Thursday, April 20, 2017

Cautiously optimistic on blockchain at MIT

Blockchain has certain similarities to a number of other emerging technologies like IoT and cloud-native broadly. There’s a lot of hype and there’s conflation of different facets or use cases that aren’t necessarily all that related to each other. I won’t say that MIT Technology Review’s Business of Blockchain event at the Media Lab on April 18 avoided those traps entirely. But overall it did far better than average in providing a lucid and balanced perspective. In this post, I share some of the more interesting themes, discussion points, and statements from the day.

It’s very early

Joi Ito, MIT Media Lab

Joi Ito, the Director of the MIT Media Lab, captured what was probably the best description of the overall sentiment about blockchain adoption when he said that we "should have a cautious but optimistic view.” He went on to say that “it's a long game” and that we should also "be prepared for quite of bit of change.” 

In spite of this, he observed that there was a huge amount of investment going on. Asked why, he essentially shrugged and suggested that it was like the Internet boom where VCs and others felt they had to be part of the gold rush.  “It’s about the money." He summed up by saying "we're investing like it's 1998 but it's more like 1989."

The role of standards

In Ito’s view standards will play an important role and open standards are one of the things that we should pay attention to. However, Ito also drew further on the analogues between blockchain and the Internet when he went on to say that "where we standardize isn't necessarily a foregone conclusion” and once you lock in on a layer (such as IP in the case of the Internet), it’s harder to innovate in that space. 

As an example of the ongoing architectural discussion, he noted that there are "huge arguments if contracts should be a separate layer” yet we "can't really be interoperable until agree on what goes in which layer."

Use cases

Most of the discussion revolved around payment systems and, to a somewhat lesser degree, supply chain (e.g. provenance tracking).

In addition to cryptocurrencies (with greater or lesser degrees of anonymity), payment systems also encompass using blockchains to reduce the cost of intermediaries or eliminating them entirely. This could in principle better enable micropayment or payment systems for individuals who are currently unbanked. Robleh Ali, a research scientist in MIT’s Digital Currency Initiative notes that there’s “very little competition in the financial sector. It’s hard to enter for regulatory and other reasons." In his opinion, even if blockchain-based payment systems didn’t eliminate the role of banks, moving money outside the financial system would put pressure on them to reduce fees.

A couple of other well-worn blockchain examples involve supply chains. Everledger uses blockchain to track features such as diamond cut and quality, as well as monitoring diamonds from war zones. Another recent example comes from IBM and Maersk who say that they are using blockchain to "manage transactions among network of shippers, freight forwarders, ocean carriers, ports and customs authorities.” 

(IBM has been very involved with the Hyperledger Project, which my employer Red Hat is also a member of. For more background on Hyperledger, check out my podcast and discussion with Brian Behlendorf—who also spoke at this event—from a couple months back.)

It’s at least plausible that supply chain could be a good fit for blockchain. There’s a lot of interest in better tracking assets as they flow through a web of disconnected entities. And it’s an area that doesn’t have much in the way of well-established governing entities or standardized practices and systems. 

Amber Baldet, JP Morgan


This topic kept coming up in various forms. Amber Baldet of JP Morgan went so far as to say “If we get identity wrong, it will undermine everything else. Who owns our identity? You or the government? How do you transfer identity?"

In a lunchtime discussion Michael Casey of MIT noted that “knowing that we can trust whoever is going to transact is going to be a fundamental question.” But he went on to ask “how do we bring back in privacy given that with big data we can start to connect, say, bitcoin identities."

The other big identity tradeoff familiar to anyone who deals with security was also front and center. Namely, how do we balance ease-of-use and security/anonymity/privacy? In the  words of one speaker “the harsh tradeoff between making it easy and making it self-sovereign."

Chris Ferris of IBM asked “how do you secure and protect private keys? Maybe there’s some third-party custodian but then you're getting back to the idea of trusted third parties. Regulatory regimes and governments will have to figure out how to accommodate anonymity."

Tradeoffs and the real world

Which is as good a point as any to connect blockchain to the world that we live in.

