J.D. Meier's Blog

Software Engineering, Project Management, and Effectiveness

  • J.D. Meier's Blog

    Effectiveness Post Roundup

    • 11 Comments

    At Microsoft, I regularly mentor some fellow softies.   It can be tough to navigate the waters, find your strengths, figure out worklife balance, and deal with the stresses of the job, all while making things happen.  I help my mentees learn  the most effective ways for getting results in a tough, competitive environment.  It's challenging.  It's rewarding.  I've had several great mentors throughout my life at Microsoft, so mentoring is a way that I give back, sharing my lessons learned and helping others grow.  While my 1:1 sessions are the most effective, I try to share key practices more broadly in posts.  Here's a roundup of my various posts for improving effectiveness at work and life.  I organized them by meaningful buckets and provided an A-Z list at the end.  Enjoy.

    Career
    Learn how to find your path and get more from your career.  Work with the right people on the right things making the right impact.  These posts focus on career and worklife balance:

    Communication
    Communication is among the most important skills for getting results in work and life.  Empathic listening is the most important communication skills.  Improve the quality of your communication, and improve the quality of your life.  These posts focus on communication skills:

    Email
    Don't be a slave to your mail.  With the right approach, you can spend less time in your inbox and enjoy an empty inbox on a regular basis.  These posts focus on email management:

    Intellectual Horsepower
    Thinking is asking and answering questions.  Learn ways to improve your thinking through question-driven techniques and changing perspectives:

    Leadership
    Leadership is influence.  Amplify your results by improving your sphere of influence.  Leadership starts with self-leadership.  These posts focus on leadership skills: 

    Learning
    Learning is a life-long process.  Adopt practices that help you grow.  These posts focus on improving your learning:

    Motivation
    Motivation is your energy or desire to make something happen.  It's also the energy or desire for others to make something happen.  Learn how to improve your own passion for results as well as how to influence and motivate those around you.  These posts focus on motivation:

    Personal Development
    Personal excellence is a path, not a destination.  In life you're either climbing or sliding.  One key is to find ways to climb faster than you slide.  Another key is balancing your multiple demands and growing in your mind, body, career, emotions, financial, relationships and fun.  These posts focus on personal development: 

    Personal Productivity
    Make stuff happen.  Drive or be driven.  With the right approaches, you can carve out time for what's important and prioritize more effectively.  This is the key to getting results.  These posts focus on personal productivity:

    Project Management
    If you need to get something done, make it a project.   Whether it's a small-scale, personal project or a large, team-based project, there's patterns and practices you can use to be more successful.  These posts focus on project management:

    Teamwork
    Effective teamwork is a key skill in today's workplace.  Learn how to get more done with your colleagues.  These posts focus on improving your teamwork:

    Time Management
    You can't add more hours to the day, but you can spend your time more effectively.  You can also add more power hours to your day.  These posts focus on time management:

    Questions
    Questions are a powerful way to shape your thinking and mindset.  Ask better questions and get better answers.  These posts focus on asking and answering better questions:

    A-Z
    Here's the posts organized in a flat A - Z list for easy scanning:

    Sources of Insight
    If that's not enough for you, check out my project blog: Sources of Insight.  Sources of Insight is a browsable KB of insights and actions for work and life.  It's where I share my lessons learned from books, heroes and quotes.  You can read more about the mission and vision in the About page.

  • J.D. Meier's Blog

    Agile Architecture Method

    • 11 Comments
    AgileArchitecture

    I presented our new patterns & practices Agile Architecture Method for the first time at the patterns & practices Summit.   Our Agile Architecture Method is an iterative and incremental approach for designing architectures. 

    To summarize, it’s a technique that:

    • Scopes and focuses your architecture exercise.
    • Uses scenarios to drive the design and evaluate potential solutions.
    • Helps you think through your choice of application type, deployment, architectural style and technologies.
    • Helps you quickly iterate through potential solutions.
    • Helps you map potential patterns.

    I’ve summarized the approach below, and we’ve posted a step-step how to on CodePlex:

    Input
    Here’s the key input into the process:

    • Use cases and usage scenarios
    • Functional requirements
    • Non-functional requirements (quality attributes such as performance, security, and reliability)
    • Technological requirements
    • Target deployment environment
    • Constraints

    Output
    Here’s the key output of the process:

    • Architecturally significant use cases
    • Architecture hot spots
    • Candidate architectures
    • Architectural spikes

    Summary of Steps

    • Step 1. Identify Architecture Objectives.
    • Step 2. Identify Key Scenarios.
    • Step 3. Create an Application Overview.
    • Step 4. Analyze Key Hot Spots.
    • Step 5. Create Candidate Solutions.

    Step 1. Identify Architecture Objectives
    This is a scoping exercise.  The purpose of this step is to figure out how much time and energy to spend on subsequent steps as well as guide your overall effort.   You should know what you want in terms of outcomes.  Here’s an example of potential goals:

    • Build a prototype
    • Identify key technical risks
    • Test potential paths
    • Share models and understanding

    Step 2. Identify Key Scenarios
    Identify relevant scenarios to focus your design on what matters most, and to evaluate your candidate solutions.    In this case, you want to identify architecturally significant use cases.  Architecturally significant use cases are those that meet the following criteria:

    1. They are important for the success and acceptance of the deployed application.
    2. They exercise enough of the design to be useful in evaluating the architecture.

    You can draw key scenarios from your user stories, business stories and system stories.

    Step 3. Create an Application Overview
    Create an application overview.  The application overview serves to make your architecture more real, connecting it to real-world constraints and decisions. 

    WhiteboardingYourDesign

    An application overview consists of the following steps:

    • Determine your application type. First, determine what type of application you are building. Is it a mobile application, a rich client, a rich internet application, a service, a Web application, or some combination?
    • Understand your deployment constraints. Next, understand your targeted deployment environment and determine what impact this will have on your architecture.
    • Identify important architectural styles. Determine which architectural styles you will be using in your design. Will you build a service oriented architecture, client/server, layered, a message bus, or some combination?
    • Determine relevant technologies. Finally, identify the relevant technology choices based on your application type, architectural styles and deployment constraints.

    A good test of an application overview is whether you can whiteboard it.

    Step 4. Analyze Key Hot Spots
    Identify key hotspots based on quality attributes and the architecture frame. These are the areas where mistakes are most often made when designing an application.

    Quality Attributes Frame
    Understand the quality attributes that are important for your application and scenarios. For instance, most applications need to address security and performance and will be traded against usability, flexibility and other attributes that may be more or less important to you depending on your scenarios and requirements.  You can use the following frame to identify key quality attributes to consider:

    Category Considerations
    Availability
  • How to design for failover support
  • How to design a redundant site
  • How to plan for backup and recovery How to design for runtime upgrades
  • Conceptual Integrity
  • How to isolate from external dependencies
  • How to create a migration path from legacy technologies
  • How evolve the system without breaking clients
  • Flexibility
  • How to handle dynamic business rules How to handle dynamic UI
  • How to handle changes in data and logic processing
  • How to handle changes in business requirements
  • Interoperability
  • How to allow applications to interoperate while still evolving separately
  • How to isolate systems through the use of service interfaces
  • How to isolate systems through the use of mapping layers
  • Maintainability
  • How to reduce dependencies between layers and components
  • How to implement a pluggable architecture
  • How to choose an appropriate communication model
  • Manageability
  • How to understand the key types of failure
  • How to monitor system operation and health
  • How to modify system behavior based on load
  • Performance
  • How to determine a caching strategy
  • How to design high performance communication between layers
  • How to design high performance data access
  • How to manage resources effectively
  • Reliability
  • How to handle unreliable external systems
  • How to audit requests and jobs
  • How to redirect load
  • How to handle failed communication
  • How to handle failed transactions
  • How to handle exceptions
  • Reusability
  • How to reduce duplication between components and layers
  • How to share functionality across systems
  • How to share functionality across components and layers
  • Scalability
  • How to design layers and tiers for scalability
  • How to scale-up or scale-out
  • How to handle spikes in traffic and load
  • Security
  • How to address authentication and authorization.
  • How to protect against malicious input.
  • How to protect sensitive data
  • Supportability
  • How to design auditing and logging
  • How to design usable error messages
  • Testability
  • How to design for testability
  • How to design unit tests
  • How to design for UI automation
  • Usability
  • How to design for user empowerment
  • How to improve responsiveness
  • How to avoid common user experience pitfalls
  • Architecture Frame
    The architecture frame represents cross cutting concerns that will impact your design across layers and tiers. These are also the areas in which high impact design mistakes are most often made. Use the architecture frame to identify hot spots in your design that require additional attention to get right.  You can use the following architecture frame to identify cross cutting concerns in your design:

    Category Considerations
    Authentication and Authorization
  • How to choose an authentication strategy.
  • How to choose an authorization strategy.
  • How to flow identity across layers and tiers.
  • How to store user identities when not using Active Directory.
  • Caching and State
  • How to choose an appropriate caching technology.
  • How to determine what data to cache.
  • How to determine where to cache the data.
  • How to determine the expiration policy.
  • Communication
  • How to choose appropriate protocols for communication across layers and tiers.
  • How to design loose coupling across layers.
  • How to perform asynchronous communication.
  • How to pass sensitive data.
  • Composition
  • How to choose a composition pattern for the user interface (UI).
  • How to avoid dependencies between modules in the UI.
  • How to handle communication between modules in the UI.
  • Concurrency and Transactions
  • How to handle concurrency between threads.
  • How to choose between optimistic and pessimistic concurrency.
  • How to handle distributed transactions.
  • How to handle long running transactions.
  • Configuration Management
  • How to determine what information needs to be configurable.
  • How to determine where and how to store configuration information.
  • How to protect sensitive configuration information.
  • How to handle configuration information in a farm/cluster.
  • Coupling and Cohesion
  • How to choose an appropriate layering strategy for separation of concerns.
  • How to design highly cohesive components and group them within layers.
  • How to determine when loose coupling is appropriate between components within a layer.
  • Data Access
  • How to manage database connections.
  • How to handle exceptions.
  • How to improve performance.
  • How to handle binary large objects (blobs).
  • Exception Management
  • How to handle exceptions.
  • How to log exceptions.
  • How to provide notification when required.
  • Logging and Instrumentation
  • How to determine which information to log.
  • How to make the logging configurable.
  • How to determine what level of instrumentation is required.
  • User Experience
  • How to improve task efficiency and effectiveness.
  • How to improve responsiveness.
  • How to improve user empowerment.
  • How to improve look and feel. </>
  • Validation
  • How to determine where and how to perform validation.
  • How to validate for length, range, format, and type.
  • How to constrain and reject input.
  • How to sanitize output.
  • Workflow
  • How to choose the appropriate workflow technology.
  • How to handle concurrency issues within a workflow.
  • How to handle task failure within a workflow.
  • How to orchestrate processes within a workflow.
  • Step 5. Create Candidate Solutions
    Create a candidate architecture and along with architectural spikes and evaluate it against your key scenarios, hot spots, and deployment constraints.  The outcomes of this step are:

    • Baseline / Candidate Architectures
    • Architectural Spikes

    Iterative and Incremental Design
    You can iteratively flesh out your architecture as you work through your design and discover more details that impact your architecture.  You don’t have to design your architecture in a single iteration. Do not get lost in the details; focus on the big steps and build a framework on which you can base your architecture and design.

