Category Archives: Technology

TOGAF Certification – Passing on the Helpful Tips

10 Monday Mar 2014

Posted by in General, Technology, TOGAF

Leave a comment

Tags

, , , ,

Having successfully become certified with TOGAF 9. I thought it would be good to share some hints, tips and observations that have helped me along the way.  So as you may know the exam is conducted through multiple choice – but that simple examination approach should not give a false sense of ease – because a lot of the options will sound right (until you understand the exact technical meanings).

  • Training course or not to training course, that is the question? Personally I wouldn’t taken on the exam without the training – the TOGAF full text runs to 1000 pages. The course for me at least gave 1000 foot view, an some insight from practitioners and the 1st set of suggestions on preparing for the exam.
  • One of the key points I picked up is the terminology and language is very important. Understand the key terms and read questions very carefully and a lot of information will standout. As I was told when on the training, it is surprisingly common for the right answer to often be the longest textual answer because it is being semantically accurate.
  • Books – well I’d suggest that the full TOGAF® Version 9.1 manual is a desk reference for whilst practicing TOGAF. To get the exam under your belt read TOGAF® 9 Foundation Study Guide you will need to pretty much need to know this stuff cover to cover. Although the guide is Foundation stage – it will get you a long way and you can add additional knowledge from the TOGAF® Version 9.1 A Pocket Guide
  • From these guides you need to know the ADM itself, including the steps in each phase, what the techniques are for and why you might use them (things like gap analysis etc).
  • The study guide has mock stage 1 exams, and each section also has practice questions – take advantage of them. The questions are stylistically pretty good, although in hindsight perhaps erring of the easier side, and the mock exam questions got progressively harder in my opinion.  But the real exam for me, question 1 was a real curve ball.
  • There are other sources of mock questions (including other books) – I found the mock exams at http://theopenarch.com/ helpful.  After each mock exam, I reviewed the answers that I got wrong to try and understand why they are wrong – which helped me identify any areas of reading I was weak on.
  • Read the questions very carefully, there are sometimes indicators as the right answer in the question. Also watch for things like, not what answer in A-E is right, but which one is wrong.
  • Timing – 60 minutes for 40 questions in part 1 doesn’t sound like very long – particularly given the advise of take your time read the questions very carefully. But actually, you’ll find once you’ve got a handle on a chunk of the study guide you’ll find you can rip through some of the questions very quickly giving you time to think carefully about the questions that aren’t so easy – the exam also has means by which you can go back and review questions if you want.
  • For the harder questions, in part 1 I ended up writing A-E on the paper and crossing off the answers I could eliminate. That made it easier (for me at least) to then focus on dissecting the 1 or 2 possible options left. In part 2, I applied a similar approach – part 2 is more about which phase(s) do I need to use and what are the steps. So I took each possible answer and wrote on paper what phase(s) then answer needed and then went through each answer option teasing out the terminology for the different steps (and the phases they originated from). The option with the most steps from the correct phase, appear to give me the best or second best answers.
  • Part 1 is closed book, but part 2 you are meant to be able to refer to the TOGAF material – for me the link to the TOGAF reference failed.  So best not to bank on having it available.

Aside all of this there are classic exam suggestions – give yourself time to get to the exam location – a calm composed mind is crucial for this.  Try and rush through this and you’re potentially facing a disaster. Make sure you have all the information the test centre requires (id’s etc) – one less stress.  Travel light as you wont be able to take anything into the test room. Finally, try and get into ‘the zone’ and roll with the blows dont let the process of taking the exams stress you.  I thought I’d scrapped through stage 1, and flunked stage 2 – but discovered I came through with reasonably good scores.

Architecting within a License constrained world

20 Thursday Feb 2014

Posted by in Oracle, Technology

Leave a comment

Tags

, , , ,

In an ideal world software design shouldn’t be driven by software license costs if constraints. But when you can be paying tens or hundreds of thousands of dollars per server for an application or middleware it isn’t an aspect you can ignore. The challenge is when licensing rules are so complex like those for Oracle you either end up with licensing experts reviewing design artefact or you need to find an alternate approach (and the hope of using agile strategies with such a review framework necessary have gone).

