
mlryan blog

My thoughts on the IT industry.

Monday 23 July 2007, 12:05 PM

Trusting a supplier with your confidential data

Posted by mlryan

During the Postini takeover discussion, a lot of the community members do not seem to trust a supplier to keep their confidential data secure. For example, using a hosted email service would fail the test, since confidential business communications are sent using such a service.

I wonder what proportion of businesses routinely require all external email to be sent only via encrypted emails? Not many - due to a lack of standard technologies.

I also wonder how many hosted application providers commit to storing only encrypted data. Is it beyond the realm of possibility for a supplier to only allow encrypted communications between the customer and their infrastructure? HTTPS is a reasonably robust and secure mechanism for the transmission of data. But if suppliers were to add to that encryption of all data *stored* in their data centre, then where is the issue? The data stored can only be accessed by the customer because only they can transmit the keys that are used to decrypt it, manipulate it and re-encrypt it ready for transmission back to the customer.

The confidential data stored by the supplier is only ever held in plain text format in the memory of applications which are acting on it. These applications can only do that when the customer is explicitly connected and has authenticated and provided the keys that allow the data to be decrypted for processing.

Therefore, no amount of stealing of laptops, servers, backup tapes, etc, from the supplier, or of hacking into their data centre, etc, will give you access to the confidential data they are storing on behalf of their customers.

What am I missing?
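
The storage model described in this post, as an added sketch (not the author's or any supplier's code): the supplier persists only ciphertext, and the customer's secret is present only for the duration of a call. `SupplierStore`, `put`, `get` and `stolen_copy_reveals` are hypothetical names, the record is constructed sample data, and the HMAC-SHA256 counter-mode keystream is a dependency-free stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import secrets

def _derive_keys(secret: str, salt: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the customer's secret."""
    okm = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000, dklen=64)
    return okm[:32], okm[32:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in cipher; same call encrypts and decrypts)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        counter = (off // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class SupplierStore:
    """What the supplier persists: salt, nonce, ciphertext and tag. Never the key."""

    def __init__(self):
        self.disk = {}  # models disks, backup tapes, stolen laptops

    def put(self, record_id: str, plaintext: bytes, customer_secret: str) -> None:
        salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        enc_key, mac_key = _derive_keys(customer_secret, salt)
        body = salt + nonce + _keystream_xor(enc_key, nonce, plaintext)
        # Encrypt-then-MAC, bound to the record id so blobs cannot be swapped.
        tag = hmac.new(mac_key, record_id.encode() + body, hashlib.sha256).digest()
        self.disk[record_id] = body + tag  # keys go out of scope on return

    def get(self, record_id: str, customer_secret: str) -> bytes:
        blob = self.disk[record_id]
        body, tag = blob[:-32], blob[-32:]
        salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
        enc_key, mac_key = _derive_keys(customer_secret, salt)
        expected = hmac.new(mac_key, record_id.encode() + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise PermissionError("wrong key or tampered record")
        return _keystream_xor(enc_key, nonce, ciphertext)

def stolen_copy_reveals(store: SupplierStore, needle: bytes) -> bool:
    """Model theft of everything persisted: is the plaintext findable in it?"""
    return any(needle in blob for blob in store.disk.values())
```

Inside `put` and `get` the derived keys and the plaintext exist in the supplier's process memory, which is the one place the post says they may appear.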

Monday 16 July 2007, 11:29 AM

Tiny click targets

Posted by mlryan

Are you generally fit and healthy with limbs that respond accurately to your mind's wishes?

Lucky you. Not everyone is.

And if you do have hands that shake or reduced mobility in your arms and fingers, it can be a great pain (sometimes literally) to use some software and websites.

Accurately positioning a mouse over a very small target on the screen and holding it steady while you click can be a difficult task. And one that would be immeasurably easier if the target was just a bit bigger.

Take the links at the top of the ZDNet.co.uk page. The banner ad is big, easy to click on. The top-level navigation links (home, news, opinion, etc) are smaller but well-sized. The second level under that (forums, people, etc) is I think borderline. Anything smaller than that (such as the excruciatingly small RSS button) and a visitor could well be struggling.

Anyone got some examples of websites or software that demand precision mouse movements worthy of a neurosurgeon?

Tuesday 5 June 2007, 10:59 AM

Let's leave things till the last minute

Posted by mlryan

Can you count the number of times that you have been implored to think about an IT issue early in the project lifecycle? I certainly can't. IT professionals are being constantly urged to think about things as early as possible.

Want to improve application security? Capture the need in the statement of requirements and build it into the design.

Application performance? You have to think about it before you start to design.

Testing? Apparently we have to start *conducting* testing before a single line of code has been written [How? By testing the basis of the project and the statement of requirements!]

I'm fed up with this constant pressure to do things in an order which does not appear to make sense. In the world of operating systems, activities that can be performed later are executed later (because when you get there you may find you don't have to do them at all). This seems to me to make sense; if we do everything up front, what is left to do for the remainder of the duration of the project?

We are in danger of rushing around madly for the first days and weeks of a project considering all of the peripheral aspects of a project and never actually getting to build the product.

So why are we asked to do so much so early? In my opinion it is because in some project teams the team members lack the skill and experience to do a good job. Getting project managers to think about many different aspects of their project very early on is a way to help prevent problems that occur because the designer doesn't consider security at all, or developers write poorly performing code and so on.

The need to do a myriad of tasks up front or as early as possible is largely unnecessary when skilled people are in key roles in a project team.

Wednesday 9 May 2007, 4:49 PM

Getting others to take your exams!

Posted by mlryan

While researching training options for some of my technical staff, I was surprised (but in retrospect why?) to see firms advertising to take your exams for you. Get the certificate without having to study or go through the stress of sitting an exam. The examples I saw appeared to originate from people located in India and China. I assume the test centres must be in collusion somehow, in order to waive the normal stringent photo-id requirement.

But then recently one of my staff came back from an ISEB business analysis oral exam (viva) in London and reported that no photo ID was requested.

So why is this worthy of note? Because it makes a mockery of the whole certification process. Don't rely on the paperwork - but we all knew this anyway.

Wednesday 9 May 2007, 4:46 PM

Software company mergers - cause for fear?

Posted by mlryan

CDC Software, owners of the Pivotal CRM software, have merged with (taken over) UK-based CRM software vendor Saratoga Systems.

As a consultant to one of Saratoga's biggest clients, I am in the unenviable position of having to advise my client whether they should be actively looking for a replacement. The new owners have of course issued reassuring messages about how the new acquisition's product set is complementary to their own and funding will continue for both.

But we all know of course that the reality is that running two development and support teams is more expensive than migrating customers from one product set to the other and then only running one development and support team.

So the questions are: at what point will the investment drain from one of the products into the other, which product set will be preserved, and will the official transition path be relatively painless?

If you have a strong opinion, let me know. I will tell you what I come up with later...


mlryan
  • mlryan
  • Executive IT Management, City of London, UK
  • Member since: July 2004
