The Intel IT employee newsletter sat down with Matthew Rosenquist, an IT information security strategist who recently reached the midway point of his 6-month rotation working with the Intel PC security products team, focusing on strategic planning. Intel CIO Diane Bryant is a strong advocate of such job rotations, believing it not only grows the person doing the rotation, but gives other parts of the company exposure to IT’s greatest resource—its people.

 

If you missed it, see Part 1 of the series.

 

Q. Now that you’re settled into your new job, how are things going?
Outstanding! The product groups have welcomed me into the teams and shown the utmost patience with my persistent questions. They, in turn, leverage me as a resource to provide insights of how the consumer and enterprises will view and challenge our security designs and initiatives. I provide the tough questions that the market will voice.

 

Q. What’s one of your key roles in the group?
I sit on the PC Strategic Planning team which ties into the very heart of our products and the bulk of Intel’s revenue.  From this position, I have access to work with specific technology groups to recommend new use-cases, help refine focus to maximize benefit, and drive product roadmaps. In the planning discussions, I help build the Intel playbook with the development of relevant new security feature stratagems, identifying emerging opportunities, warning against inaccuracies of anticipated benefits, and recognizing industry nuances that may lead to unintended consequences in the future. In short, I’m doing what I do best—constructively adding to the planning conversations for a better end result.

 

Q. So, what have you learned so far?
I’ve been exposed to the complex world which develops and manages the process to make intricate technology changes to our products. The cooperation, focus, and deep interaction across hundreds of people are truly mind-boggling. I never knew the amount of time, resources, and effort necessary to innovate, make changes, and deliver our technology to the world. It almost seems surreal as all this feverish effort is for products that will emerge three to five years from now. Unlike IT, these groups rarely have the luxury of seeing or touching something tangible. Everything is on paper, in theory, and described in varying ways. This is all about planning for what doesn’t yet exist.

 

In security, we’re looking to develop meaningful capabilities and services to intersect customer and service provider needs of the future. Many volatile factors affect how security as a market will vary, including how technology evolves, the different ways people will generate and handle data, and the innovative methods attackers are sure to develop to achieve their objectives. Peering into the future is more of an intuitive art than science. Traditional tools of market analysis, partner surveys, and finance estimates are represented in pretty charts, but they’re attempting to forecast the highly chaotic security industry and are therefore potentially misleading, as nobody can accurately predict the future security opportunities. In the product groups, I’ve found common sense discussions are what really drive decisions. The more knowledgeable the people in the room are, the better the outcome. I’ve learned a lot about how Intel delivers products, but I’m still looking upwards at the mountain. With every step, I learn and contribute.

 

Q. From your fresh perspective in IAG, have you learned anything new about IT?
After 15 years in IT, I know the great effort we place in making it easy for the other business groups to leverage us. However, now standing on the other side of the fence, I’ve seen how, in some cases, IT is still difficult to engage. Sometimes, we put our own processes and metrics ahead of what’s needed or best for our enterprise business. There are times when this is the right decision, but we must be open to those times when it’s not. Situations where the business value to our stockholders exceeds the value of alignment to established processes do occur. Breaking with practice may cause a short-term hit to IT efficiency, but may result in a much larger dividend to Intel. As a support and enablement organization, every level of IT must be aware of the big picture and ready to contribute in non-traditional ways.

 

On a humorous note, I’ve always believed IT had far too many acronyms. My viewpoint has now changed. Since I started in IAG, I’ve been inundated with a flood of new abbreviations and acronyms. So many, in fact, I started my own personal glossary to keep them all straight. I’ve surpassed the 350 mark with no end in sight. I add a handful more every day. I’ll never again complain about how many acronyms IT uses!

 

Q. So, what have they learned from you?
The planning and engineering teams are world-class experts on developing and delivering superior integrated computing technology. Designs and features involving processing speed, power efficiency, and I/O are well understood from both the supplier as well as the consumer perspectives. Intel is masterful in leading, adapting, and transforming the industry. We’ve proven brilliance in establishing our brand and selling our products. Security, however, is a new and unfamiliar beast. We’re short on organic security expertise to understand the drivers in the security industry, practical integration and operational challenges, as well as how to sell security to consumers and enterprises.

