
Call for Submissions

By Patty Donovan, The Open Group

The Open Group Blog is celebrating its second birthday this month! Over the past few years, our blog posts have tended to cover Open Group activities – conferences, announcements, our lovely members, etc. While several members and Open Group staff serve as regular contributors, we’d like to take this opportunity to invite our community members to share their thoughts and expertise on topics related to The Open Group’s areas of expertise as guest contributors.

Here are a few examples of popular guest blog posts that we’ve received over the past year

Blog posts generally run between 500 and 800 words and address topics relevant to The Open Group workgroups, forums, consortiums and events. Some suggested topics are listed below.

  • ArchiMate®
  • Big Data
  • Business Architecture
  • Cloud Computing
  • Conference recaps
  • DirectNet
  • Enterprise Architecture
  • Enterprise Management
  • Future of Airborne Capability Environment (FACE™)
  • Governing Board Businesses
  • Governing Board Certified Architects
  • Governing Board Certified IT Specialists
  • Identity Management
  • IT Security
  • The Jericho Forum
  • The Open Group Trusted Technology Forum (OTTF)
  • Quantum Lifecycle Management
  • Real-Time Embedded Systems
  • Semantic Interoperability
  • Service-Oriented Architecture
  • TOGAF®

If you have any questions or would like to contribute, please contact opengroup (at) bateman-group.com.

Please note that all content submitted to The Open Group blog is subject to The Open Group approval process. The Open Group reserves the right to deny publication of any contributed works. Anything published shall be copyright of The Open Group.

Patricia Donovan is Vice President, Membership & Events, at The Open Group and a member of its executive management team. In this role she is involved in determining the company’s strategic direction and policy as well as the overall management of that business area. Patricia joined The Open Group in 1988 and has played a key role in the organization’s evolution, development and growth since then. She also oversees the company’s marketing, conferences and member meetings. She is based in the U.S.


The Open Group Brings the Cloud to Cannes (Well, Let’s Hope That’s Only Metaphorically the Case)

By Stuart Boardman, KPN 

On Wednesday, April 25 at The Open Group Cannes Conference, we have a whole stream of sessions that will discuss Cloud Computing. There’s a whole bunch of interesting presentations on the program, but one of the things that struck me in particular is how many of them are dealing with Cloud as an ecosystem. As a member of The Open Group’s Cloud Work Group, this is not a huge surprise for me (we do tell each other what we’re working on!), but it also happens to be a major preoccupation of mine at the moment, so I tend to notice occurrences of the word “ecosystem” or of related concepts. Outside of The Open Group, in the wider Enterprise Architecture community, there’s more and more being written about ecosystems. The topic was the focus of my last Open Group blog.

On Wednesday, you’ll hear Boeing’s TJ Virdi and Kevin Sevigny with Conexiam Solutions talking about ecosystems in the context of Cloud and TOGAF. They’ll be talking about “how the Cloud Ecosystem impacts Enterprise Architecture,” which will include “an overview of how to use TOGAF to develop an Enterprise Architecture for the Cloud ecosystem.”  This work comes out of the Using TOGAF for Cloud Ecosystem project (TOGAF-CE), which they co-chair. Capgemini’s Mark Skilton kicks off the day with a session called “Selecting and Delivering Successful Cloud Products and Services.” If you’re wondering what that has to do with ecosystems, Mark pointed out to me that  “the ecosystem in that sense is business technology dynamics and the structural, trust models that….” – well I won’t spoil it – come along and hear a nice business take on the subject. In fact, I wonder who on that Wednesday won’t be talking in one way or another about ecosystems. Take a look at the agenda for yourself.

By the way, apart from the TOGAF-CE project, several other current Open Group projects deal with ecosystems. The Cloud Interaction Ecosystem Language (CIEL) project is developing a visual language for Cloud ecosystems and then there’s the Cloud Interoperability and Portability project, which inevitably has to concern itself with ecosystems. So it’s clearly a significant concept for people to be thinking about.

In my own presentation I’ll be zooming in on Social Business as a Cloud-like phenomenon. “What has that to do with Cloud?” you might be asking. Well, quite a lot actually. Technologically, most social business tools have a Cloud delivery model. But far more importantly, a social business involves interaction across parties who may not have any formal relationship (e.g. provider to not-yet customer or to potential partner) or where the formal aspect of their relationship doesn’t include the social business part (e.g. engaging a customer in a co-creation initiative). In some forms it’s really an extended enterprise. So even if there were no computing involved, the relationship has the same Cloud-like, loosely coupled, service-oriented nature. And of course there is a lot of information technology involved. Moreover, most of the interaction takes place over Internet-based services. In a successful social business these will not be the proprietary services of the enterprise but the public services of one or more market-leading providers, because that’s where your customers and partners interact. Or to put it another way, you don’t engage your customers by making them come to you but by going to them.

