Digital Power on Digital Infrastructures at Scale

Introduction to Risk

Wed, 12 Mar 2025 13:13:35 +0000

Risk is the flip side of value. For everything that is of value, there can be circumstances threatening that value. While value is realized in the past and the present, risk is what can happen with that value in the future.

Risk in a digital world is not always easy to think through. While we can borrow a lot from the real world, certain important differences exist.

At the core of every risk assessment there is the thing we worry about the most: the ‘asset’. In a digital world, this is often the data. Think of business-critical data, like our database of customers. Think of data that we have a compliance obligation on, such as personal data.

Information Security Assets

Sun, 11 May 2025 08:37:01 +0000

Let’s dive a little deeper into assets. The most relevant asset in information security is data. That is what users of information care about most. In addition, we can also see the processing power that we need as an asset.

Here are some examples of data assets:

A customer record in a business system
An MRI scan
A browser cookie (on the server)
A logfile entry

As you can guess from these examples, many involve regulatory concerns due to the type of data that they consist of. One of the tasks of a risk analyst is to figure out what regulations apply exactly.

Elements of the Digital World

Thu, 27 Mar 2025 20:34:01 +0000

It all starts with bits: digital units of information. It is about how we store these bits, how we move these bits, and how we transform or process these bits.

The three major elements of digital infrastructures are:

Storage
Networks
Processors

In the cloud security world, it is customary to talk about data at rest, data in motion, and data in use. This introduces data as the key common element. But more on cloud security later.

Digital Autonomy: the Actors

Tue, 28 Apr 2026 00:00:00 +0000

Achieving some form of digital autonomy or sovereignty is a wicked problem, too large to handle in one go. Let’s start therefore with the main actors, and what is at stake for them. We can then talk about how digital autonomy allows these actors to collaborate and compete, and therefore impacts the risks they see. Elsewhere, I write about international actors, and this story builds on that.

All actors (e.g. governments, companies) perceive IT risk in their own way. Generally though, they include the standard IT risks (confidentiality, integrity, and availability). Beyond that, there is the risk of failing to capture the value of new technology, and failure to exercise governance and control over relevant other actors.

A badge on the wall

Mon, 27 Apr 2026 00:00:00 +0000

A badge on the wall: repurposing hacker camp hardware as a home energy display

I wanted a wall display for my house’s energy. Not an app, but something glanceable, always on, no clicks required. Apparently that’s harder to buy than it sounds.

On a sunny day, it makes sense to turn on energy-intensive appliances such as washing machines, because the energy surplus from our solar panels earns us almost nothing.

Why You Work: Amateur, Professional, or Passionate?

Tue, 21 Apr 2026 00:00:00 +0000

Have you ever been called an amateur? It stings. It shouldn’t be.

Amateurs

The label ‘amateur’ has a negative feel, it refers to unskilled workers, hobbyists, and poor results. But the word actually derives from the Latin ‘amare’, meaning to love. So an amateur is somebody who is doing it for the love of it.

They come to their work for play, for fun, and discovery. When it comes to the quality of their work, they are setting the bar for themselves only.

Local AI inferencing or cloud based?

Sat, 07 Mar 2026 14:24:22 +0000

I am trying to figure out where the pendulum for AI LLM inference hosting will swing to.

Will we have more cloud service usage of the cloud hyperscalers, or will inferencing be on local devices such as laptops or in corporate datacenter?

Here is my thinking.

I believe Moore’s law will be relevant for a few more years, implying that an affordable supply of local capacity will grow.

I also believe that there is a minimum LLM size to make them functional, in the same way that there is a minimum number of bytes for a decent picture or audible sound. But above a certain size, there is going to be a diminishing return. Depending on the scenario, we are talking about billions to trillions of parameters in the LLM.

Architectural Integrity, Angkor Wat, and open source

Fri, 06 Feb 2026 07:31:06 +0000

Angkor Wat (Cambodia) is the world’s largest religious building and site. Built in the 12th century, it is still a stunning building, featuring high symmetry and perfect north-south alignment.

As I was visiting this and other temples, I got to think about architectural integrity. For example, Angkor Wat has 4 major towers around a central tower. I call that an architectural feature.

Symmetry like this does not happen automatically. It takes an architect and good execution, in other words carefully controlled power, to realize this. As a visitor, you notice, maybe only subconsciously, that great power was required to construct such a building. The building is a symbol of power.

How are AI Agents Self Aware?

Wed, 04 Feb 2026 08:56:29 +0000

I was chatting with an AI agent about its own configuration, and it answered with surprising confidence.

Then I thought: wait. How would it even know that?

This post is about what I found when I went looking.

Nanobot is a deliberately simpler version of OpenClaw.

If you haven’t heard about it, OpenClaw is an AI agent running on your behalf 24/7, potentially having all your credentials. This is possibly the piece of software with the steepest adoption curve of all time, it got to over 1 million active users in 1 week. Potentially it is also one of the biggest IT security dramas of all time. Because the more powerful they are, the more risky they become.

Securing my AI travel mail bot

Fri, 23 Jan 2026 09:55:29 +0000

I wanted to experiment with AI automation while also paying particular attention to security concerns. Security is something I take seriously (I delivered cloud security training for more than 10 years), and the power that AI has is very scary.

There are lots of frameworks related to AI security, and I feel that it is hard to apply them to the real world.

For example how would you mitigate LLM06 – Sensitive Information Disclosure, or ASI05 - Inadequate Guardrails and Sandboxing from the OWASP guidelines?

Wicked problems in 2026

Thu, 25 Dec 2025 00:39:13 +0000

As 2025 ends, I reflected on the major topics that I see evolving in my practice. They are digital sovereignty and AI security, in particular the security of AI agent systems. These are systems where AI is not just used as an advanced data processor, but is undertaking autonomous actions.

I focus specifically on so-called wicked problems: problems that do not have simple solution because they are intertwined with many other issues and conflicting interests.

What certificate to pursue

Thu, 27 Nov 2025 05:06:40 +0000

A question I often get is “what certification or knowledge should I pursue to get me a better job?”.

Or variants such as “which cert is going to get me employed?”.

Here is my opinion on it.

Certificates only bring you so far. Most companies aren’t looking for people with knowledge. They are looking for the results that the knowledge brings, such as improved processes, new revenue, etcetera.

Today’s major innovations are in using generative AI.

AR newsletter Nov9 25

Sun, 09 Nov 2025 09:39:50 +0000

(sent nov 11. How to make AI work for you) By now, you probably had your first encounters with AI. What did you run into? Would love to know about that.