    My Related Posts

  • New Release: patterns & practices App Arch Guide 2.0 Beta 1
  • patterns & practices App Arch Guide 2.0 Project
  • App Arch Guide 2.0 Overview Slides
  • Abstract for Application Architecture Guide 2.0
  • App Arch Meta-Frame
  • App Types
  • Architecture Frame
  • App Arch Guidelines
  • Layers and Components
  • Key Software Trends
  • Cheat Sheet: patterns & practices Catalog at a Glance Posted to CodePlex
  • Cheat Sheet: patterns & practices Pattern Catalog Posted to CodePlex

  • J.D. Meier's Blog

    Layers and Components

    • 11 Comments

    In my previous post, I summarized layers and tiers.  In this post, I'll walk through the key components of the layers.  This exercise is part of our patterns & practices App Arch Guide 2.0 project.

    Layers and Components
    Here's a visual of a layered architecture and relevant components:

    LayeredArch

    Note that this is just an example of common components and layers.  Your scenarios may vary.

    Presentation Layer Components
    Here's typical presentation layer components:

    • User interface (UI) components. Your user interface components (controls) provide a way for users to interact with your application. They render and format data for users and acquire and validate data coming in from them.
    • User process components. Your user process components help synchronize and orchestrate user interactions. This way the process flow and state management logic is not hard-coded in the user interface elements themselves, and the same basic user interaction patterns can be reused by multiple user interfaces.

    Business Layer Components
    Here's typical business layer components:

    • Application Facade. (Optional).  Your application facade maps your business logic to your application.  It's optional and it depends on how reusable and generic your business logic is.  If your business logic was written specifically for your application, then you probably don't need an application facade.
    • Business components. Your business components implement business rules and perform business tasks.
    • Business workflows. Your business workflows define and coordinate long-running, multi-step business processes.  They can be implemented using business process management tools.
    • Business entity components. Your business entity components represent actual business entities (for example products or orders.)  You use them to pass data between components.  They're usually data structures (such as DataSets, DataReaders, or XML streams), but they can also be implemented using custom object-oriented classes.

    Data Layer Components
    Here's typical data layer components:

    • Data access logic components. Data access components abstract the logic necessary to access. Doing so centralizes data access functionality and makes it easier to configure and maintain.
    • Data Helpers / Utilities.   
    • Service agents. Your service agents help you call external services.  They do so by mapping the format of the data exposed by the service to the format your application uses, as well as help manage the semantics of calling the services.

    Cross-Cutting

    • Cross-cutting components.  This includes components  components to perform exception management, to authorize users to perform certain tasks, and to communicate with other services and applications.

    Feedback
    Does this match what you see in practice?

    Additional Resources
    Here's some relevant links:

    My Related Posts

  • J.D. Meier's Blog

    Getting Results the Agile Way - The Book on Getting Results

    • 11 Comments

    GettingResults2

    “Are you getting results? …”

    Over Christmas break, I committed to finishing the writing for a book that I expect to change a lot of people's lives.  It's my first non-technical book.  The working title is, Getting Results the Agile Way.  It's all about getting results in work and life.  It's the playbook I wish somebody had given me long ago for finding work/life balance, managing time, playing to my strengths, and making the most of what I've got.

    Why Getting Results
    The world is a tough place.  Between layoffs, the economy, and simply the unknown, a lot of people are having a really tough time in their lives.  There are constantly new challenges at a pace that's tough to keep up.  Worse, I don't think you learn a lot of these skills in school or on the job, except through the school of hard knocks.

    This is my playbook for you.  For more than 10 years at Microsoft I've tested and evaluated ways to get results.  I've had to find things that not only work for me, but that could work for the people I mentor inside and outside the company, as well as for large teams around the world.  I'm a big believer that everybody can get great results if they have the right know-how.

    What Sorts of Problems Does It Tackle
    The book is a system and a playbook for some of these common challenges:

    • How to find work / life balance
    • How to shift from tasks and activities to meaningful results and outcomes
    • How to use stories and scenario-driven results to carve out value in your life
    • How to overwhelm your challenges with fierce results
    • How to defeat perfectionism
    • How to avoid analysis paralysis and take action a simple story at a time
    • How to find your flow state for more engaging work
    • How to find your passion and purpose
    • How to play to your strengths for more energy and better results
    • How to conquer fear and avoid learned helplessness
    • How to motivate yourself in ways that make you feel you can move mountains
    • How to focus on what really counts
    • How to prioritize more effectively
    • How to create more value for yourself and others
    • How to spend more time on what you want, and less time on what you don’t

    It helps with a lot of things because mostly it gets you spending the right time, on the right things, with the right energy, the right way.  This is the key to your best results.

    My Story
    When I first joined Microsoft, it was sink or swim.  I saw a lot of people fail.  Among the chaos, I also saw many people thrive.  I wanted to know their secrets.  I started with people on my team, but the next thing you know I was studying success patterns around the company.  If somebody was known for getting results, I hunted them down and studied their ways.

    I learned so many simple things that actually worked.  For example, instead of managing time, the real key is managing your energy.  I'd rather have four power hours, than a week of just going through the motions.  The secret of work life balance is setting up your own artificial boundaries, whether it's "dinner on the table at 5:30" or "no work on the weekends."  Finding your passion can be as simple as connecting to your values.  For example, I use metaphors to make my project an epic adventure and I have the team create the movie poster of what great results will look like.  How's that for wanting to show up and give your best every day knowing you're working on blockbuster results?

    What is Agile Results?
    You'll hear me talk about Agile Results quite a bit.  It's the name I gave the system  that serves as the foundation for the Getting Results guide.  Agile is all about responding to change.  It's agility in action.  It's all about making progress while the world changes under your feet.

    My Agile Results system borrows the best principles, patterns, and practices across a variety of disciplines from sports, positive psychology, personal productivity, Agile development, Scrum, project management, time management, leadership skills, and strengths-based development.  It's more than a mash up -- I've tested and honed the system to work for individuals and teams while refining it over years of deliberate practice.  To me, great results for the team, always starts with unleashing an individual’s best.  Having fun is contagious and getting results spreads like a wild fire.

    Agile Results in a Nutshell
    Here is the Agile Results system at a glance:

    • The Rule of 3 – You can apply the Rule of 3 to work and life to avoid overwhelming yourself while carving out  value, a day at a time, a story at a time.  See The Rule of 3.
    • Monday Vision, Daily Outcomes, and Friday Reflection – This is a simple weekly pattern for results.  On Mondays figure out your 3 compelling results for the week.  Each day, figure out your 3 best results for the day.  On Fridays, identify 3 things going well, and 3 things to improve.  See Monday Vision, Daily Outcomes, and Friday Reflection.
    • Hot Spots -  This is your heat map.  Hot Spots are a simple lens to look at your life as a portfolio you invest in: mind, body, emotions, career, financial, relationships, and fun.  It’s under-investing or over-investing in these areas that can get in the way of great results.  See Hot Spots.

    How to Get Started
    Getting started is really easy.  If you write down 3 results you want for today, you're doing Agile Results.  Is there more to it? … Sure, but take it at your own pace.  Here’s a one-page guide for getting started with Agile Results.

    How To Follow Along for the Ride
    You can read Getting Results for free online in HTML.  I’ll continue to shape the guide over the next several weeks based on feedback.  I’ll also be making March a focus on getting results so if you’ve been looking for a jumpstart for your life, this is a great month to make it happen.   I’ll be sharing nuggets for getting results at my effectiveness blog, Sources of Insight.

    If you're not getting the results you want in your life, you just need the skills.  Use my guide to stuff your bag of tricks with some new tools that will change your game and help you unleash your best.

  • J.D. Meier's Blog

    Using Live.com for RSS

    • 11 Comments

    Here's a quick set of steps for using Live.com (http://www.Live.com) as your RSS reader.  What I like about it is that I can log in to it from anywhere.  What I like most is that I can create multiple pages to organize my feeds.  This let's me focus my information.

    Here's the steps for creating pages and adding feeds to them: (you need to login to Live.com for these options)

    Adding a New Page

    1. Click Add Page.
    2. Click the drop-down arrow next to the new page you just created.
    3. Click Rename and type the name of your page (for example VS.NET)

    Adding Feeds

    1. Click Add stuff (upper left)
    2. Click Advanced options
    3. Put the path to the RSS feed you want (for example, http://blogs.msdn.com/jmeier/rss.xml), next to the Subscribe button.
    4. Click subscribe.  This will add the feed to your page.
    5. Either add more feeds or click Add stuff again (upper left) to close the options.

    Tip - If I need to search for a feed, I use a separate browser, do my search, and then paste the path next to the Subscribe button.  I don't like the Search for feeds option because I lose my context.

    I like Live.com for my Web-based RSS reading experience.  I use JetBrains Omea Pro for my desktop experience, where I do my heavy processing.  I think of this like my Outlook Web Access and Outlook desktop experiences.  My Web experience is optimized for reach; my desktop experience is optimized for rich.

  • J.D. Meier's Blog

    New Release: patterns & practices Team Development with Team Foundation Server Guide

    • 11 Comments

    Today we release the final version of our patterns & practices: Team Development with Visual Studio Team Foundation Server.  It's our Microsoft playbook for Team Foundation Server.  It shows you how to make the most of the Team Foundation Server.  It's a compendium of proven practices, product team recommendations, and insights from the field.

    Key Changes Since Beta 1

    • We added guidelines for build, project management and reporting.
    • We added practices at a glance for build, project management, and reporting.
    • We added a chapter to summarize key Visual Studio 2008 changes.
    • We revamped our Internet access strategies.
    • We did a full sweep of the guide.
    • We completed more thorough product team reviews for key chapters.

    Contents at a Glance

    • Part I, Fundamentals
    • Part II, Source Control
    • Part III, Builds
    • Part IV, Large Project Considerations
    • Part V, Project Management
    • Part VI, Process Templates
    • Part VII, Reporting
    • Part VIII, Setting Up and Maintaining the Team Environment
    • Part IX, Visual Studio 2008 Team Foundation Server


    Chapters

    • Ch 01 – Introducing the Team Environment
    • Ch 02 – Team Foundation Server Architecture
    • Ch 03 – Structuring Projects and Solutions in Source Control
    • Ch 04 – Structuring Projects and Solutions in Team Foundation Source Control
    • Ch 05 – Defining Your Branching and Merging Strategy
    • Ch 06 – Managing Source Control Dependencies in Visual Studio Team System
    • Ch 07 – Team Build Explained
    • Ch 08 – Setting Up Continuous Integration with Team Build
    • Ch 09 – Setting Up Scheduled Builds with Team Build
    • Ch 10 – Large Project Considerations
    • Ch 11 – Project Management Explained
    • Ch 12 – Work Items Explained
    • Ch 13 – Process Templates Explained
    • Ch 14 – MSF for Agile Software Development Projects
    • Ch 15 – Reporting Explained
    • Ch 16 – Installation and Deployment
    • Ch 17 – Providing Internet Access to Team Foundation Server
    • Ch 18 – What’s New in Visual Studio 2008 Team Foundation Server

