Software Engineering, Project Management, and Effectiveness
A theme of the economic downturn is that the world won't simply go back to "business as usual" -- it's a fundamental shift.
Gartner says the World of Work Will Witness 10 Changes During the Next 10 Years:
# 8 is especially interesting to me. Gartner says:
"Gartner expects to see a significant growth in the number of organizations that create groups specifically charged with detecting divergent emerging patterns, evaluating those patterns, developing various scenarios for how the disruption might play out and proposing to senior executives new ways of exploiting (or protecting the organization from) the changes to which they are now more sensitive."
Lucky for me, patterns are my forte.
Some of the biggest shifts I see are:
I learned that in life, one of the best ways to roll with the punches is to look at the funny side of things. Many thanks to Dilbert, The Far Side, and Calvin and Hobbes for adding fuel to that fire and giving me lots to work with. Work also goes a whole lot smoother when you can find a way for it to amuse you (and you always can, if you decide to.) Humor is a key way to stay curious, light-hearted, and avoid falling into the bitterness trap.
I’ve baked comedy into my life in various ways. For example, I regularly go to comedy clubs. You can learn a lot from comedians about timing, how to work a room, and how to be comfortable in your own skin. You can also learn how to shift your perspective from a serious tone, to the lighter side of life, or at least the zany side.
One of my favorite comedians is Craig Shoemaker. He’s a real pro and he’s funny in multiple ways, from his skits to his impressions. I’m honored to have a guest post from Craig on 10 Lessons Learned in Comedy.
Enjoy.
One of the best ways for making sense of a space is to have a lens for looking at it. The productivity and results space are well-traversed and the body of knowledge is enormous. That’s part of the problem. Without an effective lens, it can be difficult to find, organize, and share the productivity strategies, tactics, etc.
Knowledge Areas You can think of a “frame” or a “lens” as a set of knowledge areas that make it easier to learn a space. Together, the knowledge areas form a constellation of knowledge. For example, the PMBOK (Project Management Body of Knowledge) and SWEBOK (Software Engineering Body of Knowledge) use knowledge areas to cluster related topics, concepts, tasks, and terms to help share the information more effectively. It’s a way to frame out the space.
Productivity Body of Knowledge While working on Getting Results the Agile Way, one of the first things I needed to do was carve out the space into meaningful buckets. By “framing out” the results and productivity space, I created a more effective lens to look at productivity. This is how I created a “Productivity Body of Knowledge". I named the collection of knowledge areas for productivity and results, the Results Frame. Giving it a name and putting it into a simple table, made it easier to refer to and to share as a mental model with others.
The Results Frame (Productivity Knowledge Areas) Here is the Results Frame:
The key with these knowledge areas is that they are can contain insight and action. They are great containers or buckets for productivity principles, patterns, and practices. To create the buckets, I first gathered up all the “rocks” (the individual principles, patterns, practices, terms, concepts, etc.) , then I group the collections, and then I labeled the buckets. This is the opposite of making up buckets and then looking to fill them. I was more interested in creating buckets for proven practices and applied knowledge, rather than treating productivity as an abstract or academic exercise.
Not only did the Results Frame help with organizing my own body of knowledge for results and productivity, but it made it incredibly simple for me to very quickly parse just about any body of knowledge or significant work in the productivity space. This frame also helped me quickly pressure test productivity systems against a more holistic view, as well as to find their more specific strengths and weaknesses. Interestingly, you can also use the categories to help evaluate project management approaches and software development approaches. The frame is useful whether you use it to organize your own knowledge base on productivity, or you use it for teams, or organization. Don’t just take my word for it though … test drive it and you decide what works for you … you’re the ultimate expert on your context and scenario.
These are some of the best ways I’ve found to master time management, get great results, improve your productivity, and amplify your impact:
For more patterns and practices for improving results, see my book, Getting Results the Agile Way.
patterns & practices Parallel Programming with Microsoft .NET is now available. The book shows design patterns to help developers use the .NET 4 Task Parallel Library (TPL) to write parallel applications successfully.