While I am currently on a sabbatical, these things are top of mind for me.

For me, I am focussing on two AI directions. Given my background in cloud security, I cannot help but think about AI security and governance.

How Claude Flow helped me create my next tool

Wed, 15 Oct 2025 20:01:08 +0000

After coding a demo application with Claude Flow it was time to do a larger project.

Claude Flow allows the distribution of coding work over a variety of agents. Each of the agents has a specific role in the project, such as coder, tester, analyst, and others.

These agents create stuff, inform each other, and check each other’s results.

But even after a few projects, I still find it difficult to grasp the subtleties and intricacies of its various agents, components and options.

Cloud Security and AI

Tue, 09 Sep 2025 06:10:21 +0000

How can you use cloud security lessons to better secure AI? This is what is keeping some of my clients busy recently.

Arguably the most important concept in cloud security is the allocation of responsibilities across the independent actors that contribute to any digital service. Often referred to as ‘shared responsibility’, this is about ‘who does what?’. For example, in an IaaS service model, the provider does the physical security of servers, offers a variety of network isolation options, and so forth. The IaaS consumer’s job is to use those features to, for example, organize logical server access, so only authorized access is permitted. In contrast, many mistakenly think it is the provider’s job to secure and update the operating system. It is not, in an IaaS model, it is the consumer’s job.

Testing RSS updates

Mon, 01 Sep 2025 11:28:58 +0000

Testing RSS

OWASP LLM Risk Allocation

Fri, 29 Aug 2025 09:33:34 +0000

Applications based on LLMs (Large Language Models) have risks too. The OWASP Top 10 for LLM Applications risks are a good start for analyzing the risks of such a system.

These types of applications, like many others, are also cloud applications. This means that there is a variety of parties responsible for controlling those risks.

But, who is supposed to do each control? And which role do they have? For example, there are model providers, there is the AI consumer, and so on. For a deeper story on these roles look at AI roles.

Agentic coding, the next level

Mon, 25 Aug 2025 10:09:31 +0000

My AI coding journey continues.

My first version of the Tic-Tac-Toe game took some time to get right even though I already applied some serious automated top-down design.

As explained, understanding feedback loops is crucial for correcting errors. Part of this is using explicit tests for desirable outcomes. A process for test-driven design would be even better.

The main question from that experience was: How can we let the AI check itself?

Why 2025 resources

Thu, 31 Jul 2025 08:10:04 +0000

For the book, here is the link: https://digitalinfrastructures.nl.

PDF: How to bluff your way into Zero Trust

PDF: Using deployment diagrams to explain architecture and security to everybody.

The presentations are also online in the WHY2025 YouTube channel and at the CCC.

More on deployment diagrams in the book, in which you can search.

Find me on LinkedIN or Mastodon @petersgriddle@fosstodon.org.

AI Coding: "Look Ma, no hands!"

Sat, 19 Jul 2025 12:22:13 +0000

Here is how I AI-coded a fully functional Tic-Tac-Toe web game without looking at a single line of code or manually identifying a GUI or logic error. I ran Claude Code (Pro) in VS Code without any other IDE/AI tooling.

But it takes some effort and discipline to get there. The core idea is to be very specific and use an opinionated environment that includes extensive automated testing.

The Agentic AI way

Many people are researching this, all with slightly different approaches. There are a variety of ways to do more or less the same thing. Here are some of the interesting approaches I found. Interestingly, they all popped up in the first half of 2025.

AI coding rabbit holes

Sat, 12 Jul 2025 06:26:24 +0000

The approach

People call LLMs statistical completion engines and that they therefore cannot write computer code. While the first may be true, the conclusion not necessarily follows.

My answer to this question: let’s try this out! Inspired by modern discoveries in, for example, context engineering and swarm coding (references to come) I decided to give AI assisted coding a shot.

I had a little used SaaS application (an LMS) that was nevertheless costing serious money. Yet, completely killing it was not an option. It was relatively easy to extract the Gigabytes of content in there, also through a bit of AI assistance. So I decided to rebuild the app, or at least a minimal version of it. Of many options, I selected Claude as my coding assistant.

Can AI automate compliance?

Tue, 24 Jun 2025 14:37:11 +0000

My AI-supported risk analysis assistant mirrors a common pitfall in risk management: focusing on irrelevant controls rather than genuine threats.

I have created a risk analyst AI based on industry best practices, or so I assume. This is part of a quest toward more compliance automation, because as an industry we are falling behind in security.

I am running through a simple example of a chatbot that answers questions over a nonsensitive dataset. The analyst dives deep into questions on all kinds of controls that, in my view, are quite irrelevant to the risk at the business level.

How I Got Started in Computer Networks

Sun, 08 Jun 2025 14:31:28 +0000

My first interest in networking came in the early 80s, as I was in the final years of my mathematics and computer science master’s program.

At the time, dial-up terminal networking was about the most advanced there was. And if you were lucky, you’d get 1200 baud (transmitting approximately 120 characters per second). My current fiber-optic home links are 1 Gigabit/sec, which is about 1 million times faster.

Beyond this, computer-to-computer communication was mostly confined to the local data center. Transferring files from one computer to another typically involved physically moving storage media around. I have a great story about that, but that will be in another unit.

Zero Trust Myths

Tue, 03 Jun 2025 10:37:45 +0000

What is the problem with the image that Zero Trust based information security brings along?

Once you understand the principles, and they are not really difficult, it is obvious that only ZT can lead us to a more secure cyber future.

So, what is holding us back?

Here are some of the misconceptions:

“It is a boatload of work, so let’s not start.” Truth: yes, fully securing your IT with all its technical debt is a boatload of work. That is exactly the reason why you need ZT, so that you know where you can get started quickly, and be more secure before the last hole is plugged.

The AI Coding Age

Sun, 01 Jun 2025 13:13:09 +0000

This is the dawn of a new age.

I have been observing software development for more than fifty years, ever since I wrote my first computer program. In that entire time, I have never witnessed a development that has changed the profession deeper, faster, or more pervasively than now. AI-assisted coding has escaped from the lab, and is impacting the work of every software developer.

In the communities I track I hear stories of software engineers regret taking a single week of vacation because of the innovations that they now have to catch up to.

AI will replace coders, not software engineers

Fri, 23 May 2025 12:45:13 +0000

If you build software for a living, generative AI may be a scary development, as it has the potential to take over a lot of software creation. But I think it depends on what you see as the job of creating software.