I don’t want to stretch this too far. The point here is not to insist that Social Business is a form of Cloud but rather that they have comparable types of ecosystem and that they are therefore amenable to similar analysis methods. There are of course essential parts of Cloud that are purely the business of the provider and are quite irrelevant to the ecosystem (the ecosystem only cares about what they deliver). Interestingly one can’t really say that about social business – that really is all about the ecosystem. It may not matter whether we think the IT underlying social business is really Cloud computing but it most certainly is part of the ecosystem.

In my presentation, I’ll be looking at techniques we can use to help us understand what’s going on in an ecosystem and how changes in one place can have unexpected effects elsewhere – if we don’t understand it properly. My focus is one part of the whole body of work that needs to be done. There is work being done on how we can capture the essence of a Cloud ecosystem (CIEL). There is work being done on how we can use TOGAF to help us describe the architecture of a Cloud ecosystem (TOGAF-CE). There is work being done on how to model ecosystem behavior in general (me and others). And there’s work being done in many places on how ecosystem participants can interoperate. At some point we’ll need to bring all this together but for now, as long as we all keep talking to each other, each of the focus areas will enrich the others. In fact I think it’s too early to try to construct some kind of grand unified theory out of it all. We’d just produce something overly complex that no one knew how to use. I hope that TOGAF Next will give us a home for some of this – not in core TOGAF but as part of the overall guidance – because enterprises are more and more drawn into and dependent upon their surrounding ecosystems and have an increasing need to understand them. And Cloud is accelerating that process.

You can expect a lot of interesting insights on Wednesday, April 25. Come along and please challenge the presenters, because we too have a lot to learn.

Stuart Boardman is a Senior Business Consultant with KPN where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity. 


Enterprise Transformation, Innovation, Emergence and the Sewers of Vienna

By Stuart Boardman, KPN 

Enterprise transformation is a topic central to The Open Group’s agenda these days, so I don’t suppose the following assertion is exactly radical. The success of transformation starts by understanding the drivers for change, the goals of the transformation and the factors that can be expected to have a positive or negative influence on it.

Transformation doesn’t necessarily have to involve innovation but it often does. Sometimes innovation is itself a driver for transformation. For some organizations innovation is a fundamental part of their business model. Apple, for example, wouldn’t have survived without it. You can have the best user interface and the grooviest products but to reach a wider market or indeed to get your existing market to buy new stuff, you need to keep innovating. And to do that well you have to enjoy doing it and you have to understand how it works.

Once upon a time, giants like the old IBM and the old Microsoft didn’t need to do that, because they owned so much of the market. But that’s changed too, because, partly as a result of their own competition, there is now an ecosystem of all kinds of players (from a Google or an Apple to the huge number of startups and app developers), who can and do come out of left field with disruptive innovation. And this isn’t only true in the technology world.

These days it’s hard to read about innovation without coming across the concept of emergence. Emergent innovation develops through interaction in an ecosystem and cannot simply be explained by looking at what each individual member of the ecosystem does. This kind of innovation is in a sense serendipitous and is never going to be achieved via the traditional R&D approach. It’s cheaper and faster than that and, exactly because of the way it has developed, more likely to be of immediately applicable value. Achieving transformation with emergent innovation is about the ability to recognize, adopt, adapt and “productize” that innovation. This applies equally whether the innovation is outwardly (product/service) or inwardly (operations) oriented.

Back to transformation. We need, as I said, to be able to understand the factors that will positively or negatively affect the success of our transformation. If we haven’t properly understood them, they might turn out to be very urgent drivers for (re)transformation.

At the beginning of this century mobile communications providers were trying to transform their business models and operations in order to get their share of the internet revolution. They wanted to reach a new market and to escape the trap of becoming just a “bit pipe” for other people’s value added services. The operators spent a lot of money on 3G. The equipment manufacturers spent a lot of money developing new phones and interfaces. By 2003 we already had all the necessary technological capabilities and there was no shortage of marketing but it simply didn’t take off.

Why? It wasn’t really cost, because, when the iPhone arrived a few years later and turned everything around, data was still expensive (and the phone even more so). And it wasn’t really speed or usability, because the download speed was adequate for the services on offer and there were some pretty nifty devices. It just wasn’t very interesting. There was simply not enough valuable content available to justify the outlay. So the operators just reverted to milking the reliable voice and text cow.

When the iPhone arrived, what really made the difference was the ecosystem that came with it. Suddenly there was a world of app developers producing things people didn’t know they needed but discovered were cool. And there was the App Store that made it easy to get your product to market and easy for the customer to discover it. Yes, of course it was a groovy device and a revolutionary interface but without the ecosystem it would have been restricted to a market of Apple fans and people with lots of money to spend on looking hip.

