Showing posts with label Dave Lounsbury. Show all posts
Showing posts with label Dave Lounsbury. Show all posts

Tuesday, March 10, 2015

Cybersecurity Standards: The Open Group Explores Security and Safer Supply Chains

Transcript of a live panel discussion at last month's The Open Group San Diego 2015.

Welcome to a special BriefingsDirect presentation and panel discussion from The Open Group San Diego 2015, which ran Feb. 2 through Feb. 5. Download a copy of the transcript. This follows an earlier discussion from the event on synergies among major Enterprise Architecture frameworks with The Open Group.

The latest discussion, examining the both need and outlook for Cybersecurity standards among supply chains, is moderated by Dave Lounsbury, Chief Technology Officer, The Open Group; with guests Mary Ann Davidson, Chief Security Officer, Oracle; Dr. Ron Ross, Fellow of the National Institute of Standards and Technology (NIST), and Jim Hietala, Vice President of Security for The Open Group. [Disclosure: The Open Group is a sponsor of BriefingsDirect podcasts.]

Here are some excerpts:

Dave Lounsbury: Mary Ann Davidson is responsible for Oracle Software Security Assurance and represents Oracle on the Board of Directors for the Information Technology Information Sharing and Analysis Center, and on the international Board of the ISSA.

Lounsbury
Dr. Ron Ross leads the Federal Information Security Management Act Implementation Project. It sounds like a big job to fulfill, developing the security standards and guidelines for the federal government.

This session is going to look at the cybersecurity and supply chain landscape from a standards perspective. So Ron and Mary Ann, thank you very much.

Ron Ross: All of us are part of the technology explosion and revolution that we have been experiencing for the last couple of decades.

I would like to have you leave today with a couple of major points, at least from my presentation, things that we have observed in cybersecurity for the last 25 years: where we are today and where I think we might need to go in the future. There is no right or wrong answer to this problem of cybersecurity. It’s probably one of the most difficult and challenging sets of problems we could ever experience.

Ross
In our great country, we work on what I call the essential partnership. It's a combination of government, industry, and academia all working together. We have the greatest technology producers, not just in this country, but around the world, who are producing some fantastic things to which we are all "addicted." I think we have an addiction to the technology.

Some of the problems we're going to experience going forward in cybersecurity aren't just going to be technology problems. They're going to be cultural problems and organizational problems. The key issue is how we organize ourselves, what our risk tolerance is, how we are going to be able to accomplish all of our critical missions and business operations that Dawn talked about this morning, and do so in a world that's fairly dangerous. We have to protect ourselves.

Movie app

I think I can sum it up. I was at a movie. I don’t go to movies very often anymore, but about a month ago, I went to a movie. I was sitting there waiting for the main movie to start, and they were going through all the coming attractions. Then they came on the PA and they said that there is an app you can download. I'm not sure you have ever seen this before, but it tells you for that particular movie when is the optimal time to go to the restroom during the movie.

I bring this up because that's a metaphor for where we are today. We are consumed. There are great companies out there, producing great technologies. We're buying it up faster than you can shake a stick at it, and we are developing the most complicated IT infrastructure ever.

So when I look at this problem, I look at this from a scientist’s point of view, an engineering point of view. I'm saying to myself, knowing what I know about what it takes  to -- I don't even use the word "secure" anymore, because I don’t think we can ever get there with the current complexity -- build the most secure systems we can and be able to manage risk in the world that we live in.

In the army, we used to have a saying. You go to war with the army that you have, not the army that you want. We’ve heard about all the technology advances, and we're going to be buying stuff, commercial stuff, and we're going to have to put it together into systems. Whether it’s the Internet of Things (IoT) or cyber-physical convergence, it all goes back to some fairly simple things.

http://www.oracle.com/us/corporate/press/executives/016331.htm
Davidson
The IoT and all this stuff that we're talking about today really gets back to computers. That’s the common denominator. They're everywhere. This morning, we talked about your automobile having more compute power than Apollo 11. In your toaster, your refrigerator, your building, the control of the temperature, industrial control systems in power plants, manufacturing plants, financial institutions, the common denominator is the computer, driven by firmware and software.

When you look at the complexity of the things that we're building today, we've gone past the time when we can actually understand what we have and how to secure it.

That's one of the things that we're going to do at NIST this year and beyond. We've been working in the FISMA world forever it seems, and we have a whole set of standards, and that's the theme of today: how can standards help you build a more secure enterprise?

The answer is that we have tons of standards out there and we have lots of stuff, whether it's on the federal side with 853 or the Risk Management Framework, or all the great things that are going on in the standards world, with The Open Group, or ISO, pick your favorite standard.

Hietala
The real question is how we use those standards effectively to change the current outlook and what we are experiencing today because of this complexity? The adversary has a significant advantage in this world, because of complexity. They really can pick the time, the place, and the type of attack, because the attack surface is so large when you talk about not just the individual products.

We have many great companies just in this country and around the world that are doing a lot to make those products more secure. But then they get into the engineering process and put them together in a system, and that really is an unsolved problem. We call it a Composability Problem. I can have a trusted product here and one here, but what is the combination of those two when you put them together in the systems context? We haven’t solved that problem yet, and it’s getting more complicated everyday.

Continuous monitoring

For the hard problems, we in the federal government do a lot of stuff in continuous monitoring. We're going around counting our boxes and we are patching stuff and we are configuring our components. That's loosely called cyber hygiene. It’s very important to be able to do all that and do it quickly and efficiently to make your systems as secure as they need to be.

But even the security controls in our control catalog, 853, when you get into the technical controls --  I'm talking about access control mechanisms, identification, authentication, encryption, and audit -- those things are buried in the hardware, the software, the firmware, and the applications.

Most of our federal customers can’t even see those. So when I ask them if they have all their access controls in place, they can nod their head yes, but they can’t really prove that in a meaningful way.

So we have to rely on industry to make sure those mechanisms, those functions, are employed within the component products that we then will put together using some engineering process.
So we have to rely on industry to make sure those mechanisms, those functions, are employed within the component products that we then will put together using some engineering process.

This is the below-the-waterline problem I talk about. We're in some kind of digital denial today, because below the water line, most consumers are looking at their smartphones, their tablets, and all their apps -- that’s why I used that movie example -- and they're not really thinking about those vulnerabilities, because they can't see them, until it affects them personally.

I had to get three new credit cards last year. I shop at Home Depot and Target, and JPMorgan Chase is our federal credit card. That’s not a pain point for me because I'm indemnified. Even if there are fraudulent charges, I don't get hit for those.

If your identity is stolen, that’s a personal pain point. We haven't reached that national pain point yet. All of the security stuff that we do we talk about it a lot and we do a lot of it, but if you really want to effect change, you're going to start to hear more at this conference about assurance, trustworthiness, and resiliency. That's the world that we want to build and we are not there today.

That's the essence of where I am hoping we are going to go. It's these three areas: software assurance, systems security engineering, and supply-chain risk management.

My colleague Jon Boyens is here today and he is the author, along with a very talented team of coauthors, of the NIST 800-161 document. That's the supply chain risk document.

It’s going to work hand-in-hand with another publication that we're still working on, the 800-160 document. We are taking an IEEE and an ISO standard, 15288, and we're trying to infuse into that standard. They are coming out with the update of that standard this year. We're trying to infuse security into every step of the lifecycle.

Wrong reasons

The reason why we are not having a lot of success on the cybersecurity front today is because security ends up appearing either too late or by the wrong people for the wrong reasons.

I'll give you one example. In the federal government, we have a huge catalog of security controls, and they are allocated into different baselines: low, moderate, and high. So you will pick a baseline, you will tailor, and you'll come to the system owner or the authorizing official and say, "These are all the controls that NIST says we have to do." Well, the mission business owner was never involved in that discussion.

One of the things we are going to do with the new document is focus on the software and systems engineering process from the start of the stakeholders, all the way through requirements, analysis, definition, design, development, implementation, operation, and sustainment, all the way to disposal. Critical things are going to happen at every one of those places in the lifecycle

The beauty of that process is that you involve the stakeholders early. So when those security controls are actually selected they can be traced back to a specific security requirement, which is part of a larger set of requirements that support that mission or business operation, and now you have the stakeholders involved in the process.

Up to this point in time, security operates in its own vacuum. It’s in the little office down the hall, and we go down there whenever there's a problem. But unless and until security gets integrated and we disappear as being our own discipline, we now are part of the Enterprise Architecture, whether it’s TOGAF® or whatever architecture construct you are following, or the systems engineering process. The system development lifecycle is the third one, and people ask what is acquisition and procurement.
Unless we have our stakeholders at those tables to influence, we are going to continue to deploy systems that are largely indefensible not against all cyber attacks but against the high-end attacks.

Unless we have our stakeholders at those tables to influence, we are going to continue to deploy systems that are largely indefensible not against all cyber attacks but against the high-end attacks.

We have to do a better job getting at the C-Suite and I tried to capture the five essential areas that this discussion has to revolve around. The acronym is TACIT, and it just happens to be a happy coincidence that it fit into an acronym. But it's basically looking at the threat, how you configure your assets, and how you categorize your assets with regard to criticality.

How complex is the system you're building? Are you managing that complexity in trying to reduce it, integrating security across the entire set of business practices within the organization? Then, the last component, which really ties into The Open Group, and the things you're doing here with all the projects that were described in the first session, that is the trustworthiness piece.

Are we building products and systems that are, number one, more penetration resistance to cyber attacks; and number two, since we know we can't stop all attacks, because we can never reduce complexity to where we thought we could two or three decades ago. Are we building the essential resiliency into that system. Even when the adversary comes to the boundary and the malware starts to work, how far does it spread, and what can it do?

That's the key question. You try to limit the time on target for the advisory, and that can be done very, very easily with good architectural and good engineering solutions. That's my message for 2015 and beyond, at least from a lot of things at NIST. We're going to start focusing on the architecture and the engineering, how to really affect things at the ground level?

Processes are important

Now we always will have the people, the processes, the technologies kind of this whole ecosystem that we have to deal with, and you're going to always have to worry about your sys admins that go bad and dump all the stuff that you don't want dumped on the Internet. But that's part of system process. Processes are very important because they give us structure, discipline, and the ability to communicate with our partners.

I was talking to Rob Martin from Mitre. He's working on a lot of important projects there with the CWEs, CVEs. It gives you the ability to communicate a level of trustworthiness and assurance that other people can have that dialogue, because without that, we're not going to be communicating with each other. We're not going to trust each other, and that's critical, having that common understanding. Frameworks provide that common dialogue of security controls in a common process, how we build things, and what is the level of risk that we are willing to accept in that whole process.

These slides, and they’ll be available, go very briefly into the five areas. Understanding the modern threat today is critical because, even if you don't have access to classified threat data, there's a lot of great data out there with Symantec and Verizon reports, and there's open-source threat information available.

If you haven't had a chance to do that, I know the folks who work on the high assurance stuff in The Open Group RT&ES. look at that stuff a lot, because they're building a capability that is intended to stop some of those types of threats.

The other thing about assets is that we don't do a very good job of criticality analysis. In other words, most of our systems are running, processing, storing, and transmitting data and we’re not segregating the critical data into its own domain where necessary.
Complexity is something that’s going to be very difficult to address because of our penchant for bringing in new technologies.

I know that's hard to do sometimes. People say, “I’ve got to have all this stuff ready to go 24×7,” but when you look at some of the really bad breaches that we have had over the last several years establishing a domain for critical data, where that domain can be less complex, which means you can better defend it, and then you can invest more resources into defending those things that are the most critical.

I used a very simple example of a safe deposit box. I can't get all my stuff into the safe deposit box. So I have to make decisions. I put important papers in there, maybe a coin collection, whatever.  I have locks on my house on the front door, but they're not strong enough to stop some of those bad guys out there. So I make those decisions. I put it in the bank, and it goes in a vault. It’s a pain in the butt to go down there and get the stuff out, but it gives me more assurance, greater trustworthiness. That's an example of the things we have to be able to do.

Complexity is something that’s going to be very difficult to address because of our penchant for bringing in new technologies. Make no mistake about it, these are great technologies. They are compelling. They are making us more efficient. They are allowing us to do things we never imagined, like finding out the optimal time to go to the restroom during a movie, I mean who could have imagined we could do that a decade ago.

But as with every one of our customers out there, the kinds of things we’re talking about flies below their radar. When you download 100 apps on your smartphone, people in general, even the good folks in cybersecurity, have no idea where those apps are coming from, where the pedigree is, have they been tested at all, have they been evaluated, are they running on a trusted operating system?

Ultimately, that's what this business is all about, and that's what 800-161 is all about. It's about a lifecycle of the entire stack from applications, to middleware, to operating systems, to firmware, to integrated circuits, to include the supply chain.

The adversary is all over that stack. They now figure out how to compromise our firmware so we have to come up with firmware integrity controls in our control catalog, and that's the world we live in today.

Managing complexity

I was smiling this morning when I talked about the DNI, the Director of National Intelligence in building their cloud, if that’s going to go to the public cloud or not. I think Dawn is probably right, you probably won’t see that going to the public cloud anytime soon, but cloud computing gives us an opportunity to manage complexity. You can figure out what you want to send to the public cloud.

They do a good job through the FedRAMP program of deploying controls and they’ve got a business model that's important to make sure they protect their customers’ assets. So that's built into their business model and they do a lot of great things out there to try to protect that information.

Then, for whatever stays behind in your enterprise, you can start to employ some of the architectural constructs that you'll see here at this conference, some of the security engineering constructs that we’re going to talk about in 800-160, and you can better defend what stays behind within your organization.

So cloud is a way to reduce that complexity. Enterprise Architecture, TOGAF, all of those architectural things allow you to provide discipline and structure and thinking about what you're building: how to protect it, how much it’s going to cost and is it worth it? That is the essence of good security. It’s not about running around with a barrel full of security controls or ISO 27000 saying, hey, you’ve got to do all this stuff, or this guy is going to fall, those days are over.

Integration we talked about. This is also hard. We are working with stovepipes today. Enterprise Architects typically don't talk to security people. Acquisition folks, in most cases, don't talk to security people.
The message I'm going to send everyday is that we have to be more informed consumers. We have to ask for things that we know we need.

I see it everyday. You see RFPs go out and there is a whole long list of requirements, and then, when it comes to security, they say the system or the product they are buying must be FISMA compliant. They know that’s a law and they know they have to do that, but they really don't give the industry or the potential contractors any specificity as to what they need to do to bring that product or the system to the state where it needs to be.

And so it's all about expectations. I believe our industry, whether it's here or overseas, wherever these great companies operate, the one thing we can be sure of is that they want to please their customers. So maybe what the message I'm going to send everyday is that we have to be more informed consumers. We have to ask for things that we know we need.

It’s like if you go back with the automobile. When I first started driving a long time ago,  40 years ago, cars just had seatbelts. There were no airbags and no steel-reinforced doors. Then, you could actually buy an airbag as an option at some point. When you fast-forward to today, every car has an airbag, seatbelt, steel-reinforced doors. It comes as part of the basic product. We don't have to ask for it, but as consumers we know it's there, and it's important to us.

We have to start to look at the IT business in the same way, just like when we cross a bridge or fly in an airplane. All of you who flew here in airplanes and came across bridges had confidence in those structures. Why? Because they are built with good scientific and engineering practices.

So least functionality, least privilege, those are kind of foundational concepts in our world and cybersecurity. You really can't look at a smartphone or a tablet and talk about least functionality anymore, at least if you are running that movie app, and you want to have all of that capability.

The last point about trustworthiness is that we have four decades of best practices in trusted systems development. It failed 30 years ago because we had the vision back then of trusted operating systems, but the technology and the development far outstripped our ability to actually achieve that.

Increasingly difficult

We talked about a kernel-based operating system having 2,000, 3,000, 4,000, 5,000 lines of code and being highly trusted. Well, those concepts are still in place. It’s just that now the operating systems are 50 million lines of code, and so it becomes increasingly difficult.

And this is the key thing. As a society, we're going to have to figure out, going forward, with all this great technology, what kind of world do we want to have for ourselves and our grandchildren? Because with all this technology, as good as it is, if we can’t provide a basis of security and privacy that customers can feel comfortable with, then at some point this party is going to stop.

I don't know when that time is going to come, but I call it the national pain point in this digital denial. We will come to that steady state. We just haven't had enough time yet to get to that balance point, but I'm sure we will.

I talked about the essential partnership, but I don't think we can solve any problem without a collaborative approach, and that's why I use the essential partnership: government, industry, and academia.
But the bottom line is that we have to work together, and I believe that we'll do that.

Certainly all of the innovation, or most of the innovation, comes from our great industry. Academia is critical, because the companies like Oracle or Microsoft want to hire students who have been educated in what I call the STEM disciplines: Science, Technology, Engineering -- whether it's "double e" or computer science -- and Mathematics. They need those folks to be able to build the kind of products that have the capabilities, function-wise, and also are trusted.

And government plays some role -- maybe some leadership, maybe a bully pulpit, cheerleading where we can -- bringing things together. But the bottom line is that we have to work together, and I believe that we'll do that. And when that happens I think all of us will be able to sit in that movie and fire up that app about the restroom and feel good that it's secure.

Mary Ann Davidson: I guess I'm preaching to the converted, if I can use a religious example without offending somebody. One of the questions you asked is, why do we even have standards in this area? And of course some of them are for technical reasons. Crypto it turns out is easy for even very smart people to get wrong. Unfortunately, we have reason to find out.

So there is technical correctness. Another reason would be interoperability to get things to work better in a more secure manner. I've worked in this industry long enough to remember the first SSL implementation, woo-hoo, and then it turns out 40 bits wasn't really 40, bits because it wasn’t random enough, shall we say.

Trustworthiness. ISO has a standard -- The Common Criteria. It’s an ISO standard. We talk about what does it mean to have secure software, what type of threats does it address, how do you prove that it does what you say you do? There are standards for that, which helps. It helps everybody. It certainly helps buyers understand a little bit more about what they're getting.

No best practices

And last, but not least, and the reason it’s in quotes, “best practices,” is because there actually are no best practices. Why do I say that -- and I am seeing furrowed brows back there? First of all, lawyers don't like them in contracts, because then if you are not doing the exact thing, you get sued.

There are good practices and there are worst practices. There typically isn't one thing that everyone can do exactly the same way that's going to be the best practice. So that's why that’s in quotation marks.

Generally speaking, I do think standards, particularly in general, can be a force for good in the universe, particularly in cybersecurity, but they are not always a force for good, depending on other factors.

And what is the ecosystem? Well, we have a lot of people. We have standards makers, people who work on them. Some of them are people who review things. Like when NIST is very good, which I appreciate, about putting drafts out and taking comments, as opposed to saying, "Here it is, take it or leave it." That’s actually a very constructive dialogue, which I believe a lot of people appreciate. I know that I do.

Sometimes there are mandators. You'll get an RFP that says, "Verily, thou shall comply with this, less thee be an infidel in the security realm." And that can be positive. It can  be a leading edge of getting people to do something good that, in many cases, they should do anyway.
You get better products in something that is not a monopoly market. Competition is good.

Implementers, who have to take this and decipher and figure out why they are doing it. People who make sure that you actually did what you said you were going to do.

And last, but not least, there are weaponizers. What do I mean by that? We all know who they are. They are people who will try to develop a standard and then get it mandated. Actually, it isn’t a standard. It’s something they came up with, which might be very good, but it’s handing them regulatory capture.

And we need to be aware of those people. I like the Oracle database. I have to say that, right? There are a lot of other good databases out there. If I went in and said, purely objectively speaking, everybody should standardize on the Oracle database, because it’s the most secure. Well, nice work if I can get it.

Is that in everybody else’s interest? Probably not. You get better products in something that is not a monopoly market. Competition is good.

So I have an MBA, or had one in a prior life, and they used to talk in the marketing class about the three Ps of marketing. Don’t know what they are anymore; it's been a while. So I thought I would come up with Four Ps of a Benevolent Standard, which are Problem Statement, Precise Language, Pragmatic Solutions, and Prescriptive Minimization.

Economic analysis

And the reason I say this is one of the kind of discussions I have to have a lot of times, particularly sometimes with people in the government. I'm not saying this in any pejorative way. So please don't take it that way. It's the importance of economic analysis, because nobody can do everything.

So being able to say that I can't boil the ocean, because you are going to boil everything else in it, but I can do these things. If I could do these things, it’s very clear what I am trying to do. It’s very clear what the benefit is. We've analyzed it, and it's probably something everybody can do. Then, we can get to better.

Better is better than omnibus. Omnibus is something everybody gets thrown under if you make something too big. Sorry, I had to say that.

So Problem Statement: why is this important? You would think it’s obvious, Mary Ann, except that it isn't, because so often the discussions I have with people, tell me what problem you are worried about? What are you trying to accomplish? If you don't tell me that, then we're going to be all over the map. You say potato and I say "potahto," and the chorus of that song is, "let’s call the whole thing off."
Buying a crappy product is a risk of doing business. It’s not, per se, a supply chain risk.

I use supply chain as an example, because this one is all over the map. Bad quality? Well, buying a crappy product is a risk of doing business. It’s not, per se, a supply chain risk. I'm not saying it’s not important, but it it’s certainly not a cyber-specific supply chain risk.

Bad security: well, that's important, but again, that’s a business risk.

Backdoor bogeyman: this is the popular one. How do I know you didn’t put a backdoor in there? Well, you can't actually, and that’s not a solvable problem.

Assurance, supply chain shutdown: yeah, I would like to know that a critical parts supplier isn’t going to go out of business. So these are all important, but they are all different problems.

So if you don't say what you're worried about, and it can't be all the above. Almost every business has some supplier of some sort, even if it’s just healthcare. If you're not careful how you define this, you will be trying to define a 100 percent of any entity's business operations. And that's not appropriate.

Use cases are really important, because you may have a Problem Statement. I'll give you one, and this is not to ding NIST in any way, shape, or form, but I just read this. It’s the Cryptographic Key Management System draft. The only reason I cite this as an example is that I couldn't actually find a use case in there.

So whatever the merits of that are saying, are you trying to develop a super secret key management system for government, very sensitive cryptographic things you are building from scratch, or you are trying to define a key management system that we have to use for things like TLS or any encryption that any commercial product does, because that's way out of scope?

So without that, what are you worried about? And also what’s going to happen is somebody is going to cite this in an RFP and it’s going to be, are you compliant with bladdy-blah? And you have no idea whether that even should apply.

Problem Statement

So that Problem Statement is really important, because without that, you can't have that dialogue in groups like this. Well, what are we trying to accomplish? What are we worried about? What are the worst problems to solve?

Precise Language is also very important. Why? Because it turns out everybody speaks a slightly different language, even if we all speak some dialect of geek, and that is, for example, a vulnerability.

If you say vulnerability to my vulnerability handling team, they think of that as a security vulnerability that’s caused by a defect in software.

But I've seen it used to include, well, you didn’t configure the product properly. I don’t know what that is, but it’s not a vulnerability, at least not to a vendor. You implemented a policy incorrectly. It might lead to vulnerability, but it isn’t one. So you are seeing where I am going with this. If you don’t have language to find very crisply the same thing, you read something and you go off and do it and you realize you solved the wrong problem.

I am very fortunate. One of my colleagues from Oracle, who works on our hardware, and I also saw a presentation by people in that group at the Cryptographic Conference in November. They talked about how much trouble we got into because if you say, "module" to a hardware person, it’s a very different thing from what it meant to somebody trying to certify it. This is a huge problem because again you say, potato, I say "potahto." It’s not the same thing to everybody. So it needs to be very precisely defined.
Everybody speaks a slightly different language, even if we all speak some dialect of geek, and that is, for example, a vulnerability.

Scope is also important. I don’t know why. I have to say this a lot and it does get kind of tiresome, I am sure to the recipients, COTS isn't GOTS. Commercial software is not government software, and it’s actually globally developed. That’s the only way you get commercial software, the feature rich, reads frequently. We have access to global talent.

It’s not designed for all threat environments. It can certainly be better, and I think most people are moving towards better software, most likely because we're getting beaten up by hackers and then our customers, and it’s good business. But there is no commercial market for high-assurance software or hardware, and that’s really important, because there is only so much that you can do to move the market.

So even a standards developer or big U.S. governments, is an important customer in the market for a lot of people, but they're not big enough to move the marketplace on their own, and so you are limited by the business dynamic.

So that's important, you can get to better. I tell people, "Okay, anybody here have a Volkswagen? Okay, is it an MRAP vehicle? No, it’s not, is it? You bought a Volkswagen and you got a Volkswagen. You can’t take a Volkswagen and drive it around streets and expect it to perform like an MRAP vehicle. Even a system integrator, a good one, cannot sprinkle pixie dust over that Volkswagen and turn it into an MRAP vehicle. Those are very different threat environments.

Why you think commercial software and hardware is different? It’s not different. It’s exactly the same thing. You might have a really good Volkswagen, and it’s great for commuting, but it is never going to perform in an IED environment. It wasn’t designed for that, and there is nothing you can do or make it designed to perform in that environment.

Pragmatism

Pragmatism; I really wish anybody working on any standard would do some economic analysis, because economics rules the world. Even if it’s something really good, a really good idea, time, money, and people, particularly qualified security people, are constrained resourses.

So if you make people do something that looks good on paper, but it’s really time-consuming, it’s an opportunity, the cost is too high. That means what is the value of something you could do with those resources that would either cost less or deliver higher benefit. And if you don’t do that analysis, then you have people say, "Hey, that’s a great idea. Wow, that’s great too. I’d like that." It’s like asking your kid, "Do you want candy. Do want new toys? Do want more footballs?" Instead of saying, "Hey, you have 50 bucks, what you are going to do with it?"

And then there are unintended consequences, because if you make this too complex, you just have fewer suppliers. People will never say, "I'm just not going to bid because it’s impossible." I'm going to give you three examples and again I'm trying to be respectful here. This is not to dis anybody who worked on these. In some cases, these things have been subsequent revisions that have been modified, which I really appreciate. But there are examples of, when you think about it, what were you asking for in the first place.
I really wish anybody working on any standard would do some economic analysis, because economics rules the world.

I think this was an early version of NISTR 7622 and has since been excised. There was a requirement that the purchaser wanted to be notified of personnel changes involving maintenance. Okay, what does that mean?

I know what I think they wanted, which is, if you are outsourcing the human resources for the Defense Department and you move the whole thing to "Hackistan," obviously they would want to be notified. I got that, but that’s not what it said.

So I look at that and say, we have 5,000 products, at least, at Oracle. We have billions and billions of lines of code everyday. Somebody checks out a transaction, getting some code, and they do some work on it and they didn’t write it in the first place.

So am I going to tweet all that to somebody. What’s that going to do for you? Plus you have things like the German Workers Council. We are going to tell the US Government that Jurgen worked on this line of code. Oh no, that’s not going to happen.

So what was it you were worried about, because that is not sustainable, tweeting people 10,000 times a day with code changes is just going to consume a lot of resource.

In another one, had this in an early version of something they were trying to do. They wanted to know, for each phase of development for each project, how many foreigners worked on it? What's a foreigner? Is it a Green Card holder? Is it someone who has a dual passport? What is that going to do for you?

Now again if you had a super custom code for some intelligence, I can understand there might be cases in which that would matter. But general-purpose software is not one of them. As I said, I can give you that information. We're a big company and we’ve got lots of resource. A smaller company probably can’t. Again, what will I do for you, because I am taking resources I could be using on something much more valuable and putting them on something really silly.

Last, but not least, and again, with respect, I think I know why this was in there. It might have been the secure engineering draft standard that you came up with that has many good parts to it.

Root cause analysis

I think vendors will probably understand this pretty quickly. Root Cause Analysis. If you have a vulnerability, one of the first things you should use is Root Cause Analysis. If you're a vendor and you have a CVSS 10 Security vulnerability in a product that’s being exploited, what do you think the first thing you are going to do is?

Get a patch in your customers’ hands or work around? Yeah, probably, that’s probably the number one priority. Also, Root Cause Analysis, particularly for really nasty security bugs, is really important. CVSS 0, who cares? But for 9 or 10, you should be doing that common analysis.

I’ve got a better one. We have a technology we have called Java. Maybe you’ve heard of it. We put a lot of work into fixing Java. One of the things we did is not only Root Cause Analysis, for CVSS 9 and higher. They have to go in front of my boss. Every Java developer had to sit through that briefing. How did this happen?

Last but not least, looking for other similar instances, not just root cause, how did that get in there and how do we avoid it. Where else does this problem exist. I am not saying this to make us look good; I 'm saying for the analytics. What are you really trying to solve here. Root Cause Analysis is important, but it's important in context. If I have to do it for everything, it's probably not the best use of a scarce resource.
If you mandate too much, it will stifle innovation and it won’t work for people.

My last point is to minimize prescriptiveness within limits. For example, probably some people in here don’t know how to bake or maybe you made a pie. There is no one right way to bake a cherry pie. Some people go down to Ralphs and they get a frozen Marie Callendar’s out of the freezer, they stick it in the oven, and they’ve got a pretty good cherry pie.

Some people make everything from scratch. Some people use a prepared pie crust and they do something special with the cherries they picked off their tree, but there is no one way to do that that is going to work for everybody.

Best practice for something. For example, I can say truthfully that a best development practice would not be just start coding, number one; and number two, it compiles without too many errors on the base platform, and ship it. That is not good development practice.

If you mandate too much, it will stifle innovation and it won’t work for people. Plus, as I mentioned, you will have an opportunity cost. If I'm doing something that somebody says I have to do, but there is a more innovative way of doing that.

We don’t have a single development methodology in Oracle, mostly because of acquisitions. We buy a great company, we don't tell them, "You know, that agile thing you are doing, it’s the last year. You have to do waterfall." That’s not going to work very well, but there are good practices even within those different methodologies.

Allowing for different hows is really important. Static analysis is one of them. I think static analysis is kind of industry practice now, and people should be doing it. Third party is really bad. I have been opining about this, this morning.

Third-party analysis

Let just say, I have a large customer, I won't name who used a third-party static analysis service. They broke their license agreement with us. They're getting a lot of it from us. Worse, they give us a report that included vulnerabilities from one of our competitors. I don’t want to know about those, right? I can't fix some. I did tell my competitor, "You should know this report exist, because I'm sure you want to analyze this."

Here's the worst part. How many of those vulnerabilities the third-party found you think had any merit? Run tool is nothing; analyzing results is everything. That customer and the vendor wasted the time of one of our best security leads, trying to make sure there was no there there, and there wasn't.

So again, and last but not least, government can use their purchasing power in lot of very good ways, but realize that regulatory things are probably going to lag actual practice. You could be specifying buggy whip standards and the reality is that nobody uses buggy whips anymore. It's not always about the standard, particularly if you are using resources in a less than optimal way.
This is one of the best forums I have seen, because there are people who have actual subject matter expertise to bring to the table.

One of the things I like about The Open Group is that here we have actual practitioners. This is one of the best forums I have seen, because there are people who have actual subject matter expertise to bring to the table, which is so important in saying what is going to work and can be effective.

The last thing I am going to say is a nice thank you to the people in the Trusted TTPF, because I appreciate the caliber of my colleagues, and also Sally Long. They talk about this type of an effort as herding cats, and at least for me, it's probably like herding a snarly cat. I can be very snarly. I'm sure you can pick up on that.

So I truly appreciate the professionalism and the focus and the targeting. Targeting a good slice of making a supply-chain problem better, not boiling the ocean, but very focused and targeted and with very high-caliber participation. So thank you to my colleagues and particularly thank you to Sally, and that’s it, I will turn it over to others.

Jim Hietala: We do, we have a few questions from the audience. So the first one and both here could feel free to chime in on this. Something you brought up Dr. Ross, building security in looking at software and systems engineering processes. How do you bring industry along in terms of commercial off-the-shelf products and services especially when you look at things like IoT, where we have got IP interfaces grafted on to all sorts of devices?

