2 hours 41 minutes
And welcome back to Episode 14
of Cyber Security Architecture Fundamentals:
Architecture Documentation, Part Two.
In this session,
I would be covering architectural decisions: what it is, how to put it together,
and how to put all the previous work from the past sessions, from threat models to architecture design,
into one document.
I will end off with some commercial tools that can help you.
So what is an architectural decision?
Well, from Wikipedia,
architectural decisions influence and impact the non-functional characteristics of a system.
Each architectural decision describes a concrete, architecturally significant design issue,
also known as a design problem or decision required,
for which several potential solutions or options exist.
In short, you present why you made certain decisions and also the thought process behind coming to that decision. This is extremely important, as there are always trade-offs in everything we do.
In some cases, we choose a certain solution because it's the only option we can afford. And that is a valid architectural decision.
The last thing you want is someone coming in five years later, looking at the design and wondering why such a decision was made, and they question your competency.
So it's good to document all decisions and the rationale behind them so that future generations could understand how we arrived at those conclusions.
I think this is best illustrated with an example.
In this example, I'm creating an architectural decision on the authentication method used for our application.
So in this case, we have the subject area being authentication,
and we state the decision that needs to be made, in this case, which authentication ID do we use.
Next, we try to articulate what is the issue or problem statement.
In this case, we would say we're unsure how many users have Facebook accounts that would use our system.
And if we use a local ID, how do we manage and verify the local IDs?
These would scope out the problem statement for the decision.
In making any decision, we usually have some assumptions. It is important to set down all the assumptions made when making this decision.
In this case, the assumption made was that 80% of the target customers have a Facebook account,
and we assume that Facebook would do a better job at ID verification than our internal team.
Next, we try to understand what was the motivation that drives the decision. In this case, the design principle of having minimal steps for the customer to create a logon was the motivation.
We also want to ensure that we document our completeness of thought. In this case, we have three alternatives,
and we could have used a Google ID or Twitter ID as the login name.
In this case, the decision was made to use a Facebook ID.
Then we write the justification. We use Facebook ID simply because
the developers only know the Facebook API, and it's the only one that they're comfortable with. This is a valid decision,
as maybe the speed of delivery is important and they have no time to learn something else.
We would also need to list the implications or consequences of this decision.
In this case, customers who are like having a Facebook account will not come to your site or use your application.
And lastly, we try to link other related decisions. For example, in this case, there might be another decision based on how users are verified, and we'll link them together so that someone reviewing the design could follow through all the related decisions.
This, in essence, is an architectural decision document. We would need to create one of these for every major decision made along the way.
Taking a step back, going back to the views in the previous session, we want to talk about how you actually document the views.
Well, the primary presentation is usually graphical. It's easier to convey the design in a picture rather than words. And English might not be the first language for many of your development team,
and we need to show what are the elements
in the design and what is the relationship between them.
We should also include the key that explains the notation used and gives meaning to each symbol. Don't forget, the lines need meaning too.
It is also important to develop an element catalog, which explains all the elements used in the presentation.
We usually put this in a table or in a textual description.
If you're using a formal tool, this can be in
a definition table in a database.
Sometimes some resources have variables. Do not forget to list them. For example, if you use a pool mechanism,
list the number of instances in the pool
and any other parameters that are necessary to explain
the model.
Now, do remember to attach the architecture decision for each of those views together with the design, so that they stay together for somebody reviewing it.
And for completeness, also remember to relate it to another view which is showing the same system or same processes.
As you can imagine,
this gets very difficult
when your size grows and you have many components and many architectural decisions to be made.
It's very difficult to do this on paper or even discrete pictures like Visio or PowerPoint. If you do use paper to record these, make sure you have a very good indexing system,
and a spreadsheet is a pretty good tool for this,
but I believe it's worthwhile to invest in an architecture tool to help you manage your artifacts and the relationships.
Do try to use standard formal notation like UML to help in the communication,
as the English language is not exactly very precise.
Another point to note is, please start to create an asset catalog
to help reuse. Architecture gets easier over time. If you have a control to help mitigate a certain risk, that control could be reused in another system with the same risks. So do take note of this.
As with everything else, no one knows everything. Be open to feedback
and update the document. The architecture document is a living document that needs to be updated when new information is uncovered.
Sometimes new technology is invented or new tricks are discovered, or some of your controls might be obsoleted.
Make it a point to keep it up to date with the latest information and design.
As mentioned earlier, I'll highlight
a few of the tools that are used by security architects.
Orbus iServer is a tool that supports the SABSA architecture.
The link here has a video to show how it would work and how it would help to have a central repository of your artifacts.
Visual Paradigm is another very popular tool used by architects.
It helps in linking all your diagrams together,
and it has out-of-the-box support for many of the industry frameworks.
Another popular tool is UNICOM System Architect, formerly known as the IBM Rational System Architect.
This tool helps pull together all the different artifacts and lets you drill down or go up to see all the different relationships within multiple systems.
While all of these tools have a learning curve,
it's actually more effective to spend the time to learn how to use a tool and document all your designs in a structured way.
To go into more detail, here are some good resources.
In the IEEE Software magazine, there was an article back in 2005 on architecture decisions, "Demystifying Architecture".
It has a pretty good explanation of how and why you should document your architecture decisions.
And on SlideShare, I found an interesting presentation on how to do modeling of security architecture.
It might be a good video to see to compare with what you are doing currently.
So to wrap up this session,
I'll just briefly go through
what we discussed. We went through what is an architecture decision
and how to document it. Remember to use the template I provided to help you get started.
We also went through various tools that can help you.
In the absence of tools, please take care to index your documents and create relationships.
It can be pretty confusing once you grow to a certain size.
In the next session, which would be the last session in the series, I would go through a case study
on how security architecture is applied. So if you have the time, please join me in the next session.
Fundamentals of Cybersecurity Architecture
This cyber security architecture class aims to give an appreciation of the various aspects of consideration that goes into a proper security architecture.