So then what happened? Well the mobile operators (those who could get their hands on the device) finally started getting a return on their investment in 3G. What was largely a new group of smartphone manufacturers (HTC, Samsung, LG etc.) rushed to produce their own versions. And then Google came along with Android and we finally had a really large ecosystem built around innovation.

With that came another form of emergence, as the users and the app developers started discovering all kinds of things you could do with these devices and the information available on and via them. That had a negative influence on the mobile operators’ revenues, as people used a whole range of IP-based services (with the Mbs paid for in their monthly bundle) to avoid the expensive voice and text services. This was something the operators had ignored, even though they’d predicted years before that it would happen, which of course was exactly what provoked the earlier attempted transformation. In other words, they failed to understand what was going on in their ecosystem and how it might affect them.

All organizations inhabit an ecosystem consisting of their customers, partners, suppliers and in many cases legal and regulatory bodies (and arguably their competitors too). Ecosystems are really the heart of this blog, so here’s a definition. An ecosystem is a collection of entities, whose members are (at least partially) interdependent. Specifically we’re looking at what Jack Martin Leith calls a Business Ecosystem. Jack’s definition is further amended by Ruth Malan to “A business ecosystem is a network of organizations that affect each other, possibly indirectly.” What we see today is that for many (maybe most) organizations the ecosystem is becoming bigger and more diffuse. Apart from the examples above, this is apparent in the extended enterprise, Cloud and social business – and the effect is amplified by emergence.

Now one of the things about an ecosystem is that not all the members are necessarily aware of each other. But as the definition makes clear, they all have an influence on and are influenced by the ecosystem as a whole. Each organization has its own view on the ecosystem, which really defines its enterprise. That doesn’t mean it can’t be affected by what goes on elsewhere in the ecosystem.

A little while ago Peter Bakker published a provocative little blog with the title “Infrastructure Architecture is way more important than Enterprise Architecture.” After a flurry of comments and replies, I understood that Peter was talking about the infrastructure of complete ecosystems. He used the example of the infrastructure of the City of New York. It consists of all the road, rail and waterways, the transportation services (passengers and freight), construction and maintenance services, energy supply, port and harbor services and planning, regulatory and licensing activities. And that’s leaving aside the electronic communications infrastructure and the voice, data and TV services that run on it. These products and services are delivered by multiple providers (commercial organizations, the city council and other public bodies), who are all part of an ecosystem, which also includes the users of the infrastructure (people and organizations including of course the providers themselves). So yes, this infrastructure is much bigger than any one of the enterprises that contributes to it and it is critical to the health of the ecosystem (the efficient functioning of the City of New York) in a way that no individual member could be – not even the City Council.

But that information isn’t much use to us unless we can do something with it. So I set off on a journey to see if I could find a way of modeling such an ecosystem as a sort of Enterprise Architecture. That probably sounds a bit grandiose but you need to see this as just a set of techniques, which could help us create a usable and meaningful overview of an ecosystem – something you can project your proposed changes onto.

It’s not about details. Even if I thought one could capture all the details, the result would be unmanageable and therefore unusable! So the detailed view is constrained to the individual enterprise from whose perspective one is viewing this.

The journey’s just begun. I’ve built the basics of the story, which is about the mythical city of Metropolis. I’m sticking to this city infrastructure example, because it’s familiar to everyone and doesn’t need too much background explanation. I’m now looking at the techniques that might be useful in achieving this. I’m looking at and have started working on Customer Journeys. If you’re interested, you can find some text here and images here.

I think it will be very useful to create a Business Model Canvas (or some similar technique of your preference) for some or all of the organizations involved. In most cases we’d be looking at generic organization types. So, for example, there won’t be a canvas for every single bus company, but the fact that there usually are multiple passenger transport companies means that competition is an important factor.

So we probably need an additional model, which is capable of taking that into account – like Tom Graves’s Enterprise Canvas. I’m also considering a service model (what are all the relevant services, how do they interact, etc.). Stafford Beer’s Viable Systems Model may be a good way to capture the system as a whole, so I’m working on that now. I’d be only too pleased to exchange ideas about the whole approach with anyone who doesn’t think I’ve taken leave of my senses – and maybe even with those who do! My thanks to Jack, Ruth, Peter, Tom and Charles for the good ideas and encouragement. Please don’t blame them, if you think it’s rubbish.

So finally – you might be wondering what this has to do with the sewers of Vienna. If you’ve seen The Third Man, you might figure it out. For those who haven’t: in the film Orson Welles plays Harry Lime, a wanted man in the Western sector of post-war Vienna. He fakes his death and disappears to the Russian-controlled East – and continues his operation in the West using the sewer system to get across (under) the city, avoiding all control posts and remaining effectively invisible. It’s just a somewhat lighthearted example of an innovative (one might say emergent) transformation of an infrastructure to serve a totally different purpose. And it does illustrate how you can get caught out if you don’t understand your ecosystem properly.



