Thursday, June 29, 2023

The Importance of purpose, presence, and human connection

Recently, I was reminded of the power we all have to make a difference in the lives of others and the importance of human connection in our work lives. While I typically work remotely from Arizona, I made the voluntary decision to travel to both my US and London offices. This allowed me to connect with and be present for my team, co-workers, and work family. Simply by being present and connecting with people, I discovered a renewed sense of purpose in the work I do and witnessed the transformative potential of work in shaping lives and the world around us.

The past few years, emerging from the pandemic, have been a traumatic period in human history. The nature of work has undergone significant changes, with a large number of people now working remotely. This has sparked debates on the effectiveness and viability of remote work, often leading to extreme positions where individuals are either fully in favor or completely against it.

I believe that the choices are not limited to these all-or-nothing extremes. The reality is more nuanced. There are indeed genuine benefits to both remote work and coming together in an office setting. Those who advocate for remote work recognize its advantages for individuals, productivity, and companies. On the other hand, there are undeniable benefits to gathering in an office environment, fostering human connection, and drawing upon our inherent social nature. Throughout history, human beings have found belonging, security, and common purpose through face-to-face interactions, whether it be sharing meals, celebrating successes, or supporting one another through challenges.

During my visit to our London office, I had the opportunity to meet many of my co-workers in person for the first time. The diversity and inclusiveness of our work culture were vividly evident as I heard voices speaking Dutch, French, Spanish, Welsh, Irish, and Scottish. Our remarkable and inviting workspace at Henrietta House in London provided an ideal setting for essential conversations about work. Meeting people face-to-face allowed me to offer my assistance to my co-workers in advancing our company’s mission, while also receiving the gifts of accommodation, welcoming inclusion, and collaborative problem-solving.

Furthermore, for me personally, it was about bringing people together to acknowledge their hard work and sacrifices. Many of these individuals did not report to me or exist in any organizational chart with my name at the top. Yet, the essence of coming together lies in recognizing that we are all part of the same team, united by a common cause and shared purpose. We all have families, we all age, and we all come from diverse backgrounds. The human family transcends the boundaries of a multinational corporation or a small team. This was the underlying motivation behind my visit—to remind myself and others that we are in this together, supporting one another in our shared struggles. Every individual has value and worth, and I discovered a renewed sense of optimism that together, we can overcome any challenges that lie ahead.

Lastly, my trip to the United Kingdom, particularly London, was an exceptional experience. London is a wonderfully diverse and inclusive city, where cultures from all over the world are welcomed and celebrated. The people of London were kind, quick-witted, and eager to share their humor and wisdom. As I ventured to places like the Cotswolds and York, I realized that London served as a magnifying glass, reflecting the spirit of diversity and inclusivity found across the country. Great Britain set a remarkable example, showcasing how individuals from various faiths and backgrounds can maintain their unique cultural identities while coexisting harmoniously.

Monday, August 29, 2022

Dreams of the future

I spend a lot of time contemplating the future. I read books about it ("AI 2041", "The Singularity is near", "Future Stories", "Stories, Dice and Rocks that think"). I've always watched a lot of Star Trek. So it's no wonder I spend a lot of my dreamtime imagining how things might be.

One such dream popped up with a lot of detail Saturday night (AUG 27 2022). It was a compelling vision of computing so I wanted to write it down in some detail. I was in an office about to discuss a topic with a colleague. I opened my "computer" which was a polymimetic sheet that unrolled from its aluminum container like the scrolls of old. The sheet/computer laid flat on the table. The case it was in went back into my suit jacket. The material was flexible and I could stretch it to be a number of resolutions. As I stretched it out, it automatically displayed the size of the screen while simultaneously adapting the contents to fit the resolution. Internet connectivity was ubiquitous so I didn't have to connect it to a wifi or login to it. It read and securely connected to the local network and used my fingerprints as biometric authentication. There wasn't a lot of storage on the system as it was always connected to the cloud. The focus of the system was on computing, the display, and being able to change the state/phase of the material that made up the system and display. The display was a 4k display and fully interactive with a touch screen for navigating on the table surface. I got the sense that the display could be stretched to about a 48" diagonal.

After I was done with the display I was able to lift it up from the surface and with a couple of touches to the back of the system make it a rigid display. It stayed in the resolution I had it set to on the table surface. From there I was able to magnetically attach it to a monitor stand. I had a couple of options: I could attach a keyboard or use my AR glasses. My augmented reality (AR) smart glasses set a virtual holographic keyboard for me to use with the computer. I could configure the keyboard layout to be anything I wanted, size and configuration. My AR glasses connected to the computer seamlessly as well, as if they were biometrically authenticated. My glasses were uniquely paired with my computer. They enabled me to set another great feature, privacy shield.

