Sunday, October 21, 2012

Top 4 Principles for IT Leaders to focus on

Experts predict that IT Leadership is taking a hit as the business is not happy with the value that IT delivers. The emergence of Cloud and SaaS based Applications have made the business leaders to think that they can get the needed IT support as services, though they are unaware of the issues or challenges with that idea. But this has certainly made the IT leaders to think and do a self-assessment in terms the focus area and the value delivery. Here are the four principles that may help IT leaders to continue delivering value to the business and thereby ensuring their very existence.

Embrace the Business Change

In today’s competitive world, Businesses need to revisit their vision, mission and strategies too often than they did in the past. This most of the times will call for change to the people, process and technology and depending on the priorities, such change may have to happen too soon. IT traditionally has been resisting changes, though with Agile and other approaches, Changes are welcome, but due to various other factors like the maintainability of the systems, cost of change etc, the IT is finding it a challenge to embrace such changes. This is why business leaders are trying to explore options to minimize their dependence on their own IT, so that they can move on with the desired changes quicker and reap the benefits of the change.

For IT leaders, embracing change is a challenge as most of them are still living with legacy systems which have very poor characteristics in terms of scalability and maintainability. The IT leaders should find ways to overcome these barriers and should be willing and ready to support business changes. The solutions include, revisiting their application design principles with a view to ensure that all their current and future custom applications are Service Oriented and are highly scalable, maintainable and performing. For other legacy systems, explore options to service enable them using appropriate tools and technologies, without changing systems themselves.

Focus on Value Delivery

Though traditionally IT has been a cost centre, most IT leaders have shown interest in treating IT as a profit centre. Most IT investments, though are evaluated in terms of the return (value) that this investment brings back, this is not monitored throughout its execution. Ideally, the focus on value should not be lost during the execution phase. This is true as the discoveries or problems encountered as the project execution progress may have a significant impact on the perceived value and in such cases, it would be wiser to take call to fail the project and call off further investment without waiting for the end result.

When something is offered for free, everyone will want it whether irrespective of there being a real use for it. Similarly, applying the 80/20 rule, 80% of the business functions are likely consume only 20% of the IT services. There need to be a method or process to keep accounting the service offerings and identify the 20% of services and prioritize the support for these services in terms of taking up changes around these and delivering them faster than expected by the business.

Bringing in a culture (at the least within the IT function) wherein the need for focus on value delivery is well understood and demonstrated by all would certainly help achieve greater benefits overall. Every member should know and be aware of the expected business value of every project or sub projects and that they are associated with and should take pride in ensuring that their actions in fact result in the business enjoying the perceived value.

IT Leaders should devise suitable process or systems which will help measure everything and use it in turn to calculate and publish the metrics or statistics around the business value delivered by different projects or investments. IT Governance frameworks like COBIT can help achieving this.

Communicate & Collaborate

IT leaders normally express their point of view technically, which the business users or leaders may not get it right and eventually the value proposition might not be understood well. This is where IT leaders should start putting across their proposals or point of views in a way that make sense to the business leaders. While the converse is also true that while Business leaders talk about business changes, IT leaders find it difficult to understand, which IT leaders should overcome. IT is important that the IT Leaders and the most part for their team should be willing to acquire the required business skills and should demonstrate the same in their communication and deliveries.

Similarly, it is important for the IT leaders to collaborate with the business proposals and get involved right from the initial stages, so that they are able to get to know the business requirements and priorities better and at the same time present them back with the various risks and caveats that related tools and technology that enables this change may bring in for them to manage.

Talent Development

With the technology landscape changing rapidly, and the business leaders are looking for such enabling technologies to gain competitive advantage or to improve the efficiencies at various levels, the IT team has a pressing need to cope up with such needs. This is where, IT leaders should now look for people with multiple technical and business skills and with the willingness and ability to learn newer technology and business skills faster. This should be best achieved through mentoring and not by force.

IT leaders together with the HR leaders should also provide the employees an environment, which is conducive to develop the abilities of the employees. The organization culture should also envision the need for continuous learning and devise a system to measure and monitor the efforts spent in learning. For instance, depending on the role, the employees may be asked to log certain number of learning hours in a year on specified technical and business areas.

The IT leaders should also be continuously learning and stay on top of the technology trends, so that they can identify the right technology and tools that can improve the service capabilities of the business functions and in turn could give competitive advantage.

