Monthly Archives: July 2022

Enforcing SLAs with Real Data

Posted on by
Reply

I’m sure by now you’ve probably seen tons of articles telling you about how important it is to travel with location devices in your luggage. The most common one I’ve seen is the Apple AirTag. The logic goes that if you have one in your checked suitcase that you’ll know if there are any issues with your luggage getting lost right away because you’ll be notified as soon as you’re separated from it. The advice is sound if you’re someone that checks your bag frequently or has it lost on a regular basis.

The idea behind using technology to enforce an agreement is a great one. We make these agreements all the time, especially in networking. These service level agreements (SLAs) are the way we know we’re getting what we pay for. Take a leased line, for example. You typically pay for a certain speed and a certain amount of availability. The faster the link or the more available it is the more it costs. Any good consumer is going to want to be sure they’re paying for the right service. How can you verify you’re getting what you’re paying for?

For a long time this was very hard to do. Sure, you could run constant speed tests to check the bandwidth. However, the reliability was the part that was typically the more expensive thing to add to the service. Making a circuit more reliable means adding more resources on the provider side to ensure it stays up. Allocating those resources means someone needs to pay for them and that is usually on the customer side.

It’s easy to tell when a link goes down during working hours. You can see that you’re not getting traffic out of your network. But what about those times when the circuit isn’t being as heavily utilized? What about the middle of the night or holidays? How can you ensure that you’re getting the uptime you pay for?

Trust and Verify

This is actually one of the groundbreaking areas that SD-WAN pioneered for networking teams when it came out years ago. Because you have a more modern way of maintaining the network as well as a way to route application traffic based on more than source and destination address you can build in some fancy logic to determine the reliability of your circuits too.

One of the biggest reasons in the past to use a leased line over a broadband circuit was that reliability factor. You need MPLS because it’s more stable than a cable modem. You get guaranteed bandwidth. It’s way more reliable. Those are the claims that you might hear when you talk to the salesperson at your ISP. But do they really hold water? The issue for years is that you had no way of knowing because your analytics capabilities were rudimentary in most cases. You could monitor the link interface but that was usually from the central office and not the remote branch. And depending on the polling interval you could miss downtime events.

SD-WAN changed that because now you could put an intelligent device on the edge that constantly monitored the link for throughput and reliability. The first thought was to do this for the broadband links to see how congested and unreliable they could be do know when to switch traffic to the more stable link. Over time admins started putting those same monitors on the MPLS and leased line circuits as well. They found that while broadband, such as cable and DSL, was typically more reliable than the sales people would have you believe it was the relatively unreliable leased circuits that surprised everyone.

Much like the above example of lost luggage you previously had to take the airlines at their word when they said something was lost. No details were available. Did your bag ever leave the airport when you flew out? Did it make it to the right location but get stuck somewhere? Did your bag get on the wrong plane and end up in Cleveland instead of Las Vegas? Because the airline reporting systems were so opaque you had no idea. Now, with the advent of Tile and AirTags and many others, you can see exactly where it is at all times.

The same thing happened with SD-WAN analytics. Now, armed with proof that links weren’t as reliable as the SLA, admins could choose to do one of two things. They could either force the provider to honor the agreement and provide better service to meet the agreement. Or the company could reduce their contract to the level of service they are actually getting instead of the one that is promised by not delivered. Having the data and a way to prove the reliability helped with the negotiations.

Once the providers knew that organizations had the ability to verify things they also had to up their game by including ways to monitor their own performance to ensure that they were meeting their own metrics. Overall the situation led to better results because having technology to enforce agreements makes all sides aware of what’s going on.

Tom’s Take

I’ve only had a couple of bags misplaced in my travel time so I haven’t yet had the need to go down the AirTag route. I’ve done it on occasion for international travel because knowing when my bag is about to come out on the carousel helps me figure out how much time it’s going to take me to get through customs. The idea of using technology to make things more transparent is important to me on a bigger scale though. If you can’t verify the promises you make then you shouldn’t make them. Having the AirTag or SD-WAN software to ensure we’re getting what we pay for are just parts of a bigger opportunity to provide better experiences.

All Problems Are Hardware Problems

Posted on by
1

When I was a lad in high school I worked for Walmart. I learned quite a bit about retail at my early age but one of the fascinating things I used in the late 1990s was a wireless inventory unit, colloquially known as a Telxon. I was amazed by the ability to get inventory numbers on a device without a cable. Since this was prior to the adoption of IEEE 802.11 it was a proprietary device that only worked with that system.

