Software Engineering, Project Management, and Effectiveness
What are the key steps to designing an effective authentication and authorization strategy? The keys are knowing your user stores, your role stores, and who needs to access what or perform which operations. In this post, I share the approaches we've used in two of our patterns & practices guides. These are the approaches we've used to help customers successfully design their authentication and authorization strategies.
Designing an Authentication and Authorization Strategy - v1
When we first wrote Building Secure ASP.NET Applications, here's the meta-process we came up with for working through your authentication and authorization strategies:
For elaboration, see Authentication and Authorization.
Designing an Authentication and Authorization Strategy - v2
When we recently wrote Improving Web Application Security, we made some revisions:
Personally, I've found it really cuts to the chase if you start with your user stores and role stores, since they tend to be somewhat fixed.
Identities
When you think through the identities, I've found it helpful to think in terms of who needs to access which resources or perform which actions. Consider the following:
Resource Types
When you think through the resource types, I find it helpful to think in terms of:
Authorization Strategies
When thinking through the authorization strategies, I find it helpful to consider:
Resource Access Patterns
When thinking through the resource access patterns, I find it helpful to consider:
Designing authentication and authorization can be a gnarly topic. I hope the scaffolding above helps you find a path that works for you.
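Here's an added example (not code from either guide, and not part of the original post) that makes the three inputs concrete in Python: a user store, a role store, and the "who can perform which operation on which resource" check derived from them, with a deny-by-default answer for anything the stores don't cover. The store contents, the owner rule and every name are constructed for illustration.

```python
"""Added example (not from the patterns & practices guides): a small model
of the three inputs the post says to pin down first -- the user store, the
role store, and who may perform which operation on which resource.
Store contents, the owner rule and all names are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed user store: principal -> roles it holds (what a directory or
# a membership/role provider would return after authentication).
USER_STORE: Dict[str, Set[str]] = {
    "alice": {"Manager", "Employee"},
    "bob":   {"Employee"},
    "carol": set(),          # authenticated, but holds no role at all
}

# Constructed role store: (resource type, operation) -> roles granted it.
ROLE_STORE: Dict[Tuple[str, str], Set[str]] = {
    ("Order", "read"):         {"Employee", "Manager"},
    ("Order", "approve"):      {"Manager"},
    ("PayrollRecord", "read"): {"Manager"},
}

# Resource-based rule (assumed for the example): operations an owner may
# perform on its own resource even without a role grant.
OWNER_OPERATIONS: Dict[str, Set[str]] = {"Order": {"read", "cancel"}}


@dataclass(frozen=True)
class Resource:
    kind: str
    owner: Optional[str] = None


def roles_for(principal: str) -> Set[str]:
    """Look the principal up in the user store; unknown principals hold nothing."""
    return set(USER_STORE.get(principal, set()))


def is_authorized(principal: str, resource: Resource, operation: str) -> bool:
    """Deny by default. Allow when a held role is granted the operation on
    this resource kind (role-based), or when the principal owns the resource
    and the operation is listed in OWNER_OPERATIONS (resource-based)."""
    granted = ROLE_STORE.get((resource.kind, operation), set())
    if roles_for(principal) & granted:
        return True
    if resource.owner is not None and resource.owner == principal:
        return operation in OWNER_OPERATIONS.get(resource.kind, set())
    return False


def access_matrix(principals: Iterable[str],
                  resource_kinds: Set[str]) -> Dict[str, Dict[Tuple[str, str], bool]]:
    """The 'who can do what to which resource' table the post recommends
    working out, computed from the stores for un-owned resources."""
    matrix: Dict[str, Dict[Tuple[str, str], bool]] = {}
    for principal in principals:
        matrix[principal] = {}
        for (kind, operation) in ROLE_STORE:
            if kind in resource_kinds:
                matrix[principal][(kind, operation)] = is_authorized(
                    principal, Resource(kind), operation)
    return matrix


if __name__ == "__main__":
    for principal, cells in access_matrix(USER_STORE, {"Order", "PayrollRecord"}).items():
        allowed = sorted(f"{kind}:{op}" for (kind, op), ok in cells.items() if ok)
        print(f"{principal:6} -> {allowed}")
```

The matrix is worth generating from the stores rather than writing by hand: when the role store changes, the table of who can reach what changes with it, and a missing grant shows up as a denial instead of a silent allow.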
Our guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF, is now available in HTML.
Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF, formerly code-named "Indigo"). It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations, and insights from the field.
Download the guide
Contents at a Glance
Contributors and Reviewers
The key to making principles, patterns, and practices more effective is to have an organizing frame. While working on our patterns & practices WCF Security Guidance Project, we created the Web Services Security Frame for just such a purpose. We use the frame throughout the guidance to organize threats, attacks, vulnerabilities and countermeasures, as well as to organize principles, patterns, and practices.
Web Services Security Frame
Here's a snapshot of the frame (the power of the frame is that it's a durable, evolvable backdrop; in other words, you can shape it to your own purposes). You'll see this frame used throughout our upcoming guide. Notice that the categories serve as a pivot on which we can hang other viewpoints (threats/attacks, vulnerabilities, countermeasures).
Threats / Attacks Organized By the Web Services Security Frame
Vulnerabilities Organized by the Web Services Security Frame
Countermeasures Organized by the Web Services Security Frame
Thanks
Special thanks to Rudy Araujo and ACE Team members Richard Lewis and John Steer for their contribution toward helping shape a better frame.
My Related Posts
If you're building Web services or implementing SOA on the Microsoft platform, then you're probably either working with or exploring WCF (Windows Communication Foundation). When we started our patterns & practices WCF Security Guidance project, one of the first things I did was compile a list of WCF security resources for our team. This helped us quickly ramp up as well as see gaps. One thing that surprised me is how much is available in the product documentation, if you know where to look. Here's a preliminary look at our WCF Security resources index, which we'll include in our WCF Security Guide:
Documentation (MSDN Product Documentation)
Threats and Countermeasures
patterns & practices
Product Support Services (PSS)
MSDN Support WebCasts
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance. Practices At a Glance gives you a bird's-eye view of how to perform common tasks. They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs. Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving).
Categories
Here's how we grouped our WCF Security Practices at a Glance so far:
Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.
Auditing and Logging
Ken Blanchard spoke at Microsoft last week. He's all about empowering people, growing people, and helping everybody get an A. This post is my notes from the session.
Catch People Doing Something Right, Accentuate the Positive
I'm putting this right up front because Ken said if there was only one thing he could be remembered for, he would want it to be:
"Catch People Doing Something Right, Accentuate the Positive."
Random Highlights
Here's a sampling of some of the one-liners and insights from the session:
Philanthropy is the News Around the World
Ken travels the world and the big news he kept hearing about was philanthropy. Specifically, the news was focused on Bill Gates and Warren Buffett. The fact that Buffett trusts the Bill & Melinda Gates Foundation to help the world sends a powerful message.
4 Keys to Lead at a Higher Level
Ken framed out 4 keys to lead at a higher level:
Decide, Discover and Deliver
To treat your customers right, Ken provided a decide, discover, deliver approach:
Turn the Pyramid Upside Down
Turn the pyramid upside down. Have your team bring their brains to work vs. kiss up the hierarchy. Don't have them be ducks (who just quack excuses why they can't do this or can't do that). Empower them to be eagles who soar above the crowd.
A Fortunate 500 List According to Ken Blanchard
Ken suggested the idea of a Fortunate 500 list. A Fortunate 500 Company would have a triple bottom line and be a good citizen in the community.
Customers, Business, Employees (The Triple Bottom Line)
The triple bottom line includes:
Ken remarked that profit is the applause you get for taking care of customers and being a motivating place to work.
Organizational Vitality, Employee Passion, Customer Devotion
Ken outlined the keys to organizational vitality:
From Self-Leadership to Organizational Leadership
The journey of an effective leader starts with self-leadership (who you are) and progresses to organizational leadership:
Ken noted that one of his favorite mantras is -- none of us is as smart as all of us.
3 Skills of a Situational Leader
Ken identified 3 skills of a situational leader:
The 4 D's (Development Level)
The four development levels vary by competence and motivation. If you can identify which development level somebody is in, you can use the right leadership style:
4 Leadership Styles
The four leadership styles range from directing to delegating:
Your leadership style varies by how you need to teach skills and provide motivation. You match your leadership style based on the development level.
More Supporting, Less Delegating
Ken noted that the most common style in tech is delegating (telling folks what to do), but that it only works if you have self-reliant achievers. He said in lots of situations where somebody fails, it's because the leader didn't spend enough time supporting. For example, somebody might be great at sales, but poor at administration, and could use more support.
Don't Be a Seagull
Ken described the seagull-type manager:
Yuck! Don't be a seagull.
How to Manage Effectively
Ken gave us a recipe for managing effectively:
Leadership vs. Management
When a colleague asked Ken about his thoughts on the difference between leadership and management, he said he doesn't get involved in the debate. He doesn't think management should play second fiddle.
Don't Rank Employees on a Bell Curve
Ken made a few key points against ranking employees on a bell curve:
Help Everybody Get A's
Ken's recipe for results is:
Share Them With Your Competition
What happens if you help people get A's but they don't get A's:
From Self-Serving Leaders to Servant Leadership
Ken gave us three ways that somebody moves from a self-serving leader to servant leadership:
Basically it's life-changing events or by following an example.
Egos Anonymous
There are two ends of the spectrum with ego issues:
The problem with ego issues is that the world spins around you. Ken said the key is to put the focus somewhere else. When you put the focus on something else, the fear goes away.
Ken told us about "Egos Anonymous" meetings. He said at the meetings, people introduce themselves with "I'm an ego maniac, the last time my ego got in the way ..."
The irony is, everybody wants to go last to be more clever, funnier -- and that's an ego thing.
Bigger Emphasis on Results or Developing People?
Ken pointed out that it's not an either/or, it's a both/and. The keys are:
The Secret of Great Leaders
Ken told us the secret of great leaders:
You're Learning or Dying
Ken told us we're learning or dying:
SERVE - What Great Leaders Know and Do
Ken explained that SERVE is what great leaders know and do:
Leadership is Love
Ken told us leadership is love:
How To Implement the Program
Ken said he's seen remarkable impact when organizations apply the knowledge. He said there are three keys:
Wrap Up
At the end of the talk, I met Ken and he signed my copy of The 3 Keys to Empowerment. What surprised me the most was how down to earth and engaged in the moment he was. I thanked him for teaching people situational leadership. I asked him where the II part came from in Situational Leadership II and he told me the story of the split. I told him it would be great to be able to read stories like that in his blog, if he had one.
3 Actions
As a habit, I challenge myself to turn what I learn into three things I can apply. There's always more I can do, but I start with three. Here they are:
If you need to make an important decision, the following can help:
For example, when I was giving input on hiring our PUM, I identified the following criteria:
I then assigned a weighting. For example:
I rated the candidate against each criterion and then multiplied by the weighting. This gave me a quick frame to compare different candidates as well as have more meaningful dialogues with others. The actual numbers were less important than testing and clarifying criteria.
We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.
WCF Security How Tos
Each month I pick a focus or a theme for my improvement sprint. I find it's easier to start and stop a new sprint each month, rather than start in the middle of a month and try to remember when to stop. I also like the fact that each month is a fresh start. Cycling through a new improvement sprint each month gives me 12 sprints I can allocate to whatever I want or need to focus on. This keeps me learning and growing throughout the year in a simple, but systematic way. Each month I can do another sprint on the same topic or pick a new area to explore. Periodically, I try to inject an improvement sprint that focuses on something physical. For example, last year I did a living foods improvement sprint and in another sprint I worked up to roller-blading 15+ miles a day.
Here's the improvement sprints I've done so far this year:
Sometimes I'll do more than one sprint for a month, but in general I try to stick with one theme. The power of the sprint is the focus. It's easier for me to stay focused when I remind myself I can switch focus each month.
What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.
To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.
Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.
For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.
The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.
Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.
Categories
Our WCF Security guidelines are organized using the following buckets:
Impersonation and Delegation
For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.
The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.
WCF Security Application Scenarios Intranet
Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e., you aren't using Membership).
My Related Posts
If you know the underlying principles for security, you can be more effective in your security design. While working on Improving Web Application Security: Threats and Countermeasures, my team focused on creating a durable set of security principles. The challenge was to make the principles more useful. It's one thing to know the principles, but another to turn it into action.
Turning Insights Into Action
To make the principles more useful, we organized them using our Security Frame. Our Security Frame is a set of actionable, relevant categories that shape your key engineering and deployment decisions. With the Security Frame we could quickly find principles related to authentication, authorization, input validation, and so on.
Once we had these principles and this organizing frame, we could then evaluate technologies against it to find effective, principle-based techniques. For example, when we analyzed doing input and data validation in ASP.NET, we focused on finding the best ways to constrain, reject, and sanitize input. For constraining input, we focused on checking for length, range, format and type. Using these strategies both shortened our learning curve and improved our results.
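As an added example (not code from the guide or from the ASP.NET analysis), here is the constrain, reject, sanitize sequence in Python, applied to a constructed order form: each field is checked for length, format, type and range against an allow-list schema, a known-bad deny-list is kept only as a backstop, and free text is HTML-encoded for the output context. The schema, patterns and sample input are constructed for illustration.

```python
"""Added example (not from the guide): the constrain / reject / sanitize
approach applied to a constructed order form. Schema, patterns and the
sample input are made up for illustration."""
import html
import re
from typing import Any, Dict, Optional


class ValidationError(ValueError):
    """Raised when a field fails a constraint; the message names the field."""


# Allow-list schema (constrain): every field is checked for length, format,
# type and range before it is used. Constructed for this example.
SCHEMA: Dict[str, Dict[str, Any]] = {
    "quantity": {"type": int, "min": 1, "max": 100},
    "zip":      {"type": str, "max_len": 10,
                 "pattern": re.compile(r"\d{5}(-\d{4})?")},
    "note":     {"type": str, "max_len": 200},
}

# Known-bad patterns (reject). A deny-list is only a backstop behind the
# allow-list above; it never replaces it.
REJECT_PATTERNS = [re.compile(r"<\s*script", re.IGNORECASE)]


def constrain(raw: Dict[str, str]) -> Dict[str, Any]:
    """Check length, format, type and range against SCHEMA; fail closed on
    missing or unexpected fields."""
    unexpected = set(raw) - set(SCHEMA)
    if unexpected:
        raise ValidationError(f"unexpected field(s): {sorted(unexpected)}")
    cleaned: Dict[str, Any] = {}
    for name, rule in SCHEMA.items():
        if name not in raw:
            raise ValidationError(f"{name}: missing")
        value = raw[name]
        if not isinstance(value, str):
            raise ValidationError(f"{name}: expected a string from the request")
        if "max_len" in rule and len(value) > rule["max_len"]:           # length
            raise ValidationError(f"{name}: longer than {rule['max_len']}")
        if "pattern" in rule and not rule["pattern"].fullmatch(value):    # format
            raise ValidationError(f"{name}: bad format")
        try:                                                              # type
            typed = rule["type"](value)
        except ValueError:
            raise ValidationError(f"{name}: not a valid {rule['type'].__name__}")
        if "min" in rule and typed < rule["min"]:                         # range
            raise ValidationError(f"{name}: below {rule['min']}")
        if "max" in rule and typed > rule["max"]:
            raise ValidationError(f"{name}: above {rule['max']}")
        cleaned[name] = typed
    return cleaned


def reject(cleaned: Dict[str, Any]) -> Dict[str, Any]:
    """Deny-list backstop over values that already passed the allow-list."""
    for name, value in cleaned.items():
        if isinstance(value, str) and any(p.search(value) for p in REJECT_PATTERNS):
            raise ValidationError(f"{name}: contains disallowed content")
    return cleaned


def sanitize(text: str) -> str:
    """Sanitize for the HTML output context: encode rather than strip, so the
    data round-trips intact and markup characters cannot render."""
    return html.escape(text, quote=True)


def process_order(raw: Dict[str, str]) -> Dict[str, Any]:
    """Constrain, then reject, then sanitize the free-text field."""
    cleaned = reject(constrain(raw))
    cleaned["note"] = sanitize(cleaned["note"])
    return cleaned


def validation_error(raw: Dict[str, str]) -> Optional[str]:
    """Return the failure message for raw input, or None when it passes."""
    try:
        process_order(raw)
    except ValidationError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    sample = {"quantity": "3", "zip": "98052", "note": "Leave at <door>"}  # constructed
    print(process_order(sample))
    print(validation_error({"quantity": "abc", "zip": "98052", "note": ""}))
```

The order matters: constraining first means the deny-list only ever sees typed, length-bounded values, and encoding at output rather than stripping on input keeps the data intact while removing the markup's meaning.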
Core Security Principles
We started with a firm foundation of core security principles. These influenced the rest of our security design principles. Here are the core security principles we started with:
Frame for Organizing Security Design Principles
Rather than a laundry list of security principles, you can use the Security Frame as a way to organize and share security principles:
Auditing and Logging
Here are our security design principles for auditing and logging:
Here are our security design principles for authentication:
Here are our security design principles for authorization:
Here are our security design principles for configuration management:
Here are our security design principles for cryptography:
Here are our security design principles for exception management:
Input / Data Validation
Here are our security design principles for input and data validation:
Here are our security design principles for sensitive data:
Here are our security design principles for session management:
Using the Security Design Principles
This is simply a baseline set of principles so that you don't have to start from scratch. You can build on this set and tailor it for your specific context. I find that while having a set of principles helps, you can't stop there. To share the knowledge and help others use the information, it's important to encapsulate the principles in patterns as well as show concrete examples and create precise, actionable guidelines for developers. Personally, I've found Wikis to be the most effective way to share and manage the information.
Dr. Stephen Covey presented at Microsoft today. It’s one thing to know the information; it’s another to experience the delivery live.
This post is a bit longer than usual, but hey, it’s not every day that Covey is in the house. Here are some of my highlights from today’s session.
The Lighthouse Story
Covey opened with a story of Captain Horatio Hornblower. As the story goes, one night at sea, Horatio awakens to find that a ship is in his sea-lane about 20 miles away and refuses to move. Horatio commands the other ship to move starboard, 20 degrees at once. The other ship refuses and tells Horatio that he should move his ship starboard, 20 degrees at once. Next, Horatio tries to pull rank and size on the other ship, stating that he’s a captain and that he’s on a large battleship. The other ship replies, and it turns out it’s not actually a ship, but a lighthouse.
The takeaway from the story is, there are lighthouse principles. You don’t break them. You only break yourself against them. Don’t break yourself against lighthouse principles.
Values and Principles
Covey distinguished values from principles:
The key takeaways are:
Personal Mission Statement
Covey asked us whether we had personal mission statements. Some folks raised their hands. He then asked us how many have them written down. A lot fewer kept their hands raised. I kept my hand raised because I happen to have my personal mission statement written down. My personal mission statement is, “To find the best way for any person to succeed in any situation.” I tie this back to work, where I try to help customers be as effective as possible, building on the Microsoft platform.
Family Mission Statement
Covey then challenged the audience: do we have mission statements for our families? That one made me think. He then challenged, if you asked your loved ones, would they know it? Now there’s a good test!
He challenged us to go home and ask, “What’s the purpose of our family?” He warned us though, that our families will know that we’ve been seminar’ed!
Write and Visualize to Imprint on Your Subconscious
Covey reminded us that writing down your mission imprints it in the subconscious mind. He added that visualizing also imprints on the subconscious mind.
The takeaway is that you should write and visualize your mission statements.
Keys to a Mission Statement
Covey put it succinctly that a good mission statement is:
Why a Mission Statement
Covey told us that the power of a mission statement is that it governs every other decision.
Sean Covey
Covey introduced his son, Sean Covey. Sean wrote The 7 Habits of Highly Effective Teenagers and The 6 Most Important Decisions You Will Ever Make. When Covey introduced Sean, he also mentioned a 49th grandchild on the way. 49 … WOW! That’s quite the impressive team.
Point to True North
Covey had us close our eyes and point to true North. When we opened our eyes, it was obvious there was little consistency. He said he gets similar results when he asks any department, group, or team, “what’s your purpose?”
Urgent But Not Important
Covey asked us how many struggle with work/life balance. Many hands went up. He then asked us what we think is the percentage of time we spend on things that are urgent, but not important.
He said people often report they feel they spend 50% of their time on urgent, but not important tasks. Why is that? Covey stated it’s because everybody defines purpose differently.
Office Politics and Dysfunctional Activities
Covey asked us how much time people spend in office politics. By office politics, he meant reading the tea leaves, dealing with hidden agendas, fighting cross-group conflict, etc. The data says that 75% of people claim they spend 25% of their time on these things. 25% say that 50% of their time is spent in dysfunctional activities. Urgency replaces important activities.
The key takeaway is that people feel they spend a lot of time on dysfunctional activities.
Six Metastasizing Cancers (Victimism)
Covey showed us a slide that listed what he called the Six Metastasizing Cancers:
The takeaway here is that these are ineffective behaviors and you end up acting like a victim.
Are You Utilized to Your Full Potential?
Covey asked us whether we can use our full talent and capacity in our organization. He then asked us whether we feel the pressure to produce more for less. The point here was to emphasize how there’s a demand for greater results, but that we’re not necessarily utilized to our full potential.
It’s Not Behavior, It’s Not Attitude … It’s a Bad Map
Covey gave us a scenario where somebody gets a map of Seattle. The problem is, the map maker made a mistake. It’s not really a map of Seattle. It’s a map of Oregon. With this map, you can’t even make it out of the airport. There isn’t one corresponding point.
Trying harder isn’t the answer. If you double your speed, now you’re lost twice as fast. Thinking negatively isn’t the problem. Covey said some people might try to use a PMA (Positive Mental Attitude). Well, that doesn’t help either. Now you’re all psyched up, but really you are just happy and contented in a lost state.
The takeaway here is that it’s not behavior and it’s not attitude. It’s a bad map.
Self-Educating
Covey told us that we need to be self-educating. School taught us how to learn, but we need to continue to learn. He said we need to be willing to pay the price to be self-educating, which includes being systematic and disciplined.
Industrial Age vs. Knowledge Worker Age
Covey pointed out that 20 years ago, it was about goods and services. Today, it’s about knowledge workers.
Expenses and Assets
Covey asked us what we are called in spreadsheets. He said that in spreadsheet and financial accounting, people are called expenses and cost centers, while things like microphones, tools, and machines are called assets. He said this is left over from the industrial age.
Finding Your Voice
Covey asked how you help people find their voice. You ask them: What are you good at? What do you love doing? What is your greatest unique contribution?
The key is finding a voice that meets a human need.
Inspiration Over Jackass Theory
The Jackass Theory refers to the carrot and the stick. Covey asked us what kind of supervisor you need when you have a job that you are passionate about, that uses your talents, and where you feel you are appreciated.
People are volunteers. You want them to contribute their greatest, unique contribution.
Keys to an Effective Large Team
Covey outlined the keys for effective large teams:
One person may represent the group, but accountability is to the team versus the boss. Accountability to the team versus an individual is a knowledge worker concept.
How To Find the Win/Win Performance Agreement
Covey suggested an approach for finding the Win/Win for teams and organizations in terms of performance:
When you have that, you have a win/win. The key is to have a win/win performance agreement where it is mutually beneficial between the individual and the organization. The individual should be able to use their full talent and passion (their voice).
Information is the Knowledge Worker's Disinfectant
Covey mentioned that light is the greatest disinfectant in nature. For the knowledge worker, it’s information. For a knowledge worker to be effective in a team, they need information, they need the criteria for success, and they need to be accountable to the group.
The Whole Person
According to Covey, the whole person includes four parts:
Control Paradigm to a Whole Person Paradigm
Covey reminded us that today’s workforce is about directed autonomy. You manage things that can’t choose. You lead people. People have the ability to choose.
Keeping Top Talent
Covey told us about how Admirals in the Pacific were losing people to better paying jobs. There was an exception. Covey got to meet the group that kept their top talent. The keys to a committed group included:
Indian Talking Stick Communication
Covey shared a technique for improving empathic listening. It’s the Indian Talking Stick:
You don’t need to use an Indian talking stick. You can use any object. The value of the object is that you don’t get it back until the other person feels understood.
Industrial Age Concepts
Throughout the session, Covey made reference to some "industrial age concepts":
Lighthouse Principles
Throughout the presentation, Covey referred to some lighthouse principles that govern behavior:
Continuum of Communication
Covey showed us a continuum of communication that moves from hostility and transaction-based communication to transformation:
Empathic Listening is the No. 1 Communication Skill
Covey stated that communication is the number one skill in life. He went on to say that empathic listening is the number one communication skill. Covey explained that empathic listening is listening within the other person’s frame of reference. The key is to listen until the other person feels heard and understood.
Empathic Listening Over Telling and Selling
A satisfied need no longer motivates. Covey used the example of air: it’s a satisfied need. When the other person feels heard and understood, it’s more likely they will listen to you and that you can seek a better solution that’s mutually beneficial. You are no longer telling and selling.
Our Experience is the Lens We Use to Interpret Life
Covey showed the audience three pictures. One half of the audience looked at the first picture. Next, the other half of the audience looked at the second picture. Then the full audience looked at a third slide which was a composite of the first two slides. Which of the pictures you saw first influenced what you saw in this third picture.
The key takeaway here was that what you saw was influenced by your experience and that rather than impose your view, first understand the other person’s perspective; there’s a good chance you’re both right! (This is a good case where the Indian Talking Stick could come in handy.)
Resolving Conflict By Finding the Third Alternative
Covey shared a technique for resolving conflict that works for him in 95% of the cases he runs into around the world. Here are the key steps:
The key here is to listen to the other person first and listen empathically. The proactive part here is that you can choose to listen to the other person first (seek first to understand, then to be understood).
Listening to Loved Ones
One of the audience members asked for advice on counseling a loved one. Covey responded with the following solution:
The key here, Covey mentioned, is that most people will not pay the price of listening empathically.
7 Habits of Highly Effective People
Covey shared a slide that framed out the seven habits of highly effective people in terms of private victory, public victory, dependence, independence, and interdependence.
Habits 1, 2, and 3 are the foundation for private victories and integrity. Habits 4, 5, and 6 are the keys to public victories.
Peace of Conscience Over Peace of Mind
Covey made a distinction between peace of mind and peace of conscience. He explained that integrity is more than honesty. Integrity means that if you make a promise, you keep it. If you’re honest, you might have peace of mind, but if you don’t have integrity, then you won’t have peace of conscience. You have peace of conscience by avoiding duplicity.
Loyalty to the Absent
Covey made his point very simply: only talk about people as if they are there. You can be critical, but speak as if they were there in front of you. Don’t bad-mouth them behind their back and then sweet-talk them to their face. This is a lack of integrity and creates deep duplicity inside you. This inhibits your ability to have peace of conscience.
Use I Messages Over You Messages
Meet with the people you have a problem with directly. Practice the following:
Genuine Happiness
Covey said the key to genuine happiness is to develop integrity. The key to developing integrity is the first three habits (your Private Victories):
Greek Philosophy of Influence
Covey shared the three parts of the Greek philosophy of influence:
You Are the Creative Force of Your Life
Covey challenged us to be a creative force:
1. Get out of victimism. You’re not a victim of your circumstances.
2. You are the creative force of your life.
Empathize first. Grow your circle of influence. Make tremendous impact.
The Most Important Thing You’ll Ever Do
Covey closed with a powerful message we could take away:
The most important thing you’ll ever do is in the four walls of your own home.
Personally, I want to make more use of the Indian Talking Stick Communication technique, particularly at some of my more vibrant meetings.
We published an updated set of our WCF Security application scenarios yesterday, as part of our patterns & practices WCF Security guidance project. Application Scenarios are visual "blueprints" of skeletal solutions for end-to-end deployment scenarios. Each application scenario includes a before and after look at working solutions. While you still need to prototype and test for your scenario, this gives you potential solutions and paths at a glance, rather than starting from scratch. It's a catalog of application scenarios that you can look through and potentially find your match.
Intranet
Common Intranet patterns:
Internet
Common Internet patterns:
One Size Does Not Fit All
We know that one size doesn't fit all, so we create a collection of application scenarios that you can quickly sort through and pattern match against your scenario. It's like a visual menu at a restaurant. The goal is to find a good fit against your parameters versus a perfect fit. It gives you a baseline to start from. They effectively let you preview solutions before embarking on your journey.
How We Make Application Scenarios
First, we start by gathering all the deployment scenarios we can find from customers with working solutions. We use our field, product support, product teams, subject matter experts, and customers. We also check with our internal line of business application solutions. While there are a lot of variations, we look for the common denominators. There are only so many ways to physically deploy servers, so we start there. We group potential solutions by big buckets.
In order to make the solutions meaningful, we pick a focus. For example, with WCF Security, key overarching decisions include authentication, authorization, and secure communication. These decisions span the layers and tiers. We also pay attention to factors that influence your decisions. For example, your role stores and user stores are a big factor. The tricky part is throwing out the details of customer specific solutions, while retaining the conceptual integrity that makes the solution useful.
Next, we create prototypes and we test the end-to-end scenarios in our lab. We do a lot of whiteboarding during this stage for candidate solutions. This is where we spend the bulk of our time, testing paths, finding surprises, and making things work. It's one thing to know what's supposed to work; it's another to make it work in practice.
From our working solution, we highlight the insights and actions within the Application Scenario so you can quickly prototype for your particular context. We then share our candidate guidance modules on CodePlex, while we continue reviews across our review loops including field, PSS, customers, product team members, and subject matter experts.
Our patterns & practices WCF Security Guidance Project is in progress on CodePlex. This is our first release of prescriptive guidance modules for WCF Security.
How Tos
Our How Tos give you step by step instructions for performing key tasks:
Videos
Our videos step you visually through key guidance:
About WCF
Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services. It unifies the programming models for ASMX, Enterprise Services and .NET Remoting. It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ. WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards. With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting. For more information, see the MSDN WCF Developer Center.
About the Project
WCF provides a lot of options and flexibility. The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly. At a high level, you can think of the project in terms of these main buckets:
The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.
How do you identify the bull's-eye among your stakeholders? Nothing's worse than finishing a project and missing the mark you didn't know was there. At patterns & practices, one of our effective project practices is to use "tests for success" to help avoid this scenario.
What are Tests for Success
"Tests for success" are the prioritized success criteria that the stakeholders agree to. It's basically a set of test cases that, if the project passes, the project is perceived as a success. They help clarify outcomes and priorities.
Example Tests for Success
Here's an example of "tests for success" from one of my projects:
Stakeholders for the project created and prioritized this list, with prompts from the project team. This exercise helped clarify a lot of ambiguity as well as do a level set for the team.
How Can You Use This
Whether it's a personal project or a project at work, you can create your own tests for success. I think a small list of the vital few works better than a laundry list. Phrasing the tests as one-liner questions makes them easy to create and use. Here are some prompts to trigger your own tests for success:
When you're in the thick of things, you'll appreciate having a small set of criteria to go back to and help keep you and everyone involved on track.
Have you ever been on a project where key stakeholders don't have skin in the game, but they have a controlling vote? This is a bad situation. It's like multiple backseat drivers, except they won't be there if the car crashes. What's the solution? You turn chickens into pigs!
The Chicken and the Pig
You may have heard the story about the chicken and the pig. The chicken says to the pig, "We should start a restaurant." The pig asks, "What would we serve?" The chicken responds, "Bacon and eggs!" The pig says, "No thanks!"
The point of the story is that the pig is "committed" while the chicken is "involved."
The Solution
Recognizing the situation is more than half the battle. When you've identified that chickens have controlling votes over pigs, your options include:
How can you differentiate what you do? This can be particularly difficult in problem spaces that seem over-crowded. It helps if you have a frame. One of my mentors gave me a useful lens for differentiating that helps solve this problem.
Problem, Approach, or Implementation
You can differentiate based on problem, approach, or implementation:
If you differentiate at the problem you solve, it's good to be able to call that out. If you solve the same problem, but use a different approach, unless it produces a big difference in results, it's probably not worth it. If you differ only by implementation and the experience or results aren't valued by the customer, again, it's probably not worth it.
Using the Frame for Differentiation
First identify whether you differentiate at the problem, approach, or implementation. Next, determine whether the level at which you're differentiating is worth it. For example, consider safety among automobile makers. Volvo's approach to safety stands out. They work the same problem but differentiate by approach.
By having clarity around where you differentiate, it's easier to communicate your deltas in a meaningful way to others.
Example
At Microsoft, when I tackle a problem that's been "solved" before, I use the frame as a lens to quickly find the useful differentiation. For example, doing security reviews wasn't a new problem. However, changing the approach by using inspections and building a set of reusable criteria from a team of experts changed the game. Using criteria based on principles and patterns, and then organizing the criteria within a frame of actionable categories, produced exponential results for all of our customers that adopted the approach. Old problem, new approach, great results.
What is your life frame? What are the key buckets in your life that you need to balance across? If you have a frame, you can balance your life through thick and through thin. If you have a life frame, you can more thoughtfully allocate your time and energy for maximum results. More importantly, when things aren't going well, you have a tool to help you spot where you are not investing enough.
Life Frame
This is a baseline of your personal portfolio of your most important assets:
Note - if those buckets don't work for you, change them. It's a starter set.
I've been sharing this life frame with those I coach, and some colleagues and they've found it helpful, so now I'm sharing it more broadly. It's a great starting point when you're not getting what you want out of life.
Spread Your Energy and Time Across Your Buckets
Spread your energy and time across them. If your current investment's not working, turn up the dial on some. If you're stuck in one area, then try turning up another. For example, if you're not getting the results you want at work, then crank up your relationships dial. Remember that with this portfolio, the sum is more than the parts. It's the net effect.
What Can Happen When You Don't Use the Frame
When I first got to Microsoft years ago, I didn't have this frame. Sure, I knew about these areas of my life, but I didn't have the mental model of a portfolio. Instead, all I knew was that I would throw all my energy and hours at my career bucket. To put that in perspective, 80, 90, 100+ hours a week. The problem is I consistently got rated highly and produced results. But at what cost? Well, if you spend 100+ hours in one bucket, guess how much energy you're spending in others? Granted, some buckets overlap, but I'm talking about when you really shine the spotlight on them.
Improve Your Approach Over Spend More Time
Time is a limited resource. So is your energy. Interestingly, while working on performance modeling, the light bulb went off. If I carve out a minimum for some buckets and a maximum for others, it would be a forcing function. What's the maximum I would throw at my career bucket? 60? 50? 40? Timeboxing my career bucket forced me to identify the real value of all my work and to heavily prioritize. It also forced me to find the most effective principles, patterns and practices for project management, personal productivity, running high-performance teams, ... etc. Which is better ... more time at the problem? ... or better techniques, more value, and a sustainable pace?
Set Boundaries (Minimums and Maximums)
The real lesson is that if you don't first set your boundaries, then you never really have a way to prioritize. For example, if you allocate fifty hours to your career bucket weekly, now you know how much to bite off at a time. Otherwise, you'll just work until everything's done, but there's always something more to do. Priorities, focus, and value are your friends.
As another example, I now continuously invest in my relationships bucket. For example, each week I have lunch with an old friend, and lunch with someone new. At Microsoft, and in life, it's what you know and who you know.
How To Use This
To get started, just put these categories on your whiteboard or a pad of paper. Take a look across your portfolio and figure out your current investments in time and energy. Look at your results. How well are you balancing? If you're on track, great. If not, try increasing your investment in some areas and lowering it in others. The goal is to improve the quality of your life. If you want to really put some focus in an area, try a 30 Day Improvement Sprint.
I know success means a lot of things to a lot of people. My favorite definition is "success is when the response meets the challenge."
How do you make the most of any situation? Figure out whether you need to adapt, adjust or avoid.
Adapting to the Situation
Adapting to the situation means changing yourself for the situation. While flexibility is good, you need to be careful. You can trade your less effective behaviors, but don't adapt to the situation in a way that takes away your strengths. You'd be better off finding a situation where you can play to your strengths.
Adjusting the Situation
Adjusting the situation means changing the situation to suit you. Sometimes this is the best option, particularly if you can set it up to play to your strengths. For example, when you take on a project, can you get the right people on board who complement your abilities?
Avoiding the Situation
Sometimes this is the best path. Learn to spot the situations where you don't do well. This is my caution. Because I turn any situation into a learning opportunity or challenge, I need to know when it's low ROI. Life's too short to spend energy in low ROI situations.
Self-Awareness is the Key
If you know your personal strengths and passions, this is your key to success. You avoid adapting to situations that take away your strengths. You learn to set up situations in a way that you succeed. You learn the situations that you should avoid.
How do you get the people on your side or inspire a vision or change the world? First win the heart. I'm blogging on this because it's a lesson I've learned that shows up in so many ways, time and again. I see it in thought leaders. I see it in people leaders. I see it in everyday, conversational exchange. This is one of those ah-ha's that when it sinks in, you find opportunities to apply it every day to improve your effectiveness.
Connecting at the Heart vs. Connecting at the Intellect
If you connect at the heart, the mind follows. Interestingly, if you connect at the intellect, you may not necessarily get the heart to follow.
Go For the Heart
If you have great ideas, but people aren't on board, chances are you've been ignoring the heart. Change your approach. One way to invoke the heart is to address core values: loyalty, commitment and contribution, individual worth and dignity, and integrity.
Example
One of my former leaders is known for inspiring people. For example, whenever I would tell him about a project, he would first ask me how I was going to change the world and who the dream team would be to make it happen.
While he couldn't always get me the dream team, he first focused on a compelling vision and that was inspirational. Where the heart goes, the mind follows. In fact, in many cases I was able to get the dream team, because of the emotional commitment to make it happen. Inspired visions trump purely intellectual ones.
Posts with Pictures
While studying effective blogging practices, I noticed a success pattern. The pattern is to start your post with a picture. Ironically, I fought this pattern because the engineer in me wants efficient, effective value in text. So do a lot of engineers. However, many don't.
Choosing the right picture can cause your readers to have an emotional reaction to your information, and draw them into your post. If you don't believe me, take a look at Alik's post Glue Audience To Your Presentation With ZoomIt. Tell me that picture doesn't get you curious? While your picture should be relevant, it should also cause your readers to feel something, and have a reaction. An extreme anti-pattern is to use pictures to trick readers into your posts.
It Works On You
If you know this, you can inspire yourself. Rather than smart talk yourself into something, try winning over your heart first. How can you get leverage on yourself? What inspires you? Win your heart and your mind will follow.
How do you pick the right theme for your blog? The challenge is that it's not a linear decision and it requires satisficing to balance content, function, and design ("look and feel"). As part of my research on effective blogging, I've been analyzing themes. I’ve literally evaluated more than 2,000 themes and heavily modified more than 20. I see a lot of patterns now. I've decided to share my lessons learned, since they might save you considerable time.
Summary of Lessons Learned
Here's a summary of my key lessons learned:
Vital Factors in Your Blog Theme
It's the sum of the parts that creates your overall blog theme impact. Part of the problem that cost me so much time is I didn't know what to look for at first. I had to go through hundreds of themes before I started to see patterns that made some themes more effective than others. The other thing that cost me so much time is that it's a combination of factors over any one thing. The overall look and feel is the sum of the parts. Here's what I found to be key factors in overall look and feel:
Key Blog Features
Here's a quick list of the features that my focus group seemed to care about the most:
How I Did My Research
My research was pretty basic, but time consuming and challenging, particularly because there are a lot of variables and not much prescriptive guidance that I found actionable. Here's what I did:
Key Galleries I Explored
I explored several galleries, but here are a few of the key ones:
Key Themes I Tested
While I tested a lot of themes, here are a few key ones that stood out:
How I'll Use This
This has definitely shaped my perspective on blog themes. It's night and day from when I first evaluated themes. Knowing what to look for helps me test and experiment faster. I now have a more systematic way of figuring out why some blog themes work and why some don't. I'll be helping some colleagues with their blog themes and I'll be using what I learned as I launch new blogs.