Going Lean

In January, I was fortunate enough to attend two events which both focused on the concept of product / market fit.  Marc Andreessen, of NetScape fame and now a venture capitalist, coined the term.  But the story doesn’t really begin there.  There is a movement known as “Lean Startup,” whose chief advocate is an entrepreneur and consultant named Eric Ries.  My introduction to Ries was at the two events I mentioned.  At TIE Boston, a group which helps entrepreneurs and startups, venture capitalist Tom Huntington spoke eloquently on product / market fit based on his own startup experiences.  His key point was that companies should not scale up in their use of resources until they have found the right fit between the product and the market it is directed to.  He used several examples where companies had functional products, but didn’t have the right market fit, so growth wasn’t happening.  

The next week, I attended the keynote at the Boston Product Management Association (BPMA) on “The Magic Fit”, delivered by Jeff Bussgang of Harvard and Flybridge Ventures.  Bussgang’s presentation built nicely upon the messages I’d heard the week before, but he dug a bit deeper.  He touted Lean principles as an ongoing revolution for Product Management and strongly encouraged all of us to get on board.  LIke Tom Huntington, he emphasized the value of placing the MVP (Minimum Viable Prototype) in the hands of customers and then learning as quickly as possible from these customer experiences.   Bussgang was generous in his use of references and made it clear that author Eric Ries was a key inspiration for many of these Lean Startup concepts.   

A few weeks ago, I borrowed Ries’s book The Lean Startup, from our library and I just finished reading it.  Ries does a nice job of explaining the series of startup experiences which caused him to develop the “Lean Startup” methodology and then he explains the methodology in detail.  As alluded to by the two speakers I’d heard in January, a key concept is setting up an approach that allows startups to get their prototypes (MVPs) out to customers and conduct detailed experiments to see which product or business model approaches are most valuable to customers.  Like many contemporary management theorists, Ries is a strong advocate of creating effective metrics and then conducting measurements, but he also emphasizes the need to talk with customers to understand the meaning behind the statistics.  In the latter approaches, he draws directly from the experiences of companies like Toyota who have been innovators in the lean manufacturing space.  

Ries has written an excellent book which holds lessons both for startups and bigger companies that want to move faster in a turbulent marketplace.   My thanks to Jeff Bussgang for recommending the book.  I ran my own company for 7 years in the Nineties, so the concepts of creating new product ideas and then testing them with customers are familiar to me.  But Eric Ries has put his lessons learned into playbook form and I anticipate these concepts will be valuable in my future business roles.   



Securing Fax over IP for Business Communications

The recent controversy regarding NSA tracking of phone conversations has elevated concerns about security and privacy for business communications. Enterprises generally want to keep their communications private. Use of techniques such as private networks, firewalls and secured tunnels can help to protect internal communication from eavesdroppers, but there are also many exchanges which entail communication with third parties over public networks.

Facsimile is best known as a method of communicating images of printed pages over the Public Switched Telephone Network (PSTN) and many fax companies touted the PSTN as being much more secure than the public Internet, hence reducing the need for formal security approaches. But the circuit-switched network is rapidly being replaced by hybrid and all-IP networks, and a portion of business fax traffic is now sent over the Internet.

During the Nineties, the fax standards experts in the International Telecommunications Union (ITU-T) added annexes to the Group 3 fax T.30 protocol to protect against a variety of security threats. However, there was lack of consensus on how to proceed, so two different approaches were standardized. As attention turned to standardizing fax over higher speed V.34 links and over IP networks, the initial efforts to implement fax security using the new standard approaches fizzled out and never got traction in the marketplace.

Fast forward to 2013. Security and privacy now have a much higher profile. The NSA exposé and other security glitches like the Wikileaks exposures of government and corporate documents have increased awareness of the down side of unsecured documents and communication. In the meantime, as the phone network is being replaced by IP technology, most new sales of fax to the enterprise are for Fax over IP and the T.38 standard from the ITU is frequently used. Most applications of T.38 use a transport protocol called UDPTL (User Datagram Protocol Transport Layer) which is currently an unsecured protocol.

