Feeds

Microsoft offers Architects a view

First postcard from Microsoft's conference

Securing Web Applications Made Simple and Scalable

Always be careful what you wish for. I liked Stuart Okin when he was chief security officer for Microsoft UK and thought he did a lot for Microsoft's credibility in this area, but I'm afraid I occasionally laughed at Microsoft for putting a developer type in charge of security, instead of a superannuated spook as everyone else does.

Well, I'm sorry now, as at Microsoft's Architect Insight conference (you can find the programme here) I saw the pukka ex-FBI agent now in charge (Ed Gibson) – and he's actually a bit scary. Ed Gibson is an entertaining speaker, but he sure plays the FBI card and "protect the little girls" hard - and actually wears a suit (so Microsoft really is the new IBM).

At least the assembled "architects" (and what is an "architect"? – Matt Deacon, chief architectural advisor to Microsoft UK, had a defining matrix I didn't find too convincing) weren't usually wearing suits. Which perhaps indicates that an architect is merely a well-paid systems cum business analyst – which may be no bad thing.

Gibson made some good points, however, about the need for architects to design security into systems so that their business users, as Gibson puts it, "don't have to play in my world".

However, I don't really believe that there are these two worlds. There's a continuum for most people, from little dishonesties that "don't matter" or punish their employer for some real or imagined injustice; to major frauds and criminalities. Most people stop at the beginning of that path and good governance built into automated systems (yes, Gibson is right, architects do have a responsibility here) encourages this. But I don't believe that a black and white division of people into two groups (the sheep that live blameless, if boring, lives; and the, possibly romantic, goats that break the rules) helps us to introduce good governance.

I was much happier with Lord Erroll's keynote (he's an independent peer and involved with PITCOM, the parliamentary IT committee) about the legislative process that is increasingly embodied in or impacts automated systems and the need to balance risk-taking entrepreneurial attitudes against an understandably risk-averse concern with safety - "life is for living".

Erroll pointed out that rules can't control a complicated system which is usually non-deterministic (or, at least, chaotic) in behaviour. What architects or designers can do is put boundaries around what is acceptable behaviour – as English common-law tries to do. Getting too prescriptive and, for example, implementing laws (or development methodologies, for that matter) that you can't enforce, rapidly becomes counter-productive.

He sees security as something which facilitates business – a very sensible point of view. So, identity management is not only about who you are but what role you're performing – and what authority you have to make "contracts" in that role.

Erroll also points out that globalisation has an impact on all this – you may build a bomb-proof data repository in the USA but if it is not proof against the Patriot Act, Chinese businesses, say, may not want to use it. The aims of legislation like the Patriot Act may be very laudable, but if you can inspect company data in order to prevent terrorism who's to say that the information won't also leak to a US business rival as straightforward, possibly state-sanctioned, industrial espionage?

So, the conference keynotes so far are about setting down Microsoft's credentials as a good player in the corporate governance space, although the sessions proper are much more IT and business focused. More on these later.

Oh, and Nick McGrath (director of platform strategy at Microsoft Ltd) wants us all to petition our local standards body (BSI) to support the ratification of Ecma Open XML as an ISO standard (a pleading letter was included in the conference pack). "The issue should be technical, not political," he says. Really? Since when was standards-making not political, in part at least? Why do you think that the (mostly excellent) OMG UML 2.0 standard has redundancies in it, if not to keep participating vendors happy?

No, the real issue with standards is the follow-on availability of cheap, effective interoperability testing suites. I don't really see why we can't have overlapping standards, where Open XML, say, supports conversion from legacy Microsoft Office document formats into something more open, and ODF supports a simple universal (but less rich) document format for everybody else to use. Any tools will have to support both formats just as they import Word docs now. Once you have your Word documents in XML format, converting this to ODF can't be that hard – and if ODF can't cope with spreadsheets, at least that removes a huge source of errors from the company archives <grin>.

Microsoft's Architect Insight conference is being held in Gwent and is sponsored by Avanade, Capgemini, Conchango and Solidsoft.

Bridging the IT gap between rising business demands and ageing tools

More from The Register

next story
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
Apple: We'll unleash OS X Yosemite beta on the MASSES on 24 July
Starting today, regular fanbois will be guinea pigs, it tells Reg
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.