Tag Archives: architecture

Legislation for software architects

12 Monday May 2025

Posted by in General, Technology

Leave a comment

Tags

, , , ,

When we start our IT career (and depending on how long ago you started), the idea of software and legislation seemed pretty remote; the only rules you might have to contend with were your local development standards. As an architect today, that is far from the case, as the saying goes, you need to be a ‘Jack of all Trades’. You don’t need to be a lawyer, but you have to have a grasp of legislation and agreements that can impact, and recognise when it is time to talk to the legal eagles.

I thought it worthwhile calling out the different things we need to have a handle on, based on my experience. There will always be domain-specific laws, but the following are largely universal..

  • Software licenses—Today, we rarely build a solution without using a library, package, utility, or even a full application we haven’t written ourselves.
    • But what we can and can’t do with that third-party asset or reasonably expect from it, provided the resource is provided, is dictated by a license, explicit or implicit. Consider the implications of an Apache license compared to a Creative Commons Share-Alike. In terms of negative impact, open source licenses can at worst…
      • Prevent code from being used commercially or to provide commercial services (several software vendors, such as Elastic and Hashicorp, have adopted this).
      • Require you to share whatever you develop using open-source libraries
      • Declare your use of libraries (remember, such information can provide clues on possible attack vectors).
    • Fortunately, licenses for software solutions under several organizational umbrellas, such as the Linux Foundation (and its subsidiary organizations, such as the CNCF), require the projects to adopt a permissive licensing model.
    • Commercial licenses can come into play as well. The Open Source model often involves the key contributing organizations offering services such as support and training, or extended features. A|ttractive for larger organizations so that they have a fallback and access to specialist resources. However, we also have products that only exist commercially. Understanding the licensing position of these tools is essential – for example, Oracle database, where you pay for production deployments by the number of CPUs, but non-production deployments are free. Such licensing may have material on the architecture, for example, minimizing the amount of non-DB compute effort on those nodes that take place, and sizing your solution such that you have more CPUs but with less power to provide better resilience. In terms of negative impacts…
      • You can become exposed to unplanned license costs that hadn’t been planned.
      • Undermine the solution’s cost-benefit
  • GDPR – There are many variations of the General Data Protection Regulation (GDPR), but most have taken GDPR as a foundation. Covering concepts of the right to know and correct data held about an individual, disclosure as to personal data use, and the right to be forgotten are essential. There are resources available that cover which laws apply where. The negative impacts…
    • Additional development processes and administration to create evidence of compliance (eg, audit of access to data)
    • Additional costs to satisfy compliance, e.g, regular mandatory training for all developers that could be impacted
  • Several acts, such as the US Cloud Act, can also impact the choices of service providers when using hosting, such as cloud providers. This highlights an interesting factor to keep in mind: legislation from other countries can still impact the situation even if the solution will not be used in that country. Impacts could be…
    • Using sovereign cloud and any associated costs.
    • Solution options are controlled by the availability of sovereign cloud services.
    • Limit the use of managed services to make the solution portable to different sovereign clouds.
  • AI and ML are rapidly evolving areas of legislation. The EU has been proactive in this space with the AI Act. However, secondary legislative factors exist, such as intellectual property law. While we may not all be directly involved in training LLMs, we still need to understand the ramifications and the data we work with. Possible impacts can include…
    • Data source assurance processes.
  • PCI—While the Payment Card Industry (PCI) does not have legal standing, its impact is broad and substantial, so we might as well treat it as such. The exact rules PCI requires depend on whether you’re an organization providing the use and storage of cards or a service provider.
  • In areas like PCI, while not strictly legislation, certain domain compliances demand compliance with various standards, perhaps the most pervasive of these is ISO27001, which covers information security across the spectrum of business/commercial considerations, but extends to infrastructure, software, and its development IT. Understanding this and standards such as SOC 1, SOC 2, and SSAE16 (now 18 and 22) are essential to understand, as these are standards you need to determine if they are important to you when considering cloud and SaaS services, particularly. Things have improved over time, but we have encountered specialist managed/cloud services where the providers are unaware of such standards and have no position or evidence of addressing some of the expectations set out by SOC1 and SOC2.
  • If you work for a software vendor, exportation law can impact your business, particularly when the solution involves complex algorithms such as those used in encryption.