Contents at a Glance
The Patterns The book describes six key parallel patterns for data and task parallelism and how to implement them using the TPL.
The Book
The Code Samples
The Talk
The Community
This is a behind the scenes look at my involvement in the creation of the MSDN Hub pages.
The MSDN Hub pages you get to from the main “buttons” on the MSN home (pictured above.) Specifically, these are the actual pages:
The intent of the MSDN Hub pages to create some simple starting points for some of our stories on the Microsoft developer platform. For example, you might want to learn the Microsoft cloud story, but you might not know the “building blocks” that make up the story (Windows Azure, SQL Azure, and Windows Azure platform AppFabric.) A Hub page would be a way to share a simple overview of the story, a way to get started with the technology, common application paths and roadmaps, and where to go for more (usually the specific Developer Centers that would be a drill down for a specific technology.)
Why Was I Involved? If you’re used to seeing me produce Microsoft Blue Books for patterns & practices, and focusing on architecture and design, security, and performance, it might seem odd that I was part of the team to create the MSDN Hub pages. Actually, it makes perfect sense, and here’s why -- They needed somebody who had looked across the platform and technology stacks and could help put the story together. Additionally:
My Approach My approach was pretty simple. I worked closely with a variety of team members including Kerby Kuykendall, Howard Wooten, Chris Dahl, John Boylan, Cyra Richardson, Pete M Brown, and Tim Teebken. I started off working mostly with Kerby, but eventually I ended up working closest with Tim because he became my main point of contact for influencing and shaping the work. That said, it was still a lot of mock ups, ad-hoc meetings, whiteboard discussions, and group meetings to shape the overall result. Tim did a stellar job of integrating my feedback and recommendations, as well as sanity checking group decisions with me.
I also sanity checked things with customers, and I worked closely with folks on the Microsoft Developer Platform Evangelism team including Tim Sneath and Jaime Rodriguez. They were passionate about having a way to tell our platform story, show common app pathy, and how to put our leggos together, and make technology choices. I tried to surface this in the design and information model for the Hub pages.
The Hubs For the Hubs, at one of our early meeting in November of 2009, I recommended a we use “deployment targets” as a way to help slice things up and keep it simple. Specifically:
As you can see, it maps very well to the App Types set I created circa 2004, but I evolved it to account for a few things. First, I included learnings from working on the App Arch guide (such as moving away from Rich Client to just “desktop.”) Second, I tried to pin it more directly to physical deployment targets to keep it simple. As a developer, you can write apps to target the Web (a “Web” browser app), a desktop (such as a Windows client, or Silverlight, or WPF, etc.), a game (game console), etc. Third, I aligned with marketing efforts, such as recommending we use the “deployment target” metaphor and I renamed the “Mobile” bucket to “Phone” (which worked, because it extended the “deployment target” metaphor, was still easy to follow, and kept things simple.
I also kept the physical aspect of the “deployment target” metaphor loose. For example, “Web” could run on server, or “desktop”, etc. Instead, I wanted to bubble up interesting intersections of application types plus common deployment targets, and keep it simple.
The Server Hub For the server hub, I recommended addressing our story from a few lenses. First, we have server-side products that can be extended, such as SharePoint, Exchange, SQL Server, etc. That lens is pretty straightforward. Second, I recommended focusing on “Service.” Here’s where it’s hard for folks to follow if they aren’t familiar with server-side development. While you can lump “service” under “Cloud” (as a cloud developer, I can write a Web app, a service, etc.), the “service” story is a very special one. It’s the evolution of our “middleware developers” and our “server-side developers.” It’s the path that the COM builders and server-side component builders shifted to … a more message-based architecture over an object-based one, as well as a shift to replacing DCOM with HTTP.
So if we had a Server Hub, it realistically should address building on our server-side products/technologies (SharePoint, Exchange, SQL Server, AppFabric, etc.) and it should address “Services.” Sure you could also lump SharePoint under Web or Services under Cloud, but you can also bubble up and give focus to some of the fundamental parts of our Microsoft application developer platform.
