Category Archives: Technology

Mitigating Risks of Cloud Services

08 Monday Dec 2014

Posted by in General, Technology

Leave a comment

Tags

, , , , , , , ,

As previously blogged there are risks with using cloud that differ from self hosting solutions. SaaS, PaaS and all the other XaaS offerings aren’t a panacea. Hopefully you won’t become the next Sony as the provider keeps you patched etc. But if you’re using a SaaS provider that goes bust or you get into litigation with your provider, as result losing access to your data. It could be potentially be months whilst the lawyers sort things out. A horrible situation that no one wants to find themselves in. But how to mitigate such risks?

Any half decent SaaS provider should give directly the means to get a view of all your data through a generic or custom report (s), or will should make available the means for providing an export of your data. The later approach may well come with a cost. If your SaaS solution has a lot of data in place – for example a multinational’s HR solution you may want to just target the extract of deltas. This means extra donkey work and someone to ensure it is happening. How frequently that should depend upon your business needs through an agreed Recovery Point Objective and the tolerance to potential data loss as you can assume you’ll lose everything from the last snapshot. If you have middleware in front of your SaaS service you can have a wiretap to reduce the risk here.

Your net position is in the event of a loss or possibly a prolonged service outage (remember even Amazon have had multi-day failures & not all SaaS solutions follow good cloud practise of being able to fail to secondary centres) is that you have your data and can atleast cobble something together to bridge the gap. Unless you SaaS vendor is offering you something very unique then they’re probably going to have competitors that are more than likely to be glade to help you import the data into their solution for you.

All this for a case of paranoia? Well actually you can have harvest a raft of other benefits from taking full data extracts – for example reconciliation with a view to managing data quality – statistics from Experian show the value of resolving discrepancies. This is to say – that you might find data errors between systems as a result things like edge scenarios such as handling errors in the integration layer. To illustrate the point, let’s assume that your web sales channel is via a SaaS provider and you’re receiving the sales into your on premise ERP for fulfilment and accounting. By taking every week all transactions in the SaaS solution you can identify and discrepancies and reconcile any issues between the sales solution, your finance and fulfilment capabilities to ensure what you have sold is what you have accounted for.  If we’re talking about solutions that impact your financial accounting, then for atleast US declarations it maybe necessary to perform such reconciliation in support of Sarbanes Oxley (SOX) requirements.

Add to this a richer data set can be added to your Big Data or Data Warehouse environments allowing you to gain potentially further insights into your activities.

When you are running a hybrid of on premise and cloud solutions or event just cloud but a mix of vendors don’t just think about you application data, but consider whether audit and web traffic information can be retrieved from the vendor – there maybe value in feeding that data into a solution such as Splunk which may then find a pattern of misuse or attack that may not show up with just the monitoring data from your on premise solutions.

The final point I should make, is don’t assume your service provider will let you at the data as described – look at your contracts before any payment or act of agreement. Ideally such checks should be part of your service due diligence activities (along with ESCROW) etc. There are SaaS providers who will consider the data as their property not yours even when the data might be about your employees.

Single Vendor Cloud

20 Thursday Nov 2014

Posted by in General, Oracle, Technology

1 Comment

Tags

, , , , , , , , , ,

The recent outage of Microsoft Azure, raises some interesting questions. This isn’t the first big vendor cloud service outage, Amazon AWS and others have had their moments. Of course this had lead to the recommendation that to ensure your service has continuity that a DR arrangement with a different provider be in place. This works with Platform as a Service. But what we have been seeing is move from PaaS up the value stack to vendors offering their own rich ecosystem to build on – from Amazon SQS to Oracle’s latest announcement Oracle Internet of Things platform.

These solutions, can be built with open standards etc but ultimately when used create vendor lock-in as no one else will have an equivalent capability with the same APIs. So how do you mitigate these outages, or even the risk of such an outage? Well Oracle do claim you can actually run all their cloud capabilities on premise. But is that practical? As cloud is adopted organisations are going to wind back their hardware capital outlay, after all that is one of the value points of cloud.

So where does that leave us? Accepting the risk and trying to mitigate the risks in our own commercial agreements? What about the fact in an IoT solution where you’re event stream processing and using period on period comparisons to set thresholds which means the likely data loss from an outage will have both ‘echos’ as you period analysis has holes in data plus false thresholds as the data hole will skew the data when that period is being used for period comparison.

