Building A Low Budget Intranet

Let’s say you have been challenged with building a low budget information distribution solution that might include allowing your user base to update content and possibly post videos or video blogs. This solution would allow your C-level executives to video blog and possibly post other articles of information for your internal staff to consume. In the current technology market, senior executives are seeing online services that allow them to share content on demand through simple user interfaces. Sites like YouTube and Google Video (Google Apps) are drawing attention as ways to distribute information to the information consumer base they are attempting to reach (such as staff). If these solutions meet your need then you should certainly leverage their capabilities as they provide great value. What if the material that will be presented is sensitive and you want a seamless user experience?

Option 1: You could use a service such as Google Apps for the Enterprise and build Single-Sign On (SSO) capability. It keeps you from having to build the content library and delivery mechanism but you’ll have to build the SSO capability. Also, if you’re looking at Google Video you may also be opening the door to the entire suite of Google Apps. I’m just using Google as an example but there are a variety of other online services that you could substitute in. However, to my knowledge, the Office 365 suite does not have a video library offering at the moment.

Option 2: Install SharePoint, or use SharePoint online, and use an internal media server for videos. This would provide the information consumers with a positive user experience but SharePoint can get expensive unless you already have an existing implementation. IIS 7.5 is amazing and the extensions coming out of the IIS team are well worth checking out. The streaming media services for IIS would really polish the user experience but you’d have to build transforms for the media files. There’s a bit of work involved with building the transforms but if you decide to take it on then you’d have a pretty slick streaming media blog. Something to keep in mind is your network bandwidth. If you have consumers accessing the media over low bandwidth network links then I’d recommend investigating one of these first two options. The ability of these services to adjust the video stream for bandwidth is an important variable in the user experience equation.

Option 3: Another option is to build an internal blog. This is a low cost option that requires little maintenance and is easy to set up. You can use Linux as your OS but let’s assume you’re a Microsoft shop and want to run this solution on Microsoft Windows 2008 R2. No problem.

  1. Make sure you have the proper IIS roles installed for administration of a web server
  2. We’re going to use WordPress as the framework running on PHP and MySQL. WordPress gives you a nice customizable framework to work within. Here is a blog post on how to install the necessary software. The article is a bit dated so don’t worry if it’s not 100% accurate. The screen shots are also dated.
  3. You should now have a base WordPress site running on PHP and MySQL on IIS.
  4. Using the Web Platform Installer, download and install the PHP Manager extension. This will allow you to tweak PHP settings through the IIS management interface.
  5. Open PHP Manager and enable the LDAP extension. You may also want to change the maximum upload variable.
  6. I’m not going to detail how to customize and build a WordPress site. There is plenty of information on the Internet about how to do this. There will be a couple of plugins you want to take a look at though.
  7. Active Directory Integration lets you perform LDAP queries against your AD domain for the user base. The plugin will automatically create WordPress accounts for them. This plugin also allows you to automatically assign roles to users based on AD group membership. So, you could have AD groups for authors and admins and add AD user accounts to these groups for role assignment. WordPress will automatically assign or modify the roles based on the group membership.
  8. Embedded Video adds a nice little button to the author page that prompts the author for the location of the video. It can also embed video from online services such as YouTube, Google Video, etc. This gives the author a push button approach to embedding video to a posting.
  9. Set up a file share for local video that authors can copy video to.
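Step 5 is easy to get half right: the LDAP line stays commented out, or `upload_max_filesize` is raised while `post_max_size` keeps its default, so large uploads are rejected. The check below is an added example, not part of the original post or of PHP Manager; the sample php.ini text and the 512M ceiling are assumptions made for illustration.

```python
import re

# Constructed php.ini fragments for illustration (not from the original post).
SAMPLE_INI = """\
[PHP]
; LDAP ships disabled: the leading semicolon comments the line out
;extension=php_ldap.dll
extension=php_mysql.dll
upload_max_filesize = 256M
post_max_size = 8M   ; default left in place
"""

FIXED_INI = """\
[PHP]
extension=php_ldap.dll
extension=php_mysql.dll
upload_max_filesize = 256M
post_max_size = 300M
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}


def parse_size(value):
    """Convert PHP shorthand byte values ('8M', '512K', '1G', '2048') to bytes."""
    match = re.fullmatch(r"(\d+)\s*([KMG]?)", value.strip().upper())
    if not match:
        raise ValueError("unrecognised size: %r" % value)
    return int(match.group(1)) * _UNITS[match.group(2)]


def parse_ini(text):
    """Return (settings, extensions) from php.ini text, skipping comments.

    Simplification: everything after ';' is treated as a comment, so quoted
    values containing ';' are not supported.
    """
    settings, extensions = {}, set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue  # blank line, comment, or section header such as [PHP]
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key.lower() == "extension":
            extensions.add(value.lower())
        else:
            settings[key.lower()] = value
    return settings, extensions


def check(text, max_upload="512M"):
    """Return a list of finding codes for the settings touched in step 5.

    max_upload is an assumed local policy ceiling, not a PHP default.
    """
    settings, extensions = parse_ini(text)
    findings = []

    # The Active Directory plugin needs PHP's LDAP extension to be loaded.
    if "php_ldap.dll" not in extensions:
        findings.append("ldap-disabled")

    # PHP defaults: upload_max_filesize=2M, post_max_size=8M.
    upload = parse_size(settings.get("upload_max_filesize", "2M"))
    post = parse_size(settings.get("post_max_size", "8M"))

    # An upload travels inside a POST body, so post_max_size must be at
    # least as large or the request is dropped before the upload limit applies.
    if post < upload:
        findings.append("post-smaller-than-upload")

    # Every author account can send this much to the web server per request.
    if upload > parse_size(max_upload):
        findings.append("upload-limit-too-large")

    return findings


if __name__ == "__main__":
    for name, ini in (("sample", SAMPLE_INI), ("fixed", FIXED_INI)):
        print(name, check(ini) or "ok")
```
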

You should now have a low cost multi-author blog capable of delivering video with Active Directory integration. Your CEO can now record a video from their Apple iPad, upload it to the file share and blog it in less than 5 minutes. Use categories on posts to allow the consumers to filter posts. Consumers can also be notified of new posts through the built-in RSS capability within WordPress.

If you know of other solutions, let’s hear about them.

What Got Us Here Won’t Get Us There

I had the opportunity to attend a Marshall Goldsmith speaking engagement where he was presenting the lessons from his book “What Got You Here Won’t Get You There”. He is a very personable and engaging entertainer. The session was a full eight hours that unfolded seamlessly as a result of, I assume, many previous engagements. He appears to be a genuinely nice man that enjoys interacting with people. Prior to him initiating his show he wandered around the room introducing himself to individuals and sharing stories. The same occurred at the end of the day where people approached with questions and feedback.

The day was filled with him wandering around the room and engaging individuals with questions. There was ample role playing and partner or group discussion on various topics. I’m sure this makes for either a very short day for individuals that enjoy interacting with others or a very long day for individuals that shy away from these types of activities.

I’m not going to summarize the book or his presentation as I won’t do it justice. The book was a top seller and many people and institutions applaud his teachings. Instead I can provide this link if you’re interested. Alternatively, Google is another option. Instead, I’ll just provide a couple of points I took away and my assessment. The information can be applicable to anyone but I believe his focus is on individuals in the most senior positions.

  • Be aware of what you are communicating and how you communicate it
  • Pay attention to bad habits or look at what you should stop doing
  • Stay focused on the mission and not a single goal. Similar to the age old wisdom of winning the war is more important than winning a particular battle.

If you’ve noticed I’ve used the terms entertainment and show above. I felt like I was attending some type of show with the constant story telling, name dropping, self promotion and interaction with the audience. I can certainly understand the purpose of the approach. A teacher that can relate a point or lesson with an engaging story will hold the attention of the student and increase the level of comprehension. However, for me it felt more like a show. Ultimately it is my responsibility to learn and I have come to understand the methods that are most effective for me. For me, a little more black and white and a little less color is more effective but I believe I may be in the minority. I mention this as a technology leader with an engineering mindset. I look at systems and applications as a science of design and operation. I’m horrible at the art of user interface and experience design. Notice the simplicity and lack of pizzazz on this website?

Anyways, back to the point. My experience was a small sample size but I made a general observation that is supported by a few brief individual conversations with other attendees. Individuals that held senior positions and/or of the baby boomer era or close to it were engaged and seemed to greatly enjoy the session. However, individuals that were in or closer to the Generation X era generally had feedback that there was some good material but we’ve seen a lot of it elsewhere and it was drawn out. It’s an interesting dynamic and one that I’m not qualified to provide anything other than opinions on. Although I will say I am a Gen X’er. It’s an interesting topic to me as we continue to move forward. What will we see as differences between yesterday’s senior leaders and tomorrow’s? Will we see a convergence of science minded leaders into the business leadership structure in traditional businesses? How long will we continue to have traditional business structures?

The Graduate Management Admission Council (GMAC) published research that states at least 66% of graduate degrees are MBA’s. The number of MBA applications continues to increase according to the Council of Graduate Schools through their report on Graduate Enrollment and Degrees: 2000 to 2010. We’re seeing leadership books flying off the shelves faster than ever while independent training organizations and universities are deploying leadership certificates and courses annually. The question I am attempting to pose is, will what got us here get us to where we want to be or are we in a leadership bubble? I wonder if what we’re experiencing is similar to the technical certification boom a decade ago. The difference with leadership is that there is little science behind it and a lack of a strong governing body.

I am not an expert on leadership but it consumes quite a bit of my time at work. I would love to hear alternative views and feedback. In the spirit of full disclosure I have trained or had some exposure to leadership topics via:

  • Fierce, Inc.
  • Marshall Goldsmith
  • Seattle University Center for Leadership Formation
  • Jim Collins

ISC2 Changes to CISSP

Something to be aware of with the CISSP examination, or any ISC2 certification, is that the ISC2 makes changes to it on occasion. This is important to individuals that are studying for the examination because they can add new material that you will be expected to know. The good news is that these types of changes are not frequent and the ISC2 announces the changes in advance. You must be aware of the changes though and attempt your exam before the changes take place or study the new material. Below is the announcement of changes for the CISSP examination that went into effect January 2012.

2012 ISC2 CIB Updates for CISSP, SSCP, ISSEP

Reviewing the CISSP Exam Experience – Part 2

I offered my experience taking the CISSP examination last summer. As I recently took the ISC2 Information Systems Security Architecture Professional (ISSAP) examination I thought I would follow up with another review. As far as the overall experience of taking an ISC2 exam goes it does not matter what test you are taking. The test only determines what questions you are faced with and how much time you have to enjoy your session.

This examination was in downtown Seattle again but at a different hotel from my previous experience. This hotel was in a location where vehicle and foot traffic was much lighter. I arrived about 45-60 minutes prior to the examination time. This allowed time for me to find parking, acclimate to the unfamiliar surroundings and sit in the lobby to review some last minute notes. I stayed in the lobby until there were approximately 10 minutes left before check-in closed. I decided I preferred sitting in the lobby focusing on my priorities versus sitting in the exam room.

I visited the check-in table and was assigned my seat in the back of the room. As I was taking the ISSAP exam I would have a time limit of 3 hours versus 6 hours for the CISSP. With this in mind, they seat the examinations with a shorter duration in the back of the room where the exit was located. At the top of the hour the doors closed with only one person missing check-in as announced by the proctor. I believe there were approximately 20 people attempting examinations in this session. I am not certain but it appeared that there were about 6 of the individuals taking exams other than the CISSP. Based on my observations, I was the only one taking the ISSAP, my table partner was taking the ISSEP and I believe the remaining non-CISSP attempts were for the SSCP.

The setup for the room was very similar to my previous experience. This room was wider and a bit more shallow than the other hotel. There were three columns of two person tables. The tables were some type of brushed aluminum that is susceptible to noise and vibration. I’ve gotten lucky with table partners at both sessions. The only disturbance that could be heard in this room was the elevator shaft adjoining the right rear of the room. I’ll take a low constant drone over rumbling trucks and voices any day though. The proctors also offered foam ear plugs for anyone that wanted them.

The proctors introduced themselves and began the roughly 30 minutes of instruction prior to beginning the examination. There was the usual display of nervousness or just general lack of organization by several participants. Multiple trips to the back of the room by the same individuals to swap out pencils or whatever they felt they needed to do. However, there was no one that seemed like they were out of place or couldn’t follow simple instructions to fill out a bubble sheet.

The go ahead was given to begin the exams and we all dug in. I would say that the ISSAP examination was not extremely difficult but there was certainly a level of complexity to it. I found myself having to read questions multiple times and work through all of the answers. This was a rare case for me on the CISSP examination. My study material for the ISSAP was the official ISC2 ISSAP study guide which I feel is a bit inadequate for the examination. For example, I believe the book could provide coverage of PKI to better prepare candidates.

I finished my exam at the 2 hour mark and could have used the remaining hour to review my answers. Instead I just looked for stray marks and dark circles on my scorecard. I was drained from the exam and was ready to leave. I left with a feeling that I could have been better prepared and faced some difficult questions that surprised me. It was about three weeks when I received the e-mail congratulating me on passing the exam and awarding the certification of CISSP-ISSAP. I definitely passed the exam due to my experience and not my studies for the exam. It’s not an exam to be taken lightly and it is primarily design oriented.

This was a much better experience for testing than my CISSP nine months earlier. My advice for first time examinations is to stay focused and limit your exposure to variables outside of your control. Bring important notes and review them in a quiet space such as the lobby or your car before checking in. Shed your nervous habits if you have them. You’re either going to pass or fail and you are making a serious investment of time and money to attempt these tests. Control what you can and stay focused.

I would be interested in achieving other ISC2 certifications such as the ISSMP or the CSSLP. I think the CSSLP would be a nice complementary certification for an infrastructure professional to prove knowledge of an SDLC and development practices. Unfortunately, there would be no way for me to maintain that many certifications from ISC2. I’ve decided that I could not maintain the CPE requirements for any more than two certifications. I think this might be a policy that ISC2 should take a closer look at in the future. I can appreciate the desire to continue education within specific realms applicable to a certification. Making the maintenance requirements linear reduces the certification population. Of course, maybe that’s the intended result.

Corporate Cost Analysis of Apple iPad & iPhone

The recent news of the Apple iPad 3 got me to thinking about the cost of using these devices in the business environment. It appears that Apple is releasing their iPhone and iPad products about every twelve months. Apple has arrogance about them as a market leader and cannot produce an inferior product. As long as customers are buying these devices as fast as they are being produced I can’t really blame them.  I find it interesting to attempt to understand what this product lifecycle means to organizational budgets.

In my experience I have seen users demanding, or somehow winding up with, the latest version of these devices soon after release. Historically IT departments have controlled the lifecycle of desktop and laptop computers based on budgets or at least the financial lifecycle. These devices are typically considered assets and are purchased using capital which implies a financial lifecycle that requires being written off if disposed of before their lifecycle is complete. In my brief research and understanding of financial requirements it appears that most Apple devices are not considered corporate assets or purchased with capital funds.

I’ve put together some high level numbers to project the cost impact of these devices compared to more controlled assets like desktops and laptops. Your numbers may vary but this is strictly for high level comparison purposes. I’ve assigned a lifecycle of 3 years to desktops and laptops while using 18 months for Apple iPhone and iPad devices. If you’ve managed to maintain a 2 year or greater lifecycle for mobile devices then I congratulate you. For the cost of the devices I’ve used $700 for a desktop computer assuming the monitor doesn’t get replaced every 3 years and $1,200 for a decent laptop versus $400 for an iPad and $200 for an iPhone. Your costs may vary and certainly the iPhone cost is variable based on contract status.

| Device | Cost | Lifecycle (months) |
|---|---|---|
| Desktop | $700 | 36 |
| Laptop | $1,200 | 36 |
| iPad | $400 | 18 |
| iPhone | $200 | 18 |

Next I’ve assigned a percentage of the population that would use each device as not every employee has one of each (I hope). These numbers are subjective and based on my experiences.

| Device | Cost | Lifecycle (months) | % of Population |
|---|---|---|---|
| Desktop | $700 | 36 | 70% |
| Laptop | $1,200 | 36 | 30% |
| iPad | $400 | 18 | 40% |
| iPhone | $200 | 18 | 70% |

I want to look at the 5 year cost impact so multiplying these numbers over 5 years provides the following results. Keep in mind that I am using the average cost per month versus the actual dollars out the door.

| Device | Cost | Lifecycle (months) | % of Population | Cost per 100 users for 5 years | Cost per 1,000 users for 5 years |
|---|---|---|---|---|---|
| Desktop | $700 | 36 | 70% | $81,666.67 | $816,666.67 |
| Laptop | $1,200 | 36 | 30% | $60,000.00 | $600,000.00 |
| iPad | $400 | 18 | 40% | $53,333.33 | $533,333.33 |
| iPhone | $200 | 18 | 70% | $46,666.67 | $466,666.67 |

Now if I divide the purchase price by the lifecycle and multiply by 60 months we can see the cost per unit over a 5 year term.

| Device | Cost | Lifecycle (months) | Cost per unit over 5 years |
|---|---|---|---|
| Desktop | $700 | 36 | $1,166.67 |
| Laptop | $1,200 | 36 | $2,000.00 |
| iPad | $400 | 18 | $1,333.33 |
| iPhone | $200 | 18 | $666.67 |

The frequency of replacing iPad devices starts to add up and exceed the cost of desktop computers in this model. The iPad would need a 21 month lifecycle between replacements in order to equal the cost of a desktop in this model. If you’re in a financially conservative organization and lifecycle your desktops over four years then you need 27 months between replacing iPads to be competitive on a per unit basis.

| Device | Cost | Lifecycle (months) | % of Population | Cost per 100 users for 5 years | Cost per 1,000 users for 5 years |
|---|---|---|---|---|---|
| Desktop | $700 | 48 | 70% | $61,250.00 | $612,500.00 |
| Laptop | $1,200 | 48 | 30% | $45,000.00 | $450,000.00 |
| iPad | $400 | 18 | 40% | $53,333.33 | $533,333.33 |
| iPhone | $200 | 18 | 70% | $46,666.67 | $466,666.67 |

 

| Device | Cost | Lifecycle (months) | Cost per unit over 5 years |
|---|---|---|---|
| Desktop | $700 | 48 | $875.00 |
| Laptop | $1,200 | 48 | $1,500.00 |
| iPad | $400 | 27 | $888.89 |
| iPhone | $200 | 24 | $500.00 |

The cost of the iPad devices seems trivial based on the per unit purchase price that is advertised. However, when we consider the frequency of purchase we start to see that the cost quickly approaches or exceeds that of a desktop computer in an environment where 30% fewer people can leverage the investment. What this tells me is that I should focus on penetration rate or lifecycle if I want to adjust the budget impact for device expenditures. Secondarily, there is a fine balance between purchase price and lifecycle ratio. The price of replacing an iPhone every 18 months may be acceptable at a $200 purchase price but if I am spending $400 for that same device then I’m approaching the cost of a desktop computer with much less functionality.

The CIA and DAD Triads

The core concepts of information security are confidentiality, integrity, and availability. These principles are known as the CIA triad and are the foundation for combating the DAD triad. In this post I’ll provide CISSP candidates a simple tip to remember these core components and allow you to divert your brain power towards more complex concepts.

The CIA triad:

Confidentiality
Confidentiality implies data classification but it is important to have the ability to identify data that requires protection. The first step in this area is to provide an ability to identify a specific piece of data as confidential. Not all information is confidential, and not all information has the same level of confidentiality.

Integrity
One of the most important concerns in data control is the integrity of the data. One must ensure that the data is accurate and reliable at any given time.

Availability
In order for information systems and information security to be effective the information must be available. One major concern is to manage the computer infrastructure from possible threats, such as malicious viruses, power outages, and failures in hardware. The second major concern is ensuring that components are maintained appropriately, providing the required health checks, and making upgrades to hardware and software as required.

These are principles that must be understood and applied appropriately. These principles can oppose each other and must be adjusted, as if on a scale, based on the requirements of the solution or situation. As an example, the best method of assuring confidentiality and integrity could be to lock a paper document in a safe or a server with no network connectivity. However, one should appropriately question if the availability of that solution would meet the needs of the user base.

Having a good understanding of the CIA triad also means understanding the DAD triad. The DAD triad consists of disclosure, alteration and destruction. The DAD triad opposes the CIA triad as I attempt to represent in the less than creative Visio image below.

The DAD triad:

Disclosure
Disclosure can be defined as revealing information. What we want to be concerned with is unauthorized or inappropriate disclosure. Confidentiality attempts to prevent disclosure to unauthorized users.

Alteration
Data can be altered at rest or in transit. If information cannot be trusted it is not information; it is simply data at best. Integrity controls combat alteration.

Destruction
Destruction refers to making the information unavailable. While it sounds fairly simple it can be easy to confuse destruction with alteration. I find it easiest to think of destruction as being total destruction. If the data is destroyed it is no longer available while altered data is still data that is available. I make this point for those that are early in their information security studies.

I realize this all sounds simple. Six letters and memorizing what words the letters stand for is a good study method for CISSP candidates. There are many more complex concepts that require your time and concentration as you progress through your studies. This simple concept is something that will stick with you for years to come.

CIA-DAD Triad Image

Yes, I have seen more aesthetic representations of this information.

You Want To Be A Technology Manager? Master Workload Management

I work in a schedule driven environment. That’s not to say that everything is planned for but it is a project heavy workload. My team is responsible for the design and build of infrastructure systems in support of organizational initiatives as well as the ongoing support and maintenance of these systems. When you add all of this up it is a heavy workload that requires a lot of planning and attention to detail to execute effectively. Part of my job as the leader of the team is to plan this workload, manage priorities and oversee the execution towards our commitments. Regardless of whether the work is project oriented or not the approach is similar. We identify the goals, define tasks, deliverables or outcomes, and plan a schedule to follow for each workload initiative.

I often get approached about ad-hoc initiatives or support work. A business unit wants to do something that is unplanned, as far as I know, or we need to apply engineers to a problem for resolution. This can come in the form of a short troubleshooting incident or more extended requests for analysis. Managing priorities sounds logical enough when everyone agrees what the priorities are or the path of escalation is consistent and clear. However, that is rarely the case in my experience. Priorities change constantly as if each day is a new beginning. It is my responsibility to inform decision makers of the impact of changing priorities and shifting resources. In this day of “do more with less” and “the speed of business” it seems we have lost sight of what it is we really need to do for what we really want to do right now. I understand where this stems from but it certainly makes the job of IT more complex and less efficient.

I’m constantly asked to assign engineers to these unplanned activities with the expectation that we still continue to execute as originally planned. Examples of this would include requests like just assign a systems engineer to perform predictive analysis and determine if any of our storage LUN’s will near capacity in the next X days or just assign a DBA to troubleshoot the performance on the application that was just developed. I can certainly support these requests but they come at a cost. There will be an impact of pulling the personnel off of what they are working on and reallocating them to the request. In an organization that runs fairly lean on personnel we don’t sit around and wait for someone to bring us work.

Beyond my responsibilities to my senior team that I mentioned above I also have responsibilities to the team I lead. It is my responsibility to provide clear direction and allow them the appropriate time and tools to execute that direction. If I’m going to pull an engineer off of a project to troubleshoot for two days then there is impact to the project schedule that needs to be accounted for. That project can’t just continue ahead as if nothing has changed. It’s also not simple enough to say that two days off means a two day delay. In a lean shop I cannot afford to have resource wholly dedicated to an activity for long periods of time. Personnel are typically working on multiple activities for a given time period. That means it all needs to be reassessed and all schedules changed. That could mean a week for the project when we only needed two days for the interruption. Priorities are dynamic based on the current point in time. What is priority one today may be priority two in a week. All of this sounds simple enough in theory but it’s also important to consider the project and organizational impact of these types of delays. What does pulling a systems engineer for two days and causing a one week delay mean to the overall project? Does that mean the software engineers are sitting around waiting for a system build to continue development? That’s not efficient and we must ask if the cost of the delay is worth the change in priorities. Typically the requestor of the change in priorities is not thinking in these terms but is focused on their want or need.

I don’t put a heavier weight on either my upward or downward responsibilities. It is equally important for me to inform and support my senior team as it is for me to inform and support the team I lead. While it is different information and type of support they are both equally important. One without the other can be ineffective or possibly extinct. Without my team there is no need for me and without the senior leadership there may be no need for my team.

Workload management is one of the first skills a manager must begin to master in my opinion. The skill level required and difficulty of execution is determined by the organization. A number of other skills come in handy when attempting to exercise workload management but having your inputs and outputs logically connected can mean you have time to exercise your other skills.

Quest Software Foglight Implementation Review

I purchased the Foglight product from Quest Software in 2010 with the hope of building business service monitoring. My team had reviewed on-site demonstrations from the Nimsoft and Foglight sales teams. We chose Foglight because of the Foglight Experience Monitor appliance and the ability for Foglight to collect data from the .NET CLR. It is one of the few products that can extract and measure very detailed information from custom developed .NET code. This made the product stand out for me even though the Nimsoft product seems to be much simpler to maintain and has a superior architecture. If Nimsoft could access the .NET CLR I would have selected it.

In addition to purchasing the product we also purchased professional services with the intent of having the expertise of Quest Software to implement the system and get us up and running in less time than we could by ourselves. While negotiating the SOW (statement of work) with Quest Software the Foglight sales representative that sold us the product was involved by being on the phone but clearly her responsibility had been fulfilled. She did not engage in helping beyond the sale. Instead I was working with the manager of professional services (Anna) who has a severe lack of customer service skills. Quest Software has one type of SOW and it’s time and materials. You buy hours and they will do as much as they can in that block of hours. In my experience, they will not commit to delivering a solution that meets the customer’s needs and are not willing to work outside of their standard operating model. Also, keep in mind that they will charge for all travel expenses which includes dry cleaning at their hotel.

Once the SOW is signed the PS resource manager schedules all of the resources for the engagement. Most of our resources were scheduled in consecutive weeks, with up to two on-site at a time. The initial step in the engagement was to implement the Foglight Experience Monitor appliances. This is fairly easy and the implementation expert can discover most of the applications by watching URL requests.

The second step in the engagement was to perform an architecture assessment. This is where everything began to fall apart. The architect we were assigned (Michael T.) is not an architect. The first thing we realize is that we need additional licenses to do what we want to do. I’m not sure why the architect is at odds with the sales team but apparently this is a common occurrence with Quest Software and is something to be wary of. I was clear that I was not increasing my license count and he needed to find a way to make the solution work with what we were sold. The architecture assessment document came back from Quest Software with us needing to buy an additional $40-$50k of hardware to operate the software. As part of the sales process we were adamant that we wanted the systems to run in a VMware environment and the architect said it would but there were specific processor requirements that are fairly robust. We were able to negotiate our way into a single piece of hardware with 24 processor cores to run all of the software. The architecture assessment took about two weeks to complete and gain a general agreement from both sides. Once that had occurred we ordered hardware. There were numerous other details that caused conflict through this process but I am not going into additional detail here. We are now significantly out of line with the expectations we had developed based on our engagement with the sales team. Since we had implementation technicians lined up to be on-site the entire schedule had to be changed as we did not get hardware ordered due to the conflicts during the architecture assessment.

Once we had hardware on-site the technicians arrived and started building dashboards and installing cartridges. Once on-site the team expects that they can reboot systems and install software at their leisure. They were surprised when they were asking for information they needed and we did not have it available. Whoever is responsible for collecting that information and providing us with pre-requisites did not perform their responsibilities adequately. We were constantly trying to feed these guys the information they needed so they could complete their work. This was not what I had expected when I paid an organization for their professional services.

When the engagement was completed we were not where I had thought we would be. The Exchange cartridge we purchased was not installed because we were running Exchange 2010 SP2 and they did not support SP2 at that time. Second, there was a proxy service that we wanted to implement for communications through our firewall systems that was not ready for implementation. So, we were left without monitoring systems beyond our firewall. This means we had to pay for another engagement to have them come back on-site and implement these features when they were released which happened to be months down the road. The system was also not performing up to our expectations as it was extremely slow. The excuse we are given is that we shouldn’t use Internet Explorer but Firefox instead.

The technicians that came on-site were generally helpful and had good intentions. That doesn’t make up for a lack of management, coordination and customer service by Quest Software though. The maintenance cost of the software is also higher than industry standards. They build in an incrementing increase annually to support “R&D”. My response to them on this was that it would be cheaper to buy a competing product in three years than to pay for maintenance on their product for three years. They gave me a discount on my maintenance contract.

Foglight can be a valuable tool to an organization as it has an extensive tool set and capabilities. The product is extremely complex though and we’ve learned that even Quest Software support technicians do not know the entire product. I do not intend to purchase Quest Software products to meet my needs in the future.  My experience with Quest Software has been intolerable from the sales cycle to professional services to support. If you choose to do business with Quest Software then I do wish you a good experience. They will not be receiving my business again.

Dreamforce 2011 – Review of My Experience

Dreamforce 2011 was held at the Moscone Center and Marriott Hotel in downtown San Francisco. I’ll start with the preparation for attending the conference. Once registered the attendee is allowed to build their agenda on-line through the Dreamforce application. Let me say that the Agenda Builder tool that you use to select sessions is painful to use. It requires a pretty good amount of time to build out an agenda but it is required. You are not allowed to attend sessions for which you are not registered. Also keep in mind that the sessions have a capacity and once they are full you can no longer register for those sessions.

Once I had a full session schedule I thought I was set. However, about a week prior to Dreamforce I was notified that one of my sessions had been cancelled. So, now I had to substitute it with whatever was left over. I also noticed that the times of my sessions had changed. It’s a good idea to print your schedule the day before you travel and not weeks before as things do change.

Attendance for Dreamforce in 2006 was approximately 5,000 people. In 2010 it had grown to 30,000 and the estimates for 2011 are coming in at 45,000. I would believe it if that number were actually higher. I will say that it was a mad house. Particularly in the lower level of the Marriott. The hallway is jam packed and there are lines for entering every session. It can be frustrating and confusing at times but as long as you have patience it’s something that can be handled.

The two things that disturbed me the most are the attendance level and the quality of information. I did not attend any of the keynote sessions as they were all full. They do plan for overflow and broadcast the keynote sessions into alternate rooms but those filled too. The best thing to do is stream the keynote sessions live via the Internet. This also applies to the Gala and networking event. The headliner was Metallica and no one really knew where they were playing. My understanding is that they were playing in Moscone South but that hit capacity very early. So, overflow was sent to Moscone North to watch the event via a live feed. That hit capacity as well and a couple of people that went over there said they couldn’t make it in far enough to see or hear anything. So, I can’t comment much more on the big bash beyond it being a waste of time walking from my hotel down to the Moscone Center and wandering around. I had also thought of going to the vendor expo center but changed my mind after hearing the experience of someone who had gone in. It took them 20 minutes of standing in line just to exit the building.

I attended sessions on Chatter, RemedyForce, and Workflows & Approvals. For the most part, presenters were reading their slides and in one session the guy just lost track of what he was trying to say and fumbled around until a co-presenter broke in and tried to get things back on track. I didn’t come away with much material from the sessions. My summary of the sessions was how to collect 30 minutes worth of information in four days.

I believe that if you are a sales or marketing professional or are looking to network with others from these areas then it’s probably an ideal setting. Dreamforce is a huge sales pitch that you are paying for. This is an event that I would not consider attending again and would not recommend to Information Technology professionals unless you are an analyst of some type and will be in attendance with your business unit counterparts. I welcome your comment if you feel otherwise. However, I would say there are more valuable events to attend throughout the year. All of the information distributed at Dreamforce will be available on the Internet for you to consume.

Reviewing the CISSP Exam Experience

There is quite a bit of uncertainty and anxiety around preparing and taking the CISSP examination. I thought I would provide my experience in taking the exam. I recently, summer 2011, took the exam in Seattle which was held at a hotel in downtown on a Saturday morning. A major bridge and the main downtown exit for the hotel were closed for construction or maintenance that weekend. The reason for mentioning this is to heed the old advice of arriving early. I arrived about 30 minutes before check-in closed so I sat in my car for about 15 minutes and went over a couple of my notes. I figured a little last minute preparation would stimulate the brain enough early on a Saturday morning.

I went up to the hotel lobby with my registration form and found a line about 15 deep for check-in. There were numerous people in the lobby on laptops running through practice tests and notes. A good number of people in line were doing the same. I had the faint thought that maybe I was ill-prepared as I was fairly empty handed in comparison. Once I made it to the check-in desk I showed my driver’s license and registration paperwork and was assigned a seat.

I took the seat I was assigned near the back of the room and ran through stuff in my head while I watched the others. Everything you bring, with the exception of pencils and liquids, must be placed in the back of the room. This includes all snacks and backpacks. Apparently some people thought the items on the table in the back of the room were available for anyone and provided by the testing facility. A couple of candy and energy bars were snagged by someone other than their owner. The general feeling in the room was uncomfortable with people making poor jokes and small talk. I interpreted this as an attempt to settle themselves. I’m just glad I didn’t show up and have to sit there any earlier than I did.

Once the doors closed the proctors introduced themselves. I believe there were four proctors at this particular examination. One of them is the lead while the other three support. The lead proctor took the next 30 or more minutes laying down the rules. The rules were fairly simple and should not be a complete surprise to anyone who has taken the SAT or similar test. No talking, no uncapped liquid containers on the desk, #2 pencil only, no other objects other than an eraser or pencil sharpener on the desk, only one person leaves the room for a restroom break at a time, raise your hand to get on the restroom break list, etc… Once the rules were communicated the test packets were handed out. Not everyone in the room is taking the CISSP but I would say the majority were at my location.

The next 30 or more minutes were spent filling out the non-test information required to identify and grade your test. These would be things like your name and address. What’s amazing to me is at least one guy couldn’t complete this task without personalized help from a proctor. The guy just started working on the test and we all had to wait while he received his personal attention. Lucky for me that this guy was sitting directly in front of me so I got to experience his antics the entire time. This was not the last.

Finally, an hour or more after the doors closed, we were allowed to start. The room was finally quiet for the first time and it started to set in how poor of an environment this was for taking a test. The room was on street level and in the corner of the building. So, we had street views on two walls. Not only do we get to see and hear every emergency vehicle in the general area we get to feel the seismic impact of every large truck that drives by. I used to sleep one deck below where U.S. Navy jets landed on the USS Nimitz. I can tune out that type of stuff when I need to. I have to imagine it was problematic for others.

As I’m going through the test I realize that these tables may have been picked up from a sidewalk sale at the local dollar store. Even coloring in the circles caused the table to shake. Fortunately there were only two per table and my table partner was not extremely erratic. The next thing I noticed was that people immediately had to use the restroom. We’ve only been locked in a room for an hour and now there are people going in and out of the room. The guy in front of me happened to use the restroom multiple times. Every time he went he would shove his chair backwards and almost knock my table over. Thanks guy.

As I went through the test I would mark down the question numbers that I wasn’t certain of and would come back to them after I completed the test. That worked out fairly well and you can typically glean a bit of information for some questions throughout the test using deductive reasoning. My table mate was the first to complete at around the two hour mark. That’s pretty impressive considering there are 250 questions. I can only assume he answered all 250 but he seemed reasonably prepared before the test.

There were a few times throughout the test where I found myself reading and re-reading questions. I was losing my focus due to all of the activity in the environment. I would just lean back and take in some air and get back to work. However, it may be a good time to get on the list to take a restroom break or grab your snack. Personally I do not like disengaging once I have started something but that doesn’t work for everyone.

Once I completed the 250 questions I went through my answer sheet. Keep in mind the answer sheet is a bubble sheet. I figure it’s worth taking a couple of minutes to fill in any lightly marked bubbles and make sure my erased bubbles were as clean as they were going to get. I then raised my hand for a proctor to attend to me and walked my test up to the front desk. I walked out the door at just under four hours into the six allotted hours. I felt pretty good about my time and my test. I wasn’t counting but I finished in the top ten with regard to time taken. The majority of the group was still heads down on their tests as I walked out.

There were only a couple of questions I struggled with. A couple were on network authentication protocols from a decade ago that I was not extremely familiar with. I found it amusing that I was a network engineer during the years these protocols were in use and that is what I was struggling with the most. I had never applied them though as there were better options available for my needs at that time. The second most problematic questions for me were what I believe were the research questions. Obviously, I can’t know they were research questions for a fact but I’m sticking to that story. The questions were around GPS telephony communications which did not fall into the realm of my studies or experience. There is no credit given for research questions.

I have no idea if my experience was normal but I don’t believe it is an exception based on other stories I have heard. Prepare yourself and be confident in your knowledge and abilities. I don’t believe the test was difficult but the experience can be rattling for those that get nervous or do not do well taking tests. I’m glad it’s over and done with but I wouldn’t be hesitant in taking the exam again. I received an e-mail approximately 15 business days after completing the test notifying me that I had passed and could now continue the process towards receiving the certification of CISSP.

Dreamforce 2011

Dreamforce is Salesforce.com’s annual exposition and will be hosted in San Francisco, CA the last week of August. It’s a great event for networking with a variety of individuals, learning about cloud capabilities and the future of cloud technology, and an all around party. When was the last time you saw Metallica headlining a technology event?

What value is there for an infrastructure minded individual? I’m interested in getting more insight on the following topics:

  • Maximizing our investment – We’re already a Salesforce.com customer. How can we better maximize our investment in this technology and what does the technology roadmap look like?
  • Chatter –  Is Salesforce.com Chatter something we can use more effectively to share information and collaborate?
  • Integration – As our Salesforce.com utilization increases what integration aspects do we need to consider and how do we approach them?
  • Information Security – What security controls are impacted by the Salesforce.com model? How does our information security model need to change?
  • Application Architecture – While I’m not responsible for application development I work closely with the development team to understand their needs and infrastructure is part of the SDLC. As we begin to move applications into cloud based frameworks there are impacts to the infrastructure and security that need to be considered.

I’ll provide my thoughts and review of Dreamforce ’11 in September after the event.

RIM Open Letter to Senior Management Released Today

An anonymous letter to the Research in Motion (RIM) Senior Management team was posted to the Internet today. The letter can be found here at www.bgr.com. CNET also has a couple of articles referencing it and the response which can all be found through this link.

I find the letter very interesting with some valid points. I have no idea what RIM’s work environment feels like. However, there are some valid points in the letter that can be applied to many organizations. It’s unfortunate that the letter is anonymous but based on the culture implied by the letter it would seem that retaliation could be possible.

The market is too competitive and crowded. I don’t know how RIM is going to survive without revamping their product line and strategies. Personally, I’m ready to start moving away from the BlackBerry Enterprise Server (BES) and let McAfee Enterprise Mobility Manager (EMM) take over. The pricing may not be quite as good but the flexibility of the platform and ease of administration is worth the trade. I’ve spent more hours maintaining and supporting BES than I have for EMM in the same period of time. On top of that the user base wants the functionality that the new handheld platforms offer. RIM used to be a market leader and changed the game but they have let others catch up and surpass them. They have become redundant and almost irrelevant.