Open Group Security Gurus Dissect the Cloud: Higher or Lower Risk

By Dana Gardner, Interarbor Solutions

For some, any move to the Cloud — at least the public Cloud — means a higher risk for security.

For others, relying more on a public Cloud provider means better security. There’s more of a concentrated and comprehensive focus on security best practices that are perhaps better implemented and monitored centrally in the major public Clouds.

And so which is it? Is Cloud a positive or negative when it comes to cyber security? And what of hybrid models that combine public and private Cloud activities, how is security impacted in those cases?

We posed these and other questions to a panel of security experts at last week’s Open Group Conference in San Francisco to deeply examine how Cloud and security come together — for better or worse.

The panel: Jim Hietala, Vice President of Security for The Open Group; Stuart Boardman, Senior Business Consultant at KPN, where he co-leads the Enterprise Architecture Practice as well as the Cloud Computing Solutions Group; Dave Gilmour, an Associate at Metaplexity Associates and a Director at PreterLex Ltd., and Mary Ann Mezzapelle, Strategist for Enterprise Services and Chief Technologist for Security Services at HP.

The discussion is moderated by Dana Gardner, Principal Analyst at Interarbor Solutions. The full podcast can be found here.

Here are some excerpts:

Gardner: Is this notion of going outside the firewall fundamentally a good or bad thing when it comes to security?

Hietala: It can be either. Talking to security people in large companies, frequently what I hear is that with adoption of some of those services, their policy is either let’s try and block that until we get a grip on how to do it right, or let’s establish a policy that says we just don’t use certain kinds of Cloud services. Data I see says that that’s really a failed strategy. Adoption is happening whether they embrace it or not.

The real issue is how you do that in a planned, strategic way, as opposed to letting services like Dropbox and other kinds of Cloud Collaboration services just happen. So it’s really about getting some forethought around how do we do this the right way, picking the right services that meet your security objectives, and going from there.

Gardner: Is Cloud Computing good or bad for security purposes?

Boardman: It’s simply a fact, and it’s something that we need to learn to live with.

What I’ve noticed through my own work is a lot of enterprise security policies were written before we had Cloud, but when we had private web applications that you might call Cloud these days, and the policies tend to be directed toward staff’s private use of the Cloud.

Then you run into problems, because you read something in policy — and if you interpret that as meaning Cloud, it means you can’t do it. And if you say it’s not Cloud, then you haven’t got any policy about it at all. Enterprises need to sit down and think, “What would it mean to us to make use of Cloud services and to ask as well, what are we likely to do with Cloud services?”

Gardner: Dave, is there an added impetus for Cloud providers to be somewhat more secure than enterprises?

Gilmour: It depends on the enterprise that they’re actually supplying to. If you’re in a heavily regulated industry, you have a different view of what levels of security you need and want, and therefore what you’re going to impose contractually on your Cloud supplier. That means that the different Cloud suppliers are going to have to attack different industries with different levels of security arrangements.

The problem there is that the penalty regimes are always going to say, “Well, if the security lapses, you’re going to get off with two months of not paying” or something like that. That kind of attitude isn’t going to go in this kind of security.

What I don’t understand is exactly how secure Cloud provision is going to be enabled and governed under tight regimes like that.

An opportunity

Gardner: Jim, we’ve seen in the public sector that governments are recognizing that Cloud models could be a benefit to them. They can reduce redundancy. They can control and standardize. They’re putting in place some definitions, implementation standards, and so forth. Is the vanguard of correct Cloud Computing with security in mind being managed by governments at this point?

Hietala: I’d say that they’re at the forefront. Some of these shared government services, where they stand up Cloud and make it available to lots of different departments in a government, have the ability to do what they want from a security standpoint, not relying on a public provider, and get it right from their perspective and meet their requirements. They then take that consistent service out to lots of departments that may not have had the resources to get IT security right, when they were doing it themselves. So I think you can make a case for that.

Gardner: Stuart, being involved with standards activities yourself, does moving to the Cloud provide a better environment for managing, maintaining, instilling, and improving on standards than enterprise by enterprise by enterprise? As I say, we’re looking at a larger pool and therefore that strikes me as possibly being a better place to invoke and manage standards.

Boardman: Dana, that’s a really good point, and I do agree. Also, in the security field, we have an advantage in the sense that there are quite a lot of standards out there to deal with interoperability, exchange of policy, exchange of credentials, which we can use. If we adopt those, then we’ve got a much better chance of getting those standards used widely in the Cloud world than in an individual enterprise, with an individual supplier, where it’s not negotiation, but “you use my API, and it looks like this.”

Having said that, there are a lot of well-known Cloud providers who do not currently support those standards and they need a strong commercial reason to do it. So it’s going to be a question of the balance. Will we get enough specific weight of people who are using it to force the others to come on board? And I have no idea what the answer to that is.