Difficult questions with no obvious answers, other than you mitigate you things commercially and push Microsoft and others to make things more robust – time for Netflix Chaos monkey?

Next Generation SOA book

12 Wednesday Nov 2014

Posted by in Books, General, Technology

Leave a comment

Tags

, , ,

My copy of the Next Generation SOA on the Service Tech Press /Prentice Hall arrived today. This is first Prentice Hall book I have contributed to as a pre publication reviewer. It is always nice to see a recognition in the book, particularly when the draft of the book is of such a high standing your feedback is more helping finesse things.

Acknowledgements

Next Generation SOA

I have previously blogged that this is a book I would highly recommend, it isn’t a vast heavyweight text, but provides a great broad view of SOA in the current IT landscape.  If you’re not adverse to eBooks you might consider getting the ebook version as the diagrams look far better in colour than in the grayscale of the print edition.

Next Generation SOA

Thinking about a COTs Mobile Strategy

28 Tuesday Oct 2014

Posted by in General, Technology

1 Comment

Tags

, , , , , , , ,

More and more software capability is becoming commoditised and off the shelf either in the form of COTS packages or SaaS solutions new considerations and challenges arrive for customer businesses.

Recently we had an initial conversation at the architectural level with a vendor who have a well thought out end to end offering which includes mobile apps for our customers (white label offering). This is great in many respects as we can depend on our vendor to deal with the challenges of keeping mobile apps upto date and contend with the ever changing mobile landscape.

If a business you don’t fit into classic solution stacks for example Boots (now part of Walgreens) isn’t just a retailer but also a prescription pharmacist you’re likely to be sourcing solutions from different suppliers. The challenge comes from the fact you’re likely want to leverage different white label apps for different offerings e.g. prescriptions, eye test related etc (which are potentially going to come from different vendors, particularly if you want to adopt a best of breed set of solutions). It is however important that you get a consistency in look and feel, and unified authentication to the different apps is essential when presenting solutions to end customers. The worst thing in the world would be have different authentications which means the customer has to remember multiple passwords to engage with your business.

The look and feel can be to an extend dealt with by the fact a lot of contemporary mobile applications are built on a hybrid framework so you can use CSS3 to drive standardisation or atleast colour and branding; which plays to a white label strategy.

As to authentication that could be more challenging, you need consistency in approach between all of the applications, there are standards out there such as OpenId but you the different apps to offer the same authentication sources. Even OpenId has issues, and the support for the latest version of the standard looks somewhat mixed. But in addition to that there is the fact there is a degree of fragmentation for example Facebook used to support OpenId but now has Facebook Connect.

So if you wanted to offer a voucher system from your POS (Point of Sale) provider and perhaps an app for an ordering capability built around your ERP from a different vendor what are the chances of having consistency?

If you know all your vendors and launching your mobile solutions you can look for common denominators and drive in that direction. But this is a rare situation. All of this is ideally linked to your normal website as well which may well be linked to a different solution such as Oracle’s OID.

If the apps offer their own LDAP authentication service then you have the possibility of synchronising these repositories so if the user interacts with one app then the details can be pushed to the other apps’ repository through your own integration layer.

In a perfect world your white label apps will have the means to configure to connect to a single LDAP server, in this case you can get things aligned at-least for authentication.

Without this then there is going to be a pretty challenging situation, to the point the ROI on consistent user experience needs to be seriously examined ad it maybe time to think about building the solutions yourself.

Hierarchy of Data Assurance

19 Sunday Oct 2014

Posted by in General, Oracle, Technology

Leave a comment

Tags

, , , , , ,

I was discussing the challenges of ensuring that data is protected and proven to to have integrity and that as the data moves through systems that there isn’t data loss. This sort of thing starts at the simplest level with data validation and with the most advanced and greatest investment you have some end to end reconciliation framework.

Obviously this thinking doesn’t work in every environment, for example complex event processing (CEP) your going to just accept the data coming through and if it’s incomplete or data has been lost along the way you just accept it as it is – these conditions will create outliers which will get smoothed out in trends. It is possible you will have created he gaps by dropping data slow to arrive. But for the majority of your run of the mill solutions such as accounting, HR and so on the thinking stands up.

