One of my clouds just vanished

I woke up this morning to a flurry of tweets about Google’s announcement that they’ll be killing off Google Reader in a few months time. If you haven’t used it, Reader is a neat tool which brings together feeds from websites which you want to follow into a single place, and it works nicely with apps like Flipboard to create a personalised online magazine of useful information.

Now, this announcement is a pain but not the end of the world. But I do expect that it’ll cause an even bigger flurry of people warning against the perils of cloud services altogether. After all, if the provider can just decide to pull a service which you rely on how can you trust the cloud (and particularly public cloud services) with your business critical functions?

For some time though a host of wiser advisors have been giving straightforward advice about the things to consider when you look to the clouds for your services, and steps you can take to do this safely. And in reality these are much the same as the steps we need to take when planning to buy any sorts of services, whether they’re cloudy or earth-bound.

Making sure that you know how you’ll get your data back and carry on without the service are a key part of planning your strategy. And so is making sure that you understand the business strategy and stability of your provider before you commit to buy from them — especially if the services are for business critical functions.

Reader evaporating is a good reminder of the dangers of cloud naivety. Cloud has lots to offer on a personal and business level. It’s just key to remember that nothing’s perfect and that understanding how you’ll manage risks and continuity is a key part of innovation.

Some thoughts on BYOD (part two of two): so, how can we do it?

In my last post I explained why I think that bring your own device needs to be taken seriously. In this post I’ve tried to bring together some thoughts to suggest how we can go about enabling bring your own in a way that strikes a balance between appropriate security and real benefits for the workforce.

To start with, I thought that it was worth putting down a few things which I think ‘bring your own’ is probably not:

  • securing personal devices in the way we would corporate devices: who’d want to subject their shiny new iPhone 5 or Galaxy S3 to becoming a pseudo-corporate device and have large parts of key functionality switched off to meet security rules? I don’t think that this is necessary, nor is it likely to be very successful.
  • delivering a virtualised Windows desktop to a smartphone or tablet: which can be a fairly painful user experience even for patient people. In my view, this is definitely a last resort where legacy applications aren’t ready for delivery to mobile devices.
  • something that will only work if the user is online: even in central London there are plenty of spaces where consistently reliable mobile internet connectivity is still a dream — and when you step outside of the city it can be even further off…
  • a way to save lots of money: I’m unconvinced that bring your own will replace the need to provide core tools for many (/ most) users for a good while yet, and savings from device costs are quite likely to be swallowed up by the investment required to provide a more flexible infrastructure. And then there’s the support for this new diversity of devices to consider too…

I think that there are a number of practical ways to bring bring your own to life, specifically:

  • take it one step at a time: there are many commentators who make the (valid) point that simply delivering email to personal devices isn’t really achieving bring your own. But given how important a role email plays in people’s working lives, it’s still a good place to start, and personal experience suggests that this is still a Big Thing. In my view we should focus on practical measures to move appropriate access for corporate systems and data beyond the private network, and keep iterating.
  • don’t forget that people have personal computers too: most of the bring your own debate focuses on mobile devices, but virtualised desktops or access to corporate apps via the web using personal PCs is still a great way to make it easy for people to work from home. Indeed, I’ve lost track of how many times I’ve been asked “why can’t I get to that using my home PC?” — not everyone likes lugging a laptop to and from home everyday…
  • policy and training are every bit as important as technology: as I’ve highlighted before, unwise user behaviour is still the #1 cause of security breaches.
  • if you’re doing it encourage it: we’re looking hard to see how we can use employee purchase schemes to encourage wider use of new devices (without cost to our organisation) and maximise the exploitation of the technology change we’re delivering. The Guardian have a great video showing what they’ve achieved with this here.
  • the real hard work will be liberating our information and making it available on any device: this is going to require effort to deliver mobile application management and ultimately mobile information management (Brian Madden gives a useful summary of these terms here), and for me the goal is to provide effective APIs to corporate data — where information security is built into the API — and apps that work with those APIs. This isn’t a trivial exercise though, and isn’t simply about bring your own (actually I think that the real justification for this effort is in mobilising the workforce, better online services and open data). So, as I’ve suggested above, it makes sense to look for the quick wins that can give users a real benefit while the harder work takes place.

Getting the right perspective

For many years now our focus in public sector ICT has been hugely on securing the information which we’re responsible for. There are good reasons for this, and plenty of examples which demonstrate the importance of taking care of the information people trust us with (not that they always do this by choice of course!).

But are we seeing the full picture? In my view there’s a real risk that some other equally important considerations get lost if we only look at technical security measures:

  • Behaviour matters as much as technology: a quick review of fines from the Information Commissioner’s Office shows that a disproportionate number of breaches are due to people’s behaviours with email, faxes and online information.
  • Paper can be as much (or even more) of a risk as electronic information: again, significant fines have been levied in response to lost paper records (which can’t be password protected, encrypted or wiped remotely in the event that they’re lost).
  • We risk focusing on security at the expense of productivity: with a result that business performance is held back and customers lose out in terms of the timeliness and quality of services they receive.
  • We need to be sensible about where we draw the line: there’s a significant difference in my view between critical business information and ‘user-generated information’ such as meeting notes etc. The latter have historically been kept in notebooks and loose paper, and if these haven’t been subject to strict controls before we need to think carefully before we lock them down simply because they’re being taken electronically.

The right approach will depend on what the information is and the context (it’s easy to forget that many private enterprises are every bit as concerned to protect intellectual property and trade secrets as government organisations are to protect public information).

Technology can play a part in changing the balance though, and I’m very drawn to the concept (put forward by Brian Katz and others) that we look afresh at security and move to an approach where we can reliably and securely work with untrusted devices, and instead focus on securing apps and information. My light summer reading has included the useful book APIs: a Strategy Guide, and this has really got me thinking about the potential for successfully using APIs to enforce business controls, and securely unlock information to balance the needs of a productive workforce with our responsibility to keep information safe.

A big step forward in opening up our data

[This first appeared as a guest blogpost on the Lambeth open data blog]

At Lambeth we’ve been delighted to be recognised as one of the leading local authorities for open data (see Openly Local’s ratings), and we see this as an important part of our commitment to be a cooperative council.

We’ve already seen some good examples which show how open data can be used creatively by people outside the council to create useful apps and to give a greater level of transparency for the council’s work.

The recent Made In Lambeth event was a brilliant example of this (find out more here and check out the tweets at http://twitter.com/#!/search/Madeinlambeth).

This will be a journey and we’re determined to do more. Today we are taking the next step in our journey and we’re really excited to share this with you. Our release today includes:

We’re ambitious to go further, and as well as an ongoing programme of work to publish more data and build a rich datastore, we are currently working to build APIs which will let anyone create apps using our data. We’re hoping to have a beta version ready for testing later this summer — please get in touch at opendata@lambeth.gov.uk if you’d like to take part in this. We want to learn about what will work and build something that will make a big contribution to cooperative working.