The conventional wisdom might have a “who cares?” attitude, since there’s a common perception that nobody uses fax anymore. However, fax still is used a great deal for a wide variety of business applications which include healthcare, financial and legal organizations, plus fax is integrated into a variety of business processes. Fax is also used for transmission of many normally confidential documents such as insurance claims, real estate transactions and legal notices, plus there are regulations such a HIPAA in the health care domain which require protection of documents from third parties.

For all of these reasons, the need for better security solutions for IP-based facsimile is becoming clear. In another realm of standardization, WebRTC is attracting a lot of attention as a next generation method for performing a wide variety of real time communications such as video and voice over web protocols. The original applications of the Session Initiation Protocol (SIP) were often implemented with little attention paid to security, so the WebRTC standards activities have examined the best approaches for addressing matters such as security and are recommending use of a relatively new security protocol known as Datagram Transport Layer Security (DTLS) to secure real time communications of media within WebRTC.

One advantage of DTLS is that it is relatively protocol agnostic and can be applied as a security layer for various different protocols. So this is a good time to consider how protocols planned for use in WebRTC might also have other applications. The Third Generation Partnership Program (3GPP) has recognized that IP fax is still an important application and wants to have a standard approach to secure faxes which are being transported over IP networks. As a result, there is now an Internet Draft being circulated for comments within the MMUSIC (Multiparty Multimedia Session Control) working group of the Internet Engineering Task Force (IETF) which proposes that DTLS be established as a transport layer that can be used to secure sessions of T.38 IP fax when running over the SIP protocol.

I’m personally enthusiastic about this direction and have made comments on the current draft. I find it ironic that the IETF is looking at adding security layer support to an ITU protocol, but in the world of standards, it’s useful for the work to be done by the experts who have the right domain expertise. In this case, the IETF created DTLS and there is interest in the combination of UDPTL and T.38 from the Fax over IP task group of the SIP Forum, so there is probably enough participation by the Internet and fax communities to produce a useful standard. At this writing, MMUSIC is considering adoption of this draft as an official working group item.

Stay tuned on this one. WebRTC is training a generation of engineers to use a new toolkit of various protocols, so the potential adoption of DTLS by the IP fax community may be a harbinger of a trend to re-purpose various components of the WebRTC initiative in innovative and surprising ways.

WebRTC – Solution for Over The Top Communications?

WebRTC offers an intriguing mix of web-based access and real-time communications.   Part of the excitement has been due to the aggressive approach which has been taken by browser companies such as Google and Mozilla in adding WebRTC to recent versions of their production browsers. 

As a result, any user of these browsers could potentially be connected to other users of WebRTC applications. One example where this could come into play is in Over the Top (OTT) applications. The term Over the Top usually means that an application runs over a broadband IP network and is usually not a packaged service sold by the Internet service provider (ISP). For example, Skype provides a way to do audio and video communications over IP networks. Its base level of service allows for connection to other Skype users at no charge for both audio and video communications. Skype also includes sophisticated features like encryption of calls. For ISPs, Skype potentially competes with a bundled voice offering and a user might elect to use the combination of Skype and a mobile phone for all of their voice communications. This means the ISP gets to sell the customer a broadband IP connection, but may not get any other bundled service revenue.

Let’s suppose you’re an ISP that would like to offer an alternative to Skype for your customer community. What does WebRTC bring to the table? On the media side, WebRTC can support both audio and video communications. It also has built-in security methods for authentication and securing of sessions. For the application, the ISP can create this from scratch or layer this onto a WebRTC enabled browser and automatically take advantage of the WebRTC “hooks” which are built into a browser such as Chrome or Firefox. To truly complete the OTT application, there is still more to do such as determine which signaling to use, and what addressing scheme should be used to interconnect users. For a good analysis of the signaling side, see this recent blog post from webrtchacks.

