Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Satya Nadella at the security poker table

This morning Microsoft's CEO Satya Nadella gave a global speech about enterprise security. He announced a new Cyber Defense Operations Center, a should-not-be-new Microsoft Enterprise Cybersecurity Group and a not-at-all-new-sounding Enterprise Mobility Suite (EMS). The webcast can be replayed here but don't expect to be blown away. It's all just tablestakes for a global cloud provider.

Security is being standardised all over the place now. Ordinary people are getting savier about security best practice; they know for example that biometrics templates need to be handled carefully in client devices, and that secure storage is critical for assets like identities and Bitcoin. "Secure Element" is almost a lay-person's term now (Apple tried to give the iPhone security chip the fancy name "Enclave" but seem to now regard it as so standard it doesn't need branding).

All this awareness is great, but it's fast becoming hygeine. Like airplane safety. It's a bit strange for corporations to seek to compete on security, or to have the CEO announce what are really textbook security services. At the end of the speech, I couldn't tell if anything sets Microsoft apart from its arch competitors Google or Amazon.

Most of today's CISOs operate at a higher, more strategic level than malware screening, anti-virus and encryption. Nadella's subject matter was really deep in the plumbing. Not that there's anything wrong with that. But it just didn't seem to me like the subject matter for a CEO's global webcast.

The Microsoft "operational security posture" is very orthodox, resting on "Platform, Intelligence and Partners". I didn't see anything new here, just a big strong cloud provider doing exactly what they should: leveraging the hell out of a massive operation, with massive resources, and massive influence.

Posted in Security, Cloud

My opening remarks on privacy at Constellation Connected Enterprise 2015

A big part of my research agenda in the Digital Safety theme at Constellation is privacy. And what a vexed topic it is! It's hard to even know how to talk about privacy. For many years, folks have covered privacy in more or less academic terms, drawing on sociology, politics and pop psychology, joining privacy to human rights, and crafting new various legal models.

Meanwhile the data breaches get worse, and most businesses have just bumped along.

When you think about it, it’s obvious really: there’s no such thing as perfect privacy. The real question is not about ‘fundamental human rights’ versus business, but rather, how can we optimise a swarm of competing interests around the value of information?

Privacy is emerging as one of the most critical and strategic of our information assets. If we treat privacy as an asset, instead of a burden, businesses can start to cut through this tough topic.

But here’s an urgent issue. A recent regulatory development means privacy may just stop a lot of business getting done. It's the European Court of Justice decision to shut down the US-EU Safe Harbor arrangement.

The privacy Safe Harbor was a work-around negotiated by the Federal Trade Commission, allowing companies to send personal data from Europe into the US.

But the Safe Harbor is no more. It's been ruled unlawful. So it’s a big, big problem for European operations, many multinationals, and especially US cloud service providers.

At Constellation we've researched cloud geography and previously identified competitive opportunities for service providers to differentiate and compete on privacy. But now this is an urgent issue.

It's time American businesses stopped getting caught out by global privacy rulings. There shouldn't be too many surprises here, if you understand what data protection means internationally. Even the infamous "Right To Be Forgotten" ruling on Google’s search engine – which strikes so many technologists as counter intuitive – was a rational and even predictable outcome of decades old data privacy law.

The leading edge of privacy is all about Big Data. And we aint seen nothin yet!

Look at artificial intelligence, Watson Health, intelligent personal assistants, hackable cars, and the Internet of Everything where everything is instrumented, and you see information assets multiplying exponentially. Privacy is actually just one part of this. It’s another dimension of information, one that can add value, but not in a neat linear way. The interplay of privacy, utility, usability, efficiency, efficacy, security, scalability and so on is incredibly complex.

The broader issue is Digital Safety: safety for your customers, and safety for your business.

Posted in Privacy, Innovation, Cloud, Big Data

An identity glut on the Internet of Things

The identerati sometimes refer to the challenge of “binding carbon to silicon”. That’s a poetic way of describing how the field of Identity and Access Management (IDAM) is concerned with associating carbon-based life forms (as geeks fondly refer to people) with computers (or silicon chips).

To securely bind users’ identities or attributes to their computerised activities is indeed a technical challenge. In most conventional IDAM systems, there is only circumstantial evidence of who did what and when, in the form of access logs and audit trails, most of which can be tampered with or counterfeited by a sufficiently determined fraudster. To create a lasting, tamper-resistant impression of what people do online requires some sophisticated technology (in particular, digital signatures created using hardware-based cryptography).

On the other hand, working out looser associations between people and computers is the stock-in-trade of social networking operators and Big Data analysts. So many signals are emitted as a side effect of routine information processing today that even the shyest of users may be uncovered by third parties with sufficient analytics know-how and access to data.

So privacy is in peril. For the past two years, big data breaches have only got bigger: witness the losses at Target (110 million), EBay (145 million), Home Depot (109 million records) and JPMorgan Chase (83 million) to name a few. Breaches have got deeper, too. Most notably, in June 2015 the U.S. federal government’s Office of Personnel Management (OPM) revealed it had been hacked, with the loss of detailed background profiles on 15 million past and present employees.