Ross: As Mary Ann was saying before, the strength of any standard is really its implementability out there. When we talk about, in particular, the engineering standard, the 15288 extension, if we do that correctly every organization out there who's already using -- let's say a security development lifecycle like the 27034, you can pick your favorite standard -- we should be able to reflect those activities in the different lanes of the 15288 processes.

This is a very important point that I got from Mary Ann’s discussion. We have to win the hearts and minds and be able to reflect things in a disciplined and structured process that doesn't take people off their current game. If they're doing good work, we should be able to reflect that good work and say, "I'm doing these activities whether it’s SDL, and this is how it would map to those activities that we are trying to find in the 15288."

And that can apply to the IoT. Again, it goes back to the computer, whether it’s Oracle database or a Microsoft operating system. It’s all about the code and the discipline and structure of building that software and integrating it into a system. This is where we can really bring together industry, academia, and government and actually do something that we all agree on.

Different take

Davidson: I would have a slightly different take on this. I know this is not a voice crying in the wilderness. My concern about the IoT goes back to things I learned in business school in financial market theory, which unfortunately has been borne out in 2008.

There are certain types of risks you can mitigate. If I cross a busy street, I'm worried about getting hit by a car. I can look both ways. I can mitigate that. You can't mitigate systemic risk. It means that you created a fragile system. That is the problem with the IoT, and that is a problem that no jury of engineering will solve.

If it's not a problem, why aren’t we giving nuclear weapons’ IP addresses? Okay, I am not making this up. The Air Force thought about that at one point. You're laughing. Okay, Armageddon, there is an app for that.
I really wish that people could look at this, not just in terms of how many of these devices and what a great opportunity, but what is a systemic risk that we are creating by doing this.

That's the problem. I know this is going to happen anyway. whether or not I approve of it, but I really wish that people could look at this, not just in terms of how many of these devices and what a great opportunity, but what is a systemic risk that we are creating by doing this.

My house is not connected to the Internet directly and I do not want somebody to shut my appliances off or shut down my refrigerator or lock it so that I can’t get into it or use that for launching an attack, those are the discussions we should be having -- at least as much as how we make sure that people designing these things have a clue.

Hietala: The next question is, how do customers and practitioners value the cost of security, and then a kind of related question on what can global companies due to get C-Suite attention and investment on cybersecurity, that whole ROI value discussion?

Davidson: I know they value it because nobody calls me up and says, "I am bored this week. Don’t you have more security patches for me to apply?" That’s actually true. We know what it costs us to produce a lot of these patches, and it’s important for the amount of resources we spend on that I would much rather be putting them on building something new and innovative, where we could charge money for it and provide more value to customers.

So it's cost avoidance, number one; number two more people have an IT backbone. They understand the value of having it be reliable. Probably one of the reasons people are moving to clouds is that it’s hard to maintain all these and hard to find the right people to maintain them. But also I do have more customers asking us now about our security practices, which is be careful what you wish for

I said this 10 years ago. People should be demanding. They know what we're doing and now I am going to spend a lot of time answering RFPs, but that’s good. These people are aware of this. They're running their business on our stuff and they want to know what kind of care we're taking to make sure we're protecting their data and their mission-critical applications as if it were ours.

Difficult question

Ross: The ROI question is very difficult with regard to security. I think this goes back to what I said earlier. The sooner we get security out of its stovepipe and integrated as just part of the best practices that we do everyday, whether it’s in the development work at a company or whether it’s in our enterprises as part of our mainstream organizational management things like the SDLC, or if we are doing any engineering work within the organization, or if we have the Enterprise Architecture group involved. That integration makes security less of  “hey, I am special” and more of just a part of the way we do business.

So customers are looking for reliability and dependability. They rely on this great bed of IT product systems and services and they're not always focused on the security aspects. They just want to make sure it works and that if there is an attack and the malware goes creeping through their system, they can be as protected as they need to be, and sometimes that flies way below their radar.

So it's got to be a systemic process and an organizational transformation. I think we have to go through it, and we are not quite there just yet.
So it's got to be a systemic process and an organizational transformation. I think we have to go through it, and we are not quite there just yet.

Davidson: Yeah, and you really do have to bake it in. I have a team of -- I’ve got three more headcount, hoo-hoo -- 45 people, but we have about 1,600 people in development whose jobs are to be security points of contact and security leads. They're the boots on the ground who implement our program, because I don't want to have an organization that peers over everybody’s shoulder to make sure they are writing good code. It's not cost-effective, not a good way to do it. It's cultural.

One of the ways that you do that is seeding those people in the organization, so they become the boots on the ground and they have authority to do things, because you’re not going to succeed otherwise.

Going back to Java, that was the first discussion I had with one of the executives that this is a cultural thing. Everybody needs to feel that he or she is personally responsible for security, not those 10-20 whatever those people are, whoever the security weenie is. It’s got to be everybody and when you can do that, you really have to see change and how things happen. Everybody is not going to be a security expert, but everybody has some responsibility for security.

This has been a special BriefingsDirect presentation and panel discussion from The Open Group San Diego 2015. Download a copy of the transcript. This follows an earlier discussion from the event on synergies among major Enterprise Architecture frameworks with The Open Group.

Transcript of a live panel discussion at last month's The Open Group San Diego 2015. Copyright The Open Group and Interarbor Solutions, LLC, 2005-2015. All rights reserved.

You may also be interested in:

Tuesday, July 09, 2013

Platform 3.0 Ripe to Give Standard Access to Advanced Intelligence and Automation, Bring Commercial Benefits to Enterprises

Transcript of a BriefingsDirect podcast on how The Open Group is working to stay ahead of converging challenges organization face with big data, mobile, cloud and social.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: The Open Group.

Dana Gardner: Hello, and welcome to a special BriefingsDirect Thought Leadership Interview series, coming to you in conjunction with The Open Group Conference on July 15, in Philadelphia.

Gardner
I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these discussions on enterprise transformation in the finance, government, and healthcare sector. Registration to the conference remains open. Follow the conference on Twitter at #ogPHL.

We're here now with a panel of experts to explore the business implications of the current shift to so-called Platform 3.0. Known as the new model through which big data, cloud, and mobile and social -- in combination -- allow for advanced intelligence and automation in business, Platform 3.0 has so far lacked standards or even clear definitions.

The Open Group and its community are poised to change that, and we're here now to learn more how to leverage Platform 3.0 as more than a IT shift -- and as a business game-changer.

With that, please join me in welcoming our panel: Dave Lounsbury, Chief Technical Officer at The Open Group. Welcome, Dave.

Dave Lounsbury: Hi, Dana, happy to be here.

Gardner: We're also here with Chris Harding, Director of Interoperability at The Open Group. Welcome, Chris. [Disclosure: The Open Group is a sponsor of this and other BriefingsDirect podcasts.]

Chris Harding: Thank you, Dana, and it's great to be on this panel.

Gardner: And also Mark Skilton, Global Director in the Strategy Office at Capgemini. Welcome, Mark.

Mark Skilton: Hi, Dana, thanks for inviting us today. I'm very happy to be here.

Gardner: A lot of people are still wrapping their minds around this notion of Platform 3.0, something that is a whole greater than the sum of the parts. Why is this more than an IT conversation or a shift in how things are delivered? Why are the business implications momentous?

Lounsbury: Well, Dana, there are lot of IT changes or technical changes going on that are bringing together a lot of factors. They're turning into this sort of super-saturated solution of ideas and possibilities and this emerging idea that this represents a new platform. I think it's a pretty fundamental change.

Lounsbury
If you look at history, not just the history of IT, but all of human history, you see that step changes in societies and organizations are frequently driven by communication or connectedness. Think about the evolution of speech or the invention of the alphabet or movable-type printing. These technical innovations that we’re seeing are bringing together these vast sources of data about the world around us and doing it in real time.

Further, we're starting to see a lot of rapid evolution in how you turn data into information and presenting the information in a way such that people can make decisions on it. Given all that we’re starting to realize, we’re on the cusp of another step of connectedness and awareness.