So, let’s assume the ISP completes the OTT application using WebRTC. What is the potential value add compared to a application like Skype? One potential benefit is the capability for the user to communicate with other users that have WebRTC-enabled applications. One limitation of Skype is that it is a closed community and uses proprietary technologies. As a result, Skype users can currently only communicate with other Skype users unless they go off the network. By contrast, with WebRTC, there will be a standards-based interface based on JavaScript APIs, so that the ISP could structure their application so that it can talk to other WebRTC-enabled applications. There are also a wide variety of WebRTC to SIP gateways that have already been brought to the market, so this offers the potential to interconnect the WebRTC enabled application with the existing base of SIP applications. Hence, WebRTC offers the potential to help break down the silos which currently dominate multimedia communications and enable different applications to communicate either directly via WebRTC or indirectly through WebRTC to SIP gateways.

One way to look at WebRTC is that it offers a very robust “toolkit” of multimedia communications capabilities that can run over web interfaces. The example we have discussed in this blog of an OTT application is just one possibility of how a developer or ISP might use this toolkit. As the web development community learns to take advantage of WebRTC, there will no doubt be a wide range of applications which will emerge. On the business side, WebRTC is a disruptive technology, so we can also anticipate a wide array of different business models to emerge which will build on its open standards hooks.

WebRTC – New Communications Paradigm?

About two years ago, Google brought a new communications initiative called WebRTC to the two best known Internet standards organizations.  WebRTC is short for Web Real Time Communications and the intent is to enable complex real time communications of voice, video and data using web clients, web servers and related applications.  Google has been advancing the work both through contributions to open source libraries and by contributions to standards organizations.  As you may know, once work is accepted by standards organizations, lots of people can get involved, so this work is no longer strictly a Google initiative and has gained support and participation from many companies both large and small. 

The breakdown of work between the standards organizations has played to the strengths of two of them.  The Internet Engineering Task Force (IETF) is contributing Internet protocols to the work and the Worldwide Web Consortium (W3C) is preparing an application program interface (API) based on JavaScript.    

By the second half of last year, the drumbeats promoting WebRTC sounded loudly and in recent weeks, there was an industry conference dedicated strictly to WebRTC, with more to come later this year.   I spoke at the SIPNOC conference on a WebRTC panel a couple of months back and there was lots of interest from telecom industry participants who have been busy in recent years building out real time communications using the Session Initiation Protocol (SIP).  Some articles have even touted WebRTC as the “savior” for the telecom industry, whereas other pundits have said that WebRTC is very high on the hype scale.   

One of the goals of this blog will be to cut through marketing spin and look at what is really happening in the world of communications.  In my view, WebRTC has no shortage of hype, but there is also real technical substance in the initiative and many companies are making serious investments in WebRTC, even though many of the technical elements are nascent and the standards are not yet baked.  One key thing to keep in mind is that WebRTC is the latest attempt to bring real time multimedia communications into the web infrastructure and make it relatively easy for web developers to add real time communications to their applications, without having the master the intricacies of SIP.  The telecom industry has made several attempts to integrate with web developers in the past five years, but the WebRTC initiative seems more promising, since it is centered on web protocols, not on telecom protocols, and much of the “plumbing” will be buried beneath the same kind of JavaScript APIs that web developers have been utilizing for many years.  

If you want a deep dive into WebRTC on the technical side, I can recommend the book “WebRTC:  “APIs and RTCWEB Protocols of the HTML5 Real-Time Web,” written by Alan Johnston and Dan Burnett.  They have just released a second edition, which I have not read yet, but the first edition offered a good technical overview and a nice distillation of the many standards that are being extended or developed as part of the overall initiative.  (Disclosure: I know Alan well from his work in the IETF and we are co-authors on a current Internet Draft.)  Since this is open standards work, you can also dive even deeper and sign up for the various IETF and W3C standards lists if you want to fill up your mailbox with emails.

Circling back to the title of this post, will WebRTC truly be a new communications paradigm?   In my view, it’s too early to tell, but stay tuned and hold on tight.  This promises to be quite a ride. 


