Sunday, October 21, 2007

SOA Security

The National Institute of Standards and Technology has released a 128-page guide to help organizations understand the security challenges of Web services in service-oriented architecture. Download link http://csrc.nist.gov/publications/nistpubs/800-95/SP800-95.pdf

Issues addressed in the publication include:

  • Confidentiality and integrity of data transmitted via Web services protocols.
  • Functional integrity of the Web services requiring the establishment of trust between services.
  • Availability in the face of denial-of-service attacks that exploit vulnerabilities unique to Web service technologies.

Web site dedicated to Service Oriented Security http://www.service-orientedsecurity.com/

California Enterprise Architecture Program issues SOA Security White Paper http://www.cio.ca.gov/caIT/pdf/SOA_Security_White_Paper.pdf

Free SOA Security E-Book http://www.team509.com/download/docs/security/hacking/McGraw.Hill.Osborne.Media.XML.Security.eBook-TLFeBOOK.pdf

BPM and Security from James McGovern http://duckdown.blogspot.com/2006/12/thoughts-on-bpm-and-security.html

Colin White on SOA Security and reuse http://colin.trematon.com/enterprise-business/soa-security-and-enterprise-reuse/

Most of these are courtesy of Garry E. Smith

Sunday, August 19, 2007

Unifying Process Framework

The UPF is a business framework that is generic to businesses and applies across all sectors, commercial and public. It is naturally used by IT where it is part of a business, or by IT if it operates in a market where it is servicing a number of businesses on a commercial basis.

http://www.bita-center.com/upf2

Article 1 - 'The IT Management Status Quo and 5 Year Challenge'
Article 2 - 'Concepts of a Unified Framework and Mapping Existing IT Frameworks'
Article 3 - 'Mapping IT Governance and the IT Value Chain onto a Unified Framework'
Article 4 - 'End to End Service Management: A Case Study'

Article 5 - 'The UPF Support Dimension'
Article 6 - 'The UPF Enabling Dimension'

Article 7 - 'UPF 'The Way Forward''

Business Model or Operating Model

Recently, in one of the EA online discussions, the concept of Business Model vs Operating Model was explored. I just wanted to use this post as a way to summarise the thinking for my own use.

Chris Potts' view on the components of an operating model:

  • Key operational performance ratio(s) - usually only one or two primary ones from which everything else cascades
  • Core financial structure - P&L, new investments and cash flow
  • Distribution of accountabilities and competencies - e.g. product versus geography
  • Organisation - capability areas, not actual roles
  • Processes and knowledge (as one composite framework, not two separate ones)
  • Systems and technologies

The following are reasons why an organisation might want to invest in an operating model:

  • To provide input to their plans for investing in change
  • To help figure out why their current operations are underperforming
  • To decide how best to integrate a new acquisition
  • If a company is planning to change its business model, to compare current and intended operating models and expose the impacts and costs of the change 
  • When the company is scenario planning its business model, to explore the operating impacts of different scenarios and therefore help assess their relative merits

There are some schools of thought out there on defining the Business Model as a construct; following are links to some of them.

If you take a Value Chain or Process viewpoint, the following links might help.

There is a Business Model Design template from Arvetica that is helpful when starting the journey.

 

The only challenge with this model is that it does not give a lot of weight to Market Architecture, which is Chris Potts' speciality and which I am eager to find out about :-)

MIT Sloan has published some material on Business Models, and they describe a business model as "what a company does and how they make money from doing it". They then classify it using 16 Archetypes; more info here: http://process.mit.edu/Info/eModels.asp. The concept can be downloaded from the following location: working paper.

Let's not forget the book "Enterprise Architecture as Strategy", which started the whole discussion. It defines the business model as the following types.

  • Replication - Few shared customers with highly variable product design. Example is a holding company that has a set of companies in related businesses. An example might be a company that owns auto dealerships, auto financing, and auto parts stores.
  • Coordination - Shared customers with highly customized products, services, and features. A wealth management firm is a good example. They sell a set of services such as financial planning, insurance, and estate planning. Each of those services is provided by different companies but there is a high degree of sharing customer information. The services are coordinated by a single representative.
  • Replication - Few shared customers with operationally similar product units. This is the franchise model. (McDonalds)
  • Unification - Consistent product design and globally integrated processes for all customers. (Dow Chemical Example)

Monday, June 18, 2007

Web Services Security and Federated Identity Authentication

Some time back [circa 2004] I wrote a paper on the above topic; the link is attached. It is more for my benefit than anyone else's, so that I can find the file quickly :-). Any comments welcome.

Web service security

Friday, June 15, 2007

Business Architecture Kick Start

Ever wanted to get a quick overview of business functions in an organisation? SAP have done a great job with their Business Maps; worth checking out: http://www.sap.com/solutions/businessmaps/index.epx

Sunday, June 10, 2007

Service Oriented Network Architecture (SONA)

Not that we did not have enough acronyms to confuse us, but CISCO goes ahead and creates another one. I was doing some background research on an article published by the CIO magazine, "The Rise of Service-Oriented IT and the Birth of Infrastructure as a Service", when I came across SONA. A quick search on the CISCO website showed standard marketing hype and nothing more: CISCO SONA Stuff. What I was looking for was some sort of reference architecture on how CISCO saw all this working. I like the concept; it is just that so far it appears to be half-baked stuff created by marketing.

From a concept point of view, if the network can become application aware (for example, in a branch office, if the link goes down the network can cache till head office comes back online), things like that will be a big boost for SOA, as applications then don't have to worry about implementation of reliable messaging and so on.

If anyone has more info on SONA or Infrastructure as a Service I would be really happy to hear it.

Sunday, May 27, 2007

Business Process Architecture and SOA

Recently I had the pleasure of presenting at the BTELL Conference on Business Process Management on the topic of Business Process Architecture and SOA. Fortunately the talk was well received and did raise interesting points. Subsequently the organizers have asked me to come back and give a similar talk with more architectural focus at their upcoming Enterprise Architecture Conference. Those of you who missed the earlier conference should try and make it to this one. It is well worth a look and quite a few industry leaders in the EA space will be there. Check out the web site at this URL: http://www.btell.com/content/eac07/

If you do decide to make it, do look me up.

Wednesday, January 31, 2007

Changing of the guard

For the past couple of years everyone from Gartner to Harvard Business Review has been talking about corporate agility, where lack of the same can kill organisations. Following that, in the IT press SOA has been promised as the panacea for all the ills, somehow delivering the ultimate agility to organisations. All this hype got me thinking about why there is so much demand for agile organisations.

From an organizational history point of view, large organisations (from banks to car manufacturers) were able to mass produce goods at a higher quality and lower price point than their smaller competitors (mom and pop shops). For many years this was a great thing, and lots of small businesses either became bigger or were absorbed into larger organisations, and some went belly up.

With the advent of the Internet and efficient global logistics (UPS, FedEx and so on), the cost of advertising and distribution dropped and the world became flatter. Consumers got fed up with mass produced items (there are only so many IKEA coffee tables you could buy) and started to look for customized products. They wanted something different, something tailored to their needs (home loans tailored to their needs, furniture customized to their flat). An entire market emerged to satisfy this trend and slowly it is becoming the norm rather than the exception. In such a market large organisations are asked to produce items with greater variety and lower quantity per batch. Such a shift does require some fundamental shift in thinking, and many organisations have successfully made the transition.

In such a rapidly changing environment large organisations are finding their huge investment in IT infrastructure preventing them from moving rapidly. IT investment, which once was a competitive advantage for these organisations, is proving to be a disadvantage; smaller competition with no legacy infrastructure or lumbering mainframes to support is able to adapt to changing consumer needs at a much faster rate. The question that emerges is what value IT really adds to an organisation’s revenue or profitability. McKinsey recently did a study in Europe where they looked at how much value IT spend was adding to the bottom line of the organisations. The graphic below is straight out of their report and I am including it without their permission, for which I apologize.

 

From the study two things were found:

  • IT spending varied between 10 to 30 percent of operating costs.
  • Higher levels of IT spending didn't increase the effectiveness or efficiency of the business (banks that appear to get the most business value from IT spend up to 40 percent less than the weakest performers).

The four quadrants above represented following aspects of IT spend.

  • Effective business enablers, achieve the greatest business efficiency and effectiveness, from a relatively low level of IT spending.
  • High IT spenders pay out about 13% of their operating revenue on IT but don’t see the desired impact on business efficiency and effectiveness.
  • Heavy IT transformers, spend about 15 % of their operating revenue on IT, mainly for specific business transformation projects.
  • Efficient IT executors spend just 10% of their operating revenue on IT but haven't achieved a high level of operating efficiency.

The above study is definitely interesting, as I then wanted to compare how Australian banks would fare in such a scenario. Banks are interesting as they are quite intensive users of IT and have made significant investment in the same for the past couple of years.

The challenge was finding the right information, as I did not know anyone in the banking industry. The journey started by gathering publicly available information, i.e. annual reports which outlined how much they spent on IT or communications. Mind you, as I am no balance sheet expert, I may well have got my figures mixed up (at least I would have them consistently mixed up). The following graph is a summary of what I found.

The above figures are based on 2005 annual reports and represent a total IT spend of AUD $3.5 Billion out of AUD $24.4 Billion operating expense. One thing that emerges is that Australians don’t spend nearly as much compared to their European competition. Commonwealth Bank and Westpac both have large outsourcing models in place, hence have limited discretionary spending. Bank of Queensland may appear to be out there, which could be due to their large BPO contract which gets added in as an IT cost. A word of caution at this point: please do not fall into the simplistic metrics trap, as the figures don't really represent business value being added by IT. I am using them as a mechanism to compare entities and to see if their size has any relation to the money they spend on IT.

If we look at the above numbers from an innovation perspective it appears large IT spend does not guarantee innovation. Smaller players like Bendigo Bank are able to offer services like two factor authentication for their web client while the bigger ends are still struggling. In the last couple of months innovation has become the buzz word and everyone is looking to IT for innovative ideas that will transform the business.

The question then emerges: is innovation the domain of big players with huge R&D budgets, or can smaller players outmaneuver their bigger rivals? History has proved otherwise: smaller startups have been able to innovate, bring new products to market and capture a bigger slice of the market. Others have been able to open up totally new markets where none existed before; Google and YouTube are prime examples. If smaller players can be more adaptive and innovative, will it change the model of corporations as we know it? Will this mean we are going to see smaller, more nimble players banding together and forming virtual entities yet retaining their autonomous sub parts? ...........till next time.

Saturday, December 30, 2006

Architects

Not having blogged for some time, it feels a bit strange to do so again. The last few months have been hectic between the birth of our second son and a few projects coming off the boil simultaneously (one of a sensitive nature, restricting what I can blog about).

Someone recently asked me what I look for when I am hiring an architect. The question caught me off guard as I had never given it much thought. In the past I have interviewed lots of Solution Architects, hired a few good ones and a few not ok ones. The problem with interviews is that it is such a luck of the draw; despite the best intentions there is no guarantee of outcomes. Having said that, I wanted to pen down what I thought made a good enterprise/solution/software/architect.

Architects in our information age have a unique position: they sit between the business and technology, acting as a bridge between competing domains. This role has become even more important as the role of IT has changed from Automating Business to Information Management and finally Business Transforming (Information Paradox). The other paradox with the architect's role is that even though they play such a crucial role, very often they have no power to direct things, other than to influence from the sidelines. Often when IT projects turn bad, CIOs have been known to turn to their Architects (Enterprise or Solution) and ask them where were you when the rot started (on the sidelines watching the project go downhill).

From my personal experience and what I have seen in others, to be a successful architect one needs to have equal parts of the following professional traits.

Salesman: to be able to sell the concept to other members of the team and stakeholders. Basic sales skills are important to firstly empathize with others and understanding what they are truly looking for.

Preacher: As an architect one needs to believe in something and have the ability to appeal to others' emotional core. When things don't go as planned, everyone in a software project team has a tendency to turn to the architect who had initially articulated the vision. During such trying times faith in one's ability should be unfaltering. The downside of being too much of a preacher is the flame wars we are so often familiar with: "Linux is better than Windows", "RUP is better than SCRUM", "UML is the only modeling language the world needs".

Thinker: This is perhaps the most important ability of an architect, the ability to solve complex problems either by abstraction or separation of concern. This is the trait which gets discussed the most when talking about architects, so I won't waste any more time or space.

Dana Bredemeyer and Ruth Malan, in their article "What It Takes to Be a Great Enterprise Architect", describe the US Constitution as a form of Enterprise Architecture and James Madison as the first Enterprise Architect. They outline skills similar to those I have outlined above and include a few more (domain expertise, political acuity, strategic ability, and leadership skills).

Having said all this, an architect's job is never easy: they often have to juggle multiple dimensions and competing priorities, with the responsibility to articulate a solution which balances all these dimensions and then communicate it to a diverse group of stakeholders. James M Butler, in his book Technology Blueprints: Technology Foundations for High Performance Companies, defines a form of psychosis that afflicts architects when these forces go out of balance. Following is his list.

"Dimensional Myopia: Focusing too tightly on resolving certain dimensions of the problem space while being unaware of or choosing to ignore others

Evolutionary Vertigo: Refusing to ever commit to an approach, tactical or strategic, based on a perception that the solution spaces are changing too rapidly, thus resulting in a lack of traction

Molecular Paranoia: Working 23 hours a day to mentally maintain for real-time access all details along all dimensions and scanning all news sources for any external influence for fear of missing any single detail, relevant or not

Reverse Acrophobia: Clinging only to the highest levels of abstraction and avoiding reality-based grounding while apathetically assuming that the engineers can and will do all the heavy lifting"

I have seen Dimensional Myopia especially among architects who come from a specific stream background (i.e. Data Architects tend to see the whole world as a database). As a software architect it is important to have well rounded experience, preferably some in the non-IT space (manufacturing, finance and so on). Recently, reviewing someone's architecture, I came across Reverse Acrophobia; in this particular case the solution was at a level of abstraction where reality was a problem. I am not going to comment on Molecular Paranoia as sometimes I suffer from that affliction :-).

Recently I came across a beautiful quote from Chris Bangle, Chief Designer at BMW, where he says "Engineers make the world happen. The role of the designer is to give them focus." In the world of IT, Architects play the role of designers, and software developers, hardware engineers and network engineers make it happen.

As a final word have a look at this article http://www.cio.com/archive/030105/blueprint_sidebar_five.html

Sunday, October 08, 2006

VS2005 and SOAPExtensions

For the last couple of days I have been concentrating on creating some SOAP extensions that will allow me to log messages, validate messages and monitor performance counters in my web services. I got stumped the other day when I was trying to debug the extensions by adding them to a dummy web service. It turns out that in VS 2005, when using the default documentation page to send SOAP to the web service, I could not get the SOAPExtension to load. After spending a day researching I discovered the problem is that IE, when sending the message, uses HTTP GET and this does not get intercepted by the SOAP pipeline. In the end I had to use Altova XMLSpy to send test messages to the service in order to debug. Finally it is working now; just got to finish my Logging, Validating, Authenticate, Timing and Exception throwing SOAPExtension library.
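
A minimal message-logging SoapExtension of the kind this post describes, as an added example rather than the author's own library. The names `MessageLogAttribute` and `MessageLogExtension` and the log path are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Web.Services.Protocols;

// Added example, not the author's library. Apply [MessageLog] to a [WebMethod].
[AttributeUsage(AttributeTargets.Method)]
public class MessageLogAttribute : SoapExtensionAttribute
{
    private int priority;

    // Placeholder path (assumption). Keep it outside the web root and restrict
    // its ACL, because SOAP bodies can carry credentials and personal data.
    public string LogPath = @"C:\Logs\soap-messages.log";

    public override Type ExtensionType { get { return typeof(MessageLogExtension); } }
    public override int Priority { get { return priority; } set { priority = value; } }
}

public class MessageLogExtension : SoapExtension
{
    private static readonly object sync = new object();
    private Stream wire;     // stream ASP.NET reads the request from and writes the response to
    private Stream buffer;   // seekable copy handed to the (de)serializer
    private string logPath;

    // Called once per method when the extension is applied through the attribute.
    public override object GetInitializer(LogicalMethodInfo method, SoapExtensionAttribute attribute)
    {
        return ((MessageLogAttribute)attribute).LogPath;
    }

    // Called once per service type when the extension is registered in web.config.
    public override object GetInitializer(Type serviceType)
    {
        return new MessageLogAttribute().LogPath;
    }

    public override void Initialize(object initializer)
    {
        logPath = (string)initializer;
    }

    // Swap in a memory buffer so the message can be read without consuming it.
    public override Stream ChainStream(Stream stream)
    {
        wire = stream;
        buffer = new MemoryStream();
        return buffer;
    }

    // Invoked only for requests that go through the SOAP protocol handler.
    public override void ProcessMessage(SoapMessage message)
    {
        switch (message.Stage)
        {
            case SoapMessageStage.BeforeDeserialize:   // raw request has arrived
                Copy(wire, buffer);
                Log("REQUEST", buffer);
                break;
            case SoapMessageStage.AfterSerialize:      // serialized response is in the buffer
                Log("RESPONSE", buffer);
                Copy(buffer, wire);
                break;
        }
    }

    private void Log(string label, Stream source)
    {
        source.Position = 0;
        // The reader is deliberately not disposed: disposing it would close the buffer.
        string xml = new StreamReader(source).ReadToEnd();
        lock (sync)   // serialize writers; requests are processed concurrently
        {
            using (StreamWriter log = new StreamWriter(logPath, true))
            {
                log.WriteLine("{0:u} {1}", DateTime.UtcNow, label);
                log.WriteLine(xml);
            }
        }
        source.Position = 0;   // rewind so the next consumer sees the whole message
    }

    private static void Copy(Stream from, Stream to)
    {
        byte[] chunk = new byte[4096];
        int read;
        while ((read = from.Read(chunk, 0, chunk.Length)) > 0)
            to.Write(chunk, 0, read);
    }
}
```

Entries appear in the log only when the method is called with a real SOAP request, such as one sent from a generated proxy or an XML tool.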

Thursday, September 07, 2006

Companies get the systems they deserve

Over the past couple of years, working with various clients in Australia, Europe and the US, I often came across organisations whose applications were siloed and in a total mess. During these times I did often wonder how they got there; understanding that is partly the way to help them get out of it. Recently I came across the following quote, and I think in a few lines it aptly sums up the issue. The challenge is how you fix something as fundamental as this.

Jim Crookes, Chief Architect at BT has observed,
“Companies get the systems they deserve. A company's systems estate is a result of its culture, organizational history, and its funding structures. Coherent, well integrated systems will only ever exist in companies that value coherence and integrated service.”

Tuesday, August 29, 2006

Just when you thought VB6 was dead

I recently came across this while reading Australian IT and could not resist the urge to blog about it. Sun and Microsoft have teamed together and released Semplice. You might be wondering what Semplice is. Project Semplice - Visual Basic for the Java Platform, yes indeed. It will allow you to compile your program to the Java platform and run it on any platform that the JVM supports. You never thought that it would be possible to run VB6 on mainframes, did you? Well, here is your chance :-)

More details here, have fun. Would be interesting to see how this technology is received and pans out.
http://blogs.sun.com/herbertc/entry/project_semplice_visual_basic_for

Sunday, August 06, 2006

Business architecture

When doing Enterprise Architecture for any organisation, most people tend to start from the bottom up. They would map out the infrastructure architecture (more or less what assets they have), application architecture and maybe their information architecture. What often gets left behind is the business architecture: fundamentally, what is the organisation trying to achieve and do all its assets support that objective. The key to achieving this is to have a solid understanding of what the business motivations are and what its strategy is, and then map it back to its applications and infrastructure, while maintaining all the relationships that exist between all the entities.

Just trying to visualise the scenario (Business Strategy to Function to Application and finally to Infrastructure) will send most people into a head spin; often we try to visualise the complexity using Visio or PowerPoint. These are good presentation tools but lack depth when it comes to modelling dynamic relationships. This then leads to simplifications and the risk of abstracting the reality away just so we can fit it into the modelling tool of choice.

In next couple of weeks I will try and blog around this concept and how it then translates into SOA (Business Services vs. Web Services).

Another blog from inside Microsoft Word 2007 Beta; as you can see, I am loving this.

My first Word 2007 Blog post

This is a test blog to see if I can publish from right inside Word 2007 Beta.

Monday, July 03, 2006

Excellent Enterprise Architecture Books

For the past few weeks I have had the pleasure of working with Adrian (he is a Principal in the Architecture and Strategy Team); during this time we have had numerous discussions about what should make an Enterprise Architecture. Surprisingly we have been in violent agreement all the time. He shares the same view as me: EA is more than IT, and it should encompass all aspects of an organisation including manual tasks. Often, when we focus too much on the IT aspect, we miss the flow-on effects manual tasks have on IT dependent processes.

Adrian being more experienced than I am (having been Chief Architect for 3G at Vodafone in UK), has written a simple book on the EA framework that he has developed during his career. I would recommend it to anyone considering some light reading on the topic.

Book Details:
"An Enterprise Architecture Development Framework: The Business Case, Framework and Best Practices for Building Your Enterprise Architecture" : by Adrian Grigoriu
Link: http://www.amazon.com/gp/product/1412086655/sr=1-1/qid=1154835650/ref=sr_1_1/104-0229407-0975133?ie=UTF8&s=books

Sunday, July 02, 2006

Some changes for good in my life

I have been silent for a long time on this blog and it has been due to some personal reasons. Most of you who knew me professionally were aware that I was working as National Lead Architect for Volante Software Solutions in Sydney. Volante became target of a hostile takeover by Commander Communications and they won after a protracted period. At this point I thought it may not be a bad idea to explore greener pastures.

A couple of months back I got a firm offer from Oakton to join their Enterprise Strategy and Architecture team as an Enterprise Architect. I did accept the offer and for the past month have been working with them. Having said that, I am still passionate about technology and Microsoft .NET, so will continue to blog about that including SOA, and some new areas around Business Architecture, Application Architecture, Information Architecture and whatever else catches my fancy :-) .

Monday, February 13, 2006

Agile dev end of life, Waterfall is back

For all the SCRUM and Agile people out there, Waterfall is back. Have a look at this conference and meet all the like-minded people: http://www.waterfall2006.com/

One of the guys at work sent me the link after I had been pestering everyone why Agile is so cool....

:-)

I found the following really funny and will resonate with all Architects.

"If designs are ruined by execution details, then we should divorce designs from execution. Implementation is harmful to designs! Implementation ruins the elegance, beauty, and symmetry of designs. The problem is execution; and so it is execution that must be eliminated. As a community of designers we need to insist that our designs remain unexecutable!"

Saturday, January 28, 2006

Ever thought what would happen if Amazon and Google were to merge

This is an old movie but a classic. It looks at how we bloggers are changing the world, what would happen if Google and Amazon were to merge and become one company, and how Microsoft will respond. What will happen to all of us, the bloggers......in 2014.

Have a look at this http://mccd.udc.es/orihuela/epic/ might change your perspective at things.

I remember at the last Code Camp in Wagga Wagga someone (an un-named person :-) ) said, "I don't buy books any more, prefer to read blogs instead" think about that after seeing this movie....I am already seeing in my profession what I call Bloggitechture (Software Architecture by blogs ).


By now I think I have pissed off quite a few people, so let me stop now.

Wednesday, January 25, 2006

Ever wondered how much your blog is worth

This one is worth B$1,297.49; there is a web site which calculates what blogs are worth. Mine is way lower than Frank's, which is worth a princely amount of B$19,216.04. You can check your blog rating out on this page: http://www.blogshares.com/ . This is the trading history of Frank's blog:
http://www.blogshares.com/newgraph.php?type=price&large=true&blog=http://blogs.msdn.com/frankarr/

Sunday, January 15, 2006

Future Shock and our daily lives

Those who know me will know my fascination for the book Future Shock written by Alvin Toffler. He was recently in Sydney, Australia and said the following in his interview with the Australian Financial Review.
"The issue is not jobs but creating value, creating something that someone else needs," he says. "Whether you get that through a regular, paid job, whether you do that as a freelancer, or whether you do that as a group that forms itself for a purpose and then folds up its tent."

Every day we worry about where our next job is going to come from and how the Indian outsourcing engine will affect us. Yet we continue along creating value for our customers and employers, hence remaining employed. Fundamentally I think the day we stop creating value will be the day we slowly start moving towards unemployment.

His other thought that interested me the most was "It a period in which wealth is now mobile and we can reverse the tyranny of distance because value is so often based on intangibles and weightless products. ". Which is so true: did I write a kilo of code today :-) or how many kilos of software did Microsoft ship this month?

Anyway I am eagerly waiting for his new book "Next May, Toffler publishes his latest book, Revolutionary Wealth (Alfred A. Knopf), about the way we are making money and will continue to make money in the knowledge economy. " April 25th to be precise.
http://www.amazon.com/gp/product/0375401741/103-2029315-9912650?vi=ossnet-20&n=283155