When I wanted, say in a public space like an airplane, I could put on my AR glasses and turn on privacy. The entire screen would be opaque to everyone around me but fully visible to me alone with my glasses. Bone conducting speakers and a microphone in the glasses let me fully interact with the system without disturbing people around me.

Power wasn't a consideration. I was able to leverage it on the table surface for an hour before connecting it to the video stand. The video stand charged the system. When I left for the day, I was able to remove it from the stand, tap the back of it once more and roll it up into its case. When I arrived home I simply inserted the case into a charger to keep it ready for the next day.

This system was current in the next 20 yrs from the present or by mid century. It was considered a breakthrough and very disruptive to traditional laptop and PC markets. The next iteration that would replace this came nearer to the end of the century. The end of the century system was fully holographic and required no medium at all. Users could interact with it using AR glasses and special gloves. The gloves controlled the same of the display and interacted with the system itself. You could open menu bars and other applications using gestural commands. The best thing about the new system was the 3D holographic nature of it: all objects on the flat surface could be rendered just above the system as 3D holographic objects that the AR Gloves and Glasses could interact with. All the power, computing, and storage came from the AR Systems with no more need for a physical medium. Any space could be turned into a TV, Projector, computer, workstation, etc. Transferring from glove and glasses based projection systems to home based or office based projectors was also seamless.

I'm sure much of this came from recent articles I've been reading about AR and Smart glasses as well as scholarly articles on things like Vanadium Oxide and other nanomaterials. From my perspective, the future is nearly upon us and it looks great!

Monday, July 18, 2022

Time for Crypto fun. If you've got my note, please leave the code and response in the comments! Hint, it's Caesar's cipher.

Saturday, April 06, 2019

The New DevSecOps Positions

Finding good people especially in this market is hard. Historically low unemployment makes it difficult. Finding good IT talent, developers, engineers, architects, analysts, etc. is even more difficult. Getting the right person with a passion for their technology, an intrinsic motivation like making a difference, or collaborating with others on game changing technology, and someone who can communicate and cooperate with others from diverse backgrounds is difficult. These are all generally understood and the market tends to reward those with that rare set of skills and motivations.

Specialists are even more difficult to find. Developers with just the right mix of UI, experience with Ruby or Python or Go, and experience with your framework of choice. Security specialists with Threat Intel, SIEM, Threat Hunting, IAM, Forensics, Endpoints, and so much more are hard to find. Engineers with experience on just the right version of Linux, open source software, patching, networking, and more are equally difficult. These specialists with just the right certifications command a premium.

As technology has evolved new hybrid positions have come to exist. Consider the Cloud Engineer, or the Site Reliability Engineer, the Data Analyst, the Data Privacy Officer, all combinations of one or more specialties. As the need for these hybrids has increased and the number of people with the relevant experience dwindles, companies have been forced to promote and grow people with experience in one half of the equation while learning the other half. Most cloud engineers are former systems admins who were thrust into the world of AWS, Azure, Google Cloud, etc. and learned their position through on the job training with a mix of new certifications. So too the data analysts, taken from the ranks of business analysts and taught all about SQL, statistics, probability, as well as the new tools and technologies therein. These Data Analysts have to relate their newfound insights from data back into business terms.

The world of DevOps is no different. The DevOps engineer usually comes from a developer or engineering background and learns the other half of the trade. Developers learn the systems covering things like Continuous Integration or Continuous Deployment. Engineers learn about source control management systems, integrating software testing tools, and scripting. And as more and more of the Continuous Deployment landscape moves to containers and Infrastructure as Code, Engineers are finding they have to learn more about writing code.

Enter the DevSecOps Engineer. These positions are the new ‘unicorns’ of hiring. The DevSecOps engineer has a background in software development, application security and testing, as well as an engineering background for linking all three of these disciplines together. While DevSecOps has been around for a while it seems there are very few with titles reflecting the discipline. Hiring for senior positions yields quite a few resumes with a DevOps background. By and large, the majority of DevOps candidates are engineers who made some tentative moves into software development. So few have skills in languages like Ruby, Python, or Go. Moreover, gauging their skillsets by way of public code repositories or contributions to open source projects would seem a wise approach. Another consideration is hiring senior software developers with a basic understanding of systems administration or DevOps and teaching them application security.