    Our Team

    Contributors and Reviewers

    • External Contributors / Reviewers: David P. Romig, Sr; Dennis Rea; Eugene Zakhareyev; Leon Langleyben; Martin Woodward; Michael Rummier; Miguel Mendoza; Mike Fourie; Quang Tran; Sarit Tamir; Tushar More; Vaughn Hughes
    • Microsoft Contributors / Reviewers:  Aaron Hallberg; Ahmed Salijee; Ajay Sudan; Ajoy Krishnamoorthy; Alan Ridlehoover; Alik Levin; Ameya Bhatawdekar; Bijan Javidi; Bill Essary; Brett Keown; Brian Harry; Brian Keller; Brian Moore; Buck Hodges; Burt Harris; Conor Morrison; David Caufield; David Lemphers; Doug Neumann; Edward Jezierski; Eric Blanchet; Eric Charran; Graham Barry; Gregg Boer; Grigori Melnik; Janet Williams Hepler; Jeff Beehler; Jose Parra; Julie MacAller; Ken Perilman; Lenny Fenster; Marc Kuperstein; Mario Rodriguez; Matthew Mitrik; Michael Puleio; Nobuyuki Akama; Paul Goring; Pete Coupland; Peter Provost; Granville (Randy) Miller; Rob Caron; Robert Horvick; Rohit Sharma; Ryley Taketa; Sajee Mathew; Siddharth Bhatia; Tom Hollander; Tom Marsh; Venky Veeraraghavan

    My Related Posts

  • J.D. Meier's Blog

    The Better Adapted You Are, the Less Adaptable You Tend To Be

    • 10 Comments

    I was skimming The Secrets of Consulting and I came across this nugget: 

    “...Many years ago, Sir Ronald Fisher noted that every biological system had to face the problem of present versus future, and that the future was always less certain than the present. To survive, a species had to do well today, but not so well that it didn’t allow for possible change tomorrow. His Fundamental Theorem of Natural Selection said that the more adapted an organism was to present conditions, the less adaptable it tended to be to unknown future conditions. We can apply the theorem to individuals, small groups of people, large organizations, organizations of people and machines, and even complex systems of machinery, and can generalize it as follows: The better adapted you are, the less adaptable you tend to be...”
    Source: Gerald M. Weinberg, The Secrets of Consulting (New York, Dorset House Publishing, 1985) pp 29-30

    Along the same lines, I was scanning Lean Software Engineering and came across this nugget:

    "... When it comes to large-scale, creative engineering, the right processes for all the various teams in an organization depends on both people and situation — both of which are constantly changing. You can’t just adopt a particular process and be done with it.  So really the only “bad process” is one that doesn’t provide framework to reflect and permission to adapt..."
    Source: Avoid Dogma When Herding Cats

    This reminded me of a quote from Hereclitus - "Nothing endures but change."

    I'm a fan of adaptability and continuous improvement.  I think adaptability is a key ingredient for effectiveness.  I always reflect on and test how adaptable is my mindset? ... my approach? ... my tools? ... my teams? ... my organization? ... my company? ... etc.

  • J.D. Meier's Blog

    patterns & practices WCF 3.5 Security Guidelines Now Available

    • 10 Comments

    For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines.  Each guideline is a nugget of what to do, why, and how.  The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.

    The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful.  The upside is that customers find the guidelines help them cut through a lot of information and take action.  We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.

    Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.

    Categories
    Our WCF Security guidelines are organized using the following buckets:

    • Auditing and Logging
    • Authentication
    • Authorization
    • Binding
    • Configuration Management
    • Exception Management
    • Hosting
    • Impersonation and Delegation
    • Input/Data Validation
    • Proxy Considerations
    • Deployment considerations 

    Auditing and Logging

    • Use WCF auditing to audit your service
    • If non-repudiation is important, consider setting SuppressAuditFailure property to false
    • Use message logging to log operations on your service
    • Instrument for user management events
    • Instrument for significant business operations
    • Protect log files from unauthorized access
    • Do not log sensitive information

    Authentication

    • Know your authentication options
    • Use Windows Authentication when you can
    • If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
    • If your users are in AD, but you can’t use windows authentication, consider using username authentication
    • If your clients have certificates, consider using client certificate authentication
    • If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
    • If your users are in a custom store, consider using username authentication with a custom validator
    • If your users are in a SQL membership store, use the SQL Membership Provider
    • If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
    • If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
    • If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
    • If you are using username authentication, validate user login information
    • Do not store passwords directly in the user store
    • Enforce strong passwords
    • Protect access to your credential store
    • If you are using Windows Forms to connect to WCF, do not cache credentials

    Authorization

    • If you use ASP.NET roles, use the ASP.NET Role Provider
    • If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
    • If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
    • If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
    • If you need to authorize access to WCF operations, use declarative authorization
    • If you need to perform fine-grained authorization based on business logic, use imperative authorization

    Binding

    • If you need to support clients over the internet, consider using wsHttpBinding.
    • If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
    • If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
    • If you need to support local WCF clients, consider using netNamedPipeBinding.
    • If you need to support disconnected queued calls, use netMsmqBinding.
    • If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

    Configuration Management

    • Use Replay detection to protect against message replay attacks
    • If you host your service in a Windows service, expose a metadata exchange (mex) binding
    • If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
    • Manage bindings and endpoints in config not code
    • Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
    • Encrypt configuration sections that contain sensitive data

    Exception Management

    • Use structured exception handling
    • Do not divulge exception details to clients in production
    • Use a fault contract to return error information to clients
    • Use a global exception handler to catch unhandled exceptions

    Hosting

    • If you are hosting your service in a Windows Service, use a least privileged custom domain account
    • If you are hosting your service in IIS, use a least privileged service account
    • Use IIS to host your service unless you need to use a transport that IIS does not support

    Impersonation and Delegation

    • Know the impersonation options
    • If you have to flow the original caller, use constrained delegation
    • Consider LogonUser when you need to impersonate but you don’t have trusted delegation
    • Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
    • Use programmatic impersonation to impersonate based on business logic
    • When impersonating programmatically be sure to revert to original context
    • Only impersonate on operations that require it
    • Use OperationBehavior to impersonate declaratively

    Input/Data Validation

    • If you need to validate parameters, use parameter inspectors
    • If your service has operations that accept message or data contracts, use schemas to validate your messages
    • If you need to do schema validation, use message inspectors
    • Validate operation parameters for length, range, format and type
    • Validate parameter input on the server
    • Validate service responses on the client
    • Do not rely on client-side validation
    • Avoid user-supplied file name and path input
    • Do not echo untrusted input

    Proxy Considerations

    • Publish your metadata over HTTPS to protect your clients from proxy spoofing
    • If you turn off mutual authentication, be aware of service spoofing

    Deployment considerations

    • Do not use temporary certificates in production
    • If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
    • If you are using a custom service account and need to use trusted for delegation, create an SPN
    • If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
    • Use IIS to host your service unless you need to use a transport that IIS does not support
    • Use a least privileged account to run your WCF service
    • Protect sensitive data in your configuration files

    My Related Posts

  • J.D. Meier's Blog

    New Release: Guidance Explorer is Now on MSDN

    • 10 Comments

    This is a significant release for Guidance Explorer (GE).  Our online "guidance store" is now hosted on MSDN.  To take advantage of this, you need to download the new version of Guidance Explorer (release 20071206)

    What Is the Guidance Store
    Our guidance store is a catalog of reusable guidance nuggets for helping you build applications.  The catalog is organized by the following:

    • Types (e.g. principles, patterns, practices, guidelines, checklists, how tos, Q&A, app scenarios, code examples ... etc.)
    • Topics (e.g. security, performance., project management, reporting, build, ... etc.)
    • Technologies (e.g. .NET Framework, ADO.NET, ASP.NET, XML, SQL Server, Visual Studio Team System, Web Services ... etc.)
    • Techniques (e.g. security inspection, performance inspection, threat modeling, performance testing ... etc.)

    At a high-level, you can think of the catalog as a collection of application scenarios, "building codes" and engineering practices.

    What is Guidance Explorer
    Guidance Explorer is a smart client application that talks to the Guidance Store over a Web service.  You can use GE to create, organize and share your favorite guidance nuggets.

    Key Usage Scenarios
    The key usage scenarios are:

    • Find relevant patterns & practices guidance.
    • Build customized checklists for your development scenarios.
    • Build customized guidelines for your development scenarios.
    • You can build custom sets of guidance and share with your team as recommended practice.

    To put it another way, you can use GE to slice and dice the patterns & practices catalog, tailor the guidance, or build your own guidance. 

    What's New in the Latest Release
    What you can expect in Guidance Explorer version 20071206:

    • MSDN now hosts the guidance store (the guidance catalog is now hosted in MSDN labs)
    • Improved catalog of guidance (it's more than 3,000 nuggets)
    • Improved general usability, reliability, performance, and security
    • Improved view structures in My Views and the patterns & practices Library
    • Improved authoring/editing experience (tweaked the UI to feel better, improved reliability, fixed copy+paste from Word and added image support)
    • Improved pushing down guidance types (if we do a new guidance type, you’ll get it now)
    • Improved pushing down new views (if we change our views, you’ll get them)
    • Improved deploying guidance stores (if you are a hosting your own guidance store, you can deploy it more reliably)

    How's that for guidance as a service?  (Personally, I think the next step is relevant guidance feeds for guidance mash up scenarios.)

    Getting Started

    1. Download Guidance Explorer.
    2. Unzip to a directory.
    3. Run the .EXE file from the \bin file.

    When you run GE the first time, let it synch for about 10 minutes.  It's downloading more than 3,000 items from our catalog.

    Test Driving Guidance Explorer
    Here's a few of the first things to try

    1. Build your own playlist of guidance (create a new view under My Views and then drag your favorite guidance nuggets into it.)
    2. Build your own guide on the fly (create a view of your favorite nuggets and save the view to a Word doc.)
    3. Tailor an existing guidance nugget (double-click an item, click Edit, make your modifications then save to My Library.)
    4. Write your own guidance (right-click My Library and add a new Item.)
    5. Create a new focused library (right-click Libraries, click New Library, name your library then add some new items.)

    Key Links

  • J.D. Meier's Blog

    New Video: How To - Personalize Team System Guidance with Guidance Explorer

    • 10 Comments

    If you are a hunter and gatherer of guidance, you'll want Guidance Explorer.  Watch Video: How To - Personalize Team System Guidance with Guidance Explorer to see how you can use Guidance Explorer to build a custom collection of guidance from our Visual Studio Team System Guidance project.  If you haven't used Guidance Explorer before, or it's been a while, you're in for a surprise.  Seriously.

    Guidance Explorer is a free tool to help you browse, find, organize, or even create your own guidance. When you launch Guidance Explorer, it synchronizes with our online store.  For example, today's additions include a number of brand new Team System guidance items:

    My favorite Guidance Explorer features include:

    • Create collections of your favorite guidance (custom views)
    • Browse by checklists, code examples, how tos, guidelines (view by type)
    • Filter for just security, performance or Team System (Filter by technology, topic or category)
    • Share guidance among your teams (UNC share scenario)
    • Build a customized guide or whitepaper on the fly with exactly the parts you want (Save to Word, HTML or XML)
    • Create new guidance libraries and write your own personal guidance or checklists.

    Keep in mind that Guidance Explorer is actually a diamond in the rough.  It has its flaws, but it also has unique powers.  For example, I could use Guidance Explorer to inform you of brand new, emerging security practices.  I could also flag the top performance issues using the priority field.  Imagine the alternative of hunting through a whitepaper or article, instead of organized collections and lists of actionable, guidance nuggets.

