The problem with certifications

Certifications sound like a great idea, and if I were in HR recruiting IT people, I could be forgiven for thinking that they tell me something important about a person’s skills level. But I would be wrong.

The idea of certifications is not wrong. If I were having a boiler installed, I would probably want the technician to be certified to work with gas. This would be an industry certification, perhaps with an independent assessment body. They might also have done some training for the specific type of boilers they install. The IT industry does not do this. It has vendor certifications that are intended to demonstrate a skill level with a specific technology:

  • Cisco Certified Internetwork Expert (CCIE) and Cisco Certified Design Expert (CCDE)
  • Microsoft Certified Solutions Expert (MCSE)
  • VMware Certified Design Expert (VCDX)

The certifications are hard. Anyone who has a CCIE certification has demonstrated the ability to study and has the aptitude to pass a certain type of exam. They may also have been fortunate to have an employer willing to pay the steep fees for courses. The question, however, is whether they demonstrate real expertise in the technology.

The problem is that the course material is created with the idea of enabling an exam, and the exam is created purely as a test of the course material. An example will show what I mean.

This example is taken from the Cisco material for TSHOOT. This is one of the exams for the Cisco Certified Network Professional (CCNP) Routing and Switching certification. It covers the skills for troubleshooting and maintaining Cisco IP Networks. Cisco certifications are some of the best, so this example is not an adverse comment on Cisco. It is just an example of a certification topic.

Troubleshooting an IP network requires a good understanding of TCP/IP, and how packets flow through a network from server to switch to WAN and client, and back to the server. NetFlow is a way of recording information about flows, so that you can diagnose performance problems. There is quite a lot you need to know about flows in order to diagnose problems. The course material tells us that:

"A flow is a unidirectional stream of packets, between a given source and a destination, that have several components in common. The seven fields that need to match for packets to be considered part of the same flow are as follows:

  • Source IP Address
  • Destination IP Address
  • Source Port (protocol dependent)
  • Destination Port (protocol dependent)
  • Protocol (Layer 3 or 4)
  • Type of Service (ToS) Value (differentiated services code point [DSCP])
  • Input interface."

I suppose there are a number of concepts here. One is that the flow is a specific "conversation" between client and server. Now this is a bit surprising. It says "unidirectional". Does that mean that the response to a request is in a different flow? How can I tell if there is a network or server delay if the request and response are in different flows? Another concept is that you can’t jump between interfaces. You might have more than one network connection to a switch, but those would be separate flows. I don’t really need to know that there are precisely seven fields: I can always look that up. And I don’t need to know trick questions about what might be a field but is not. TCP/IP flows are a really interesting topic, and I would like to know a bit more about it.
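To make the definition concrete, here is an added example (my own code, not from the Cisco course material) that keys constructed packets on the seven fields the course lists. It shows the request and the reply landing in separate unidirectional flows, the same connection seen on a second input interface becoming a third flow, and one way to re-pair the two directions so request and response sizes can be compared; the packet layout and the sample traffic are assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# One packet as seen on a router interface. proto is the IP protocol number
# (6 = TCP, 17 = UDP), tos the ToS byte, in_if the router's input interface.
Packet = namedtuple("Packet", "src_ip dst_ip src_port dst_port proto tos in_if size")

def flow_key(p):
    """The seven NetFlow key fields, in the order the course material lists them."""
    return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)

def build_flows(packets):
    """Aggregate packets into unidirectional flows: one record per distinct 7-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        flows[flow_key(p)]["packets"] += 1
        flows[flow_key(p)]["bytes"] += p.size
    return dict(flows)

def pair_conversations(flows):
    """Join each flow with the one in the opposite direction (addresses and ports
    swapped). ToS and input interface are dropped for the pairing: a reply normally
    enters on a different interface and may carry a different marking."""
    per_direction = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for (s, d, sp, dp, proto, _tos, _if), rec in flows.items():
        per_direction[(s, d, sp, dp, proto)]["packets"] += rec["packets"]
        per_direction[(s, d, sp, dp, proto)]["bytes"] += rec["bytes"]
    conversations = {}
    for fwd, rec in per_direction.items():
        rev = (fwd[1], fwd[0], fwd[3], fwd[2], fwd[4])
        canon = min(fwd, rev)  # same key whichever direction is seen first
        conv = conversations.setdefault(canon, {"a_to_b": None, "b_to_a": None})
        conv["a_to_b" if fwd == canon else "b_to_a"] = rec
    return conversations

# Constructed sample traffic: one HTTPS connection, one packet of the same
# connection arriving on a second link, and one DNS lookup. Sizes are plausible, not captured.
PACKETS = [
    Packet("10.1.1.5", "192.0.2.10", 51000, 443, 6, 0, "Gi0/1", 74),    # SYN
    Packet("10.1.1.5", "192.0.2.10", 51000, 443, 6, 0, "Gi0/1", 66),    # ACK
    Packet("10.1.1.5", "192.0.2.10", 51000, 443, 6, 0, "Gi0/1", 583),   # request
    Packet("192.0.2.10", "10.1.1.5", 443, 51000, 6, 0, "Gi0/2", 74),    # SYN/ACK
    Packet("192.0.2.10", "10.1.1.5", 443, 51000, 6, 0, "Gi0/2", 1514),  # response
    Packet("192.0.2.10", "10.1.1.5", 443, 51000, 6, 0, "Gi0/2", 1514),
    Packet("10.1.1.5", "192.0.2.10", 51000, 443, 6, 0, "Gi0/3", 66),    # other interface
    Packet("10.1.1.5", "192.0.2.53", 40001, 53, 17, 0, "Gi0/1", 78),    # DNS query
    Packet("192.0.2.53", "10.1.1.5", 53, 40001, 17, 0, "Gi0/2", 142),   # DNS reply
]

if __name__ == "__main__":
    flows = build_flows(PACKETS)
    print(len(flows), "unidirectional flows;", len(pair_conversations(flows)), "conversations")
```

The nine packets produce five flows but only two conversations, which is exactly the gap between what the exporter records and what a troubleshooter wants to look at.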

Now here is the test question:

"Which of the following is not a NetFlow key field?

  • Source IP Address
  • Layer 4 Source Port
  • ToS Byte (DSCP)
  • TTL
  • Input Interface."

Did you notice what happened there? I don’t need to know anything about flows. I just need to remember the list of seven fields. And I need to be aware of trick answers. Is Source Port really Layer 4? Is the ToS value really a byte? Did I just forget TTL, or could there be a reason why Time to Live is a field that I have forgotten? None of this matters in the real world. In the real world we switch on NetFlow, and configure a collector like SolarWinds. The real work is in interpreting the NetFlow data. And NetFlow is expensive. And it can’t tell you what is happening on the parts of the WAN you do not control. And it does not tell you what response time the user actually experiences.

The problem here is the methodology. If the exam were in algebra, there would be a vast body of knowledge, different course material, trained teachers and professional examiners. But there is no such body of knowledge or of educators for troubleshooting an IP network. Cisco has to get someone to prepare a course and someone else to prepare an exam. The exam is a test of the course.

Certification courses provide useful training. And simple exams that test whether you paid attention are OK. But certifications do not prove skills. They prove a willingness to study, and an aptitude for a certain kind of test.

Windows 10 S for Enterprise?

Windows 10 S is the new edition of the client OS that is restricted to run only applications from the Windows Store. The advantage is that it is more stable and secure than an OS where the user can install software from anywhere. Microsoft has positioned the OS for the education market. But perhaps it has possibilities for the enterprise too.

Windows 10 S was released in May 2017. It is only available as an OEM installation, for example in this Microsoft Surface Laptop.

[Image: Microsoft Surface Laptop]

Vendors with Windows 10 S laptops currently include Dell, HP and others. Prices are in a similar range to other laptops and notebooks.

The marketing from Microsoft is aimed at the education market, but what interests me is the scope for using Windows 10 S in the enterprise. Mobility is costly, and this OS might bring the cost down.

The main problem for enterprise mobility is making it secure. One approach to this is the managed laptop:

  • a custom Windows 10 Enterprise image
  • joined to the domain
  • encrypted
  • authenticated by a certificate
  • no admin rights for the user, OR admin rights with more active detection and blocking
  • SSL VPN client
  • web proxy client.

This has more complexity and higher support costs than a standard desktop. An alternative approach is to do away with the idea of validating the device at all, and provide access to enterprise data and applications only through a virtual desktop. In this case mobility is provided by any device running the remote access software, like Citrix Receiver or the VMware Horizon client. It can be a Mac, a Chromebook or a mobile thin client. The problem here is that, if you want to work offline, you need to store data and you need local applications. If you do that, you again need a managed device, and you add further costs.

Windows 10 S may provide a new option. Use a regular desktop in the office, and a Windows 10 S laptop for mobility. As the Windows 10 S laptop cannot run applications except from the Windows Store, the level of protection and additional support required is much lower. You can still run Office applications like Outlook. You can still edit a PowerPoint presentation or work on an Excel spreadsheet offline. But the scope for malware is much reduced. If you need to use an enterprise application like SAP when working from home, say, then you can use remote access to connect to a virtual desktop or a published application. But in this case the virtual desktop needs to be provided only to the mobile users and not to all users.

Windows 10 S supports these enterprise features:

  • Trusted Platform Module (depending on the OEM hardware)
  • Certificate Store for enterprise certificates
  • BitLocker disk encryption
  • Azure domain join and Windows Hello authentication
  • mobile device management with Intune, AirWatch or similar
  • desktop applications from Microsoft, Adobe, etc. as long as they are available from the Windows Store.

The typical company laptop is an expensive compromise. It needs to be powerful enough to run enterprise applications, light enough to carry around easily, secure enough to hold enterprise data, flexible enough to allow the user to work offline. I think on balance I would prefer to use a regular desktop in the office, and a Windows 10 S laptop for mobility.

OneNote and OneDrive

Have you tried using OneNote recently? It is a free product from Microsoft, but it rarely gets a mention. Combined with OneDrive, it is a good tool for keeping track of different types of information related by topic.

OneNote has been around since 2002. It is one of those products that you don’t hear much about, and it is easy to overlook. But it is a very useful tool for keeping track of different types of information related by topic. For example, let’s suppose you find a good article online. You want to make a note of the author, the URL, the key points and a graphic. Maybe you have other notes on the same topic. How do you do it, and where do you keep it?

You might try Notepad; but you can’t save the image or a hyperlink there. You could use MS Word, of course. Now you have a document. But how would you relate it to other material on the same topic: all in one document, or using different documents in a folder? And how would you add something new from your mobile?

OneNote organises information in a hierarchy of Notebook, Section within Notebook, and Page within Section. You can move sections and pages around, if you want to reorganise. You can make links between sections and pages. In this sense it acts like a Wiki.

[Screenshot: OneNote example notebook]

You can use different types of material: text, images, tables, audio and video files, hyperlinks, file attachments.

[Screenshot: OneNote Insert menu]

You can also use OneNote as the notes manager for Outlook items, like appointments, contacts or tasks. The Outlook plugin adds OneNote to the menu bar, and lets you choose which notebook to save notes in.

[Screenshot: Outlook ribbon with OneNote button]

From the notification area on the desktop taskbar you can make "quick notes" without opening OneNote.

[Screenshot: OneNote notification area icon]

This opens a note with a cut down menu.

[Screenshot: Quick Note]

In Edge you can use the OneNote Web Clipper to clip pages or parts of web pages and put them straight into notebooks. For example, here we are clipping a piece of a web page from Wikipedia:

[Screenshot: OneNote Web Clipper]

The screenshots shown here are from the free version included with Windows 10. Office 365 has an enhanced version: for example you can add a spreadsheet item instead of a simple table.

When you open OneNote, you sign in with a "Microsoft" account, either a personal account at live.com or a business account through Office 365. You can add more than one account so, for example, you could share a Travel notebook between your personal and your business accounts. You only need to open the notebooks you choose, so at work you could open a Projects and a Travel notebook, while at home you could open a Travel and a Family notebook.

OneNote notebooks are saved automatically in OneDrive, the online personal datastore. This makes them accessible from anywhere, provided your security settings allow it. You can open your notebooks from Windows, Mac, iPad, Android and Windows Mobile clients. So, if you are away from your desk and you want to make a note, you can save it in the right notebook instead of hunting around for it later.

You can also share notebooks. You can share with Edit or View rights. The sharing is managed through OneDrive permissions, and you can manage the sharing in OneNote or OneDrive.

[Screenshot: Share Notebook dialog]

OneNote is a good example of a simple idea developing over time into a useful tool. Do you remember Groove? Groove was a tool created by Ray Ozzie, creator of Lotus Notes. Groove Networks was founded in 1997, and acquired by Microsoft in 2005. Groove allowed document synchronisation and sharing, where both parties connected through a broker. Ray Ozzie later became Chief Software Architect at Microsoft, where he started the services that became Azure. The broker was the forerunner of SaaS services, and Groove was the forerunner of OneDrive. Now OneNote and OneDrive do more or less what Groove used to do, but in a simpler and more versatile way.