The true DevSecOps professional will have to have a more well rounded resume. Modern concerns include securing Kubernetes which brings application security concerns back to system security concerns like securing the kernel, isolating processes and access, and protecting the whole with advanced networking controls. DevSecOps engineers will also have to address the need for sending telemetry to security operations systems from cloud based applications and platforms. Dynamic DNS, infrastructure as code, programmable certificate management, secrets management, encryption as a service, and log aggregation at scale for both systems, infrastructure, and applications are all in the purview of the modern DevSecOps leader.

New DevSecOps positions will include hybridizations of older hybrids. Security focused Site Reliability Engineers or SSRE’s will take on the role of supporting application development teams with the various technologies and disciplines of DevSecOps, things like Threat Modeling, leveraging security pipelines, and securely deploying your applications, on-premise or in the cloud. Agile software developers will become security software developers, building out the new software based DevSecOps tech stack. And of course there will be the need for the architects who can tie it all together, who have or support the vision of DevSecOps in the enterprise, can develop the needed reference architectures, work collaboratively with people in technical and managerial roles, and guide their team mates in maturing your program.

There are few if any certifications in this new DevSecOps realm. There is no governing body suggesting this person or that is a certified DevSecOps architect for instance. Reliance on metrics like positions held, time on the job, or responsibilities is no longer sufficient. The new paradigm has to shift to a focus on accomplishments and demonstrated abilities. What did you build? What can you do? How well do you fit in our corporate culture? What are you passionate about doing going forward? These are the new focus for the modern DevSecOps hiring manager. What can you offer to entice these newest ‘unicorns’? A salary commensurate with their abilities, an environment of transparency and collaboration, the opportunity to make a difference, and an environment where they get to work with best of breed and cutting edge technologies. Expect to compete with the biggest and best companies around as this very limited pool of resources is highly sought after.

Where will this talent come from? Should you look for people with more systems administration or software development in their background? My background as a software developer makes me lean towards the software developers. Good software developers have the right mindset. They understand programming languages in the context of the underlying systems they run on as well as networking. They understand the relevance of their software as it impacts the business bottom line. They have a basic understanding of security as it applies to systems, software, and the business. And most importantly, the best software developers have an insatiable curiosity. These are hackers in the very best meaning of the word.

As more of our modern security stack moves to virtualized or cloud based systems, the importance of DevSecOps will grow. I fully expect that eventually the worlds of application security and ‘traditional’ security will merge back into one. The future of that world belongs to these new DevSecOps positions.

Sunday, December 02, 2012

Ode to a MacBook Pro (13" with retina display)

Trying to show my oldest son how to write sonnets, did one (in iambic pentameter) about the first thing that came to mind.

Ode to a MacBook Pro


Gleaming silver surrounding a white fruit
The Apple is the best friend for me
Its sleek design, form and function do suit
Its backlit keyboard so easy to see

The retina display a work of art
4 million pixels a window for all
Its solid-state drive that touches my heart
Its noiseless performance; a siren call

So light like a feather, cold to the touch
Yet fast like a cheetah this cat can run
The press of a button that does so much
Homework and learning transformed into fun

Oh MacBook Pro I admit my desire
You make my geek heart glow with burning fire


Wednesday, July 25, 2012

Addicted to devices or indentured to work, are those the only two choices?

One of my favorite movies HEAT has a scene where Vincent Hanna (Robert De Niro) is trying to convince one of his long time associates, Michael Cheritto, to back out of a job and retire. The score isn't worth it considering the heat (the police) involved. Cheritto replies "Well ya know for me, the action is the juice." meaning the payoff for him isn't the reason he does the job; the adrenaline, the action, is the reason he's addicted to robbing people. I've thought a lot about that line over the years and it rings true for me and my relationship with my job and my employer.

The New York Times article "Silicon Valley Worries About Addiction To Devices" suggests we are addicted to the rapid reward we get from devices and the interaction much like people are addicted to the Internet, video games, sex, gambling, drugs, etc. I can see this point of view and there is some truth to it. How else could you explain the record profits of folks like Apple and others? Tech junkies get off on tech and I am certainly one of them. But that's not the whole point.

The Atlantic countered the NY Times article with a cheeky but on-point retort that we're not addicted to our devices as much as we are slaves to our employers and our jobs. There's a pale indictment of big business behind all of this BUT the real point is that we collectively feel like slaves to our jobs because it allows for a 24/7 work schedule. Again, there are times when work interferes with life and there's always the pressure to keep up with the sycophantic few who try to impress with the post 11p emails. But again, that's not the whole point.