These points primarily focus on ‘universal truths’, but there are domain-specific laws and expected standards that can be considered in the same or similar light. As with all domains, there are specialist legislation requirements like the Digital Operational Resilience Act (DORA) that impact financial businesses and Consumer Protection (Distance Selling) for e-tail.

Some useful resources:

Architectural governance – decision matrices as way to reduce friction

24 Monday Jul 2023

Posted by in Enterprise architecture, General

Leave a comment

Tags

, ,

When it comes to software delivery processes, governance processes such as architectural governance boards can often be perceived as a hold-up to software delivery processes, so when a project is slipping against its forecast timelines, such processes can become the easy thing to blame (along with any other process that engages beyond the project team). Sometimes, the slip is happening for very good and legitimate reasons in these situations it is just very hard to defend the slip.

There are a number of things we can do, to simplify and streamline the process. One of these is the use of decision matrices – something I’ve written about in the past (Decision Matrix aka ‘Stress Test’ as a vehicle to make decisions easier). The value of the decision matrix when it comes to governance is that it can be used as a catalog of pre-approved solution approaches. Let’s give an example; we could provide a decision matrix to select the best type of application server, which perhaps covers whether a micro profile framework is used and which ones (e.g., Helidon but not Payara because of the support agreements in place) vs. J2EE (and again reflecting decisions relating implementations such as WebLogic but not WebSphere). Then when a team decides on the implementation or developing a roadmap, if they are working within the matrix’s guidance, then the decision could be approved on the spot by any member of the governance team. With the approval given by just checking the approach being adopted is sensible.

TOGAF – governance perspective

If the solution falls outside of the decision matrices recommendations, this comes down to one of the following reasons:

  • The approach represents a good approach that could and should be applied within the domain but not yet captured in the matrices – therefore, the matrix needs updating.
  • The solution makes sense and follows common industry strategies and/or tools but is addressing an outlier/anomalous situation for this organization – therefore should go to governance seeking a dispensation on this basis. In this situation, it is would beneficial for the designer(s) to highlight the case for dispensation. By highlighting how the existing decision options do not fit. In effect, sharing the assessment of the relevant matrix(ices) against the problem.
  • The approach reflects the development team’s preferences rather than perhaps aligning with the organization’s needs for the ability to maintain technologies. For example, keeping development language in use to the top 5 commonly used languages according to TIOBE rather than adopting a niche language such as Haskell or avoiding languages that have a reputation for being difficult to maintain, such as Perl. In these situations, a careful examination of the case is needed by any governance process.

What we are effectively doing is making the decision matrix not only a tool to help developers select the most effective options (given the ability to standardize approaches raises the chance of possible code reuse or refactoring to reuse) to being a way to lighten governance, or the perception of governance. Whatever mechanism is used to record decisions by a team just has to reference the decision matrices.

Bucharest Tech Week Conference – Monoliths in a Microservices World

29 Monday May 2023

Posted by in General, Technology

Leave a comment

Tags

, , , , , , , , , , , , , , , ,

Last week I was fortunate enough to have the opportunity to present at the Software Architecture Summit as part of the Bucharest Tech Week conference. My presentation, Monoliths in a Microservice World, was all new content that, by chance, worked well, bringing together a number of points made by other speakers. The presentation aimed at the challenges of adopting Microservices and whether Monoliths had a place in modern IT, and for those of us not fortunate enough to be working for one of the poster children for microservices like Netflix, Amazon, etc, how we can get our existing monoliths playing nicely with microservices.