Flash forward to the 2020s. I went to Walmart the other day to look for an item and I couldn’t find it. I asked one of the associates if it was in stock. They said they could check and pulled out their phone. To my surprise they were able to launch an app and see that it was in stock in the back. As I waited for them to return with the item I thought about how 25 years of progress had changed that hardware solution into something software focused.

Hardware Genesis

All problems start as hardware problems. If there’s a solution to an issue you’re going to build something first. Need to get somewhere fast? Trains or cars. Need to get there faster? Planes. Communcations? Phones or the Internet. All problems start out by inventing a thing that does something.

Technology is all about overcoming challenges with novel solutions. Sometimes those leaps are major, like radio. Other times the tool is built on that technology, like wireless. However they are built they almost always take physical form first. The reasoning is simple in my view. You have to have the capability to build something before it can be optimized.

If you’re sitting there saying to yourself that a lot of our solutions today are software-focused you would be correct. However, you’re also making some assumptions about hardware ubiquity already. Sure, the smartphone is a marvel of software simplicity that provides many technological solutions. It’s also a platform that relies on wireless radio communications, Internet, and cloud computing. If you told someone in 2005 that cellular phones would be primarily used as compute devices they would have laughed at you. Because the hardware at the time was focused on audio communications and only starting to be used for other things, like texting or PDA functions.

Hardware exists first to solve the issue at hand. Once we’ve built something that can accomplish the goal we can then optimize it and make it more common. Servers seem like a mainstay of our tech world today but client/server architecture wasn’t always the king of the hill. Cloud computing seems like an obvious solution today but AWS and GCP haven’t always existed. Servers needed to become commonplace before the idea to cluster them together and offer their capacity as a rentable service emerged.

Software to the Rescue

Software doesn’t like unpredictability. Remember the Telxon example above? Those devices ran proprietary software that interfaced with a single server. There was no variation. If you wanted to use the inventory software on a different device you were out of luck. There was zero flexibility. It was a tool that was designed for a purpose. So many of the things in our lives are built the same way. Just look at your home phone, for example. That is, if you still have one. It’s a simple device that doesn’t even run software as we know it. Just a collection of electrical switches and transistors that accomplish a goal.

However, we have abstracted the interface of a telephone into a device that provides flexibility. Any smart phone you see is a computer running software with a familiar interface to make a phone call. There’s no specialized hardware involved. Just an interface to a system that performs the same functions that a traditional phone would. There are no wires. No switches like an old telecom engineer would recognize. Just a software platform that sends voice over the Internet to a receiving station.

Software becomes an option when we’ve built a hardware environment that is sufficiently predictable as to allow the functions to be abstracted. The Walmart Telxon can function as an app on a smartphone now because we can write an app to perform those same functions. We’ve also created interfaces into inventory systems that can be called by software apps and everyone that works for Walmart either carries a phone or has access to a device that can run the software.

Tom’s Take

Programs and platforms provide us with the flexibility to do things any time we want. But they only have that capability because of the infrastructure we’ve built out. We have to build the hardware before we can abstract the functions into software. The most complicated unsolved problem you can think of today will eventually be solved by a piece of kit that will eventually become a commodity and replicated as a series of functions that run on everything years later. That’s the way that things have always been and how they will always be.

Friday Mobility Field Day Thoughts

Posted on by
2

I’m finishing up Mobility Field Day 7 this week and there’s been some exciting discussion here around a lot of technology. I think my favorite, and something I’m going to talk about more, is the continuing battle between 5G and Wi-Fi. However, there’s a lot going on that I figured I’d bring up to whet your appetite for the videos.

  • What is mission critical? When you think about all the devices that are in your organization that absolutely must work every time what does that look like? And what are you prepared to do to make them work every time? If it’s a safety switch or some other kind of thing that prevents loss of life are you prepared to spend huge amounts of money to make it never fail?
  • Operations teams don’t need easier systems. They need systems that remove complexity. The difference in those two things is subtle but important. Easier means that things are simplified to the point of almost being unusable. Think Apple Airport or even some Meraki devices. Whereas reduced complexity means that you’ve made the up front configuration easy but enabled the ability to configure other features in different places. Maybe that’s by giving your engineers the ability to log in to an Advanced dashboard or something like that.
  • When you’re trying to figure out where your audience is on a subject, always aim slightly above their technical level. If all goes well you will pull them up to where you want them and they’ll appreciate the opportunity to stretch their thinking to meet you there. If not you’ll provide them lots of great material to learn about when they get there later.

Tom’s Take

Technology changes quickly but the way we teach it doesn’t need to if we do it right the first time. By taking the time to aim high and educate instead of retelling something we’ve already said a few times we create content that endures.