To be fair, a lot of folks moved around during the MSDN Hub page project, and as new folks came on board, the history, insights, and some of the work may have gotten lost.
How To Solve the Issue of Too Many Hubs This was my suggestion for dealing with too many Hubs:
“I think one thing that helps to keep in mind is that different people will want different views – but I think it’s simpler to choose the most useful one across the broadest set of scenarios. That’s why Burger King and McDonald’s have a quick simple visual menu of the most common options … then you can drill in for more with their detailed menu if needed. I like that metaphor because it addresses the “simple” + “complete” Platform is a pretty solid bet – with an orientation around “tribes” (I’ll walk you through when we sync live) – after all, we do competitive assessments against platforms and that’s where we need to win.”
I also made a few additional recommendations to deal with the problem of “simple” + “complete”:
This would provide a “durable” + “expandable” … AND… “simple” + “complete” … and in the end, a “platform guidance” approach.
While I’m not a graphic artist, I had done some mockups to help illustrate the point …
Home with “View More >>”
View More … (full dev center against a durable backdrop, full tech stack, Roadmaps)
This is blowing up a section of the “Microsoft Developer Products and Technologies” map above that I had created to illustrate the point:
… etc. and the map of course, continued with the technology stack, but used a robust backdrop. The map would need to be vetted across product teams but that’s just the point … have a common map that shows our “catalog” of technologies that customers could easily browse, and that product teams stand behind, while providing simple jump points to either MSDN Developer Centers or Product Team sites.
The Information Model for the Hub Pages I tried to be inclusive in the information model and I wanted to address and integrate customer pain points I’ve heard about how we tell our story over the years, as well as keep the pages simple and useful, based on what I know about customer usage patterns. These are the main sections I recommended:
A picture is worth a 1000 words (note this is a picture of the “Information Model” – NOT the page mockups):
My key customer scenarios and questions I used for test cases were:
My key recommendations included:
Tim Teebken and I had many late night discussions and drill-downs, which made the work interesting and exciting. It’s always great to work with smart people. We pushed each other, challenged each other, and ultimately we stayed on the same page on the journey.
Well, that’s the story in a nutshell. That’s a behind the scenes look at the making of The Design of the MSDN Hubs and the role that I played.
If you have feedback on the information model, please feel fee to send my way. You can use the contact form on my blog.
David Zinger has shared his take on Getting Results the Agile Way in a review on his blog at http://www.davidzinger.com. You can check out David’s review of Getting Results the Agile Way at:
If you don’t know David, he’s a writer, educator, speaker, consultant, and all around good guy, that lives and breathes employee engagement, which is all about how individuals, teams, and leaders can be more engaged in the work that they do. His passion and super skill is helping people get more out of their work, and unleash their passion on the job.
You can see David in action at The Employee Engagement Network and you can check out his amazingly concise and insightful book, Zengage. In a nutshell, Zengage is a short powerful book to help you get more out of your work by getting more into your work.
Today was the final day of 30 Days of Getting Results, based on my book Getting Results the Agile Way.
It’s basically free training on many of the key skills for:
It’s the synthesis of what I’ve learned at Microsoft in the trenches and my travels in life, as well as from many very good mentors. Mostly, it’s what I’ve learned from the school of hard knocks, trial and error, and necessity (I think of it as a collection of Microsoft Survival Skills in a box.)
Agile Results Agile Results is a personal results system for work and life. It’s a simple system for meaningful results that you can apply whenever you need it. It’s a way to help you make the most of what you’ve got. It’s a way to be the author of your life, and write your story forward.
Problems Addressed
It’s been a fun ride and I’ve heard some amazing stories from people around the world. I’ve enjoyed the emails and stories from people who have used the system to enhance their life, a day at a time, a story at a time.