Security – A Teachable Moment?

The recent headlines about the NSA capturing data related to phone calls brings up a familiar topic – security. I’ve been managing a session border controller product for the past year and I’ve often been asked if the product supports security. This can be a frustrating question for a product manager, since security is a blanket term that can cover so many areas and this kind of naive question means that the discussion needs to start at a pretty basic level. However, the question can be turned around. One logical response is to ask what kind of security the person wants to know about. An even better response is to get back to basics and ask what are they — typically a customer — trying to protect. In other words, what are the threats?

In the world of international telecom standards, the definition of security starts with the analysis of threats. The National Standards Institute (NIST) wrote a fine paper on security for Voice over IP networks which can be found here. The authors analyzed potential threats to such networks and then proposed solutions. This is preferable to the approach that is often taken of prescribing a security solution before understanding what the goals of the security solution are.

Returning to the topic of the NSA, the President offered a response to critics saying that NSA was not recording phone calls, as if that was the only issue in play here. But if we look at this from a threats perspective, if you are an individual subscriber of phone services, you might want assurances from the service provider of privacy protecting both the content of your communications and the records of who you are talking to. We’ve all seen television shows where the police get a warrant to dump the cell phone records of a potential suspect and just by analyzing the call patterns, are able to figure out who they were calling, when and for how long. This kind of information is often called “traffic analysis” and it can be very revealing. If your company is discussing a merger deal with another company, getting access to these kinds of phone records might reveal the potential merger participants in advance of any public announcement. So is there an incentive for businesses and individuals to protect against people who want to do traffic analysis on their voice (or other) communications? You bet.

I’ve been hearing that argument that if people participate on Facebook and Twitter their public activities are an open book for anybody with Internet access. Sure, that’s true to an extent, though there are battles going on between Facebook and their members about where the privacy lines get drawn. However, I think most phone subscribers, be they individuals or businesses, expect that their private communications will remain so.

On the technical side, this story boils down to a question of where to draw the lines between security and privacy. If this story and the resulting publicity causes individuals and businesses to consider what information they’d like to remain private and which data is considered “fair use” by the government and under what guidelines, then maybe we can have a useful public debate on these matters and not “leave it to the experts.”

Communications Advisor: Starting Up

I’ve decided to begin a new blog to talk about trends in communications technology.  During the nineties, my company Human Communications offered innovative advice, consulting services, a newsletter and training to a broad roster of clients around the world.  I also wrote, edited and managed communication standards in several standards groups including the Internet Engineering Task Force, the International Telecommunications Union and participated in a variety of other industry consortia exploring related matters.  I’m still active in the IETF in areas such as SIP and WebRTC, and my background in fax technology still comes into play sometimes when I attend industry conferences such as the recent SIPNOC. 

As I transition out of my current role as a director of product management for Dialogic, I’m exploring a wide variety of possibilities for what’s next, but I retain my interest in the future of communications technology. 

I’ve also recently gotten excited about the innovations in social media as it applies to marketing.  Back when I attended graduate school at Rensselaer, the management engineering curriculum had a very analytical slant.  I loved digging into statistics and putting together computer simulations using queuing theory, but my first corporate job was mostly about applying computers for business applications and all of the fancy math stuff I’d been learning in school didn’t really come into play.  

Fast forward to the world of marketing today and the analytical approaches I learned back in school are an important part of the trend known as inbound marketing.  

I’m not sure what the future will bring, but I’m confident that communication technologies will continue to evolve and new applications will surprise us all.  In a similar manner, social media is rapidly infusing the business world and opening up new ways to communicate with customers.  My goal will be to talk about these trends and cite the work of others who are leading the charge.  

I will also continue to write posts to my other blog — Writer’s Notebook — but my focus there will be on my throughts and experiences about writing, travel and the use of personal technology.   

The opinions expressed here will be my own, unless I’m citing the work of others.   

That’s all for now. I look forward to hearing your feedback and comments as the blog evolves.