Gardner: We’ve also seen that cooperation is an important aspect of security, knowing what’s going on on other people’s networks, being able to share information about what the threats are, remediation, working to move quickly and comprehensively when there are security issues across different networks.

Is that a case, Dave, where having a Cloud environment is a benefit? That is to say more sharing about what’s happening across networks for many companies that are clients or customers of a Cloud provider rather than perhaps spotty sharing when it comes to company by company?

Gilmour: There is something to be said for that, Dana. Part of the issue, though, is that companies are individually responsible for their data. They’re individually responsible to a regulator or to their clients for their data. The question then becomes that as soon as you start to share a certain aspect of the security, you’re de facto sharing the weaknesses as well as the strengths.

So it’s a two-edged sword. One of the problems we have is that until we mature a little bit more, we won’t be able to actually see which side is the sharpest.

Gardner: So our premise that Cloud is good and bad for security is holding up, but I’m wondering whether the same things that make you a risk in a private setting — poor adhesion to standards, no good governance, too many technologies that are not being measured and controlled, not instilling good behavior in your employees and then enforcing that — wouldn’t this be the same either way? Is it really Cloud or not Cloud, or is it good security practices or not good security practices? Mary Ann?

No accountability

Mezzapelle: You’re right. It’s a little bit of that “garbage in, garbage out,” if you don’t have the basic things in place in your enterprise, which means the policies, the governance cycle, the audit, and the tracking, because it doesn’t matter if you don’t measure it and track it, and if there is no business accountability.

David said it — each individual company is responsible for its own security, but I would say that it’s the business owner that’s responsible for the security, because they’re the ones that ultimately have to answer that question for themselves in their own business environment: “Is it enough for what I have to get done? Is the agility more important than the flexibility in getting to some systems or the accessibility for other people, as it is with some of the ubiquitous computing?”

So you’re right. If it’s an ugly situation within your enterprise, it’s going to get worse when you do outsourcing, out-tasking, or anything else you want to call within the Cloud environment. One of the things that we say is that organizations not only need to know their technology, but they have to get better at relationship management, understanding who their partners are, and being able to negotiate and manage that effectively through a series of relationships, not just transactions.

Gardner: If data and sharing data is so important, it strikes me that the Cloud component is going to be part of that, especially if we’re dealing with business processes across organizations, doing joins, comparing and contrasting data, crunching it and sharing it, making data actually part of the business, a revenue generation activity; all of that seems prominent and likely.

So to you, Stuart, what is the issue now with data in the Cloud? Is it good, bad, or just the same double-edged sword, and it just depends how you manage and do it?

Boardman: Dana, I don’t know whether we really want to be putting our data in the Cloud, so much as putting the access to our data into the Cloud. There are all kinds of issues you’re going to run up against, as soon as you start putting your source information out into the Cloud, not the least privacy and that kind of thing.

A bunch of APIs

What you can do is simply say, “What information do I have that might be interesting to people? If it’s a private Cloud in a large organization elsewhere in the organization, how can I make that available to share?” Or maybe it’s really going out into public. What a government, for example, can be thinking about is making information services available, not just what you go and get from them that they already published. But “this is the information,” a bunch of APIs if you like. I prefer to call them data services, and to make those available.

So, if you do it properly, you have a layer of security in front of your data. You’re not letting people come in and do joins across all your tables. You’re providing information. That does require you then to engage your users in what is it that they want and what they want to do. Maybe there are people out there who want to take a bit of your information and a bit of somebody else’s and mash it together, provide added value. That’s great. Let’s go for that and not try and answer every possible question in advance.

Gardner: Dave, do you agree with that, or do you think that there is a place in the Cloud for some data?

Gilmour: There’s definitely a place in the Cloud for some data. I get the impression that there is going to drive out of this something like the insurance industry, where you’ll have a secondary Cloud. You’ll have secondary providers who will provide to the front-end providers. They might do things like archiving and that sort of thing.

Now, if you have that situation where your contractual relationship is two steps away, then you have to be very confident and certain of your cloud partner, and it has to actually therefore encompass a very strong level of governance.

The other issue you have is that you’ve got then the intersection of your governance requirements with that of the cloud provider’s governance requirements. Therefore you have to have a really strongly — and I hate to use the word — architected set of interfaces, so that you can understand how that governance is actually going to operate.

Gardner: Wouldn’t data perhaps be safer in a cloud than if they have a poorly managed network?

Mezzapelle: There is data in the Cloud and there will continue to be data in the Cloud, whether you want it there or not. The best organizations are going to start understanding that they can’t control it that way and that perimeter-like approach that we’ve been talking about getting away from for the last five or seven years.

So what we want to talk about is data-centric security, where you understand, based on role or context, who is going to access the information and for what reason. I think there is a better opportunity for services like storage, whether it’s for archiving or for near term use.