I see a terrible systemic weakness in the standard practice of information security. Look at the OPM breach: what was going on that led to application forms for employees dating back 15 years remaining in a database accessible from the Internet? What was the real need for this availability? Instead of relying on firewalls and access policies to protect valuable data from attack, enterprises need to review which data needs to be online at all.

We urgently need to reduce the exposed attack surface of our information assets. But in the information age, the default has become to make data as available as possible. This liberality is driven both by the convenience of having all possible data on hand, just in case in it might be handy one day, and by the plummeting cost of mass storage. But it's also the result of a technocratic culture that knows "knowledge is power," and gorges on data.

In communications theory, Metcalfe’s Law states that the value of a network is proportional to the square of the number of devices that are connected. This is an objective mathematical reality, but technocrats have transformed it into a moral imperative. Many think it axiomatic that good things come automatically from inter-connection and information sharing; that is, the more connection the better. Openness is an unexamined rallying call for both technology and society. “Publicness” advocate Jeff Jarvis wrote (admittedly provocatively) that: “The more public society is, the safer it is”. And so a sort of forced promiscuity is shaping up as the norm on the Internet of Things. We can call it "superconnectivity", with a nod to the special state of matter where electrical resistance drops to zero.

In thinking about privacy on the IoT, a key question is this: how much of the data emitted from Internet-enabled devices will actually be personal data? If great care is not taken in the design of these systems, the unfortunate answer will be most of it.

Steve Wilson CISID15 Rationing Identity in IoT (0 4) HANDOUTS  Data flows in Internet of Cars
Steve Wilson CISID15 Rationing Identity in IoT (0 4 1) HANDOUTS  Imposing order IoT PII flows

My latest investigation into IoT privacy uses the example of the Internet connected motor car. "Rationing Identity on the Internet of Things" will be released soon by Constellation Research.

And don't forget Constellation's annual innovation summit, Connected Enterprise at Half Moon Bay outside San Francisco, November 4th-6th. Early bird registration closes soon.

Posted in Security, Privacy, Cloud, Big Data

BlackBerry Security Summit 2015

On July 23, BlackBerry hosted its second annual Security Summit, once again in New York City. As with last year’s event, this was a relatively intimate gathering of analysts and IT journalists, brought together for the lowdown on BlackBerry’s security and privacy vision.

By his own account, CEO John Chen has met plenty of scepticism over his diverse and, some say, chaotic product and services portfolio. And yet it’s beginning to make sense. There is a strong credible thread running through Chen’s initiatives. It all has to do with the Internet of Things.

Disclosure: I traveled to the Blackberry Security Summit as a guest of Blackberry, which covered my transport and accommodation.

The Growth Continues

In 2014, John Chen opened the show with the announcement he was buying the German voice encryption firm Secusmart. That acquisition appears to have gone well for all concerned; they say nobody has left the new organisation in the 12 months since. News of BlackBerry’s latest purchase - of crisis communications platform AtHoc - broke a few days before this year’s Summit, and it was only the most recent addition to the family. In the past 12 months, BlackBerry has been busy spending $150M on inorganic growth, picking up:

  • Secusmart - voice & message encryption (announced at the inaugural Security Summit 2014)
  • Movirtu - innovative virtual SIM solutions for holding multiple cell phone numbers on one chip
  • Watchdox - document security and rights management, for “data centric privacy”, and
  • Athoc (announced but not yet complete; see more details below).

    Chen has also overseen an additional $100M expenditure in the same timeframe on organic security expansion (over and above baseline product development). Amongst other things BlackBerry has:

  • "rekindled" Certicom, a specialist cryptography outfit acquired back in 2009 for its unique IP in elliptic curve encryption, and spun out a a new managed PKI service.
  • And it has created its own Enterprise Identity-as-a-Service (IDaas) solution. From what I saw at the Summit, BlackBerry is playing catch-up in cloud based IDAM but they do have an edge in mobility over the specialist identity vendors in what is now a crowded identity services marketplace.

    The Growth Explained - Secure Mobile Communications

    Executives from different business units and different technology horizontals all organised their presentations around what is now a comprehensive security product and services matrix. It looks like this (before adding AtHoc):

    BBY Security Platform In Action

    BlackBerry is striving to lead in Secure Mobile Communications. In that context the highlights of the Security Summit for mine were as follows.

    The Internet of Things

    BlackBerry’s special play is in the Internet of Things. It’s the consistent theme that runs through all their security investments, because as COO Marty Beard says, IoT involves a lot more than machine-to-machine communications. It’s more about how to extract meaningful data from unbelievable numbers of devices, with security and privacy. That is, IoT for BlackBerry is really a security-as-a-service play.

    Chief Security Officer David Kleidermacher repeatedly stressed the looming challenge of “how to patch and upgrade devices at scale”.

