shift in thinking is the heart of the IT mind. Gone are the days when IT professionals can lament about the dumb users. Jokes about the Problem Exists Between Keyboard And Chair (PEBKAC) and idiot user (id-10-t) errors have no place. In many situations the business partners are as knowledgeable regarding technology as the IT department, and on top of that knowledge they have the business knowledge which is driving the increased need or use of technology. I recently heard a story from a colleague of mine regarding a CIO who had two implementations of Salesforce.com going on within his business and that these business partners were questioning their need for him and his IT department. This speaks volumes about the evolution which is occurring.

If you are reading this blog, then we are supposing you want to be part of the community driving this evolution. To drive the evolution of the technology mind you need to create the environment for success. In order to expand this evolution within your environment you must focus on the ability to leverage the IT mind. Key focus areas include the necessary management structures, technology structures, and integrated cultures to mash together the traditional IT professional with the IT savvy business partner. What are these things and how do they play a role in the evolution of the IT environment?

A. Management structure

Trust and empower your business partners. IT members need to remember not to be the “no” people, but to be the resource people. Too many IT efforts strictly focus on creating and keeping control within IT. This has Failure written all over it. IT focus should be on education and risk. Help the business put together an Information Risk Management strategy. Assist them with managing vendors by having a repeatable vendor management process. Recognize and assist the business with turning commodity items into X as a Service (XaaS): Infrastructure as a Service, Platform as a Service, Software as a Service, and any other XaaS which can be moved to a vendor or cloud.

B. Technology

The use of technology such as community forums, social media, chat, video, etc. is ever expanding in today’s business entities. Embrace the social aspects of technology; Baby boomers aren’t interested in using Facebook until they realize they can get up to the minute status on their grandchildren’s lives. IT can create up to the minute status on projects. Enable forums for people to dialog on issues or projects. Other uses of technology include promoting and increasing the use of videos on security and enabling associates to self-provision applications. Ever thought about creating an app store to distribute various applications to the user population? It’s all the rage; Ok, seriously, the intent is to empower the associate to self-service.

C. Culture

Recognize that many aspects of IT have become commodities and can best be provided by vendors, through outsourcing and economies of scale. Build a culture where these items are segmented so the IT department can partner with the business on value instead of price. By integrating both IT and the business into the team you can break down the us vs. them mentality many IT people have with their users and many associates have about IT. Collaboration and simplicity of integration are king. Both sides have knowledge and value to provide; the key is to find a way to allow them to bring that context and experience to the table equally.


Forcing Wireless Carriers to Embrace Change Control

I am excited by the progress wireless carriers are being forced to make regarding software updates! Prior to smartphones and data plans the software on a phone was not accessible from the network. Now that phones have IP addresses they have the potential to have vulnerabilities and the ability to be updated over the network. Unfortunately the concept of effective change management seems to be relatively new to carriers.

Evidence of these ongoing challenges is apparent in the fragmentation of the Android market, as well as the length of time it took Microsoft and the various carriers to update Windows Phone 7. Apple and AT&T have been fighting these issues for years. You can look back at upgrades for iOS 2.0, 3.0, 4.0, etc. There were long time periods between when the iOS updates were released and when they were applied. To those who have been in IT for a while, the issue of software updates is not a new problem. There is usually a small percentage of devices which don’t handle a software update well. Sometimes it’s a previously installed application which isn’t compatible. Other times it’s a shared file between two programs. It also might be artifacts left in the configuration files. The end result is always the same: the newly installed application doesn’t work, an existing program doesn’t work, or in the worst case the device will no longer boot or connect to the network.

Could you imagine if this occurs on a large number of phones? The local cellular store would be overwhelmed with people. The user base would be completely frantic. (If you have ever forgotten your phone, you know how naked you feel without it.) The good news is operating system models, software programming, and testing have matured to a point where this doesn’t happen as frequently. However, it could still happen. For that reason the carriers are rightly concerned and afraid of phone updates.

I mention this because it’s indicative of security and operational maturity. The more secure and experienced an organization, the better these change processes are fleshed out, making them easier and more predictable. The time and difficulty of change control occurring in the smartphone space is sending a clear message. I believe the manufacturers, OS vendors, and carriers are not very mature, which further increases the risk related to vulnerabilities. If these businesses are not prepared to react quickly, then a known vulnerability will be exploitable for a much longer period of time. The critical path is usually related to testing and complexity. The more complex the environment, the more testing is required. Initial testing has to be created and validated manually, as do most changes to the testing plans. This takes significant time, until it can be automated. Also, as complexity increases the likelihood of conflict increases, requiring retesting after the conflict has been resolved.

The lack of maturity and continually increasing levels of complexity are driving the extended periods between updates: the long periods between when an update is released for Android, iOS, or Windows Phone and when/if all devices receive it. Microsoft has put together a website which describes how they released the update, demonstrating it’s the manufacturers and carriers who are delaying it from getting to phones. I suppose Apple has an advantage in this sense as they are both manufacturer of the hardware and developer of the OS, unlike Android and Windows Phone. However, that advantage is lost when they don’t have transparency. Apple is notorious for not discussing their security, vulnerabilities, and patches. I believe this is the wrong approach. It takes a village to raise a kid and it takes an active, transparent community to keep things secure. This is why I’m ecstatic that carriers and manufacturers are finally working on change control and security within their smartphones!


Information Risk Management and Opportunities

Within our earlier posts we have discussed how we need to focus on information security from the information risk management approach; but now you are probably wondering how Information Risk Management (IRM) can work with your job requirements to ensure the organization’s security of information is appropriate and complete. An Information Risk Management approach gives you a strong foundation to build upon.

Maybe you are an organization that is dealing with a risk which potentially could cause the organization irreparable harm or even organizational failure. Maybe your organization has to comply with a variety of regulations from SOX to PCI DSS v2 and you are worried about the ever increasing costs of completing all of the audits. This is where Information Risk Management can not only increase the value of information security but also assist the organization in reducing the cost impact of meeting these regulations.

Let’s use the current discussion regarding mobile systems’ tracking of location information as an example of a risk which could potentially cause irreparable harm to the organization. Through IRM we can determine the level of concern we have with respect to the real issue at play within our overall information security control structure. In effect we are using an information focused approach to determine where the organization needs to focus its controls and testing efforts. If we deem the mobile data a critical component of the business processes, then we can implement appropriate security over our systems based on the information criticality. Our risk analysis should be ready to define the impact, the potential control failures/requirements and then finally the level of controls which should be implemented as an organization.

During the controls review there are several areas of concern which may be critical to demonstrating effective controls. Some control dynamics that come to mind are the concept of corporate liable vs. individual liable ownership of the services and the hardware. Have you looked at the solution from the perspective of hardware independence? Have you investigated the solution from the perspective of software independence and ownership of the device, and what level of controls would be required under each of the possible approaches to reducing the potential risks? This is where the information security, internal auditing and business teams can integrate to provide real consulting approaches to reduce the risk impacts.

Does this risk management and resulting controls development process state that an organization should not allow these devices within their organization? No; but what it does provide is a foundation on which a management decision can be made with respect to the level of appropriate or inappropriate use of the technology within the enterprise.

Information Risk Management (IRM) can be the foundation not only for point-in-time management decisions; it can also be used to assist in determining what overall information controls are required to meet global control standards such as PCI, Sarbanes-Oxley, ITIL, SSAE 16, etc. Many of these standards, while specific in their own right, are also based on or derived from similar standards, and through the Risk Identification and Analysis approach management can define which controls are important to the various standards and, further, the level of importance of each control. Take, for example, a control centered on the requirement to complete a Business Impact Analysis (BIA) and then the related Business Continuity Plan (BCP): certain standards dictate this as a critical requirement because it drives the ability of the organization to meet customer requirements and recover its systems within an effective timeframe. Other standards may look at the ability of the organization as a whole to recover and be a functioning entity in the event there is a situation requiring the enactment of the BCP. Here again we are using IRM to build the foundation necessary to allow a management decision around the level of control focus and the impact of the control with respect to the intent of the standard(s) against which the organization is measuring itself.

Note that the ultimate goal of both scenarios discussed above is the development of support for a management decision and not an information security decision. In effect we are using Risk Management to drive our information security control solutions and through using a risk based approach we have minimized management’s typical negative approach toward Information Security. In effect we are providing a consultative approach to focus management support for the application of information security controls from the beginning of the solution to the end of the solution.

I am certain many information security experts might look at these scenarios and say the issues are not decisions of management but decisions which are typically focused strictly under the purview of the information security umbrella, and that the organization must follow their guidance. Taking the information-security-only approach is very short sighted, and it further provides justification for the development of a role focused upon Information Risk Management – the Chief Information Risk Officer (CIRO).


Apologies and description

First, I’d like to apologize to anyone who is using RSS or checks this website regularly.  It appears we’ve experienced the famous PEBKAC error: Problem Exists Between Keyboard And Chair.  I published the Agility article on Wednesday April 27th.  However, for some reason we noticed on 5/4 that it had been moved to being published on April 8th, which is the date I started the article (yes, it sometimes takes me 3 weeks to finish an idea/article).

In addition, on the 27th I applied the latest 3.1.2 version of WordPress, as discussed here.

I’m not 100% sure what course of events led to the article being published on the wrong date, however, to prevent it from happening again, Kelvin and I are going to review the publish dates more carefully.

The net result was two problems: 1) a post was made and logged on the wrong date in the wrong order; 2) an abnormally long time between posts has occurred and was complicated by my being at the CIO Leadership conference on Monday and Tuesday this week.  This caused the error to go unnoticed until 5/4 and created what appeared to be a 1.5 week time between posts.  That is not valid.  We are and will continue to post every 2-3 days.

I know you will enjoy Kelvin’s next post on IRM opportunities tomorrow!  Thank you for your patience and patronage.


Agility comes from standardization

All extremely agile technology solutions have come from their ability to leverage standards. While this may seem like an oxymoron or nonsense, the truth is, the web came about because of the standard IP protocol stack. The web browser came along because of the standard HTML language. The success of the personal computer can be traced to the dominant Microsoft Windows operating system. A standard to build upon and work from is like a house’s foundation. If the foundation is flat, stable, and secure then the architect and interior designer can create masterpieces on top of it: unique, one-of-a-kind, thought-leading representations of what someone wants. Salesforce and Facebook would not have happened if Marc Benioff and Mark Zuckerberg had to solve protocol incompatibility or browser issues. The fact that these standards existed allowed them to apply their brains to the business/consumer problems, limiting the time/effort needed for the more remedial problems.

Let’s look at some of the standards they leveraged and the known results:

  1. How is the signal going to get from the computer to the internet? Ethernet.
  2. How is the message formed? TCP/IP.
  3. How is the presentation layer going to present the text and graphics to the user? HTML.

Each layer of standardization removes another point of minutia so the technology solution developer and user can focus on the technology opportunity they are really trying to solve.

When there is not a specific standard, there is competition. Using our examples above – Ethernet used to compete with token ring. TCP/IP used to compete with IPX and SNA. HTML was a revolutionary way of presenting text and graphics at the time.  It solved a problem and instantly became a standard.  The alternative was a desktop based application or basic text. Somewhere along the timeline of technology evolution a standard is defined, and what makes it the standard is the definitive reasoning and the level of support behind it.

Let’s use a current discussion as a basis for the process to define a standard.  Companies have been trying for years to create a tablet computer that would meet the consumer’s requirements. Along comes Apple and their tablet solution, which included a touch screen and created pinch and zoom, and now that is the standard. It’s an interface standard.   All other phone, computer and related operating system companies are scrambling to catch up and innovate their own systems. With the interface standardized we are left evaluating an OS: Android, Blackberry OS, Chromium OS, iOS, Windows Phone 7, and WebOS. While there may be others, these seem to be the most prevalent players in the mobile technology platform race.

I’m not going to postulate which mobile operating system is going to survive. I don’t believe in anyone’s ability to predict the future. I do believe that we need a stable and secure identity management or access control/authentication standard. The ability to leverage today’s mobile and cloud solutions is dependent upon a stable, secure and autonomous identity management solution which can provide effective, seamless controls for authentication and authorization through multiple technology layers across the internet. This is where both the career technologist and the technology-aware consumer can partner to establish the standard. Today, if you are like most people, you have a login and password for between 40 and 100 different websites, applications, and services. This complexity is rapidly getting out of hand as users move from standard HTML access to web applications to applications requiring additional access controls at each layer of the puzzle (Operating System Access, Web Access, Application Access, Cloud Access, etc.).

No one wants to enter a secure password to make a phone call.  However, I believe many people want a secure password when they access their bank account.  Once the browser or application has been logged into, there needs to be transparency.  An app running on a phone should be able to use the same authentication as JavaScript in the browser, which should also authenticate to the cloud.  I believe phone applications will eventually overtake the browser because the ability to segment processing between the local processor and the cloud will provide the best user experience. However, the cloud and the ability to segment that processing are dependent on an autonomous access control standard.  Alternatively, a method to segment processing in the browser could be developed.  I’m just unsure if JavaScript, ActiveX, or any other standard has that capability yet.

What other standards do you feel are required for success in today’s and the future mobile and cloud worlds?