    I know consultants that literally save themselves many hours per week by using Guidance Explorer as a personal knowledge base and for tailoring guidance for customers.  I also know of customers using Guidance Explorer as a light-weight and effective way to share guidance among their development teams.  It's actually the type of tool where customers surprise me what they use it for.

    While Guidance Explorer has nearly 1100 guidance nuggets at last count (across security, performance and .NET 1.1. and 2.0), you can quickly shrink the haystacks to find the needle that you need (Ed and I call this our Shrinking Haystack pattern).  You can also discover relationships among the guidance, because related items are linked.  Don't take my word for it though, test drive it for yourself.  Did I mention it's free?  Oh yeah, I should also mention it comes with source, so shape it to your heart's content.

    Go ahead and watch Video: How To - Personalize Team System Guidance with Guidance Explorer and then download Guidance Explorer.  If you do use Guidance Explorer and you have a story you'd like to share, please leave a comment in this post. 

  • J.D. Meier's Blog

    Architecture Frame

    • 10 Comments

    As part of our patterns & practices App Arch Guide 2.0 project, we've put together an arch frame.  The arch frame is simply a collection of hot spots.  These aren't just any hot spot though.  These hot spots represent key engineering decisions, anti-patterns, and opportunities for improved designs for more effective technical architectures.  This Arch Frame is part of the larger App Arch Meta Frame.  Think of it as an important branch off the main tree.  It serves as a lens to cut through a lot of information to get to the most meaningful and actionable guidance.

    Categories
    The following categories are the "hot spots" in the architecture frame:

    • Authentication and Authorization
    • Caching and State
    • Communication
    • Composition
    • Concurrency and Transactions
    • Configuration Management
    • Coupling and Cohesion
    • Data Access
    • Exception Management
    • Logging and Instrumentation
    • User Experience
    • Validation
    • Workflow

    What you might notice about the hot spots is that they map to common cross-cutting concerns when building applications.  You also might notice that the hot spots map to various patterns & practices solution assets.  For example, Enterprise Library includes blocks for caching, data access, exception management, logging, validation ... etc.  The categories also map to very actionable decisions where you there's relevant principles, patterns, and practices.  These buckets also contain many anti-patterns.  The worst anti-patterns are the "do overs."  Nobody wants a "do over" architecture.

    Key Engineering Decisions
    This table summarizes the key engineering decisions within each hot spot:

    Category Key Engineering Decisions
    Authentication and Authorization
  • How to store user identities.
  • How to authenticate callers.
  • How to authorize callers.
  • How to flow identity across layers and tiers.
  • Caching and State
  • How to choose effective caching strategies.
  • How to improve performance with caching.
  • How to improve security with caching.
  • How to improve availability with caching.
  • How to keep the cached data up to date.
  • How to determine when and why to use a custom cache.
  • How to determine what data to cache.
  • How to determine where to cache the data.
  • How to determine the expiration policy and scavenging mechanism.
  • How to load the cache data.
  • How to monitor a cache.
  • How to synchronize caches across a farm.
  • How to determine which caching technique provides the best performance and scalability for a specific scenario and configuration.
  • How to determine which caching technology complies with the application's requirements for security, monitoring, and management.
  • Communication
  • How to communicate between layers / tiers.
  • How to perform asynchronous communication.
  • How to pass sensitive data.
  • Composition
  • How do design for composition.
  • How to design loose coupling between modules.
  • How to handle dependencies in a loosely coupled way.
  • Concurrency and Transactions
  • How to handle concurrency between threads.
  • How to choose between optimistic and pessimistic concurrency.
  • How to handle distributed transactions.
  • How to handle long running transactions.
  • How to determine appropriate transaction isolation levels.
  • How to determine when compensating transactions are required.
  • Configuration Management
  • How to determine which information needs to be configurable.
  • How to determine where and how to store configuration information.
  • How to handle sensitive information.
  • How to handle configuration information in a farm/cluster.
  • Coupling and Cohesion
  • How to separate concerns
  • How to structure the application.
  • How to choose an appropriate layering strategy.
  • How to establish boundaries.
  • Data Access
  • How to manage database connections.
  • How to handle exceptions.
  • How to improve performance.
  • How to improve manageability.
  • How to handle blobs.
  • How to page records.
  • How to perform transactions.
  • Exception Management
  • How to handle exceptions.
  • How to log exceptions.
  • Logging and Instrumentation
  • How to determine which information to log.
  • How to make the logging configurable
  • User Experience
  • How to improve task efficiency and effectiveness.
  • How to improve responsiveness.
  • How to improve user empowerment.
  • How to improve look and feel.
  • Validation
  • How to determine where and how to perform validation.
  • How to validate for length, range, format, and type.
  • How to constrain and reject input.
  • How to sanitize output.
  • Workflow
  • How to handle concurrency issues within a workflow
  • How to handle task failure within a workflow
  • How to orchestrate processes within a workflow
  •  

    Key Issues
    This table summarizes the key issues within each hot spot:

    Category Key Issues
    Authentication and Authorization
  • Clear text credentials in configuration files
  • Passing clear text credentials over the network
  • Over-privileged accounts
  • Long sessions
  • Mixing personalization with authentication
  • Reliance on a single gatekeeper
  • Failing to lock down system resources against application identities
  • Failing to limit database access to specified stored procedures
  • Inadequate separation of privileges
  • Caching and State
  • Cache misses.
  • Failure to expire items
  • Poor cache design
  • Lack of a cache synchronization mechanism for scaling out.
  • Communication
  • Increased network traffic and latency due to chatty calls between layers.
  • Inappropriate transport protocols and wire formats.
  • Large data volumes over limited bandwidth networks.
  • Composition Tightly coupled modules Duplication of code
    Concurrency and Transactions
  • Blocking calls
  • Nongranular locks
  • Misuing threads
  • Holding onto locks longer than necessary
  • Inappropriate isolation levels
  • Configuration Management
  • Insecure administration interfaces
  • Insecure configuration stores
  • Clear text configuration data
  • Too many administrators
  • Over-privileged process accounts and service accounts
  • Coupling and Cohesion
  • Limited scalability due to server and resource affinity.
  • Mixed presentation and business logic, which limits your options for scaling out your application.
  • Lifetime issues due to tight coupling.
  • Data Access
  • Per user authentication and authorization when not required.
  • Chatty calls to database
  • Intersperse of business logic
  • Exception Management
  • Leaving system / application in unstable state
  • Revealing sensitive information to end users.
  • Using exceptions for logic
  • Not logging enough details about the exception.
  • Logging and Instrumentation
  • Lack of logging and instrumentation
  • Too fine grained logging and instrumentation
  • Not making logging and instrumentation configurable option at runtime
  • Failure to log business critical functionality.
  • User Experience
  • Inefficient or ineffective task support.
  • Poor responsiveness.
  • Disempowered users.
  • Validation
  • Application-only filters for malicious input
  • Non-validated input in the Hypertext Markup Language (HTML) output stream
  • Non-validated input used to generate SQL queries
  • Reliance on client-side validation
  • Use of input file names, URLs, or user names for security decisions
  • Workflow
  • Tight coupling
  • Inflexible processes
  • Race and deadlock issues
  •  

    Key Guidelines
    This table summarizes the key guidelines within each hot spot:

    Category Key Guidelines
    Authentication and Authorization
  • Consider single-sign on requirements.
  • Separate public and restricted areas.
  • Use account lockout policies for end-user accounts.
  • Support password expiration periods.
  • Be able to disable accounts.
  • Do not store passwords in user stores.
  • Require strong passwords.
  • Do not send passwords over the wire in plaintext.
  • Protect authentication cookies.
  • Use multiple gatekeepers.
  • Restrict user access to system-level resources.
  • Consider authorization granularity.
  • Caching and State
  • Avoid caching per-user data.
  • Avoid caching volatile data which is required by the user to be accurate and updated in real time.
  • Cache data that does not change very frequently or is completely static.
  • Do not cache shared expensive resources.
  • Cache transformed data, keeping in mind the data use.
  • Evaluate stateful versus stateless design.
  • Consider your state store options.
  • Minimize session data.
  • Free session resources as soon as possible.
  • Avoid accessing session variables from business logic.
  • Communication
  • Choose the appropriate remote communication mechanism.
  • Design chunky interfaces.
  • Consider how to pass data between layers.
  • Minimize the amount of data sent across the wire.
  • Batch work to reduce calls over the network.
  • Reduce transitions across boundaries.
  • Consider asynchronous communication.
  • Consider message queuing.
  • Consider a "fire and forget" invocation model.
  • Cut call chains with queues and caches as much as possible. Doing so will enhance the scalability and availability of the overall solution.
  • Push out asynchronous boundaries close to the user, service interfaces, and service agents, to isolate your service from external dependencies.
  • If you need to expose functionality as a synchronous operation, evaluate whether you can wrap an internally asynchronous operation as described in the following discussion
  • Composition
  • Avoid using dynamic layouts that are difficult to load and maintain.
  • Be careful with dependencies between components. Use abstraction patterns when possible to avoid issues with maintainability.
  • Consider creating templates with placeholders. For example use the Template View pattern to compose dynamic web pages to ensure reuse and consistency.
  • Consider composing views from reusable modular parts. For example use the Composite View pattern to build a view from modular, atomic component parts.
  • Use well-known design patterns to implement a composite interface containing separate modules or user controls where appropriate.
  • Modules should not directly reference one another or the application that loaded them.
  • Modules should use services to communicate with the application or with other modules.
  • Modules should not be responsible for managing their dependencies.
  • Modules should support being added and removed from the system in a pluggable fashion.
  • Concurrency and Transactions
  • Treat threads as a shared resource.
  • Pool shared or scarce resources.
  • Acquire late, release early.
  • Consider efficient object creation and destruction.
  • Consider resource throttling.
  • Reduce contention by minimizing lock times.
  • Balance between coarse- and fine-grained locks.
  • Choose an appropriate transaction isolation level.
  • Avoid long-running atomic transactions.
  • Configuration Management
  • Protect your administration interfaces.
  • Protect your configuration store.
  • Maintain separate administration privileges.
  • Use least privileged process and service accounts.
  • Coupling and Cohesion
  • Partition application functionality into logical layers.
  • Choose the proper locality for your objects based on your reliability, performance, and scalability needs.
  • Design for loose coupling.
  • Design for high cohesion.
  • Use early binding where possible.
  • Evaluate resource affinity.
  • Data Access
  • If your application uses a single database, use the database-specific data provider.
  • If you need to support multiple databases, you generally need to have an abstraction layer, which helps you transparently connect to the currently configured store.
  • Consider resource throttling.
  • Consider the identities you flow to the database.
  • Separate read-only and transactional requests.
  • Avoid unnecessary data returns.
  • Exception Management
  • Avoid revealing sensitive data to users.
  • Do not use exceptions to control application flow.
  • Use validation code to avoid unnecessary exceptions.
  • Do not catch exceptions that you cannot handle.
  • Be aware that rethrowing is expensive.
  • Preserve as much diagnostic information as possible in your exception handlers.
  • Logging and Instrumentation
  • Instrument your code up front.
  • Make your logging configurable.
  • User Experience
  • Measure effectiveness against scenarios.
  • Improve user responsiveness where possible.
  • Model from effective user design.
  • Validation
  • Validate for length, range, format, and type.
  • Constrain and reject input.
  • Sanitize output.
  • Don’t rely on client-side validation.
  • Workflow
  • Determine management requirements. If a business user needs to manage the workflow, you’ll need a solution that provides an interface that the business user can understand.
  • Determine how exceptions will be handled.
  • With human workflow, you need to consider the un-deterministic nature of humans. In other words, you can’t determine when a task will be completed, or if it will be completed correctly.
  • Use service interfaces to interact with external workflow providers.
  • If supported, use designers and metadata to define the workflow instead of code to define the workflow.
  • How To Provide Feedback
    We're still banging through the frame.  There's some rough spots.  We want to make sure we can map problems, principles, patterns, assets, and technologies to the right hot spots.  We want a prioritized list over a laundry list so we're still deciding what's in and what's out.  We'll add it to CodePlex shortly.  You can either comment here on my blog or wait until the frame is on CodePlex, and then provide comments in the Wiki.