30 Lessons on Getting Results the Agile Way
Key Links
If you visit just one lesson, check out Day 27 – Do Something Great. If you check out two, check out Day 10 – Feel Strong All Week Long.
I've been sharing this lens with some of the people I mentor and they've been finding it helpful. It's a simple lens for looking at the organizational culture you’re in and helping make sense of what you see:
You can usually get a sense for what an organization values by looking to the writing on the wall. The key word here is “valued.” You need to know what’s valued so that you can tailor your behavior and expectations for the context. It helps you more effectively adapt your behavior, adjust the situation, or avoid situations with skill.
The ideal scenario is a balance of the results + social + process. In my experience, I’ve found that usually an organization tends to be out of balance – they lean more towards one end than another. Here are some of the symptoms you see when an organization is skewed toward one end:
When you know the context of the org you are in, you know what counts and what does not. This helps you reshape your expectations and your behavior accordingly which leads to your success.
I’ve been coaching individuals, teams, and leaders on getting results. Basically, for several years I’ve tested and applied various patterns and practices for improving focus, improving motivation, improving time management, and improving personal productivity. I’ve also applied these practices to distributed team settings for several years (I’ve lead distributed teams since 2001, working with Argentina, UK, India, etc.). The system itself is a combination and synthesis of proven practices learned from project management, software management, positive psychology, and sports psychology. It’s also battle tested in some of the most extreme scenarios. It’s ultimately a simple system for meaningful results that scales up and down, from individuals to teams and leaders.
At the heat of the system is a story-driven approach or a “3x3” approach:
By using three stories to drive your day, your week, your month, and your year … you identify your most important results, you connect to your values, and you flow value on a regular basis.
I’ve wrapped up and shared this getting results system as a guide. The book is called Getting Results the Agile Way and you can read the testimonials which includes people inside and outside of Microsoft (it’s generalized to work beyond the Microsoft context.) It’s one of my most important contributions back to the community … distilling all the of the best of the best of what I’ve learned about getting results from my various mentors, my multiple projects over many years, and from the school of hard knocks. It’s the playbook I wish somebody gave me when I started.
For this month, I’ve been doing a Monthly Improvement Sprint to help teach you the system and to learn how to improve personal productivity, improve energy, and improve time management. Basically, I want you to get the system on your side. Monthly Improvement Sprints are one of the core practices from the system, so I’m effectively, using the system to teach the system. Each day, I share another nugget in the form of a post on my personal effectiveness blog. Each nugget is self-contained so you can pick up from anywhere.
Here is a description of the project:
Here are the daily lessons so far on improving personal productivity, time management, focus, and prioritization:
Join anytime and pick up from wherever you are. The most important theme is this:
Be the author of your life and write your story forward … a day at a time, and a moment at a time.
Heuristic evaluation is one of the most common types of expert reviews for Web sites. It was developed by Jakob Nielsen. In the book, The Design of Sites, by Douglas K. Van Duyne, James A. Landay, Jason I. Hong, the authors explain heuristic evaluations.
What Is a Heuristic Evaluation Van Duyne, Landay, and Hong write:
“The basic idea is to have three to five expert judges independently evaluate a site, using a list of usability heuristics or principles.“
How To Perform a Heuristic Evaluation Van Duyne, Landay, and Hong write:
“In a heuristic evaluation, the judges go through the site, often with a set of sample tasks as a guide, looking for violations of the heuristics. They note each violation and make a suggestion for fixing it. ... The judges also rate each violation with a level of severity. Severity levels are usually assessed on the basis of the expected customer impact and frequency of the violation.”
7 Design Principles / Heuristics (The Design of Sites)
10 Usability Heuristics (Jakob Nielson)
For an explanation of Jakob Nielson’s 10 usability heuristics, see Ten Usability Heuristics.
When it comes to prototyping Web site design, paper prototypes tend to have an advantage. In the book, The Design of Sites, by Douglas K. Van Duyne, James A. Landay, Jason I. Hong, the authors explain some of the advantages.