This brings me back to my initial discussion of HEAT in that I am very much like Michael Cheritto. I don't go to work for the paycheck, I am not addicted to my devices because of some dopamine receptor or tyrannical employer. I go to work because I get off on the action and I always have (and hopefully always will). My vocation is my avocation. My job allows me to create. It delivers the creative tension between what's possible and impossible. It's the Spartan agoge and the Athenian forum all rolled into one. I work with super smart and motivated people. I believe we collectively share a passion/addiction for making a difference, for doing something awesome and worthy of my time on earth.

And I believe a great many people in technology are just like me, they get off on the job for the same reasons I describe. We have strong families and love our children, we enjoy our hobbies and our time off. We have some semblance of work/life balance although my wife will occasionally disagree. I feel fortunate to work in times like this. I enjoy the current technology zeitgeist. It's empowered me rather than enslaved me.

Tuesday, October 12, 2010

The Story of 'O' products

It's come to my attention lately that there's a LOT of confusion about the litany of 'O' products ('O' being Oracle). Given Oracle's choice to name everything after itself you end up with a myriad of 'O' products in three and four letter acronyms. Coming from a background of Microsoft products where almost every year the product was renamed to something entirely different for no rhyme or reason (see MIIS to ILM to FIM), I am OK with Oracle renaming everything it buys to "Oracle" something. Still there's a lot of confusion about the products and what they do. Given the recent acquisition of Sun products and their subsequent renaming there's lots of speculation that the products overlap or worse, compete. Some examples: OAAM or Oracle Adaptive Access Manager, and OAM or Oracle Access Manager; given the names, one might think the products are competitors. Naturally in today's business environment where every penny counts as businesses guard their cash reserves you wouldn't want to put anything into production with an overlapping or competitive function. As such, I've been repeatedly asked about things like OIM, OID, OIA, and OAAM and whether they are serving the same function. This post is my attempt to provide some insight as to how those products interact, what purpose they serve, and our roadmap for implementing them.

A good visual is invaluable to show the relationship between the parts of the Oracle Identity Suite. Here's the interaction as presented by Oracle for their products and respective niches they fill:

We're currently implementing the foundation for good Access & Identity Management which is good role based access and role governance. This is served by Oracle Identity Analytics or OIA. OIA will allow us to move away from the very manual process of managing roles today by spreadsheet and SQL Scripts. It will also allow us several key improvements: separating our AIM systems from any and all legacy databases, moving away from the tight coupling of roles (access) to job codes and cost codes, and finally associating access with job functions and responsibilities in the form of enterprise roles. Having a solid grasp on roles is fundamental to our efforts and will provide a multitude of benefits to us, our customers, and the business.

We're also implementing Oracle Internet Directory or OID which will allow us to govern access to Oracle databases. Oracle Internet Directory (OID) is an implementation of LDAP (lightweight directory access protocol) and allows end users to access Oracle databases with their network credentials. This allows us to tie back access to Active Directory as our single point of control for all access in the enterprise. OID will also allow us to manage authorizations in Oracle databases via membership in LDAP (OID) groups, groups governed and approved by the database owners. So Business Intelligence database access will have to be approved by the Business Intelligence team, CRM database access will be controlled by CRM team, etc. All of this access will be requested, approved, and authorized through a single site, the Computer Access Process or CAP.

The CAP itself will get a facelift this year and we're going to improve and extend our provisioning process (see Identity Administration) as we implement Oracle Identity Manager or OIM. OIM will allow us to move away from our Microsoft based workflow engine, which has served our purposes admirably but not without its challenges, and allow us to begin to use OIM's connectors for expanded provisioning to the eBusiness applications. OIM also promises tighter integration with the Oracle owned applications like PeopleSoft and the rest of our Oracle Identity Suite products like Oracle Adaptive Access Manager (OAAM) and Oracle Identity Federation (OIF), two technologies we're going to implement in the next 4-6 months as well. More on Oracle Adaptive Access Manager and Oracle Identity Federation in a future post.

So to RECAP:

OIA: Oracle Identity Analytics - role management, a foundational piece (database) for role based access and role governance.

OID: Oracle Internet Directory - a directory implementing LDAP which will allow us to authenticate Oracle database users via Active Directory and authorize them based on membership in groups (roles) governed in the near future by OIA (no dependency).

OIM: Oracle Identity Manager - a workflow and provisioning engine for extending and enhancing the administration of identities.

OIF: Oracle Identity Federation - a means for federation of our identities with partner organizations. Federation via standards, plain and simple.

OAAM: Oracle Adaptive Access Manager - strong authentication and knowledge based authorizations for websites. Coupled with its capabilities for real time fraud detection and prevention this tool will serve a variety of purposes.