      • MyPOV: Functional upgrades for smart devices will of course be part and parcel of IoT, but at the same time, we need to work much harder to significantly reduce the need for reactive security patches. I foresee an angry consumer revolt if things that never were computers start to behave and fail like computers. A radically higher standard of quality and reliability is required. Just look at the Jeep Uconnect debacle, where it appears Chrysler eventually thought better of foisting a patch on car owners and instead opted for a much more expensive vehicle recall. It was BlackBerry’s commitment to ultra high reliability software that really caught my attention at the 2014 Security Summit, and it convinces me they grasp what’s going to be required to make ubiquitous computing properly seamless.

    Refreshingly, COO Beard preferred to talk about economic value of the IoT, rather than the bazillions of devices we are all getting a little jaded about. He said the IoT would bring about $4 trillion of required technology within a decade, and that the global economic impact could be $11 trillion.

    BlackBerry’s real time operating system QNX is in 50 million cars today.


    AtHoc is a secure crisis communications service, with its roots in the first responder environment. It’s used by three million U.S. government workers today, and the company is now pushing into healthcare.

    Founder and CEO Guy Miasnik explained that emergency communications involves more than just outbound alerts to people dealing with disasters. Critical to crisis management is the secure inbound collection of info from remote users. AtHoc is also not just about data transmission (as important as that is) but it works also at the application layer, enabling sophisticated workflow management. This allows procedures for example to be defined for certain events, guiding sets of users and devices through expected responses, escalating issues if things don’t get done as expected.


    We heard more about BlackBerry’s collaboration with Oxford University on the Centre for High Assurance Computing Excellence, first announced in April at the RSA Conference. CHACE is concerned with a range of fundamental topics, including formal methods for verifying program correctness (an objective that resonates with BlackBerry’s secure operating system division QNX) and new security certification methodologies, with technical approaches based on the Common Criteria of ISO 15408 but with more agile administration to reduce that standard’s overhead and infamous rigidity.

    CSO Kleidermacher announced that CHACE will work with the Diabetes Technology Society on a new healthcare security standards initiative. The need for improved medical device security was brought home vividly by an enthralling live demonstration of hacking a hospital drug infusion pump. These vulnerabilities have been exposed before at hacker conferences but BlackBerry’s demo was especially clear and informative, and crafted for a non-technical executive audience.

      • MyPOV: The message needs to be broadcast loud and clear: there are life-critical machines in widespread use, built on commercial computing platforms, without any careful thought for security. It’s a shameful and intolerable situation.


    I was impressed by BlackBerry’s privacy line. It's broader and more sophisticated than most security companies, going way beyond the obvious matters of encryption and VPNs. In particular, the firm champions identity plurality. For instance, WorkLife by BlackBerry, powered by Movirtu technology, realizes multiple identities on a single phone. BlackBerry is promoting this capability in the health sector especially, where there is rarely a clean separation of work and life for professionals. Chen said he wants to “separate work and private life”.

    The health sector in general is one of the company’s two biggest business development priorities (the other being automotive). In addition to sophisticated telephony like virtual SIMs, they plan to extend extend AtHoc into healthcare messaging, and have tasked the CHACE think-tank with medical device security. These actions complement BlackBerry’s fine words about privacy.


    So BlackBerry’s acquisition plan has gelled. It now has perhaps the best secure real time OS for smart devices, a hardened device-independent Mobile Device Management backbone, new data-centric privacy and rights management technology, remote certificate management, and multi-layered emergency communications services that can be diffused into mission-critical rules-based e-health settings and, eventually, automated M2M messaging. It’s a powerful portfolio that makes strong sense in the Internet of Things.

    BlackBerry says IoT is 'much more than device-to-device'. It’s more important to be able to manage secure data being ejected from ubiquitous devices in enormous volumes, and to service those things – and their users – seamlessly. For BlackBerry, the Internet of Things is really all about the service.

    Posted in Software engineering, Security, Privacy, PKI, e-health, Constellation Research, Cloud, Big Data

  • Apply for a SuperNova Award - Recognising leaders in digital business

    Every year the Constellation SuperNova Awards recognise eight individuals for their leadership in digital business. Nominate yourself or someone you know by August 7, 2015.

    The SuperNova Awards honour leaders that demonstrate excellence in the application and adoption of new and emerging technologies. In its fifth year, the SuperNova Awards program will recognise eight individuals who demonstrate true leadership in digital business through their application of new and emerging technologies. Constellation Research is searching for leaders and corporate teams who have innovatively applied disruptive technolgies to their businesses, to adapt to the rapidly-changing digital business environment. Special emphasis will be given to projects that seek to redefine how the enterprise uses technology on a large scale.

