Enterprise Architecture and Service-Oriented Architecture Fad or Foundation? Part 4
Editor's note: There is a comprehensive glossary of important terms and reference list at the end of this article that will be useful for this discussion of enterprise architectures. To find the other installments of this series, please visit:
Part 1: http://www.dmreview.com/article_sub.cfm?articleID=1025078
Part 2: http://www.dmreview.com/article_sub.cfm?articleID=1025567
Part 3: http://www.dmreview.com/article_sub.cfm?articleID=1025870
Finding and Walking the Appropriate Enterprise Architecture Road
As we assimilate the information related to the choices we must make to create an enterprise architecture (EA) for a given organization, we need to remain cognizant of our goal: integrating the software and wetware (the information and human components of the system) while maintaining and extending the organization's existing IT investments. That goal is easily lost in the wealth of detail we have just enumerated. So, before we finish the task with the final lists of hardware and terminology, we need to refocus on the objective now that we have nearly finished enumerating the components we must consider, choose to implement immediately or defer, and get under way. At this point we ought to have a handle on the somewhat "intangible" assets with which we must build our conceptual and systemic architecture. However, it is all too easy to get lost in the forest of details. The list that follows can be used as a checklist of sorts, to be compared against the goals and objectives we started out with on this journey of transformation. It should also serve as a reminder that our method needs to be modeled carefully. Infrastructure is both our starting point and our end point. What started out as a collection of systems and components, likely added together in a more or less piecemeal fashion, albeit with one or two major investment junctures where some attempt at homogenization probably occurred in response to Y2K, needs to end up clearly as a comprehensive whole with a clear plan into the future.
If that is not the case, or is not clear to both management and workforce, then remediation is needed immediately. An effort as complex and as lengthy as this approach requires will quite frequently end up in exactly this situation, but it should not be a cause for great concern. Over the course of what is likely to be a half-year process at a minimum, one of two kinds of change will most likely have occurred. Either personnel at or near the top of the project will have changed, probably with a lack of familiarity with the ongoing process during the handover, in which case a fairly thorough review will alleviate concerns; or the overall situation of the enterprise or organization will have changed significantly due to uncontrollable and unpredictable events, in any number of ways, from a major shift in the marketplace, such as a recession or unexpected growth, to a catastrophe of natural or man-made origin, which will require a refactoring of the enterprise architecture effort. However, with road map in hand, an organization can fairly easily retrace its steps back to the point where the divergence in circumstance requires a change to the plan, and make the adjustments that can be made. Of course, it is better to recognize that need at the time it occurs, but that is much easier said than done, as anyone who has gone through a major earthquake, fire, flood or system-wide crash can attest. This is the reason a formal EA effort is required. Formal documentation, an assessment, the usage log-based analysis, system-wide requirements, etc., give the enterprise the tools to adjust. Even if it occasionally seems trivial, it is definitely in the long-term interest of the organization to thoroughly document the process against a project management timeline. No amount of money or effort will ever regain a second of time lost for lack of documentation.
Infrastructure Assets to be Reused, Part One: General
EA and service-oriented architecture (SOA) methodologies are predicated on reusing assets across the enterprise to improve both quality of service and overall efficiency. Listed below are the major IT assets that are applicable to EA and SOA.
Application Servers
An application server is the middleware that acts as the medium between a company's front-end applications and its back-end business systems. It must be able to extract core data and present it to a variety of clients (e.g., desktops, smart cards, Web browsers, etc.). In addition, the application server provides developers with the capability to build and deploy Web application logic with data access through APIs. Leading application server vendors include BEA, IBM, Microsoft, Oracle, Sun and Sybase. It is important to note that Microsoft does not currently offer a true application server. However, application-server functionality may be achieved in the Microsoft world by combining IIS, ASP+, COM+ and the Windows operating system.
Business Intelligence Tools
Once a database foundation has been populated, the information it contains may then be evaluated with various business intelligence (BI) tools. These tools identify specific segments, individual users and activity patterns. The results of these analysis efforts are the basis on which preemptive campaigns and strategies may be formulated and deployed. BI solutions fall into two main groups: database-integrated offerings (e.g., Microsoft SQL Server 2000 Analysis Services, Oracle 10g Data Mining, etc.) and third-party solutions (e.g., BusinessObjects Analytics, SAS Analytic Intelligence, etc.). The following three listings are examples of the various types of BI tools.
Data Mining. Data mining tools search for specific patterns and trends. These tools enable users to extract information from data warehouses, perform data transformations, determine rules with algorithms and neural networks, and display results with various multidimensional charts and graphs.
Online Analytical Processing (OLAP). OLAP is an interactive querying tool that enables users to analyze multiple types of information. This information can then be broken down into sections, which may include a specific activity and or activities relating to a specific area of interest.
Statistical Analysis. Statistical analysis tools classify and segment information into user profiles that build association trees. All relevant information is integrated across the enterprise and kept updated.
Collaboration Software
This type of software enables entities such as the Department of Homeland Security to collaborate with the agencies under its auspices, different governments, and private sector businesses and organizations. Collaboration software will be of great value to the consolidation effort because it has the capability of bringing together applications and data from various sources. Listed below are the salient features of collaboration software.
- Calendaring and scheduling
- Document management
- Instant messaging
- Mobile user support
- Real-time conferencing
Secure information exchange is a key factor. Accordingly, the collaboration software offering should support proven security technologies such as public key infrastructure (PKI) and secure sockets layer (SSL). Collaboration solutions fall into two main groups: established players (e.g., Lotus, Microsoft, Novell, etc.) and new entrants (e.g., Documentum, Groove Networks, SiteScape, etc.).
Content Management Systems
Content management systems (CMS) provide support for the creation, distribution and management of dynamic or static content to a desired audience. These systems enable entities such as the Department of Homeland Security to enhance the efficiency of internal workflow and the availability of resources, while maintaining and offering fresh content to both the government and private sectors. CMS ease the "content burden" by delivering quick searches and fast retrieval of information, which ultimately streamlines internal processes and enables the desired audience to assimilate data. Current CMS are able to source information in unlike formats for delivery to any type of device, ranging from desktops to wireless devices. CMS fall into two main groups: established players (e.g., Documentum, Interwoven, Vignette, etc.) and new entrants (e.g., FatWire, Microsoft, etc.).
Customer Relationship Management
Customer relationship management (CRM) software enables entities such as the Department of Homeland Security to service the needs of their employees, suppliers and other related users. This type of software provides both automated and live support to service inquiries over various mediums including telephone, fax and the Internet. Leading CRM vendors include Oracle, SAP and Siebel. In addition to basic operational functionality, the aforementioned CRM offerings provide support for analysis, customization, personalization, reporting and workflow. CRM software is highly complex and difficult to deploy because it must integrate with critical front-end, middleware and back-end systems.
Databases
A database is a collection of data that is organized so its contents may be accessed, managed and updated. The main types of databases include:
- Distributed - Can be dispersed or replicated among different points in a network.
- Object Oriented - Is congruent with data defined in object classes and subclasses.
- Relational - A tabular or table-matrix design in which data is defined so that it can be organized and accessed.
- Object Relational - A combination of object and relational concepts in which objects are mapped to relational databases, often used to persist enterprise Java beans.
At this time, relational databases are the most prevalent type of offering. Leading relational database vendors include IBM, Microsoft, Oracle and Sybase. These offerings support a wide range of solutions that include business intelligence, collaboration, multimedia and transaction processing. An enterprise database foundation will most likely be based on a two-tier architecture comprised of agency data marts and a central data warehouse. This type of database architecture provides four primary benefits: 1) high-speed access, 2) the capability to expand functionality at the agency and/or the central data warehouse level without reengineering the core architectural topology, 3) excellent security, and 4) a 360-degree perspective. The key components of the two-tier architecture are:
Agency Data Mart. The data mart will act as the information focal point regarding the activities of a specific agency such as the Transportation Security Administration (TSA). It employs a modular architecture that is comprised of individual data silos that are directly coupled and synchronized with the agency's software solutions (e.g., CMS, CRM, ERP, etc.). A data silo methodology allows for faster access times because a query is only performed against a specific section of the data mart and does not have to search the entire data mart for the targeted information. Security is greatly improved because data silos house only information on specific types of solutions, so access can be implemented on a finer level of granularity. The information held in the data mart may then be sent to the central data warehouse on a scheduled basis chosen by the Department of Homeland Security.
The Central Data Warehouse. The central data warehouse will act as the main repository and focal point for all agency data mart information. Each agency data mart is directly coupled and synchronized with the central data warehouse. The information housed in the central data warehouse provides the authorized user with a 360-degree perspective of the entire workings of each agency.
The database foundation should leverage important standards such as extensible markup language (XML) for internal as well as external applications. Hence the need to create the proper infrastructure to support this essential technology. The ability to store and retrieve XML documents in their native format will be of paramount importance to the consolidation effort because it will improve the efficiency of structured data exchange.
Integrated Development Environments
An integrated development environment (IDE) is a programming environment integrated into an application. It enables developers to create applications that are meant to satisfy specific needs and/or requirements; those applications then run on the hardware platforms and operating systems discussed later in this list. At this time, there are two main development paths (Java centric or Microsoft centric) for building traditional as well as Web services applications. Leading IDE vendors include BEA, Borland, IBM, Microsoft, Oracle, Sun and Sybase.
Devices
There are various devices that support bidirectional information flow, such as telephones, faxes, personal computers (PCs) and wireless offerings (e.g., e-mail pagers, cell phones with microbrowsers, notebooks, PDAs, smart phones, etc.). The Internet has become an ever more popular medium because of its ability to support graphics, text and voice; hence the justified attraction of PCs and wireless offerings. The latest PC and wireless products incorporate high-speed processors and expanded memory that allow for greater throughput, which ultimately provides improved graphics, decreased latency and the ability to support advanced security technologies such as biometrics. The two main vendor groups are 1) PCs: Apple, Compaq/Hewlett Packard, Dell, Gateway, IBM and Sony, and 2) wireless offerings: Ericsson, Motorola, Nokia, Palm and RIM.
Enterprise Management Systems
Enterprise management systems (EMS) are open network computing management solutions that extend from the mainframe to the desktop and, in the case of the more sophisticated portal products, to a public interface via the Web. They simplify administration by centralizing various functions into one central control center. These types of systems provide support for single sign-on, antivirus, firewall integration and administration, and LDAP directory server integration and administration. Listed below are the salient features of enterprise management systems.
- Application management
- Asset management
- Database management
- Desktop system diagnostics
- Help desk
- Integrated network management
- Mainframe and midrange computer management
- Security management
- Software upgrades
- Storage management
- Virus protection
- Workload management
Leading vendors include Computer Associates, Hewlett Packard, Oracle and Tivoli Software, the last especially as a component of IBM's WebSphere Business Integration (WBI) package.
Enterprise Resource Planning
Enterprise resource planning (ERP) is a business management system that integrates various facets of the enterprise, including financials, human resources, inventory and operational control. It is meant to increase the efficiency of internal as well as external operations by integrating useful information across critical segments of the business life cycle. Listed below are the primary areas covered by ERP.
Financials - Enable businesses and organizations to effectively manage financials related data, reduce accounting and finance costs, reduce IT costs and improve operational efficiency.
Human Resources - Allow businesses and organizations to A) align their workforce with goals and objectives, B) deploy self-service across the enterprise, C) streamline their human resources systems to lower costs.
Supply Chain Management (SCM) - Inventory and Operational Control - Provide support for planning, execution and management of events. In addition, inventory and operation control delivers coordination capabilities that track financial, informational and materials processes/processing exceptions.
Leading ERP vendors include J.D. Edwards, Oracle (currently consolidating its purchase of PeopleSoft) and SAP.
Integration Tools
Integration tools are meant to reduce the time and effort associated with application, business process and partner integration. Java messaging service (JMS) is a backbone technology used by the majority of leading product offerings, which include BEA, IBM, Oracle, Sun, Sybase, Tibco and webMethods. JMS is a set of interfaces and associated semantics developed by Sun that define how a JMS client accesses the facilities of an enterprise messaging product. It provides a common way for Java programs to create, send, receive and read an enterprise system's messages. Enterprise messaging products, or message-oriented middleware (MOM) products, are fast becoming an essential technology for integrating intracompany operations. These products provide a reliable and flexible service for the asynchronous exchange of critical data and events. The JMS API adds to this a common API and provider framework, which enables the development of portable message-based applications in the Java programming language. As a result, JMS provides the means for Java clients and Java middle-tier services to properly access these messaging systems. It is important to note that all of the aforementioned integration tools support the core XML-based Web services standards, WSDL, UDDI and SOAP.
Hardware Platforms
Hardware platforms along with operating systems provide the capability to run applications. Therefore, the hardware platform and operating system chosen directly impact the performance of the application (e.g., CRM, ERP, OMS, etc.) considered for deployment. Availability, flexibility, reliability and scalability are essential factors that should be taken into account regarding hardware platform suitability requirements. Listed below are the four main types of hardware platforms and associated operating systems.
Linux
- Operating System: Free UNIX-type operating system (e.g., Red Hat, Novell (SuSE), TurboLinux, etc.). Current status: Kernel v2.6.
- Business Applications: File and print servers and Web applications.
- Salient Characteristics: Excellent horizontal scalability.
- Hardware Offerings: Compaq/Hewlett Packard AlphaServer, Itanium-Based Servers and ProLiant Servers, Dell PowerEdge Servers, IBM iSeries, pSeries, xSeries and zSeries, NEC Express5800/FT Linux Server, Sun LX50 Server and Unisys ES7000 Servers.
- Acquisition: May be purchased directly from vendors such as Compaq/Hewlett Packard, Dell, IBM, NEC, Sun, Unisys or through authorized resellers.
Mainframe
- Operating System: Mainframe-type operating system (e.g., IBM z/OS and OS/390, MVS, etc.).
- Business Applications: Database and OMS.
- Salient Characteristics: Outstanding availability, flexibility, reliability and scalability.
- Hardware Offerings: Fujitsu GlobalServer, IBM z/Series and Unisys ClearPath.
- Acquisition: May be purchased directly from vendors such as Fujitsu, IBM, Unisys or through authorized resellers.
UNIX
- Operating System: Commercial UNIX-type operating system (e.g., HP-UX 11i, IBM AIX V5, Sun Solaris 10, etc.).
- Business Applications: CRM, Database, ERP, OMS and Web applications.
- Salient Characteristics: Excellent availability, flexibility, reliability and scalability.
- Hardware Offerings: Apple Computer Xserve, Compaq/Hewlett Packard AlphaServer, Itanium-Based Servers and PA-RISC Based Servers, Fujitsu PRIMEPOWER Servers, IBM pSeries, Sun Enterprise Servers and Sun Fire Servers.
- Acquisition: May be purchased directly from vendors such as Apple Computer, Compaq/Hewlett Packard, Fujitsu, IBM, Sun or through authorized resellers.
Windows
- Operating System: Windows-type operating system (e.g., NT, 2000, Server 2003, etc.).
- Business Applications: CRM, database, OMS and Web applications.
- Salient Characteristics: Good horizontal and vertical scalability.
- Hardware Offerings: Compaq/Hewlett Packard Itanium-Based Servers, ProLiant and Superdome with Intel Itanium, Dell PowerEdge Servers, Fujitsu PRIMERGY, IBM xSeries, NEC Express5800 Servers and Unisys ES7000 Servers.
- Acquisition: May be purchased directly from Compaq/Hewlett Packard, Dell, Fujitsu, IBM, NEC, Unisys or through authorized resellers.
It is logical to assume that the United States government currently supports a majority of the aforementioned hardware platforms.
Networks
The current landscape supports various traditional and wireless network options that satisfy a broad range of computing needs. Leading vendors in this space include AT&T, Cingular, Cisco, Sprint PCS, Verizon Wireless and VoiceStream. Listed below are examples of traditional networks, as defined by Webopedia, and wireless networks, as defined by Network Computing Magazine.
Local-Area Networks (LANs). Computer networks that span a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN may be connected to other LANs via telephone lines. A system of LANs connected in this manner is called a wide-area network (WAN).
Wide-Area Network (WAN). A computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local area networks (LANs). Computers connected to a WAN are often connected through public networks, such as the telephone system. They can also be connected through leased lines or satellites.
Fixed Access Wireless Systems. Technologies that range from licensed microwave and unlicensed spread-spectrum point-to-point systems to so-called wireless DSL and satellite.
Personal Area Networks (PANs). Short-range wireless networks that provide connectivity among compliant mobile devices over distances of approximately 10 meters.
Wireless LANs (WLANs). Medium-range wireless networks built around the IEEE 802.11b/WiFi (Wireless Fidelity) standard that provide connectivity among compliant mobile devices over distances of approximately 100 meters.
Wireless WAN (WWAN). Products and services that provide mobile wireless services using a single device over a wide geographic area.
Emerging technologies such as 3G and 802.11g are quite enticing because of their outstanding high-speed throughput capabilities. However, interoperability and the financial instability of tier-one and tier-two players will continue to weigh heavily on this sector.
Operating Systems
Operating systems provide a software platform on top of which other programs, called application programs, can run. Accordingly, application programs must be written to run on top of a particular operating system. As a result, the operating system chosen directly impacts the overall performance of the application program (e.g., CRM, ERP, OMS, etc.) being deployed. In addition to basic tasks, server operating systems make certain that different programs and users running at the same time do not interfere with each other. These types of operating systems are also responsible for security, ensuring that only authorized users have access to the system. The four main types of server operating systems are listed below.
Linux
- Offering: Free UNIX-type operating system.
- Current Status: Kernel v2.6.
- Business Applications: File and print servers and Web applications.
- Processors Supported: 1 to 16 CPUs.
- Acquisition: May be downloaded off the Internet at no charge. It may also be purchased through vendors such as Red Hat, Novell (SuSE) and TurboLinux.
- Salient Characteristics: Supports multithreading and horizontal scalability.
Mainframe
- Offering: Mainframe-type operating system.
- Current Status: z/OS V1.6.
- Business Applications: Database and OMS.
- Processors Supported: Up to 512 CPUs in a zSeries Parallel Sysplex.
- Acquisition: May be purchased directly from vendors such as IBM or through authorized resellers.
- Salient Characteristics: Supports 24-bit, 31-bit and 64-bit addressing modes. Outstanding availability, reliability, security and scalability.
UNIX
- Offering: Commercial UNIX-type operating system.
- Current Status: Hewlett Packard HP-UX 11i, IBM AIX V5 and Sun Solaris 10.
- Business Applications: CRM, Database, ERP, OMS and Web applications.
- Processors Supported: 1 to 8192 CPUs.
- Acquisition: May be purchased directly from vendors such as Hewlett Packard, IBM and Sun or through authorized resellers.
- Salient Characteristics: Excellent availability, reliability, security and scalability.
Windows
- Offering: Windows-type operating system.
- Current Status: Windows Server 2003.
- Business Applications: CRM, Database, OMS and Web applications.
- Processors Supported: 1 to 64 CPUs.
- Acquisition: May be purchased directly from Microsoft or through authorized resellers.
- Salient Characteristics: Available in 32-bit and 64-bit product offerings. Supports multithreading and horizontal scalability.
It is logical to assume that the United States government currently supports a majority of the aforementioned operating systems.
Portals
A portal is a Web site or service that offers an extensive array of resources and services. These range from e-mail, forums, search engines and online shopping up to systems that implement enterprise management systems, integration tools, collaboration software, content management services, customer relationship management and supply chain management, and that include e-mail and instant messaging, auditing and monitoring.
Regarding the Department of Homeland Security consolidation effort, portals will enable authorized users to access a variety of resources such as applications, documents and services. As a result, portals will contribute significantly to reducing the time and effort needed to find, request and acquire relevant information. Portal software provides tools for publishing information, building applications, and deploying and administering Web portal environments. In addition, portal software provides support for single sign-on, while combining important services such as personalization and wireless access. The latest genre of portal software is comprised of three main groups that include application-server related (e.g., BEA WebLogic Portal, IBM WebSphere Portal, Oracle 10g Portal, Sun ONE Portal Server, Sybase Enterprise Portal, etc.), Microsoft related (SharePoint) and third-party solutions (e.g., Plumtree Corporate Portal, Vignette Application Portal, etc.).
Storage
Applications such as CMS, CRM and ERP are especially data-intensive and should have proper storage and back-up capabilities that adhere to business as well as legal guidelines. Mass storage is a term that refers to various methodologies and devices for storing large amounts of data. The devices used for mass storage include all types of disk drives and tape drives. Mass storage is distinct from memory, which refers to temporary storage areas within the computer. Unlike main memory, mass storage devices retain data even when the computer is turned off. The main types of mass storage are 1) floppy disks, 2) hard disks, 3) optical disks and 4) tapes. The popular enterprise storage options include network attached storage (NAS) and storage area networks (SANs). Brief summaries of NAS and SAN are listed below.
NAS. A network attached storage (NAS) device is a server that is dedicated to nothing more than file sharing. NAS does not provide any of the activities that a server in a server-centric system typically provides, such as e-mail, authentication or file management. NAS allows more hard disk storage space to be added to a network that already utilizes servers without shutting them down for maintenance and upgrades. With a NAS device, storage is not an integral part of the server. Instead, in this storage-centric design, the server still handles all of the processing of data but a NAS device delivers the data to the user.
SAN. A storage area network (SAN) is a high-speed subnetwork of shared storage devices. A storage device is a machine that contains nothing but a disk or disks for storing data. A SAN's architecture works in a way that makes all storage devices available to all servers on a LAN or wide-area network (WAN). As more storage devices are added to a SAN, they too will be accessible from any server in the larger network. In this case, the server merely acts as a pathway between the end user and the stored data. Because stored data does not reside directly on any of a network's servers, server power is utilized for business applications, and network capacity is released to the end user.
Leading mass storage vendors include Dell, EMC, Hewlett Packard, IBM and Sun.
Infrastructure Assets to be Reused, Part Two: Security Related
Authentication and Access
Authentication is the process of identifying an individual, usually based on a user name and password. It is meant to ensure that the individual is who he or she claims to be but says nothing about the access rights of the individual. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Most businesses and organizations involved in high security environments typically support two-factor authentication. In addition to the basic user name and password, two-factor authentication requires a third-party authentication device such as the RSA SecurID authenticator, which generates a new, unpredictable code every 60 seconds to enhance the authentication process.
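As an added illustration, not code from the article, the following Python models the two-factor flow just described: a password check plus a time-based one-time code that changes every 60 seconds, computed in the style of RFC 6238 rather than the proprietary SecurID algorithm, and kept separate from the authorization decision. The user table, password, salt and resource roles are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # a fresh code every 60 seconds, as with the token described above
CODE_DIGITS = 6
_SALT = b"constructed-demo-salt"   # constructed; use a random per-user salt in practice


def totp_code(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
              digits: int = CODE_DIGITS) -> str:
    """Time-based one-time code: HOTP truncation (RFC 4226) over the time counter (RFC 6238)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate token clock drift."""
    return any(
        hmac.compare_digest(totp_code(secret, unix_time + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed user table and resource policy (not real accounts).
USERS = {
    "analyst": {
        "password_hash": hash_password("correct horse battery"),
        "totp_secret": b"12345678901234567890",   # the RFC 4226/6238 test-vector secret
        "roles": {"reader"},
    },
}
RESOURCE_ROLES = {
    "case-files": {"reader", "admin"},
    "admin-console": {"admin"},
}


def authenticate(username: str, password: str, code: str, unix_time: int) -> bool:
    """Authentication only: is this person who they claim to be? Says nothing about access."""
    user = USERS.get(username)
    if user is None:
        hash_password(password)   # same cost for unknown users, so timing does not reveal them
        return False
    if not hmac.compare_digest(user["password_hash"], hash_password(password)):
        return False
    return verify_code(user["totp_secret"], code, unix_time)


def authorize(username: str, resource: str) -> bool:
    """Authorization: a separate decision, based on the identity established above."""
    user = USERS.get(username)
    return user is not None and bool(user["roles"] & RESOURCE_ROLES.get(resource, set()))


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(USERS["analyst"]["totp_secret"], now)
    print("authenticated:", authenticate("analyst", "correct horse battery", code, now))
    print("may open case-files:", authorize("analyst", "case-files"))
    print("may open admin-console:", authorize("analyst", "admin-console"))
```

With a 30-second step the function reproduces the published RFC 6238 SHA-1 test vectors, so the 60-second variant differs only in how often the code rolls over.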
Leading security vendors including RSA and VeriSign support important standards such as public key infrastructure (PKI), which is the combination of software encryption technologies and services that enables businesses and organizations to protect the security of their communications and business transactions on the Internet. PKIs integrate digital certificates, public key cryptography and certificate authorities into enterprise-wide network security architecture. A typical enterprise's PKI encompasses the issuance of digital certificates to individual users and servers; end-user enrollment software; integration with corporate certificate directories; tools for managing, renewing and revoking certificates; and related services and support.
Lightweight directory access protocol (LDAP) has become a viable technology with respect to enterprise access. In basic terms, LDAP is a set of protocols for accessing information directories. It enables almost any application running on virtually any computer platform to obtain directory information, such as e-mail addresses and public keys. Because LDAP is an open protocol, applications need not worry about the type of server hosting the directory. An LDAP directory server is an LDAP-based server that stores user, configuration and security information. Regarding PKI, this server provides the capability to query keys with the use of LDAP. Additionally, the LDAP directory server centrally updates information that can later be used by multiple applications, networks and systems across various platforms.
Biometrics related software provides authentication techniques that rely on measurable physical characteristics that can be automatically checked. Examples include computer analysis of fingerprint patterns, iris scans, or speech recognition. Leading vendors in the space include NextgenID, onClick and VicarVision.
Firewalls
A firewall is a security device that is typically positioned between an internal trusted network and the Internet. It is meant to keep sensitive data protected, while providing access to authorized users as prescribed by the security policies of the entity deploying this technology. A firewall has two main areas of focus: 1) tracking and controlling communications, and 2) deciding whether to allow, reject or encrypt communications. Listed below are the key technologies used to implement firewalls.
Packet Filters - Usually implemented on routers. Packet filters look at each packet entering or leaving the network and accept or reject it based on user-defined rules.
Application-Layer Gateways - Apply security mechanisms to specific applications, such as file transfer protocol (FTP) and Telnet servers.
Circuit-Level Gateway - Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy Server - Intercepts all messages entering and leaving the network. The proxy server effectively hides true network addresses.
Leading firewall vendors include Check Point Software Technologies and Cisco.
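To make the packet-filter description concrete, here is an added example (not code from the article or from any vendor's product) of a stateless packet filter: a policy is a list of rules evaluated first-match with a default deny, and the classic "established" rule that a stateless filter has to express as "ACK bit set" is included to show its limit. The addresses, ports and policy are constructed for illustration.

```python
# Added example, not from the article: a stateless packet filter with
# first-match rule evaluation and a default deny.  Addresses are taken from
# the RFC 5737 documentation ranges and the policy is constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" (arriving from the Internet) or "out"
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    tcp_flags: str = ""   # letters from "SAFRPU", e.g. "S", "A", "SA"


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches any value
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    ack_set: Optional[bool] = None   # the classic "established" heuristic

    def matches(self, pkt: Packet) -> bool:
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst is not None and self.dst != pkt.dst:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.ack_set is not None:
            # A stateless filter cannot know whether a session exists; the
            # best it can do is look at the ACK bit on the packet itself.
            if pkt.proto != "tcp" or ("A" in pkt.tcp_flags) != self.ack_set:
                return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; anything unmatched is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed policy: one public web server, replies to internal clients
# ("established"), and unrestricted outbound traffic.
WEB_SERVER = "203.0.113.10"
RULES = [
    Rule("allow", direction="in", proto="tcp", dst=WEB_SERVER, dport=80),
    Rule("allow", direction="in", proto="tcp", ack_set=True),
    Rule("allow", direction="out"),
]


def demo() -> dict:
    """Three inbound packets from one outside host against the policy."""
    outside = "198.51.100.7"
    return {
        "syn_to_web": filter_packet(
            RULES, Packet("in", "tcp", outside, WEB_SERVER, 80, "S")),
        "syn_to_telnet": filter_packet(
            RULES, Packet("in", "tcp", outside, "203.0.113.20", 23, "S")),
        # Same target, but with ACK set: the stateless "established" rule
        # admits it although no session exists (an ACK-scan probe).
        "ack_to_telnet": filter_packet(
            RULES, Packet("in", "tcp", outside, "203.0.113.20", 23, "A")),
    }
```

The third case is the caveat that separates a packet filter from the circuit-level gateway or stateful firewall described next: because the filter keeps no connection table, an attacker can set the ACK bit on an unsolicited packet and get it past the "established" rule, which is enough to map which internal hosts exist. A gateway that records the connection at setup time rejects the same packet because it belongs to no known session.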
Virtual Private Network
A virtual private network (VPN) extends a private network across a shared or public network such as the Internet: a defined set of hosts and address ranges form an area within which secured information may be exchanged and business transactions can take place. In simple terms, a VPN is a private network carried over other networks. It may be used to link agencies, different governments and private sector businesses across the Internet. A VPN provides support for the following:
- Managing network connections, routers and servers at sender/receiver locations
- Managing packet flow to and from sender/receiver locations
- Monitoring performance (e.g., traffic volume, security events, speed) of all Web traffic to and from sender/receiver locations
- Supporting sender/receiver locations on a 24x7 basis
There are two main VPN options: the single point type and the multiple point type. Listed below are brief summaries of each.
Single Point Type. Only one entry point (a single gateway URL or address) is supported. A single point type VPN could be used for selected offices and/or suppliers. It is relatively simple to implement and manage.
Multiple Point Type. With this configuration multiple VPNs reside inside the enterprise's main VPN. Multiple point type VPNs provide increased efficiency by enabling various groups to work simultaneously on related projects. However, this type of VPN is far more difficult to implement and manage than the single point type, and each additional entry point is another place where endpoint authentication and policy must be enforced.
VPN Security Options
Many different security technologies exist to protect against unwanted threats. Encapsulation by itself does nothing to enhance the integrity or confidentiality of the tunneled data: a tunnel header merely wraps the inner packet, which can still be read or altered in transit. Integrity and confidentiality come from authentication and encryption applied to the encapsulated payload, as IPsec does. It is imperative that the end points be authenticated so that tunnels are established only for authorized users. Products supporting network layer encryption must be transparent to the end users, applications and networking infrastructure. Because network-layer encryption hides the inner addresses, ports and protocols, these products are harder to pass through a firewall (the firewall must admit the tunnel protocol itself rather than inspect what it carries), but they provide the greatest advantage. Listed below are the primary areas of VPN security.
Internet Protocol Security (IPsec). The standard for VPN security at the network layer. It provides standard methods for authenticating the users or computers that initiate tunnels (through the Internet Key Exchange, IKE) and protects the tunneled traffic with its Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols.
Layer Two Tunneling Protocol (L2TP). Combines the features of Microsoft's Point-to-Point Tunneling Protocol (PPTP) and Cisco's Layer Two Forwarding (L2F) protocol. As an extension of PPP operating at the data-link layer, L2TP can carry any higher-layer protocol and not just IP. L2TP provides tunneling only, not encryption; in practice it is run over IPsec (L2TP/IPsec) to obtain confidentiality and integrity.
Encapsulation Security. Internet service providers (ISPs) may add encapsulation security with the IPsec Encapsulating Security Payload (ESP) in tunnel mode, and with PPTP technologies.
Digital Signature Standard (DSS) and Secure Hash Algorithm (SHA). ISPs can also provide additional security in the form of DSS signatures computed over an SHA hash of the data. A signature lets the recipient look up the sender's public key in a directory and verify that the files came from that sender and were not altered. DSS itself does not provide confidentiality; for that the sender looks up the recipient's public key in the directory and encrypts the files to it, so that only the recipient's private key can decrypt and open them.
Layer 5 (Session Layer). Circuit proxies operate above the transport layer and relay traffic between a secured network and the Internet on a socket-by-socket basis.
Secure Sockets Layer (SSL). Provides transport-layer encryption and authentication from the tunnel initiator to the tunnel terminator.
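To show why encapsulation alone protects nothing and what ESP adds on top of it, here is an added example (not code from the article, and not a real IPsec implementation) of one direction of a simplified ESP-style tunnel: a header carrying an SPI and sequence number, an HMAC-SHA256 integrity check over header and payload, and the sliding anti-replay window of RFC 4303. Payload encryption is deliberately omitted because the Python standard library has no block cipher; real ESP encrypts as well as authenticates. The key, SPI and inner packets are constructed.

```python
# Added example, not from the article: a simplified ESP-like tunnel with an
# integrity check and anti-replay window.  No encryption (stdlib has no AES);
# real IPsec ESP also encrypts the payload.  Keys and packets are constructed.
import hashlib
import hmac
import struct
from typing import Optional

HEADER = struct.Struct("!II")            # SPI, sequence number (as in ESP)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


def unprotected_encapsulate(spi: int, seq: int, inner: bytes) -> bytes:
    """Encapsulation only: a header in front of the inner packet."""
    return HEADER.pack(spi, seq) + inner


def unprotected_decapsulate(packet: bytes) -> bytes:
    """Strips the header and trusts whatever follows it."""
    return packet[HEADER.size:]


class Tunnel:
    """One direction of an authenticated tunnel with replay protection."""

    def __init__(self, spi: int, key: bytes, window: int = 64):
        self.spi = spi
        self.key = key
        self.window = window
        self.send_seq = 0
        self.recv_high = 0      # highest sequence number accepted so far
        self.recv_bitmap = 0    # bit i set => (recv_high - i) already seen

    def encapsulate(self, inner: bytes) -> bytes:
        self.send_seq += 1
        header = HEADER.pack(self.spi, self.send_seq)
        tag = hmac.new(self.key, header + inner, hashlib.sha256).digest()
        return header + inner + tag

    def decapsulate(self, packet: bytes) -> Optional[bytes]:
        """Returns the inner packet, or None if the packet is rejected."""
        if len(packet) < HEADER.size + TAG_LEN:
            return None
        header = packet[:HEADER.size]
        body = packet[HEADER.size:-TAG_LEN]
        tag = packet[-TAG_LEN:]
        spi, seq = HEADER.unpack(header)
        # Cheap replay check first, then the MAC, then update the window
        # (the order RFC 4303 prescribes).
        if spi != self.spi or not self._replay_ok(seq):
            return None
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        self._mark_seen(seq)
        return body

    def _replay_ok(self, seq: int) -> bool:
        if seq == 0:
            return False                  # sequence number 0 is never valid
        if seq > self.recv_high:
            return True                   # advances the right edge
        diff = self.recv_high - seq
        if diff >= self.window:
            return False                  # older than the window
        return not (self.recv_bitmap >> diff) & 1   # duplicate?

    def _mark_seen(self, seq: int) -> None:
        if seq > self.recv_high:
            shift = seq - self.recv_high
            mask = (1 << self.window) - 1
            self.recv_bitmap = ((self.recv_bitmap << shift) | 1) & mask
            self.recv_high = seq
        else:
            self.recv_bitmap |= 1 << (self.recv_high - seq)
```

A tampered byte or a replayed packet is rejected by the tunnel but silently accepted by the bare encapsulation; out-of-order packets within the window are still accepted, which is why the window exists at all.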
Intrusion Detection System
An intrusion detection system (IDS) inspects inbound and outbound network activity and identifies suspicious patterns that may indicate a network or system attack by someone attempting to break into or compromise a system. Listed below are the main classes of IDS, following Webopedia.
Misuse Detection vs. Anomaly Detection. In misuse detection, the IDS analyzes the information it gathers and compares it to large databases of attack signatures. Essentially, the IDS looks for specific attacks that have already been documented. Like a virus detection system, misuse detection software is only as good as the database of attack signatures against which it compares packets, and a known attack that is encoded or fragmented differently from its signature will be missed. In anomaly detection, the system administrator defines the baseline, or normal, state of the network: traffic load, protocol breakdown and typical packet size. The anomaly detector monitors network segments, compares their state to the baseline and looks for deviations.
Network-Based vs. Host-Based Systems. In a network-based system, or NIDS, the individual packets flowing through a network are analyzed. The NIDS can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules. In a host-based system (HIDS), the IDS examines the activity on each individual computer or host.
Passive System vs. Reactive System. In a passive system, the IDS detects a potential security breach, logs the information and signals an alert. In a reactive system, the IDS responds to the suspicious activity by logging off a user or by reprogramming the firewall to block network traffic from the suspected malicious source. Because a reactive system can be triggered by traffic with a forged source address, automatic blocking needs care or it becomes a way to cut off legitimate sources.
Though both relate to network security, an IDS differs from a firewall in that a firewall looks out for intrusions in order to stop them from happening: it limits access between networks to prevent intrusion, and it does not signal an attack that originates inside the network. An IDS evaluates a suspected intrusion once it has taken place and signals an alarm, and it also watches for attacks that originate from within a system. Leading IDS vendors include Cisco, Computer Associates and Symantec.
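The two detection approaches side by side, as an added example that is not code from the article or from any IDS product: a signature scan over event payloads, and an anomaly scan that learns an events-per-second baseline from a quiet period and flags seconds that exceed it. The signatures, addresses and events are constructed, and the last event deliberately encodes the same traversal attack in a form the signature does not cover.

```python
# Added example, not from the article: misuse (signature) detection and
# anomaly (baseline) detection over a constructed set of network events.
import re
import statistics
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Event:
    t: int          # timestamp, whole seconds
    src: str
    dst: str
    dport: int
    payload: bytes


# Misuse detection: patterns for attacks that are already documented.  These
# two are illustrative and not copied from any real signature database.
SIGNATURES = [
    ("http-directory-traversal", re.compile(rb"GET\s+\S*\.\./")),
    ("smtp-vrfy-probe", re.compile(rb"^VRFY\s", re.M)),
]


def signature_scan(events: List[Event]) -> List[Tuple[str, str, int]]:
    """(signature name, source, time) for every event matching a signature."""
    hits = []
    for ev in events:
        for name, pattern in SIGNATURES:
            if pattern.search(ev.payload):
                hits.append((name, ev.src, ev.t))
    return hits


# Anomaly detection: a baseline of "normal" events per second learned from a
# quiet period, and a threshold k standard deviations above its mean.
def baseline_threshold(normal_counts: List[int], k: float = 3.0) -> float:
    mean = statistics.mean(normal_counts)
    sd = statistics.stdev(normal_counts) if len(normal_counts) > 1 else 0.0
    return mean + k * sd


def per_second_counts(events: List[Event]) -> Dict[int, int]:
    counts: Dict[int, int] = {}
    for ev in events:
        counts[ev.t] = counts.get(ev.t, 0) + 1
    return counts


def anomaly_scan(events: List[Event], normal_counts: List[int]) -> List[Tuple[int, int]]:
    """(second, count) for every second whose event count exceeds the baseline."""
    threshold = baseline_threshold(normal_counts)
    return sorted((t, n) for t, n in per_second_counts(events).items() if n > threshold)


# Constructed data: eight quiet seconds for the baseline, then a short capture
# containing one documented attack, one port sweep and one encoded variant.
NORMAL_COUNTS = [4, 5, 6, 5, 4, 6, 5, 5]
WEB = "192.0.2.10"
SAMPLE_EVENTS = (
    [Event(100, "198.51.100.7", WEB, 80, b"GET /index.html HTTP/1.0")]
    + [Event(101, "198.51.100.7", WEB, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.0")]
    + [Event(102, "203.0.113.5", WEB, port, b"") for port in range(20, 32)]
    + [Event(103, "198.51.100.7", WEB, 80, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0")]
)
```

Run over the sample, the signature scan reports the traversal at second 101 but not its percent-encoded twin at second 103, and the anomaly scan flags second 102, where twelve probes arrive against a baseline that rarely exceeds seven per second. Neither method alone covers both cases, which is why the two are usually deployed together.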
Firewall to Back-End Systems Security Technologies
There are a number of effective technologies that may be used in conjunction with the firewall, and from the firewall through to back-end systems, in order to thwart attempts by uninvited guests or disgruntled employees. Listed below are security technologies that address these areas of the enterprise.
Collaboration Software. Collaboration software such as Lotus Notes supports important security technologies such as PKI and SSL. In addition, the Notes administrator has the ability to control access and secure the servers. The Access Control List (ACL) of each database lists the members, groups and roles that may use it; only those user groups or employees authorized by the administrator may access the information stored in the firm's databases. Changes to this list of groups or users may be made quickly and easily to adapt to the dynamic changes of a project. The administrator may also assign different levels of security to the servers themselves. Leading established collaboration software vendors include Lotus, Microsoft and Novell.
Enterprise Management Systems. Enterprise management systems are open network-computing management solutions that extend from the mainframe to the desktop and simplify administration by centralizing various functions into one control center. In addition, these systems offer a broad range of security-related capabilities and provide support for the following:
- Authentication and access
- Firewall administration
- Intrusion detection
- LDAP directory server administration
- Network management
- Operating systems
- PKI
- User administration
- Virus protection
Leading vendors include Computer Associates, Hewlett Packard and Tivoli Software.
The concept of the bottom line has come to mean many things beyond the final calculation of profit made by subtracting expenses from income. Unfortunately, it has come to mean a final decision-making statement rather than a signpost on a journey. It has also come to stand for an evaluation of success or failure as measured by a quarterly earnings report.
While this is debilitating to the business climate at any time, it is much more critically felt at this moment in history as it bears on both the American and world economies. These are often seen as separable, so we must couch our conclusions in that frame of reference even while we disagree with it. The fact is that the American economy is in difficulties directly proportional to its ever-increasing reliance on the bottom line. Successfully transforming businesses through the implementation of accurately gauged EA planning, using SOA components, is one measure that can help ameliorate this condition.
However, it may well be that failure to understand the paramount importance of information technology, implemented carefully in line with a well-founded EA-SOA plan, will equate to eventual failure for any organization in an increasingly competitive world. It is critical to come to this understanding soon. Further, this must be an understanding that recognizes the primary importance of not simply allowing or enabling better communications design, but requiring it, and requiring it in a way that soundly maintains the knowledge management base on which the organization or business depends and upon which ongoing improvements in the EA-SOA implementation plan can be realized.
That is the ultimate bottom line, and real meaning of continuous improvement. It is not something that one can indefinitely postpone to some more convenient time. Your organization's survival may just depend on it.
Glossary of Terms
ADO.NET. Provides the native data access layer for the .NET Framework.
ASP. Active Server Pages is a set of software components that run on a Web server and allow Web developers to build dynamic Web pages.
ASP+. The next generation of Active Server Pages, released as ASP.NET. It provides the services developers need to build enterprise-class Web applications.
BPEL. Business Process Execution Language forms the technical foundation for multiple usage patterns, including both the process interface descriptions required for business protocols and executable process models.
BPELJ. Business Process Execution Language for Java (BPELJ) is a joint effort by BEA and IBM that is a combination of BPEL and the Java programming language allowing the two languages to be used together to build business process applications.
BPEL4WS. Business Process Execution Language for Web Services is an OASIS specification that provides a common language for business processes and business interaction protocols. BPEL4WS is designed to integrate heterogeneous applications and services into transactional business processes.
CLR. The common language runtime provides the common services for .NET Framework applications. Programs can be written for the common language runtime in just about every language, including C, C++, C# and Microsoft Visual Basic, as well as older languages such as Fortran. The runtime simplifies programming by assisting with many mundane tasks of writing code, including memory management (a big generator of bugs), security management and error handling.
COM. The Component Object Model is an object-based programming specification, designed to provide object interoperability through sets of predefined routines called interfaces.
COM+. Provides an enterprise development environment, based on the Microsoft component object model (COM), for creating component-based, distributed applications.
CORBA. Common object request broker architecture is the Object Management Group (OMG) vendor-independent architecture and infrastructure, which computer applications use to work together over networks.
CSS. Cascading style sheets is a style sheet language that enables authors and users to attach style (fonts, spacing and aural cues) to structure that include HTML and XML applications.
DOM. Document object model is a platform and language neutral interface that allows programs and scripts to dynamically access and update the content, structure and style of documents.
DTD. A document type definition specifies which elements and attributes an XML (or SGML) document may contain and how they may be nested; it defines the allowed structure of each tag, not its meaning.
EJB. Enterprise JavaBeans is a server-side component architecture that conforms to the Sun EJB component model. EJBs may be used to create business objects, and related content may be delivered using JavaServer Pages (JSPs).
FTP. File transfer protocol is the protocol used on the Internet for sending files.
HTML. Hypertext markup language is a non-proprietary format based on SGML and is the publishing language of the Web.
IDL. The Interface Definition Language is the language in which CORBA interfaces are specified; language mappings from IDL generate the stubs and skeletons through which clients call CORBA services.
Java. A cross-platform programming language that allows applications to be distributed over networks and the Internet.
JavaMail. J2EE applications use the JavaMail API to send e-mail notifications.
J2C. The connector architecture specification (JCA Specification) is a standard architecture for integrating Java applications with existing enterprise information systems.
J2EE. Java 2 Platform Enterprise Edition defines a standard for developing multitier applications.
J2ME. Java 2 Platform Micro Edition provides application-development platform for mobile devices including cell phones and PDAs.
JAAS. Java Authentication and Authorization Service provides a way for a J2EE application to authenticate a specific user or group of users and authorize them to run it.
JAF. The JavaBeans Activation Framework provides a standard service to determine the type of an arbitrary piece of data, encapsulate access to it, discover the operations available on it and create the appropriate JavaBeans component to perform those operations.
JAXP. The Java API for XML Processing (JAXP) supports the processing of XML documents using DOM, SAX, and XSLT. It enables applications to parse and transform XML documents independent of a particular XML processing implementation.
JAXR. The Java API for XML Registries (JAXR) facilitates access to business and general purpose registries over the Web. JAXR supports the ebXML Registry and Repository and UDDI.
JAX RPC. Java API for XML-based RPC (JAX-RPC) is used to build Web applications and Web services, incorporating XML-based RPC functionality according to the simple object access protocol (SOAP) 1.1 specification.
JDBC. Java database connectivity is the standard API for accessing relational data.
JMS. Java messaging service is the standard API for sending and receiving messages.
JNDI. The Java Naming and Directory Interface is the standard API for accessing information in enterprise naming and directory services.
JSP. Java server pages are a way to create dynamic Web content. They may also be used to generate and consume XML between n-tier servers or between servers and clients.
JVM. The Java virtual machine runs the Java applications.
JTA. Java transaction API defines a high-level transaction management specification.
JTS. Java transaction services ensures interoperability with sophisticated transaction resources.
LDAP. Lightweight directory access protocol is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access.
Microsoft .NET Framework. Is the foundation of the next generation of Windows-based applications to build, deploy, and integrate with other networked systems. The .NET Framework consists of two main parts: the common language runtime (CLR) and the .NET Framework class library.
Microsoft .NET Class Library. The library includes prepackaged sets of functionality that developers can use to more rapidly extend the capabilities of their own software. The .NET Library is made of three main components that include 1) ASP.NET to help build Web applications and Web services 2) Windows Forms to facilitate smart client user interface development 3) ADO.NET to help connect applications to databases.
Namespaces. XML namespaces provide a simple method for qualifying element and attribute names used in XML documents by associating them with namespaces identified by URI references.
OASIS. The Organization for the Advancement of Structured Information Standards is a not-for-profit consortium that advances electronic business by promoting open, collaborative development of interoperability specifications.
ODBC. Open database connectivity is a widely accepted API for database access. It is based on the call-level interface (CLI) specifications from X/Open and ISO/IEC for database APIs and uses structured query language (SQL) as its database access language.
OMG. Object Management Group is the industry group dedicated to promoting object-oriented (OO) technology and its standardization.
PKI: Public-key infrastructure is the combination of software, encryption technologies and services designed to protect the security of communications and business transactions on the Internet.
RMI. Remote Method Invocation lets a Java object invoke methods on Java objects running in another virtual machine; it is used for creating and distributing Java objects across a network.
RMI/IIOP. Provides developers an implementation of the Java RMI API over the Object Management Group (OMG) standard Internet Inter-ORB Protocol (IIOP). This allows developers to write remote interfaces between clients and servers.
SAX. Simple API for XML is an event-based interface for processing XML documents
Servlets. Allow users to run Java code on the server and send HTML pages to a browser.
SSL: Secure sockets layer is a security technology that is commonly used to secure server to browser transactions.
SOAP. Simple object access protocol is a World Wide Web Consortium (W3C) specification that facilitates the interoperability between a broad mixture of programs and platforms.
SQL. Structured query language is a standard language for making interactive queries from and updating databases.
UBL. Universal Business language (UBL) defines a common XML library of business documents, such as purchase orders and invoices, as well as reusable data components from which an unlimited number of other documents can be constructed. It is designed to plug directly into existing business, legal, auditing, and records management practices, eliminating the re-keying of data in existing fax- and paper-based supply chains and providing an entry point into electronic commerce for small and medium-sized businesses.
UDDI. Universal Description, Discovery and Integration is an online directory that gives businesses and organizations a uniform way to describe their services, discover other companies' services and understand the methods required to conduct business with a specific company.
Username. Is used to gain access to a computer system. Usernames and often passwords are required in multiuser systems.
Web Services. Components that reside on the Internet and have been designed to be published, discovered and invoked dynamically across various platforms and dissimilar networks.
WS-Reliability. Is a specification for open, reliable Web services messaging - including guaranteed delivery, duplicate message elimination and message ordering - enabling reliable communication between Web services.
WSS. Web Services Security (WSS) is an OASIS standard that handles complex confidentiality and integrity for SOAP messages, providing a general-purpose mechanism for associating security tokens with message content. It is designed to be extensible; WSS supports multiple security token formats.
WSDL. The Web Services Description Language is an XML-based language for describing the interface, data types, message formats, protocol bindings and location of a Web service. WSDL documents are typically published to a UDDI directory so that registrants' services can be found and invoked.
WS-I. The Web Services Interoperability Organization is an open industry effort chartered to promote Web Services interoperability across platforms, applications, and programming languages. The organization brings together a diverse community of Web services leaders to respond to customer needs by providing guidance, recommended practices, and supporting resources for developing interoperable Web services.
WSRP. Web Services for Remote Portlets is an OASIS specification for using Web services to deliver information to Internet portals, which helps to promote reuse.
XBRL. eXtensible Business Reporting Language provides an identifying tag for each individual item of data. For example, computers can treat XBRL data "intelligently" because they can recognize the information in a XBRL document, select it, analyze it, store it, exchange it with other computers and present it automatically in a variety of ways for end users.
XML. Extensible markup language is a non-proprietary subset of SGML. It is focused on data structure and uses tags to specify the content of the data elements in a document.
XML Encryption and XML Signature. Both security technologies became W3C Recommendations in 2002. XML Signature, when paired with XML Encryption, permits users to sign and encrypt selected portions of XML data rather than whole documents.
XML Schema. Schemas are used to define and document XML applications.
XPath. XML path language's primary purpose is to address parts of an XML document. In support of this primary purpose, it also provides basic facilities for manipulation of strings, numbers and booleans.
XPointer. XML pointer language is based on the XML Path language (XPath) and supports addressing into the internal structures of XML documents. It allows for examination of a hierarchical document structure and choice of its internal parts based on various properties, such as element types, attribute values, character content and relative position.
XQuery. A query language that uses the structure of XML intelligently. It can express queries across many kinds of data, whether physically stored in XML or viewed as XML via middleware, and is designed to be broadly applicable across many types of XML data sources.
XSL. Extensible stylesheet language describes how data is presented. XSL may also be used to transform XML data into HTML/CSS documents on the Web servers.
XSLT. Extensible stylesheet language transformation is a language for transforming XML documents into other XML documents. XSLT is designed for use as part of XSL, which is a stylesheet language for XML.
W3C. The World Wide Web Consortium has become the primary organization for creating Web specifications, and whose principal goal is interoperability.
Rex Brooks, president of Stabourne Communications Design, has pursued an extensive and wide-ranging career in advertising art direction, corporate identity and graphic design. His ongoing interests have included the applications of computer technology in his field and applying concepts from the fields of psychology, sociology and advertising in the area of semantics and semiotics for the purposes of improving communications in digital information systems. This led to his involvement with OASIS in the HumanMarkup Technical Committee helping to create the Human Markup Language. He is the cofounder of the Content Development Working Group of the Web 3D Consortium and Humanmarkup.org, Inc. and serves as vice chair of the OASIS HumanMarkup Technical Committee. He is also actively serving on the OASIS Web Services for Remote Portlets and Emergency Management Technical Committees. You can reach him at email@example.com.
Russell Ruggiero is a senior IT analyst. He is the acting chairman of HumanMarkup.org. Ruggiero has authored more than 150 articles and reports for well-respected firms that include Gartner, Inc. and Source Media. He may be reached at firstname.lastname@example.org.