This post is a summary of a presentation I gave to a group of lawyers on ICT fundamentals. It represents my own opinion, and not that of my employers or anyone else! I apologise for it being so wordy – but a lot of material was covered.
My presentation walked through some fundamental concepts in ICT, some major trends that are shaping ICT, and how ICT organisations are evolving. The aim is to give a plain English summary to allow ICT lawyers to have sensible conversations about ICT to support the work that they do with ICT professionals. In my view ICT may be hard to do, but it is not hard to understand. At the end of each topic I will include my own personal view.
Some Key Concepts
The following are some key concepts that ICT lawyers should understand – and understand how ICT professionals use them.
We aren’t talking about roads here. Infrastructure is a blurry concept, but it pays to be aware that we mean something reasonably specific about it when we talk in ICT teams. We mean the basic stuff we run software on. We mean, at its most basic, servers, their storage (hard disks and their more sophisticated brethren) and their associated networks and network devices (e.g. routers, modems, and firewalls). Sometimes when we talk to non-ICT teams we might extend the term to include operating systems, databases, monitoring and management software and even middleware.
Doug’s view: Infrastructure is becoming a commodity. It is becoming less and less relevant to today’s organisations – and in many organisations should just be replaced by the cloud.
The first thing to understand is that there is no such thing as “the cloud” – only individual cloud services. A useful introduction to the main ideas of the cloud can be found in this short paper from the American National Institute of Standards and Technology. This is my plain-English summary of the key points of the NIST document.
NIST says that there are 5 essential characteristics of cloud services – I would call them key characteristics, rather than essential as there are many cloud services that are missing one of these to a greater or lesser extent. These characteristics are:
- On-demand self-service – you can buy it (or order more) without having to talk to a person each time.
- Broad network access – you can access it over the internet.
- Resource pooling – AKA multi-tenancy, you share the service with others.
- Rapid elasticity – you can scale up your use without having to wait for someone to order more hardware or licenses.
- Measured service – your usage is automatically measured – and this is usually how you are charged. In practice this is the pay as you go model.
There are three service models:
- SaaS – Software as a Service. Using the provider’s applications (e.g. SalesForce, Office 365).
- PaaS – Platform as a Service. Creating your own applications using the provider’s application development tools or platform (e.g. Microsoft’s Azure).
- IaaS – Infrastructure as a Service. Running your own applications, platforms or tools on the provider’s infrastructure (e.g. Amazon Web Services).
There are four deployment models:
- Private Cloud. The cloud service is used by only one organisation. Note: a lot of people say this isn’t really the cloud at all, as you can’t get enough of the key characteristics above.
- Community cloud. The cloud service is for the use of a group of customers with shared interests. The NZ government IaaS and DaaS services are good examples of this. They are services for multiple organisations, but it is an exclusive club.
- Public Cloud. The cloud service is for anyone – the standard or paradigmatic cloud service.
- Hybrid Cloud. Any mix of two or more of the three above.
Tied to the idea of the cloud is the idea of “as a service” (aaS). As a service is a commercial concept about how we procure ICT. Instead of buying it and running it ourselves, we rent it on an “as a service” basis. That is to say, we don’t own it, and we get it wrapped up with a range of complementary service management. So, instead of buying some hardware, buying some CRM software and installing it on that hardware, and then running, operating and maintaining that hardware and software, I can get CRM as a Service from someone like SalesForce.com. They take care of all of that for me, and charge me on a per user per month basis. This is not a new concept. Hotels are lodging as a service, taxis are chauffeur as a service. It is just that we now have the service management technology to allow us to do the same with ICT services.
The NZ government has a “cloud first” policy. Detail on the policy and advice on use of cloud services can be found on the GCIO’s website.
Doug’s view: The move to cloud is inevitable and irresistible. The public cloud is where it is at – most enterprise software vendors are now focussing on the public cloud. Their investment and innovation is focussed there. We are starting to see that new features are delivered to cloud versions of products first, and are only later – if ever – making it into on-premise versions. In addition, the economies of scale mean that IT organisations can never hope to achieve the level of service – in terms of scalability, availability and security – that public cloud providers can achieve.
If you still have any ICT infrastructure, where do you put it? And if you have outsourced that to a cloud provider, where do they put it? In datacentres. A datacentre is just a purpose built building for housing ICT infrastructure – servers and networks.
Datacentres have evolved rapidly in the last few years. The latest, state of the art datacentres are built to be run by two or three people, are built next to power stations for cheap power, have purpose built servers and specially designed cooling, and are software managed and designed for failure.
Doug’s view: datacentre design and build has changed significantly over the last few years, and for this reason, datacentres are best left to the specialists.
There is a real stack – a communications protocol stack. This is a software implementation of a set of protocols used to communicate between devices where the higher protocols depend on the lower protocols to work. The key idea here is that the different layers of the stack are software defined, and fundamentally depend on the layer below. The World Wide Web is based on a protocol stack of:
Then there is the stack that we more commonly talk about which is a figurative stack. We usually mean any set of software with some sort of (usually metaphorical) dependency between the different “layers”. We often describe all of the enterprise software that is in use at an organisation as “the stack”, but sometimes we talk about it in terms of a particular solution space. For instance we might talk about an end user computing software stack of devices such as PCs or tablets, operating systems that run on those devices and applications that run on those operating systems. The other stack that we often talk about is the cloud stack of SaaS that runs on top of PaaS which runs on top of IaaS (at least in theory).
The key thing to understand is that this is a figurative use, and there is no single “stack”. What we are really talking about is a set of software that can be separated into “layers”, categories if you will, with some form of dependencies between the layers, and that work together to achieve some form of outcome – whether that is getting messages from one end of the world to another, to run a cloud service or to make a desktop PC work.