    We’re searching for the boldest, most transformative technology projects out there. Apply for a SuperNova Award by filling out the application here: http://www.constellationr.com/node/3137/apply

    SuperNova Award Categories

    • Consumerization of IT & The New C-Suite - The Enterprise embraces consumer tech, and perfects it.
    • Data to Decisions - Using data to make informed business decisions.
    • Digital Marketing Transformation - Put away that megaphone. Marketing in the digital age requires a new approach.
    • Future of Work - The processes and technologies addressing the rapidly shifting work paradigm.
    • Matrix Commerce - Commerce responds to changing realities from the supply chain to the storefront.
    • Next Generation Customer Experience - Customers in the digital age demand seamless service throughout all lifecycle stages and across all channels.
    • Safety and Privacy - Not 'security'. Safety and Privacy is the art and science of the art and science of protecting information assets, including your most important assets: your people.
    • Technology Optimization & Innovation - Innovative methods to balance innovation and budget requirements.

    Five reasons to apply for a SuperNova Award

    • Exposure to the SuperNova Award judges, comprised of the top influencers in enterprise technology
    • Case study highlighting the achievements of the winners written by Constellation analysts
    • Complimentary admission to the SuperNova Award Gala Dinner and Constellation's Connected Enterprise for all finalists November 4-6, 2015 (NB: lodging and travel not included)
    • One year unlimited access to Constellation's research library
    • Winners featured on Constellation's blog and weekly newsletter.

    Learn more about the SuperNova Awards.

    What to expect when applying for a SuperNova Award. Tips and sample application.

    Posted in Constellation Research, Cloud, Big Data

    Digital Disruption - Melbourne

    Ray Wang tells us now that writing a book and launching a company are incredibly fulfilling things to do - but ideally, not at the same time. He thought it would take a year to write "Disrupting Digital Business", but since it overlapped with building Constellation Research, it took three! But at the same time, his book is all the richer for that experience.

    Ray is on a world-wide book tour (tweeting under the hash tag #cxotour). I was thrilled to participate in the Melbourne leg last week. We convened a dinner at Melbourne restaurant The Deck and were joined by a good cross section of Australian private and public sector businesses. There were current and recent executives from Energy Australia, Rio Tinto, the Victorian Government and Australia Post among others, plus the founders of several exciting local start-ups. And we were lucky to have special guests Brian Katz and Ben Robbins - two renowned mobility gurus.

    The format for all the launch events has one or two topical short speeches from Constellation analysts and Associates, and a fireside chat by Ray. In Melbourne, we were joined by two of Australia's deep digital economy experts, Gavin Heaton and Joanne Jacobs. Gavin got us going on the night, surveying the importance of innovation, and the double edged opportunities and threats of digital disruption.

    Then Ray spoke off-the-cuff about his book, summarising years of technology research and analysis, and the a great many cases of business disruption, old and new. Ray has an encyclopedic grasp of tech-driven successes and failures going back decades, yet his presentations are always up-to-the-minute and full of practical can-do calls to action. He's hugely engaging, and having him on a small stage for a change lets him have a real conversation with the audience.

    Speaking with no notes and PowerPoint-free, Ray ranged across all sorts of disruptions in all sorts of sectors, including:

    • Sony's double cassette Walkman (which Ray argues playfully was their "last innovation")
    • Coca Cola going digital, and the speculative "ten cent sip"
    • the real lesson of the iPhone: geeks spend time arguing about whether Apple's technology is original or appropriated, when the point is their phone disrupted 20 or more other business models
    • the contrasting Boeing 787 Dreamliner and Airbus A380 mega jumbo - radically different ways to maximise the one thing that matters to airlines: dollars per passenger-miles, and
    • Uber, which observers don't always fully comprehend as a rich mix of mobility, cloud and Big Data.

    And I closed the scheduled part of the evening with a provocation on privacy. I asked the group to think about what it means to call any online business practice "creepy". Have community norms and standards really changed in the move online? What's worse: government surveillance for political ends, or private sector surveillance for profit? If we pay for free online services with our personal information, do regular consumers understand the bargain? And if cynics have been asking "Is Privacy Dead?" for over 100 years, doesn't it mean the question is purely rhetorical? Who amongst us truly wants privacy to be over?!

    The discussion quickly attained a life of its own - muscular, but civilized. And it provided ample proof that whatever you think about privacy, it is complicated and surprising, and definitely disruptive! (For people who want to dig further into the paradoxes of modern digital privacy, Ray and I recently recorded a nice long chat about it).

    Here are some of the Digital Disruption tour dates coming up:


    Posted in Social Media, Privacy, Internet, Constellation Research, Cloud, Big Data

    The state of the state: Privacy enters Adolescence

    Constellation Research recently launched the "State of Enterprise Technology" series of research reports. The series assesses the current state of the enterprise technologies Constellation consider crucial to digital transformation, and provide snapshots of the future usage and evolution of these technologies. Constellation will continue to publish reports in our State of Enterprise Technology series throughout Q1.

    My first contribution to this series, "Privacy Enters Adolescence", focuses on Safety and Privacy. I've looked at information data privacy in 2015, and identified seven trends of which you should be aware in order to potect your customer's information.

