Scott Morrison

Scott Morrison

Scott Morrison is the Chief Technology Officer at Layer 7 Technologies, providing the visionary innovation and technical direction for the company. He has extensive technical and scientific experience in a number of industries and universities, including senior architect positions at IBM. He is one of the four co-editors for the WS-I Basic Security Profile. Scott is a much sought-after author and speaker. He has published over 50 book chapters, magazine articles, and papers in medical, physics and engineering journals.

February 19th, 2014

New eBook: 5 Simple Strategies for Securing Your APIs

5 Simple Strategies for Securing APIsRecently, I wrote about the excitement I feel working within CA. This company is full of talented people and when you draw on their capabilities, amazing stuff happens. Here in R&D, we have some innovative solutions underway that are tangible results of CA and Layer 7 working well together. I can’t reveal these yet but you can see the same 1+1=3 equation at work in other groups throughout the organization.

Here is a good example: It’s an eBook we’ve assembled to help managers and developers build more secure APIs. The material started with a presentation I first delivered at a recent RSA show. We updated this with best practices developed by real customers facing real challenges. The content is solid but what I love is the final product. It’s accessible, easy to digest and the layout is fantastic. Half the battle is delivering the message so that it’s clear, approachable and actionable. This is just what we delivered. And best of all, it’s free.

The last year has been a difficult one in security. The Snowden affair made people talk about security; this, at least, is good and the dialog continues today. But if 2013 was a year of difficult revelation, 2014 is going to be about back-to-basics security.

APIs offer tremendous business value to enterprise computing. But they also represent a potential threat. You can manage this risk with a solid foundation and good basic practices but you need to know where to start. This is the theme of our new eBook. It offers simple guidelines, not tied to any particular technology. You should apply these whenever you deploy APIs.

I hope you find this eBook useful. As always, I’d love to hear your feedback.

Download the eBook: 5 Simple Strategies for Securing Your APIs

February 14th, 2014

The Truth About CA & Layer 7

CA Layer 7Has it really been almost a year since my last post? I suspected I was near that milestone but it’s still surprising to discover it has been so long.

The story of the last year, of course, is the acquisition of Layer 7 by CA Technologies. Today being Valentine’s Day, I’m reminded that acquisitions are very much like relationships and I’ve been completely consumed with making this one a success. So, the last year is a blur of integration, customer outreach and some terrific innovations — but not a lot of writing.

Hopefully, now that the smoke has at least partly cleared, I’ll get back to blogging regularly and maybe even writing some lengthier pieces of content.

For now though, let’s get back to talking about the acquisition because I know people are curious. The number one question I get asked is how am I doing at a large company and — more specifically — how is CA? It is a logical question but one always delivered with a slightly raised eyebrow that really implies “just give me the dirt — the juicer the better”.

I respond with the truth. And the truth, to be honest, is quite a bit less salacious than everyone secretly hopes. At CA and Layer 7, we are steering clear of  the all-too-common pitfalls of start-up/enterprise marriages. We seem to be finding a very effective approach that works nicely for everyone.

Like all good relationships, this one is founded on a base of mutual respect and a healthy dose of trust. CA recognizes that the Layer 7 team in Vancouver is a great engine of innovation. So, the team stays together and has the mandate to continue pushing the envelope around APIs and mobility. We all recognize that we are part of a much larger narrative now, but honestly, this is what excites us most of all.

CA is a large company but it isn’t overwhelming. Indeed, I’ve been struck by what a small big company this actually is. In just seven months, I feel as though I’ve got a good handle on who all of the key players are and I can pretty much engage anyone I need to and be taken seriously. It’s a level of engagement I never dreamed of.

So, while the truth is boring and my anecdotes are not sexy, that’s all a very good thing. Actually, it’s a great thing. The numbers are high, opportunity abounds and there is a sense we can affect real change when change makes sense. This is a good place to be and I can promise you that there are very good things to come. Stay tuned.

