Blog

Entries categorized as ‘Requirements’

Security in the Cloud?

December 29, 2009 · 2 Comments

Security is emerging as the #1 reason people give for shying away from the cloud, according to NIST (National Institute of Standards and Technology, Computer Security Division).

This post is my attempt at pulling together the cloud security-related resources in one place.

A recent article in Technology Review was quoted in NYT. The tone is more sensational than is warranted. The TR article is based on an experiment where researchers were able to discover whether a “victim” Virtual Machine was lightly or heavily loaded. OK, so you can tell when the server is busy — just like the pizza delivery guy can tell when folks are working late at the CIA office. It’s a long way from there to getting your hands on confidential information, IMHO.

Sensational or not, the point about security is valid. If you are a cloud company, your competitor may well use FUD (fear, uncertainty and doubt) against you. So how do we assure ourselves and our customers of the security of our cloud application? No silver bullets here, just old-fashioned common sense applied across the board. Keep in mind, security is more than IT security. If you have an ultra-secure IT infrastructure and your users leave passwords on yellow stickies under their keyboards, the infrastructure was probably not worth the money you spent on it.

First, build security into the architecture, not as an afterthought. Amazon offers these guidelines for developing HIPAA-compliant applications. Whether you use Amazon or not, whatever your application’s security requirements, you need to have architecture guidelines for your application. And your implementation team needs to follow them.

Second, there are a number of assessment tools out there. Thanks to Steve Primost (his blog) for this link on the Microsoft Security Assessment Tool.

Third, if you were the customer, which would you find more compelling?

  1. We did an assessment of our software and believe it to be secure, or
  2. We had an independent IT security firm go through our architecture and implementation, and they found it to be secure, or
  3. We had an independent IT security firm try to penetrate our security by hacking into our system. After a week, they gave up.

The level you choose depends on how important security is for your business and your customers. Well, of course it is important. But are you/they willing to pay for the extra cost of ensuring that it is?

Categories: Requirements

Introduction to Google App Engine

December 10, 2009 · Leave a Comment


Google App Engine

This talk will introduce software engineers to Google App Engine.

Event Details:

  • Google App Engine — Mass GTUG Meeting
  • Location: MIT Campus, Building W92 at 304 Vassar St, Cambridge MA.
  • Date: Tue, January 12, 2010
  • Time: 6pm – 8pm
  • To register, click here

It is not an introduction to web programming or a Google Apps session. It is assumed you know server-side web development — perhaps ASP, JSP or PHP. Please note, this session will be based on Python. Still, it is not a programming language session — the emphasis will be on learning the available APIs which are common between Java and Python on GAE. The idea is to familiarize everyone with the basic App Engine APIs.

We will create a toy bank and be able to transfer “money” between accounts.

Agenda:

  1. Getting Started – What is App Engine
  2. Structure of an App Engine Application
  3. Data Store — the data store is common between Python and Java.
  4. Template Engine — the Template Engine is unique to the Python environment.
  5. Transactions — the transaction model is common between Python and Java.

Prep Work: To get more out of the meeting, you may want to

If you do some of the prep work outlined above, you may be able to ask more pointed questions. I will make sure to allocate plenty of time for questions.

Categories: Requirements

Secure Access to Google App Engine

September 17, 2009 · 2 Comments

Google App Engine supports HTTPS if you access your application through https://abc.appspot.com but not through https://www.abc.com. Google is working on a solution but there is currently no ETA.

For some companies HTTPS access through their own domain is essential.

We at Early Stage IT have come up with an interim solution. The pricing and reliability parameters are not fully set but we think it might cost about $35/month plus $0.30/GB for 3-nines availability. It would also add about 75 msec to each access request.

With these parameters, is this a service that would be of interest to your company?

Categories: Requirements

Cloud Development

July 25, 2009 · Leave a Comment

What are some of the hurdles we have encountered with Cloud Development? What mechanisms have we used to overcome them? The problems posed by the different cloud platforms are different. I will be writing on this topic in a series of blog posts, covering the topics below. If you know of others, please let me know. These list items will get hyperlinked over time.

  1. Cloud Development for Google App Engine
  2. Cloud Development for Amazon EC2
  3. Managing software delivery from outsourcers
  4. Managing evolution of database configurations
  5. Performance and Stress Testing
  6. Security Testing

In this introductory post, I want to cover activities that cross all platforms. The premise of Cloud Development is that the company does not own any hardware. Under these circumstances, how does software development get done?

Categories: Requirements · Techniques · Technology Strategy

Question for the Entrepreneur: What’s your business?

June 8, 2009 · 3 Comments

It’s an annoying question. You want to get going with your business and here’s your IT partner asking these fluffy questions. But if you’re going to be successful, you need to know what business you are in.

Before going further, I want to review the Powell Doctrine. (Here is the original for your reference). Why Powell? Because business is war and we need to learn from one of the best. The Powell Doctrine, interpreted (by me) for business:

  1. What problem does your business solve? Is it a problem worth devoting several years of your life to?
  2. Do we have a clear attainable objective?
  3. Have the risks and costs been fully and frankly analyzed?
  4. Are there other, less painful, ways of solving the problem?
  5. Is there a plausible exit strategy to avoid endless entanglement?
  6. Have the consequences of the business been fully considered? Who will benefit from it — are they worth benefiting? Who will be hurt by the business?

And now to the main point of this post. Business involves choices. If you’re unclear about your core business,

  1. How will you decide who to compete with and who to cooperate with?
  2. When you are cooperating, is it capitulation or is it two parties joining together to achieve a common purpose?
  3. What will you buy and what will you build? Obviously, you want to build what is the core value of your business. You want to buy what is not core.
  4. If you’re going to raise money, and for your own purpose too, you will need to know what your market share is. Knowing market share involves knowing who to include and who to exclude when doing that measurement.
  5. Can you practically assure your stakeholders — investors, customers, yourself, your family — that you can deliver? Recall the other Powell Doctrine: Overwhelming Force in pursuit of your core mission†.
  6. Will the people your business benefits know what they will get for their money and what they won’t? Will they give it their support? Their love? Their money?

The real point is, a business is not an endless series of pragmatic decisions. You have to know why you’re doing it and what your business stands for.

———

† Thanks to Larry Grumer for his comment reminding me of this point.

Categories: Requirements

Barriers to Acceptance: User IDs

May 4, 2009 · 1 Comment

Have you ever been discouraged by a “Sign Up for free” link? Many users are. 15-20% of users abandon a site rather than do the register-confirm-accept dance. Consider lowering the barrier that many users feel when asked to provide their email address to register. In this post, I discuss how you can use IDs from major providers instead of coming up with your own.

A word of caution: the OpenID idea has enjoyed less than spectacular success. Still, a number of announcements this year suggest that the industry is finally arriving at a consensus.

A vision of the login sequence using IDs from other providers (the Login Screen mock-up) is shown on the right.

The table below shows user counts that the UI vision above would target. They were compiled from Comscore stats for internet properties (MySpace is under Fox Interactive Media) and from a different report which zeroes in on email addresses.

#    Site       Users (millions)
1    Gmail      31
2    Yahoo!     93
3    Hotmail    43
4    AOL        45
5    MySpace    89
..   ..         ..
8    Amazon     63
..   ..         ..
13   Facebook   51

A key question that remains to be asked is what are the stats for your users. Of course, you won’t know the answer to that question until you have gone live, so perhaps it is best to cast a wide net in the beginning.

Here are a few references for implementation:

  1. Some background material: What is OAuth and how does it work?
  2. If you want to do the programming, a recipe for OpenID 1.1 from Plaxo, instructions for using Yahoo! as an identity provider, using Google’s OAuth.
  3. If you want to use a third-party solution, RPX service for OpenID 2.0 from JanRain.

Of course, this only addresses the authentication question. How your users will be given entitlements to do what they need to do, and only what they need to do, remains an implementation decision.
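To make the distinction in that last paragraph concrete, here is an added example (not code from the post, nor from Plaxo, Yahoo!, Google or JanRain): the identity provider only establishes who the user is, and the application keeps a separate record of what that person may do. It assumes the OpenID/OAuth library has already verified the provider's response and hands over a small `Assertion` object; the `Assertion` and `LocalUser` types, the `ROLE_ACTIONS` table, and all provider names, subject identifiers and e-mail addresses are constructed for the illustration. Accounts are keyed on the (provider, subject) pair rather than the e-mail address, since one provider cannot vouch for another's identifiers.

```python
# Added example (not from the original post or any linked provider): federated
# login answers "who is this?"; entitlements are a separate, local decision.
# All provider names, subjects, e-mail addresses and roles are constructed data.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Assertion:
    """Assumed shape of what an OpenID/OAuth library returns after verification."""
    provider: str   # which identity provider vouched for the user
    subject: str    # provider-scoped stable identifier, e.g. an OpenID claimed id
    email: str      # informational only; never used as the account key
    verified: bool  # True only after the library checked the provider's signature


@dataclass
class LocalUser:
    user_id: int
    email: str
    roles: set = field(default_factory=set)


# Entitlements are defined by the application, never by the identity provider.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin": {"read", "write", "grant"},
}


class AccountDirectory:
    """Links external identities to local accounts and answers entitlement questions."""

    def __init__(self):
        self._by_identity = {}  # (provider, subject) -> user_id
        self._users = {}        # user_id -> LocalUser
        self._next_id = 1

    def authenticate(self, assertion):
        """Return the local account for a verified assertion, creating one on first visit."""
        if not assertion.verified:
            raise PermissionError("refusing an assertion the IdP library did not verify")
        key = (assertion.provider, assertion.subject)
        user_id = self._by_identity.get(key)
        if user_id is None:
            user_id, self._next_id = self._next_id, self._next_id + 1
            # A freshly linked account starts with no entitlements at all.
            self._users[user_id] = LocalUser(user_id, assertion.email)
            self._by_identity[key] = user_id
        return self._users[user_id]

    def is_allowed(self, user, action):
        return any(action in ROLE_ACTIONS[r] for r in user.roles)

    def grant(self, granter, user, role):
        """Only a local user entitled to 'grant' may hand out roles."""
        if not self.is_allowed(granter, "grant"):
            raise PermissionError(f"user {granter.user_id} may not grant roles")
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        user.roles.add(role)

    def bootstrap_admin(self, user):
        """Out-of-band step (a deployment script, not a login) seeding the first admin."""
        user.roles.add("admin")


def demo():
    """Walk through the flow with constructed data; returns the facts worth checking."""
    d = AccountDirectory()
    admin = d.authenticate(Assertion("google", "https://example.invalid/id/admin-1",
                                     "admin@example.invalid", True))
    d.bootstrap_admin(admin)

    alice = d.authenticate(Assertion("google", "https://example.invalid/id/alice",
                                     "alice@example.invalid", True))
    read_before = d.is_allowed(alice, "read")          # new account: nothing allowed
    d.grant(admin, alice, "viewer")
    read_after, write_after = d.is_allowed(alice, "read"), d.is_allowed(alice, "write")

    # Same e-mail asserted by a different provider is a different identity.
    alice_via_yahoo = d.authenticate(Assertion("yahoo", "yahoo-sub-42",
                                               "alice@example.invalid", True))
    # Returning via the original provider finds the existing account, roles intact.
    alice_again = d.authenticate(Assertion("google", "https://example.invalid/id/alice",
                                           "alice@example.invalid", True))
    try:  # a viewer cannot escalate anyone, including the look-alike account
        d.grant(alice, alice_via_yahoo, "admin")
        viewer_cannot_grant = False
    except PermissionError:
        viewer_cannot_grant = True
    try:  # an unverified assertion is rejected before any account lookup
        d.authenticate(Assertion("google", "https://example.invalid/id/alice",
                                 "alice@example.invalid", False))
        unverified_rejected = False
    except PermissionError:
        unverified_rejected = True

    return {
        "read_before_grant": read_before,
        "read_after_grant": read_after,
        "write_after_grant": write_after,
        "distinct_across_providers": alice_via_yahoo.user_id != alice.user_id,
        "same_account_on_return": alice_again is alice,
        "viewer_cannot_grant": viewer_cannot_grant,
        "unverified_rejected": unverified_rejected,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two decisions a practitioner should take away are visible in `authenticate` and `grant`: the account key never includes the e-mail address, and a newly linked account holds no roles until someone already entitled to grant them does so.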

Categories: Requirements

Training: Instructor Led Classes vs eLearning

April 18, 2009 · Leave a Comment

Which form of training is best? Neither, I think.

With e-learning, the attention wanders, Outlook flashes incoming messages, some auto-update thingy on the PC comes to life and it’s over.

In-class learning is a little better because we learn not only from the trainer but also from the discussion. But how many of us really remember what was discussed a week after we come back from the training?

Ironically, the last time I had an effective learning experience was on-line, but it wasn’t an e-learning course. It was a series of exercises where at each step you had to add a level of complexity to a working piece of software and get it doing more things. Two to three hours later, you had a fairly complex piece of software and you looked at it and said, wow!

My most effective classroom training situation was a management training course where teams were given a hypothetical company to run. Every few hours, we had to make decisions about actions to take, those actions had consequences on the hypothetical company, the external circumstances changed, and you had a new set of problems to deal with. Whichever team showed the best EBITDA at the end of 3 days won!

Whether the training is on-line or in person is the wrong question. The effectiveness of the training is determined by how much effort has gone into constructing it, how much fun you can make it, and the wow factor at the end.

If you want your team trained, and trained well, and trained so they know the material forever after, find inspired training.

Categories: Requirements · Training

Amazon Web Services Resources

March 16, 2009 · Leave a Comment

One of our clients will be using AWS and, to help with that, here is a compilation of resources:

Categories: Requirements

Accessing Amazon Web Services from Google App Engine

January 3, 2009 · Leave a Comment

Amazon.com has put together a set of services (AWS) that allow you to rent, not buy, your infrastructure. They are extremely competitive and competent. Despite the use of the word “simple” in the names of these services, simple they are not. Echoing Einstein perhaps: things should be as simple as possible, but no simpler.

A gem: Amazon knows a thing or two about payments and money transfer; no surprise that Amazon FPS (flexible payment system) should be a unique part of the offering.

When it comes to writing applications, Google App Engine (GAE) is more constrained but ramp-up is easier and more amenable to agile development — a necessity for Early Stage companies.

How can we leverage the robustness of AWS from the simple (but constrained) environment of GAE? We tried to call FPS services from GAE to see. The remainder of this post is about tips and tricks for doing so. Fair warning, it’s a bit technical.

Categories: Requirements · Techniques

Cloud Computing for Early Stage IT

December 18, 2008 · Leave a Comment

A recent publication from the IEEE Computer Society spurred me to write this post. First, some excerpts:

IT Industry Gets Cloudy

Daryl Plummer, Gartner Group chief of research for advanced IT, believes IT organizations will have to evolve to become service providers themselves, and their employees will need to develop relationship management skills in order to negotiate and manage contracts. According to Gartner analyst Thomas Bittman, one of the major unrecognized challenges of cloud computing will be how IT departments will manage the services.


Categories: Requirements