As Dan Elitzer, IDEO coLAB, commented "if we move to a system where the easiest thing is to do things completely anonymously, regulators and law enforcement will lose the ability to track financial transactions and they'll turn to other methods like mass surveillance.” Furthermore, many of the problems that exist with title registries, provenance tracking, the unbanked poor, etc. etc. aren’t clearly the result of technology failure. Given the will and the money to address them in a systematic way that avoids corruption, monopolistic behaviors, and legal/regulatory disputes, there’s a lot that could be done in the absence of blockchains.

To take one fairly simple example that I was discussing with a colleague at the event, a lot of the information associated with deeds and titles in the US isn’t stored in the dusty file cabinets of county clerks because we lack the technology to digitize and centralize. They’re there for some combination of inertia, lack of a compelling need to do things differently, and perhaps a generalized fear of centralizing data. In other situations, “inefficiencies” (perhaps involving bribes) and lack of transparency are even more likely to be seen as features and not bugs by at least some of the participants.  Furthermore, just because something is entered into an immutable blockchain doesn’t mean it’s true.

Summing up

A few speakers alluded to how bitcoin has served as something of an existence proof for the blockchain concept. As Neha Narula, Director of Research of DCI at the MIT Media Lab, put it, bitcoin has "been out there for eight years and it hasn't been cracked” even though “novel cryptographic protocols are usually fragile and hard to get right."

At the same time, there’s a lot of work still required around issues like scalability, identity, how to govern consensus, and adjudicating differences between code and the spec. (If the code is “supposed” to do one thing and it actually does another, which one governs?) And there are broader questions. Some I’ve covered above. There are also fundamental questions like: Are permissioned and permission-less (i.e. public) blockchains really different or are they variations of the same thing? What are the escape hatches for smart contracts in the event of the inevitable bugs? What alternatives are there to proof of work? Where does monetary policy and cryptocurrency intersect?

I come back to Joi Ito’s cautious but optimistic.



Top: Joi Ito, Director MIT Media Lab

Bottom: Amber Baldet, Executive Director, Blockchain Program Lead, J.P. Morgan

by Gordon Haff

Wednesday, April 19, 2017

DevOps Culture: continuous improvement for Digital Transformation

Marshmallow winners

In contrast to even tightly-run enterprise software practices, the speed at which big Internet businesses such as Amazon and Netflix can enhance, update, and tune their customer-facing services can be eye opening. Yet a miniscule number of these deployments cause any kind of outage. These companies are different from more traditional businesses in many ways. Nonetheless they set benchmarks for what is possible. 

Enterprise IT organizations must do likewise if they’re to rapidly create and iterate on the new types of digital services needed to succeed in the marketplace today. Customers demand anywhere/anywhen self-service transactions and winning businesses meet those demands better than their competition. Operational decisions within organizations also must increasingly be informed by data and analytics, requiring another whole set of applications and data sets.

Amazon and Netflix got to where they are using DevOps. DevOps touches many different aspects of the software development, delivery, and operations process. But, at a high level, it can be thought of as applying open source principles and practices to automation, platform design, and culture. The goal is to make the overall process associated with software faster, more flexible, and incremental. Ideas like the continuous improvement based on metrics and data that have transformed manufacturing in many industries are at the heart of the DevOps concept.

Development tools and other technologies are certainly part of DevOps. 

Pervasive and consistent automation is often used as a way to jumpstart DevOps in an organization. Playbooks that encode complex multi-part tasks improve both speed and consistency. It can also improve security by reducing the number of error-prone manual processes. Even narrowly targeted uses of automation are a highly effective way for organizations to gain immediate value from DevOps.

Modern application platforms, such as those based on containers, can also enable more modular software architectures and provide a flexible foundation for implementing DevOps. At the organizational level, a container platform allows for appropriate ownership of the technology stack and processes, reducing hand-offs and the costly change coordination that comes with them. 

However, even with the best tools and platforms in place, DevOps initiatives will fail unless an organization develops the right kind of culture. One of the key transformational elements is developing trust among developers, operations, IT management, and business owners through openness and accountability. In addition to being a source of innovative tooling, open source serves as a great model for the iterative development, open collaboration, and transparent communities that DevOps requires to succeed.

Ultimately, DevOps becomes most effective when its principles pervade an organization rather than being limited to developer and IT operations roles. This includes putting the incentives in place to encourage experimentation and (fast) failure, transparency in decision-making, and reward systems that encourage trust and cooperation. The rich communication flows that characterize many distributed open source projects are likewise important to both DevOps initiatives and modern organizations more broadly.