    Additional Resources


    My Related Posts

  • J.D. Meier's Blog

    Lessons Learned from Per

    • 9 Comments

    I like to learn from everyone around me.  One of my most influential mentors has been my manager, Per.  Here’s a highlight of some of the lessons I learned from Per over the years:

    Communication

    • Consolidate communication.   Chunky over chatty.  Rather than a random stream of ideas, consolidate down to a theme.  Rather than a bunch of mini-mails, consolidate to a more meaningful message. 
    • Distinguish between phases of communication.  Walt Disney used three stages for ideas: Dreamer, Realist, and Critic.  Dreamer is the vision, Realist is the steps, Critic is the constraints and limits.  In practice, Per encourages first brainstorm, then critique.

    Cutting Questions

    • Do you influence or do you own?   Distinguish between when you own the decision versus when you influence.  If you influence, but don’t own, reset your own expectations.  Responsibility without authority is a common pitfall. 
    • Does it matter?   In the grand scheme of things, does this particular issue matter.
    • Five customers under your belt?  If you don’t have five customers you can point to that stand behind what you’re doing, it’s a flag.  As simple as this test sounds, I’ve used it many times to ensure project success.
    • Is it the right thing to do?  First figure out the right thing to do, then figure out what you can do based on the circumstances.
    • Is it working?  If you keep taking the same approach, but it’s not working, you need to change your approach.  It’s simple, but you’d be surprised how many people get stuck.
    • Next steps?   Asking “next steps?” at the end of your meeting is a pretty crisp way of turning talk into action.
      What’s the agreement?  When you’re not sure why things aren’t happening as you expect, check the agreement.  You might find you don’t really have one.
    • What’s the solution?  If you’re spending too much time on the problem, switch by asking, “what’s the solution?”
    • What’s their story?  If you don’t get why another person or team isn’t doing what you want, figure out what their side of the story is.  (see What’s Their Story)
      What’s your gut say?  If you find a decision isn’t sitting right, check your gut.   While the numbers may say one thing, your intuition may be telling you a deeper story.

    Influence

    • Argue the data.  Rather than argue your opinion, argue the data.  Arguing the data keeps it more objective.  It can also be more convincing.
    • Don’t state the conclusion.  Rather than state your conclusions, show the data that leads to your conclusions.  Even if you know the “right answer,” showing the data can help others get on board.
    • Lead the horse to water.   Let them connect the dots.  You can draw a dotted line, but let your audience connect the dots. 
      Mental Judo.  This is Per’s phrase for Ward Cunninham’s uncanny ability to lead people to a conclusion through rhetoric and stories.
    • Set the frame.   Frame the problem or solution so that you have a common backdrop to share understanding.  This will help set boundaries, create agreements, and improve communication.
    • They’re not engaged.  If you notice a lack of engagement throughout your meeting, there’s a good chance that you don’t have rapport.  If you don’t have rapport, you won’t effectively influence.
    • They’re not on board.  You should be able to tell whether somebody is on board.  If they aren’t, then don’t kid yourself.
      You didn’t agree on values.  Recognize when you don’t have the same values.  Do they value time or do they value a level of results?  If you don’t share the values, you can expect problems in agreements, prioritization, expectations, and results.
    • You didn’t have buy in.  Just because somebody shakes their head yes, doesn’t mean they are bought in.  You don’t want somebody to tell you yes, just to drag their feet.

    Organizational Prowess

    • Call it an experiment.  In a risk adverse environment, it can help to call a project an experiment.  It’s a simple but effective metaphor to help people think about trying something new.
    • Do you influence or do you own?  If you don’t own the decision, you don’t own it.  Period.  You can attempt to influence, but at the end of the day, you’re not the owner.   That doesn’t mean don’t try your best.  Just don’t be surprised if it’s not the decision you wanted and don’t take it personally.
    • Expose the approach.   People may not agree on the implementation or the results, but sharing the approach is a good place to start.  Exposing the approach gives you a chance to improve the approach.  Exposing the approach can also build trust, particularly if everybody buys in.
    • Expose the thinking.  This is similar to showing your homework.  If you expose the thinking, then you can improve the thinking.  You can also help build trust.  You may not get to the right answer, but showing how you got there helps bring people along with you.
    • Get consensus.  Where possible and time permits, get folks on board.  If there’s resistance, this can be a flag that you’re off in the wrong direction.  If it’s a decision where you need everybody’s skin in the game, then you’ll want them on board helping push the ball forward versus dragging their feet.
    • Get smart folks on the bus.  This is just a general belief that if you have smart people around, the right things will happen.  It’s about people over process.
    • Slides are a forcing function.    Slides are a great way to get folks on the same page, or at least start the dialogue.  If you can’t show your ideas in a slide, then you don’t have a well-formed message for others.  Doing slides helps create a strawman of the thoughts that can be reviewed and improved.  Slides can help turn thoughts into action.

    Results

    • Change your approach.  If it’s not working; change your approach.
    • Change yourself first.  You can change yourself faster than you can change others.  Seriously.
    • Chunk it down.   If you can’t release something in a healthy rhythm, chunk it down.
    • Divide and Conquer.  If you have an overwhelming challenge, divide and conquer.(See Divide and Conquer - One Step at a Time)
    • Drive or Be Driven.  If you don’t drive it, you’ll be driven by somebody else.
      Get it out and get feedback.  Good ideas often die because there’s no action or momentum.  If you get something out, you can get feedback and start to improve it.
    • Give attribution.  In our industry, acknowledgement is important.  Be sure to give attribution where it’s due.
    • Focus.   If there’s one place where projects fail or people fail, it’s a lack of focus.  Focus is your friend.  If you’re not getting results, narrow the focus. 
    • Follow your passion.  Where there’s passion, there’s strength.
    • Forcing functions.  Use meetings, slides, and reviews as forcing functions to drive results.
    • Model the best.   This is Per’s phrase for my approach of finding the best people and modeling their success. 
    • Play to your strengths.  Per’s a fan of the book, Good to Great, and he believes in focusing on your strengths rather than your weaknesses.
    • Rattle the cage.  Challenge the thinking.  Challenge ideas.  Challenge yourself.  Don’t fall into the trap of the status quo.
    • Ship it!  This is one of Per’s favorite sayings which characterizes the emphasis on getting results and making impact.   He’s learned that a rhythm of shipping produces results while failure to ship is how teams fail at Microsoft. 

    My Related Posts

  • J.D. Meier's Blog

    Agile Architecture Method Pocket Guide

    • 9 Comments
    Agile Architecture Method Pocket Guide
    We posted our Agile Architecture Method Pocket Guide to our Application Architecture Guidance KB.  This is in response to customers who expressed interest in more modular guides as a supplement to our Application Architecture Guide 2.0.

    Chapters At a Glance
    Here’s the chapters at a glance:

    • Ch 01 - Agile Architecture Method
    • Ch 02 - Step 1 - Identify Objectives
    • Ch 03 - Step 2 - Identify Key Scenarios
    • Ch 04 - Step 3 - Application Overview
    • Ch 05 - Step 4 - Key Hot Spots
    • Ch 06 - Step 5 - Candidate Solutions
    • Ch 07 - Reviewing Your Architecture
    • Ch 08 - Communicating Your Architecture

    Download

    My Related Posts

  • J.D. Meier's Blog

    New Release: patterns & practices WCF Security Guide

    • 9 Comments

    Today we released our patterns & practices Improving Web Service security: Scenarios and Implementation Guidance for WCF on MSDN.  Using end-to-end application scenarios, this guide shows you how to design and implement authentication and authorization in WCF. You'll learn how to improve the security of your WCF services through prescriptive guidance including guidelines, a Q&A, practices at a glance, and step-by-step how to articles. The guide is the result of a collaborative effort between patterns & practices, WCF team members, and industry experts.

    Key Scenarios
    Here's the key scenarios:

    • A development team that wants to adopt WCF.
    • A software architect or developer looking to get the most out of WCF, with regard to designing their application security.
    • Interested parties investigating the use of WCF but don’t know how well it would work for their deployment scenarios and constraints.
    • Individuals tasked with learning WCF security.
    • Authentication, authorization, and communication design for your services
    • Solution patterns for common distributed application scenarios using WCF
    • Principles, patterns, and practices for improving key security aspects in services

    Contents at a Glance

    • Part I: Security Fundamentals for Web Services
    • Part II: Fundamentals of WCF Security
    • Part III: Intranet Application Scenarios
    • Part IV: Internet Application Scenarios

    Chapters

    • Foreword by Nicholas Allen
    • Foreword by Rockford Lhotka
    • Chapter 1: Security Fundamentals for Web Services
    • Chapter 2: Threats and Countermeasures for Web Services
    • Chapter 3: Security Design Guidelines for Web Services
    • Chapter 4: WCF Security Fundamentals
    • Chapter 5: Authentication, Authorization, and Identities in WCF
    • Chapter 6: Impersonation and Delegation in WCF
    • Chapter 7: Message and Transport Security
    • Chapter 8: Bindings
    • Chapter 9: Intranet - Web to Remote WCF Using Transport Security (Original Caller, TCP)
    • Chapter 10: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
    • Chapter 11: Intranet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
    • Chapter 12: Intranet - Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
    • Chapter 13: Internet - WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
    • Chapter 14: Internet - Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
    • Chapter 15: Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

    Our Team

    • J.D. Meier
    • Carlos Farre
    • Jason Taylor
    • Prashant Bansode
    • Steve Gregersen
    • Madhu Sundararajan
    • Rob Boucher

    Contributors / Reviewers

    • External Contributors / Reviewers: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Leroux Bustamante; Parameswaran Vaideeswaran; Rockford Lhotka; Rudolph Araujo; Santosh Bejugam
    • Microsoft Contributors / Reviewers: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev
  • J.D. Meier's Blog

    VMs for Web and Worker Roles in Windows Azure

    • 9 Comments

    This is my current mental model for Virtual Machines (VMs) for Web and Worker Roles in Windows Azure:

    VMs for Web and Worker Roles in Windows Azure v2

    On Windows Azure, you run your application in Web and Worker Roles.  Each instance of a Web or Worker Role runs in a VM.  You define how many instances of each Web or Worker role you want to run.  Windows Azure then spins up a VM for each instance.  You can choose from 4 flavors of VMs: one core, two core, four core, and eight core.

    Here is a summary of the key components:

    • Web Role - includes Internet Information Services (IIS) and can accept HTTP and HTTPS Requests.  A Web Role talks to a Worker Role indirectly through a queue, or you can talk directly using WCF.
    • Worker Role – is not configured with IIS and is primarily for background processing, such as queuing, monitoring, or ticket-system scenarios.
    • Windows Azure Agent – each VM has an agent that lets your application talk to the Windows Azure Fabric using an API.