Getting Tough with Cyberinsurance

Posted on by
Reply

I’ve been hearing a lot of claims recently about how companies are starting to rely more and more on cyberinsurance policies to cover them in the event of a breach or other form of disaster. While I’m a fan of insurance policies in general I think the companies trying to rely on these payouts to avoid doing any real security work is going to be a big surprise to them in the future.

Due Diligence

The first issue that I see is that companies are so worried about getting breached that they think taking out big insurance policies are the key to avoiding any big liability. Think about an organization that holds personally identifiable information (PII) and how likely it is that they would get sued in the event of a breach. The idea is that cyberinsurance would pay out for the breach and be used as a way to pay off the damages in a lawsuit.

The issue I have with this is that companies are expecting to get paid. They see cyberinsurance as a guaranteed payout instead of a last resort. In the initial days of taking out these big policies the insurers were happy to pay out because they were getting huge premiums in return. However, as soon as the flood of payouts started happening the insurers had to come back down to earth and realize they had to put safeguards in place to keep themselves from going bankrupt.

For anyone out there hoping to take out a big insurance policy and get paid when you inevitably get compromised you’re about to face a harsh reality. Gone are the days of insuring your enterprise against cyber threats without doing some form of due diligence on the setup. You’re going to have to prove you did everything you could to prevent this from happening before you get to collect. And if you’ve ever filed an insurance claim for a car or a house you know that it can take weeks for them to investigate everything to find out if there is a way for them to not pay out.

There is a very reasonable chance your policy will exclude certain conditions that could have easily been prevented. It would be potentially embarrassing for your executives to find out you are unable to collect on an insurance policy because it specifically doesn’t cover social engineering or business email compromise (BEC).

Getting Ahead of the Insurance Game

How can you prevent this from happening? What steps can you take today to make sure you’re not going to find yourself on the losing end of a security incident?

  1. Check Your Coverage – It’s boring and reads like stereo instructions but you really do need to check your insurance policy completely, especially the parts that mention things that are specifically excluded from coverage. You need to know what isn’t going to be covered in a breach and have a response for those things. You need to know how to respond in areas that are potential weak points and be ready to confirm that you didn’t end up getting attacked there.
  2. Look for Suggestions From the Insurer – I know people that will only buy cars based on safety reports from industry groups. They’d rather have something less flashy or cool in favor of a car that is going to keep them protected in the event of an accident. The insurance companies love to publish those reports because it means that more sales of those cars means smaller payouts on claims. Likewise, more companies that provide cyberinsurance are starting to publish lists of software that they would encourage or outright require in an organization in order to have coverage or be eligible for a payout. If your company has such a list you should really get it and make sure you’ve checked the boxes. You don’t want to find yourself in a situation where one missed avenue of attack cost you the whole policy.
  3. Make Sure Your Reports Are Working – In the event that everything does go wrong you’re going to need to provide proof to people that you did all you could to prevent it. That means logs and incident reports and even more data about what went wrong and when. You don’t want to go and pull up that reporting data after the worst day of your cybersecurity life only to find the reporting system hasn’t been working properly for months. Then you’re not only behind on getting the incident dealt with but you’re also slowing down the potential recovery on the policy. The insurance company is happy for you to take as much time as you need because every day that they don’t pay you is one more day they’re making money off their investments. Don’t delay yourself any more than you need to.

Tom’s Take

The best insurance is the kind you don’t need. That doesn’t mean you don’t get it, especially if it’s a requirement. However, even if you do have it you need to act like you don’t. Assuming that there’s a safety net to catch you isn’t always the case when that net comes with conditions that could pull the rug out from under you. You need to know what your potential exposure could be and what could prevent you from collecting. You need to be prepared to put new mechanisms in place to protect your enterprise and have a plan for what exactly to do when things go wrong. That should be paramount even without the policy. If you have everything ready to go you won’t need to worry about what happens when disaster strikes.

Saying “Yes” the Right Way

Posted on by
Reply

If only I had known how hard it was to say “no” to someone. Based on the response that my post about declining things had gotten I’d say there are a lot of opinions on the subject. Some of them were positive and talked about how hard it is to decline things. Others told me I was stupid because you can’t say no to your boss. I did, however, get a direct message from Paul Lampron (@Networkified) that said I should have a follow up post about saying yes in a responsible manner.

Positively Perfect

The first thing you have to understand about the act of asking something is that we’re not all wired the same way when it comes to saying yes. I realize that article is over a decade old at this point but the ideas in it remain valid, as does this similar one from the Guardian. Depending on your personality or how you were raised you may not have the outcome you were expecting when you ask.