For those less aware of Oracle’s licensing you have be licensed by CPU, by users, by profitability and probably will be impacted by atleast 2 of these models. Then each license can also be constrained by usage (unlimited or limited) which says that you can use some products with some things and not others, or use your licenses for only particular activities. Finally you have product dependencies, so the licensing of 1 product and indirectly impact how you can use another. For example I may have unlimited use for Weblogic (on 20 CPUs) but SOA Suite, the components that together allow you to run Process Integration Packs (PIPs) which as a Fusion Middleware offering provide a collection of middleware components to achieve common tasks – for example keep your customer information synchronised between a CRM solution and your accounting solution, which maybe limited to only work with Oracle applications – so extending a PIP to also send one of your own application an event wouldn’t be allowed (unless you’ve built an extension on an approved Oracle application).  Then for fun you have what are called Unlimited License Agreements (ULAs) – although they’re not really unlimited.

Just when you think you’ve got a grip of the licensing story, there is one more mix of the pot.  When you’re negotiating licensing you’re likely to be working through a purchasing team who aren’t technical Oracle product experts, and licensing discussions are likely to be done whilst costing a programme where unless you’re an enterprise mature organisation or operationally very well instrumented to measure this information it isn’t going to be easy to get volumetrics and an ability to determine likely throughput (i.e. how complex and demanding will your custom logic be).  So by the time you get to from your conceptual to-be perspective which told your which products you need to when you’re actually working on the realisation you may well hit  challenges.

With all of this in mind, we’ve arrived with the idea of usage scenarios. We’ve tried to differentiate usage scenarios from design patterns, as their goals also differ; a pattern is typically to provide a means to describe and provide good design approaches to technical problems, think of things facades and factory’s from the Gang of Four (GoF) or composite patterns such as VETO and here we seeking a means to communicate what can or can’t be done. These aren’t use cases either, if for no other reason to avoid the UML notation association.

So how does it work, so we have identified common or likely approaches to using our Oracle technology stack, need them so there is a short hand reference (as you have with design patterns) and then determined of the scenario is permissible by licensing rules. The idea is that an application architect or developer can design a solution and then verify the solution against the scenarios. To start with go for the obvious scenarios, as things go forward when a situation crops up where there isn’t a scenario you can add the the catalogue  and get confirmation as to compliance.  This should mean after a short period of development you’ll reach a point where you’re not consulting licensing experts all the time.  The secret is not to try ‘boil the ocean’ on day 1 as you’ll invest a lot of time, potentially creating representations of things you’ll never do and produce a very bulky artefact for your developers to try and work with.  Oracle’s AIA Developer Guide

With the scenario we document references to the various license and contract documents showing which clauses drove the decision so you don’t have to rework out how you determined the legitimacy of the scenario.  I’ve created a fake representation of a usage scenario below.

There is a further bonus, you can drive into the guidance when there is a need for additional governance attention.

Of course this mechanism doesn’t tackle the question of is there sufficient licensed capacity. As capacity management has its own set of challenges (such as balancing the capacity requirement forecasts for multiple current development programmes that are likely to be taking place vs actual consumption and forecast consumption for business growth).

The following diagram is a mock up of the sort of diagrams produced. Mocked up as I don’t want (and shouldn’t) disclose any information about what specific technologies and approaches we’ve adopted internally.

Usage Scenario with 1 scenario acceptable, another note

Usage Scenario with 1 scenario acceptable, another not

 

Key

 

approval

 

UK Oracle User Group – Special Interest Groups

07 Friday Feb 2014

Posted by in Oracle, Technology

Leave a comment

Tags

, , ,

I am fortunate enough to have an employer who promotes the idea of community participation both internally but also with communities relating to our technology vendors such as Oracle. As a result manage our membership of the UK Oracle User Group.

The original motivation for membership was that membership effectively paid for attendance to the big annual conferences, given the chance of attending Oracle Open World was a lot less likely.

In addition to the conference opportunity, part of our membership is the opportunity to participate in Special Interest Group (SIG) sessions. There are SIGs covering different aspects of Oracle’s portfolio from middleware and development technologies (my specialisms) through to Supply Chain and JD Edwards and obviously database tech. I have to admit I didn’t have great expectations when I attended my first SIG. But actually the first SIG and subsequent ones I have attended have been gold mines of useful information. The sessions cover a range of topics and the presentations come from customers, partners as well as Oracle and are typically very conversational as a result you pickup insight into a lot of practical aspects not just theory as you’d commonly get in say a training session.