Iterate and Explore the Design with Paper Prototypes Van Duyne, Landay, and Hong write:
"Research shows that designers who work out conceptual ideas on paper tend to iterate more and explore the design space more broadly whereas designers using computer-based tools tend to take only one idea and work it out in detail."
Low-Fidelity Prototypes Over High-Fidelity Prototypes Van Duyne, Landay, and Hong write:
“Nearly every one of the designers we have talked to has observed that the discussions is qualitatively different when people are presented with a high-fidelity prototype. Clients often respond with comments like, 'I do not like your color scheme,' or 'These two buttons need to be aligned correctly.' When presented with a low-fidelity prototype, however, clients are more like to say something like, 'These labels on the navigation bar do not make sense to me,' or 'You're missing a link to the shopping care here on this page.' In other words, with low-fidelity prototypes, which lack irrelevant details like color, font, and alignment to distract the eye, people focus on the interaction and on the overall site structure. “
However, it's worth noting that software that emulates paper prototyping can be very helpful. One example is Balsamic Mockups.
When you’re prototyping sites in the early stage, the three main artifacts are: sitemaps, storyboards, and schematics. In the book, The Design of Sites, by Douglas K. Van Duyne, James A. Landay, and Jason I. Hong describe the three artifacts as follows:
There’s often confusion over the distinction between information architecture, navigation design, and graphic design. One of my favorite books that explains what these terms are and the distinctions is the book, The Design of Sites, by Douglas K. Van Duyne, James A. Landay, Jason I. Hong.
Van Duyne, Landay, and Hong define the terms as follows:
Note that information and navigation design are typically done before graphic design.
Also note that the authors mention that there's often a debate in the design community about the boundaries between information architecture and information design. They point out that information architecture focuses more on structure and language, while information design focuses on presentation and perception. At the end of the day, the key point is that the two disciplines are about helping customers find, understand, and manage complex information.
It’s also worth knowing the terms “Information Model” and “Data Models” since they often come up in discussions regarding information architecture:
So many Web sites fail at helping users complete tasks or find the information they need in a simple way. E-Commerce sites like Amazon tend to do a better job than a lot of sites here because they have a tight feedback loop for customers completing their tasks. Basically, they keep the score on their customer success against their goals. If customers can’t find what they need, perform their transactions in a fast and simple way, easily give feedback, or provide useful reviews to the community at large, then Amazon fails and customers look for alternatives. It’s a self-re-enforcing loop and Amazon does a lot of A/B testing to find the most effective way to improve customer success on their Web site.
The good news is … Success leaves clues in the form of principles, patterns, and practices.
There’s really no reason for Web sites to fail at basic user experiences, given that so many problems are already solved. Not only are the problems solved, but user experience solutions even have names in the form of patterns. Better yet, you can check each pattern against live examples on the Web. It’s effectively a living catalog of success.
Lessons Learned on Site Design While working on one of my information architecture projects, I analyzed more than 350 Web sites, mostly in the consumer space, to learn interaction patterns, site design, and user experience patterns. I apply these lessons to many of my CodePlex sites, Wikis, SharePoint sites, and blogs within the bounds of things that I control. For example, on my personal effectiveness blog Sources of Insight, I regularly test site design principles, user experience, and interaction patterns. The downside during all of my research is that I didn’t think to name all the patterns I learned. Because I didn’t name the patterns, it’s difficult to share the lessons learned or to create a simple catalog of the cornerstone concepts. All is not lost though …
User Experience Patterns for Effective Site Design When you need to design effective user experiences for Web sites, you don’t have to start from scratch. You can model from the success patterns of existing sites. However, distilling all the successful principles, patterns, and practices can be a challenge. One of my favorite guides that does the distillation for you is The Design of Sites. It’s a comprehensive catalog of proven practices for designing effective Web sites in terms of customer-centered design, information architecture, interaction patterns, and task-completion.