 

As an example, faster processors, longer battery life, new human/computer interactive modes, and social enabling technology are all sexy and consumers will pay, stand in line, and generally drool for such features. Security, on the other hand, is not sexy. Nobody waits in line for the release of the latest security product. Consumers and enterprises don’t want to pay for security; they only do so because they feel they must. So, the marketing strategy is completely different from the traditional models.

 

This is where IT, specifically the information security organization, can add tremendous value. Within IT, our security department is well versed in the usage challenges of security technologies, the ever-changing threat landscape, and the important role attackers play in the changing trends of what’s important. Every day, IT evaluates the value of security programs, competing technologies, services, and capabilities for internal use. This is the very data needed for our external strategic planning. Additionally, with the acquisition of McAfee, we have another world-class security organization to leverage.  I bring my experience of the security industry to the planning discussion and am working to establish permanent links between the internal IT resources and the IAG development teams. I challenge the engineering-minded teams with the behavioral and usage aspects of the industry. At times, this can be an uncomfortable discussion. Engineers are wired to think about achieving functionality. As an example, engineers tasked with building a hammer will make it strong, cheap to build, ergonomic, and efficient—able to sink nails in one skillful swing. With their job done, they can rest easy in knowing carpenters will be able to use the hammer to build wonderful things with such an efficient and effective tool. Often, the security aspects are missing. Can the hammer be counterfeited, stolen, or used as a weapon to threaten others? These are important considerations in the security product space. Translating back to Intel, we don’t want our products compromised or used in malicious ways, especially when they’re designed to promote security.

 

Tactics to ensure security considerations are understood include the infusion of ‘Red Team’ principles—thinking how the bad guys do, profiling the most likely threat agents, and learning from historical attack methods. These exercises are used by Intel information security internally and can be equally important tools to temper the external feature design process. In spearheading these discussions, I help expand the scope of work from the ‘does the design work’ mindset to include ‘how can someone break it or leverage it to do something malicious.’

 

Recently, I’ve been involved with market value and competition analysis. This includes giving input on how our products will be evaluated by the security industry. In IT, we are particularly critical of outlandish claims of certain security product vendors peddling their wares to Intel, which are quickly dismissed. Our marketing claims must be realistic and accurate. They must properly reflect what we can deliver in the security space. We can’t make the same mistakes we’ve seen from others in the industry who rely on fear, uncertainty, and doubt to artificially drive short-term sales. Important checks and balances exist. Nowadays, a healthy worldwide security community takes the role of evaluating and vetting products and services as expert proxies for the customers. They quickly call out companies who overstate their products or make misleading claims and are particularly ruthless to established corporations looking to leverage the ‘security’ moniker just to sell more products. Understanding how these security experts will measure effectiveness, value, and longevity goes a long way in properly positioning our marketing message. Ethically, Intel always strives to be open, straightforward, and do the right thing. So it comes down to the accuracy in the message of what we deliver.

 

Q. So, what’s next?
Moving forward, I hope to land more security product pilots internally, build more cross-organizational bridges to share insights, and contribute to strategies and designs that intersect future business opportunities in the market. So far, the journey has been exciting, educational, satisfying, and frustrating. The most important measure for me, though, is when I wake up each morning—I look forward to the challenges ahead. Halfway through the rotation and I continue to enjoy every day. I can't wait to see what happens in the next few months!

This week I am hammered by a lot of spam messages on my Facebook page. I was sure those were from my lovely friends clicking on malicious links on their own page. I eventually posted a note asking them to 'stop and think' before clicking on inviting links. A colleague responded and reminded me of law #4 of Malcolm Harkins' Five Irrefutable Laws of Information Security - Users want to click. It suddenly dawned on me that Malcolm's insight was so true. Fortunately, I'm still proud to say that I haven't fallen victim to the malicious links and spammed my friends yet. Some of those inviting links I encountered were obviously malicious. However, some were on the borderline of being legitimate. I had to hold my urge to click. Of course, some of them proved to be bad ones, too, after my friends clicked on them.

 

Here are the 5 laws from Malcolm. You can find them in Intel IT's whitepaper on Rethinking Information Security to Improve Business Agility.