The conference may not have the size of Devoxx (yet), but it certainly had quality with presenters from globally recognized organizations such as Google (Abdelkfettah Sghiouar), Thoughtworks (Arne Lapõnin), Vodafone (IT Services business unit – _VOIS – Stefan Ciobanu), Bosch, as well as subsidiaries of companies like DXC (Luxsoft) and rapid growth SaaS vendor LucaNet.

As a presenter, you’re always wanting to walk the tightrope of being at the biggest conferences to maximize reach for your message while at the same time wanting the experience to be friendly and personable, which often means slightly smaller conferences. The Software Architecture Summit balanced that really well; rather than lots of smaller breakout sessions, the conference focussed on a single auditorium for a large number of attendees, with presentation slots varying in length depending upon the subject matter. If a session didn’t interest you, then there were plenty of exhibitors to talk with – although, from what I saw, the auditorium was full during the sessions, reflecting the interest in the content.

“Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.” – John F. Woods

Quote of the conference – as cited by @DevPaco (Paco van Beckhoven)

The conference organizers (Universum) certainly put in the effort to ensure the presenters were looked after. It is the little touches that really make the difference, such as taking care of logistics which can be as simple as organizing airport transfers. A letter of thanks will be waiting for you at the hotel after the event, organizing a meal for the presenters at a local restaurant and so on.

Continue reading

API Gateway for data egress

11 Wednesday Jan 2023

Posted by in Cloud, General, Technology

Leave a comment

Tags

, , ,

Most larger organizations route their outbound web traffic through a web proxy. The primary motivation for this is to measure where traffic is going. Log traffic for analysis to try and detect activities trying to egress data that should remain within the organization and prevent access to websites that are considered harmful in one form or another.

So why consider an API Gateway as part of an outbound traffic flow? After all, isn’t a Gateway there to protect us? Several very good reasons. Let’s look at them:

  • Managing the use of an external paid service. You may have multiple solutions using a third-party service – for example, an SMS service. Rather than expecting all these different calls to the external API, each having a copy of the 3rd party credentials to manage, we could use the gateway as a single point to attach the credentials.
  • When it comes to being charged for a service, being able to identify the requests at the API level makes it very easy to track your own consumption and forecast forward before being billed. This is really helpful if you have an agreement that provides a good price for pre-booked capacity and a higher charge for overage/capacity not pre-booked.
  • Economies of scale for using 3rd party services can be very powerful. But it can also present two problems.
    • Switching providers quickly can be difficult as multiple points of possible change
    • How to partition the cost of the external service across different departments if everyone is using a common account.

The first of these issues can be easily overcome using the anti-corruption layer pattern where the gateway represents the correct route so it can reformat the requests in one place to work with a different provider.

At the same time, we can more intelligently use Gateway’s metering mechanisms rather than having to implement functionality to mine the proxy’s logs.

Of course you can achieve same effect without a gateway, but you don’t get the benefits that a gateway will offer out of the box. In addition the chances are that you have already got an API Gateway running for your current North-South traffic.

CI/CD worker nodes as virtual machines or K8s Containers?

07 Wednesday Sep 2022

Posted by in General

Leave a comment

Tags

, , , , , , , ,

When it comes to CI/CD deployments, something that doesn’t show very often in documentation is the pros and cons of running your worker nodes as containers in a Kubernetes environment or as (virtual) machines in a cloud environment.

Containerized CI/CD
Continue reading

Streaming APIs

05 Friday Aug 2022

Posted by in APIs & microservices, development, General, Technology

1 Comment

Tags

, , , , , , ,

Yesterday I was fortunate enough to participate in the Dev Innovation summit part of the World Festival virtual conference.

The presentation took a look at how Streaming APIs offer an alternative to API polling and the considerations needed when adopting streaming.