Let me give you a quick personal example. I was raised with a southern style mentality that involves not just coming out and asking for something. You may have seen this expressed as excessive small talk when you are trying to ask for help. You may feel frustrated that the person that is asking you for something doesn’t come right out and ask for it. You may not understand that this person is trying to feel out your emotional responses before asking a question so they’re almost assured to get a positive answer.

Apply that knowledge to the opposite situation. What if the person that has a hard time come right out and asking for something is trying to interpret a request from someone else? Are they going to accept it for what it is? Or are they going to apply their own knowledge to the situation and assume that the person must be asking for something very important because they know how hard it is for them to ask in that situation? Can you see how this disconnect can create strife in the workplace because different values are being applied to something as simple as a request for help? Now you can see the undertones of the earlier conversation about saying “no” to people that constantly ask for things.

How To Say Yes

How do we agree to things then? If we’re trying to get things accomplished we need to be able to ask for help or tell our coworkers we need them to do something. How do we say “yes” and make sure that everyone involved knows that we are doing what we can to make it happen? How do we avoid being overwhelmed?

First, don’t just agree to make people happy. This is the number one issue that needs to be resolved in the workplace. It’s one that starts early on in our careers. We need to put limits on what we’re going to agree to do in order to keep from not having any boundaries whatsoever. Imagine a junior admin or a new hire constantly agreeing to work on things or come in on the weekends to do cutovers and the like. Does that style of work appeal to you? Do you think it’s something that show initiative and desire? If you’ve been in your role for a while do you think it’s a good thing to come in on the weekends? Or does it sound more like this person needs to have a little more work life balance?

If you agree to do things because you’re trying to make your boss happy or show your value to the organization you’re setting yourself up for eventual failure. Good managers and leaders don’t want robots that have zero personal time. They want good employees that know when they’re reaching their limits and can respectfully and responsibly decline things that would push them over the edge. When you agree to do something outside the scope of your job or perform extra work, make sure that the person you’re talking to understands that it’s outside the norm for you. If you tell them that this isn’t normally part of your role but you’re doing it to learn or that you’re helping someone out that asked you to come in for a cutover you’re setting the expectation that there is a purpose behind what you’re doing and not just that you agree to anything you’re told.

Second, you need to help people understand what is going on with what you’re doing. If an overworked colleague comes to you to ask you for help with something and you’re overworked too you’re not going to be able to provide them with much help or support. For those out there that think an outright refusal is a bad thing, like me present you with the following statement to clarify what’s going on:

What I need to make my answer “yes” is…

In essence, you’re telling the person that you want to agree to do what they’re asking but you need them to understand what’s going on beyond just agreeing. You’re not putting conditions on your answer so much as you’re telling them what you’re involved with and what needs to change in order to help them out. You’re informing them of the roadblocks that are keeping you from helping. That’s responsible in my book. While I’m sure there are people that will say it feels selfish to phrase answers like that you also have to see that you’re not saying “no” without providing context. You’re telling them you do want to help but that you need these other things to go a certain way too.

Third, you need to make sure you keep track of what happens after you agree. Does the job need to be done frequently and you always get asked to do it? Is it a one-time thing never to be seen or heard from again? Are you recognized for your effort? Even if it’s just a simple “thank you”? It sounds silly to keep track of things like this but it’s important because it provides data for you about how often you’re being pulled away to do other things. If this is a recurring task that your manager is asking you to do then it needs to be included in your job role. If it’s something that gets asked of you all the time and no one ever knows what you’re doing then you need to find out why.

Documenting your extra tasks will help you understand who is always coming to you for help and let you do something to reduce that. Do they need additional training? Are they being tasked with something that someone else should be handling? Do they just have a habit of asking you to help them with things because they’re overwhelmed too? Or, in a more negative light, are they making you do the work so they can take the credit? These are all questions that can only be answered when you have data. If you just have it in your head that you’re always helping a particular coworker or it feels like you’re always getting a phone call to run a particular report for someone you need to keep track of it so you can speak with confidence when it comes up.

Tom’s Take

There’s a lot of effort that goes into agreeing to do something for someone outside of what you normally do at work. It is true that you can’t say “no” to every request. However, you can agree in such a way as to help people understand what you’re working on and under what conditions you will be able to help. Again, I’m pretty sure there are those in the community that will tell me that I’m being prickly when I say that you need to put conditions on your agreement but you also have to see that saying yes to everything without taking your own situation into account is just as bad as saying no to things. Either you’re going to be seen as the person with no boundaries that will just do anything or you’re going to get so overwhelmed with work that you don’t get anything done and you end up in the same mess you’d be if you’d said no.