As Oracle support the SIGs by having representation at the SIGs which means there is potential opportunities to pick an SME’s brains – 15 minutes of free consultancy over coffee (something that doesn’t come often with Oracle 😉 ). Not to mention time given in the day to chew the fat with partners and other customers. For example on my 2nd SIG session I ended up discussing experiences of working with Packt Publishing with an Oracle Partner (not necessarily directly related, but interesting to see what the experience was like from an author’s perspective).

I know from talking with other colleagues where I work who have attended SIGs have come away feeling that it was a day well used (and have also encouraged other to participate). It would also seem that many people who attend also participate on a regular basis suggesting they to get a lot out of the sessions (all lending towards a bit of a community spirit as well).

Based on my experiences, and those shared with me I would strongly recommend finding an excuse (or making the time as if is for me) to get out of the office a take advantage of your membership (or even joining UKOUG). Justify it as cheap training if need be; but getting yourself along to one of Oracle’s offices (who lend their facilities to support the user group) in London, Reading or Solihull I’m sure you’ll find it will be very worthwhile even if the travel is a bit of a bind.

I would also like to take the time to thank people like  Simon Haslam at Veriton who put their time and effort in organising their particular SIG sessions.

Enterprise Security – A Data Centric Approach – A brief review

05 Wednesday Feb 2014

Posted by in Book Reviews, Books, General, Packt, Technology

Leave a comment

Tags

, , , , , , ,

So I have previously blogged a series of largely chapter by chapter reviews of Aaron Woody’s book Enterprise Security – A Data Centric Approach. This post tries to provide a brief summarised view pulling my thoughts of the book overall together.

As an Enterprise Architect I took an interest in this book as an opportunity to validate my understanding of security and ensure in the design and guidance work that I do I am providing good insights and directions so that the application architects and developers are both ensuring good security practices and also asking the helpful information available to other teams such as IT Security, operational support and so on.

The book has been overall very well written and extremely accessible to even those not versed in the dark arts of IT Security. Anyone in my position, or fulfilling a role as an application designer or product development manager would really benefit from this book. Even those on the business end of IT would probably benefit in terms of garnering an insight into what IT Security should be seeking to achieve and why they often appear to make lives more difficult (I.e. putting restrictions in, perhaps blocking your favourite websites).

So why so helpful, well Aaron has explained the issues and challenges that need to be confronted in terms of Security from the perspective of the organisations key assets – mainly its data (certainly the asset that is likely to cause most visible problems if compromised). Not only that the book presents a framework to help qualify and quantify the risks as a result device a justifiable approach to securing the data and most importantly make defensible cases for budget spend.

I have to admit that the 1st chapter that that introduces the initial step in the strategy was a bit of a struggle as it seemed to adopt and try to define a view of the world that felt a little too simplistic. The truth is that this the 1st step in a journey, and in hindsight important – so stick with it.

Once the basic framework is in place we start looking at tooling strategies and technologies to start facilitating security. The book addresses categories of product rather than specific solutions so the book isn’t going to date too quickly. The solution examination includes the pros and cons of their use (e.g wifi lock down) which is very helpful.

Finally to really help the book comes with a rich set of appendices providing a raft of references to additional material that will help people translate principles into practice.

To conclude, a little effort maybe needed to get you started but ultimately a well written, informative, information rich book on security.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Enterprise Security – A Data Centric Approach – the final chapter

05 Wednesday Feb 2014

Posted by in Book Reviews, Books, General, Packt, Technology

1 Comment

Tags

, , , , , ,

so I have reached the final chapter of the book which covers the handling of security events and security incidents (the differentiation of the two being the consequences of the event – a piece of malware being detected on a desktop can an event as the consequences are relatively trivial compared to the defacing of an e’tailer’s website).

I have to admit I glossed through this chapter as my role within an organisation doesn’t demand the operational management of issues. That said, the book provides some clear guidance on how to develop a process to support the handling of a security issue – important as you don’t want be figuring these things out when something happens, you want to get on and focus on execution. s with previous chapters, this well written and doesn’t demand knowledge of security dark arts to get to grips with.