To communicate the idea effectively to senior management on the risks of just focusing on functional delivery and whether there is maturity in the delivery capability we hit on the idea of using a variant of Maslow’s triangle of needs – something I think everyone gets. You can see our representation here:

hierarchy of Data Assurance

The interesting thing is that you could look at the triangle and suggest that typically the more pressed a project is on factors such as volume of functionality, cost and/or time the more likely a project will remain at the bottom of the triangle. But as the width of the triangle at the point of the capabilities realised also reflects on the operational costs. So if you’re at the bottom of the triangle then you’re likely to incur more costs dealing with data issues as the means to detect and then resolve are a lot more restricted.

With frameworks such as those in Oracle’s SOA Suite and AIA it should make it easier to move up atleast part of the triangle, although full end to end reconciliation is more likely to demand more data centric tools, as you probably want to perform by doing batch like assessments.

Oracle middleware cloud – what does it mean to Mulesoft and Apigee?

10 Friday Oct 2014

Posted by in Oracle

Leave a comment

Tags

, , , ,

Oracle will soon be launching 2 cloud offerings – a hosted approach to their heavy weight SOA Suite middleware. But more importantly potentially for some of the cloud integration players like Mulesoft and Apigee is a lighter, web interface IDE solution. This lighter solution is clearly aiming (and statements made to the effective of) the Gartner pace layering ethos where you want to quickly link existing services together to offer new capabilities. This new cloud integration service will be aware of all the other cloud service APIs from Oracle you have and provide smart prebuilt transformations, which you can extend or change if you want. For non Oracle integrations the service is meant to use some intelligence and heuristics built through how other customers have realised mappings to make suggestions. With control frameworks for security, access and errors etc based policy mechanisms.

The solution includes access to prebuilt connectors to obviously Oracle products, but also the likes of Salesforce, Workday and more coming like Successfactors. When combined with other new cloud offerings such as their new mobile apps then the pacing message becomes a lot stronger. Add to this the cloud adoption of the CEP (Complex Event Processing) engine (which looks very good) and the addition of several API tools next year for catalog and realtime discovery and they will have a pretty solid suite.

With this lighter weight cloud solution there is meant to be means to pull the integrations out of the cloud and into on-premise middleware deployments. This makes sense as a lot of the capability looks to be built on top of OSB.

Add to all of this the other service offerings being launched such as Dropbox like distributed document with google doc like collaboration and there is a very potent story for the Oracle one stop shop. So you could use Oracle for best of breed integration but convenience and who got fired for buying Oracle is likely to be ruling story.

I suspect you will see Oracle appear strongly in the iPaaS assessments by Gartner soon.

Given Ellison has indicated that the new cloud services from Oracle will be aggressively priced it will be interesting to see how the smaller players differentiate themselves. I suspect one of the keys will be the speed of offering new capabilities by their cloud solutions both at the product core and through connectors. Prior to the 12c launch the rate of change in the middleware space didn’t appear to be rapid.

Oracle Open World Middleware Update

09 Thursday Oct 2014

Posted by in General, Oracle, Technology

Leave a comment

Tags

, , , ,

So having been fortunate enough to attend part of Oracle Open World I provided some support to the UKOUG Fusion Middleware SIG chairman with a short briefing on some of the key points from OOW.

The following are my initial notes, if you want the complete deck, it should be available through the UKOUG website.

Cloud
– key note from Larry was all cloud, cloud cloud
– more SaaS than anyone else – announced dozens of services is the last year – probably hundreds across all the sectors
– build and buy
– platform upgrade
– data as a service – BlueKai acquisition Data Management Platform
– Some of these offerings included capabilities that sounded like enterprise offered Dropbox – so might soon see personal cloud?
– data migration of data or app up and down from cloud push of a button (reality bit more complex)
– innovation for securing the cloud at lowest levels
– going after b2c and b2b capabilities

Middleware Cloud
– SOA Suite as a hosted solution or integration cloud which more like web UI for OSB integration.
– ethos change for integration cloud no deployment – develop and promote to production
– Override able Automated mappings when going between own cloud services or Oracle adaptors to 3rd party. Can built own mappings and incorporate own functionality
– Configuration controls policy driven such as error handling etc
– Can bring integrations back to on premise
– breadth & agility / ease (pace layering started to get mentioned a lot more)
– Use cases such as linkage to mobile – 7-11 use case
– More cloud adaptors coming to support 3rd party
– API inventory and discovery capabilities coming – successor to OES
– Support for JSON and REST alway through SOA rather than transformational capability only

Mobile Application Framework
– seems to have crept up quietly, successor to ADF mobile in the form of MAF Faces
– by delivering hybrid strategy like Phone Gap but enables Java in a container on Andriod & iOS
– MAF actually incorporates Apache Cordova – the open source version of PhoneGap
– with it is a new UI presentation style with all the support style guidance – ALTA
– Java on iOS but Jobs said …. done by compiling to native solution

A couple of presentation grabs ….

IMG_0107.JPG

IMG_0104.JPG

Impact of App Maintenance on brand

26 Friday Sep 2014

Posted by in General, Technology

Leave a comment

Tags

, , , , , ,

I have recently been working on some guidance on when to use mobile or web applications for my employer. What has been interesting is that there is plenty of information on the technical dimensions that should be considered. But not so much on the negative brand impact that could occur if the application isn’t targeted at users properly, and most crucially sustained.

Let me show what I mean by highlighting some common, but relevant observations.

Many end user businesses tend to work on a project or programme basis, so once a solution whether internal, B2B or B2C once delivered gets handed over to the operational teams to monitor and keep alive. Even for devops once the solution is deemed complete the bulk of the team will move to new objectives. Net result is that the solution remains static until new functional requirements are needed.

As businesses, we would like to increase the ability for customers to serve themselves and ‘shape their customer journey’ to what they want. All of which means we will increasingly see 1st point of customer engagement either as new or returning customers through apps in the same way as websites have prior to the rise in mobility.

We know that mobile devices are evolving at a tremendous rate driven by vendor competition. This has resulted in things like ever changing screen sizes and resolutions which have largely been growing but with Apple jumping into the watch market I think we’ll see another change in the next couple of years.

Not only have the screen resolutions changed, the interaction and presentation styles have been evolving. Take the huge change for IOS7 with the adoption of the ‘flat’ design paradigm, and with IOS8 subtler but important changes to allow changing of the feel of aspects like the keypad. This all before you think about the change and evolution of other solutions that you might want to integrate with such as Facebook, Twitter etc.

So, back to my original point, what does this mean? Well essentially if you’re going to invest in mobile apps you have to keep up the investment with regular updates to keep the experience current, you can’t really use the project model. With stats like Gartner’s around security (75% of apps not passing security tests by 2015) there is a clear need also to invest in capability to drive quality into the solution in all the less visible non functional issues and examining the solution continually from the user view point. This all adds upto a mobile application not being cheap.

Just to bring my point home, below are some screen shots from the Apple App Store taken very recently which reflect what happens and the impact you could end up with (and the feedback in a form that you’re unlikely to address). Not to mention Virgin is a pretty brand aware organisation, so we’d have thought they wouldn’t have got caught out by these challenges.

IMG_0102.PNG

IMG_0101.PNG

Adopting Collaboration Tools in the Workplace

14 Sunday Sep 2014

Posted by in General, Technology

Leave a comment

Tags

, , ,

I was recently reading an article from MIT Sloan about the use of collaboration tools in the enterprise. The article made the point that collaboration tools are being introduced into the workplace, but not being effectively leveraged and people continuing to use email. I think there is a correlation here to some of the statistics for mobile and web applications.

So let me start with some facts, and some thoughts before I bring it back to the point about office collaboration.

We know from research from organisations such as PEW (general view of use, older generation view) that there is a correlation between age and use of mobile devices, and mobile apps. This I believe reflects on technology in general. As collaboration technology goes, it is a fairly young set of ideas. Although many will associate collaboration with social – there is a difference when social is more simply just sharing information. Collaboration is not just sharing but collectively working on assets such as documents.

Add to this a view of the demographics of any enterprise leadership (although IT is something of an exception) and you will see that leadership is an older generation (illustrated by this FT article). So, understandably less likely to lead an organisation into technology adoption.

Add to this the constant noise and increased pressure on information security, remembering that the most harmful security compromises originate internally. So with this sort of consideration you’re likely to see downward pressure to keep things tightly controlled. Such tight reigns seriously impact collaboration from my experience.