There are also other services that you don’t want to have to pay for 12 months out of the year, but that you might need independently. For instance, when you’re running a marketing campaign, you already share your data with some of your marketing partners. Or if you’re doing your payroll, you’re sharing that data through some of the national providers.

Data in different places

So there already is a lot of data in a lot of different places, whether you want Cloud or not, but the context is, it’s not in your perimeter, under your direct control, all of the time. The better you get at managing it wherever it is specific to the context, the better off you will be.

Hietala: It’s a slippery slope [when it comes to customer data]. That’s the most dangerous data to stick out in a Cloud service, if you ask me. If it’s personally identifiable information, then you get the privacy concerns that Stuart talked about. So to the extent you’re looking at putting that kind of data in a Cloud, looking at the Cloud service and trying to determine if we can apply some encryption, apply the sensible security controls to ensure that if that data gets loose, you’re not ending up in the headlines of The Wall Street Journal.

Gardner: Dave, you said there will be different levels on a regulatory basis for security. Wouldn’t that also play with data? Wouldn’t there be different types of data and therefore a spectrum of security and availability to that data?

Gilmour: You’re right. If we come back to Facebook as an example, Facebook is data that, even if it’s data about our known customers, it’s stuff that they have put out there with their will. The data that they give us, they have given to us for a purpose, and it is not for us then to distribute that data or make it available elsewhere. The fact that it may be the same data is not relevant to the discussion.

Three-dimensional solution

That’s where I think we are going to end up with not just one layer or two layers. We’re going to end up with a sort of a three-dimensional solution space. We’re going to work out exactly which chunk we’re going to handle in which way. There will be significant areas where these things cross over.

The other thing we shouldn’t forget is that data includes our software, and that’s something that people forget. Software nowadays is out in the Cloud, under current ways of running things, and you don’t even always know where it’s executing. So if you don’t know where your software is executing, how do you know where your data is?

It’s going to have to be just handled one way or another, and I think it’s going to be one of these things where it’s going to be shades of gray, because it cannot be black and white. The question is going to be, what’s the threshold shade of gray that’s acceptable.

Gardner: Mary Ann, to this notion of the different layers of security for different types of data, is there anything happening in the market that you’re aware of that’s already moving in that direction?

Mezzapelle: The experience that I have is mostly in some of the business frameworks for particular industries, like healthcare and what it takes to comply with the HIPAA regulation, or in the financial services industry, or in consumer products where you have to comply with the PCI regulations.

There has continued to be an issue around information lifecycle management, which is categorizing your data. Within a company, you might have had a document that you coded private, confidential, top secret, or whatever. So you might have had three or four levels for a document.

You’ve already talked about how complex it’s going to be as you move into trying to understand, not only for that data, that the name Mary Ann Mezzapelle happens to be in five or six different business systems over 100 instances around the world.

That’s the importance of something like an Enterprise Architecture that can help you understand that you’re not just talking about the technology components, but the information, what they mean, and how they are prioritized or critical to the business, which sometimes comes up in a business continuity plan from a system point of view. That’s where I’ve advised clients on where they might start looking to how they connect the business criticality with a piece of information.

One last thing. Those regulations don’t necessarily mean that you’re secure. It makes for good basic health, but that doesn’t mean that it’s ultimately protected. You have to do a risk assessment based on your own environment and the bad actors that you expect and the priorities based on that.

Leaving security to the end

Boardman: I just wanted to pick up here, because Mary Ann spoke about Enterprise Architecture. One of my bugbears — and I call myself an enterprise architect — is that we have a terrible habit of leaving security to the end. We don’t architect security into our Enterprise Architecture. It’s a techie thing, and we’ll fix that at the back. There are also people in the security world who are techies and they think that they will do it that way as well.

I don’t know how long ago it was published, but there was an activity to look at bringing the SABSA Methodology from security together with TOGAF®. There was a white paper published a few weeks ago.

The Open Group has been doing some really good work on bringing security right into the process of EA.

Hietala: In the next version of TOGAF, which has already started, there will be a whole emphasis on making sure that security is better represented in some of the TOGAF guidance. That’s ongoing work here at The Open Group.

Gardner: As I listen, it sounds as if the in-the-Cloud or out-of-the-Cloud security continuum is perhaps the wrong way to look at it. If you have a lifecycle approach to services and to data, then you’ll have a way in which you can approach data uses for certain instances, certain requirements, and that would then apply to a variety of different private Cloud, public Cloud, hybrid Cloud.

Is that where we need to go, perhaps have more of this lifecycle approach to services and data that would accommodate any number of different scenarios in terms of hosting access and availability? The Cloud seems inevitable. So what we really need to focus on are the services and the data.

Boardman: That’s part of it. That needs to be tied in with the risk-based approach. So if we have done that, we can then pick up on that information and we can look at a concrete situation, what have we got here, what do we want to do with it. We can then compare that information. We can assess our risk based on what we have done around the lifecycle. We can understand specifically what we might be thinking about putting where and come up with a sensible risk approach.