A coder in the world of IT is somebody who writes code in some programming language. More typically they modify code instead of writing it from scratch. This is in response to bugs, feature requests, and so on. In the age of AI, a lot of coding can be automated. We have seen many examples of AI generating lots of code based on fairly compact specifications.

Vibe OPSing with MCP: proof of concept

Tue, 20 May 2025 09:30:03 +0000

Here is the story of how I started to use AI to help with running and securing my home network. I call it vibe ops, in analogy to vibe programming.

This post is going to be obsolete very soon, even though it is already the second version …

My home network plays an additional role as a nice lab, and in the process of better securing it, preferably with Zero Trust Architectures, I am doing some experiments.

Why You Should Read this Book

Sun, 11 May 2025 08:47:28 +0000

You should not read this book because I tell you to. After all, you are an autonomous person, making your own decisions.

You should read this book because you are convinced that it is likely to give you significant insights into a world that matters to you.

Digital infrastructures, and information technology at large, have moved from a fringe niche technology to becoming an essential part of modern life. Most companies would go belly up in weeks, if not days, if their digital infrastructures would fail.

What is the value of information?

Sat, 10 May 2025 11:33:28 +0000

What is information really? If we know that, we can try to understand how we can judge its value, or even start to understand how we can create value with information.

In Claude Shannon’s theory of communication, information is about reducing uncertainty. Another way is to say that more information means less noise because if you add noise to information, that information will have more uncertainty and less value.

To visualize this, think of a picture that is obscured by a bit of fog or haze. You can still see some of the picture, but not very clearly. You will make more errors when trying to understand what the picture means.

Three books on Zero Trust, and when you should read them

Wed, 30 Apr 2025 12:46:33 +0000

‘But where do we start?’

The question hung in the air of my training session, asked by many of the attendants. Mind you, these are experienced people with many years of cyber security experience.

But turning Zero Trust from an abstract concept into concrete action? That’s where everyone gets stuck.

I know that feeling well. Years ago, I joined my first Zero Trust working group, swimming in a sea of frameworks, agency guidelines, and vendor whitepapers. I even had the privilege of attending sessions with John Kindervag, the father of Zero Trust himself. Yet the gap between theory and implementation remained stubbornly wide.

Saas Security: the first three steps

Wed, 30 Apr 2025 10:56:37 +0000

The security of your SaaS cloud solutions starts with the review of three major areas. Practically all companies are using SaaS providers in one way or another. SaaS includes Services such as Trello for project management, Microsoft 365, and e.g. specialized solutions for marketing intelligence services. The sky is the limit. Most companies are using hundreds of SaaS solutions.

Here are 3 tips to start with.

Maturity match

The first thing to worry about is if the maturity of the provider matches your risk appetite. Are they good enough for your use case? If you are working with a mission-critical SaaS solution, you want to make sure that the provider is mature. You can start finding out if that is the case is by looking at their certifications. An example could be the ISO 27000 series certification for IT risk management, or similar. Most mature cloud providers have dozens of certifications. On the other end of the spectrum, you may want to work with a provider that is not so mature, but that is delivering a very innovative solution of great business benefit to your company. That benefit, that competitive edge, may warrant a greater risk appetite. So start with that maturity match first.

Great Introduction to Zero Trust

Wed, 30 Apr 2025 10:48:42 +0000

“Project Zero Trust” is a business novel by George Finney. It talks about an emerging approach to IT and Cybersecurity that attempts to reduce cyberrisk in a more fundamental way. Zero Trust is a bit of a hype in IT these days, and both product companies and knowledge agencies are dropping lots of papers on this. But this book is in another game.

What I like about it is that it paints a reasonably realistic picture of a modern enterprise, including the information technology choices that it makes. This serves as a good backdrop to a variety of Zero Trust initiatives, which are described in a bit of detail. As an instructor I find that most of the vendor neutral training material out there lacks specific examples. This makes it hard for students to anchor the abstract concepts that they are fed to a realistic environment with some resemblance to their job situation.

Key Knowledge Gaps in Cloud Security and How to Address Them

Wed, 30 Apr 2025 07:41:35 +0000

What are the real challenges in cloud security these days? In my recent conversations with industry practitioners, one came up consistently: the lack of knowledge and skills to adopt cloud securely. These gaps are slowing down how teams build, manage and secure their cloud environments, and they may be affecting your teams as well.

Provider specific technical expertise

Many IT professionals attempt to transfer their on-premises security knowledge directly to cloud. But this often leads to ineffective and hard to maintain solutions. A technical example is insisting on traditional firewall architectures. These are hard to implement right in the cloud and can lead to less secure deployments than are possible with cloud native architectures. One set of skills that is relevant to addressing this is understanding what features a specific cloud provider has for building a secure architecture. There are many courses available from the providers, even free ones, though it can sometimes be a bit challenging to select the correct ones. However, without understanding how abstraction and automation change the IT security game, these technical skills will not result in more efficiency. And without more efficiency security efforts will be outpaced by the speed of new developments.

Vibe coding an MCP Server

Sun, 27 Apr 2025 08:39:55 +0000

Model Context Protocols (MCP, see my post on their security) are the new glue between humans, chatbots, and old school IT.

Here is the step by step approach that I followed to ‘vibe code’ a Model Context Protocol server for my CRM and mailing list manager.

I journaled this description, so I have included most of the detours and false starts. For readability, I edited the description later, but the flow is as I went through it.

Look at MCP now to be ahead of AI risk

Wed, 23 Apr 2025 06:03:44 +0000

If you are in security and not fully on top of AI risk, you want to look at MCP now, as this is going to be popular and risky. Reach out to your development teams and beyond to offer your help in using them wisely, even if you know nothing about them yet.

MCP, Model Context Protocol, was introduced in November 2024 as a standardised way to feed AI chatbots with extra information. You can extend Claude or OpenAI desktop with MCP servers, which are basically small programs that run on the desktop and have access to all information and services that the user has.

Who Suffers?

Tue, 15 Apr 2025 21:27:25 +0000

I have found that no discussion on risk is going to lead anywhere if it does not make clear who suffers from it. Make clear who has the pain. For my phone and laptop it is easy: if I lose them, I suffer. In a larger organization it is less clear. Suppose a server dies. Whose application then no longer runs? Who has to pay for a new server? This gets increasingly harder if we are talking about shared services, because the owner and the consumer are now decoupled.

Vibe Coding in Reality

Tue, 08 Apr 2025 14:34:54 +0000

How does vibe coding work in the real? Vibe coding is having AI write your software. Coined by Andrej Karpathy, the hype is all over the map, with companies that are rethinking their hiring strategies for programmers. Sounds like disaster for software engineers and programmers.