Doug’s view: This is just convenient – if somewhat confusing – shorthand for all of the software that we use. Don’t be afraid to ask what the stack is, and “What is in the stack anyway?”
Virtualisation (or Virtualization)
We often talk about virtualisation, or virtual machines, virtual servers, virtual desktops – but what are they and how do they differ from real ones?
Virtualisation is basically the idea of mimicking a physical thing (such as a server) using software. So, in the case of a virtual server, basically the software pretends that it is a server to other software (such as an operating system, or business application) that would typically run on a real server.
When talking about virtual machines (such as virtual servers or virtual desktops) we often use the terms “guest” and “host”. A host is the physical server that everything runs on, and the guest is the virtual server or desktop that is running on the host.
Why do we do virtualisation? Well, software is more predictable and controllable than hardware – we can more easily manipulate it and control it. I can easily pretend that software is lots of different things – changing hardware is difficult. We call this abstracting away from the underlying hardware.
Doug’s view: virtualisation technology has been a key enabler for the cloud and has become a commodity.
Information security is about understanding the risks to your information and business and managing that risk. When we talk about security risks we talk about risks to the confidentiality of the information (risks that the information is disclosed to people who shouldn’t see it); risks to the integrity of the information (risks that the information will be corrupted or vandalised); risks to the availability of that information (risks that the information cannot be accessed when you need it).
Once we understand these risks to our information we can decide what controls we might apply to mitigate those risks. For example, we might encrypt to protect confidentiality, control admin access to protect integrity of a website; back up the information to protect availability.
Whatever we do, we can only mitigate risks; we cannot eliminate them. We cannot completely secure anything.
Doug’s view: information security is not the same as privacy, it is not just encryption. Information security is vital, and it should enable the business, not get in the way.
Big Trends in ICT
There are a number of big trends that are changing ICT at the moment that ICT lawyers should be aware of. These are the ones that I think are the most important.
I’ve already covered this above, but the important change I see happening now is that the most transformative technologies will only be available in the public cloud.
Mobile device penetration is over 100% in most western countries (i.e. there is more than one mobile device per person) and those devices are mostly smart (it is almost impossible to buy a non-smartphone today in NZ). We are seeing statistics such as mobile devices starting to account for the majority of views on websites. Mobile is becoming the most popular way for people – our customers and our staff – to interact with the internet and with digital services. This has important implications on how we build websites and business applications.
The Internet of Things
The Internet of Things (IoT) is a phrase to denote a world of vast numbers of smart, connected devices. This has come about due to ubiquitous connectivity, the growth of devices that incorporate computers and software (e.g. smart fridges), and the low cost of RFID chips. This means that there are a very large number of devices which are capable of collecting and transmitting data, and receiving instructions over the internet. The sheer volume of devices and data leads to management problems and opportunities.
The Internet of Things and the growth of social media have led to a vast explosion in the quantity of data that is created, and that people have a business need to manage and gain insight from. Increasing the problem is the fact that most of this data is not structured in the way that traditional data is structured. For example, hashtags are embedded randomly in social media posts as are key terms. Smart device data is often in text files. This has led to an explosion in new techniques and technologies to manage, explore, analyse, classify and gain value from this wealth of data.
The Consumerisation of ICT
This is one of my particular hobby-horses. The current experience that many people have (especially those recent entrants to the workforce) is that their personal IT – the tools they use in their everyday lives – are more powerful and useful than the tools they have at work. One of the consequences of this is that these people are then bringing these tools to work to get their jobs done more effectively, which is one aspect of what is often called shadow IT.
In reaction to this many ICT organisations are adopting consumer models, techniques and styles in delivering corporate IT services. This might be through BYOD programmes which allow staff to use their own devices for work, by creating self-service portals or by sourcing consumer-like technologies such as Dropbox or enterprise versions of Facebook. However you look at it, this trend is currently having a massive impact on the IT market and on IT organisations.
How Are ICT Organisations Changing?
The key concepts and the big trends that I have discussed here are leading to major changes in IT shops internationally, and New Zealand is no different.
The key change I see is that ICT shops used to build, operate and own the IT: from installing servers that we bought, creating databases, writing all of our applications, and then maintaining, and supporting it all. We are moving to a model where a lot of that is now provided as services by external vendors, often from the cloud.
What that means is that there is less of a call for the build and operate parts of an IT shop. Now, you can react to this in one of two ways: you can fight a rearguard action and resist what I think is an irresistible tide, or you can embrace the change and take advantage of what it offers.
Forward thinking IT shops are changing in a few identifiable ways. They are moving to a model where they source capabilities rather than build and operate them, but these disparate capabilities need to be aggregated and integrated – so these IT shops are incorporating these activities as key capabilities, because they require different skills and technologies. They are also focussing on building a deeper understanding of the other parts of the organisation so they can deliver to those needs more effectively. And as a corollary to that they are building capability in managing vendors.
Another key change we are seeing is in the spread of the recent idea of 2-speed IT. That is the notion that we have a rapid speed for areas where we need responsiveness and innovation, and a traditional, slower speed, where we need stability and compliance. The different speeds need different methods, techniques, skills and governance and ICT organisations are looking at how to adopt these to deliver on the growing expectations from the rest of the organisation.
If there are a few key messages I’d like you to remember from this presentation and post they are:
- The basic ideas around ICT are not that complicated
- Infrastructure and datacentres are old hat!
- The cloud is not to be feared – it should be embraced
- You can ask: what is in “the stack”?
- Nothing is ever secure
- The major trends in ICT are having big impacts on ICT organisations