February 22nd, 2013

Cisco & the Internet of Everything

Written by
Category API Management, M2M
 

Cisco and the Internet of EverythingJohn Chambers, CEO of Cisco, just published a good blog entry about the potential for change caused by universal connectivity – not just of our mobile gadgets but of pretty much everything. Recently, much has been said about the so-called “Internet of Things” (IoT), of which Cisco is expanding the scope, going so far as to make a bold estimate that 99.4% of objects still remain unconnected. This, of course, is great fodder for late-night talk show hosts. I’ll leave this softball to them and focus instead on some of the more interesting points in Chambers’ post and the accompanying white paper.

It strikes me that there might be more to Cisco’s “Internet of Everything” (IoE) neologism than just a vendor’s attempt to brand what still may be a technology maverick. Internet of Everything sounds so much better than the common alternative when you append “Economy” to the end – and this is how it first appears in Chambers’ post. And that’s actually important because adding economy in the same breath is an acknowledgement that this isn’t just marketing opportunism as much as a recognition that, like mobility, the IoE could potentially be a great catalyst for independent innovation. In fact, Cisco’s white paper really isn’t about technology at all but is instead an analysis of the market potential represented in each emerging sector, from smart factories to college education.

It is exactly this potential for innovation – a new economy – that is exciting. The combination of Mobile Access and APIs was so explosive precisely because it combined a technology with enormous creative potential (APIs) with a irresistible business impetus (access to information outside the enterprise network). The geeks love enabling tools and APIs are nothing if not enabling; mobile just gives them something to build.

I0E, of course, is the ultimate business driver and –  with APIs as the enabler – it equals opportunity of staggering proportions. Like mobile before it – and indeed, social Web integration before that – IoE will come about precisely because the foundation of APIs already exists.

It is here where I disagree with some IoT pundits who advocate specialized protocols for optimizing performance. No thank you; it isn’t 1990 and opaque binary protocols no longer work for us, except when streaming large data sets (I’m looking at you, video).

Security in the IoE will be a huge issue and Cisco has this to say on the topic :

“IoE security will be addressed through network-powered technology: devices connecting to the network will take advantage of the inherent security that the network provides (rather than trying to ensure security at the device level).”

I agree with this because security coding is still just too hard and too easy to implement wrongly. One of the key lessons of mobile development is that we need to make it easy for developers to automatically enable secure communications. Take security out of the hands of developers, put it in the hands of dedicated security professionals and trust me, the developers will thank you.

As IoE extends to increasingly resource-constrained devices, the simpler we can make secure development, the better. Let application developers focus on creating great apps and a new economy will follow.

January 3rd, 2013

CES 2013 Panel: Privacy & Security in the Cloud

CES 2013The Consumer Electronics Show (CES) 2013 is starting in Las Vegas next week and cloud computing is on the agenda. You can be sure that a technology has moved out of the hype cycle and into everyday use when it shows up at a show like CES, known more for the latest TVs and phones than computing infrastructure. People don’t really need to talk about cloud any more; it’s just there and we are using it.

Of course there will always be a place for a little more talking and I’ll be doing some of this myself as part of the CES panel Privacy & Security in the Cloud. This discussion will take place on Monday Jan 7, 11am-12pm, in LVCC, North Hall N259. The panel is chaired by my good friend Jeremy Geelan, founder of Cloud Computing Expo, who honed his considerable moderation skills at the BBC.

I’m planning on exploring the intersection between the cloud and our increasingly ubiquitous consumer devices. We will highlight the opportunities created by this technological convergence but we will also consider the implications this has for our personal privacy. I hope you can join us.

December 19th, 2012

Do You Agree to the Terms & Conditions? Mobile Devices & the Tipping Point of Informed Consent

Written by
 

End-User License AgreementSometimes, I wonder if anyone in the entire history of computing has every bothered to read and consider the contents of a typical end-user license agreement (EULA). Some Product Manager, I suppose (though truthfully, I’m not even sure of this one).

The EULA, however, is important. It’s the foundation of an vital consent ceremony that ends with only one effective choice: pressing OK. This much-maligned step in every software installation is the only real binding between an end user and a provider of software. Out of this agreement emerges a contract between these two parties and it is this contact that serves as a legal framework for interpretation should any issues arise in the relationship.

