Financial Services Architect Forum - Part 3/3
About: This is the third and last post in a series about the spring session of the financial services architect forum. It focuses on the ‘Identity management and federation’ and ‘Data center virtualization’ panel discussions by architects from Bank of Nova Scotia, Royal Bank of Canada, Manulife Insurance, ObjectSharp and Microsoft, and gives an overview of the Windows Vista and Office 12 session presented by Microsoft.
Hello,
The breakout sessions on identity management and federation and on data center virtualization were probably the most interesting sessions of the day. Imagine a group of architects with passionate and strongly held opinions; now imagine those opinions differing from each other, and then imagine all of them in the same room for over two hours! It was a perfect recipe for interesting and animated interaction. Some of the highlights of these sessions are as follows:
Identity management and federation
The Identity management and federation panel consisted of architects from ObjectSharp, Bank of Nova Scotia and Manulife Insurance. The session started with a discussion of the definition, scope and challenges of managing identities in a large organization. Some of these challenges include:
1) Existence of, and synchronization between, multiple identity stores, i.e. no single authoritative system of record
2) Custom-built applications and COTS solutions each having their own identity provisioning and enforcement mechanisms
3) Varying authentication models
4) Finding the ‘right’ place to store authorization information
5) Impact of audit requirements on identity management mechanisms
The session also divided the initiatives to improve identity management into the following areas and discussed the tools that can help in each of them:
1) Consolidating identity stores
2) Establishing security standards
3) Improving password management
4) Standardizing audit policy
5) Developing identity-aware applications
6) Single Sign-On (SSO)
The tools and links provided in the presentation included:
Active Directory, http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/default.mspx
ADAM, http://www.microsoft.com/windowsserver2003/adam/default.mspx
MIIS, http://www.microsoft.com/windowsserversystem/miis2003/default.mspx
ASP.NET, http://msdn.microsoft.com/asp.net/
Security, http://msdn.microsoft.com/security/
The panelists also discussed the maturity and applicability of the SAML and WS-Federation standards and provided the following definitions for some of the terms in this area:
Federation – the process of securely exchanging identity-based claims across identity and security boundaries (company, department, etc.)
Digital Identity – a set of claims that characterize a person or thing in the digital world
Claim – a statement made about someone/something by someone/something; claims are packaged in security tokens, and the token is what lets the receiver check who made the claim
Identity Provider (IdP) – the party that performs authentication and makes claims about someone/something (also called the “asserting party”)
Service Provider (SP) – the entity that provides a service based on evaluation of the claims (also called the “relying party”)
The panelists then discussed Kim Cameron's Laws of Identity and their relevance and applicability to the systems being designed by architects. The laws are as follows:
1. User Control and Consent:
Digital identity systems must only reveal information identifying a user with the user’s consent.
2. Minimal Disclosure for Constrained Use:
The solution which discloses the least identifying information and best limits its use is the most stable, long-term solution.
3. Justifiable Parties:
Digital identity systems must limit disclosure of identifying information to parties having a necessary and justifiable place in a given identity relationship.
4. Directed Identity:
A universal identity metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
5. Pluralism of Operators and Technologies:
A universal identity metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.
6. Human Integration:
A unifying identity metasystem must define the human user as a component integrated through protected and unambiguous human-machine communications.
7. Consistent Experience Across Contexts:
A unifying identity metasystem must provide a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
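To make the federation vocabulary above (identity provider, relying party, claims packaged in a security token) and Laws 1, 2 and 4 concrete, here is an added example that is not from the forum, the panelists or any Microsoft product. It assumes a simplified token format: a base64url JSON body signed with an HMAC key shared between the IdP and its relying parties (real SAML/WS-Federation deployments use XML tokens signed with the IdP's X.509 certificate). The IdP releases only the intersection of the claims the SP requested and the claims the user consented to, and mints a different pairwise subject identifier per relying party so two SPs cannot correlate the same user. The user directory, key material and site names are all constructed for the example.

```python
"""Claims-based federation sketch: an identity provider (IdP, the asserting
party) issues a signed token of claims; a service provider (SP, the relying
party) validates it before trusting any claim.  Constructed example."""
import base64
import hashlib
import hmac
import json
import time

# Constructed user directory held by the IdP (not real data).
USER_DIRECTORY = {
    "alice": {"email": "alice@example.test", "dept": "treasury", "age": 34},
}


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Asserting party: authenticates the user and signs claims about them."""

    def __init__(self, name: str, signing_key: bytes, pairwise_secret: bytes):
        self.name = name
        self.signing_key = signing_key          # assumption: HMAC key shared with SPs
        self.pairwise_secret = pairwise_secret  # never leaves the IdP

    def pairwise_id(self, user: str, audience: str) -> str:
        # Law 4 (Directed Identity): a unidirectional identifier derived per
        # relying party, so SPs cannot join their records on the subject id.
        mac = hmac.new(self.pairwise_secret, f"{user}|{audience}".encode(),
                       hashlib.sha256).digest()
        return b64(mac[:16])

    def issue_token(self, user: str, audience: str, requested: list,
                    consented: set, now: int = None, ttl: int = 300) -> str:
        now = int(time.time()) if now is None else now
        record = USER_DIRECTORY[user]
        # Laws 1 and 2: release only claims the SP asked for AND the user consented to.
        released = {c: record[c] for c in requested if c in consented and c in record}
        payload = {"iss": self.name, "aud": audience,
                   "sub": self.pairwise_id(user, audience),
                   "iat": now, "exp": now + ttl, "claims": released}
        body = b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
        sig = b64(hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest())
        return f"{body}.{sig}"  # base64url never contains '.', so one separator suffices


class ServiceProvider:
    """Relying party: checks signature, issuer, audience and validity window."""

    def __init__(self, name: str, trusted_issuer: str, signing_key: bytes):
        self.name = name
        self.trusted_issuer = trusted_issuer
        self.signing_key = signing_key

    def validate(self, token: str, now: int = None) -> dict:
        now = int(time.time()) if now is None else now
        body, sig = token.split(".")
        expected = hmac.new(self.signing_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(unb64(sig), expected):
            raise ValueError("bad signature")
        payload = json.loads(unb64(body))
        if payload["iss"] != self.trusted_issuer:
            raise ValueError("untrusted issuer")
        if payload["aud"] != self.name:          # token minted for another SP
            raise ValueError("wrong audience")
        if not payload["iat"] <= now < payload["exp"]:
            raise ValueError("token expired or not yet valid")
        return payload


def rejection_reason(sp: ServiceProvider, token: str, now: int):
    """None if the SP accepts the token, else the reason it was rejected."""
    try:
        sp.validate(token, now)
        return None
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    idp = IdentityProvider("idp.bank.test", b"shared-key", b"pairwise-secret")
    brokerage = ServiceProvider("brokerage.test", "idp.bank.test", b"shared-key")
    insurance = ServiceProvider("insurance.test", "idp.bank.test", b"shared-key")
    t1 = idp.issue_token("alice", "brokerage.test", ["email", "dept", "age"], {"email", "dept"}, now=1000)
    t2 = idp.issue_token("alice", "insurance.test", ["email"], {"email"}, now=1000)
    print(brokerage.validate(t1, now=1010)["sub"], insurance.validate(t2, now=1010)["sub"])
    print(rejection_reason(insurance, t1, now=1010))
```

The audience check is the one most often forgotten: without it a token issued for one relying party can be replayed against another, which also defeats the pairwise identifiers because both SPs would then see the same `sub`.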
Interestingly, towards the end of the session the panelists and the group seemed to agree that identity management and federation are challenging and that, despite the marketing rhetoric, implementing true single sign-on is difficult from both technical and business perspectives.
Data Center Virtualization
The data center virtualization session was one of the highest rated of the event. Architects from RBC and Microsoft presented their experiences in reducing the time it takes to prepare infrastructure for a development group from days to hours. They started by defining virtualization as part of a spectrum of consolidation activities that includes virtualization via virtual machines and shared environments for similar workloads (e.g. databases and web servers), and noted that:
• Traditional software based VMs are the first step to realizing a consolidated infrastructure (easiest to take)
• Along the path of a mature infrastructure model based on shared services rather than siloed functionality
• Technology is ‘cool’ but Lifecycle Management of VMs is where the real cost savings are amplified
– Reduce image proliferation
– Reduce cost of image ownership
– Development of new and creative ways to manage change
– Also area of lowest marketplace support
– Currently, additional investment required in technology and processes
The panelist from RBC also shared the following lessons from implementing virtualization at the bank:
- Breaking down the traditional application development attitude towards infrastructure ownership
– 3+ servers per application system unsustainable
– Effective governance and process integration is key
• Refresh cycles of existing hardware
• Architecture and capacity planning of new systems
- Tackle the problem a little at a time
– Understand you can’t virtualize everything at once
– Move applications and business to an agile SOA without business even realizing it (no big sell needed).
- Shared workload environments are the viable end state
– VM good for legacy and mis-behaved COTS systems
– Final end game is effective and efficient shared environment in a single host OS
– Otherwise, VM procurement becomes so easy, you have guest OS numbers growing like bacteria
He also pointed out that virtualization will be a core competence of infrastructure organizations and quoted industry studies indicating that organizations that do not aggressively embrace virtualization will have 40% higher acquisition costs and 20% higher administration (people) costs.
Bruce Cowper from Microsoft echoed the sentiments expressed by the RBC speaker and described Microsoft's Dynamic Systems Initiative (http://www.microsoft.com/windowsserversystem/dsi/default.mspx) in the following manner:
- Traditional systems live within boundaries
  – Applications have fixed, dedicated resources
  – Results in wasted capacity and a need for more responsive infrastructure
- Virtual systems break down some of these boundaries
  – Virtualization allows for better resource utilization
- Dynamic systems go further
  – Resources are intelligently (by policy) and flexibly assigned as needs change
The panelists and the group discussed the following questions towards the end of the session:
• To virtualize or not to virtualize, that is the question
• Level of maturity of tools and standards in this area
• Data center virtualization in a diverse environment
and seemed to reach a consensus that it is worth investing resources in virtualization.
Windows Vista and Office 12
Jerome from Microsoft presented a session on the architecture, design and salient features of Windows Vista and Office 12. He mentioned that Windows Vista is founded on giving users a “clear, confident and connected” computing experience. Vista is the biggest release of Windows in terms of features and functions and is based on the following principles:
• Secure and reliable
• Modern UX supporting modern hardware
• Interactive digital media and commerce
• Advanced data visualization and analysis
• Task-oriented and user-centric workflow
• Document lifecycle management with business process integration
• Information aggregation
• Mobility for corridor warriors and road warriors
He provided a demonstration of the graphical and other features of the operating system, which generated a lot of oohs and aahs from the crowd, and emphasized the integration of search in Vista, which will allow you to:
- Enable a simpler data management experience in your application:
- Use the OLE DB Provider for Windows Search to make full-text and meta-data search an integral part of your app
- Common File Dialogs include rich metadata functionality
- Reusable Explorer controls for list and stacking support
- Make your app’s files part of the experience
- Write relevant file meta data using the Property Provider APIs
- Enable meta data indexing and updating with Property Handlers
- Implement Live Icons for a better Explorer experience
- Rich Preview handler for search preview and hit highlighting
- Consider the Open Package specification for XML based file formats
He also discussed WinFX, which is expected to significantly reduce the amount of coding you have to do for a business application, and defined the components of WinFX as follows:
- Windows Communication Foundation (WCF): Unified API for service-oriented distributed applications
- From high-perf cross-process to high-interop cross-platform
- Fine grained control and extensibility
- Rich instrumentation and tracing
- Windows Workflow Foundation (WF): Framework for building workflow into applications
- Unified workflow technology for Microsoft products, partner solutions, and customers
- Integrates both system and human workflow scenarios
- Natural extension to .NET Framework and Visual Studio 2005
- Peer-to-peer infrastructure for collaborative applications
- WCF PeerChannel
- PeerNet
- People near me
- “InfoCard”: Federated Identity
- Enables federated claims-based identity
- New credential common dialog
He also described the increased focus on supporting blogging through
- Common services for RSS support:
- Feed service and synch engine
- Common store
- API access model
- RSS List extensions
- Key scenarios:
- Expose critical data as RSS feeds
- Share feed lists between applications with Shared Feed List (IFeeds)
- Use the unified feed parsing API to access application-relevant data from feeds
Lastly, Jerome showed the architecture and a demonstration of Office 12 to the audience, which generated some interesting discussion about the UI changes and their impact on existing applications.
This was my last post on the financial services architect forum. In the remaining posts this month I plan to focus on providing resources for J2EE and .NET interop, writing about the ‘dark side’ of SOA, and covering the sessions and topics discussed at the Vancouver architect forum.
Best regards,
Mohammad