Not so fast.

Curious to learn more about it, I reached out to an old friend who is an experienced software engineer. He was a co-founder in a SaaS company in the monitoring space. After a successful exit he now has a bit more time to pursue hobbies. But he is still professionally busy.

Introduction to Change and Control

Tue, 08 Apr 2025 09:17:02 +0000

Change is quite inherent in technology, and in particular in information technology. At the same time we want technology to provide a reliable service, and that requires a degree of control. In this chapter we’ll explore some fundamentals of change, in particular how this works with groups of people.

Change and control mindsets complement each other. We need both, even if they conflict at times.

For example, in a typical IT environment, you have developers and system administrators. The output of the developers is a stream of changes: new features, improvements, bug fixes, and so on. Adminstrators are in the business of keeping everything stable, the same. They see no fundamental difference between a new feature and an incident. Both are disrupting the normal flow of business. Consequently, they are seen as a threat, and that is why it often feels that developers and system administrators are from different planets.

Introduction to Power

Sat, 05 Apr 2025 12:31:46 +0000

Power is a concept that is widely used and ill defined. Many philosophers have discussed it, but not one definition really stands out. Before we attempt to define power formally, let’s see how the word in used in everyday IT situations.

Understanding power in IT is not just academic. As the examples show it is crucial in understanding how IT works, and creates value and risk.

The cloud architect held significant power in deciding which platforms the organization would adopt for its digital transformation.
Automated deployment pipelines gave development teams the power to release software faster and with fewer errors.
Legacy systems often retain unexpected power in large organizations, simply because so many critical processes still depend on them.
Regulators have the power to halt digital initiatives if data protection requirements are not met.
By owning the central identity management service, the security team had the power to control access across the entire infrastructure.
Outages at major cloud providers show how concentrated power in digital infrastructures can lead to systemic risk.
The CIO used the power of budget approval to steer the enterprise toward adopting more secure infrastructure patterns.
Power struggles between central IT and business units can delay the rollout of shared infrastructure services.
With real-time observability tools, operations teams gained the power to detect and respond to incidents before users were affected.
An open-source community can collectively wield more power than a single vendor when shaping the direction of a software tool.

From these examples, we can see certain recurring features of power in the context of IT and digital infrastructures.

Value in Process Improvement

Thu, 27 Mar 2025 20:33:42 +0000

Most digital infrastructures are meant to communicate or coordinate, or are in support of other digital infrastructures that communicate or coordinate. That is where their prime value is.

The internet is a great example. It is designed to enable computers to communicate by moving data packets between them.

Social media is another example, used by people to communicate with each other. Its success is a testament to the fact that communication is a fundamental human need.

Promise Theory

Fri, 25 Apr 2025 21:21:54 +0000

Digital infrastructures focus on services rather than products, making it elusive to capture the essence of these services, especially in defining the fluid interactions between service providers and consumers.

Promise theory is a little-known approach to interaction, though it has quite a few great thinkers behind it. Introduced by Mark Burgess and others, it is about how autonomous agents work together. It helped me a lot in getting a handle on various distributed systems. There was this project where we designed a scalable travel information system with what we now call microservices. We needed to describe how these parts work together. And there was a project that required lots of independent and autonomous social security agencies to work together on providing a service. In getting this from the drawing board to actual production, promise theory turned out to be a great tool.

The moral necessity of talking about power

Thu, 24 Apr 2025 20:30:57 +0000

For many people, the word power has a negative connotation. They’d rather avoid using power altogether. I can feel that, and I can definitely feel that about the abuse of power.

But does that make it unethical to talk about power? Power is everywhere, and conflict too. There is no society without a power structure. There are always differences of opinions in any group, if only to decide when to have lunch.

The Automation Business Case

Fri, 04 Jul 2025 06:51:53 +0000

Automation is a big part of IT, but not all automation brings value. Automation takes time and effort, upfront, and any benefits come later.

Think of the IT projects you were involved in, most of those aimed at providing a measurable benefit somewhere.

This diagram (from xkcd, a series of webcomics) illustrates when automating repetitive tasks, or even just parts of them, brings benefit. In other words, is there a business case for such an intervention?

Control Through Feedback Loops

Sat, 19 Apr 2025 20:01:07 +0000

There are many ways to influence and control a system, but one of the most controlled (pun intended) ways is to use feedback loops.

Let’s start with an analogy first: driving a car.

If you want the car to stop as fast as possible, it suffices to push the brakes as hard as you can. But that does not give you much control. For example, your passengers might not like it, and it leads to wear on the tires. If you want the car to stop at an intended location, for example just in front of a traffic light, you apply a feedback loop.

Contracts are complementary promises

Thu, 15 May 2025 21:03:24 +0000

Once we understand promises, contracts between agents now become really simple to express. They are a set of complementary conditional promises: “If you do this, I will promise that”. In our example this looks like the following.

“If you promise to pay me, I will promise to bring you coffee.”
“If you promise to bring me coffee, I will promise to pay you.”

If one party does not keep its end of the bargain, the other party is free to withdraw from their part of the deal. Of course there is the complication that somebody has to deliver first: do you get coffee first, or do you have to pay first? This requires trust. As you are probably aware, both types of contract exist in real life. In fact you can find more complicated versions as well.

Shared Services Lead to Conflicts

Fri, 06 Jun 2025 10:32:19 +0000

Digital infrastructures serve, nearly always, multiple customers. These customers therefore share the resources provided by these digital infrastructures. With that sharing comes the potential for conflicts over those resources.

When I talk to my friend over the phone, we share a connection, and that is exactly when sharing is part of the value of that infrastructure. But when multiple users draw computer capacity from the same pool, there is a risk that the pool is too small, and some users will not get the capacity that they require.

Things Break at Scale

Wed, 16 Apr 2025 21:16:12 +0000

Computers are terribly reliable, in general. Today’s computer systems execute millions, even trillions, of instructions each second, with an error rate that is inconceivable in other technologies. Yet, if you have hundreds of thousands of machines, you do need to take care of failures.

In the early days of Google growth I read an article about their error numbers (a Google cluster has several thousands of machines):

In each cluster’s first year, it’s typical that 1,000 individual machine failures will occur; thousands of hard drive failures will occur; one power distribution unit will fail, bringing down 500 to 1,000 machines for about 6 hours; 20 racks will fail, each time causing 40 to 80 machines to vanish from the network; 5 racks will “go wonky,” with half their network packets missing in action; and the cluster will have to be rewired once, affecting 5 percent of the machines at any given moment over a 2-day span, Dean said. And there’s about a 50 percent chance that the cluster will overheat, taking down most of the servers in less than 5 minutes and taking 1 to 2 days to recover.

