Monday, December 28, 2009

Dear Mr President, You have ordered a review of Air Travel Security Systems.

Today I have read that you have ordered an air security review; you want to know how a man carrying explosives managed to board a flight from Amsterdam to Detroit.

The answer is very simple. Today catching terrorists is evidently not a priority for the security services.

Since 9/11 the world’s governments, airports and airlines have put in place a huge security operation. It has revolutionized flying, making airport processes slow and very uncomfortable for millions of ordinary passengers, at huge cost to travellers, because we pay for this through airport taxes. Yet every regular traveller will tell you the security system is completely useless. It is not designed to catch terrorists; it is designed to demonstrate that governments are doing something, anything. When did the airport security systems catch a terrorist? Never! I feel I can safely say that because, had they done so, you can be sure we would have heard about it.

For years we have been telling governments, airlines, anyone who will listen, that the answer to terrorism is differentiated security. In 2002 Richard Veryard, writing in the CBDI Journal, identified three patterns: Ghetto Security, Herd Security and Differentiated Security. Today the security systems use Herd Security.

In contrast, differentiated security means that each individual belongs to a different class defined by profiling. And I note the Christmas Day bomber was on a “watch list” but was not considered sufficiently dangerous to be on the “no fly” list.

What’s needed is a system that uses profiling intelligently as part of a sophisticated range of checks that include before-the-event profiling as well as pre-travel checks. The current system is binary: everyone gets the same security check unless they are on the “no fly” list, in which case they don’t get to travel.

But in 2003 we said that in differentiated services, service outcomes depend on context. This means we need to have better ways of selecting who gets closer scrutiny. In addition to profiles we must also have a range of scanning techniques, not to find the devices – because frankly these will always keep changing and security systems have a hard time keeping up. We need to scan the individual first as input to a triaged process:

- Electronic kiosks could support a range of biometric checks logically equivalent to those a human agent might make - is the passenger sweating, agitated, looking frightened, etc.

- Software can also measure the response time of the passenger, and may make useful inferences about the passenger and his context from any lengthy hesitation - just as a human agent does. Uncharacteristic hesitation may be a sign of impersonation, or it may signal a need for help.

- But actually these high-tech solutions could easily be done today for an intermediate (not low or high risk) class of traveller by interview. The Israeli government does this today for all passengers, which doesn’t scale – hence the need for profiling.

Profiles plus human and automated scanning can drive a triaged process that allows regular travellers, aged grandparents and indeed the 99.999% of travellers to be treated with human dignity, while the .001% are given an appropriate level of scrutiny.

The systems and technology are available to make this happen and could be brought to bear very rapidly. Clearly, from recent public statements, the various levels of profile information are available; they simply are not being used properly. The primary impediment to action is bureaucracy operating without executive direction. They need to be told what to do! This needs someone like you, Mr President, to tell them to go catch the terrorists and stop harassing ordinary, honest citizens.

Differentiation and Security - Three patterns of security

Friday, December 11, 2009

Application Modernization

Over the past few months I have been exploring how SOA is morphing into BAU (business as usual). The parallels with Climate Change are uncanny. There is a highly vocal lobby that would tell you SOA is not happening. Yet all the evidence from both personal experience and industry surveys tells us that SOA is happening for real. How often have we observed that after the hype has died down, real learning and rollout just happens quietly and in private?

I have commented previously that SOA will morph and converge with CEP, EDA, Web 2.0 etc. Also that ecosystems (intra and inter company) will be the primary route to a more strategic version of SOA, rather than enterprise SOA. I refer to this as the Smart Ecosystem.

But smart ecosystems need a basic platform of technologies and business services to get beyond first base. What I observe is considerable activity in what is being termed application modernization. As we start to emerge from the recession there is real business pressure to keep costs and complexity down, and to be able to support the inevitable business demands for new ways of doing business.

A Forrester report commissioned by BluePhoenix shows a majority of IT leaders placing IT modernization as the top software issue. A very high number of respondents indicate their intent to consolidate or rationalize enterprise applications. A very high proportion also indicate they will be using SOA to sort out their legacy problems.

It’s a no-brainer really. We know how to architect and deploy SOA, but efforts to deliver “enterprise” SOA have foundered for lack of relevance to business programs and priorities. In contrast, handled correctly, modernization can provide a sensible platform for sorting complexity and agility issues while delivering business programs.

Most application modernization in process today is strongly technology focused, with objectives relating to platform and language replacement and reengineering. Critically, much modernization is application specific, just replacing one arbitrary application scope with the same implemented in a modern language.

But if this activity is business and architecture driven, the opportunities to deliver business value in a series of coordinated increments have the potential to radically reduce complexity and increase agility while delivering urgent business programs.

At CBDI we are working on enhancing our already popular SAE tools and practices framework to create an integrated application modernization approach. We will be publishing the first cut of this work in the December CBDI Journal. Knowledgebase detail will follow. Needless to say, there’s no industry agreement on definitions. Our first cut on Application Modernization is as follows:

Application Modernization: Rationalize one or more applications or a portfolio to improve business support, technology usage and life cycle and run-time delivery process. Objectives include:

  • Rationalize - eliminate duplicate applications; make multiple overlapping applications consistent.
  • Modernize - upgrade delivery and operational technology and processes, including managed service, offshore, outsourced delivery.
  • Componentize - reorganize arbitrary boundaries to align with business morphology and enable business flexibility.
  • Service Enable - move to service architecture that aligns with business capabilities, services and events.

Can incorporate: Integration, Migration, Reengineering, Rewrite, Replacement, Acquire, Buy not build, Elimination, Functional Improvement, Outsourcing, Offshoring

Be very pleased to hear what others think.

Reference: Application Modernization And Migration Trends In 2009/2010, Forrester,

Reference: CBDI Application Modernization Resources