Secure DevOps for PLM

A fistful of your data

Back in 1989, Toyota was accused of copying the Lexus from Mercedes. But as noted once in the Mary Magdalene incident, do not rush to throw stones – you may not be without sin either.

“A Fistful of Dollars,” a now-iconic 1964 Western movie, was a direct copy of Akira Kurosawa's Yojimbo. According to Kurosawa, Sergio Leone had made “a fine movie, but it was my movie.”

In his defense, Leone claimed that both he and Kurosawa owed a “thematic” debt for both Fistful and Yojimbo to Carlo Goldoni's 18th-century Servant of Two Masters – the concept of the protagonist playing two camps against each other. Leone also referenced earlier American Westerns in the film, such as Shane and My Darling Clementine, both of which differ from Yojimbo.

The Servant/Fistful/Yojimbo story can easily be reimagined for the modern engineering context, especially as it applies to larger enterprises. Various security-focused or simply IT-focused “gangs” are constantly battling each other for dominance while stifling innovation and potentially the business itself.

Keeping secrets from competitors and adversaries is important. A completely locked-down environment may be super safe, but it is not innovative. The Cold War's COCOM played a major role in preventing the Soviets from obtaining critical technologies. In the 21st century, security must go hand in hand with policies that foster a higher velocity of change.

The operational freedom of US technology companies is what makes them super-competitive super-achievers. That’s why the ongoing discussion in the US about security frameworks seeks to bring more businesses into defense innovation.

When companies develop new designs, materials and processes, they have two principal routes:

  • They can patent their creations and guarantee themselves a supposedly strong level of protection for a period of time while exposing their invention to the wide world. Unfortunately, China can then copy and “improve” these designs with reasonable impunity.
  • Alternatively, they can keep their invention as a trade secret and share its details only on a need-to-know basis via a network of NDAs. In that case China initially knows nothing, but if (when) that knowledge does get out, no legal recourse is available to the original inventor at all.

The intellectual property protection conversation naturally converges with several more topics:

  • An Enterprise Search framework deployed on top of the engineering environment, which includes requirements management, PLM, ERP, MES and more. That search capability gives engineers quick access to any information within the enterprise (and sometimes beyond it). It is a huge force multiplier.
  • Data Loss Prevention (DLP) is all about preventing company data from escaping the company’s grip through various information-sharing channels: email, web, on-premise apps and/or cloud-based apps. There are plenty of tools from major vendors covering this magic quadrant, and the key there is to set up and continuously maintain a domain-specific classification database.
  • Dealing with dependencies tackles the issue of users knowingly or unknowingly incorporating someone else’s IP into your designs, thus creating a potential liability and/or bringing your own IP value to zero. What barely worked for Sergio Leone in his theatrical domain may not work for aerospace and defense at all. Fortunately, there are already vendors providing tools to address this issue by tracing all dependencies.
  • Additive manufacturing, with all its advantages, creates a problem of its own. When 3D printing equipment at an overseas US military base uses CAD files from a remote vendor, how does one ascertain the authenticity of those files and ensure they have not been tampered with? Here, blockchain-based solutions seem to be all the rage – I personally know at least two startups and one major corporation going in that direction.

NB: Capturing changes starting from requirements management in SysML models, to PLM, and eventually to end users with blockchain-based solutions offers a lot of promise for both legal and practical purposes. Unfortunately, the blockchain depends on all players accepting it. This solution may work within a relatively closed top-down ecosystem like the DoD, but it will take the likes of Steve Jobs, Bill Gates and Sauron to convince the global business community to accept the burden of creating and maintaining its infrastructure.
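As an added illustration (not code from the original post or from any vendor or startup it mentions), the tamper evidence that the additive-manufacturing bullet and the note above are after can be shown with a minimal hash-chained change ledger: each block covers the previous block's digest, appenders tag blocks under a shared key, and the print site checks the CAD file it received against the digest recorded at delivery. The events, ids, file bytes and key are constructed placeholders, and the shared-key management is assumed.

```python
import hashlib
import hmac
import json
GENESIS = "0" * 64  # digest the first block links to

def canonical(obj):
    """Stable serialization so every party hashes identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

# Constructed sample events: a SysML requirement change, a PLM release, and the
# CAD file handed to a remote print site. Every value here is made up.
SAMPLE_STL = b"<constructed stl bytes>"
SAMPLE_EVENTS = [
    {"stage": "requirements", "item": "REQ-0042", "note": "wall thickness 2.0 mm"},
    {"stage": "plm", "item": "PART-7781 rev C", "note": "released for production"},
    {"stage": "delivery", "item": "bracket_revC.stl",
     "sha256": hashlib.sha256(SAMPLE_STL).hexdigest()},
]

def block_hash_and_tag(index, prev, event, key):
    """Digest of the block body chained to the previous block, plus an HMAC under a key shared by authorised appenders (assumed)."""
    digest = hashlib.sha256(canonical({"index": index, "prev": prev, "event": event})).hexdigest()
    return digest, hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()

def build_ledger(events, key):
    """Append each event as a block linked to the previous block's digest."""
    ledger, prev = [], GENESIS
    for i, ev in enumerate(events):
        digest, tag = block_hash_and_tag(i, prev, ev, key)
        ledger.append({"index": i, "prev": prev, "event": ev, "hash": digest, "tag": tag})
        prev = digest
    return ledger

def verify_ledger(ledger, key):
    """Recompute every link and tag; returns (ok, index of first bad block or -1)."""
    prev = GENESIS
    for i, blk in enumerate(ledger):
        digest, tag = block_hash_and_tag(blk["index"], blk["prev"], blk["event"], key)
        if (blk["index"] != i or blk["prev"] != prev or blk["hash"] != digest
                or not hmac.compare_digest(blk["tag"], tag)):
            return False, i  # edited, reordered, dropped or foreign-key block
        prev = digest
    return True, -1

def delivered_file_ok(ledger, key, data):
    """Print-site check: the ledger verifies and the received CAD file matches the recorded digest."""
    ok, _ = verify_ledger(ledger, key)
    deliveries = [b for b in ledger if b["event"].get("stage") == "delivery"]
    return ok and bool(deliveries) and hmac.compare_digest(deliveries[-1]["event"]["sha256"], hashlib.sha256(data).hexdigest())
```

A real deployment would replace the shared HMAC key with per-party signatures so that any participant can verify without being able to append, which is the acceptance problem the note above describes.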

The Yojimbo and Fistful heroes managed to liberate their respective localities from the bad guys by playing them against each other, leaving them all dead in the end. I am certainly not suggesting getting rid of the Security and IT departments. On the contrary, I want them happy, healthy, productive – and reasonably out of the way of innovation.

What is the right balance between security, IP protection and faster innovation? That is a trillion-dollar question.

Perhaps a magnificent stranger on a white horse will help? Could it be a technology leader who creates a magic tool that visualizes the company's level of innovation vis-a-vis its level of protection and lets management change gears depending on traffic and weather? Could it be a senior executive with a mandate of heaven who understands both the security risks and the value of a liberated workforce, and is able to balance innovation and security by commanding both factions toward the common goal?

I wish I could ask Clint Eastwood, but I seriously doubt he cares about such mundane topics. Hence, until that magnificent stranger comes to town, companies are left making these tough decisions on their own when dealing with competing factions – factions that have their own mutually contradictory local mini-mandates.

In this process, Senticore and its security-focused partners will always be there to help our clients innovate in the right security envelope – smarter, faster, together!