 

  1. Information wants to be free - People want to talk, post, and share information
  2. Code wants to be wrong - We will never have 100 percent error-free software
  3. Services want to be on - Some background processes always need to be running and can be exploited by attackers
  4. Users want to click - People naturally tend to click when they see web links, buttons, or prompts. Malware creators know this and take advantage of it.
  5. Even a security feature can be used for harm - Security tools can be exploited by attackers, just like other software. This means laws 2, 3, and 4 are also true for security capabilities.

 

Under the new connected, always on, and social internet age, how are you, or in fact, how should we all respond to the new paradigm and new kinds of information security risks? In my recent experience, the user is still the weakest link.

Data processing and analytics are important focus areas for various groups within IT.

One of the applications used internally to track our R&D computing-related statistics gets up to 100M records/day. This data is used for computing utilization analysis and optimization, capacity planning and other purposes.

Today, this application is implemented using a traditional relational DB with a SAN backend. Query performance is problematic at this scale; multiple aggregations and extensive tuning are required to achieve acceptable performance for the pre-defined queries.

Ideally, we'd like to store more raw data and allow more ad-hoc analytics capabilities.

With the existing environment, this becomes too expensive.

We recently performed a study of an open source MapReduce framework's applicability for our internal needs.

This is a popular framework that allows for the distributed processing of large data sets across clusters of computers using a simple programming model. It is designed to scale up from single servers to thousands of machines, each offering local computation and storage.

During our exploration, we achieved almost linear performance scalability using the framework. We explored various interface layers, both open source and some commercial ones, which may provide a better user experience for analysts who are not necessarily experienced enough as Java programmers to use the original interface.

We also decided to harden the cluster using login access restrictions, as well as blocking access to the framework's ports from outside of the cluster.

Currently, we see this framework as a possible complementary solution to the relational DB for specific use cases.

 

Are you using any kind of MapReduce or NoSQL solutions in your environment for similar purposes? How well does it serve your needs?

 

Till the next post,

   Gregory Touretsky

Rob@Intel

You can trust me!

Posted by Rob@Intel Jun 16, 2011

There is a great deal of research that shows we need to start trusting users. Now the concept of trusting anyone will leave many security professionals having mild panic attacks. Don’t worry, guys, there is help available!

 

So why should we trust our users? Well, let’s take crossing the road. When you teach a child to cross the road, are you teaching them to only do it with you? I don’t think so. You’re trying to teach them to be independent, and you give guidance so that they develop the skills to cross the road when you’re not there. They can adapt these skills for all different types of road; it’s part of them growing up, and you are looking after them best by teaching them to be able to do this without you.

 

OK, now let’s look at the corporate security department. Taking the same analogy, you should be able to remove all your security staff and the company would still be secure. The employees would be able to work in a secure way and look after the company. Health warning: if the first paragraph caused a panic attack, you’re probably on the floor in a mess by now.

 

Technology is changing and corporate control is reducing and consumer technology can do more. So maybe it’s time to look at the needs of the employees. Enforcing a policy on a device is really not a great long term solution. We need to get better at being able to know our users will do the right thing for the company.

 

Our user education needs to be at the same standard as the child crossing the road. That’s not to say we should not use technology, just that it’s only part of an overall package.

 

Thoughts?

Prior to 1998, Intel used RISC systems in several of our mission-critical environments.  As part of a multiyear strategy, Intel IT began migrating Intel’s most mission-critical computing environments from proprietary systems to Intel® architecture. These environments included silicon design, manufacturing, and global enterprise resource planning (ERP).  Intel’s business results depend on these environments and so we approached the migrations with careful planning.

 

We ultimately chose Intel® Itanium® processor based solutions for 24x7 reliability, large scale-up database and HP-UX based application stacks.  Intel® Xeon® processor based solutions were chosen for highly reliable, scale out applications running on industry standard OS-based application stacks.