The Essence of Digital Infrastructures

Mon, 10 Mar 2025 21:34:21 +0000

What do roads, airports, the internet, the electricity network, and a search engine have in common? They are all services that are independent of a specific user or usage. They are provisioned on a longer timescale than that of an individual usage. And they are typically not owned by their users, or at least, not directly.

In this book I am mostly concerned with digital infrastructures. Their services are digitally accessible. Of the above examples, the internet and the search engine are the best examples of that. Interestingly, the other services increasingly rely on digital infrastructures themselves, or even incorporate specific digital infrastructures. Trading platforms, for example, enable the planning of electricity supply and demand. In many countries, electricity is a market, not a monopoly, which requires coordination between the various players.

Systematically applying technology

Sat, 22 Mar 2025 17:56:43 +0000

How to fix the WiFi? How to find a new phone for grandma?

Applying technology follows certain rules. However, many people only have an intuitive understanding of these rules. As a result, technology is not optimally applied. By understanding how applying technology really works, you can be more effective, more efficient, reduce waste, and overall do a better job. It takes just a few simple steps to improve any attempt at applying technology. We’ll focus on information technology here, though most principles have wider applicability.

Provider Value

Tue, 11 Mar 2025 09:10:54 +0000

Consumers of digital infrastructures benefit from not running them themselves, but having a provider who serves more consumers do it for them.

Imagine stringing a wire to connect your PC to your neighbor’s PC in order to play a game together. People have been doing these things. How long does it take to string the wires and connect them? What is the cost? Where do you buy the cable? How are you going to run that cable? It is a lot faster to just use the internet for that.

A Small Example of Cloud Native Development

Mon, 10 Feb 2020 23:29:51 +0000

Cloud-native software development enables new practices. But it also requires them. It is a new level of working. However, putting all these new practices together requires integrating a lot of pieces. To illustrate this new approach, I have started to develop a minimal application. Although minimal, I run it in production. Its basic function is to regularly pull out data from an air quality sensor into a cloud-based database. Together it is a few hundred lines of code. Here are the major features of the example:

Governance over IT, an example

Thu, 01 May 2025 11:07:46 +0000

Shared resources can lead to conflicts. If the capacity runs out, somebody will feel the pain at the expense of somebody else. This conflict will be resolved in one way or another. Without other arrangements, the stakeholder with the most power wins. This is not necessarily the best outcome for the organization as a whole.

To illustrate this, I gave ChatGPT the following prompt:

Write a business case story about the conflict over shared computing resources.

Promise to Update

Thu, 14 Aug 2025 11:30:02 +0000

An important part of managing digital infrastructures is updating various software components. It does not matter if we are talking about operating systems, applications, AI models, configurations, software libraries, and so on.

What matters is: who is going to do that?

Updates happen for many reasons, but the major ones are:

new functionality
better security.

As you can imagine, there are different stakeholders for these changes, and different skill sets required.

Where the buck stops

Thu, 15 May 2025 21:08:13 +0000

The US president Harry S. Truman famously had a sign on his desk that said:

The buck stops here.

This refers to the process of “passing up the buck”, meaning to escalate decisions to the next higher level in the organization.

Truman implied that he took responsibility but also that this is where power comes from.

This is an essential part of governance, and this vertical line of responsibility represents one way of looking at it. We can trace how this works in the following risk management example.

What a lunch in Spain taught me about digital infrastructures

Sat, 15 Mar 2025 16:06:44 +0000

In 2005 I visited my father in France. It turned out to be convenient to pick me up from the Gerona airport in Spain. And as we had enough time, we had lunch in La Jonquera.

At the restaurant’s checkout I noticed a peculiar array of devices: there were four payment terminals.

I’d never seen that. From what I know, a merchant works with a bank which handles all their payments. Apparently not over here.

Positions of Power in IT

Sun, 09 Mar 2025 11:06:48 +0000

One of the key aspirations of Digital Infrastructures at Scale is to equip you with the tools to shape and drive change in your professional environment—especially when your goal is to lead a transformation.

Every stakeholder has power. Here I want to highlight two important positions of influence in IT where technology meets power are architects and auditors/assessors.

IT architects are builders. They design new applications, platforms, and infrastructures that enable businesses to operate more effectively. A CRM system, for example, is not just a technical solution—it transforms workflows, communication, and decision-making. Similarly, infrastructure architects create digital foundations that accelerate the deployment of such applications.

Power Flows

Sun, 20 Apr 2025 09:24:41 +0000

Power does not automatically flow from those that have it to those that are influenced by it.

As they say in dutch, quoting the poet Willem Elsschot: “tussen droom en daad staan wetten in de weg, en praktische bezwaren”. (“between dream and deed stand laws in the way, and practical objections”).

We want to understand this. If we want to exercise power, we need to understand the intermediaries. If we want to subvert power, the intermediaries are one of our disruptive points.

Execution Environments

Sun, 20 Apr 2025 09:03:00 +0000

What do a laptop, a smartphone, and a smart thermostat have in common with a browser, a database, and a data center?

They are all execution environments that contain software and data, and that makes them building blocks for deploying digital infrastructures. In a diagram we often depict them as a box, or an oval. Inside the box, software gets executed, instructions get interpreted, actions are done. Software without execution is just dead data.

Agile Requires Cloud

Wed, 12 Oct 2016 15:12:04 +0000

Getting to value quickly has value in itself. The faster you get to value, the better it is, generally. We’ll discuss some of the reasons for that elsewhere.

Agile development is all the fashion nowadays for getting to digital value quickly. Why is that and what kind of digital infrastructures does that require? Back in the old days, business software was primarily written to automate existing business processes. Those processes might change somewhat as a result, but in the core processes were no different. Think accounting systems, scheduling, “customer relationship management” and so on.

Lean Risk and Economics

Tue, 27 May 2025 19:58:41 +0000

From the moment a security vulnerability is discovered, it represents a negative value to its potential victims. When it gets exploited, it can lead to loss of data or loss of integrity of the data. This in turn impacts the victim’s business processes.

For example, if personal data is leaked, reputations will be damaged, financial losses and fines can be expected. Credit card abuse forms another example of loss.