Therein lies the rub, as the emphasis in a EULA — as in so much of contract law — is on legal formalism at the expense of end-user understanding. These priorities are not necessarily mutually exclusive but as any lawyer will tell you, it’s a lot more work to make them coexist on a more-or-less equal footing.

Mobile devices may provide the forcing function that brings change into this otherwise moribund corner of the software industry. Mobility is hot right now and it is demanding that we rethink a wide span of business processes and technologies. These new demands are going to extend to the traditional EULA and the result could be good for everyone.

Case in point: the New York Times reported recently on a study conducted by the FTC examining privacy in mobile apps for children. The researchers found that parents were not being adequately informed about what private information was being collected and the extent to which it could be shared. Furthermore, many mobile app developers are channeling data into just a few commercial analytics vendors. While this may not sound like too big a deal, it turns out that, in some cases, these data are tagged with unique device identifiers. This means that providers can potentially track behavior across multiple apps, giving them unprecedented visibility into the online habits of our children.

Kid plus privacy equals a lightning rod for controversy but the study is really indicative of a much greater problem in the mobile app industry. Just the previous week, the State of California launched a suit against Delta Airlines alleging the company failed to include a privacy policy in its mobile app, placing it in violation of that state’s 2004 privacy law.

You could argue that there is nothing new about this problem. Desktop applications have the same capacity for collecting information and so pose similar threats to our privacy. The difference is mostly the devil we know. After years of reading about the appalling threats to our privacy on the Internet, we have come to expect these shenanigans and approach the conventional Web guarded and wary. Or we don’t care (see Facebook).

But the phone, well the phone is just… different.  Desktop computers — or even laptops — just aren’t as ever-present as phones. Your phone goes with you everywhere, which makes it both a triumph of technology and a tremendous potential threat to your privacy.

The problem with the phone is that it is the consumer device that isn’t. Apple crossed a chasm with the iPhone, taking the mobile device from constrained (like a blender) to extensible (like a Lego set) without breaking the consumer-orientation of the device. This was a real tour de force — but one with repercussions both good and bad.

The good stuff we live every day — we get to carefully curate our apps to make the phone our own. I can’t imagine traveling without my phone in my pocket. The bad part is we haven’t necessarily recognized the privacy implications of our own actions. Nobody expects to be betrayed by their constant companion but it is this constant companion that poses the greatest threat to our security.

The good news is that the very characteristics that make mobile so popular also promise to bring much needed transparency to the user/app/provider relationship. Consumer-orientation plus small form factor equals a revolution in privacy and security.

Mobile devices tap into a market so vast it dwarfs the one addressed by the humble PC. And this is the market for which consumer protection laws were designed. As we’ve seen in the Delta Airlines case above, the states have a lever and apparently they aren’t afraid to use it.

But legislation is only part of the answer to reconciling the dueling priorities of privacy and consent. The other element working in favour of change is size — and small is definitely better here. The multi-page contract just isn’t going to play well on a four-inch screen. What consumer’s need is a message that is simple, clear and understandable. Fortunately, we can look to the Web for inspiration on how to do this right.

One of the reasons I get excited about the rise of OAuth is because it represents much more than yet another security token (God knows we have enough of those already). OAuth is really about granting consent. It doesn’t try to say anything about the nature of that consent but it does put in the framework to make consent practical.

Coincident with the rise of OAuth on the Web is a movement to make the terms of consent more transparent. This will need to continue as the process moves to the restricted form factor of the mobile phone. I have no doubt that, left to their own devices, most developers would take the easy route and reduce mobile consent to a hyperlink pointing to pages of boilerplate legalese and an OK button. But add in some regulatory expectations of reasonable disclosure and I can see a better future of clear and simple agreements that flourish first on mobile devices but extend to all software.

Here at Layer 7, we are deeply interested in technologies like OAuth and the role these play in a changing the computing landscape. We are also spending lots of time working on mobile because, more than anything, mobile solutions are driving uptake around APIs. When we built our SecureSpan Mobile Access Gateway, we made sure this solution made OAuth simple to deploy and simple to customize. This way, important steps like consent ceremonies can be made clear, unambiguous and — most importantly — compliant with the law.