Patterns Catalog from The Design of Sites You can actually browse the full catalog of patterns from The Design of Sites book. I like to be able to scan the patterns in alphabetic order by category, so I put them into a summary table to do so:
Not only are the names intuitive but when you use the book, you can drill into each pattern for concrete examples, as well as the design philosophy behind it.
Windows Azure Security Notes (PDF) is a collection of our notes and learnings from exploring the cloud security space and working through Windows Azure security scenarios. Note that this is not a guide and it’s not a Microsoft patterns & practices deliverable. It’s simply a way to package up, hand-off, and share what we learned during the exploration stage of our patterns & practices Windows Azure Security Guidance project.
The key things you’ll want to explore in the notes are the various application scenarios, the cloud security threats and countermeasures, and the checklist.
Download
Contents at a Glance Here is a quick look at the Windows Azure Security Notes:
Reference
Acknowledgements Many thanks to the following folks for sharing their time and expertise along the way:
While we’ve been thinking through content strategies and content experiences, one of the phrases I started using to quickly share an idea is “CRUD for Content.” It’s modeled after CRUD operations for applications – CREATE, READ, UPDATE, DELETE. It’s simple, but it quickly helps folks relate to the simple operations you can do with content as a user:
Sure there are plenty of variations off of that, but it’s a helpful backdrop to start from when thinking through experiences for finding, searching, saving, and sharing content on MSDN.
At the end of the day, if I’m going to throw my time and energy at something, I want to know that it will make impact. I also want to make sure that I’m on path, meaning it connects to my values and my purpose, and that I’m using proven practices to make things happen with skill.
There is a lot of science and wisdom of the ages but it’s tough to pull everything we know about thinking, feeling, and taking action in the most effective way. Add to that the challenge that we’re all different and we have to apply any principles, patterns, or practices to our specific scenario or context.
Getting Results the Agile Way is a way to pull it all together and get the system on your side. It’s the system I’ve honed over years and it’s principle-based, which means you can tailor it very easily to yourself or the situation.
To make it easy to learn some of the key ideas, I created three short slide shows to share the three key parts of Agile Results:
For August, I’m putting a strong emphasis on sharpening and honing my execution skills – a tune up of the system. As part of the process, I decided to make my August theme all about getting results. You can follow along at 30 Days of Getting Results where each day I will share another nugget from the book of getting results.
"I love it when a plan comes together." -- Colonel John "Hannibal" Smith, The A-Team
Project plans are tough. No matter how many times you do them – they are always tough. I’ve been doing them for years, and yet the path from zero to a "good enough" plan is always a lot of work. But it's worth it. It's often what separates the failed projects from the successful ones. When a project fails, you can usually find clues in the plan (or lack of.)
Regardless of how you get there or how you share the plan, the following are essential elements:
In question form, some simple checks are:
It's worth noting that projects often fail because
Interestingly, I know of some executive reviews that boil down to two cutting questions:
It helps answer the higher question -- “Why are we doing this and does it make business sense?”
"Don’t count the days, make the days count." - Muhammad Ali
If you've ever wanted to learn the key principles, patterns, and practices for getting results, now's the time. I'm making August a focus on Getting Results the Agile Way. It's a simple system for meaningful results. It's been helping individuals, teams, and leaders improve their results and get on top of their game (see reviews and success stories.)
Throughout August, I'll write a new post each day on Sources of Insight to help you adopt Agile Results, a nugget at a time, starting with 30 Days of Getting Results. If you want to follow along, subscribe to the RSS feed for Sources of Insight.
Here are some of the key topics I'll be addressing:
Agile Results is the system I talk about in the book, and it's a simple system for meaningful results. You can think of it as a personal results system for work and life. It's based on both studying success and applied research over a number of years, and it draws from a number of disciplines, including positive psychology, project management, software development, etc.
It's not about software development, but it is the same system I've used to mentor others, coach teams, and lead distributed teams for more than 10 years. You can think of it as "Scrum for Life" or "Story-driven results" or "Lean for Life." You can use the system to improve your mind, body, emotions, career, financial, relationships and fun. It's ultimately about writing your story forward, driving from your "why", and leveraging proven practices for thinking, feeling, and taking action.