This “damage potential” increases as the vulnerability becomes well-known, progressing from nation state actors, to organized crime, to script kiddies, just to name one example pathway. At first, few people know about it, but gradually more people will be able to inflict damage with it. Over time, each step adds to the likelihood of that vulnerability being exploited and causing real damage. The likelihood starts at near zero, and ends at close to 100% as the vulnerability is completely public. This only stops when an investment is made to mitigate the vulnerability, for example by updating the software. And hopefully, that investment is less costly than the damage potential.

Network Management Automation - the DHCP case

Fri, 04 Apr 2025 14:20:26 +0000

As we mature processes, they come within reach of actual automation. Especially IT management processes. To paraphrase General Carl von Clausewitz, who said “War is the continuation of diplomacy with different means”, we can say that automation is the progression of process maturity with different means - replacing human effort with software and systems.

My favorite historical example is IP address allocation. In the past, whenever there was a new computer, you would walk up to the head of the lab or data center and ask for a new IP address for that machine. You may remember that.

Business Model Canvas for IaaS Providers

Sat, 15 Nov 2014 11:18:17 +0000

Business Model Canvas

The Business Model Canvas is a strategic management tool that serves as a visual framework for developing and discussing business models. For additional information, see http://en.wikipedia.org/wiki/Business_Model_Canvas.

The business model canvas has nine basic building blocks. These define the interconnections and relationships within a business model.

The example used in this section is Amazon Web Services (AWS), particularly EC2 (virtual machines on demand). This is an Infrastructure as a Service offering. The power of the business model canvas approach becomes clear when we see how it can distinguish between various cloud service offerings.

Technology architecture for non-techies

Fri, 02 May 2025 08:07:42 +0000

Understanding the technical architecture of digital infrastructures is critically important, in particular for non-technical professionals.

I have spent more than a decade educating people on cloud security, for example through certifications such as the Certificate of Cloud Security Knowledge (CCSK), organized by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP), as organized by (ISC)2. These bodies of knowledge cover a lot of ground, and most of it is related to digital infrastructures at scale.

Deployment Diagrams

Sun, 09 Mar 2025 21:19:45 +0000

Deployment is everything that happens between writing software and actually using that software by its intended users. And as we get more software and more users, deployment becomes more complex.

Why deployment diagrams?

Deployment diagrams are a great technique for communicating about important decisions in deploying software. Decisions such as who is going to do what, how are things connected, and so on.

There are many ways to draw deployment diagrams and many standards to choose from. UML and Archimate are just a few of them. To me, there is no single right way to create deployment diagrams. In that sense, these diagrams are more like maps. And the usefulness of a map depends on the journey that you are going to make. A map for a mountain walk is pretty useless if you want to make a railroad journey and vice versa.

Business Model Canvas for SaaS Providers

Mon, 15 Dec 2014 11:18:17 +0000

Here is a high-level overview of the SaaS provider business model and some of the strategic options that are in there.

Business Model Canvas

In this unit, we’ll explore examples using two hypothetical SaaS providers: one offering bookkeeping software and the other a project collaboration platform.

Customer segments (CS)

In the Business Model Canvas, “Customer Segments” are the groups of customers that the company ultimately serves, I.e. the ones that consume and pay for the services.

Who made podcasting big?

Mon, 05 Sep 2005 13:35:00 +0000

Podcasting has its own digital infrastructures, for example in hosting them. Let’s look at how podcasting has grown, and what made it take off anyway? Many actors influence each other here, and the state of the art of the technology also has an impact on growth rates.

Suppose a hundred people get told by an enthusiastic friend to try podcasting. Of these, ten don’t have any hardware on which they can play the podcasts. So the rest goes online, and tries to find interesting content, but only 50 people can find a directory in which they can even start to look for podcasts that they like. Only 40 people then find content that they sufficiently like. Ten people drop out because they find loading the content too complicated. Of these, another ten find out that the files are too big for the hardware they have (for example in 2005, they just had a simple MP3 player, no iPod or similar). Of the ones left, another five don’t have the patience for the downloads (we are talking dial-up internet access for a lot of people here, still). If you have been keeping tabs: we are down to 25 people who are capable and willing to regularly listen to podcasts. Now suppose each of these tells four friends, on the average. That means we are back to a hundred.

What are AI Digital Infrastructures?

Sat, 08 Mar 2025 17:57:16 +0000

The AI landscape has many digital infrastructures.

Let’s explain this step by step and focus on which data is stored where and how it is processed.

A core element of AI systems is a trained model. This is especially true for the dominant form of AI these days: deep learning neural networks.

A trained model is the result of processing a lot of training data by a specific neural network. These models are fixed in size, but typically very big. The smallest useful models are close to a gigabyte, while recent public chat models run into multiple terabytes. LLM training costs hundreds, thousands, or more hours of compute time on specialized hardware.

Retrofitting Zero Trust on an existing application: an illustration

Fri, 28 Feb 2025 14:15:21 +0000

Zero Trust Architecture is an approach to better cybersecurity. To many, it seems daunting to implement. But it does not have to be hard to start.

Consider this hypothetical situation.

You have an application with hundreds of thousands of sensitive records, let’s say client records. We assume that in this example it seems hard to implement MFA (Multi Factor Authentication) on it. What other controls can you implement to reduce the assumed trust? We can use the Kipling method, which is at the core of Zero Trust architectures, to engineer better controls. In short, the Kipling method is about the ‘who’, ‘what’, ‘when’, etcetera of allowed communication.

Multiple Ways to Go Cloud

Sun, 03 Jun 2018 17:06:57 +0000

Public cloud migrations come in different shapes and sizes, but I see three major approaches. Each of these brings value in its own way, and they all have very different technical and governance implications.

Three approaches

Companies dying to get rid of their data centers often get started on a ‘lift and shift’ approach, where applications are moved from existing servers to equivalent servers in the cloud. The cloud service model consumed here is mainly IaaS (infrastructure as a service). Not much is outsourced to cloud providers here. Contrast that with SaaS.

Why lawyers need to understand cloud

Thu, 03 May 2018 13:54:48 +0000

Cloud is too important to leave to technical people.

Cloud distributes responsibility for IT services across an IT supply chain. This supply chain is composed of independent providers. This implies that there are these companies have technical boundaries that are matched by organizational and contractual boundaries. This is new, we did not have that before the digital revolution. Amazon calls this the shared responsibility model for cloud security. I would simplify that as: what do I do, and what do you do? For example, who is responsible for patching the Operating System in an IaaS service model?

A guide to digital sovereignty, autonomy, and business resilience

Fri, 11 Jul 2025 14:57:31 +0000

(First public draft)

Imagine that you are part of the government of an average nation, and you have just realized that IT has become a substantial factor in your operation. Or you have a similar position in a manufacturing industry, or in the financial sector. As IT increased in volume, you have tried to keep its costs down, it was just a facility. Outsourcing to more experienced partners was an option, and so was the use of cloud computing, for example for your Office applications.