    Here's an excerpt from the report:

    Digital Safety and Privacy

    Constellation's business theme of Digital Safety and Privacy is all about the art and science of maximizing the information assets of a business, including its most important assets – its people. Our research in this theme enables clients to capitalize on cloud, mobility, Big Data and the Internet of Things, without compromising the digital safety of the business, and the privacy and trust of your end users.

    Seven Digital Safety and Privacy Trends for 2015

    • Consumers have not given up privacy - they've been tricked out of it. The impression is easily formed that people just don’t care about privacy anymore. Yet there is no proof that privacy is dead. In fact, a robust study of young adults has shown no major difference between them and older people on the importance of privacy.
    • Private sector surveillance is overshadowed by government intrusion, but is arguably just as bad. There is nothing inevitable about private sector surveillance. Consumers are waking up to the fact that digital business models are generating unprecedented fortunes on the back of the personal data they are giving away in loyalty programs, social networks, search, cloud email, and fitness trackers. Most people remain blissfully ignorant of what's being done with all that data, but we see budding signs of resentment from consumers whose every interaction is exploited without their consent.
    • The U.S. is the Canary Islands of privacy. The United States remains the only major economy without broad-based information privacy laws.
    • Privacy is more about politics than technology. Privacy can be seen as a power play between individual rights and the interests of governments and businesses.
    • The land grab for "public" data accelerates. Data is an immensely valuable raw material. More than data mining, Big Data is really about data refining. And unlike the stuff of traditional extraction industries, data seems inexhaustible, and the cost of extraction is near zero. Something akin to land rights for privacy may be the future.
    • Data literacy will be key to digital safety. Computer literacy is one thing, but data literacy is different and less well defined so far. When we go online, we don’t have the familiar social cues, so now we need to develop new ones. And we need to build up a common understanding of how data flows in the digital economy. Data literacy is more than being able to work an operating system, a device and umpteen apps: it means having meaningful mental models of what goes on in computers.
    • Privacy will get worse before it gets better. Privacy is messy, even in jurisdictions where data protection rules are well entrenched. Consider the controversial new Right to Be Forgotten ruling of the European Court of Justice, which resulted in plenty of unintended consequences, and collisions with other jurisprudence, namely the United States' protection of free speech.

    My report "Privacy Enters Adolescence" can be downloaded here. It expands on the points above, and sets out recommendations for improving awareness of how personal data flows in the digital economy, negotiating better deals in the data-for-value bargain, and the conduct of Privacy Impact Assessments.

    Posted in Social Media, Privacy, Cloud, Big Data

    The Constellation Research Disruption Checklist for 2015

    The Constellation Research analyst team has assembled a "year end checklist", offering suggestions designed to enable you to take better control of your digital strategy in 2015. We offer these actions to help you dominate "digital disruption" in the new year.

    1. Matrix Commerce: Scrub your data

    Guy Courtin

    When it comes to Matrix Commerce, companies need to focus on the basics first. What are the basics? Cleaning up and getting your data in order. Much is discussed about the evolution of supply chains and the surrounding technologies. However these solutions are only as useful as the data that feeds them. Many CxOs that we have spoken to have discussed the need to focus on cleaning up their data. First work on a data audit to identify the most important sources of data for your efforts in Matrix Commerce. Second, focus on the systems that can process and make sense of this data. Finally, determine the systems and business processes that will be optimized with these improvements. Matrix Commerce starts with the right data. The systems and business processes that layer on top of this data are only as useful as the data. CxOs must continue to organize and clean their data house.

    2. Safety and Privacy - Create your Enterprise Information Asset Inventory

    Steve Wilson

    In 2015, get on top of your information assets. When information is the lifeblood of your business, make sure you understand what really makes it valuable. Create (or refresh) your Enterprise Information Asset Inventory, and then think beyond the standard security dimensions of Confidentiality, Integrity and Availability. What sets your information apart from your competitors? Is it more complete, more up-to-date, more original or harder to acquire? To maximise the value of information, innovative organisations are gauging it in terms of utility, currency, jurisdictional certainty, privacy compliance and whatever other facets matter the most in their business environment. These innovative organizations structure their information technology and security functions to not merely protect the enterprise against threats, but to deliver the right data when and where it's needed most. Shifting from defensive security to strategic informatics is the key to success in the digital economy. Learn more about creating an information asset inventory.

    3. Data to Decisions - Create your Big Data Plan of Action

    Andy Mulholland

    Big Data is arriving at the end of the hype cycle. In 2015, real-time decision support using ‘smart data’ extracted from Big Data will manifest as a requirement for competitiveness. Digital Business, or even just online sellers, are all reducing reaction and response times. Enterprises have huge business and technology investments in data that need to support their daily activities better, so its time to pivot from using Big Data for analysis and start examining how to deliver Smart Data to users and automated online systems. What is Smart Data? Well, let's say creating your organization's definition of Smart Data is priority number one in your Big Data strategy. Transformation in Digital markets requires a transformation in the competitive use of Big Data. Request a meeting with Constellation's CTO in residence, Andy Mulholland.