Shifting culture is always challenging and often needs to be an evolution. For example, Target CIO Mike McNamara noted in a recent interview that “What you come up against is: ‘My area can’t be agile because…’ It’s a natural resistance to change – and in some mission-critical areas, the concerns are warranted. So in those areas, we started developing releases in an agile manner but still released in a controlled environment. As teams got more comfortable with the process and the tools that support continuous integration and continuous deployment, they just naturally started becoming more and more agile.”

At the same time, there’s an increasingly widespread recognition that IT must respond to the needs of and partner with the lines of business--and that DevOps is an integral part of that redefined IT role. As Robert Reeves, the CTO of Datical, puts it: “With DevOps, we now have proof that IT can and does impact market capitalization of the company. We should staff accordingly.”


Photo credit:

Monday, April 17, 2017

DevSecOps at Red Hat Summit 2017

Screen Shot 2017 04 17 at 11 51 08 AM

We’re starting to hear “DevSecOps" mentioned a lot. The term causes some DevOps purists to roll their eyes and insist that security has always been part of DevOps. If you press hard enough, they may even pull out a well-thumbed copy of The Phoenix Project by Gene Kim et al. [1] and point to the many passages which discuss making security part of the process from the beginning rather than a big barrier at the end.

But the reality is that security is often something apart from DevOps even today. Even if DevOps should include continuously integrating and automating security at scale. It’s at least in part because security and compliance operated largely in their own world historically. At a DevOpsDays event last year, one senior security professional even told me that this was the first IT event that was not security-specific that he had ever attended.

With that context, I’d like to point you to a session that my colleague William Henry and I will be giving at Red Hat Summit on May 3. In DevSecOps the open source way we’ll discuss how the IT environment has changed across both development and operations. Think characteristics and technologies like microservices, component reuse, automation, pervasive access, immutability, flexible deploys, rapid tech churn, software-defined everything, a much faster pace, and containers.

Risk has to be managed across all of these. (Which is also a change. Historically, we tended to talk in terms of eliminating risk while today it’s more about managing risk in a business context.)

Doing so requires securing the software assets that get built and well as the machinery doing the building. It requires securing the development process from the source code through the rest of the software supply chain. It requires securing deployments and ongoing operations continuously and not just at a point in time. And it requires securing both the application and the container platform APIs.

We hope to see you at our talk. But whether or not you can make it to see us specifically, we hope that you can make it to Red Hat Summit in Boston from May 2-4. I’m also going to put in a plug for the OpenShift Commons Gathering on the day before (Monday, May 1).


[1] If you’re reading this, you’ve almost certainly heard of The Phoenix Project. But, if not, it’s a fable of sorts about making IT more flexible, effective, and agile. It’s widely cited as one of the source texts for the DevOps movement.

Thursday, April 13, 2017

Links for 04-13-2017

Wednesday, April 12, 2017

Podcasts: Talking cloud native projects at CloudNativeCon in Berlin

33697540381 8472d96277 z

Eduardo Silva, Fluentd/Treasure Data

A project within the Cloud Native Computing Foundation, Fluentd is focused on logging, pulling together data from a variety of sources and sending it to a back-end. Eduardo Silva spoke with me at CloudNativeCon in Berlin about Fluentd and its flexible architecture for plug-ins. Fluentd is widely used for tasks like aggregating mobile stats and to understand how games are behaving.

Listen to MP3 (15:10)

Listen to OGG (15:10)

Miek Gieben, CoreDNS

CoreDNS, which provides cloud-native DNS server and service discovery, recently joined the CNCF. In this podcast Miek provides  context about DNS and explains how today’s more dynamic environments aren’t always a good match with traditional approaches to DNS. Miek takes us through how CoreDNS came to be and discusses some possible future paths that it might take.

Listen to MP3 (12:24)

Listen to OGG (12:24)

Björn Rabenstein, Prometheus/SoundCloud

Bjorn Rabenstein of SoundCloud sat down with me at CloudNativeCon in Berlin to discuss Prometheus, the first project to be brought into the Cloud Native Computing Foundation after Kubernetes. Prometheus is a popular open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach. In this podcast, we get into the background behind Prometheus, why new monitoring tools are needed for cloud-native, and when you should wake people up with an alert--and when you shouldn't.