Continue reading

New Challenge – New Job

21 Monday Mar 2022

Posted by in General

Leave a comment

Tags

, , , , ,

Those I interact with more regularly will know I have this last week started a new job. You could say I’ve followed a common path for Ace Directors that don’t have instrumental roles within a company and joined Oracle. But some things won’t change; my new role as Cloud Developer Evangelist means I will still be producing blog content. My writing will appear on Oracle’s websites through the Blog, Community, Developer, and Architecture parts of the site, plus potential contributing to other high profile sites. But We’ll continue to add posts here, including referencing contributions in other locations.

I will continue submitting papers/presentations to conferences and presenting. Hopefully, we’ll start to get out and see people whilst presenting as well.

This does mean a change to my Ace Director status, as I will become an Alumni of the community, and we’ll be updating logos etc. But I have developed many friendships and contacts within the ace community. Not to mention, I believe and value what the Ace Community does, so while I may not be officially part of the community anymore, I will endeavour to support my friends and the wider community.

Leaving Capgemini has been uncomfortable, as I have left behind many great people that I’ve enjoyed working with (although some of those have also preceded me into Oracle). But to do more of what I have learnt over the years as the most rewarding (talking and writing about applying technology to solve problems, sharing insights and knowledge), particularly as part of the Ace community, meant a need for a new challenge.

To those who have contributed and influenced my journey – as ever my thanks.

Building Evolutionary Architectures

16 Saturday Mar 2019

Posted by in Book Reviews, Books, General, Technology

Leave a comment

Tags

, , , , ,

I have been working my way through Building Evolutionary Architectures by Neal Forward, Rebecca Parsons and Patrick Kua. Three senior and respected members of Thoughtworks (also the home of Martin Fowler). Having read and listened to Neal and Rebecca’s presentations and writing I had expected a deeply thought-provoking read, but have to admit to being disappointed. There are some good points without a doubt, but the book pretty much focuses on one idea, the application of fitness functions. But I’m not convinced it warrants several hundred pages of a book as a result the point does at times feel laboured.

There are some arguments made, that leaves me thinking that there is a view that the only answer is microservices in the conventional model of Kubernetes, Docker etc, which I agree is a powerful paradigm to allow solutions to evolve, but it isn’t a silver bullet and not always right in every case (if you have a team lacking the underlying appreciation of the goals, or put in to place in an ad-hoc manner (see Chris Richardson‘s work) it isn’t going to help.

Alongside this, there is little said about the interface definition for microservices (typically APIs of one form or another). Whilst mention of leaky abstractions are made, the material illustrations such as code lead API definitions are omitted (risk being, code changes, the API changes and the impact cascades).

What surprised me the most is the on more than one occasion the books points to ERPs not being sufficiently customisable. Yet, anyone working with ERPs will tell you that ERPs are at their best when you use them to leverage industry best practices rather than crowbar them to fit unconventional ways of operating. If you’re a manufacturer, is fiscal reporting part of your differentiator; probably not, so why not take best practice OOTB.

As usual, I have mind mapped things as I read through the book.  The dynamic/interactive version is here, the image (but not in full detail) is below.

evolutionary architectures.png

 

Value of Technical Capability Models

01 Thursday Nov 2018

Posted by in Enterprise architecture, General, Technology, TOGAF

1 Comment

Tags

, , ,

The use of Technical Capability models is not something I have seen a lot of use of, which is a little unfortunate as they can provide tremendous insight into an organizations IT needs.

Typically you want to use the Technical capability model to be used in conjunction with a business capability model, and this is where things can get tricky as developing the business views can take time.  I came across this short video which focuses on the more business aspect but helps explain the ideas behind the models:

Note how the model is largely groups of capabilities that happen in the business. Underlying this kind of diagram you would have a brief explanation of each capability.  If you want to go all out on EA modelling then you can link the capabilities to the documented associated processes etc.

Independently, the ideal is to then identify the technical capabilities that are likely to be needed. This will provide a similar looking model. The technical capabilities are probably best drawn from industry best practices, and specific business needs. The model should be completely product agnostic. The real value comes in by then mapping the technical capabilities to which business capabilities use.