    The load balancer spreads the incoming HTTP or HTTPS requests across your Web Role instances.

    For a higher-level view, see my related post, Windows Azure Platform at a Glance.

  • J.D. Meier's Blog

    Windows Azure Scenarios Map

    • 9 Comments

    image

    The Windows Azure scenarios map is a consolidated and shared view of the common scenarios and tasks developing applications for the Windows Azure platform. You will find Getting Started and Architecture scenarios first, followed by other common areas. Scenarios in each group should represent common tasks developers for this platform would face.

    Your call to action here is simply scan the Windows Azure Scenarios Map below and either share your scenarios in the comments or email your scenarios to me at feedbackandthoughts at live.com.  Be sure to share your scenarios in the form of “how to blah, blah, blah …” – this makes it much easier to act on and update the map.

    For a quick review of what a good Scenarios Map looks like, see my related post, 5 Keys to Effective Scenario Maps.

    Categories

    • Getting Started
    • Architecture and Design
    • Administration
    • ALM
    • ASP.NET Applications
    • Authentication / Authorization
    • Caching
    • Configuration
    • Data Access / Storage
    • DataMarket (“Dallas”)
    • Deployment
    • General
    • Logging / Health Monitoring
    • Performance
    • Security
    • Service Bus
    • SQL Azure
    • Transactions
    • WCF
    • WIF (Windows Identity Foundation)
    • Windows Azure VM (Virtual Machine) Role
    • Worker Role
    • Workflow

    Windows Azure Scenarios Map

    Category

    Items

    Getting Started

    • How to set up your development environment for Windows Azure development.
    • How to build a web site in a web role.
    • How to deploy an application to Windows Azure.
    • How to debug deployed applications.
    • How to build a worker process in a worker role.

    Architecture and Design

    • How to implemented layered architecture in the cloud.
    • How to run an on-premise app in the cloud.
    • How to design an application to scale across multiple data centers.
    • How to design a loosely coupled system.
    • How to design around latency issues.
    • How to dynamically increase or decrease the number of role instances based on load.
    • How to use Azure diagnostics to troubleshoot production issues.
    • How to provide incremental progress feedback from a worker role (for ex: progress bar).
    • How to design for integration (custom cloud applications / finished services (BPOS) / on premise / ESB)
    • How to call on-premise data stores from Windows Azure.
    • How to decide if your application is right for Windows Azure (on-premise vs. cloud, advantages/disadvantages).
    • How to scale horizontally.
    • How to scale vertically.
    • How to manage state in the cloud.
    • How to manage logs.
    • How to cache data.
    • How to design for asynchronous work.
    • How to design a tightly bound system.
    • How to segregate application logic between Azure roles.
    • How to create a small-to-medium Web app.
    • How to create a large Web application.
    • How to manage separation of responsibilities in functional roles.
    • How to build a system using both hosted data and on-premises data.
    • How to coordinate multiple worker roles.
    • How to create a parallel processing application.
    • How to use a distributed cache.
    • How to implement multi-tenancy in Azure.
    Administration
    • How to manage your subscription(s) when you've got a team of developers.
    ALM
    • How to manage both environment and application upgrades.

    ASP.NET Applications

    • How to connect to SQL Azure.
    • How to connect to Windows Azure Storage.
    • How to authenticate users using Live ID.
    • How to implement a RESTful interface in an ASP.NET application.
    • How to access certificates.
    • How to manage state in an application.
    • How to connect to a WCF service with an internal endpoint.
    • How to encrypt a value using RSA encryption.
    • How to monitor health of other VM instances.
    • How to access performance counters from code.
    Authentication / Authorization
    • How to perform single sign on (Federation).
    • How to turn your application into a claims aware application.
    • How to authenticate callers.
    • How to identify callers.
    • How to manage personally identifying information / sensitive data in the cloud.
    • How to build an STS.
    • How to integrate with Active Directory.
    • How to integrate with my Membership Provider.
    • How to leverage roles (Membership).
    • How to leverage claims.
    • How to turn claims into roles. How to authorize access to a REST interface.
    • How to implement complex logic in claims mapping.
    • How to configure my application for multiple authentication methods?
    • How to perform sign-out from my claims aware application?
    • How to Enable Tracing
    • How to use Windows Azure platform AppFabric Access Control to obtain a Simple Web Token (SWT) after providing a SAML token.
    • How to integrate Windows Azure platform AppFabric Access Control with ADFS.
    • How To: Configure Facebook as an Identity Provider for Azure AppFabric Access Control Service (ACS)
    • How To: Configure Google as an Identity Provider for Azure AppFabric Access Control Service (ACS)
    • How To: Configure Yahoo! as an Identity Provider for Azure AppFabric Access Control Service (ACS)

    Caching

    • How to leverage a distributed cache (e.g. Velocity)
    • How to swap out cache providers.
    • How to cache data effectively.
    • How to expire the cache.
    • How to use Azure's VM local storage.
    • How to implement the Azure AppFabric Cache session provider.

    Configuration

    • How to configure a web role.
    • How to configure a worker role.
    • How to cache configuration data.
    • How to decide what settings should go in ServiceConfiguration vs. Web/App Configs.
    • How to programmatically change configuration settings.
    • How to set up DNS for Azure applications.

    Data Access / Storage

    • How to access Azure Storage tables.
    • How to access Azure Storage queues.
    • How to connect to SQL Azure.
    • How to decide whether to use Azure Table Storage vs. SQL Azure
    • How to access Windows Azure Storage from Silverlight
    • How to upload files to BLOB storage.
    • How to handle connection timeouts with Azure Storage.
    • How to design an extensible schema that will never need to be updated.
    • How to choose a partition key for different entities.
    • How not to get too much data into one partition.
    • How to load initial/domain data (ETL)
    • How to do BI in the cloud.
    • How to store BLOB data for an on premise application.
    • How to organize your containers and blobs efficiently.
    • How to track/retrieve additional information/properties about blobs
    • How to authorize access to containers/blobs
    • How to name storage containers in WAS (what are the restrictions for naming?)
    • How to design a scalable partitioning strategy for WAS.
    • How to authorize access to BLOBs using Shared Access Signatures
    • How to persist a VM drive to Azure Drives.
    • How to organize your containers and blobs efficiently.
    • How to track/retrieve additional BLOB properties.
    • How to use queues for IPC.
    • How to deploy data to an Azure Drive.
    • How to create a WCF Data Services interface for Windows Azure Storage.
    • How to expose SQL Azure through a WCF Data Services interface.
    • How to support transactional data in Azure Storage.
    • How to repartition your live data.
    • How to repartition data.
    • How to programmatically reset and obtain storage access keys.
    • How and when to leverage Azure Local Storage.
    • How to change Azure Storage partitioning of existing services (should scaling needs require a change).
    • How to create idempotent transactions.

    DataMarket (“Dallas”)

    • How to use DataMarket from my application
    • How to address security, billing, auditing, and authenticating

    Deployment

    • How to install an SSL certificate for an Azure ASP.NET app.
    • How to determine number of instances of roles to deploy.
    • How to roll out a deployment.
    • How to roll back a deployment.
    • How to create and install a deployment certificate.
    • How to deploy applications programmatically through the portal API’s.

    General

    • How to push peak loads to the cloud to reduce the size of an on premise data center.
    • How to decide if you application is right for Windows Azure (on-premise vs. cloud, advantages/disadvantages)
    • How to run your own VM in the cloud.
    • How to develop with a team of developers.

    Logging / Health / Monitoring

    • How to determine your log destination (EventLog, TableStorage, Flatfile, etc)
    • How to view logs
    • How to monitor the health of a deployed application
    • How to log information from IIS (until IIS Logs are available).
    • How to monitor web roles.
    • How to monitor worker roles.
    • How to alert/alarm if needs are beyond Windows Live Alerts (currently what Azure provides)
    • How to throttle your logging.

    Performance

    • How to design around Azure throttling.
    • How to simulate load.
    • How to access/view performance counters.
    • How to do capacity planning.
    • How to compare BLOB storage against VM drives.
    • How to measure performance against CRUD.

    Security

    • How to encrypt values stored in configuration files.
    • How to sanitize logging events for sensitive data.
    • How to prevent CSRF attacks.
    • How to protect configuration settings.
    • How to encrypt persisted data.
    • How to secure any sensitive data that is sent between cloud applications.
    • How to store sensitive data in the cloud.
    • How to secure sensitive data sent to a cloud app.

    Service Bus

    • How to use the service bus to expose on-premise services to Windows Azure hosted applications.
    • How to use the service bus from a Silverlight client.
    • How to expose “discoverable” services via the service bus.
    • How to authenticate service bus access with AppFabric Access Control.

    SQL Azure

    • How to decide between Windows Azure Storage and SQL Azure.
    • How to implement separation of privileges in SQL Azure.
    • How to avoid SQL Azure throttling.
    • How to deploy SQL Azure TSQL or DB schemas as part of application deployment process.
    • How to backup SQL Azure databases.
    • How to restore SQL Azure databases.
    • How to use SQL roles and accounts in conjunction with claims based authentication mechanisms.

    Transactions

    • How to implement 2-phase commit.
    • How to roll back.
    • How to update multiple pieces of data at the same time.
    • How to lock effectively.

    WCF

    • How to set up transport security for WCF on Windows Azure.
    • How to use client certs with a WCF service on Windows Azure.
    • How to use on-premise user stores for authentication and authorization.
    • How to use internal endpoints with a WCF service.
    • How to expose an on-premise WCF service to a Windows Azure hosted client.
    • How to build a WCF service in a worker role.

    WIF (Windows Identity Foundation)

    • How to set up ADFS as an STS for Active Directory.
    • How to create a custom STS.
    • How to create a federation provider STS.
    • How to use a custom claims repository.
    • How to: Using the FederatedPassiveSignIn ASP.NET User Control
    • How to use WSTrustChannelFactory and WSTrustChannel
    • How to identify from Windows Phone to ASP.NET web site?
    • How to identify from Windows Phone to WCF service?
    • How to identify from iPad/iPhone to WCF service?
    • How to identify from droid to WCF service?
    • How to identitfy from Silverlight to WCF service?
    • How to Enable Tracing
    • How to log WCF and WIF traces to different tracing sources
    • How to use svctraceviewer.exe for troubleshoting
    • How to use svctraceviewer.exe to inspect WIF traces
    • How to: Establishing Trust from an ASP.NET Relying Party Application to an STS using FedUtil
    • How to package and deploy claims aware application on-prem?
    • How to package and deploy claims aware application to Azure?
    • How to request an ActAs token.

    Windows Azure VM (Virtual Machine) Role

    • How to choose between VM Role and designing for a Web or Worker Role
    • How to design for the VM Role

    Worker Role

    • How to communicate between different types of worker roles.
    • How to schedule work.
    • How to group different types of work.
    • How to determine the number of worker roles.
    • How to determine if multiple threads should be used

    Workflow

    • How to design for asynchronous work.
    • How to design for integration (custom cloud applications / finished services (BPOS) / on premise / ESB)

    Contributors and Reviewers

    • External Contributors / Reviewers – Adam Grocholski; Andy Eunson, Bill Collette; Brent Stineman; Kevin Lam, Rainer Stropek, Terrance Snyder, Will Clevenger
    • Microsoft Contributors / Reviewers – Alik Levin, Carlos Farre, Julian Gonzalez, Mohit Srivastava, Rob Boucher

    My Related Posts

  • J.D. Meier's Blog

    CodePlex, GE, and MSDN

    • 9 Comments

    One of the questions I get is how we build and publish our guides and what's the relationship of CodePlex, GE and MSDN.  At a high-level, we build reusable guidance nuggets for customer questions and tasks.  We then build a larger guide to bring the nuggets together into a story. Together, this gives us both a knowledge base of nuggets and a series of guides.  We can incrementally deliver value, refactor as appropriate, and respond to changing needs.

    Bird's-Eye View of Agile Guidance Engineering
    You can think of our approach as progressive rendering of solutions (incrementally sharing and stabilizing.)

    AgileGuidanceEngineering

    From CodePlex to MSDN
    As we build guidance modules, we publish them to GE and CodePlex.  GE lets you, the user, build more relevant views or tailor the nuggets to your own needs.  CodePlex gives us a place to experiment with views and get direct user feedback, while we vet the guidance. 

    Once we're stable, we do a focused, batch effort to port to MSDN.  MSDN gives us a bunch more channels and hooks including integration in Visual Studio / Visual Studio Team System.

    There's much more to the story, so if there's interest, I'll share a behind the scenes look at how we build books.

    My Related Posts

  • J.D. Meier's Blog

    patterns & practices WCF Security Guidance: Updated Application Scenarios

    • 9 Comments

    For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios.  We added sections for analysis, code and configuration examples.  The analysis section explains the rationale behind some of the decisions. 

    The idea behind the application scenarios is to show you a before and after look of end-to-end solutions.  Rather than a single solution, we give you a set of solutions to pick from.  The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.

    WCF Security Application Scenarios
    Intranet

    Internet

    Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.) 

    My Related Posts

  • J.D. Meier's Blog

    Ken Blanchard Speaks at Microsoft

    • 9 Comments

    Ken Blanchard spoke at Microsoft last week.  He's all about empowering people, growing people, and helping everybody get an A.  This post is my notes from the session.

    KenBlanchard 

    Catch People Doing Something Right, Accentuate the Positive
    I'm putting this right up front because Ken said if there was only one thing he could be remembered for, he would want it to be:

    "Catch People Doing Something Right, Accentuate the Positive."

    Random Highlights
    Here's a sampling of some of the one-liners and insights from the session:

    • The triad is the provider of choice, employer of choice, investment of choice.
    • People will compete with you in garages -- have the triad.
    • Bring your brains to the job vs. kiss up the hierarchy.
    • Write the final exam up front.
    • Life's about getting A's.  Everybody gets A's.
    • The journey of an effective leader starts with self-leadership (who are you)
    • None of us is as smart as all of us (the collective brain)
    • Don't ask yes/no questions -- ask, what's one thing we could have done differently to make your experience better?
    • Know your rank order values.  Walk your values.  Don't have too many values.
    • Profit is the applause you get for taking care of customers and being a motivating place to work.
    • Get customers telling stories about you.
    • Who does she work for? a duck or an eagle? Ducks quack excuses.  Eagles soar above the crowd.   Bring your brains to work.
    • You got what you got (your team), what are you going to do?
    • Help people accomplish goals and have goals tied into the organization.
    • Now you have the position, don't use it (don't use your position -- it's on loan.)
    • All the important stickers went on people (people are the most important asset.)
    • Ken's favorite insight from the movie Ghost - "You can take the love with you."
    • What Ken's mom taught him -- "Don't act like you're better than anybody ...but don't let anybody act like they're better than you."

    Philanthropy is the News Around the World
    Ken travels the world and the big news he kept hearing about was the philanthropy.  Specifically, the news was focused on Bill Gates and Warren Buffet.  The fact that Buffet trusts the Bill & Melinda Gates Foundation to help the world sends a powerful message.

    4 Keys to Lead at a Higher Level
    Ken framed out 4 keys to lead at a higher level:

    1. Set your sights on the right target and vision.  Ken reminded us that since Alice didn't know where she wanted to go, the Chesire cat told her that the direction doesn't matter.
    2. Treat your customers right.  Decide, discover, and deliver.
    3. Treat your people right.  If you don't treat your people right, they won't take care of your customers (the customers are the only people they can beat up.)
    4. Have the right kind of leadership.  Effective leadership starts on the inside.  You don't own the position, it's on loan.  Be a servant leader over a self-serving leader.

    Decide, Discover and Deliver
    To treat your customers right, Ken provided a decide, discover, deliver approach:

    • Decide.  Decide what experience you want your customers to have.  For example, one gas station used the "Indianapolis pitstop experience" and had the slogan, "jump to the pump." 
    • Discover.  Listen to what your customers want and see if it makes sense to include their suggestions in your vision.  Don't ask yes/no questions -- ask, what's one thing we could have done differently to make your experience better?
    • Deliver.   To implement your customer service vision, invert the traditional pyramid and empower your people.

    Turn the Pyramid Upside Down
    Turn the pyramid upside down.  Have your team bring their brains to work vs. kiss up the hierarchy.  Don't have them be ducks (who just quack excuses why they can't do this or can't do that.) Empower them to be eagles who soar above the crowd. 

    A Fortunate 500 List According to Ken Blanchard
    Ken suggested the idea of a Fortunate 500 list.  A Fortunate 500 Company would have a triple bottom line and be a good citizen in the community.

    Customers, Business, Employees (The Triple Bottom Line)
    The triple bottom line includes:

    1. Provider of choice (customers)
    2. Employer of choice (employees)
    3. Investment of choice (business)

    Ken remarked that profit is the applause you get for taking care of customers and being a motivating place to work.

    Organizational Vitality, Employee Passion, Customer Devotion
    Ken outlined the keys to organizational vitality:

    • Organizational vitality.  Organizational vitality is supported by customer devotion and employee passion (which support each other).  The employees don't see strategic initiatives in their day to day, so the biggest impact on org vitality is how does their boss threat them and how are they evaluated? (fair/just?)
    • Strategic leadership.  Strategic leadership supports org vitality.  Strategic leadership includes vision, culture, and strategic imperatives.
    • Organizational leadership.  Organizational leadership supports employee passion and customer devotion.   Organizational leadership includes policies and procedures (indirect relationship on strategy), leader behaviors, and fairness / justice.

    From Self-Leadership to Organizational Leadership
    The journey of an effective leader starts with self-leadership (who are you) and progresses to organizational leadership:

    • Self-leadership (who are you)
    • One-to-one leadership
    • Team leadership
    • Organizational leadership

    Ken noted that one of his favorite mantras is -- none of us is as smart as all of us.

    3 Skills of Situational Leader
    Ken identified 3 skills of a situational leader:

    1. Diagnosis - figuring our the development level.
    2. Flexibility - adapting your leadership style based on the development level.
    3. Partnering for performance - helping everybody get A's. 

    The 4 D's (Development Level)
    The four development levels vary by competence and motivation.  If you can identify which development level somebody is in, you can use the right leadership style:

    • D1 - Enthusiastic beginner (low competence, high commitment)
    • D2 - Disillusioned learner (low competence, low commitment)
    • D3 - The capable, but cautious performer (low to some competence, variable commitment)
    • D4 - The self-reliant achiever (high competence, high commitment)

    4 Leadership Styles
    The four leadership styles range from directing to delegating:

    • S1 - Directive
    • S2 - Coaching
    • S3 - Supportive
    • S4 - Delegating

    Your leadership style varies by how you need to teach skills and provide motivation.   You match your leadership style based on the development level.

    More Supporting, Less Delegating
    Ken noted that the most common style in tech is delegating (telling folks what to do), but that it only works if you have self-reliant achievers.  He said lots of situations where somebody fails, it's because the leader didn't spend enough time supporting.  For example, somebody might be great at sales, but poor at administration and could use more support.

    Don't Be a Seagul
    Ken described the seagul type manager:

    1. Flies in
    2. Makes a lot of noise
    3. Dumps on everyone
    4. Flies out

    Yuck!  Don't be a seagul.

    How to Manage Effectively
    Ken gave us a recipe for managing effectively:

    1. Teach situational leadership II
    2. Agree on goals
    3. Agree on level of performance
    4. Diagnose development level
    5. Agree on appropriate leadership style
    6. Follow up on agreements

    Leadership vs. Management
    When a colleague asked Ken about his thoughts on the difference between leadership and management, he said he doesn't get involved in the debate.  He doesn't think management should play 2nd fiddle.

    Don't Rank Employees on a Bell Curve
    Ken made a few key points against ranking employees on a bell curve:

    • Why screw a certain percentage?
    • You don't hire losers to fill slots.
    • Putting your new people at the bottom doesn't encourage them.

    Help Everybody Get A's
    Ken's recipe for results is:

    • Give out the final exam up front
    • Teach people answers to get the A's
    • Demonstrate how you've helped them get A's each quarter
    • Have an informal formal review each quarter
    • A review at the end of the year should be a review -- not a surprise.

    Share Them With Your Competition
    What happens if you give help people get A's but they don't get A's:

    • If they're a good citizen, then help them find the right position.
    • If they're not a good citizen, then share them with your competition.

    From self-serving leaders to Servant Leadership
    Ken gave us three ways that somebody moves from a self-serving leader to servant-leadership:

    1. Near death experience
    2. Spiritual awakening
    3. Be a role model

    Basically it's life-changing events or by following an example.

    Egos Anonymous
    There's two ends of the spectrum with ego issues:

    1. False pride
    2. Self-doubt / fear

    The problem with ego issues is that the world spins around you.  Ken said the key is to put the focus somewhere else.  When you put the focus on something else, the fear goes away.

    Ken told us about "Egos Anonymous" meetings.   He said at the meetings, people introduce themselves with "I'm an ego maniac, the last time my ego got in the way ..." 

    The irony is, everybody wants to go last to be more clever, funnier -- and that's an ego thing.

    Bigger Emphasis on Results or Developing People?
    Ken pointed out that it's not an either/or it's a both/and.  The keys are:

    1. Fixing motivation.
    2. Fixing capability.

    The Secret of Great Leaders
    Ken told us the secret of great leaders:

    • Values, results and people
    • Emphasis on results
    • Significant investment in their lives
    • Express appreciation

    You're Learning or Dying
    Ken told us we're learning or dying:

    • Reinvent continuously.
    • How will your resume be different next year?
    • Are you learning from mentors?

    SERVE - What Great Leaders Know and Do
    Ken explained that SERVE is what great leaders know and do:

    • See the future.
    • Engage and develop others
    • Reinvent continuously.
    • Value results and relationship.
    • Embody the values.

    Leadership is Love
    Ken told us leadership is love:

    • Loving your mission
    • Loving your customers
    • Loving your people
    • Loving yourself -- enough to get out of the way so others can be magnificent.

    How To Implement the program
    Ken said he's seen remarkable impact when organizations apply the knowledge.  He said there's three keys:

    1. Performance management program (3,4,5x the difference)
    2. Situational leadership
    3. Final exam.

    Wrap Up
    At the end of the talk, I met Ken and he signed my copy of The 3 Keys to Empowerment.   What surprised me the most was how down to earth and engaged in the moment he was.   I thanked him for teaching people situational leadership.  I asked him where the II part came from in Situational Leadership II and he told me the story of the split.   I told him it would be great to be able to read stories like that in his blog, if he had one. 