    4. Next Gen CXP - Make Customer Experience Instinctual

    Natalie Petouhoff

    Stop thinking of Customer Experience as a functional or departmental initiative and start thinking about experience from the customer’s point of view.

    Customers don’t distinguish between departments when they require service from your organization. Customer Experience is a responsibility shared amongst all employees. However, the division of companies into functional departments with separate goals means that customer experience is often fractured. Rid your company of this ethos in 2015 by using design thinking to create a culture of cohesive customer experience.

    Ensure all employees live your company mythology, employ the right customer and internal-facing technologies, collect the right data, and make changes to your strategy and products as soon as possible. Read "Five Approaches to Drive Customer Loyalty in a Digital World".

    5. Future of Work - Take Advantage of Collaboration

    Alan Lepofsky

    Over the last few years, there has been a growing movement in the way people communicate and collaborate with their colleagues and customers, shifting from closed systems like email and chat, to more transparent tools like social networks and communities. That trend will continue in 2015 as people become more comfortable with sharing and as collaboration tools become more integrated with the business software they use to get their jobs done. Employees should familiarize themselves with the tools available to them, and learn how to pick the right tool for each of the various scenarios that make up their work day. Read "Enterprise Collaboration: From Simple Sharing to Getting Work Done".

    6. Future of Work - Prepare for Demographic Shifts

    Holger Mueller

    In the next ten years 10% to 20% of the North American and European workforce will retire. Leaders need to understand and prepare for this tremendous shift so performance remains steady as many of the workforce's highly skilled workers retire.

    To ensure smooth a smooth transition, ensure your HCM software systems can accommodate a massive number of retirements, successions and career path developments, and new hires from external recruiting.

    Constellation fully expects employment to be a sellers market going forward. People leaders should ensure their HCM systems facilitate employee motivation, engagement and retention, lest they lose their best employees to competitors. Read "Globalization, HR, and Business Model Success". Additional cloud HR case studies here and here.

    7. Digital Marketing Transformation - Brand Priorities Must Convey Authenticity

    Ray Wang

    Brand authenticity must dominate digital and analog channels in 2015. Digital personas must not only reflect the brand, but also expand upon the analog experience. Customers love the analog experience, so deliver the same experience digitally. Brand conscious leaders must invest in the digital experience with an eye towards mass personalization at scale. While advertising plays a key role in distributing the brand message, investment in the design of digital experiences presents itself as a key area of investment for 2015. Download free executive brief: Can Brands Keep Their Promise?

    8. Consumerization of IT: Use Mobile as the Gateway to Digital Transformation Projects

    Ray Wang

    Constellation believes that mobile is more than just the device. While smartphones and other devices are key enablers of 'mobile', design in digital transformation should take into account how these technologies address the business value and business model transformation required to deliver on breakthrough innovation. If you have not yet started your digital transformation or are considering using mobile as an additional digital transformation point, Constellation recommends that clients assess how a new generation of enterprise mobile apps can change the business by identifying a cross-functional business problem that cannot be solved with linear thinking, articulating the business problem and benefit, showing how the solution orchestrates new experiences, identifying how analytics and insights can fuel the business model shift, exploiting full native device features, and seeking frictionless experiences. You'll be digital before you know it. Read "Why the Third Generation of Enterprise Mobile is Designed for Digital Transformation"

    9. Technology Optimization & Innovation - Prepare Your Public Cloud Strategy

    Holger Mueller

    In 2015 technology leaders will need to create, adjust and implement their public cloud strategy. Considering estimates pegging Amazon AWS at 15-20% of virtualized servers worldwide, CIOs and CTOs need to actively plan and execute their enterprise’s strategy vis-a-vis the public cloud. Reducing technical debt and establishing next generation best practices to leverage the new ‘on demand’ IT paradigm should be a top priority for CIOs and CTOs seeking organizational competitiveness, greater job security and fewer budget restrictions.

    Posted in Social Media, Security, Privacy, Constellation Research, Cloud, Big Data

    Privacy watch

    Update 22 September 2014

    Last week, Apple suddenly went from silent to expansive on privacy, and the thrust of my blog straight after the Apple Watch announcement is now wrong. Apple posted a letter from CEO Tim Cook at www.apple.com/privacy along with a document that sets outs how "We’ve built privacy into the things you use every day".

    The paper is very interesting. It's a sophisticated and balanced account of policy, business strategy and technology elements that go to create privacy. Apple highlights that they:

    • forswear the exploitation of customer data
    • do not scan content or messages
    • do not let their small "iAd" business take data from other Apple departments
    • require certain privacy protective practices on the part of their health app developers.

    They have also provided quite decent information about how Siri and health data is handled.

    Apple's stated privacy posture is all about respect and self-restraint. Setting out these principles and commitments is a very welcome development indeed. I congratulate them.

    Today Apple launched their much anticipated wrist watch, described by CEO Tim Cook as "the most personal device they have ever developed". He got that right!