Right strategies around these four areas would certainly help IT leaders stay focussed in the business benefits and in turn demonstrate measurable value on IT investments.

Sunday, October 14, 2012

Application Architecture Review - Security

In continuation of the Architecture review series, let us focus on security review in this blog. With information security breaches hitting the news headlines quite frequently, many enterprises are realizing the real need to manage this security risk and be resilient. As such, it is possible that as an Architect, you might have been called for to perform a security review of the existing applications. I have tried to put together the following areas of concern, which need a closer look to form an opinion whether the application architecture is secure enough.
In general the broad areas of concern for the security architects should be the following:
Authentication – Review the tools, technology and the approach used by the application to establish the identity of the application users for possible deficiencies. In this connection the following specific areas need attention.
  • Look for identification of the legitimate human and system users of the application in the requirements document which in turn are validated with appropriate business scenarios. 
  • If the application exposes interface to external systems, understand how access by such systems are identified and authenticated. Also understand how secure such other external systems are and if possible ask for a security assessment of such other systems.
  • Identify how users are authenticated, whether two factor or three factor authentication.
  • Check if Single Sign On is implemented and in such case, understand how it is implemented, what tools and technology are used. If the Identity provider is external to the system boundary, then also check how the information in transit between the identity provider and the application is secured.
  • In case of external identity providers, it would also be worth checking the security practices followed by the Service Provider and whether they are being subject to regular external independent security assessment.
  • If the application maintains the user information locally and authenticates against it, ensure whether identity related data is secured appropriately from unauthorized access.
  • It would also be worth understanding how the database servers authenticate the application or the application user. If the application users happen to be the users of the database as well, then the mechanisms implemented to prevent such users directly accessing the database needs to be scrutinized.
Authorization - Each of the identified human or system users would be operating on the application by assuming defined roles and the authorization to access various components or information should be dependent on such roles. Get a clear view of how the roles and authorization are implemented in the application. The following specific areas are worth the attention in this regard.
  • Check if there exists an information sensitivity policy or information privacy policy as relevant to the data or information being accessed or managed by the application.
  • Understand how the defined roles are mapped to the various datasets in terms of the permission to the Create, Read, Update and Delete. It would also be good to examine the various roles defined by the organization whether they are in line with that of the principles of segregation of duties and look for how the users with multiple or overlapping roles are handled by the system.
  • With a view to improve application performance, developers tend to create interfaces (both visual and non-visual) in such a way they are chunky as against being chatty. While this holds good in terms of application performance, the datasets being served need to be reviewed with respect to the information sensitivity and the role based permission restrictions should be applied to all internal and external APIs and interfaces.
Availability / Scalabiltiy – Systems are designed to process data in the expected and timely manner so that the information users make the most of it, and perform the business operations efficiently and effectively. The general experience is that the systems perform very well in the initial testing phase and when it is deployed in production its behaviour could be different and might slow down considerably due to various environment and load related issues. As an architect it is essential that the proper estimation is done for expected user and data growth and the application is designed to meet such needs. Examination of the following areas might reveal how the application meets this concern.
Auditability – The systems should be designed to log certain events, which could be potentially lead to security breach. These logs should be readable when needed by users with appropriate roles and should be monitored periodically. Event alerts also help notifying the administrators on the occurrence of certain type of events, which may require immediate attention. Examine the following areas of the application design to form an opinion on this concern.
  • Review the Application architecture to understand how the event alert and logging mechanism is implemented. 
  • Review for completeness of various events that are being handled and the relevant data is being logged. Examine if any sensitive data is being logged and if so, whether role based access restrictions is also implemented around the log data. 
  • Check how the event log data is organized and stored and also look for existence of any policy or procedures around managing such log data.
  • Understand the regulatory needs, which many times govern the data to be logged and how long such log data need to be retained.
  • The log data grows too fast and many times if the storage of log data is within the same production database of the application, there is a possibility that this growth may impact the performance of the application itself impacting the Availability needs. Depending on the volume and growth rate of the data, ensure that the chosen tools and technology is adequate and appropriate.
This blog is not an exhaustive checklist and just intended to bring out the broad concerns which at a minimum should be considered in the Architecture Review. TOGAF 9.1 has in its ADM Guidelines and Techniques has listed the design considerations with respect to building security as part of the design and architecture. These security design considerations can be used for an exhaustive security review, which also covers the implementation, change management and the IT infrastructure.

Also check out my own blog titled as Building Secure Application, which is abour making security part of the SDLC.