I know a number of people are going through significant changes in their life. Having a system and science on your side, helps you stack the deck of success in your favor.
If you want to get started fast without reading the book, here is a One-Page Guide to Getting Started with Getting Results the Agile Way.
Several years back, I did an exercise in mapping out families of application architectures and application types. It was an extensive archeological expedition.
Key Goals / Outcomes There were several goals of the exercise:
The exercise fed into a number of later works years later, including:
Key Activities Some of the key activities of this early exercise included:
Keep in mind, that going into this, I already had the benefit of doing more than 650 customer architecture and design reviews -- yet still, this was an overwhelming exercise. It forced me to find new ways to deal with large bodies of data and information, and somehow turn them into shared maps, browsable, reusable knowledge nuggets, and backdrops for deeper conversations and elaboration.
Lessons Learned from Architectural Exploration Some of the surprises for me or things that I learned that I didn't expect include:
In retrospect, the simplicity and common denominators of CRUD make a lot of sense. It's all about interacting with information at a fundamental level. People are just trying to get things done and there's only so many things you can do with information -- find it, browse, save it, share it, transform it, etc. as part of your workflow.
Early Map of App Types I included one of the many early maps of the application types that helped us figure out what to throw out and what to keep as we moved forward. One of the key distinctions that Ward Cunningham helped me figure out was to distinguish between the shape of the application architecture and design, and the actual “purpose” of the application. Some purposes were more business-oriented, while some were more technically oriented, and this helped me find and distinguish different families of apps.
It's circa 2004, but the irony is how timeless the backdrop really has been. It’s rough and raw, but like I said, it’s just one sampling of the many braindumps behind the scenes of mapping out app types.
Cloud security has been a hot topic with the introduction of the Microsoft offering of the Windows Azure platform. One of the quickest ways to get your head around security is to cut to the chase and look at the threats, attacks, vulnerabilities and countermeasures. This post is a look at threats and countermeasures from a technical perspective.
The thing to keep in mind with security is that it’s a matter of people, process, and technology. However, focusing on a specific slice, in this case the technical slice, can help you get results. The thing to keep in mind about security from a technical side is that you also need to think holistically in terms of the application, network, and host, as well as how you plug it into your product or development life cycle. For information on plugging it into your life cycle, see the Security Development Lifecycle.
While many of the same security issues that apply to running applications on-premise also apply to the cloud, the context of running in the cloud does change some key things. For example, it might mean taking a deeper look at claims for identity management and access control. It might mean rethinking how you think about your storage. It can mean thinking more about how you access and manage virtualized computing resources. It can mean thinking about how you make calls to services or how you protect calls to your own services.
Here is a fast path through looking at security threats, attacks, vulnerabilities, and countermeasures for the cloud …
Objectives
Overview It is important to think like an attacker when designing and implementing an application. Putting yourself in the attacker’s mindset will make you more effective at designing mitigations for vulnerabilities and coding defensively. Below is the cloud security frame. We use the cloud security frame to present threats, attacks, vulnerabilities and countermeasures to make them more actionable and meaningful.
You can also use the cloud security frame to effectively organize principles, practices, patterns, and anti-patterns in a more useful way.
Threats, Attacks, Vulnerabilities, and Countermeasures These terms are defined as follows:
Cloud Security Frame The following key security concepts provide a frame for thinking about security when designing applications to run on the cloud, such as Windows Azure. Understanding these concepts helps you put key security considerations such as authentication, authorization, auditing, confidentiality, integrity, and availability into action.
Threats and Attacks
Vulnerabilities
Countermeasures
SDL Considerations For more information on preferred encryption algorithms and key lengths, see the Security Development Lifecycle at http://www.microsoft.com/security/sdl/ .