    Rather more than a watch, it's a sort of guardian angel. The Apple Watch has Siri built-in, along with new haptic sensors and buzzers, a heartbeat monitor, accelerometer, and naturally the GPS and Wi-Fi geolocation capability to track your speed and position throughout the day. So they say "Apple Watch is an all-day fitness tracker and a highly advanced sports watch in a single device".

    Apple Watch

    The Apple Watch will be a paragon of digital disruption. To understand and master disruption today requires the coordination of mobility, Big Data, the cloud and user interfaces. These cannot be treated as isolated technologies, so when a company like Apple controls them all, at scale, real transformation follows.

    Thus Apple is one of the few businesses that can make promises like this: "Over time, Apple Watch gets to know you the way a good personal trainer would". In this we hear echoes of the smarts that power Siri, and we are reminded that amid the novel intimacy we have with these devices, many serious privacy problems have yet to be resolved.

    The Apple Event today was a play in four acts:
    Act I: the iPhone 6 release;
    Act II: Apple Pay launch;
    Act III: the Apple Watch announcement;
    Act IV: U2 played live and released their new album free on iTunes!

    It was fascinating to watch the thematic differences across these stanzas. With Apple Pay, they stressed security and privacy; we were told about the Secure Element, the way card numbers are replaced by random numbers (tokenization), and an architecture where Apple cannot see how much you spend nor where you spend it. On the other hand, when it came to the Apple Watch and its integrated health sensors, privacy wasn't mentioned, not at all. We are left to deduce that aggregating personal health data at Apple's servers is a part of a broader plan.

    The cornerstones of data privacy include Collection Limitation, Use Limitation (or "Purpose Specification") and Openness. Custodians of our Personally Identifiable Information (PII) should refrain from collecting and retaining PII they don't really need; they should specify what they do with PII and restrict unrelated secondary usage; and they should tell people what they're doing, generally in a Privacy Policy. With Siri, Apple sadly fails all these tests.See Update 22 September 2014 above.

    The Apple Privacy Policy is altogether silent on Siri. The document details the sorts of information collected through its overt business processes like registration, sales and support, but it says nothing about the voice recordings and transcripts of Siri communications. Neither does the Siri FAQ mention what is done with all that data. It's quite an omission, seeing that when you dictate an SMS or an email to Siri, Apple retains a copy of communications that are normally out of bounds for your telecomms carrier.

    It's been left to journalists to try and find out what Apple does with the information it mines from Siri. Wired magazine discovered eventually that Apple retains masked Siri voice recordings for six months; it then purportedly de-identifies them and keeps them for a further 18 months, for research. Yet even these explanations don't touch on the extracted contents of the communications, nor the metadata, like the trends and correlations that go to Siri's learning. If the purpose of Siri is ostensibly to automate the operation of the iPhone and its apps, then Apple should be refrain from using the by-products of Siri's voice processing for anything else. But we just don't know what they do, and Apple imposes no self-restraint.See Update 22 September 2014 above.

    We should hope for radically greater transparency with the Apple Watch and its health apps. Most of the watch's data processing and analytics will be carried out in the cloud. So Apple will come to hold detailed records of its users' exercise regimes, their performance figures, trend data and correlations. These are health records. Inevitably, health applications will take in other medical data, like food diaries entered by users, statistics imported from other databases, and detailed measurements from Internet-connected scales, blood pressure monitors and even medical devices. Apple will see what we're doing to improve our health, day by day, year on year. They will come to know more about what's making us healthy and what's not than we do ourselves.

    Apple Watch Activity App

    Now, the potential benefits from this sort of personal technology to self-managed care and preventative medicine are enormous. But so are the data management and privacy obligations.

    Within the US, Apple will doubtless be taking steps to avoid falling under the stringent HIPAA regulations, yet in the rest of the world, a more subtle but far-reaching problem looms. Many broad based data privacy regimes forbid the collection of health information without consent. And the laws of the European Union, Australia, New Zealand and elsewhere are generally technology neutral. This means that data collected directly from patients or doctors, and fresh data collected by way of automated algorithms are treated essentially the same way. So when a sophisticated health management app running in the cloud somewhere mines all that exercise and lifestyle data, and starts to make inferences about health and wellbeing, great care needs to be taken that the indiviuals concerned know what's going on in advance, and have given their informed consent.

    One of the deep privacy challenges in Big Data is that data miners don't know what they're going to find. Even with the best will in the world, a company can struggle to say in its Privacy Policy what PII is expects to extract (and thus collect) in future from the raw data it collects today. At Constellation Research we've been fleshing out a new sort of compact between businesses and individuals that seeks to keep users abreast of developments in data analytics, and promises to provide people with proper control of personal Big Data results.

    It ought to be possible to expressly opt in to Big Data processes when you can understand the pros and cons and the net benefits, and to later opt out, and opt back in again, as the benefit equation shifts over time. But even visualising the products of Big Data is hard; I believe graphical user interfaces (GUIs) to allow people to comprehend and actively control the process will be one of the great software design problems of our age.