Data, Risk, or Controls: where to start?

Mon, 01 Sep 2025 19:48:55 +0000

Where do you start your IT security journey? It is important, but it can be confusing.

For many organizations, the trigger is a compliance obligation to show that confidential information remains confidential. Maybe their customers are asking for an ISO/IEC 27001 certification, demonstrating that an IT risk management system is in place. Maybe they are handling credit cards and therefore need to worry about compliance to PCI DSS.

Controls

The common theme in these is that they are control based. The process is that you realize compliance by implementing a set of controls, such as defining a password policy, or implementing a type of firewall.

AI Roles and Responsibilities

Tue, 26 Aug 2025 15:56:05 +0000

AI systems, like most cloud systems, are composed of models, servers, software, and more, each of which can be provided by a different role.

We follow the roles outlined in the CSA AI Controls Matrix (AICM).

Each role also has promises associated with them (read more on promise theory here).

Together these run AI systems, from image recognition systems to Large Language Model based customer support systems.

AI Customer (AIC)

End users of AI applications. This includes the actual users as well as their organizational units. Even though they are only providing a service to themselves, they are still responsible for certain security and control functions. Some of these responsibilities are in the interest of their providers, and those are typically included in an AUP (Acceptable Usage Policy). For example, customers should maintain appropriate authorizations of users, and refrain from overloading their providers. Customers are also responsible for the business use of the data that is returned by the AI application.

Compliance is a Risk

Fri, 22 Aug 2025 09:18:35 +0000

For people who care about risk in IT, compliance is a mixed blessing. Compliance regulations can lead to better risk management, but sometimes it is more of a hindrance than a help.

Compliance in IT generally means compliance with regulations that are set up to reduce risk, for example, across a chain of actors. A great example is the PCI/DSS regulation, which governs everybody who touches a credit card transaction. The objective of this regulation is to protect card holders and card issuers from credit card fraud. The reason why the regulation exists in the first place is because negligence at one actor can lead to damages at another actor.

Organization Size Matters - Dunbar's number

Thu, 08 May 2025 20:45:16 +0000

Over the years, I have worked with many organizations, large and small. In one case, I implemented the exact same change in more than 15 organizations, whose size ranged from 35 to 35 thousand employees. You can imagine that this plays out differently across these organizations. But that is a story for another unit.

It led me to see patterns in decision making and trust. Who takes decisions in an organization? How do people even talk about decisions, especially when they concern digital technology? Who do you trust?

Games of value and power

Thu, 31 Jul 2025 12:30:29 +0000

A great way to look at how value is created in interactions between autonomous actors is game theory. How do autonomous actors respond to other actors? This is the core question here. How do you respond to an offer from a service provider? But also, how do they respond to you?

I have found game theory to be an effective model to think about the outcomes of sequences of interactions. This is because it clearly identifies the actors (or players) and their interests.

Non-Monetary Values

Wed, 19 Nov 2025 20:10:47 +0000

While value is often expressed in monetary terms, there are many other sources of value for individuals as well as for organizations. This implies that there are many other forms of power too, which is one of the reasons to look at this.

Individuals do not just have economic needs, they also have emotional needs. They don’t just want to support themselves and their families financially, they also want to belong to a group, act ethically, and be recognized as independent individuals.

A Unified Framework

Mon, 12 May 2025 21:05:36 +0000

The units so far have explored quite a few, seemingly unrelated, concepts and observations. Here we’ll embed them in a unified framework that illustrates how they fit together.

From the title of this book you can see that the main pillars of that framework include value, power, and risk. To get there, we need a fourth pillar: change. For now, we’ll call these pillars layers, though there is no implied hierarchy between them.

Big tech afhankelijkheid: wat is het echte risico?

Sat, 05 Apr 2025 09:36:33 +0000

Het nationale sentiment is negatief over de afhankelijkheid van ‘big tech’. Overheidsdata staat in een Amerikaanse cloud, we hebben geen eigen sociaal netwerk, enzovoort. En vergelijkbare sentimenten spelen bij andere organisaties.

Terecht wordt daarom nu op overheidsniveau een initiatief in gang gezet om wat aan die afhankelijkheid te doen. Dit initiatief staat ook bekend als Cloud Kootwijk. Maar met een motie in de Kamer zijn we er nog niet.

Emoties zijn vaak een goede indicator, maar geen goede inhoudelijke analyse. Ze leiden daarom nog wel eens tot beslissingen die onhandig, of zelfs contraproductief uitpakken. Hier legt de emotie wantrouwen bloot, maar waar die zich op richt moet een analyse uitwijzen.

How My Site Got Hacked

Sat, 29 Mar 2025 15:35:53 +0000

Detection

I should have acted on the first signals more aggressively. But let’s talk about that later in this story. Here is the story of my site being infected with malware, viewed by a professional cloud security expert. So I am going to apply all that cloud security theory to it.

The hack led to business damage at the end of one of my webinars. In 2016, on a Friday, I did a webinar, at the end of which I had two links to my site as a call to action.

5 Elements of Cloud Security

Mon, 24 Mar 2025 22:02:03 +0000

Five elements of cloud security

Historically, IT security started with infrastructure security. Just protecting the data center was good enough. But that was before we had data communications.

When data started to escape the confines of the data center we needed to protect it. Typically through encryption. Hence we need data security.

As the world wide web developed, we saw applications being exposed to it, and frankly, be vulnerable. So that is when application security started to become more important.

How AI Can Help IT Risk Classification

Mon, 24 Mar 2025 19:45:36 +0000

How cool would it be to let an AI do some of the grunt work in analyzing the risk of applications and services. This has the potential to speed up the work of risk assessors.

But, does it work in practice? Well, here is an example of AI-assisted risk classification. I downloaded some of the entries in the Dutch algorithm register, which is a public register of systems that use algorithms. For each entry about 30 fields are available, including name, classification, owner, et cetera. Some of the systems in the registry are AI-based. Indeed, we have AI to help check on AI…

International Actors

Sat, 22 Mar 2025 17:56:28 +0000

The international arena has many actors that can influence digital infrastructures. But opinions differ on what the important ones are, or even what the relevant ones are, as we will see. But the international arena matters, because by the nature of scaling, very few digital infrastructures are influenced by a single national actor only.

A word of clarification: I am using the word international here to mean all nations in the world, and their interrelations. In US vernacular, the word international appears to mean all nations, except the US. Instead, the word global is used to mean all nations, including the US. An example implication of this is that a US company would only consider ISO standards to be relevant to them if they also have operations outside the US.

The US Air Force Zero Trust Strategy

Fri, 21 Mar 2025 12:26:58 +0000

Who is really doing Zero Trust?

Well, the US Air Force is. Here is my summary, with some comments, of their strategy document for the benefit of my Certificate of Competence in Zero Trust (CCZT) learners. In fact, this is an edited version of a conversation we had during one of our classes.

You can download the full strategy here, and the current roadmap here, all linked from this page.

I think the fundamental first important point about the strategy document is that it exists at all. There is an actual organization of significant size that has a strategy and is implementing it. Many can learn from this.

Digital Infrastructures - the graphic novel

Sun, 09 Mar 2025 14:07:53 +0000

Here is the draft design of the graphic novel version of this book, which may or may not happen..

How Can We Achieve Autonomy Over Our Digital Infrastructures?

Sun, 02 Mar 2025 22:04:34 +0000

Building Our Own Cloud Kootwijk: Rethinking Digital Sovereignty

In the Netherlands, we are currently engaged in a heated debate about the undesirable dominance of big tech, particularly over a significant portion of the digital infrastructure of the Dutch government. This includes email, file storage, and many other forms of digital storage and processing—most of which are handled by American big tech companies.

I am sure a similar debate is going on in many other countries.

Deployment diagrams for network security; fix this

Fri, 26 Mar 2021 17:09:20 +0000

A while back, I introduced my take on deployment diagrams for cloud and devops infrastructure. Some of the big points there are: it starts with intuitive drawings. Many people draw these things in similar ways, even without them having formal training. In fact, formal training in architecture diagrams will not necessarily make those drawings easier to understand for the uninitiated. But still. There are good drawings and there are drawings that can be improved. My other big point is that deployment diagrams can be a great tool for security analysis. I am in some conversations with friends at banks who use them. Recently I ran into the following example. Here is an explanation of the difference between VPC and security groups. Great story, but I have some comments on the diagram, which used to come from AWS itself, by the way, but has been removed.

Top 8 cloud risks according to ENISA

Thu, 21 May 2015 09:22:07 +0000

Does security in the cloud ever bother you? It would be weird if it didn’t. Cloud computing has a lot of benefits, but also a lot of risks if done in the wrong way. So what are the most important risks? The European Network Information Security Agency did extensive research on that in 2009 already, and identified 35 risk categories. This analysis is used by a number of players in the industry, including certain banking regulators. From those 35, ENISA has selected 8 as the most relevant ones. This article explains them, not in any particular order. (And by the way: ENISA is pronounced as ‘eniesa’, not ‘enaiza’). You can also get the story on my YouTube video.

Controlling Cloud Sprawl in 2012

Wed, 01 Feb 2012 07:21:00 +0000

Even in a cloud world, reducing server count is a lofty goal in itself.

After all, you would be paying for all those servers anyway. Understand that sticking all your servers in a private cloud makes them more flexible, but not necessarily more efficient or cheaper.

Back in 2012 I did an interview with a guy who has a full time job in keeping those server counts down. Ron Kaminski is a capacity planner at Kimberly Clark Corporation (KCC). This interview is a composite of several conversations I had with Ron at the annual Computer Measurement Group (CMG) conferences, and a number of messages Ron wrote.

Directories are also infrastructures

Thu, 21 Sep 2006 10:54:00 +0000

One of the big projects I am working on right now (2006) is directory services for identity management. In these directories digital identities such as loginnames, addresses, access rights, etc. are stored. With an adequately structured directory service, the proper management of access rights becomes a lot easier, which translates into cost savings and better security.

Examples of these include the internet’s Domain Name System (DNS) and Microsoft’s Active Directory. A lot of organizations however, have requirements beyond these systems, and for these a wide range of custom solutions are used.

Mon, 01 Jan 0001 00:00:00 +0000

Typical mistake.

Manage your IT by reviewing all the tech and trying to figure out how to make sure it works, so that it can deliver value.

That is the wrong sequence, you likely to overlook the important bits.

You can’t manage your IT without looking at resource conflicts. Most IT systems act as some kind of digital infrastructure to its users, meaning that it has shared resources.

This sharing drives the benefits, for example by reducing cost or exchanging information.

Mon, 01 Jan 0001 00:00:00 +0000

Many in the IT profession confuse risk treatment with risk management.

Risk treatment is the process of reviewing a relevant risk and finding out what to do about it: mitigate, accept, or whatever it is you deem appropriate. If you look closely, there is so much risk in IT. Every individual device, every configuration setting (MS-Teams has over 2000 of them), every line of code, is potentially a risk.

That is a lot of risk.

Mon, 01 Jan 0001 00:00:00 +0000

to publish 22 dec ; nr 3.

In a previous message I wrote about the differences between risk treatment and risk management.

These are typically different activities, carried out by different parts of the organization.

But here is what often goes wrong with these activities.

If you understand the difference, you might be able to do something about it.

Risk management starts at the top as a paper policy and then gets translated into more and more paper. This process gets stuck when the higher layers in the organization don’t understand when their bureaucratic system can actually be translated into real tech.

Mon, 01 Jan 0001 00:00:00 +0000

AR nr 4 dec 2025. 23 dec

IT has not much value of itself, but it is a tool to create value elsewhere.

Often IT is about controlling a process better.

With more information about, for example, prospective customers, you can make them better offers.

With more information about the temperatures of your house, you can heat or cool it more efficiently.

With more information about stock, you can run better logistics.

Mon, 01 Jan 0001 00:00:00 +0000

AR nr 5 dec 2025. 29 dec

Subject: Velocity: the key to realizing value with IT

Many companies struggle to realize the value that they think should be realized with their IT.

Especially when they have multiple related projects going on, and a substantial set of applications.

What is often missing is velocity. Velocity is not just speed, it is speed with a direction.

Velocity is important, because when IT features become available sooner, two things happen.

Mon, 01 Jan 0001 00:00:00 +0000

AR nr 6 dec. 30 dec.

AI is dangerous. Really dangerous.

People project all kinds of human intelligence to it. But it is only a simulation of humans. Yes it is right a lot of the time. But unchecked its disasters can be colossal.

Uncanny valley.

AI is dangerous for the same reason large infrastructures are dangerous when misunderstood.

I have collected the best parts of my years of consulting experience on real projects into my book Digital Power: How Digital Infrastructures at Scale lead to Value, Power, and Risk.