Archive
Iasa UK North 1
Great Evening on Thursday at Iasa UK North 1 where Astra Zeneca played host to a great series of lightening talks! So good in fact that I have to push mine off the agenda!
Well, I still got chance to introduce the speakers and to give a quick overview of Iasa UK activities which you can find here.
Next up was Bola Rotibi from Creative Intellect who talked about what the enterprise needs architects to consider.
Next on was John Whiteway who went solo with nothing more than a piece of paper, his wit and intellect – great talk with the catchy title “Enterprise Social Networking underpins Predictive Science Capability”! Honestly inspiring stuff!
Following this was hard, but Simon Thurman of Emerging Technology at Microsoft UK is a dab hand, giving us a brief history of Azure on one slide …
After more pizza and beer it was time to realise that … Architecture is Boring, or so someone said to Neil Wetherall of Astra Zeneca! He gave some compelling reasons why people say this and more importantly, what architects should do to change this view …
Last but least it was the turn of Saffron Prior to share more secrets of agile and how it’s changing the way that IT generates value.
SO there we go … what a first night for Iasa UK North … with plenty more in store like this to follow!
Many thanks to all and especially Astra Zeneca for making this such a success!
Authentication as a Service
In partnership with Swivel Secure, the owners of PINsafe, a multifactor authentication solution inTHiNK has successfully delivered a solution to hosting PINsafe in the cloud opening the way to delivering bank grade authentication as a service at a price affordable to all.
inTHiNK has developed a fully standards based Security Token Service that sits in front of PINsafe allowing the service to engage in the exchange of SAML-based claims leveraging the core value of PINsafe’s guaranteed one-time code algorithm.
As shown in the diagram here, a trust relationship is created between a relying application, here it is an Azure hosted .NET web application, but it could exist anywhere, and the PINsafe Federation Service (the Security Token Service). On entering the application, the client is redirected to PINsafeFS where they are challenged to submit a valid username and pin through this services relationship with PINsafe itself.The client submits a user name and one time pin code and on successful validation are redirected back to the relying application with a valid SAML ticket that can be used by the relying application.
To try it out, just visit http://pinsafe.cloudapp.net and see for yourself.
Once you hit this site you will be redirected to PINsafeFS and asked for a username and pin.
- Type in the user name test and tab to the password.
- A unique TURing string will now appear.
- Type in the characters that appear at position 1,2,3 and 4 of this string into the password field.
- Submit and you will be validated by PINsafe
- Once validated, a set of claims about the user will be wrapped in a SAML token and passed back to the relying application.
- Back on the relying application, this SAML token is unpacked and the claims are accessed which include the user name.
Simple!
PINsafeFS is now in beta and available to clients to work with. The next phase will see the delivery of a full featured self-service portal to allow relying applications to manage their identities and the claims they wish to store and use for their users.
PINsafeFS is full standards based and non-invasive using WS-* protocols and SAML tokens.
Now
Welcome new inTHiNKERS
It’s with great delight to announce the arrival of two new inTHiNKers to the inTHiNK Associate network.
Bola Rotibi brings over 18 years IT experience and is a world renowned and respected Industry Analyst in ALM space.
Bola joins the inTHiNK network to help define and deliver first class advisory services right across the Application Lifecycle which we are seeking to launch early in 2011.
Richard Godfrey brings over 20 years experience is software development, having built some of the most powerful .NET and Windows Azure based solutions in recent times. He is a well known and respected Software Architect heralding from many years at Microsoft and Deloitte.
Richard joins the inTHiNK network to bolster our ability to deliver architectural services and solutions designs as well as taking these forward into implementation and delivery.
For more on Bola, Richard and the rest of the inTHiNKers click here.
Testing the cloud?
One of my favourite subjects of late is how do you test your cloud?
It’s always been a challenge to get testing more involved in the development process and tooling has come along way to making this possible. But what happens when you add the cloud to the mix?
