Bret Piatt

Archive for July, 2009

Cloud computing makes “blacklists” obsolete, now is the time for “digital identities”

by Bret Piatt on Jul.25, 2009, under Personal, Politics, Technology

A common security technique is to classify attackers by IP addresses or reverse DNS lookup and blacklist the bad ones.  This technique has been falling in popularity with the increased usage of DHCP and NAT for Internet access and cloud computing will be its death knell.

Cloud computing allows attackers to rapidly switch IP addresses for as low as $0.015 per switch or per hour of using the address.  Right now only a few clouds exist so it isn’t quite the wild west yet but over the next 2-5 years we’ll see the thousands of dedicated hosting providers all switching to offer cloud services.

So what this means to the IT security world is you have some time to think about this and get it right using the few clouds out there now.  “Getting it right” may require more than just individual enterprises coming up with a way to solve it for them.  We really need to get together as an Internet community and discuss this in the broader scope of entity identification.  I use the term “entity” because we need a way to identify systems and individual users.

We're going to digital ID, the train is leaving the station


Identity and access management has always been viewed as an enterprise or site specific issue — this needs to change.  The recent Twitter hack is an example of how out of control identity and access management has become.  Understanding and documenting all of the application interactions around identity management in an enterprise is something few if any have a firm grasp on.  We’ve finally reached the point of implementing an Internet wide “digital identity” with a centralized identity and access management architecture similar to the domain registration/SSL certificate hierarchy.

OAuth and OpenID are a good place to start the discussion as they have the proper frameworks but they lack a centrally managed authority or list of authorities to manage identification and authentication.  Major “trust” providers on the Internet need to get together and solve this: VeriSign, Google, Microsoft, Ebay/Paypal, Banks, and major Internet Service Providers (AT&T, Verizon, Comcast, Cox, Time Warner, etc.).

Major Web 2.0 players have large directories of people but they don’t have a real trust relationship — just because you have a Myspace/Facebook/Twitter account doesn’t mean I should trust the e-mail you send me but if Chase Bank says you have a bank account with them and you’re sending me an e-mail I’m much more likely to trust it.  With the appropriate identity management if you’re sending spam I can flag that and Chase will tie it to your “digital identity” which is tied to your “real identity” provided when you created that bank account.  It will be much more difficult to create new identities than it is today and we’ll see a significant decrease in “wild wild west” type behavior on the Internet.

The secondary benefit is consumers will also start to take security more seriously as they won’t want to waste time getting the “spammer” flag removed from their digital identity because their system was hacked (similar to disputing things on your credit report if the system works out properly).  They’ll also prioritize security in their buying decisions forcing system vendors to take it more seriously.

A tertiary benefit will be a reduction in misleading activities that lead to horrible events like the Myspace teen suicide because people won’t create fake identities to hide behind.  Some may say this is part of the “fun” of the Internet as it allows them to escape from their day to day lives.  That type of fun isn’t good for both parties involved — typically part of the fun is misleading other people such as the recent case of the lady that pretended to be a 15 year old kid with cancer.  “Fake identity” activities like this should be restricted to a place like Second Life where everyone knows people are pretending.

As private industry and a world society I hope we can take care of this ourselves before it gets so out of control Congress tries to figure out how to do it and we end up with some horrible mess of a “National ID and Digital Identity Act” that looks at it only from the perspective of the USA and makes it very difficult for non-US citizens to do anything online (as most of the major Internet properties are US based) creating a whole new barrier for 3rd world citizens to overcome.


Why “Tier 1” support is rarely excellent and how to prevent it

by Bret Piatt on Jul.25, 2009, under Business

We’ve all been there….something we have is broken, we can’t fix it on our own and we dread picking up the phone to call technical support because we know it won’t be a good experience.  Many of you think, “It’s tier 1 support, how hard can it be to learn this stuff?”  The truth of the matter is that for many people it isn’t hard but those people are rarely the people you get on the phone.

A tier 1 role is by definition an entry level position.  Based on the stats from Top Grading only 25% of the people hired into any role will excel at it.  So at first glance you should have a 1 out of 4 chance of having an excellent tier 1 experience but the hiring only tells half the story.  Some of the people hired in at a tier 1 level aren’t complacent and don’t want to stay at that level if they are excellent — they took the tier 1 job to get in the door and from there they want to move to other roles.  Other people hired into a tier 1 role are only a C player even in that role and they aren’t qualified for anything else — they’ll be a tier 1 forever.  Eventually this leaves the tier 1 ranks of a given support center filled with B and C players (some C players will become B players in a role but very rarely do they turn into an A player) as the A players are promoted to other roles and the others remain.

Make your agents owners of issues, if anonymous they can be mediocre

Have agents identify themselves, anonymity promotes mediocrity

So how do you fix this if you’re a company with a support organization?  A few options exist and the easiest to implement is hiring the right people in the first place.  This will end up sounding like a promotional piece for Top Grading but if you hire A players 75% of the time instead of 25% you’ll always have a good amount of A players even in the tier 1 ranks.  Another option is to hire for a tier 1.5 role that is customer facing and if people turn out to not be an A player in that role give them a lateral/demotion to a tier 1 role where they perform non-customer facing non-time sensitive tasks — your B/C player at the more difficult role will have a much better chance of being an A player at the easier job.

A third option is to provide training or teaming.  Training is useful where somebody enjoys the tasks they’re being asked to do but they aren’t very good at them.  Training is not going to make a person an A player at things they don’t enjoy doing — this is where teaming comes in.  As a manager people on your teams will have different strengths and by teaming people with complementary strengths together you can improve both of their performances.  As an example assign the analytical person the task of building a score sheet to measure performance and ask the empathetic woo person to try and rebuild a relationship with a disgruntled customer.

At the end of the day though you have to be willing to have difficult conversations with people, especially difficult in an economy like today — that they may not be a fit for the role they’re in and that you need them to find another role in the company or look elsewhere.  While it may be hard for both parties to have the conversation in the long run it is better for everyone — people want to be an A player in the role they fill when they wake up each day — it isn’t fun waking up and knowing you’re headed to a job where you’ll struggle for the next 8-10 hours.

So next time you talk to that tier 1 support person don’t be so hard on them.  They applied for a job, they were hired — somebody told them they could be successful and good at it.  When you ask for a manager instead of yelling at the manager about how bad their tier 1 was ask them if they use a Top Grading style interview process, if they provide training or teaming, if they are doing anything to make that tier 1 successful — if they aren’t doing any of that feel bad for the tier 1 as they’re working for a management team that accepts mediocrity or doesn’t know enough to fix it.
