Topics of Interest Archives: innovation

Living with Legacy in an Era of Innovation – A Security Story

Legacy is a perception of investment, and of value. Unfortunately, legacy in the digital transformation era is seen as a re-investment in what has been, but not in what will necessarily be useful going forward. For me, this is a false statement. For example, when the Year 2000 issue happened with systems, some firms used that opportunity to build more functionality into their systems, where others just fixed the necessary bugs for the changeover. So, one person’s legacy situation is perhaps another person’s opportunity.

But as the volume of legacy in an enterprise grows, how have we grown in our ability to leverage the investment in this legacy — or, for that matter, is it still worth the effort? Do legacy applications house a hoard of useful information and behavior — or is it a ball and chain, something you should reduce if you want to be innovative and actively working on transformation?

Legacy constraints often seem immense and burdensome — but, do they always need to be? Is object-oriented legacy software spaghetti code — or is it more like ravioli? Do agile methods embrace or reject the use of the legacy?  I am writing a series of blog posts on legacy and innovation, disproving the myth that old equals out of date and useless.

In this blog post, I will look at legacy in regards to security and streamlining of security operations. The shift to cloud and mobile has not always been graceful for organizations and has been disruptive to the way we deploy security controls. Making significant changes in authentication flow, the one security control that gates all vital access and privilege, is an enormously arduous and fragile task. The modern ‘mobile-first’ access pattern has thrown a wrench into what was an otherwise easy manageability for account security.

Not only are modern security controls challenging to adapt and apply to legacy infrastructure and interfaces, but legacy security controls tend to fall flat when it comes to modern infrastructure. How do you deploy your legacy security controls in the world of cloud and mobile when you don’t control the endpoint, network, application or infrastructure?

Authentication is often the only effective security control you have left in a modern, cloud and mobile-enabled IT environment. So you better be damn sure that authentication control is more than a simple password. But many do not.  Why is this?

I have done several authentication projects recently, and one of the main challenges I have seen is a lack of understanding of what must be protected and by whom. Too often, the focus is on cost and procedure, and not on an understanding of the dataflow and the number of endpoints involved in protecting the data. So why do the means to modern authentication seem difficult and expensive, and why do we worry so much about the impact on user experience when we never did in legacy? (wry smile). Let’s look at why 2FA, SSO and biometrics have never caught on with many legacy houses, and why some still stick with passwords 10 years after many predicted their demise.

Two-factor authentication is becoming the norm for password security in what amounts to a reasonable concession from users to IT staff pleading with them to follow basic password security protocols. Since almost no one follows those protocols, two-factor authentication has become the stop-gap. Although passwords are bad, biometrics and other mechanisms were never considered a good replacement because they all suffered their own flaws, and could not counteract the biggest advantage passwords have going for them: they are cheap and convenient. Today we are seeing a growing movement away from explicit, one-point-in-time authentication to a recognition model that mixes implicit factors — such as geolocation, device recognition and behavioral analytics — with explicit challenges such as passwords, biometrics, OTPs [one-time passwords] and dynamic KBA [knowledge-based authentication] based on identity verification services. I just borrowed a colleague’s login to use an online application, and was denied based on geolocation and was asked for a verification code from his email. Given he is (hopefully) asleep in Canada and I am in Belgium, this stopped my progress to use the app.

Given we are throwing mobile into the mix, many firms are starting to use mobile push, assuming we are glued to our mobile devices (at least the folks under 30) and can use them as authenticators. Mobile OTP and mobile device authenticators add some value in a 2FA approach, assuming you have not lost the device and/or are not out of battery. But for security, do remember that a smartphone can still receive and display social media or text message alerts even when the device’s screen is locked and the application that is pushing the notification is closed.
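The recognition model described above (implicit factors such as geolocation and device recognition deciding whether an explicit challenge is needed) and the locked-screen notification caveat, worked through as an added example that is not code from the original post. The names (`LoginContext`, `UserProfile`, `decide`, `StepUpChallenge`), the risk weights, the threshold and the sample inputs are all assumptions chosen for illustration; a real deployment would feed these signals from its IP geolocation, device-cookie and analytics sources.

```python
"""Risk-based (recognition-model) login decision with an explicit step-up challenge.

Added illustrative example; not code from the original post. All names,
weights and sample values below are assumptions.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"


@dataclass(frozen=True)
class LoginContext:
    """Implicit signals observed at login time, plus the explicit password result."""
    user: str
    country: str        # e.g. from IP geolocation (constructed in the tests)
    device_id: str      # e.g. from a device cookie or fingerprint
    password_ok: bool


@dataclass
class UserProfile:
    """What the recognition model remembers about a user."""
    home_country: str
    known_devices: set = field(default_factory=set)


# Assumed weights: a geolocation mismatch alone is enough to force a challenge,
# an unknown device alone is tolerated, both together are well above the bar.
WEIGHT_NEW_COUNTRY = 50
WEIGHT_NEW_DEVICE = 30
STEP_UP_THRESHOLD = 40


def risk_score(ctx: LoginContext, profile: UserProfile) -> int:
    """Sum the implicit-factor anomalies into a single score."""
    score = 0
    if ctx.country != profile.home_country:
        score += WEIGHT_NEW_COUNTRY
    if ctx.device_id not in profile.known_devices:
        score += WEIGHT_NEW_DEVICE
    return score


def decide(ctx: LoginContext, profile: UserProfile) -> str:
    """A wrong password always denies; otherwise the implicit factors decide
    whether the explicit, one-point-in-time check is enough or a step-up is required."""
    if not ctx.password_ok:
        return DENY
    return CHALLENGE if risk_score(ctx, profile) >= STEP_UP_THRESHOLD else ALLOW


class StepUpChallenge:
    """A one-time code delivered out of band (e-mail), valid for a short window.

    The `now` parameter exists so the expiry logic can be tested with a fixed clock.
    """

    def __init__(self, ttl_seconds: int = 300, now=time.time):
        self._now = now
        self._ttl = ttl_seconds
        self._code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
        self._issued = now()
        self._used = False

    def email_code(self) -> str:
        """The secret goes through the out-of-band channel only."""
        return self._code

    def push_payload(self) -> dict:
        """Notification text for the user's phone. The code is deliberately absent:
        lock screens and closed apps still show notification previews."""
        return {"title": "Sign-in attempt", "body": "Open the app to approve or deny."}

    def verify(self, submitted: str) -> bool:
        """Accept the code once, within its lifetime, using a constant-time compare."""
        if self._used or (self._now() - self._issued) > self._ttl:
            return False
        ok = hmac.compare_digest(submitted, self._code)
        if ok:
            self._used = True
        return ok


if __name__ == "__main__":
    # Constructed scenario mirroring the anecdote: account lives in Canada,
    # login arrives from Belgium on a device the model has never seen.
    profile = UserProfile(home_country="CA", known_devices={"laptop-1"})
    attempt = LoginContext("colleague", "BE", "laptop-2", password_ok=True)
    print(decide(attempt, profile))  # challenge
```

The decision function only says *whether* to challenge; which explicit factor to use (e-mailed code, push approval, biometric) is a separate policy choice, and the push payload shows the one property that choice must preserve: nothing a locked screen displays should be sufficient on its own to complete the login.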

Basically, the security measures we use today reflect our risk tolerance and desire for simplicity. This is because we assumed the hardware and systems were defended, and the endpoints were irrelevant because of strong system security. Appropriate security depends on how valuable your data in the transaction is and what other protection is available for the data (encryption, public key infrastructure, etc). Legacy complexity can be a good thing if the data is valuable. But we work the data now at the endpoints, and therefore we need to find a way to block endpoint activities if necessary, using legacy technology.

Posted in Blog

Great Expectations? ITSM and Innovation


One of the challenges with IT in the enterprise is making IT both self-service and self-serving, leading to questions such as:

- What are the benefits that most IT organizations can hope to achieve from their self-service initiatives? Will those benefits match/exceed expectations?

- How can they simplify IT as a Service (ITaaS) and focus on predictability and consistent delivery?

The landscape we have known in the past as IT service management (ITSM) has morphed into next generation service platforms, with a focus on social, analytics, mobile, and cloud (SMAC). For example, the ability to handle requests with your mobile and other peripherals can result in a faster response time and an increase in client satisfaction.

Historically, many IT departments did not embrace the “know-your-customer” (KYC) approach to provide market-competitive services and to show that they understood customer needs and requirements, and could deliver a compelling value proposition. Constant innovation in provisioning IT services is the only way to meet user expectations while supporting (within budgetary constraints) an ever-increasing business demand for connectivity.

Blue Hill is examining where the service desk plays a role in infrastructural innovation. The innovation occurs in streamlining IT operations, getting day-to-day demand under control, and transforming IT into a mature business innovator, rather than “break-fix” mode operator. Cutting-edge organizations realize that a next-gen service desk does not just operate within IT, but also manages requests and incidents from HR, finance, and so on. Focusing on the user experience means that the service desk should make life simple for your users by using a single point of digital interaction, with one tool and a single service description. Yet many organizations still have multiple points of contact on their intranet, and one of those is a separate IT service desk. How do we change this?

Let’s start by revisiting what ITSM was and how it has gone into self-service mode. It’s been over 20 years since the Information Technology Infrastructure Library (ITIL) was introduced, launching the ITSM market. Now what once were ITSM discussions are morphing into discussions on lean and agile processes, including topics like DevOps, agile development, microservices, lean IT, business relationship management, cyber-resilience, and service integration and management (SIAM).

What is IT self-service? ITSM going into self-service mode empowers employees by letting users log and resolve their own issues, request and track services, share knowledge, and solve problems through collaboration which does not have to actively involve the IT department. Part of the lean discussion is finding and leveraging knowledge champions within the enterprise, not just within the IT department.

One trend: Knowledge and automation

A key service-desk implementation trend is promoting the sharing of skills and experience amongst IT staff (and others) through a knowledge management strategy. This is fast becoming a critical factor in service management outcomes. One effective option is knowledge-centered support (KCS), where knowledge creation is closely bound to the support resolution process.

KCS as a process has been formalized by the Consortium for Service Innovation, which manages KCS practices and techniques based on the collective experience of the Consortium members, who include PTC, Oracle, Salesforce, Qlik, SAP, and others. Knowledge articles are created directly from logged calls, and the original problem description is preserved as part of the knowledge article. Gathering knowledge and best practice for resolution creates momentum to encourage knowledge-sharing. The immediate nature of knowledge creation and the automatic way in which the authors of knowledge are recognized encourage the creation of material and the refined knowledge article is still bound to the raw problem description. If you want to learn more about best practices in KCS, this upcoming webinar with case studies with Lowe’s and Spectrum Health might be of interest for you.

Trends in Orchestration: See IT, solve IT

Another trend is orchestration of the service management environment. What kind of tools and solutions have we seen that have created either orchestration or integration into processes in ITSM?

- Atlassian provides tools to automate scrum boards, kanban boards and agile development management tools that integrate into ITSM workflows.

- AUTOMIC orchestrates self-service automation with leading helpdesks (BMC, Remedy, ServiceNow).

- Ivanti enables endpoint security to take remediation actions through the integration of service management, security management and asset management approaches.

ServiceNow has created a business command center for CIOs, focused on helping IT run projects and portfolios from a financial perspective through the new ServiceNow IT Business Management Suite.

Self-service: No longer optional

With more and more automated devices entering the workforce, providing self-serving IT service and support becomes more mission critical for the digital-enabled enterprise. A positive user service experience and increased customer satisfaction fosters a culture of innovation and enhanced processes for today’s enterprise to be more competitive and agile.

Posted in Blog, Governance, Risk Management, and Compliance, IT Infrastructure