Some 2012 projects / plans

Following on from my brief overview of progress during 2011 I thought I would share some of the projects I’ll be undertaking during 2012.  This will give anyone reading this blog an idea of some of the likely content that will appear during this year on top of general thoughts and some book reviews.

1. Complete my masters, which assuming I have passed my most recent module means choosing and completing my project.  Based on the university schedule the bulk of this will be completed between April and September.  Now to decide on a topic!

2. Lead (co-chair) the Cloud Security Alliance – Security as a Service working group through the delivery of the planned implementation guides covering each of the categories detailed in the white paper we published in 2011.

3. Become a lot more familiar with the Xen hypervisor, in addition to the VMware products, in order to better assess virtualisation options for both desktops and servers.  This is for a combination of reasons around expanding my knowledge and better understanding the options around Xen (open source and Citrix variants) and VMware and the various virtual desktop solutions.  Also with people like Amazon and Rackspace using Xen it must be worth a closer look.

4. Having recently done some study around secure coding I’ve been prompted that I should probably brush up my scripting skills, so I plan to put a little time into Perl this year.

…  Likely a few other things will be added around architecture, potentially some further study / research, databases and security, but these have yet to be finalised and I need to be realistic about what I’ll achieve this year.  I’d rather do less well than try to do too much and not be satisfied with the results!

Expect to see blog posts on the above topics throughout this year, feel free to email or comment if there are any specific areas you would like detailed blog posts on.

K


2011 review

As is often the tradition I thought I would start the year with a couple of posts covering an overview of some key points from the last year, and some planned projects for this year.

As I am sure you have guessed this post will be a brief review of 2011 from a study / career / research perspective.

2011 was a pretty busy year with cloud security research, masters work and finally realising my previous role was no longer offering much/any challenge; culminating in moving to a new role at the end of the year / start of 2012.

From a study perspective I completed two more MSc modules:

– Wireless mobile and ad-hoc networking

– Secure systems programming

Assuming I pass the secure systems programming module (final piece of coursework was completed 9/1/12) there is ‘just’ the project left to complete in order to finish my masters.

Also on a study front I achieved a couple of certifications:

– ISSAP (Information Systems Security Architecture Professional).  This is a secure architecture addition to the CISSP (Certified Information Systems Security Professional).

– British Computer Society Enterprise and Solutions Architecture certificate.

So all in all a successful and reasonably productive year from a study / certification perspective, especially if I have managed to pass the secure coding module!

From a career perspective I had been looking around within my previous company for a little while but decided that I was stagnating in my previous role so it was time to look outside in order to move on.  The good news is I was successful, being offered a considerably improved role as a Senior Systems Architect with Canada Life that I started 3/1/12.  I’ll update on how this is going and any non-proprietary technologies / projects I am working on in upcoming posts.

From a research / general learning perspective 2011 was the year of the cloud.  As anyone who has read this blog knows I have been very involved in work defining Security as a Service (SecaaS) with the Cloud Security Alliance, chairing the research group on this topic.  This has resulted in a paper being published and SecaaS being added as a new domain to the CSA guidance.

I’ll follow this post with one detailing some of my plans and projects for 2012.

K


BCS / ISEB Certificate in Enterprise and Solution Architecture

This week I attended the BCS (British Computer Society, that refers to itself as ‘The Chartered Institute for IT’) ISEB (Information Systems Exam Board) ‘Certificate in Enterprise and Solution Architecture – Intermediate’ four day course and exam.  I’ll share my thoughts and impressions of the course and exam.

On the first day my hopes of the week being useful were actually low, as with many of these courses the main purpose was clearly about learning by rote the facts required to pass the exam.  While this did indeed turn out to be true, the course turned out to be a lot more useful than expected.

This was due to a combination of factors:

– the instructor / tutor we had was actually very knowledgeable around the various architecture frameworks / ontologies such as TOGAF and Zachman.

– interaction with peers from a variety of industries and backgrounds.  As with any course / conference this is one of the key benefits as it gives you the opportunity to gain a wider viewpoint and see how developers and business analysts etc from different industries view architectures / business issues and what their concerns are.

– As the exam itself is largely about architect roles, frameworks and how they link together, the course provides a good insight and overview of some of the most common frameworks and how the different terminologies used relate to each other.

If you want to know more about the course and topics covered, or just gain a greater insight into enterprise and solution architecture terminology, then the web site maintained by our tutor is a great starting point:

http://grahamberrisford.com

Which also gives a clue as to his name.  If you do want to do the course and are UK / London based I’d recommend choosing a course with him instructing if you can, as he has many years’ experience in IT and the course material.  Graham also has some strong ideas and opinions which made for some great classroom debates.

I’d recommend this course to anyone wanting to improve their knowledge of enterprise / solution architecture frameworks, tools and terminology whether this is to aid a career in architecture, or just to better understand the concerns and considerations of the architects you work with.  Don’t get me wrong, the overall material is pretty dry as is the case with many courses around frameworks and terminology etc. but overall this course was well worthwhile.

Onto the exam – there is not a lot to say here, it is a one hour, forty question multiple choice affair.  If you have paid attention in the class and have a reasonable understanding of the reference model (the pdf can be freely downloaded from the BCS web site, or use the slides covering it from Graham’s site), you should find the exam pretty easy, he says not having yet received confirmation of passing it!

K

ISSAP – Information Systems Security Architecture Professional

So, I recently received confirmation from the ISC2 (International Information Systems Security Certification Consortium) that I passed the ISSAP exam.   This is a secure architecture concentration in addition to the CISSP (Certified Information Systems Security Professional) certification.

While I believe this should be a worthwhile addition to my CISSP and of course my CV, while also helping progress my current role, I felt I should write a post about my preparation for the exam.

As with the CISSP (Certified Information Systems Security Professional) the best way to be prepared is to have a solid grounding in the subject matter – e.g. IT security and technical / solutions architecture.  Indeed several years of industry experience is a prerequisite for obtaining these certifications.

Also as with the CISSP I chose to cover off the bulk of the revision by using the ISC2 recommended course text.  With the CISSP I used the well regarded Shon Harris ‘CISSP all in one guide’ that was well written and very comprehensive.

For the ISSAP I used the ISC2 Official study guide to the CISSP-ISSAP.  Currently this is the only book specifically for the ISSAP exam that claims to cover all aspects of the exam.  Personally I found this book to be very badly written and hard to read.  The first chapter must have used the phrase ‘Confidentiality Integrity Availability’ in almost every sentence, yes we all know that CIA is important and what we are aiming for but there is no need to repeat it so often.

Other sections of the book only skimmed over areas that were quite heavily covered in the exam.

In short if you did not already have a very solid grounding and experience in the areas covered by the exam, this official guide would not be anywhere near enough to pass the exam.  Obviously the ISC2 may argue that you are supposed to have industry experience, but this does not necessarily include all the areas covered in the exam such as specific components of the common body of knowledge or other specific standards.

If you are a CISSP involved in designing secure architectures then this certainly seems like a worthwhile certification to go for.  I would advise doing some supplementary reading covering the Common Body of Knowledge and something like ‘Enterprise Security Architecture’ along with of course a solid background in both security and architecture.

As an aside I am a firm believer that study and / or involvement in IT related work such as creating white papers, contributing to open source etc. is a great way to not only improve your skills and knowledge, but is also essential to show current and future employers that you are genuinely passionate about what you do rather than it just being a job.

K

Architecture in turbulent times – part 2

This post will follow on from the previous ‘Architecture in turbulent times’ post covering some of the shifting demands on architects and further highlighting ways we can add value even during this tougher economic period.

The first thing to do is ensure you understand the shifting demands on the architect, and the business; doing this will ensure you remain at the centre of major IT decisions, either by making or advising on those decisions.

These changing demands may include areas such as:

– Reducing project costs and doing more with existing or even less resource (as per the previously mentioned increasing efficiencies), with many businesses having a strong focus on reducing or managing Opex (operating expenses).

– Maintaining and encouraging talent. This may sound strange in the current environment, but keeping and providing a career path and training for talented employees is key during tough times.  Use this as an opportunity to train, mentor and encourage others in your department.

– Outsourcing – in line with innovation and cost efficiency, are there repeatable processes that could be outsourced? Do new technologies and services such as Platform as a Service enable the outsourcing of technology to manage / reduce costs?

Use and develop your skills in areas including:

– Negotiation and inspiration – this will enable you to gain buy-in for your vision / plans, and get people motivated to drive changes forwards.

– Problem solving / issue assessment – the ability to quickly and, where required, tactically resolve problems is more important than ever, and the architect’s ability to do this while looking holistically at the bigger picture is where we can add great value.

– Understanding the business and their processes is as always a key component of the architect’s role.  We love technology, but it is the understanding of the business requirements and the ability to provide the simplest and most cost effective technical solutions to these requirements, rather than just technology itself, that is critical.

We need to think more tactically while still maintaining a holistic view of our business and the environment in which it trades (e.g. relevant regulatory considerations).  In this way the role of the architect remains key, and will ensure that the current technical solutions meet the business requirements of now around optimisation and simplification while being flexible enough to allow the business to grow and capitalise on any improvements in the economy.

I am thinking of the new focus as being tactically strategic, or strategically tactical!

K