What is the success pattern for leading a successful v-team? I asked one of my mentors, a seasoned softie for his take on what are the keys to a successful v-team. Here is what he had to say:
This is a walk down memory lane. It’s an idea I was circulating circa 2005 so the words will seem stale now. Periodically I like to flip through my old ideas to see how I’ve used them, what impact they made, and what I learned in the process.
When I originally pitched the idea, there were two basic reactions – either “this will never fly” or “we have to make this happen.” The funny thing was, when Amazon launched its Mechanical Turk, several months later, some of the original naysayers, came back to me and said, “Oh, I guess you were on to something.”
I wasn’t passionate about the idea, so I didn’t pursuit it. I was also busy with other game changers. However, I did share the idea with some key folks, and then I wrote it up in a simple way so that whoever might need to see it, could quickly understand the scenarios and the value. However, the thinking behind this did end up shaping some interesting efforts. It also helped me articulate a principle that kept showing up – Human Shepherds and the Law of Relevancy.
As an aside, the big thing I learned from having clusters of ideas at a time … (I filed several patents that year, created a few key software prototypes that internal/external customers built offerings around, and helped shape some key product-line paths) … is that you can actually get ahead of the innovation eight-ball, if you know how to combine key principles and patterns with the trends and the maturity cycles of markets. The patterns and principles help you see things that might not otherwise be obvious. There are even tricks to getting ahead of the mainstream market. Someday I’ll share the patterns and practices for innovation that I’ve learned from the school of hard knocks (part of our group acted like applied research so we have the battle scars of making innovation stick against real-world scenarios.)
Here is the original idea of “Short-Burst Work”, in raw form. Note that one of the other things I learned since then is that choosing a sticky name for an idea, makes all the difference in the world – alliteration and fun, helps a ton!
Idea: Short Burst Work
Elevator Pitch ”Connect short-burst human power to the relevant short-burst work opportunities ...”
Summary Here's an idea that could be a game changer ... What if you could connect a world-wide market of job seekers to short-burst opportunities through "adverstising" in the corp space? (consumer works too, but let's play w/corp scenarios for now) This is nearly the "long tail" of job opportunities issue. Imagine all the short-burst work opportunities in your day job. What's interesting is this model is happening on SecondLife, with real people and real exchange of money. Imagine the world of pooled resources, available 24x7. Imagine the world of editors, coders, great thinkers …. etc. Imagine how many former dot-Com'ers that would love to lend short-burst help. Imagine all the great professors of the world you can suddenly involve when you can virtualize your work items and collaborate with a simple platform.
Situation
Opportunity
Recommendation From a mental model, think of it as a highly relevant "match" service for short-burst work opportunities and resource pools.
Corporate Scenarios Imagine live services to connect your short-burst work items to:
Home Scenarios
Why is this feasible? It's happening on SecondLife. Folks around their world are selling their services (scripting, image consulting, music dj …. You name it) It's happening because the barrier to entry is low:
To sell your services/skills:
To consume the services/skills:
There's reasons why existing services like this haven't taken off. Connecting the consumer/provider to the "long tail" of the short-burst opportunities is a relevancy algorithm issue and a platform hurdle (services platform with good consumption/provider models). Your engine can help folks find the short-burst services they need. And when the relevancy is beyond organic search, you broker a "concierge" type service (Live Concierge) to connect a consumer to a provider … or a provider to a consumer. It's a game changer. How to make it happen?
Imagine you the user wants to connect to "live" help. Think (Google (relevancy) + Monster (labor pool) + Temp Agencies (labor pool and short-burst work) + (plug in your favorite Web 2.0 model)
I use scenarios all the time for anything from designing a user experience to evaluating architecture. Scenario is an overloaded term though. There are lots of types of scenario tools. If you know the types of scenario tools, you can use the right one for the job. For example, exception scenarios are useful for assessing robustness. Misuse cases are helpful for figuring out potential threats and attacks.
In the book Scenarios, Stories, Use Cases: Through the Systems Development Life-Cycle , Ian F. Alexander and Neil Maiden write about the types of scenarios and when to use them in software development.
Here is a brief explanation of each: