Friday, September 30, 2011

Cloud Security - What to consider

Multi-tenancy is the most popular model to support multiple customers with a single (shared) application environment. To further exploit economy of scale, we frequently see SaaS applications utilizing a shared cloud delivery platform. I've seen how architecting access and authorization impacts this -- enforcing security constraints between applications and between application tenants is a critical requirement for our customers.

My approach in architecting our own SaaS offerings -- and the cloud platforms at commercial and government organizations -- involves a few key considerations:

  • Employing a security proxy component that secures access to the web servers and manages this infrastructure centrally, linking the servers into one logical platform.
  • Using the web server (Apache) as a reverse proxy and as the means to distribute the load from incoming requests to the applications. A re-written URL for each incoming request matches the relevant internal location of the requested resource.
  • Clustering application servers specific to each SaaS application, as I've endeavored to do in my architectures.
  • Using a directory server that stores information about authorized users and the privileges each user has; virtually all architectures I've come up with have one (less and less Exchange/Active Directory, more and more LDAP, the Lightweight Directory Access Protocol).
  • Working with the customers to develop policies and security administration based on global policies, for example reasonable password rules and session timeouts.
  • Finally, creating templates for firewall configuration. Yes, firewalls are still present in cloud platforms such as Amazon's AWS, and these demilitarized zones (DMZs) are intended to maintain additional IP-level access control. Using a template approach ensures uniformity, depending on the type of service.
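As an added illustration of the first four points (this is example configuration, not Bluedog's own), one Apache 2.4 virtual host acts as the security proxy: it rewrites each incoming URL to the internal cluster of the requested SaaS application, distributes requests across that cluster, and authorizes users against an LDAP directory, refusing a user whose group does not match the application. Hostnames, addresses, paths and the LDAP tree are assumed placeholders, and the modules mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_lbmethod_byrequests, mod_ssl, mod_ldap and mod_authnz_ldap are assumed loaded.

```apache
# Added example, not Bluedog's configuration; hosts, addresses and LDAP tree are assumed.
<VirtualHost *:443>
    ServerName saas.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/saas.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/saas.example.com.key
    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Map each incoming URL to the internal location of the requested application:
    # /billing/ goes to the billing cluster, /crm/ to the CRM cluster.
    ProxyPass        "/billing/" "balancer://billing-cluster/"
    ProxyPassReverse "/billing/" "balancer://billing-cluster/"
    ProxyPass        "/crm/"     "balancer://crm-cluster/"
    ProxyPassReverse "/crm/"     "balancer://crm-cluster/"

    # One application-server cluster per SaaS application; the balancer
    # spreads incoming requests across the members.
    <Proxy "balancer://billing-cluster">
        BalancerMember "http://10.0.1.11:8080"
        BalancerMember "http://10.0.1.12:8080"
    </Proxy>
    <Proxy "balancer://crm-cluster">
        BalancerMember "http://10.0.2.11:8080"
        BalancerMember "http://10.0.2.12:8080"
    </Proxy>
    # Anything outside the two applications is refused at the proxy.
    <Location "/">
        Require all denied
    </Location>
    # Authenticate against the directory server and require membership in the
    # application's group, so valid billing credentials are still refused at /crm/.
    <Location "/billing/">
        AuthType Basic
        AuthName "Billing"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        Require ldap-group cn=billing-users,ou=groups,dc=example,dc=com
    </Location>
    <Location "/crm/">
        AuthType Basic
        AuthName "CRM"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
        Require ldap-group cn=crm-users,ou=groups,dc=example,dc=com
    </Location>
</VirtualHost>
```

The catch-all `Require all denied` relies on Apache's default `AuthMerging Off`, under which the per-application `<Location>` sections' own `Require` rules govern those paths.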

Thursday, September 29, 2011

DoD Contract Vehicle Win for Bluedog

Bluedog, as a team member of Sotera, won a coveted spot on the Technology and Systems Engineering (TSE) contract -- a maximum five-year, multiple-award, Indefinite Delivery/Indefinite Quantity (IDIQ) contract for the development, operation, maintenance, and transition of information technology and communications infrastructure, tools, and capabilities to support the Joint Improvised Explosive Device Defeat Organization (JIEDDO) Counter-IED Operations Integration Center (COIC).

Read more at Sotera's site, here

Wednesday, September 28, 2011

Lessons learned from the FTC SOA/portal effort

This eWeek article captures the lessons learned from Bluedog's FTC SOA project. The Federal Trade Commission (FTC) retained Bluedog in the role of systems integrator and software architects to upgrade the ID Theft and Do Not Call systems, which distribute fraud and identity theft information to a broad range of users and applications. It was the vision of FTC chief information officer Stephen Warren, who was technology-savvy enough to have an idea of how he wanted SOA to be implemented and to articulate that vision to his customers, the FTC commissioners.

Bluedog had worked on projects to SOA-enable systems at several government agencies, including the Environmental Protection Agency and Justice Department, so the company was prepared for the FTC project. We had about nine months to complete the job. A lesson learned from previous work with the Justice Department was the need to talk with business customers to find out exactly what their pain points were; we then picked a half-dozen areas to tackle those issues using SOA-based technologies.

Government Computing News reports on Bluedog's SOA Efforts

When Bluedog built out service-oriented architectures at the Federal Trade Commission, National Institutes of Health, the US Dept of Justice, and the Environmental Protection Agency, I helped devise a methodology ("Bluedog Unified Process") that standardizes the selection of business processes that should be enabled with web services. Government Computing News wrote about it here...

Tuesday, September 27, 2011

Bluedog is now a SBA-certified HubZone firm...

Bluedog has been certified as a HUBZone firm, for U.S. federal government contracting opportunities. HUBZone is a United States Small Business Administration (SBA) program for small companies that operate and employ people in Historically Underutilized Business Zones (HUBZones). Agencies of the U.S. federal government are required by the HUBZone Empowerment Act to contract with HUBZone certified small businesses for more than 3% of their budget in the form of prime contracts to HUBZone firms.

Friday, September 23, 2011

This is typical project charter for a prototype

For a client, this prototype was proposed (in the form of a project charter):

This project is to develop a prototype 3-tiered application to provide back-office support for the processing of incoming letters and accompanying payments. For this project, BlueDog will convert the existing FileMaker 5.5 database to a SQL version (deployed under FrontBase, but the SQL code will generate the entities in any SQL92-compliant database such as Oracle or MySQL).
Further, we will develop an HTML interface for data entry, data management, and reporting purposes. With Bob Kelley’s input, we will modify the current work flow to accommodate anticipated work process changes.
BlueDog will incorporate its pre-built libraries for interface, security, and report writing. The customer shall own the MySQL database, the SQL code to generate the entities, and any SQL scripts for populating the tables once we are ready for data migration. If this pilot is deemed successful, BlueDog will endeavor to enter into a long-term relationship to provide further application development, technical evaluations of hosting vs. in-house services, and other services as requested.

Tuesday, September 13, 2011

Data behind lock-n-key

Reason enough to use a BlueDog solution: ALL important data -- customer, product, transaction -- are well out of reach of prying eyes. All information in BlueDog-deployed applications is behind firewalls within secure database servers. Even the content visitors see on a BlueDog-powered website is generated by compiled applications.

Small Business Computing Magazine - Online Shops Expose Customer Order Data

Several small online shops are exposing their customer order data, including credit card numbers, because of improperly installed online shopping cart software.

Wednesday, September 7, 2011

Cycling in America...not for the faint of heart

In this Economist article, the perils of being a cyclist in America are delineated. In Dublin, cyclists are even more reviled. Too bad -- bicycles relieve congestion, reduce pollution and encourage fitness.

Tuesday, September 6, 2011

Incremental - slow and steady wins the race

Service-oriented architecture (SOA) done incrementally -- that's the gist of this article on Government Computer News. They quote me (Tom Termini) on some efforts Bluedog has been instrumental in, as architects and developers.

According to the author,
"SOA can help with all that, but if you’re getting started on it, experts have two words of advice: Start small. Incremental change and gradual improvements are better than trying to SOA-enable your entire IT infrastructure.

SOA is a design approach that integrates business and IT strategies to provide users with common services that leverage existing and new functionality. A key goal is the development of a business and technology architecture that can support changing regulatory, business and customer needs."

Of course, they mention some good stuff, like the FTC SOA effort.

Saturday, September 3, 2011

Cloud and SOA - ways of thinking

“SOA is something you do,” while cloud “is a computing model or a way of leveraging computing resources where those resources can be provisioned and released as required from a set of resources pooled locally in a private cloud or remotely in a public cloud.”

Is SOA a vendor-driven fad? What isn't? Sound architectural philosophy is not a throw-away.