Thursday, 30 September 2010

Dynamic BPM Success Story

Sandy Kemsley brought us some good news here with
  • a government department going from legislation to operation system in 12 months;
  • agile methods in a government program of work;
  • (dynamic) BPM underlying case management
What a pity the growth 'industry' is the UK's Insolvency Service.

Tuesday, 28 September 2010

Intercepts for Facebook etc?

Computerworld seems to have woken up to this issue, which has been around the privacy community for some time.

The Obama Administration is reportedly considering a statute that would make it easier for federal authorities to intercept communications over services such as Facebook, Skype and BlackBerry -- an idea that's stoking anxiety within the privacy community.

The debate includes worthy noises about the need to eavesdrop on terrorists but does not address the trust that gets placed in the government agency.

For those of us outside the US whose communications are incidentally caught up in US service providers like Google or Skype, there is another set of considerations.
  • Does every tin-pot government agency in the world get its own feed from the communications honeypot?
  • Are we going towards a 2-level communications regime (inside and outside US regulation)?
  • While the end-to-end encryption inherent in RIM's BlackBerry defeats the eavesdropper, it is easily identifiable that encryption is taking place, and that could lead to the assumption that the parties involved are 'evil' rather than simply private.

Those interested in privacy rights would do well to advocate end-to-end encryption of every communication, to make wholesale eavesdropping ineffective until encryption scheme breaking moves forward a few more generations.

UPDATE: An expert view here from Bruce Schneier.

Friday, 17 September 2010

Security Barriers are not Enough

Lauren Weinstein commented reasonably on the Alleged Snooping at Teens' Data by Google Engineer. Yet again we are shown that technology is no match for the evilly disposed or simply stupid. You do not have to be a conspiracy theorist to understand that there is a lot of sensitive information flying around the internet, or that by collating seemingly harmless data, sensitive information can be reconstructed. Points of concentration in the network (your ISP, Google, Bing and the like) increase the threat simply through the quantity of data available for analysis. Network security, database security and the strangely titled "Site Reliability Engineer" have fairly free range to see controlled information in order to do their job, but are they to be trusted? And who watches the watchers?

The trusted person does not have to be in the shadows. There are plenty of jobs where an authorised person could misuse authority. Law enforcement immediately springs to mind. Generally we trust those people in law enforcement; they are checked, double checked and swear allegiance. But what do we do when people in these positions abuse the trust? In New Zealand, they get promoted!
A senior policeman caught accessing the police computer to pass on information to a private investigator working for convicted pack rapist Brad Shipton has been promoted to head the Police College's investigation and intelligence school. In 2005, then Senior Sergeant Dave Archibald was reprimanded for accessing the computer system known as National Intelligence Application during the trial of former police officers Shipton, Bob Schollum and two Mt Maunganui residents.
(from Dominion Post 25/08/2010)
Remember that it is the information that has to be controlled and protected, and that its presence in a computer network is not the whole of its life. On the systems side we need to ensure that:
  • information is appropriately classified
  • if the information needs to be restricted to authorised parties, there are systems
      • to ensure that the information access is appropriately controlled
      • to track the handling of that information so that misuse is detected
and, out in the real world, we need to behave as though privacy and personal security matter.
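
An added example, not part of the original post: a minimal sketch of the three systems-side points above, where records carry a classification, reads are checked against clearance, and every attempt is logged so that a cleared person reading outside their assigned work shows up for review. The classification levels, user names, record ids and case ids are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed classification scheme, lowest to highest.
LEVELS = {"public": 0, "restricted": 1, "sensitive": 2}

@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    case_id: str          # the piece of work the record belongs to

@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    assigned_cases: frozenset = frozenset()

class Store:
    def __init__(self, records):
        self.records = {r.record_id: r for r in records}
        self.audit = []   # every attempt is logged, allowed or not

    def read(self, user, record_id):
        rec = self.records[record_id]
        allowed = LEVELS[user.clearance] >= LEVELS[rec.classification]
        in_scope = (rec.classification == "public"
                    or rec.case_id in user.assigned_cases)
        self.audit.append({"user": user.name, "record": record_id,
                           "allowed": allowed, "in_scope": in_scope})
        if not allowed:
            raise PermissionError(f"{user.name} may not read {record_id}")
        return rec

def review_queue(audit):
    """Entries a reviewer should see: denied attempts, and permitted reads
    by a cleared user of a record outside their assigned work."""
    return [e for e in audit if not e["allowed"] or not e["in_scope"]]

def demo():
    store = Store([Record("R1", "sensitive", "case-17"),
                   Record("R2", "sensitive", "case-42"),
                   Record("R3", "public", "none")])
    alice = User("alice", "sensitive", frozenset({"case-17"}))
    bob = User("bob", "restricted", frozenset({"case-42"}))
    store.read(alice, "R1")           # cleared and assigned: not flagged
    store.read(alice, "R2")           # cleared but not assigned: flagged
    store.read(alice, "R3")           # public: not flagged
    try:
        store.read(bob, "R2")         # assigned but not cleared: denied, flagged
    except PermissionError:
        pass
    return review_queue(store.audit)
```

The second flagged case is the one access control alone never catches: the read is permitted, so only the audit trail and someone reviewing it reveal the out-of-scope access.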

Tuesday, 14 September 2010

Signalling in BPMN

At the risk of raising the ire of those that want to avoid precise meaning in their process flow diagrams, I recommend a study of Anatoly Belychook's handy primer on the use of the signal event.

I would emphasise that the signal event allows the ultimate "late binding". You do not have to design the world process ... only the bit you are in control of at the moment. When you come to an event that you know will be useful to another bit of the enterprise ... Signal ... then when a use is found in another bit of process design you do not have to redo the process design work again. Of course, you will need a way to hunt down these useful signals and some standardisation of how they will look in your enterprise.

For those of us that look forward to the executable process, Signals also provide a simple communication method between parallel flows within the same pool and avoid the process designer having to think too much about implementation level stuff like writing data to a store somewhere.

Wednesday, 1 September 2010

BPMN only part of the solution

Scott Francis takes up the pen in the ongoing and tedious debate about BPMN (enough, too much, too hard, too rigid, too imprecise ...) and makes the excellent point that "too many people think that BPM starts and stops with BPMN!".

With a very small set of symbols, BPMN allows a range of expression of process definition from a whiteboard-quality overview to the precision of a computer algorithm for calculating Pi. Even with a palette of 1007667 English words, it is very difficult to get the necessary precision for specifying a business process. Working on the basis of the average reader using only a small subset of those possible words (about 2000) it is clear that we need something more formal than text to get to commitment on what a process is or should be.

It would be really scary if those responsible for the operation of multimillion dollar enterprises can't take on the meaning of a set of symbols that can be put on a small wallchart.

The sad thing is that there is not a similar set of symbols that could be used to encapsulate other aspects of the business canvas so that discussions on whiteboards, or around coffee-bar napkins could be more enduring and useful communication of requirements.