Listen to MP3 (16:38)

Listen to OGG (16:38)

Sarah Novotny, Kubernetes/Google

Sarah Novotny does open source community for Google Cloud and is also the program manager of the Kubernetes community. She has years of experience in open source communities including MySQL and NGINX. In the podcast we cover the challenges inherent in shifting from a company-led project to a community-led one, principles that can lead to more successful communities, and how to structure decision-making.

I’ve written an article with excerpts from this podcast which will appear on I’ll link to it from here when it’s available.

Listen to MP3 (20:54)

Listen to OGG (20:54)

Wednesday, April 05, 2017

Upcoming: MIT Sloan CIO Symposium

MIT CIO 2017 logo final B

My May schedule has been something of a train wreck given a Red Hat Summit in Boston (use code SOC17 for a discount) that’s earlier than usual and generally lots of events in flight. As a result, I didn’t know until a couple of days ago whether I would be able to attend this year’s MIT Sloan CIO Symposium on May 24. I always look forward to going. This is admittedly in part because I get to hop on a train for an hour ride into Cambridge rather than a metal sky tube for many hours.

But it’s also because the event brings together executives who spend a lot of time focusing on the business aspects of technology change. As you’d expect from an MIT event, there’s also a heavy academic component from MIT and elsewhere. Erik Brynjolfsson, Andrew McAfee, and Sandy Pentland are regulars. As I have for the past few years, I’ll be hosting a lunchtime discussion table on a topic TBD as well as covering the event in this blog afterwards. 

Data, security, and IoT at MIT Sloan CIO Symposium 2016

MIT Sloan CIO Symposium 2015: Dealing with Disruption

This year the Symposium will focus on the theme, “The CIO Adventure: Now, Next and… Beyond,” and will provide attendees with a roadmap for the changing digital landscape ahead. Among the associated topics are challenges of digital transformation, talent shortages, executive advancement to the C-suite, and leading-edge research.

Here’s some additional information from the event organizers:

The full agenda is available at Highlights include:

Kickoff Panel: “Pathways to Future Ready: The Digital Playbook” will discuss a framework for digital transformation and facilitate a conversation on lessons learned from executives leading these transformations. Virtually every company is working on transforming their business for the digital era and this panel will provide a playbook for digital. Featuring Peter Weill, Chairman, MIT Sloan Center for Information Systems Research (CISR); Jim Fowler, Vice President & Chief Information Officer, General Electric; David Gledhill, Group Chief Information Officer and Head of Group Technology & Operations, DBS; and Lucille Mayer, Head of Client Experience Delivery and Global Innovation, BNY Mellon.

Fireside Chat: “Machine | Platform | Crowd: Harnessing Our Digital Future” will be moderated by Jason Pontin, Editor-in-Chief and Publisher of MIT Technology Review and feature Erik Brynjolfsson, Director, and Andy McAfee, Co-Director, of the MIT Initiative on the Digital Economy (IDE), discussing what they call "the second phase of the second machine age." This phase has a greater sense of urgency, as technologies are demonstrating that they can do much more than just the type of work we have thought of as routine. The last time new technologies had such a huge impact on the business world was about a century ago, when electricity took over from steam power and transformed manufacturing. Many successful incumbent companies, in fact most of them, did not survive this transition. This panel will enable CIOs to rethink the balance between minds and machines, between products and platforms, and between the core and the crowd.

Other panel sessions driven by key IT leaders, practitioners, and MIT researchers will include:

“The Cognitive Company: Incremental Present, Transformational Future”; “Cloud Strategies: The Next Level of Digital Transformation”; “The CIO Adventure: Insights from the Leadership Award Finalists”; “Preparing for the Future of Work”; “Expanding the Reach of Digital Innovation”; “Running IT Like a Factory”; “Navigating the Clouds”; “Winning with the Internet of Things”; “Talent Wars in the Digital Age”; “Who’s Really Responsible for Technology?”; “You Were Hacked—Now What?”; “Measuring ROI for Cybersecurity: Is It Real or a Mirage?”; “Putting AI to Work”; “Trusted Data: The Role of Blockchain, Secure Identity, and Encryption”; and “Designing for Digital.”