I’ve had a few chats with Danny Crone from nFocus about this in relation to Azure and was really excited to see they’ve got an event on the very subject …
The only problem is that this takes place tomorrow afternoon in Reading so I can’t make it …
http://testing-with-vs2010-in-the-azure-cloud.eventbrite.com
I only hope that there’s a repeat or that they share some of the presentations …
This sits well with the ALM Health Check Service that inTHiNK is looking to offer in the coming weeks – more on this soon!
How Secure is your Cloud?
Cloud security is perhaps the number one topic when it comes to cloud computing and this is still definitely the case if you look like meetings like CloudCamp for example. So why then is there not more of a focus on it from the cloud vendors?
In their June report, "Assessing the Security Risks of Cloud Computing" Gartner provided a fairly competent list of questions that customers should raise with their prospective cloud vendors.
1. Privileged user access.
2. Regulatory compliance
3. Data location
4. Data segregation (which includes Encryption)
5. Recovery
6. Investigative support
7. Long-term viability
Although the list is useful, and I especially like number 7 raised in a security context, there are a couple of key points missing, that while they maybe covered in some subtext under these seven items I personally believe they should be raised to the top level. So here’s my additional set of security topics to raise with your vendor:
8. Internal threat management
9. Portability/access
10. SLAs/Penalties
11.Security in depth
Internal threat management
As we all know too well (or should), one of the majority of security threats of traditional data centres comes from within, with the cloud you’re passing this issue on to someone else. So what are the internal threat management procedures of your cloud vendor? How do they safe guard your data from prying eyes? Sure, encryption and segregation are elements that help here, but what are the data centre processes themselves?
Portability/access
A real favourite topic out there that in many ways overtakes the issues of interoperability is that of portability. How do I safeguard my ability to move from one cloud to another? Once my data is in a cloud how easily (expensive, quickly) can I get it off again? Now add to this the question of secure and robust portability and this becomes a really interesting question to ask.
SLAs/Penalties
So if there is a breach of security what is the cloud vendors policy? Is this transparent? Made publically available? What sort of compensation could you expect? Free hours? SLAs are an obvious discussion point with cloud vendors but are seldom discussed in terms of security.
Security in Depth
This is one I particularly like and relates to internal threat management and processes but specifically to the development and creation of the cloud vendor’s infrastructure itself. Clearly clouds just don’t happen, someone has to build them and that means software engineering. Therefore a clear explanation of their cloud development processes should be clearly articulated at a software development level. This is one of the key lessons Microsoft has learnt over the years and one I know well.
So what other security questions would you want answered by your prospective cloud vendor?
SOA: A square peg in a round hole?
It is really interesting when you look back on your blogs over the years and reflect on how your views have changed, and whether anything still remains true given what you know now. Over the past few months I’ve been researching the state of SOA today; well over a decade since .NET Web Services arrived on the scene and the term SOA first came to popular attention.
One blog I’ve referred to time and time again in talking about SOA is the one I wrote on SOA Anti-patterns back in 2005. I use these anti-patterns regularly when talking to people and had come to think that their value had never been more significant than they are today given the emergence of the so-called “cloud”. However, I had noticed that they resonated less well with those where SOA was being “successful”. It therefore came as quite a shock when I actually re-read the blog only to find that the core tenet on which these anti-patterns were based was actually proving to be itself one of the core anti-patterns of SOA and why in so many cases SOA has proved unsuccessful.
The anti-pattern was actually described in the opening section where I suggest that the decentralised nature of SOA “left unchecked” could lead to the occurrence of a number of the anti-patterns that I went on on to describe. Unwittingly, I had hit upon one of the core anti-patterns for SOA; the square-peg anti-pattern, it was just that at the time I didn’t realise it.
The square-peg anti-pattern
As I noted back in 2005, SOA is a “decentralised” pattern for integrating distributed systems, but what I didn’t realise at the time and where the true problem turns out to be, is that we insist on trying to fit SOA (the peg) into a “centralised” model of IT (the round hole). This is like holding the same poles of two magnets end to end, they repulse each other, we are simply trying to put two incompatible models of operation together as one.
From a centralised perspective of IT these anti-patterns make sense, but turn the problem on the head and they become less significant and maybe cease to exist. The reality of the problem turns out, not to be one of fitting a square peg into a round hole, but that there are simply no square holes!
For IT and let’s face it, for the really important part; the business, to really take advantage of SOA it needs to give up being the monopoly, it needs to decentralise and devolve control to the services themselves. The result is smaller IT, encapsulated within the service, focused almost entirely on delivering business value for that service, rather than having to pay a high tax to conform to the demands of a centralised IT function.
The three Cs!
So if this is the major problem, then why do it? Why not drop SOA and retain the centralised model for IT? Of course this is an option, but let’s look at it through the lens of the three Cs that Hammer and Champy raised in re-engineering the corporation:
- Customers take charge
- Competition intensifies
- Change becomes constant
IT is subject to the same pressures and has to deliver the service that is required by the business. Your customer demands the ability to be more in control, dynamic, they have choice and increasingly have the potential to ‘shop elsewhere’. The competition from others who can provide the service, faster, cheaper and to order is increasing. The rate of change required by your customer grows daily and the need for IT to move from reactive to proactive and part of driving business.
Specialised Units of Business Capability
In looking at the trends within the business itself, one can see it is differentiating into often finer units of specialism. the benefit being, to take advantage of market leading innovation quicker, cheaper and at lower risk. IT needs to power these new capabilities, but can’t do so through a rigid model of centralised command and control. These new capabilities need to move fast, grow fast and evolve quickly in response to change. The IT needs to be as close to that business innovation as possible and be part of the solution rather than a problem that slows down their time to react.
The rise of the Central IS function?
So what now for IT? Is it the end of IT department? Well may be it is, as we know it today. Decentralisation is inevitable for Business as it is for IT, as the technology layers commoditise there is less need for many of the old functions of IT, but given all these moving parts, these increasing units of specialised business capabilities, the increasing number of sourcing choices for services of all shapes and sizes, it is clear that there is a need for:
- co-ordination
- governance
- compliance
- innovation management
These, then become the watch words for the future of the centralised IT function, but it is perhaps the name that needs a change, it is less about the technology but still about the information and management and certainly needs to nurture innovation and of course it’s all about the service.
Welcome to the:
Corporate Information and Innovation Management Service.
Azure Architectural Guidance Part 1 Review: Migration
I once had the chance to move over to Redmond to deliver architectural guidance for Azure with the patterns & practices group so you can imagine my interest in seeing what they managed to produce in my absence, despite it taking quite a while to get this out there.
Where to get it
Documentation: 
Source code:
The Review
As a piece of “Achitectural” guidance I am to be convinced that this delivers on its promise. In what states to be the first in a series it, rather oddly, decides to focus on “Migration” as the first topic. Personally, I was expecting more of a architectural review of the platform itself taking into account architectural considerations of reliability, scalability, redundancy and security and the like. These, instead, are confined to a rather light-weight platform overview, that raises more questions than it answers, including several inaccuracies, that reads more like marketing literature than offering technical insight. This may be because it is assumed that the “what is Azure?” discussion has already been done to death, but I don’t agree. No one has really addressed the architectural considerations of the platform, providing a thorough explanation of how features have been implemented and on what their limitations are. Certainly, nothing exists, to the level required by architects facing real business and technical opposition to cloud adoption. This, in my opinion is a missed opportunity and something that is still required.
That said, this is couched as being “guidance” and therefore the fact that it seeks to investigate the process of “migration” should not make it any the less useful. However, in this regard too, it fails to really deliver what, in my opinion the architect requires. Rather than considering a wider range of ‘adoption’ scenarios, it chooses instead, a simple, straight forward migration scenario in the context of an enterprise that has no concerns over use of cloud services. The real issues architects face in convincing others of the value of cloud, and even in convincing themselves in order to champion the opportunity is therefore avoided. A broader look at migration approaches and patterns and how these apply in the context of Azure I think would have provided more value to the architect.
However, it is important to note that the guidance is not completely devoid of any architectural value and the “How much will it cost?” section is a pretty useful evaluation approach to considering the cost impact of design decisions. It also does a reasonable job at introducing the subject of lifecycle management, although this is rather over simplified, it is still useful in highlighting the requirement. But it is on the developer side where the guidance starts excel, providing hundreds of developer gems hidden through out the document, such as the effect of partition keys on table query performance and in identifying the differences between development and windows azure table storage, referencing a useful MSDN article on the subject. In valuable stuff, but hidden from view.
In fact, it is pretty clear why the scenario was chosen, this is not really about providing architectural guidance, but in providing a context for explaining how to implement claims-based identity on Azure. As a technical resource for providing practical developer guidance on implementing a Claims-Based Identity and Access Control using Active Directory with an Azure application, this guidance actually scores pretty high. This type of guidance is simply not available else where. The problem and shame is that all this architectural veneer, hides the fact that this delivers genuine and much needed technical value and further, that no one who needs it will actually find it.
All in all, this is a valuable and well written resource, but my concern is it’s misdirected and that it’s value wont be fully recognised unless the right audience find it and in its current format, this audience would find it hard to get past the first pages to find all the goodness inside. The need here is to liberate the value and consider re-delivery as a straightforward, honest, simple to follow, developer how to guide. In the mean time, if you want to try and implement claims-based identity on Azure than I’d recommend skipping straight to Phase 1: Getting to the Cloud or even straight to the source on codeplex.
The Verdict
Rating (as Architectural Guidance): 5 out of 10. There are gems, but they’re hidden.
Rating (as Developer “How to”): 7 out of 10. If reformatted as a developer guide I’d put it nearer a 9!
Visual Studio Architect Guidance
I got chance to organise an analyst briefing last week at Microsoft to cover the architecture capabilities of Visual Studio 2010. It was a great session as there’s such a strong and exciting story growing for Microsoft in their support not just for architects but right across the Application lifecycle that also reaches out to support development not just of .NET but other languages too which is a great example of Microsoft taking interoperability seriously.
There’s plenty I could talk about, such as UML support and more significant, that you can reverse engineer the likes of sequence diagram directly from your code. Or the architectural explorer and the support for creating layer diagrams with rules that you can then validate your code against plus the support for dependency matrices, and so the list goes on.
However, this raised a slight concern for me that with the growth in tools like these could eventually lead to a significant overhead in learning how to use them. Obviously they are built to be intuitive and easy to use but all the same, the shear volume could become overwhelming.
But as luck would have it the meeting coincided with the release of a codeplex project that provides guidance on how to get the best out of Microsoft’s Architect Tooling in Visual Studio. This has been produced by a set of Microsoft Rangers who have the job it provide out of band solutions for missing features or guidance on the product so you know it’s always going to be useful and based on real-world experiences.
Finally, as this guidance had input from Alan Wills, who has long been synonymous with the world of software modelling, I can’t recommend it highly enough. It’s worth downloading an evaluation copy of VS2010 Ultimate and having a trail if you haven’t already upgraded!
Architect Tooling:
vsarchitectureguide.codeplex.com/
Visual Studio Ultimate:
www.microsoft.com/visualstudio/en-us/products/2010-editions/ultimate
The Pig, The Banker and the Cloud
A story of cloud awareness
This is the story of the Banker and the Pig. It is not based on any specific single reality but on the collection of many factors. It’s based on the presentation I prepared called Unbundling the bank.
”Oh no!”, says the (fictional) Banker (not related to any actual banker I have met!) on seeing the initial slides from the Unbundling the Bank presentation.
“We live in a multi-sourced, software+service (Hybrid Cloud) world!”
”We just didn’t know it!”
”But hold on”
”Isn’t SOA dead?”
”Didn’t SOA fail to deliver a return on investment (ROI)?”
“And anyway, we’re too silo’d and project and opportunity driven to consider adding cloud to the mix too!” the Banker concludes, almost looking a little relieved.
“Ah yes, but the problem isn’t with SOA it’s with the SOA Junkies!” says the Pig.
“The SOA Junkies?” shrieks the Banker!
“Yes” says the Pig calmly.
“They think too much like Adam Smith with his division of labour and Henry Ford with his assembly line! They’re too Task oriented!”
“They think in terms of the Separation of Concerns, abstractions, and ah … yes Re-Use, the magical holy grail of Re-use!” continues the Pig.
“How many times have we tried to deliver the ‘Single view of the Customer?’” asks the Pig rhetorically!
“These approaches just breed more complexity and like the forth bridge, never end, adding little if any business value as a consequence. All they do is pile on the technical debt from which IT slowly suffocates” remarks the Pig.
“The problem is that the approach is based on technology principles instead of the principles of business!”
“We need to look above the ‘HOW’; above the layers of people, process and especially the technology.”
“We need to focus on instead, on the ‘WHAT’ instead! We need to map the enterprise that describe its Business Capabilities. These encapsulate the people, process and technology, and unlike these things, capabilities are stable, unchanging, self-contained, measurable and above all value-oriented in relation to the business.”
“Oh!”, says the Banker!
What is an Enterprise?
“So let’s step back for a moment” says the Pig “and ask ourselves, what is the Enterprise?”
“Obviously, there are customers, one hopes! And then there are the Business partners, but what is actually inside that box we call the enterprise?”
The Banker is puzzled.
“Well I’ll tell you”, says the Pig, “It’s interesting, but from a capability perspective enterprises look remarkably similar to each other!”
“Ugh?” snorts the Banker.
“Looking at an enterprise’s capabilities at the top most level and we can see a regular pattern of capabilities that occur in all enterprises.”
“Firstly, there is a capability to plan new products and services.”
“Next, there is the capability to develop these new products or services”
“Third, there is create demand for these new products and services”
“And finally there is the need to Fulfil the delivery of these products and services. Simple, but amazing in the same way.” says the Pig with an air of triumph.
“All there is to an enterprise is simply Plan, Develop, Demand and Fulfil! Oh and add to this Collaborate too and that’s it; the 5 core capabilities that every enterprise or business has!”
“But hold on this can’t be all there is to it, surely!” questions a rather bemused looking Banker.
“Well of course not!” chuckles the Pig, “Each of these capabilities contains 1 to many sub-capabilities and these then contain more capabilities within them! So far we’ve taken capabilities down 5 levels and it still amazes me that this model holds true across the vast majority of enterprises we’ve seen!”
“Of course, there is variance, but there is about a 70% recurrence of these capabilities, even down to level 5, across enterprises, and across verticals!”
Silence.
“Ah how I love patterns” sighs the Pig looking upward as if to look for some hidden force.
The New Model Enterprise
“Ok, ok, so this is all very good” says the Banker, a little impatiently. “I can see that this is all very nice and pretty, but there’s devil in the details of those little capabilities!”
“There’s still the problem with the HOW!”
“Ah yes”, says the pig, nodding his head knowingly.
“Because these capabilities are stable, well defined and measurable, you can ask questions of them, value-oriented questions like, ‘what’s your value to the business?’ and ‘How healthy are you?’”.
“From the answers you get back you can produce a heat map of the enterprise that will give you a view of the health of your enterprise and more over where to focus your efforts in drilling down into the capabilities below, to find out what really is at fault and where to prioritise your efforts!”
“You can do this as a light-touch mapping across the enterprise and only drill down on the areas that flag up through the heat maps. Making it and efficient process”
“Ahhh” says the Banker, relaxing his facial expression slightly for the first time.
“But here’s the thing …” whispers the pig, leaning forward as if to ensure that this is for the Bankers ears only.
“Capabilities allow you to decompose the enterprise into discrete self contained units of specialisation, in so doing you can differentiate between the ones you care about; that creat value, and the ones you don’t.”
“You can then think about unbundling yourself from the cost of managing and maintaining these yourself.”
You can plan to move these away from a ‘bespoke’ internalised model to that of a more ‘standardised’ model.”
“Think of these capabilities as being like mini-enterprises all neat and self-governing and that the HOW might not need to be your problem at all” the Pig Winked.
“Oooh” says the Banker, his eyes widening, but this time less in shock and more in anticipation.
“Exactly”, says the Pig. “Now you’re looking at your enterprise differently aren’t you.”
“A suite of mini-enterprises doing stuff themselves, but collaborating to deliver a bigger result than they can do themselves. Some may even deliver their capability to another enterprise in time. This happens already if you consider the SaaS applications you are using today!”
“Furthermore, you can create new dynamic specialised capabilities and build them in the model of being a mini enterprise, able to persist on their own, without the layers of management that the models of the industrial era would and do enforce.”
“One day, like others before them, these once innovations, now commodity capabilities could be set free to find other consumers or markets and maintain their own innovation edge.”
“Now you have unlocked a new kind of strategy strategy; that of the New Model Enterprise (NME) based on Business Service Centric Principles!”
“And you can start to take advantage of the multi-sourced Software + Service (Hybrid Cloud) that you know we already live in.”
“Oh my!” gasps the Banker!
“Don’t believe me?” asks the Pig?
“Hmmm?” questions the Banker.
“Just go and ask the other banks …” said the Pig.
And with a nonchalant flick his tail, the Pig hoped off the Bankers head and returned to his glorious mud bath.
After all it really was the most splendid weather for the time of year!
The End.
Supporting Information
It’s interesting to note from Joe Mckendrick’s, SOA’s Dead, long Live Services blog that Gartner suggest SaaS doesn’t equal as much as 1% of enterprise IT Budget spend. But as Joe comments, the market seems healthy enough and it’s worth looking at some of Ray Wang’s numbers who reports that “SaaS vendors kept steady growth in the double digits”.
Unbundling the Bank @ CloudCamp
The other night I tried my hand at a 5 minute cloudcamp presentation which was mad and to be honest didn’t go according to plan! But hey I’ve put all that down to life-long-learning now and in probably talking to the wrong audience!
Below is the deck I presented and for some most baffling reason, that I can’t explain, the deck centres on a conversation between a very scared banker and a pig on his head!
I came across it while hunting for images of banks and it made me really laugh at the time, but unfortunately I think it bombed a little on the day – no one (especially the OSS crowd) likes a guy from Microsoft trying to be funny – I had that feeling of the stand-up comedian confronted with silence once he’s delivered his best line! Urgh, the memory makes my skin crawl!
That said, I like the story and while the slides are great (of course;)!) I’ve had a go re-telling the story in a little more detail which I hope you’ll find fun and maybe even useful! You never know! This will follow as a separate post but in preparation here’s some background followed by the deck itself.
Some background
The title for the session came to me as you’ll know if you’re a regular to my blog, from the post I did the previous week that referenced an original post I did back in 2007 after seeing a session at QCon from Chris Swan and Craig Heimark. It came back to me a week or so ago when I got to talk to a group of around 30 Enterprise Architects for a large UK Bank. For too many the thought of using cloud was almost abhorrent and you could almost feel them each mouthing the words that “our bank will never use the cloud!”.
However, I had an ace up my sleeve being able to show, even back in 2008 through the work I did with Freeform Dynamics called IT on the front foot that Financial Services were among the leading adopters of Software as a Service (SaaS) at the time (remember the phrase cloud had not come to the fore at this time).
But what was perhaps more interesting was that contrary to popular belief, SaaS adoption is far more significant where IT is seen as a strategic advantage to the business. Most, especially many of the SaaS vendors wrongly argue that it’s an opportunity for business to bypass IT and focus their efforts on that of converting the business executives, avoiding what in reality could be a quicker route through IT itself. It is clear that with the early adopters, success has very much depended on IT being involved and potentially driving the agenda. To support this, it is increasingly the case as you listen to early Cloud adopters from IT who talk of the need to convince the business of the benefits of cloud versus the risks.
The final graph from the report I used shows that in the majority of cases SaaS adoption only takes place where there is a commitment to Service Oriented Architecture (SOA)! This makes sense given the obvious concerns over storing data external to the organisation. An Enterprise that has a strategic position on Integration is clearly able to take advantage of the resultant hybrid model that must naturally follow.
The Slide Deck
Next post will tell the story of The Pig, the Banker and the Cloud.
Matt Deacon's All New Digestive Blog 