Fundamental changes

This really is going to drive some fundamental changes in the way we organize ourselves. Part of what The Open Group is doing, trying to bring Platform 3.0 together, is to try to get ahead of this and make sure that we understand not just what technical standards are needed, but how businesses will need to adapt and evolve what business processes they need to put in place in order to take maximum advantage of this to see change in the way that we look at the information.

Gardner: Chris Harding is there a time issue here? Is this something that organizations should sit back, watch how it unfolds, and then gauge their response? Or is there a benefit of being out in front of this in some way?

Harding: I don’t know about in front of this. Enterprises have to be up with the way that things are moving in order to keep their positions in their industries. Enterprises can't afford to be working with yesterday's technology. It's a case of being able to understand the information that they're presented and make the best decision to reflect that.

Harding
We've always talked about computers being about input, process, and output. Years ago, the input might have been through a teletype, the processing on a computer in the back office, and the output on print-out paper.

Now, we're talking about the input being through a range of sensors and social media, the processing is done on the cloud, and the output goes to your mobile device, so you have it wherever you are when you need it. Enterprises that stick in the past are probably going to suffer.

Gardner: Mark Skilton, the ability to manage data at greater speed and scale, the whole three Vs -- velocity, volume, and value -- on its own could perhaps be a game changing shift in the market. The drive of mobile devices into lives of both consumers and workers is also a very big deal.

Of course, cloud has been an ongoing evolution of emphasis towards agility and efficiency in how workloads are supported. But is there something about the combination of how these are coming together at this particular time that, in your opinion, substantiates The Open Group’s emphasis on this as a literal platform shift?

Skilton: It is exactly that in terms of the workloads. The world we're now into is the multi-workload environment, where you've got mobile workloads, storage and compute workloads, and social networking workloads. There are many different types of data and traffic today in different cloud platforms and devices.

Skilton
It has to do with not just one solution, not one subscription model, because we're now into this subscription-model era, the subscription economy, as one group tends to describe it. Now, we're looking for not only just providing the security, the infrastructure, to deliver this kind of capability to a mobile device, as Chris was saying. The question is, how can you do this horizontally across other platforms? How can you integrate these things? This is something that is critical to the new order.

So Platform 3.0 addressing this point by bringing this together. Just look at the numbers. Look at the scale that we're dealing with -- 1.7 billion mobile devices sold in 2012, and 6.8 billion subscriptions estimated according to the International Telecommunications Union (ITU) equivalent to 96 percent of the world population.

Massive growth

We had massive growth in scale of mobile data traffic and internet data expansion. Mobile data is increasing 18 percent fold from 2011 to 2016 reaching 130 exabytes annually.  We passed 1 zettabyte of global online data storage back in 2010 and IP data traffic predicted to pass 1.3 zettabytes by 2016, with internet video accounting for 61 percent of total internet data according to Cisco studies.

These studies also predict data center traffic combining network and internet based storage will reach 6.6 zettabytes annually, and nearly two thirds of this will be cloud based by 2016.  This is only going to grow as social networking is reaching nearly one in four people around the world with 1.7 billion using at least one form of social networking in 2013, rising to one in three people with 2.55 billion global audience by 2017 as another extraordinary figure from an eMarketing.com study.

It is not surprising that many industry analysts are seeing growth in technologies of mobility, social computing, big data and cloud convergence at 30 to 40 percent and the shift to B2C commerce passing $1 trillion in 2012 is just the start of a wider digital transformation.

These numbers speak volumes in terms of the integration, interoperability, and connection of the new types of business and social realities that we have today.

Gardner: Dave Lounsbury, back to you. Why should IT be thinking about this as a fundamental shift, rather than a step change or a modest change? It seems to me that this combination of factors almost blows the whole IT definition of 10 years ago, out of the water. Is it that big a deal for IT? It also has an impact on business. I'd like to just focus on how IT organizations might need to start rethinking things?
There's no point giving someone data if it's not been properly managed or if there's incorrect information.

Lounsbury: A lot depends on how you define your IT organization. It's useful to separate the plumbing from the water. If we think of the water as the information that’s flowing, it's how we make sure that the water is pure and getting to the places where you need to have the taps, where you need to have the water, etc.

But the plumbing also has to be up to the job. It needs to have the capacity. It needs to have new tools to filter out the impurities from the water. There's no point giving someone data if it's not been properly managed or if there's incorrect information.

What's going to happen in IT is not only do we have to focus on the mechanics of the plumbing, where we see things like the big database that we've seen in the open-source  role and things like that nature, but there's the analytics and the data stewardship aspects of it.

We need to bring in mechanisms, so the data is valid and kept up to date. We need to indicate its freshness to the decision makers. Furthermore, IT is going to be called upon, whether as part of the enterprise IP or where end users will drive the selection of what they're going to do with analytic tools and recommendation tools to take the data and turn it into information. One of the things you can't do with business decision makers is overwhelm them with big rafts of data and expect them to figure it out.

You really need to present the information in a way that they can use to quickly make business decisions. That is an addition to the role of IT that may not have been there traditionally -- how you think about the data and the role of what, in the beginning, was called data scientist and things of that nature.

Shift in constituency

Skilton: I'd just like to add to Dave's excellent points about, the shape of data has changed, but also about why should IT get involved. We're seeing that there's a shift in the constituency of who is using this data.

We've got the Chief Marketing Officer and the Chief Procurement Officer and other key line of business managers taking more direct control over the uses of information technology that enable their channels and interactions through mobile, social and data analytics. We've got processes that were previously managed just by IT and are now being consumed by significant stakeholders and investors in the organization.

We have to recognize in IT that we are the masters of our own destiny. The information needs to be sorted into new types of mobile devices, new types of data intelligence, and ways of delivering this kind of service.

I read recently in MIT Sloan Management Review an article that asked what is the role of the CIO. There is still the critical role of managing the security, compliance, and performance of these systems. But there's also a socialization of IT, and this is where  the  positioning architectures which are cross platform is key to  delivering real value to the business users in the IT community.

Gardner: So we have more types of users, more classes of individuals and resources within a enterprise starting to avail themselves more of these intelligence capabilities more ubiquitously, vis-à-vis the mobile and the cloud delivery opportunity.
This is where The Open Group can really help things along by being a recipient and a reflector of best practice and standard.

How do we prevent this from going off the rails? How is it that we don’t start creating multiple fire hoses of information and/or too much data, but not enough analysis? Chris Harding, any thoughts about where perhaps The Open Group or others can step in to help make this a more fruitful, rather than chaotic, transition?

Harding: This a very important point. And to add to the difficulties, it's not only that a whole set of different people are getting involved with different kinds of information, but there's also a step change in the speed with which all this is delivered. It's no longer the case, that you can say, "Oh well, we need some kind of information system to manage this information. We'll procure it and get a program written" that a year later that would be in place in delivering reports to it.

Now, people are looking to make sense of this information on the fly if possible. It's really a case of having the platforms be the standard technology platform and also the systems for using it, the business processes, understood and in place.

Then, you can do all these things quickly and build on learning from what people have gone in the past, and not go out into all sorts of new experimental things that might not lead anywhere. It's a case of building up the standard platform in the industry best practice. This is where The Open Group can really help things along by being a recipient and a reflector of best practice and standard.

Lounsbury: I'd like to expand on that a little bit if I could, Dana. I agree with all the points that Chris and Mark just made. We should also mention that it's not just the speed of the analysis on the consumption side. We're going to see a lot of rapid evolution in the input side as well.

New data sources

We're starting to see lot of new data sources come on line. We've touched on the mobile devices and the social networks that those mobile devices enable, but we’re really also on the cusp of this idea of the "Internet of things," where there is a vast globe full of network connected sensors and actuators out there, all of which produce their own data.

Part of the process that Chris alluded to and the best practices Chris alluded to is how you run your business processes so that you keep your feeds up to date, so that you can adapt quickly to new sources of information, as well as adapt quickly to the new demands for information from the lines of business.

Gardner: It seems to be somewhat unprecedented that we have multiple change agents playing off of one another with complexity, scale, and velocity all very much at work. It's one thing to have a vision about how you would want to exploit this, but it's another to have a plan about how to go about that.