    Apple are obviously preeminent in GUI and user experience innovation. You would think if anyone can create the novel yet intuitive interfaces desperately needed to control Big Data PII, Apple can. But first they will have to embrace their responsibilities for the increasingly intimate details they are helping themselves to. If the Apple Watch is "the most personal device they've ever designed" then let's see privacy and data protection commitments to match.

    Posted in Privacy, e-health, Constellation Research, Cloud, Big Data

    BlackBerry Security Summit, 29 July 2014

    Summary: BlackBerry is poised for a fresh and well differentiated play in the Internet of Things, with its combination of handset hardware security, its uniquely rated QNX operating system kernel, and its experience with the FIDO device authentication protocols.

    To put it plainly, BlackBerry is not cool.

    And neither is security.

    But maybe two wrongs can make a right, in terms of a compelling story. BlackBerry's security story has always been strong, it's getting stronger, and it could save them.

    Today I attended the BlackBerry Security Summit in New York City (Disclosure: my travel and accommodation were paid by BlackBerry). The event was announced very recently; none of my colleagues had heard of it. So what was the compelling need to put on a security show in New York? It turned out to be the 9:00am announcement that BlackBerry is acquiring the German voice security specialists Secusmart. BlackBerry and Secusmart have worked together for a long time; their stated aim is to put a real secure phone in the "hand of every President and every Chancellor".

    Secusmart CEO Hans-Christoph Quelle is a forceful champion of voice security; in this age of evidently routine spying by state and competitors alike, there is enormous demand building for counter-surveillance in telephony and messaging. Secusmart is also responsible for the highly rated Micro SD cards that BlackBerry proudly use as removable security modules in their handsets. And this is where the SecuSmart tie-up really resonates for me. It comes hot on the heels of last week's Cloud Security Summit, where there was so much support for personal Hardware Security Modules (HSMs), be they Micro SD cards, USB keys, NFC Secure Elements, the good old "Trusted Platform Module" (TPM) or any number of proprietary chip sets.

    Today's event also showcased BlackBerry's QNX division (acquired in 2010) and its secure operating system. CEO John Chen reckons that the software in 50% of connected cars runs on the QNX OS (and in high reliability settings like power stations, wind turbines and even gaming machines, the penetration is even higher). And so he is positioning BlackBerry as a major player in the Internet of Things.

    We heard from QNX founder Dan Dodge about the elegance of their system. At just 100,000 lines of code, Dodge stressed that his team knows the software inside-out. There is not a single line of code in their OS that QNX did not write themselves. In contrast, such mastery is utterly impossible in the 15,000,000 lines that make up Linux or the estimated 50-70 million lines in Windows. It happens that I've recently lamented the parlous state of software quality and the need to return to first principles security. So I am on Dan Dodge's wavelength.

    BlackBerry's security people had a little bit to say about identity as well, and apparently more's to come. For now, they are flagging that with 250 million customers in their messaging system, BBM represents "one of the biggest identity systems in the world". And as such the company does plan to "federate" it somehow. They reminded us at the same time of the BlackBerry Cloud slated for launch in December.

    Going forward, the importance of strong, physical Two Factor Authentication for accessing the cloud is almost a given now. And the smartphone is fast becoming the predominant access mechanism, so the combination of secure elements, handsets and high security infrastructure is potent.

    There's a lot that BlackBerry is keeping close to its chest, but for me one extant piece of the IoT puzzle was conspicuously absent today: the role of the FIDO Alliance protocols. After all, BlackBerry has been a FIDO Board Member for a long time. It seems to me that FIDO's protocols for exchanging verified authentication signals and information about devices should be an important element of BlackBerry's play in both its software infrastructure and its devices.

    In closing, I'll revisit the very first thing we heard at today's event. It was a video testimonial, telling us "If you need nuclear security, you need BlackBerry". As I said, security really isn't cool. Jazzing up the company's ability to deliver "nuclear" grade to demanding clients is actually not the right message. Security in the Internet of Things -- and therefore in everyday life -- may turn out to be just as important.

    We basically know that nuclear power plants are inherently risky; we know that planes will occasionally fall out of the sky. Paradoxically, the community has a reasonable appetite for risk and failures in very complex systems like those. Individually and/or collectively we have decided we just can't live without electricity and travel and so we've come to settle on a roughly acceptable finite cost in terms of failures. But when the mundanities of life go digital, the tolerance of failure will drop. When our cars and thermostats and light switches are connected to the Internet, and when a bug or a script kiddie's stunt can soon send whole neighbourhoods into a spin, consumers won't stand for it.

    So the very best security we can currently engineer is in fact going to be necessary at scale for smart appliances, wearables, connected homes, smart meters and networked cars. We need a different gauge for this type of security, and it's going to be very tough to engineer and deploy economically. But right now, with its deep understanding of dependable OS's and commitment to high quality device hardware, it seems to me BlackBerry has a head-start in the Internet of Things.

    Posted in Software engineering, Security, Identity, Cloud