    3 Actions
    As a habit, I challenge myself to turn what I learn into three things I can apply.  There's always more I can do, but I start with three.  Here they are:

    1. Help everybody get A's.  I'll start by diagnose the development levels on my team.  Does somebody on the team need more encouragement or more instruction than they're getting right now?
    2. Figure out how my resume will be different next year.  I used to do this exercise regularly, but it's been a while.  Flashing forward is a great way to help me choose certain paths over others.
    3. Decide, discover, and deliver the right customer experience.  Very practically put, stop asking yes, no questions and start asking, what's one thing we could have done differently to make your experience better?
  • J.D. Meier's Blog

    Clearing Your Inbox

    • 9 Comments

    Today I helped a colleague clear their inbox.  I've kept a zero mail inbox for a few years.  I forgot this wasn't common practice until a colleague said to me, "wow, your inbox doesn't scroll."

    I didn't learn the zen of the zero mail inbox over night.  As pathetic as this sounds, I've actually compared email practices over the years with several people to find some of the best practices that work over time.  The last thing I wanted to do was waste time in email, if there were better ways.  Some of my early managers also instilled in me that to be effective, I needed to master the basics.  Put it another way, don't let administration get in the way of results.

    Key Steps for a Clear Inbox
    My overall approach is to turn actions into next steps, and keep stuff I've seen, out of the way of my incoming mail.  Here's the key steps: 

    1. Filter out everything that's not directly to you.  To do so, create an inbox rule to remove everything that's not directly To or CC you.  As an exception, I do let my immediate team aliases fall through.
    2. Create a folder for everything that's read.  I have a folder to move everything I read and act on.  This is how I make way for incoming.
    3. Create a list for your actions.  Having a separate list means you can list the actions in the sequence that makes sense for you, versus let the sequence in your inbox drive you.

    Part of the key is acting on mail versus shuffling it.  For a given mail, if I can act on it immediately, I do.  If now's not the time, I add it to my list of actions.  If it will take a bit of time, then I drag it to my calendar and schedule the time.

    Anti-Patterns
    I think it's important to note the anti-patterns:

    1. Using your inbox as a large collection of action and semi-action items with varying priorities
    2. Using your inbox as a pool of interspersed action and reference items
    3. Adopting complicated mail and task management systems

    My Related Posts

    1. Scannable Outcome Lists
    2. Using Scannable Outcomes with My Results Approach
  • J.D. Meier's Blog

    Patterns and Practices for New Hires

    • 9 Comments

    Whether you're a new hire or taking on a new job, here's some principles, patterns and practices to be more effective.  They're lessons learned from the school of hard knocks and they represent some of the proven practices that have worked for others and have stood the test of time.   This is a limited, but prioritized list (I gave myself a 20 minute window.)  I'll drill into areas in upcoming weeks, depending on where there's interest.

    Personal Productivity

    • Timebox your day.  Carve your day into time budgets.  Figure out how much time you should spend on administration, work time, meeting time, and think time.  Start with a day.   For example, some of the most effective people spend 1 hour on admin, 1 hour on think time, 4 hours on work time, and 2 hours on meetings.  You need to find the pattern that works for you.  The trap is to not know when the day ends and over-spend time in areas you should allocate to others.   See Timebox Your Day.
    • Manage your meetings.  You'll likely spend a lot of time in meetings.  Value your time.  Find out the meeting you must go to versus should or could.  Use meetings to build your network.  The most effective meetings have agendas and the right people.  Some meeting are more about connection versus results, so if you know that up front, you can reset your expectations.  Nothing's worse than trying to get results in a connection meeting.  One thing to remember is that connection precedes results.  You get more done with rapport (think "rose colored glasses")       
    • Manage your mail.  Doing a day of email doesn't mean you did a great day of work.  Timeboxes help.  See Clearing Your Inbox.
    • Manage your action.  Think in terms of daily results working towards larger outcomes.  See Execution Checklists and Using Scannable Outcomes with My Results Approach.
    • Manage your plate.  Underpromise and over-deliver.  It's better to nail a few things well, than take on a bunch and never finish.  Think of it like a buffet -- rather than over-flow your plate and get bogged down, take smaller plates and more trips.  The fast eat the slow.
    • Master information management.  The most important concept is to factor reference information from action.  Always use the RAT test on information you get (relevant? accurate? timeley?)  Use trusted sources and trusted people for finding the best, most distilled information.
    • Manage your energy.  You can throw a lot of time at a problem, but it's your energy that will give you the power hours.  See Manage Energy, Not Time.

    Results

    • Know what's important.  Your manager and peers will tell you if you ask.  Sanity check when you hear one thing, but see another.  Usually folks are doing what's on their commitments, so walk the commitments stack up the chain to see how and where you fit in.
    • Manage your results.  Microsoft rewards "smart and gets results."  Focus on outcomes over activities.  Think in terms of value delivered over activity performed.  You can do lots of activities but that doesn't necessarily translate into meaningful results.
    • Walk an instance end-to-end.  Know what you're getting yourself into.  Whatever your team delivers, walk an instance from start to end.  Knowing the bigger picture will quickly help you orient where you are in the bigger picture.  This will help you anticipate.  You'll also know how to pace yourself for the race (walk, jog or run.)
    • Avoid analysis paralysis.  It's really easy to fall into the trap of mistaking great throughts for great actions.  Take action and improve.  Analyze enough to start taking action, getting results and improving.  Figure out your higher risks earlier versus later.  Fail fast.
    • Learn project management.  Knowing how to do a work breakdown structure, timeline, work estimates and how to allocate resources gives you an advantage in getting results.  You can apply these skills to a micro-level (personal productivity) or to a macro-level (getting large projects done.)
    • Play to your strengths.  You have your strengths.  Use them.  Find a way.  If you find yourself doing a job and you know you really could be more effective, figure out whether it's your approach.
    • Use reference examples.  Find the best reference examples and work backwards from there.  Whatever you need to do, chances are, somebody's paved a path or there's an example you can find.  You can leapfrog results if you don't always start from scratch.
    • Know the tests for success.  Nothing's worse than to finish a major project only to find you missed the mark.  Figure out the tests for success earlier versus later.  They're might not be a lot of clarity in the beginning, but continuously refine figuring out what good looks like.
    • Deliver incremental results.  If you can chunk it down, you have a better chance for success.  Show progress along the way.  Always have a great end in mind, but be able to chunk it up and make progress on the bigger picture.
    • Think in terms of value delivered.  You can think in terms of time (daily, weekly, monthly).  You can think in terms of value (how important is this).  Just the act of thinking in terms of value delivered will help you prioritize your personal queue. 

    Communication

    • Create the driver's guide for your manager.  Your manager has a high-correlation to your job satisfaction and your success in Microsoft.  What's their communication style?  Do they like email, voice or dialogue?  How frequently should you meet with them to stay on the same page?  How do they want status?
    • What's their story?  Be careful when you jump to conclusions.  When somebody doesn't do something as you expect, it's good to checkpoint assumptions.  See What's Their Story? 
    • Speak in the right currency.  Know what matters to your audience and the terms they use.  Use their terms where you can to bridge the communication gap.
    • Use metaphors and mental models.  The better you can simplify complex information into a mental model or visual, the more effective you'll be.
    • Use stories.  Use short stories to convey a point.  By short, something you can say in a few sentences.  It should be relevant and have an emotional aspect.  If just stating a point, doesn't make the point hit home, sometimes telling the right story can.
    • Use a whiteboard.  The power of the whiteboard is that people tend to put down what's important versus get lost in the details.  You can also drill in or step back as needed.
    • Speak in slides.  A slide is a great forcing function to make you consolidate your point.  At Microsoft, it's easy to pass slides around.  I use One-Sliders.

    Intellectual Horsepower

    • Ask better questions.  Thinking in just asking and answering questions.  If you want better answers, ask better questions.  You can ask question in terms of time, meaning, assumptions, truth, causes, effects and actions.  One thing I like to do is think in terms of what do I know, don't know and need to know next.  See Cutting Questions.
    • Test it versus debate it.  There's a lot of opinions on a lot of things.  You'd be surprised how quickly a simple repro test can cut through debate.  Find empirical evidence where you can.
    • Learn thinking techniques.  There's lots of thinking patterns and techniques.  You can study Disney's imagineers such as Michael Michalko, or practices such as Neuro Linguistic Programming (NLP.)

    Learning / Improvement

    • Change your approach.  Stay adaptable.  If you're not getting results, change your approach.  The best way to get unstuck is to change your approach.  You learn the most from trying something different.  Sometimes this is uncomfotable, but that's what growth feels like.
    • Model the best.  Find the people that get results.  Have at least a few examples of people that have both continuous improvement and balance.  For balance, that means both work and home, and at work it means, balance between connection and results. 
    • Take key training.  Obviously, you'll want relevant technical training, but you'll want training to make you more effective in your day to day success at Microsoft.  While I've had great tech training, some of my most useful training has been in effective meetings, personal productivity, interpersonal communication, negotiation skills, influence, leadership, and thinking techniques.
    • Use everybody as a mentor.  Everybody can teach you something.  Everybody.  Find something each person does well and find out how they do it.  Success leaves clues.
    • Use a personal sounding board.  Find some folks you trust to give you the tough feedback.  Sanity check your ideas with your personal sounding board.
    • Improve strengths, but limit liabilities.  If you spend all your time working on your weaknesses, you won't get the benefit of your strengths.  Continously improve your strength, while you master you craft.  Every day at work is a chance to practice.  Reduce your liabilities, but don't ignore improving your strengths. 

    Networking

    • If you don't know, ask.  If you ask a precise enough question, you can stretch your network over time and space.
    • Build your network.  Your network naturally waxes and wanes.  Your results are a combination of what you know and who you know.  Building your network will help you get more done over time.  It's a long-term investment that builds on itself.
    • Play tradesees.  It's easier to network when you bring something to the table.  You can trade what you know or your expertise in an area with somebody elses.  This is how a lot of effective people get results.  They build a network of complimentary skills and experience. 
    • Use WIIFY.  What's In It For You (WIIFY) is a simple, but effective way to communicate.  If you always ask yourself, what's in it for the person you're brokering in, you're off to a better start.  Point out to them what's in it for them if it's not obvious.  If there's nothing it it for them, then that's a flag.  Challenge yourself to find a way for their to be something in it for them and you'll get further.

    My Related Posts

  • J.D. Meier's Blog

    Now on MSDN: patterns & practices Performance Testing Guidance for Web Applications

    • 9 Comments

    You can now find our patterns & practices Performance Testing Guidance for Web Applications on MSDN in HTML.  It's the same guidance we hosted on CodePlex.  CodePlex was our channel for agile release of the guidance.  Once we baked the guidance, we ported it to MSDN.

    Contents at a Glance
    Here's the

    Chapters

    Download
    You can download the patterns & practices Performance Testing Guidance for Web Applications from CodePlex.

    Guidance Explorer Scenario
    If you want to tailor the guidance for your scenario, you can download Guidance Explorer from CodePlex.  Using Guidance Explorer, you can create custom views by dragging and dropping the relevant guidance and then tailoring it as you see fit.  You can then save your view or an item to Word or HTML

  • Page 2 of 44 (1,084 items) 12345»