The last key thread, is the fastest way to encourage adoption of something is for the executive and senior leadership visibly adopt something. Organisational role comes with an inferred command (a well established piece of psychology) best illustrated by a story where a chief exec wanted to motivate staff, so spent time wondering around talking with his staff, and in doing so made observations and suggestions to people thinking he was helping. But as his role inferred a level of command, he sound discovered that those suggestions and ideas had been read as instructions and his staff where rapidly implementing such suggestions.

So here you have a recipe, where executives potentially don’t get the power of collaborative technology, potentially nervous of the security implications and least of all not using position to leverage it. You can see why the technologies aren’t being effectively exploited.

What is worse, is that you will see hotspots of collaboration which will be established by those who get the ideas and will inspire their colleagues. This is the true risk of collaboration as it is unlikely to controlled or properly secured with no contingency or remedial actions in the event of a security breach as those situations aren’t being dealt with by

Mastering Puppet Review

09 Tuesday Sep 2014

Posted by in Books, General, Technology

Leave a comment

Tags

, , , , , , , , , , , , ,

Packt’s Mastering Puppet kicks off with substantial first chapter on how to setup Puppet in a manner that can then scale. The core of this is driven by an explanation of the constituent parts of a Puppet solution and where the workload is. In terms of execution this is as much about understanding the configuration of things like Apache, Passenger and Ningx as it is Puppet. As part of the explanation there are indicative numbers in terms of supportable scale which reflects the knowledge of the product.

Looking at configuration distribution for headless deployments with Git is a solid well considered piece and the writing suggests considers all the needs of a solid deployment of a production quality solution such as access control, whilst supporting collaborative working etc. it would be interesting to have seen how that would have stacked against capabilities such as Zookeeper.

As we move through the chapters the books continues with more advanced themes such as using Hiera as a object hierarchical framework for managing configuration and on into leveraging Puppet forge and various Git repositories (and the challenges when linking to git repositories of the latest code vs a release). With the repositories we can draw in additional tooling and how to incorporate these capabilities into a deployment. This includes looking at several modules that practical experience from the author would recommend.

By chapter 6 we’re into writing our own custom modules and facts and deploying them. So you can do things such as create modules to manage your custom solutions.

The next natural step is to look at the reporting aspects of Puppet, orchestration through marionette collective (mCollective). Obviously to report you need to gather the activity information, so the book touches on the out of the box (OOTB) approach and moves onto the idea of using IRC; presentation via Foreman and Puppet Dashboard. Finally then with a reporting view, the next step is to dynamically query the nodes in Puppet environment which uses mcollective to communicate back & forth with the nodes.

So now we have a dynamically configurable set of Nodes, which can report and have dynamic querying against the nodes.  Final chapters cover the use of things like PuppetDB, roles & profiles and developing and debugging your puppet environment.

Reading the book, I get the feeling that a fair grasp of Linux system administration would help (i.e. a bit more than the average developer). There are a few useful touches that I think could have been included, such as external references such as man pages for RPM or site for the Pulp tool mentioned. But, as criticisms go, this as much me being too lazy to Google. The only other refinement would be inclusion of some diagrams to support the words. As they say a picture can tell a 1000 words, even if this was to just show the hierarchy or directory structures involved.

Compared to the recently reviewed Puppet Reporting book, this book isn’t for someone starting out with Puppet (but the Packt site says as much). You atleast need to have got some basic understanding or practical exposure to Puppet,  and exposure to a development environment is an added bonus.  So if you’re setting out with Puppet you might consider starting with the Puppet 3 Beginner’s Guide (Amazon) or Instant Puppet 3 Starter (Amazon).  Having got those under your belt, try this book to to really develop the use of Puppet configuration and deployment.  When it comes to reporting I’d look at this book along with reporting book (reviewed here).  This book feels like more options are on offer, but Puppet Reporting is a lot richer (but you’d expect that given the different book emphasis).

In summary – good solid book, full of practical experience and ideas.  But don’t try to use this as a jumpstart to Puppet.

Below are a few links I thought might be helpful as they aren’t in the book:

  • YAML – human readable serialization format
  • Pulp – software repository management app
  • Ruby – Open Source OO programming language
  • Foreman – tool capable of extending puppet to deliver PXE capabilities along with capabilities such as reporting
  • Splunk – BigData style analytics on log files etc
  • Elasticsearch / Logstash / Kibana (ELK) – set of tools to provide analytics against log files
  • ActiveMQ – Apache implementation of a JMS compliant messaging solution used my mcollective

Mastering Puppet at Amazon.