The book finishes with a series of appendices which provides some illustrative information for chapters in the book, plus a series of appendices of really useful additional reference information sites cover a spectrum of information from security education resources to security tools.

This series of blogs on this book will wrapped up with a short review of the whole book. But I would like to congratulate Aaron Woody on a fine book rich with helpful additional information.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Gaps in Oracle’s Cloud Cover? An Update

21 Tuesday Jan 2014

Posted by in Oracle, Technology

Leave a comment

Tags

, , , ,

So having written my blog entry Gaps in Oracle’s Cloud Cover? to things have popped up on my radar.  Firstly a message via LinkedIn from epmvirtual.com indicating that they could potentially assist (although EPM’s site only currently offer solutions around Hyperion online); and then the news item of Oracle and Verizon offering SOA in the cloud which reports that Verizon’s cloud solution (currently in Beta) offers SOA middleware cloud instances that can be rented by the hour (with bring your own license or rent license as well).  Verizon’s own announcement can be read here.   Bottomline – Verizon have beaten Oracle to the punch of offering Oracle’s own middleware in the cloud.  We’ll write more when there is something to share.

Gaps in Oracle’s Cloud Cover?

20 Monday Jan 2014

Posted by in General, Oracle

2 Comments

Tags

, , , , , , ,

As an Enterprise Integration Architect I need to get my hands dirty with products such as Oracle’s SOA suite and AIA Foundation Pack.  In the past, I’ve dealt with this by talking with our infrastructure team – obtaining a VM or a laptop with sufficient guts to host SOA Suite (and it doesn’t have a small footprint).  This is all well and fine, but means I have to lug a big old laptop (our current standard laptop spec’s are lovely light machines with SSD’s but just don’t pack the punch for SOA Suite when it comes to memory) or have to leap through a series of security steps to get remote access – again not a problem unless I want to share my skunk works with someone outside the organisation.  Nor, do I really want to invest chunks of time building a SOA Suite environment to work with – I don’t do it enough to be able to throw these things together quickly.  Even Oracle recognise that with the support for a prebuilt VirtualBox with SOA Suite and BPM. The only problem with VirtualBox is I’ve saved on the build time, but still need that heavy laptop or remote access.

Oracle Cloud Java

With the rise of the cloud, particularly Oracle’s big push (announcements at Open World 2013), Amazon offering small footprint dev platforms more or less for free I thought we’d be able to get a PaaS deployment of SOA Suite – after all Oracle offer a range of Fusion Apps in the cloud (built on top of SOA Suite technologies), have launched development of Java and ADF solutions in their cloud and even offer Weblogic on Microsoft’s Azure.  How I wrong could I have been.  So I started looking around, perhaps someone has an AMI ready to go – well sort of if I want 10g.  So I’ve dug around, and found the odd provider who could deliver what was needed (e.g. Titan GS) but we’re talking big bucks – not a low cost dev/skunk works environment.  

This is very surprising really, and sort of ironic, given Oracle’s recent announcement for SaaS Adapters for the likes of SalesForce and WorkDay along with convenience tooling to connect to Oracle Cloud solutions such as HCM.  I say ironic, because to use the cloud adapters you can’t have a SaaS middleware; in fact the whitepaper Oracle published on Simplifying Cloud Integration infers/assumes that you’d be hosting your own middleware.  So if a midsized business has Has HCM, Taleo etc for their staffing management, SalesForce for the Sales/CRM operations and perhaps EBis or JD Edwards to move your business into the cloud you have to either go IaaS and carry the labour of maintaining the middleware platform or self host (one of the things the adoption of SaaS is trying to free you from).

All of this seems to be a really missed opportunity for Oracle.  If the oracle wants to host the world (and I think Larry Ellison would like that) and definitely get into that midmarket sector that JDEwards particularly tries to inhabit they need to make it easy for businesses to cloud all aspects of their IT solution, that includes orchestrating specialist solutions that will be hosted by someone other than Oracle (shock, horror). All of which means SOA Suite (and ideally AIA) need to be in the cloud.

As for my problem, its either the pain of building something on Amazon or setting up several copies of the VirtualBox deployment linked to a common GIT repository, and hope those I would like to collaborate with can also get their hands on the virtualbox and connect to GIT.