This will now help inform a number of decisions identity areas of focus.  The technical capabilities should have mappings or fall into one of the following states, with the associated reasons:

  • Maps To Business Capabilities
    • This is healthy
  • Technology is Being Used but no Business Mapping
    • Gap in the business capability model?
    • Nuance of the business model not understood by IT?
    • Redundant processes being performed?
  • Business Process with no Technology
    • Opportunity for business improvement?
    • Genuinely no value in applying technology e.g. Business Value is something is hand made?
    • Capability delivered by Shadow IT?
  • Doesn’t Map to Any Business Capabilities
    • Capability isn’t needed and therefore jettisoned OR
    • Potential capability that the business are unaware or haven’t understood what can be offered

With the exception of the 1st condition, the other scenarios things should be examined more closely and adjust the models accordingly.

With the capability models linked and the miss matches addressed.  The Technical Capability model can really deliver value by linking the capabilities to the actual technologies being used.  Very quickly it is possible to see details such as:

  • Technology weaknesses (i.e. a key business area is not well supported by IT e.g. products being mapped are End of Life, not got the level of support). Whilst some of these will be ‘no brainers’ it is more than likely a free surprises will show up
  • Technology duplication – sometimes we’ll see multiple products in one area, can the product list be rationalised to maximise license investment? Would it be more cost effective to invest 1 one high-end product and eliminate lots of smaller niche pieces?
  • Where IT investment will likely improve key capabilities vs investment on niche capabilities
  • How technology change can impact the business, for example replacing a Content Management System may impact an organisations online presence, but it may also show to impact how we deliver support services to customers.
  • If the business prioritise a specific area, how does that map onto IT systems and processes?

Whilst a lot of this will seem pretty obvious, it will uncover unexpected details and most importantly provide a relatively simple set of visualisations as cross references that help understand the business and explain the impact of IT related decisions to the business in their terms.

The following deck provides a presentation on the value of Technical Capability Models:

eBook(lets) from O’Reilly

27 Tuesday Sep 2016

Posted by in Books, General, Technology

Leave a comment

Tags

, , , , , , , , , , , ,

I received an email through the virtual Java User Group highlighting the availability of a couple of eBooks around Java published by O’Reilly. The details are below. The books are more booklets (nothing wrong with that). The key difference being that they are shorter and focused on one or two focused subjects (in this case Java 8’s Lambda’s & Streams) which is great because I don’t want a whole Java book again, I just want to get a handle on the key changes and language innovations. It is worth highlighting that these aren’t just ‘free chapters’ which is what you see happen sometimes as the goal of the book is described, doesn’t depend on prior chapters to work the illustrated material and structured with the appropriate cover material contents, index etc so works as a discrete entity.

This approach seems to be coming more common at O’Reilly at least as a marketing device, and we have seen this being done with the Dummies brand where the booklets have then been printed as conference give aways.

Some may argue that this is a reflection of our ever shortening attention span with books. This maybe the case for some, but I suspect it is more about providing some that is more digestible than a ‘free chapter’, but more importantly reflects the recognition that for books that are providing guides (as opposed to reference books – which I’d include patterns books) people don’t want to buy a latest edition of a book where the 1st chapters are exactly the same as the previous edition of the book and that the only significant change is a new section on Lambdas for example.

Any way the latest book details received are:

by Raoul-Gabriel Urma
Offers a practical tutorial to some of the core Java 8 features and gets you programming quickly with Java 8.
by Richard Warburton
Explains the similarities and differences between functional programming and object oriented programming with Java focused examples.

http://insightfullogic.com
@RichardWarburto

The other book(lets) that have drawn my attention to the trend include:

In addition to these Book(let)s O’Reilly offer a range of ‘reports’ such as:

 

In addition O’Reilly have a page on ‘Open Books’ (here) – covering significant texts O’Reilly have had some involvement in but published under licenses such as Create Commons.