 

Migrating our infrastructure from expensive proprietary architectures to Intel architecture solutions was a strategy we used within the Intel IT Data Center environment to improve infrastructure efficiency, solution performance and business agility. The migration from RISC to IA has allowed us to create business value by reducing total cost of ownership and improving performance while maintaining the reliability, availability and scalability requirements (RAS) for these environments. Some key milestones during our migration journey include:

  • All new RISC investment ended in 2004
  • Intel IT successfully implemented a decentralized ERP environment that is based on Intel Xeon processor based servers and supports more than 10,000 active users, after moving off a previously scale-up RISC based infrastructure
  • Intel’s Manufacturing Execution Systems, which track all material, routes and production steps for our manufacturing environments, were migrated from RISC (VAX/Alpha) to Xeon (applications servers) and Itanium (database servers)
  • Our Yield Analysis systems in Fab/Sort were migrated to Itanium-based servers running HP-UX
  • Factory Scheduling has been moved from a scale-up SPARC based solution to a scale-out Xeon-based solution running an industry standard OS.
  • Manufacturing Assembly Test is currently being moved from Alpha to a combined solution architecture of Xeon (application stack) and Itanium (database)

 

As a result of our meticulous planning process and best practices we developed along the way, the migrations turned out to be less difficult—and the benefits greater—than we originally anticipated. Some of the more significant benefits of RISC Migration to Intel’s business can be summarized as follows:

  • Saved $1.4B in capital spending from 1998-2004
  • Data Center density improved 2X to 5X and overall eliminated 20,000 sq ft of data center footprint
  • Reduced server and solution acquisition costs in both hardware and software
  • 2X average performance improvement between IA and RISC

 

Check out this Mission-Critical paper that documents and shares Intel IT's RISC migration best practices and how we ultimately achieved significant business value with little or no interruption to our core business results.

 

Ajay

Before all you security conscious folks start nay-saying regarding the above title, let me throw some use-cases your way. Also, give me the opportunity to explain how I see security shifting: a role re-architecting opportunity. Above all else, I too want to keep the keys to the castle safe and secure. There may be some opportunities to move some things out to the village, away from the castle keep.

 

What data to protect

Each company has their own guidelines for what is allowed out in the public and what needs control applied. As we all start looking at the movement towards bring-your-own (BYO) devices, we are already beginning to reduce our levels of control. Our understanding of use patterns and what we must do is being replaced by other restrictions.  We are drawing a line in the sand and stating that no data (or capability) above a certain level will ever be deployed in a mobile space. You too need to understand what your threshold for control is.

 

The cloud is secure

Do your homework with the vendors offering solutions in this space. You may not want to push everything into that space, but there will be content you are willing to release your grip on and allow to be placed into an environment where it can be highly shared. Don’t worry – it will be alright as long as you plan appropriately.

 

Use-cases for lifting control

Once you move outside of your tight hardware and software stacks, you will begin feeling anxiety around every release. So before this causes you to reconsider a mobile strategy, look closely at your data, processes and consumers. When digging into your data consider doing a full risk assessment around these areas:

 

Start listing how it affects your:

  • Market standing
  • Consumer confidence
  • Intellectual property rights

You may be surprised to find some information has low risks in the public space regarding these three vectors. For those that are not limited, put contingencies in place. Consider only publishing summary information that has applicability to your employees (only).

 

Regardless, only publish the minimum information that is needed. Never push it all and let the consumer figure out what they want, since that is a tenet of the mobile device you need to abide by.

 

What are your thoughts in this area?

JohnSimpson

Ideas from the high seas

Posted by JohnSimpson Jun 8, 2011

Innovation doesn't often come when we schedule it; instead it happens when we least expect it, most often when we are looking for a simple solution to a complex problem. Only when we sit down to solve a known problem do we truly begin to discover the nature inside innovation. We can try and schedule it, wrap it up in policy and structure, but without the construct of a real (or perceived) problem we tend to miss the mark.

 

So what problems have I been trying to solve?

 

Vacations for me have been full of relaxation and innovation. It's only when my mind begins to dissolve the boundaries imparted by business and open up to the possibilities around do I see opportunity. And when I say "around" I really mean with the consumers of the products we make every day.

 

At Intel we are actively working on merging the user experience across different computing platforms. This continuum of experience is key to adoption both inside and outside the business arena. However today I have my non-business hat on (and shorts).

 

There are certain facts about travel today.

  1. We generate more digital content at larger volumes than ever before.
  2. Our devices are running operating systems that do not talk well with one another.
  3. Solution providers have put in place "fixes" in the cloud to solve the interoperability issues.
  4. Not all locations have access to the cloud.

 

So here I sit on a cruise ship writing a blog entry on my tablet with no cloud access. That means I have to utilize local storage to do this function. For writing a blog entry this is a pretty easy solution. What about storing photos or video content? How about using some of the smarter applications that require a persistent connection such as web-based mapping or GPS?

