Tuesday, October 07, 2014

Failure never smelled so sweet

Politics/IT crossover moment! In his Globe & Mail column today, Gary Mason has this to say about the negotiations underway to bring LNG terminals to the BC coast:

Quick primer for the IT audience: in the last election the government promised 100s of thousands of jobs and 100s of billions of revenue (and amazingly, I'm not exaggerating those figures) should BC successfully seed an LNG "industry" on our coast. It was basically all they talked about in the campaign. Unsurprisingly, having placed all their political eggs in the LNG basket, the government is now at the mercy of the companies that are supposed to bring us this windfall, as Mason notes below.

There is an enormous amount at stake for the Premier and her government. From the outside, it appears B.C. needs Petronas and the others more than they need B.C. Ms. Clark comes out the loser if those companies walk away and her LNG dream evaporates. She can also lose if her government signs desperate deals [emphasis mine] that are deemed to be so slanted in favour of the project promoter that the province becomes a global laughingstock.

Actually no, as anyone on a failed IT project knows, after a desperate deal is signed, both the LNG proponent (vendor) and government (manager) will get together and sing the praises of the finished deal.

"It's a world class deal, and it was a tough negotiation, but we did it", the government will say.

"They drove a hard bargain, but we think we can make it work", the proponent will say.

The media at best will run a he said/she said with the government's claims against the opposition's analysis, and we'll all move on. The government won't be the loser in the case of a bad, desperate deal; the people of BC will.

Just as, when a vendor and a dependent manager deliver a shitty IT project and declare it the best thing since sliced chips, it's the users who suffer in the end.

Friday, October 03, 2014

Solving Boundary-Similkameen

When analyzing the new legislation governing redistricting in British Columbia this cycle, I noted in passing that the creation of three "protected regions" creates an isolated, unprotected region in the Okanagan. If there are districts that have unbalanced population in the Okanagan, the only way to solve the problem is moving population around inside the Okanagan.

Well, there is a district with unbalanced population: Boundary-Similkameen (37,840) is 30% below the provincial population average (54,369), and 36% below the average population of unprotected ridings (58,810). So about 15,000 people need to be added.

On the face of it, this is no problem: the other ridings in the region have excess population in the 4% to 14% range, so there are lots of people to transfer to Boundary-Similkameen, in theory. The trouble is, people don't live in a nice uniform distribution over the whole land area of the region. They are clumped together.

Here's what the situation looks like now:

The commission cannot take population from the east or west, since those are both protected regions; the only direction to go is north. But to the north is Penticton, with a population of 33,000. The whole of Penticton cannot be added, so the only way to balance Boundary-Similkameen is going to be splitting Penticton in half.

Splitting communities in half, particularly small ones that are much smaller in population than the district itself, is generally avoided by Canadian boundary commissions, because retaining jurisdictional integrity is one of the concerns they attempt to address (unlike the US of A). One of the "failures" of the last commission was the splitting of Williams Lake between Cariboo North and South.

If the commission were drawing borders without the artificial restriction of the protected regions, it would be possible for Boundary-Similkameen to discard some of its communities on the east and west edges (into underpopulated ridings that need the help) and transform into a simple north-south oriented riding running from Penticton down to the US border.

However, that's not on. It's not the only conundrum the commission will be wrestling with, either.

Monday, September 22, 2014

PostGIS Feature Frenzy

A specially extended feature frenzy for FOSS4G 2014 in Portland. Usually I only frenzy for 25 minutes at a time, but they gave me an hour long session!

PostGIS Feature Frenzy — Paul Ramsey from FOSS4G on Vimeo.

Thanks to the organizers for giving me the big room and big slot!

Tuesday, September 16, 2014

PostGIS for Managers

At FOSS4G this year, I wanted to take a run at the decision process around open source with particular reference to the decision to adopt PostGIS: what do managers need to know before they can get comfortable with the idea of making the move?

The Manager's Guide to PostGIS — Paul Ramsey from FOSS4G on Vimeo.

Saturday, August 09, 2014

That's not a strategic plan...

Strategy documents

Did I just see you yawn? Let me try again. Strategy documents.

Setting high level goals is important, but the process walks a knife edge: Are the goals too general to be realized? Are they too specific to provide a guide to the whole organization?

Here are the goals from the BC CIO's strategic plan:

  • Adopting and incorporating outcome management in strategic planning activities;
  • Applying integrated, collaborative, consistent and transparent approach to strategy development;
  • Developing and delivering on IM/IT goals and objectives; and
  • Optimizing collaboration across the division and with stakeholders

It's hard to choose where to start hating these: the focus on process; the organization-centric worldview; or the relentless use of the passive voice. You choose.

When Vivek Kundra took over as Barack Obama's CIO, he produced a 25 Point Implementation Plan to Reform Federal Information Technology Management:

  • Apply “Light Technology” and Shared Solutions
    • Complete detailed implementation plans to consolidate at least 800 data centers by 2015
    • Create a government-wide marketplace for data center availability
    • Shift to a “Cloud First” policy
    • Stand-up contract vehicles for secure IaaS solutions
    • Stand-up contract vehicles for commodity services
    • Develop a strategy for shared services
  • Strengthen Program Management
    • Design a formal IT program management career path
    • Scale IT program management career path government-wide
    • Require integrated program teams
    • Launch a best practices collaboration platform
    • Launch technology fellows program
    • Enable IT program manager mobility across government and industry
  • Align the Acquisition Process with the Technology Cycle
    • Design and develop a cadre of specialized IT acquisition professionals
    • Identify IT acquisition best practices and adopt government-wide
    • Issue contracting guidance and templates to support modular development
    • Reduce barriers to entry for small innovative technology companies
  • Align the Budget Process with the Technology Cycle
    • Work with Congress to develop IT budget models that align with modular development
    • Develop supporting materials and guidance for flexible IT budget models
    • Work with Congress to scale flexible IT budget models more broadly
    • Work with Congress to consolidate commodity IT spending under Agency CIO
  • Streamline Governance and Improve Accountability
    • Reform and strengthen Investment Review Boards
    • Redefine role of Agency CIOs and Federal CIO Council
    • Rollout “TechStat” model at bureau-level
  • Increase Engagement with Industry
    • Launch “myth-busters” education campaign
    • Launch interactive platform for pre-RFP agency-industry collaboration

While there's still a certain amount of navel-gazing at internal concerns, around things like CIO councils and review boards, the plan at least is made up of actions, stated in the active voice, most of which can be evaluated on a done/not-done basis over time. The organization can track whether it is executing this plan, and whether staff are allocated to its accomplishment.

Of more recent vintage, the UK Government Digital Service has a strategic plan (note: available in simple HTML):

  • Improve departmental digital leadership
  • Develop digital capability throughout the civil service
  • Redesign transactional services to meet a new Digital by Default Service Standard
  • Complete the transition to GOV.UK
  • Increase the number of people who use digital services
  • Provide consistent services for people who have rarely or never been online
  • Broaden the range of those tendering to supply digital services including more small and medium sized enterprises
  • Build common technology platforms for digital by default services
  • Remove unnecessary legislative barriers
  • Base service decisions on accurate and timely management information
  • Improve the way that the government makes policy and communicates with people
  • Collaborate with partners across public, private and voluntary sectors to help more people go online
  • Help third party organisations create new services and better information access for their own users by opening up government data and transactions

There are fewer done/not-done items here than in the US plan, but a lot less emphasis on internal processes and more on achieving results for "people" (the word "people" shows up in four of the twelve points). The plan is focused not on internal processes, but on external results.

Which organization is likely to produce more positive results for the people who pay their salaries? The one "optimizing collaboration across the division"? Or the one that seeks to "increase the number of people who use digital services"?

This can be (heck, it IS) deathly dull, but these documents provide the base note over which the activities of an organization are laid: does this organization accomplish things, or does it talk about how best to accomplish things? You can tell a lot, and learn a lot, from these documents.

Wednesday, July 30, 2014


Bill Dollins wrote an excellent paean to the positive aspects of vendor lock-in, which is worth a few minutes of your time:

Lock-in is a real thing. Lock-in can also be a responsible thing. The organizations I have worked with that make the most effective use of their technology choices are the ones that jump in with both feet and never look back. They develop workflows around their systems; they develop customizations and automation tools to streamline repetitive tasks and embed these in their technology platforms; they send their staff to beginning and advanced training from the vendor; and they document their custom tools well and train their staff on them as well. In short, they lock themselves in.

I think locking yourself into a good technology could have all the positive knock-on effects Bill lists. But, we never quite know what we're getting, good or bad, until we've spent some time with it. Which to me means being carefully modular and standards-oriented in design (which is to say, the opposite of how most vendors will architect a solution).

The BC Integrated Case Management (ICM) project yet again provides an excellent example of the negative aspects of vendor worship. In this case, ICM chose their software vendor first (way back in the single-digit 2000's they chose Siebel), then chose their system integrator (Deloitte), and finally began to get the first major phases of delivery a couple of years ago. One result of this slow motion train wreck is that the Siebel software is dragging other aspects of the Ministry's technology base down to its level.

For example, among the limitations (scroll to the bottom) ICM (Siebel) imposes are:

  • "Using any version of IE other than IE 8 may result in unexpected behavior". So no IE 9, 10, or 11. Also, no Windows 8 support, since IE 8 only works on Windows 7 or earlier. Also no browser other than IE.
  • "The 32-bit ActiveX Siebel plug-in does not work with 64-bit IE". So all sorts of potential collisions between 64-bit/32-bit libraries. (The sysadmins weep.)

Only a few years after launch, ICM is already locking the Ministry to desktop technology that is several versions out of date, which will in turn restrict flexibility for doing more modern work in the future. This is one of the downsides of lock-in.

Wednesday, July 16, 2014

BC IT Outsourcing 2013/14

"O frabjous day! Callooh! Callay!"

The BC Public Accounts came out today, so it's time to update the statistics and see how the IT consulting racket shaped up in BC last year. Judging from the sharp suits on the streets and general perkiness of the local IT labour market, I'd guess "pretty peachy", but there's something to be said for actually checking the numbers.

Totalling up all the Usual Suspects, I am pleased to report that 2013/14 was another record-breaking year in technology outsourcing: a $435,350,420 spend, that's up 11% over last year! Rockin' it!

Let's put that in perspective, shall we?

  • IT sourcing rocked it with an 11% gain.
  • Overall government spending was up $174M on a budget of $43B, for a gain of 0.4%.
  • The government recently offered the teachers a contract with a 1.1% (average) annual wage lift.
  • Canadian inflation in 2013 was 1.24%.
  • BC education spending increased 2.6% over last year.
  • BC health care spending increased 2.1% over last year.

I said it last year, and I'll say it again this year: suck on that, children and sick people! Who's the boss? IT people are the boss!

Once again, in the individual category, HP Advanced Solutions reigns supreme, billing out $138,407,858, a 6.8% gain. HP's growth is slowing though, and my favourite systems integrator, Deloitte, just closed a monster year with 51% year-over-year billings growth and a take of $54,294,507. Look out HP, someone hungry is on your heels!

I recently discovered that there's a significant government IT spend in the health authorities, so I'm looking forward to adding some new stats over the summer. In addition, I feel like leaving Telus out of the accounting is an increasingly hard call: while much of their billing is infrastructure stuff like group cell phone plans and connectivity, they also have a huge new outsourcing arm doing all sorts of not-at-all-like-a-telephone stuff: Telus Health, anyone?

Until next year, keep on spending, British Columbia!

Monday, July 07, 2014

Some Privacy is More Private Than Others

One of the things that struck me in researching the long and tortuous story of how the government is trying to move British Columbians' private data into off-shore cloud computing services was the odd choice of the pilot project for the whole scheme: STADD.

What's STADD? It's "Services to Adults with Developmental Disabilities".

That's right, adults with developmental disabilities are the subjects of the BC government's experiment to see "hmm, I wonder if we can offshore private data using fancy tokenization software".

Let me put some icing on the cake.

The BC Liberal caucus has to manage information about the citizens who access services via their constituency offices. These are their "customers" and they use a "customer relationship management" (CRM) system to hold the information.

Are they storing this personal information offshore? Are they trying to shoehorn it into salesforce.com using tokenization software to avoid FOIPPA restrictions and protect their constituents from the PATRIOT Act?

No, that would be risky, that's the kind of thing that STADD can pilot. The BC Liberal caucus uses a product called "Maximizer CRM". Designed, built and hosted in... Vancouver, British Columbia.

FOSS4G 2014 in Portland, Oregon, September 2014

Just a quick public service announcement for blog followers in the Pacific Northwest and environs: you've got a once in a not-quite-lifetime opportunity to attend the "Free and Open Source Software for Geospatial" (aka FOSS4G) conference this year in nearby Portland, Oregon, a city so hip they have trouble seeing over their pelvis.

Anyone in the GIS / mapping world should take the opportunity to go, to learn about what technology the open source world has available for you, to meet the folks writing the software, and to learn from other folks like you who are building cool things.

September 8th-13th, be there and be square.

Friday, July 04, 2014

Tokenization and Your Private Data (5)

Recapping (last time):

  • (Day 1) The government is interested in using the salesforce.com CRM and other USA cloud applications, but the BC FOIPPA Act does not allow it.
  • (Day 2) So, the BC CIO has recommended "tokenization" systems to make personal information 100% obscured before storage in USA cloud applications.
  • (Day 3) But, using truly secure tokenization renders CRMs basically useless, so software vendors are flogging less secure forms of tokenization hoping that people won't notice the reduced security levels because they still call it "tokenization".
  • (Day 4) And, the BC Freedom of Information & Privacy Commissioner distinguishes between "encryption" (which is considered inadequate protection for personal information held outside Canada) and "tokenization" (which is considered adequate (but only where the "tokenization" itself is "adequate" (which seems to mean "fully random"))).

While this series on tokenization has been a bomb with regular folks (my post on the BCTF and social media got 10x the traffic), one category of readers has really taken notice: tokenization vendors. I've gotten a number of emails, and some educational comments as well. (Hi guys!)

For the love of the vendors, I'll repeat yesterday's postscript. I think I have been overly harsh on the cloud security vendors, because there are really two questions here, which have very different answers:

  • Is less-than-perfect tokenization better than nothing? Yes, it's a lot better than nothing. Even with less-than-perfect tokenization, employees of the cloud software companies can't just casually read records in the database, and an entity wanting to break the security of the records would need to extract a pretty big corpus of records to analyze them to find information leaks and use them to break in.
  • Is less-than-perfect tokenization acceptable for BC? No, because of the FOIPPA law, and because the Commissioner has already set a very very very high bar by not allowing standard symmetric encryption (which can be very very secure) to be used to host personal data outside of Canada.

It's worth re-visiting the two key phrases in the OIPC guidance, which are:

Tokenization is distinct from encryption; while encryption may be deciphered given sufficient computer analysis, tokens cannot be decoded without access to the crosswalk table.

What I take from this is that the OIPC is saying that "encryption" is vulnerable (it "may be deciphered"), and "tokenization" is not (it "cannot be decoded"). Now, as discussed on day 3, the "cannot be decoded" part is only true for a very small sub-set of "tokenization", the kind that uses fully random tokens. And the OIPC is aware of this, though they only barely acknowledge it:

Public bodies may comply with FIPPA provided that the personal information is adequately tokenized and the crosswalk table is secured in Canada.

If you take "adequately" to mean "adequately" such that "tokens cannot be decoded without access to the crosswalk table" then you're talking about an extremely restrictive definition of tokenization. A lot more restrictive than what vendors are talking about when they come to sell you tokenization.
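To make that distinction concrete, here is an added example (my own illustration, not code from the OIPC, from any vendor, or from the earlier posts in this series) contrasting fully random, crosswalk-backed tokens with deterministic "searchable" tokens over a constructed set of CRM records: the random tokens leave the cloud copy with no structure at all but also defeat CRM-side search, while the deterministic tokens keep search working at the cost of reproducing the plaintext's frequency pattern. The records, the key and the class names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records (not data from the post): a CRM field staff
# would want to search on, with some repeated values.
RECORDS = [
    {"id": 1, "city": "Victoria"},
    {"id": 2, "city": "Vancouver"},
    {"id": 3, "city": "Victoria"},
    {"id": 4, "city": "Kelowna"},
    {"id": 5, "city": "Victoria"},
    {"id": 6, "city": "Vancouver"},
]


class RandomVaultTokenizer:
    """Fully random tokens: the crosswalk table (token -> value) is the only
    way back, so it stays with the custodian. The cloud copy gets tokens
    that carry no structure at all, not even equality between records."""

    def __init__(self):
        self.crosswalk = {}

    def tokenize(self, value):
        token = secrets.token_hex(8)
        while token in self.crosswalk:  # collisions are vanishingly rare, but be exact
            token = secrets.token_hex(8)
        self.crosswalk[token] = value
        return token

    def detokenize(self, token):
        return self.crosswalk[token]


class DeterministicTokenizer:
    """Vendor-style "searchable" tokens: the same value always maps to the
    same token. A keyed hash keeps the plaintext out of the cloud, but the
    token column reproduces the plaintext's frequency pattern."""

    def __init__(self, key):
        self.key = key  # hypothetical secret, held by the tokenization server

    def tokenize(self, value):
        return hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()[:16]


def tokenize_records(records, tokenizer):
    """Swap the sensitive field for tokens before the records leave Canada."""
    return [{"id": r["id"], "city": tokenizer.tokenize(r["city"])} for r in records]


def value_frequencies(records):
    """What anyone holding only the cloud copy can compute: how often each value repeats."""
    return sorted(Counter(r["city"] for r in records).values(), reverse=True)


def find_by_city(tokenized, tokenizer, city):
    """CRM-side filter: it only works if tokenization preserves equality."""
    needle = tokenizer.tokenize(city)
    return [r["id"] for r in tokenized if r["city"] == needle]


if __name__ == "__main__":
    det, vault = DeterministicTokenizer(b"constructed-demo-key"), RandomVaultTokenizer()
    det_copy, vault_copy = tokenize_records(RECORDS, det), tokenize_records(RECORDS, vault)
    print("plaintext / deterministic / random:", value_frequencies(RECORDS),
          value_frequencies(det_copy), value_frequencies(vault_copy))
    print("search Victoria, deterministic:", find_by_city(det_copy, det, "Victoria"))
    print("search Victoria, random vault: ", find_by_city(vault_copy, vault, "Victoria"))
```

Run it and the deterministic copy shows the same [3, 2, 1] shape as the plaintext while the random-vault copy is flat, which is exactly the gap between "tokenization" as sold and "adequately tokenized" as the OIPC defines it.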

The vendors who are phoning me and commenting here are worried that readers will see my critique and think "huh, tokenization is insecure". And that's not what I'm saying. What I'm saying is:

Practical use of tokenization in a USA cloud CRM is not consistent with the British Columbia OIPC's incredibly narrow definition of an acceptable level of data security for personal information stored in foreign jurisdictions or under foreign control.
Paul Ramsey, Just Now

If you're just looking for a reasonable level of surety that your data in a cloud service cannot be easily poked and prodded by a third party (or the cloud service itself), and you don't mind adding the extra level of complexity of interposing a tokenization service/server into your interactions with the cloud service, then by all means, a properly configured tokenization system would seem to fit the bill nicely.