Mark Skilton, with your knowledge of Capgemini and the role that they play in the market, it seems to me that there's a tremendous need for some examples or some sense of how to go about managing the ability to exploit Platform 3.0 without getting tripped up and overwhelmed in the process.

Skilton: That’s right. Capgemini has been doing work in this area. I break it down into four levels of scalability. It's the platform scalability of understanding what you can do with your current legacy systems in introducing cloud computing or big data, and the infrastructure that gives you this, what we call multiplexing of resources. We're very much seeing this idea of introducing scalable platform resource management, and you see that a lot with the heritage of virtualization.
Companies needs to think about what online marketplaces they need for digital branding, social branding, social networks, and awareness of your customers, suppliers, and employees.

Going into networking and the network scalability, a lot of the customers have who inherited their old telecommunications networks are looking to introduce new MPLS type scalable networks. The reason for this is that it's all about connectivity in the field. I meet a number of clients who are saying, "We’ve got this cloud service," or "This service is in a certain area of my country. If I move to another parts of the country or I'm traveling, I can't get connectivity." That’s the big issue of scaling.

Another one is application programming interfaces (APIs). What we’re seeing now is an explosion of integration and application services using API connectivity, and these are creating huge opportunities of what Chris Anderson of Wired used to call the "long tail effect." It is now a reality in terms of building that kind of social connectivity and data exchange that Dave was talking about.

Finally, there are the marketplaces. Companies needs to think about what online marketplaces they need for digital branding, social branding, social networks, and awareness of your customers, suppliers, and employees. Customers can see that these four levels are where they need to start thinking about for IT strategy, and Platform 3.0 is right on this target of trying to work out what are the strategies of each of these new levels of scalability.

Gardner: Dave Lounsbury, we're coming up on The Open Group Conference in Philadelphia very shortly. What should we expect from that? What is The Open Group doing vis-à-vis Platform 3, and how can organizations benefit from seeing a more methodological or standardized approach to some way of rationalizing all of this complexity? [Registration to the conference remains open. Follow the conference on Twitter at #ogPHL.]

Lounsbury: We're still in the formational stages of  "third platform" or Platform 3.0 for The Open Group as an industry. To some extent, we're starting pretty much at the ground floor with that in the Platform 3.0 forum. We're leveraging a lot of the components that have been done previously by the work of the members of The Open Group in cloud, services-oriented architecture (SOA), and some of the work on the Internet of things.

First step

Our first step is to bring those things together to make sure that we've got a foundation to depart from. The next thing is that, through our Platform 3.0 Forum and the Steering Committee, we can ask people to talk about what their scenarios are for adoption of Platform 3.0?

That can range from things like the technological aspects of it and what standards are needed, but also to take a clue from our previous cloud working group. What are the best business practices in order to understand and then adopt some of these Platform 3.0 concepts to get your business using them?

What we're really working towards in Philadelphia is to set up an exchange of ideas among the people who can, from the buy side, bring in their use cases from the supply side, bring in their ideas about what the technology possibilities are, and bring those together and start to shape a set of tracks where we can create business and technical artifacts that will help businesses adopt the Platform 3.0 concept.

Gardner: Anything to offer on that Chris?

Harding: There are some excellent points there. We certainly need to understand the business environment within which Platform 3.0 will be used. We've heard already about new players, new roles of various kinds that are appearing, and the fact that the technology is there and the business is adapting to this to use technology in new ways.

For example, we've heard about the data scientist. The data scientist is a new kind of role, a new kind of person, that is playing a particular part in all this within enterprises. We're also hearing about marketplaces for services, new ways in which services are being made available and combined.
What are the problems that need to be resolved in order to understand what kind of shape the new platform will have?

We really need to understand the actors in this new kind of business scenario. What are the pain points that people are having? What are the problems that need to be resolved in order to understand what kind of shape the new platform will have? That is one of the key things that the Platform 3.0 Forum members will be getting their teeth into.

Gardner: At the same time, The Open Group is looking to enter into more vertical industry emphasis with its activities. At the Philadelphia Conference, you've chosen finance, government and healthcare. Dave or Chris, is there something about these three vertical industries that make them excellent test cases for Platform 3.0? Is there something about going into a vertical industry that helps with the transition to 3.0, rather than a general or one-size-fits-all approach? What's the impact of vertical industry emphasis on this transition?

Lounsbury: First, I'll note that the overarching theme of The Open Group Conferences is about business transformation -- how you adapt and evolve your business to take better advantage of the efficiencies afforded by IT and other developments. So as a horizontal activity, Platform 3.0 fits in very well with that, because I believe these transformational drivers from the evolution of Platform 3.0 are going to affect all industries.

To get back to your question, the benefit of Platform 3.0 will be most immediately and urgently felt in vertical industries that deal with extremely large volumes of data and need to filter very large volumes of data in order to achieve their business objectives and run their businesses efficiently.

For example, one of the things that healthcare is struggling with right now is a mass of patient records that need to be done. How do care givers or care providers make sense of those, make sure that everybody is up-to-date, and make sure that everybody is simply working off of the same data? It's a core question for them.

Today's problem

That’s today's problem which some of the infrastructure of Platform 3.0 will undoubtedly help with. When you come to looking at care not only as an individual topic, how my doctor or nurse gives care to me, but in terms of the larger trends in healthcare, can we look at how certain drugs effect certain diseases, it's a perfect example for the use of data and strong analytics to get information. We couldn’t have actually gotten that before, simply because we couldn’t bring it together and understand it.

In some sense, the biotech industry has been leading this trend. Genomics have really seeded a lot of the big data capabilities.

That will be a very exciting area for healthcare. If you go into any Apple Store, you'll see a whole retail rack of gadgets that you wear on your body that tell you how fit you are, or how fit you aren’t in some cases. It will tell you what your pulse is, your heart rate, and your body mass index. We're getting very close to a time when we will have things that might even measure and report bits of your blood chemistry. We're very close to that, for example, with blood sugar.

That data might, through the concepts of Platform 3.0, provide a really personalized and much more immediate healthcare loop in the patient care. Again, these are all things a few years out. The Open Group is deliberately choosing to get in early, so we and our members can be informed about these trends, how to take advantage of them and what standards are going to be needed to do it.

We can go on about finance too, but it's also another area where this massive data that will need to be correlated and analyzed.

Gardner: You are saying that not only are we facing an internet of things, we're going to be facing an internet of living things as well. So, there's a lot of data to come.
The Open Group is deliberately choosing to get in early, so we and our members can be informed about these trends.

One of the great things about The Open Group that I've been observing over the years is that it really provides a super important environment for different types of organizations to collaborate and share their stories and understand what others are doing, both in their own vertical industries, but also another types of business.

I expect that’s really going to be a huge benefit to organizations as they transition towards Platform 3.0, to learn from how others are doing it and even how others have stumbled along the way? But do you have any early indicators, either examples or use cases that would illustrate just how important this is, how instrumental this can be in helping companies?

Let's go across our panel. Mark Skilton at Capgemini, any examples that we could point to that would indicate that when you do this well, when you transition, when you take advantage of all these changes in tandem, you get pragmatic and even measurable benefit.

Skilton: Identifying business value is the key and builds on what David was talking about in terms of having new types of data, sensors, and capabilities. What we’re finding is clients are dealing with this in eHealth, eGovernment and eFinance.  

Cost of health care

In the health sector the rising cost of health care and the increasing life expectancy and longevity of the population is increasing pressure on the cost of health care in many countries. eHealth initiatives, use of new technologies such as mobile patient monitoring, and improved digital patient record management and care planning will aim to drive down the cost of medical care while improving the quality of life of patients.

In the federal government sector the eGov initiatives seek to develop citizen services and value for money of public spend programs. Open data initiatives aim to develop information and marketing sharing of services.

What can we do there to accelerate the adoption of services across markets. How can we actually bring mobile services to customers quickly? How can we grow growth of different vertical and horizontal markets?  They're looking for convergence of Platform 3.0 services where I can offer portal services.

In the finance sector we see adoption of new technologies to scale to multiple consumer markets with rapid insight and large scale data analytics to profile financial behavior and credit risk profiles for example.

A recent seminar that I was involved in was about cost avoidance of the future cost of investing in more infrastructure. How can you bring big data and social capabilities together, bring new experiences and improve quality of life, and improve the citizens' value of services from their government? How can you drive new financial processes and services? There are many similar case studies across multiple industries.
But it's really early days yet. The idea of Platform 3.0 is only just crystallizing.

Gardner: Chris Harding, being involved with interoperability so deeply, are there any examples or use cases that you can point to where not only are organizations looking internally for better efficiency and productivity gain, but perhaps are expanding the capabilities of Platform 3.0 outside of their organizations into a ecosystem or even greater? What are some of the divisions around extending 3.0 benefits into a wider, collaborative environment?

Harding: If you want a practical but historical example of how shared information, analytics, collection, distribution can empower a whole industry, you only have to look at the finance industry, where it's been commonplace actually for some time. Shared information is collected in real time, various companies analyze it, and it's distributed and made available in graphical form. You can probably get it on your mobile phone if you want.

Imagine how that kind of information processing ability could be translated into other areas, such as healthcare, so that on a routine basis, medical people could get up-to-the-minute information on critical patients wherever they are. You can see what possibilities we are looking at.

But it's really early days yet. The idea of Platform 3.0 is only just crystallizing, and the point of it is, to pick up on Mark's point, that enterprises everywhere are constantly under pressure to do more and more with fewer and fewer resources. That’s why some kind of standard platform that will enable industries across the board to take advantage of this kind of possibility is something that we really need.

Lounsbury: We all know the Gartner hype cycle. We get out on the early edge of things. We see the possibilities, and then there is the trough of disillusionment. Chris has touched on something very important that I think is necessary for there to be a successful transition to this Platform 3.0 world we envisioned.

Data growth

One of the big risks here is that we see figures that say the amount of data produced doubles every 1.2 years. Well, the rate of growth of people who can deal with that data, data scientists and whatever, is pretty much a linear growth. Maybe it's 5 percent a year or 10 percent a year, or something like that, but it's not doubling every 1.2 years.

One of the reasons that it's very important for people to come in, get engaged, and start bringing in these use cases that you've mentioned is because the sooner we get to have common understandings and common approaches, the more efficient our industrial base and our use of the big data will be.

The biggest challenge to actually attaining the value of Platform of 3.0 will be having the human processes and the business processes needed to deal with that volume and velocity that Mark alluded to right at the beginning. To me that's a critical aspect that we've got to bring in -- how we get the people aware of this as well.

Gardner: We're getting close to the end, but looking to the future, Dave, we think about the ability of the data to be so powerful when processed properly, when recommendations can be delivered to the right place at the right time, but we also recognize that there are limits to a manual or even human level approach to that, scientist by scientist, analysis by analysis.

When we think about the implications of automation, it seems like there were already some early examples of where bringing cloud, data, social, mobile, interactions, granularity of interactions together, that we've begun to see that how a recommendation engine could be brought to bear. I'm thinking about the Siri capability at Apple and even some of the examples of the Watson Technology at IBM.
In the future, we'll be talking about a multiplicity of information that is not just about services at your location or your personal lifestyle or your working preferences.

So to our panel, are there unknown unknowns about where this will lead in terms of having extraordinary intelligence, a super computer or data center of super computers, brought to bear almost any problem instantly and then the result delivered directly to a center, a smart phone, any number of end points?

It seems that the potential here is mind boggling. Mark Skilton, any thought?

Skilton: What we're talking about is the next generation of the internet.  The advent of IPv6 and the explosion in multimedia services, will start to drive the next generation of the internet.

I think that in the future, we'll be talking about a multiplicity of information that is not just about services at your location or your personal lifestyle or your working preferences. We'll see a convergence of information and services across multiple devices and new types of “co-presence services” that interact with your needs and social networks to provide predictive augmented information value.

When you start to get much more information about the context of where you are, the insight into what's happening, and the predictive nature of these, it becomes something that becomes much more embedding into everyday life and in real time in context of what you are doing.

I expect to see much more intelligent applications coming forward on mobile devices in the next 5 to 10 years driven by this interconnected explosion of real time processing data, traffic, devices and social networking we describe in the scope of platform 3.0. This will add augmented intelligence and is something that’s really exciting and a complete game changer. I would call it the next killer app.

First-mover benefits

Gardner: Chris Harding, there's this notion of intelligence brought to bear rapidly in context, at a manageable cost. This seems to me a big change for businesses. We could, of course, go into the social implications as well, but just for businesses, that alone to me would be an incentive to get thinking and acting on this. So any thoughts about where businesses that do this well would be able to have significant advantage and first mover benefits?

Harding: Businesses always are taking stock. They understand their environments. They understand how the world that they live in is changing and they understand what part they play in it. It will be down to individual businesses to look at this new technical possibility and say, "So now this is where we could make a change to our business." It's the vision moment where you see a combination of technical possibility and business advantage that will work for your organization.

It's going to be different for every business, and I'm very happy to say this, it's something that computers aren’t going to be able to do for a very long time yet. It's going to really be down to business people to do this as they have been doing for centuries and millennia, to understand how they can take advantage of these things.

So it's a very exciting time, and we'll see businesses understanding and developing their individual business visions as the starting point for a cycle of business transformation, which is what we'll be very much talking about in Philadelphia. So yes, there will be businesses that gain advantage, but I wouldn’t point to any particular business, or any particular sector and say, "It's going to be them" or "It's going to be them."
Pick your industry, and there is huge amount of knowledge base that humans must currently keep on top of.

Gardner: Dave Lounsbury, a last word to you. In terms of some of the future implications and vision, where could this could lead in the not too distant future?

Lounsbury: I'd disagree a bit with my colleagues on this, and this could probably be a podcast on its own, Dana. You mentioned Siri, and I believe IBM just announced the commercial version of its Watson recommendation and analysis engine for use in some customer-facing applications.

I definitely see these as the thin end of the wedge on filling that gap between the growth of data and the analysis of data. I can imagine in not in the next couple of years, but in the next couple of technology cycles, that we'll see the concept of recommendations and analysis as a service, to bring it full circle to cloud. And keep in mind that all of case law is data and all of the medical textbooks ever written are data. Pick your industry, and there is huge amount of knowledge base that humans must currently keep on top of.

This approach and these advances in the recommendation engines driven by the availability of big data are going to produce profound changes in the way knowledge workers produce their job. That’s something that businesses, including their IT functions, absolutely need to stay in front of to remain competitive in the next decade or so.

Gardner: Well, great. I'm afraid we'll have to leave it there. There will be lots more to hear at the conference itself. Today we've been talking about the business implications of the shift to Platform 3.0. They're coming about, and we can start to plan for transitions. We've seen how Platform 3.0 provides a potential game-changing opportunity for companies to leverage advanced intelligence and automation and heighten productivity in their businesses.

This special BriefingsDirect discussion comes to you in conjunction with The Open Group Conference this July, in 2013, in Philadelphia. It’s not too late to register or to follow the proceedings online and also via Twitter. You'll hear more about Platform 3.0 as well as enterprise transformation and how that’s impacting specifically the finance, government, and healthcare sectors. [Registration to the conference remains open. Follow the conference on Twitter at #ogPHL.]

I'd like to thank our panel for joining us today. It has been very interesting. Thank you Dave Lounsbury, Chief Technical Officer at The Open Group.

Lounsbury: Thank you, Dana, thank you for hosting the discussion, and we look forward to seeing many of the listeners in Philadelphia.

Gardner: We've also been here with Chris Harding, Director of Interoperability at The Open Group. Thanks so much, Chris.

Harding: Thank you, Dana, it's been a great discussion.

Gardner: And lastly, thanks to Mark Skilton, Global Director in the Strategic Office at Capgemini. Thank you, sir.

Skilton: Thank you, Dana, and to Dave and Chris. It's been an interesting, very topical discussion. Thank you very much.

Gardner: This is Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator throughout these thought leader interviews. Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: The Open Group.

Transcript of a BriefingsDirect podcast on how The Open Group is working to stay ahead of converging challenges organization face with big data, mobile, cloud and social. Copyright Interarbor Solutions, LLC, 2005-2013. All rights reserved.

You may also be interested in: