Geek Speak

July 2018 Previous month Next month

By Paul Parker, SolarWinds Federal & National Government Chief Technologist


Here is an interesting article from my colleague Joe Kim, in which he discusses how technology drives military asset management.


Military personnel need to be able to easily manage the lifecycle of their connected assets, from creation to maintenance to retirement. They can do this by creating a digital representation of a physical object, like a troop transport, which they can use for a number of purposes, including monitoring the asset’s health status, movements, location, and more.


The concept behind these “digital twins” was first presented in 2002 during a University of Michigan presentation by Dr. Michael Grieves, who posited that there are two systems: one physical, the other a digital representation that contained all of the information about the physical system. His thought was that the digital twin could be used to monitor and support the entire life cycle of its physical sibling and, in the process, keep that sibling functioning and healthy.


Digitizing a vehicle


Consider a military vehicle that has just rolled off the assembly line and is ready to be commissioned.

Getting the most out of this asset requires consistent maintenance. Ideally, that maintenance can be performed proactively to prevent any potential breakdowns. It can be difficult to know or keep track of when the vehicle may need maintenance, and impossible to predict when a breakdown may occur.


Fortunately, the data collected by the various sensors contained within the vehicle can be used to create a digital twin. This representation can provide a very clear picture, in real time, of its status.

Further, by collecting this information over time, the digital twin has the ability to create an evolving yet extraordinarily accurate picture of how the vehicle will perform in the future. As the sensors continue to report information, the digital twin continues to learn, model, and adapt its prediction of future performance.


This information can help teams in a number of ways. The analytics derived from historical performance data can be used to point to potential warning signs and predict failures before they occur, thereby helping avoid unwanted downtime. Data can also be used to diagnose a problem and even, in some cases, solve the issue remotely. At the least, digital twins can be used to help guide soldiers and repair specialists to quickly fix the problem on the ground.


The life cycle management process also becomes much more efficient. Digital twins can help simplify and accelerate management of a particular thing, in this case, a physical entity like a vehicle.


Taking the next step


The digital twin concept is a logical next step to consider for defense agencies that have already begun investing in software-defined services. These services are designed to simplify and accelerate the management of core technology concepts, including computing, storage, and networking. The idea is to improve the management of each of these concepts throughout their life cycles, from planning and design through production, deployment, maintenance, and, finally, retirement.


Digital twins take this concept a step further by applying it to physical objects. It’s an evolution for the military’s ever-growing web of connectivity. Digital twins, and the data analysis they depend on, can open the doors to more efficient and effective asset lifecycle management.


Find the full article on SIGNAL.

A recent conversation on Twitter struck a nerve with me. The person posited that,


"If you're a sysadmin, you're in customer service. You may not realise it, but you are there TO SERVE THE CUSTOMER. Sure that customer might be internal to your organisation/company, but it's still a customer!"


A few replies down the chain, another person posited that,


"Everyone you interact with is a customer."


I would like to respectfully (and pedantically) disagree.


First, let's clear something up: The idea of providing a "service," which could be everything from a solution to an ongoing action to consultative insight, and providing it with appropriate speed, professionalism, and reliability, is what we in IT should always strive to do. That doesn't mean (as other discussions on the Twitter thread pointed out) that the requester is always right; that we should drop everything to serve the requester's needs; that we must kowtow to the requester's demands. It simply means that we were hired to provide a certain set of tasks, to leverage our expertise and insight to help enable the business to achieve its goals.


And when people say, "you are in customer service" that is usually what they mean. But I wish we'd all stop using the word "customer." Here is why:


Saying someone is a customer sets up a collection of expectations in the mind of both the speaker and the listener that don’t reflect the reality of corporate life.


As an external service provider—a company hired to do something—I have customers who pay me directly to provide services. But I can prioritize which customers get my attention and which don’t. I can “fire” abusive customers by refusing to serve them; or I can prohibitively price my services for “needy” customers so that either they find someone else or I am compensated for the aggravation they bring me. I can choose to specialize in certain areas of technology, and then change that specialization down the road when it’s either not lucrative or no longer interesting to me. I can follow the market, or stay in my niche. These are all the things I can do as an external provider who has ACTUAL customers.


Inside a company, I can do almost none of those things. I might be able to prioritize my work somewhat, but at the end of the day I MUST service each and every person who requests my help. I cannot EVER simply choose to not help or provide service to a coworker. I can put them off, but eventually I have to get to their request. Since I’m not charging them anything, I can’t price my services in a way that encourages abusive requestors to go elsewhere. Even in organizations that have a chargeback system for IT services, that charge rate must be equal across the board. I can’t charge more to accounting and less to legal. Or more to Bob and less to Sarah. The services I provide internally are pre-determined by the organization itself. No matter how convinced I am that “the future is cloud,” I’m stuck building, racking, and stacking bare-metal servers in our data center until the company decides to change direction.


Meanwhile, for the person receiving those services, as a customer, there’s quite a range of options. Foremost among these is that I can fire a provider. I can put out an RFP and pick the provider who offers me the best services for my needs. I can haggle on price. I can set an SLA with monetary penalties for non-compliance. I can select a new technical direction, and if my current provider is not experienced, I can bring in a different one.


But as an internal staff requesting service from the IT department, I have almost none of those options. I can’t “fire” my IT department. Sure, I might go around the system and bring in a contractor to build a parallel, “shadow IT” structure. But at the end of the day, I’m going to need to have an official IT person get me into Active Directory, route my data, set up my database, and so on. There’s only so much a shadow IT operation can do before it gets noticed (and shut down). I can’t go down the street and ask the other IT department to give me a second bid for the same services. I can’t charge a penalty when my IT department doesn’t deliver the service they said they would. And if I (the business “decider”) choose to go a new technical route, I must wait for the IT department to catch up or bring in consultants NOT to replace my IT department, but to cover the gap until they get up to speed.


Whether we mean to or not, whether we like it or not, and whether you agree with me or not, I have found that using the word "customer" conjures at least some of those expectations.


But there’s one other giant issue when you use the word “customer,” and that’s the fact that people often confuse “customer” with “consumer.” That’s not an IT issue, that’s a life issue. The thing to keep in mind is that the customer is the person who pays for the service. The consumer is the person who receives (enjoys) the service. And the two are not always the same. I’m not just talking about taking my kids out to ice cream.


A great example is the NFL. According to Wikipedia, the NFL television blackout policies were, until they were largely over-ridden in 2014, the strictest among North American sports leagues. In brief, the blackout rules state that “…a home game cannot be televised in the team's local market if all tickets are not sold out 72 hours prior to its start time.” Prior to 1973, this blackout rule applied to all TV stations within a 75-mile radius of the game.


How is this possible? Are we, the fans, not the customers of football? Even if I’m not going to THIS game, I certainly would want to watch each game so that the ones I DO attend are part of a series of experiences, right?


The answer is that I’m not the customer. I’m the consumer. The customer is “the stadium” (the owners, the vendors, the advertisers). They are the ones putting up the money for the event, and they want to make their money back by ensuring sold-out crowds. The people who watch the game—whether in the stands or over the airwaves—are merely consumers.


In IT terms, the end-user is NOT the customer. They are the consumer. Management is the customer—the one footing the bill. If management says the entire company is moving to virtual desktops, it doesn’t matter whether the consumer wants, needs, or likes that decision.


So again, calling the folks who receive IT services a “customer” sets up a completely false set of expectations in the minds of everyone involved about how this relationship is going to play out.


However, there is another word that exists, within easy reach, that is far more accurate in describing the relationship, and also has the ability to create the behaviors we want when we (ill-advisedly) try to shoehorn “customer” into that spot. And that word is: “colleague.”


A colleague is someone I collaborate with. Maybe not on a day-to-day basis or in terms of my actual activities, but we work together to achieve the same goal (in the largest sense, whatever the goals of the business are). A colleague is someone I can’t “fire” or replace or solicit a bid from another provider about.


“Colleague” also creates the (very real) understanding that this relationship is long-term. Jane in the mailroom may become Jane in accounting, and later Jane the CFO. Through it all she remains my colleague. The relationship I build with her endures and my behavior toward her matters.


So, I’m going to remain stubbornly against using the word “customer” to refer to my colleagues. It de-values them and it de-values the relationship I want to have with them, and the one I hope they have with me.

Game tile spelling out "DATA"

Building a culture that favors protecting data can be challenging. In fact, most of us who love our data spend a huge amount of time standing up for our data when it seems everyone else wants to take the easiest route to getting stuff done. I can hear the pleas from here:


  • We don't have time to deal with SQL injection now. We will get to that later.
  • If we add encryption to this data, our queries will run longer. It will make the database larger, which will also affect performance. We can do that later if we get the performance issues fixed.
  • I don't want to keep typing our these long, complex passwords. They are painful.
  • Multi-factor authentication means I have to keep my phone near me. Plus, it's a pain.
  • Security is the job of the security team. They are a painful bunch of people.


…and so on. What my team members don't seem to understand is that these pain points are supposed to be painful. The locks on my house doors are painful. The keys to my car are painful. The PIN on my credit card is painful. All of these are set up, intentionally, as obstacles to access -- not my access, but unauthorized access. What is it about team members who lock their doors, shred sensitive documents, and keep their collector action figures under glass that don't want to protect the data we steward on behalf of customers? In my experience, these people don't want to protect data because they are measured, compensated, and punished in ways that take away almost all the incentives to do so. Developers and programmers are measured on the speed of delivery. DBAs are measured on uptime and performance. SysAdmins are measured on provisioning resources. And rarely have these roles been measured and rewarded for security and privacy compliance.


To Reward, We Must Measure


How do we fix this? We start rewarding people for data protection activities. To reward people, we need to measure their deliverables.


  • An enterprise-wide security policy and framework that includes specific measures at the data category level
  • Encryption design, starting with the data models
  • Data categorization and modeling
  • Test design that includes security and privacy testing
  • Proactive recognition of security requirements and techniques
  • Data profiling testing that discovers unprotected or under-protected data
  • Data security monitoring and alerting
  • Issue management and reporting


As for the rewards, they need to focus on the early introduction of data protection features and service. This includes reviewing designs and user stories for security requirements.


Then we get to the hard part: I'm of a thought that specific rewards for doing what was expected of me are over the top. But I recognize that this isn't always the best way to motivate positive actions. Besides, as I will get into later in this series, the organizational punishments for not protecting data may be so large that a company will not be able to afford the lack of data protection culture we currently have. Plus, we don't want to have to use a prison time measurement to encourage data protection.


In this series, I'll be discussing data protection actions, why they are important, and how we can be better at data. Until then, I'll love to hear about what, if any, data protection reward (or punishment) systems your organization has in place today.

I hope everyone had a wonderful holiday six-day weekend. The second half of the year has begun. There is still time to accomplish the goals you set at the start of the year.


As always, here are some links from the Intertubz that I hope will hold your interest. Enjoy!


London police chief ‘completely comfortable’ using facial recognition with 98 percent error rate

It would seem that a reasonable person would understand that this technology isn’t ready, and that having a high number of mistakes leads to a lot of extra work by the police.


Why Won’t Millennials Join Country Clubs?

Because they are too busy paying down ridiculous student debt and mortgages?


Spiders Can Fly Hundreds of Miles Using Electricity

And they can crawl inside your ear when you sleep. Anyway, sweet dreams kids!


Manual Work is a Bug

A bit long but worth the time. Always be automating.


MoviePass is running out of money and needs to raise $1.2 billion

For $10 a month you can watch $300 worth of movies, which explains why MoviePass is bleeding cash right now. But hey, don’t let a good business model get in the way of that VC money.


If You Say Something Is “Likely,” How Likely Do People Think It Is?

I am certain that probably 60% of Actuator readers are likely to enjoy this article half the time.


US nickels cost seven cents to make. Scientists may have a solution

Sadly, the answer isn’t “get rid of nickels.” I’m fascinated about the downstream implications on this, and why our government should care that vending machines were built upon the assumption that coins would never change. Get rid of all coins, introduce machines that use cards and phones, and move into the 21st century, please.


How I spent my holiday weekend: building a fire pit, retaining wall, and spreading 3 cubic yards of pea stone. Who wants some scotch and s'mores?

By Paul Parker, SolarWinds Federal & National Government Chief Technologist


For the public sector to maintain a suitable level of cybersecurity, the U.K. government has implemented some initiatives to guide organizations on how to do so effectively. In June 2017, the National Cyber Security Centre (NCSC) rolled out four measures as part of the Active Cyber Defence (ACD) program to assist government departments and arms-length public bodies in increasing their fundamental cybersecurity.


These four measures intend to make it more difficult for criminals to carry out attacks. They include blocking malicious web addresses from being accessed from government systems, blocking fake emails pretending to be the government, and helping public bodies fix security vulnerabilities on their website. The fourth measure relates to spotting and taking down phishing scams from the internet when the NCSC spots a site pretending to be a public-sector department or business.


Government IT professionals must incorporate strategies and solutions that make it easier for them to meet their compliance expectations. We suggest an approach on three fronts.


Step 1: Ensure network configurations are automated


One of the things departments should do to comply with the government’s security expectations is to monitor and manage their network configuration statuses. Automating network configuration management processes can make it much easier to help ensure compliance with key cybersecurity initiatives. Device configurations should be backed up and restored automatically, and alerts should be set up to advise administrators whenever an unauthorized change occurs.


Step 2: Make reporting a priority


Maintaining strong security involves prioritizing tracking and reporting. These reports should include details on configuration changes, policy compliance, security, and more. They should be easily readable, shareable, and exportable, and include all relevant details to show that they remain up-to-date with government standards.


Step 3: Automate patches and stamp out suspicious activity


IT administrators should also incorporate log and event management tools to strengthen their security postures. Like a watchdog, these solutions are designed to be on alert for suspicious activity, and can alert administrators or take actions when a potentially malicious threat is detected. This complements existing government safeguards like protected Domain Name System (DNS) and DMARC anti-spoofing.


Implementing automated patch management is another effective way to help make sure that network technologies remain available, secure, and up-to-date. Government departments must stay on top of their patch management to combat threats and help maintain strong security. The best way to do this is to manage patches from a centralized dashboard.


Keeping up with the guidelines proposed in initiatives such as the ACD program can be a tricky and complicated process, but it doesn’t have to be that way. By integrating these simple but effective steps, government IT professionals are better positioned to efficiently follow the guidelines and up their security game, protecting not just themselves, but the government’s reputation.


Find the full article on Central Government.

Happy 4th of July! Holiday or not, the Actuator always delivers. I do hope you are taking the time to spend with family and friends today. You can come back and read this post later, I won’t mind.


As always, here are some links from the Intertubz that I hope will hold your interest. Enjoy!


Debugging Serverless Apps: from monitoring invocations to observing a system of functions

As our systems become more complex, it becomes more important than ever to start labeling everything we can. Metadata will become your most important data asset.


4 Types of Idle Cloud Resources That Are Wasting Your Money

Speaking of containers, they are likely a vampire resource in your cloud environment along with a handful of other allocated resources which are lightly used.


Dealing with the insider threat on your network

Buried in this article is this gem: “…security is not so much about monitoring the perimeter anymore; companies need to be looking on the inside - how communications are happening on the network, how systems are talking to each other and most importantly what are the users doing on the network.” This is why anomaly detection, built on top of machine learning algorithms, are the next generation of tools to defend against threats.


LA Fitness, ‘Hotel California’ and the fallacy of digital transformation

The author uses LA Fitness as one example, but I know of dozens more. This scenario is very common, where a company chooses to modernize only parts of their business. Usually, the part chosen is one that generates revenue, and not with customer service.


Apple is rebuilding Maps from the ground up

Two interesting parts to this story. The first is the admission that Apple knew their Maps feature was going to be poor right from the start, but they knew they needed to launch something. Second, the way they are making an effort to collect data and respect user privacy at the same time.


Here's how Amazon is able to poach so many execs from Microsoft

The answer combines a dollar sign in front and lots of numbers after.


About 300K expected to visit Las Vegas for July 4th

With July 4th on a Wednesday, more and more people are thinking "WOOHOO, SIX DAY WEEKEND!"


Happy Independence Day! Here's a picture of me riding an eagle:


Filter Blog

By date: By tag:

SolarWinds uses cookies on its websites to make your online experience easier and better. By using our website, you consent to our use of cookies. For more information on cookies, see our cookie policy.