You may come to the conclusion in some cases that the risk is too high and the mitigation too expensive. In others, you may say, no, because we understand our information and we understand the risk situation, we can live with that, it’s fine.

Gardner: It sounds as if we are coming at this as an underwriter for an insurance company. Is that the way to look at it?

Current risk

Gilmour: That’s eminently sensible. You have the mortality tables, you have the current risk, and you just work the two together and work out what’s the premium. That’s probably a very good paradigm to give us guidance actually as to how we should approach intellectually the problem.

Mezzapelle: One of the problems is that we don’t have those actuarial tables yet. That’s a little bit of an issue for a lot of people when they talk about, “I’ve got $100 to spend on security. Where am I going to spend it this year? Am I going to spend it on firewalls? Am I going to spend it on information lifecycle management assessment? What am I going to spend it on?” Some of the research that we have been doing at HP is to try to get that into something that’s more of a statistic.

So, when you have a particular project that does a certain kind of security implementation, you can see what the business return on it is and how it actually lowers risk. We found that it’s better to spend your money on getting a better system to patch your systems than it is to do some other kind of content filtering or something like that.

Gardner: Perhaps what we need is the equivalent of an Underwriters Laboratories (UL) for permeable organizational IT assets, where the security stamp of approval comes in high or low. Then, you could get your insurance insight – maybe something for The Open Group to look into. Any thoughts about how standards and a consortium approach would come into that?

Hietala: I don’t know about the UL for all security things. That sounds like a risky proposition.

Gardner: It could be fairly popular and remunerative.

Hietala: It could.

Mezzapelle: An unending job.

Hietala: I will say we have one active project in the Security Forum that is looking at trying to allow organizations to measure and understand risk dependencies that they inherit from other organizations.

So if I’m outsourcing a function to XYZ corporation, being able to measure what risk am I inheriting from them by virtue of them doing some IT processing for me, could be a Cloud provider or it could be somebody doing a business process for me, whatever. So there’s work going on there.

I heard just last week about an NSF-funded project here in the U.S. to do the same sort of thing, to look at trying to measure risk in a predictable way. So there are things going on out there.

Gardner: We have to wrap up, I’m afraid, but Stuart, it seems as if currently it’s the larger public Cloud providers, such as Amazon and Google, among others, that might be playing the role of all of these entities we are talking about. They are their own self-insurer. They are their own underwriter. They are their own risk assessor, like a UL. Do you think that’s going to continue to be the case?

Boardman: No, I think that as Cloud adoption increases, you will have a greater weight of consumer organizations who will need to do that themselves. You look at the question that it’s not just responsibility, but it’s also accountability. At the end of the day, you’re always accountable for the data that you hold. It doesn’t matter where you put it and how many other parties they subcontract that out to.

The weight will change

So there’s a need to have that, and as the adoption increases, there’s less fear and more, “Let’s do something about it.” Then, I think the weight will change.

Plus, of course, there are other parties coming into this world, the world that Amazon has created. I’d imagine that HP is probably one of them as well, but all the big names in IT are moving in here, and I suspect that also for those companies there’s a differentiator in knowing how to do this properly in their history of enterprise involvement.

So yeah, I think it will change. That’s no offense to Amazon, etc. I just think that the balance is going to change.

Gilmour: Yes. I think that’s how it has to go. The question that then arises is, who is going to police the policeman and how is that going to happen? Every company is going to be using the Cloud. Even the Cloud suppliers are using the Cloud. So how is it going to work? It’s one of these never-decreasing circles.

Mezzapelle: At this point, I think it’s going to be more evolution than revolution, but I’m also one of the people who’ve been in that part of the business — IT services — for the last 20 years and have seen it morph in a little bit different way.

Stuart is right that there’s going to be a convergence of the consumer-driven, cloud-based model, which Amazon and Google represent, with an enterprise approach that corporations like HP are representing. It’s somewhere in the middle where we can bring the service level commitments, the options for security, the options for other things that make it more reliable and risk-averse for large corporations to take advantage of it.

Dana Gardner is president and principal analyst at Interarbor Solutions, an enterprise IT analysis, market research, and consulting firm. Gardner, a leading identifier of software and Cloud productivity trends and new IT business growth opportunities, honed his skills and refined his insights as an industry analyst, pundit, and news editor covering the emerging software development and enterprise infrastructure arenas for the last 18 years.


Enterprise Architects and Paradigm Shifts

By Stuart Boardman, KPN

It’s interesting looking back at what people have written over the course of the year and seeing which themes appear regularly in their blogs. I thought I’d do the same with my own posts for The Open Group and see whether I could pull some of it together. I saw that the recurring themes for me have been dealing with uncertainty, the changing nature of the enterprise and the influence of information technology from outside the enterprise – and all of this in relation to the practice of enterprise architecture. I also explored the mutual influences these themes have on each other.

Unsurprisingly I’m not alone in picking up on these themes. At the risk of offending anyone I don’t mention, I note that Serge Thorn, Raghuraman Krishnamurthy and Len Fehskens have given their own perspectives on The Open Group’s Blog on some or all of these themes. And of course there’s plenty of writing on these themes going on in the blogosphere at large. In one sense I think writing about this is part of a process of trying to understand what’s going on in the world.

After some reflection, it seems to me that all of this converges in what tends to be called “social business.” For better or worse, there is no fixed definition of the term. I would say it describes a way of working where, both within and across organizations, hierarchies and rules are being replaced by networks and collaboration. The concept of the enterprise in such a system is then definitively extended to include a whole ecosystem of customers and suppliers as well as investors and beneficiaries. Any one organization is just a part of the enterprise – a stakeholder. And of course the enterprise will look different dependent on the viewpoint of a particular stakeholder. That should be a familiar concept anyway for an enterprise architect. That one participant can be a stakeholder in multiple enterprises is not really new – it’s just something we now have no choice but to take into account.

Within any one organization, social business means that creativity and strategy development take place at and across multiple levels. We can speak of networked, podular or fractal forms of organization. It also means a lot of other things with wider economic, social and political implications, but that’s not my focus here.

Another important aspect is the relationship with newer developments in information and communication technology. We can’t separate social business from the technology which has helped it to develop and which in turn is stimulated by its existence and demands. I don’t mean any one technology and I won’t even insist on restricting it to information technology. But it’s clear that there is at least a high degree of synergy between newer IT developments and social business. In other words, the more an organization becomes a social business, the more its business will involve the use of information technology – not as a support function but as an essential part of how it does its business. Moreover, exactly this usage of IT is not and cannot be (entirely) under its own control.

A social business therefore demonstrates, in all aspects of the enterprise, fuzzy boundaries and a higher level of what I call entropy (uncertainty, rate of change, sensitivity to change). It means we need new ways of dealing with complexity, which fortunately is a topic a lot of people are looking at. It means that simplicity is not in every case a desirable goal and that, scary as it may seem, we may actually need to encourage entropy (in some places) in order to develop the agility to respond to change – effectively and without making any unnecessary long term assumptions.

So, if indeed the world is evolving to such a state, what can enterprise architects do to help their own organizations become successful social businesses (social governments – whatever)?

Enterprise Architecture is a practice that is founded in communication. To support and add value to that communication we have developed analysis methods and frameworks, which help us model what we learn and, in turn, communicate the results. Enterprise Architects work across organizations to understand how the activities of the participants relate to the strategy of the organization and how the performance of each person/group’s activities can optimally support and reinforce everyone else’s. We don’t do their work for them and don’t, if we do our work properly, have any sectional interests. We are the ultimate generalists, specialized in bringing together all those aspects, in which other people are the experts. We’re therefore ideally placed to facilitate the development of a unified vision and a complementary set of practices. OK, that sounds a bit idealistic. We know reality is never perfect but, if we don’t have ideals, we’d be hypocrites to be doing this work anyway. Pragmatism and ideals can be a positive combination.

Yes, there’s plenty of work to do to adapt our models to this new reality. Our goals, the things we try to achieve with EA, will not be different. In some significant aspects, the results will be – if only because of the scope and diversity of the enterprise. We’ll certainly need to produce some good example EA artifacts to show what these results will look like. I can see an obvious impact in business architecture and in governance – most likely other areas too. But the issues faced in governance may be similar to those being tackled by The Open Group’s Cloud Governance project. And business architecture is long due for expansion outside of the single organization, so there’s synergy there as well. We can also look outside of our own community for inspiration – in the area of complexity theory, in business modeling, in material about innovation and strategy development and in economic and even political thinking about social business.

We’ll also be faced with organizational challenges. EA has for too long and too often been seen as the property of the IT department. That’s always been a problem anyway, but to face the challenges of social business, EA must avoid the slightest whiff of sectional interest and IT centrism. And, ironically, the best hope for the IT department in this scary new world may come from letting go of what it does not need to control and taking on a new role as a positive enabler of change.

There could hardly be a more appropriate time to be working on TOGAF Next. What an opportunity!

Stuart Boardman is a Senior Business Consultant with KPN where he co-leads the Enterprise Architecture practice as well as the Cloud Computing solutions group. He is co-lead of The Open Group Cloud Computing Work Group’s Security for the Cloud and SOA project and a founding member of both The Open Group Cloud Computing Work Group and The Open Group SOA Work Group. Stuart is the author of publications by the Information Security Platform (PvIB) in The Netherlands and of his previous employer, CGI. He is a frequent speaker at conferences on the topics of Cloud, SOA, and Identity.