 

This is where I arrive at the problem phase that leads naturally into innovation. How do we, collectively as a larger industry of service providers, solve problems like this, in order to enable that continuum of computing?

 

Storing photos and video content

A long term fix is to fully enable high-bandwidth cloud access on all devices throughout our planet. You would then simply subscribe for space and share with friends and family. Since this won't happen in my lifetime then a more incremental improvement is needed.

 

How about a device that operates between our current systems (tablet, phone, computer and camera) allowing for simple data unload/load? This device should be protected against theft (with encryption) and data loss (with internal mirroring). Something like this could either read straight from the media device or the storage card (reader). Add some extra features such as a small screen with indicators (space available, battery levels) and wired network port (for sharing). Make it small and water/shock proof and you help solve one of my major travel headaches.

 

Before someone explains that we can solve this with a laptop today, did I mention I'm using a small seven inch tablet? Up until this trip we've used a netbook (plus USB memory stick) with great success, but I shifted to a tablet wanting more portability. A device that I can use while standing or when a folding form factor just isn't practical. So my network transfer and backup plan is out the window.

 

I want a device that works seamlessly with my tablet; that solves my backup problem with no impact to my current use patterns for the tablet. Just plug it in (or insert the memory card), select "copy" or "backup", and press a button. No wireless battery drain, no worries of adapters, no concerns over what operating systems work well together. It just works as it should, as naturally as using a keyboard or turning on the television.

 

"John's Traveling Backup" (JTB) should also be able to unload media for ease in sharing to the cloud or with other devices. How many times, while traveling with a group, have you tried to share media? If someone brought a laptop it becomes a memory card juggling act. And then the laptop owner has to remember to burn media discs (many) and mail to everyone. Truly a device to change the world, or at least make my travels easier.

 

Although my wanderings brought up and solved a problem, they did show some of the complexity in the compute continuum work we look at solving. Everyone sees problems around them; it's only through our individual actions that we can be truly innovative. Problem solving in this space can make our computing experience one of excitement coupled with usability wrapped in joy.

 

And when someone is ready to work on the JTB System I detailed above, drop me a note. This is a real problem which needs to be solved for the consumer. A solution which needs technology to solve without getting in the way.

 

PS: I wrote this on my 7" tablet, while floating through the ocean waters around Alaska.

Well, I missed a week but I'm back. In the continuing series of my discussions with Malcolm Harkins, Intel CISO, here is the fourth of five vblogs on the various hot topics. In this week's vblog Malcolm talks about how misperceiving risk can be the greatest vulnerability we face today, whether it is over-exaggerating or underestimating.


If you haven't had a chance to catch the first three, check them out here:
--Malcolm and security and the cloud
--Malcolm talks about how embracing social computing can reduce risk
--Information Security: Is compromise inevitable?

 

We, in Intel IT, have had to rethink how we protect Intel. In the old days, blocking everything and only accessing anything within the firewall was the best way to 'protect' our assets. In the new days, with employees wanting to have access to information and data anytime/anywhere, the old ways of thinking just don't work. In fact, if we keep trying to block and tackle everything, we will actually increase the risk because employees will go around and find their own ways in an effort to be more productive. Check out the attached IT@Intel Executive Insights: Intel IT: Information Security should Protect and Enable.

"What is the best way to get the most ROI from every IT dollar invested?"...that is the question of the day! If someone had THE answer to this question we would all be the heroes. At Intel IT we struggle with this same challenge and we believe that, in part, the answer lies in our IT strategic planning process. If an IT organization has a strong strategic planning process, it can become the foundation for IT investments now and in the future.

 

We have been able to better respond to the dynamic nature of our business since implementing an IT strategic planning process two years ago. As a result, we have been able to better align IT investments with Intel corporate strategies, and better manage our IT budget to improve the business value of IT.

 

We were better able to anticipate key trends like Cloud Computing, IT consumerization and social computing as a result of our strategic planning process.

 

The two resources below outline our IT best practices in this area:

 

  • Executive Insights, Intel IT: Maximizing the Business Value of IT (attached)

and

 

Do you do a strategic planning process in your organization? Does it look anything like what we are doing here at Intel IT?

 

Let's share our best practices and learn from each other!