Enterprise Security – A Data Centric Approach – Chapters 5 & 6

17 Friday Jan 2014

Posted by in Book Reviews, Books, General, Packt, Technology

3 Comments

Tags

, ,

Continuing with Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody Chapter 5 gest into some of the security processes and technologies to securing you compute platforms covering topics such as:

  • anti-virus (or not),
  • network lock down through the use of local firewalls built into the OS (so people can’t then just access the server by any means they desire SSH, RDP, telnet etc)
  • user permissions
  • auditing (so you can see what is happening/happened and by whom)
  • detection of file change in parts of the system that shouldn’t change except through specific mechanisms e.g. OS files should only change when patching the OS

But more importantly the chapter links these kinds of activities to the analysis of risk and previously developed trust models. So that you can understand how much security is suitable and justifiable.  The ideas along with the pros and cons of each activity are well explained and clearly presented.

Chapter 6 takes us back to central theme of the book – data.  With our policies and models identified we need to locate the data – this is harder than it may sound, not everything is in a database (the amount of business operation that runs on spreadsheets on people’s desktops, is endlessly amazing and then compounded by how we make the data collaborative – emailing, moving with personal USB storage, cloud services and on and on). To help find, track and potentially constrain it  (prevent undue leakage) the book walks through the ideas of classification and ownership/accountability and then really starts to tie together the earlier chapters, as well as introduce some additional technology concepts such as the encryption of data when in transit and at rest. Like chapter 5, you don’t need a PhD to understand where to apply security and why – the doing maybe a different kettle of fish of course.

Previous blog entries:

There is also a supporting website for the book athttp://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Enterprise Security – A Data Centric Approach – Chapter 4

01 Wednesday Jan 2014

Posted by in Books, General, Technology

3 Comments

Tags

, , , , , , ,

Continuing into a chapter 4 of
Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody we start to look at some technical aspects of security and technology covering things like the capabilities of new generation of firewalls, DNS security and so on. The information is presented in a very readable manner.

As an Enterprise Technology Architect, and having security specialist friends I thought I was reasonably well informed in this aspect of IT, but the book still taught me me things. Interestingly, perhaps not intended but the chapter left me with a number of things that could be incorporated into development governance that would make the work of network security a lot easier.

The chapter continues with lots of really helpful references many, maybe all are incorporated into a series of appendices that are full of helpful information references and links. If these are made available on the book’s website (see below) it would likely become a must go to site for security resources.

It does leave me asking one question how does this all fit in when using a PaaS solution such as those offered by the likes of Amazon and Rackspace?

Previous blog entries:

The book has been published by Packt (who at the time of writing are running a promotion – more here)

There is also a supporting website for the book at http://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach

Enterprise Security – A Data Centric Approach — Chapter 3

29 Sunday Dec 2013

Posted by in Books, General, Technology

5 Comments

Tags

, , , , ,

So I’m back to reading Enterprise Security: A Data-Centric Approach to Securing the Enterprise by Aaron Woody. I’ve not finished reading the book yet but as I’m reviewing one or two chapters at a time, I thought I’d blog about Chapter 3 – particularly given its value (previous blog entry here and here).

Chapter 3 goes by the name of Security As A Process, which addresses the processes to determining security risk, the analysis of cost benefit of implementing security features to address those risks. The chapter then goes on to provide guidance on defining good policies and standards.

In hindsight the process for determining and analyzing the security risks and classifying them is fairly obvious – it took the reading to to draw the points and the mechanisms into focus. But the fact it makes sense in hindsight suggests that the approach the workability and the chance for the business to understand the risks and challenges being taken on.

The chapter also provides some really good information sources for people to use to support the adotion of the processes described. Some I’ve known about such as the SANS Institute others I hadn’t.

I have to say that based on the strength of this chapter alone I’d recommend the book to any architect who is seeking to develop practical appreciation of addressing security considerations or understand what they should be looking for what to ask for in a new organisation. Those trying to drive up the quality of processes or get across the need for a more proactive security strategy that is also pragmatic – reading this chapter alone should help provide some serious points to get a handle on things.

The book has been published by Packt (who at the time of writing are running a promotion – more here)

There is also a supporting website for the book at http://www.datacentricsec.com/
Enterprise Security - A Data Centric Approach