TechEd 2009: Day 1 Session Notes

Good first day.  Keynote was relatively interesting (even though I don’t fully understand why the presenters use fluffy “CEO friendly” slides and language in a room of techies) and had a few announcements.  The one that caught my eye was the public announcement of the complex event processing (CEP) engine being embedded in SQL Server 2008 R2.  In my book I talk about CEP and apply the principles to a BizTalk solution.  However, I’m much happier that Microsoft is going to put a real effort into this type of solution instead of the relative hack that I put together.  The session at TechEd on this topic is Tuesday.  Expect a write up from me.

Below are some of the session notes from what I attended today.  I’m trying to balance sessions that interest me intellectually, and sessions that help me actually do my job better.  In the event of a tie, I choose the latter.

Data Governance: A Solution to Privacy Issues

This session interested me because I work for a healthcare organization and we have all sorts of rules and regulations that direct how we collect, store and use data.  Key Takeaway: New website from Microsoft on data governance at

  • Low cost of storage and needs to extend offerings with new business models have led to unprecedented volume of data stored about individuals
  • You need security to achieve privacy, but security is not a guarantee of privacy
  • Privacy, like security, has to be embedded into application lifecycle (not a checkbox to “turn on” at the end)
  • Concerns
    • Data breach …
    • Data retention
      • 66% of data breaches in 2008 involved data that was not known to reside on the affected system at the time of incident
  • Statutory and Regulatory Landscape
    • In EU, privacy is a fundamental right
      • Defined in 95/46/EC
        • Defines rules for transfer of personal data across member states’ borders
      • Data cannot be transported outside of EU unless citizen gives consent or legal framework, like Safe Harbor, is in place
        • Switzerland, Canada and Argentina have legal framework
        • US has “Safe Harbor” where agreement is signed with US Dept of Commerce which says we will comply with EU data directives
      • Even data that may individually not identify you, but if aggregated, might lead you to identify an individual; can’t do this as still considered “personal data”
    • In US, privacy is not a fundamental right
      • Unlike EU, in US you have patchwork of federal laws specific to industries, or specific to a given law (like data breach notification)
      • Personally identifiable information (PII) – info which can be used to distinguish or trace an individual’s identity
        • Like SSN, or drivers license #
    • In Latin America, some countries have adopted EU-style data protection legislation
    • In Asia, there are increased calls for unified legislation
  • How to cope with complexity?
    • Standards
      • ISO/IEC CD 29100 information technology – security techniques – privacy framework
        • How to incorp. best practices and how to make apps with privacy in mind
      • NIST SP 800-122 (Draft) – guidelines for gov’t orgs to identify PII that they might have and provides guidelines for how to secure that information and plan for data breach incident
    • Standards tell you WHAT to do, but not HOW
  • Data governance
    • Exercise of decision making and authority for data related matters (encompasses people, process and IT required for consistent and proper handling across the enterprise)
    • Why DG?
      • Maximize benefits from data assets
        • Improve quality, reliability and availability
        • Establish common data definitions
        • Establish accountability for information quality
      • Compliance
        • Meet obligations
        • Ensure quality of compliance related data
        • Provide flexibility to respond to new compliance requirements
      • Risk Management
        • Protection of data assets and IP
        • Establish appropriate personal data use to optimally balance ROI and risk exposure
    • DG and privacy
      • Look at compliance data requirements (that comes from regulation) and business data requirements
      • Feeds the strategy made up of documented policies and procedure
        • Consider what info you ask of customers and make sure it has a specific business use
  • Three questions
    • Collecting right data aligned with business goals? Getting proper consent from users?
    • Managing data risk by protecting privacy if storing personal information
    • Handling data within compliance of rules and regulations that apply
  • Think about info lifecycle
    • How is data collected, processed and shared and who has access to it at each stage?
      • Who can update? How know about access/quality of attribute?
      • What sort of processing will take place, and who is allowed to execute those processes?
      • What about deletion? How does removal of data at master source cascade?
      • New stage: TRANSFER
        • Starts whole new lifecycle
        • Move from one biz unit to another, between organizations, or out of data center and onto user laptop
  • Data Governance and Technology Framework
    • Secure infrastructure – safeguard against malware, unauthorized access
    • Identity and access control
    • Information protection – while at risk, or while in transit; protecting both structured and unstructured data
    • Auditing and reporting – monitoring
  • Action plan
    • Remember that technology is only part of the solution
    • Must catalog the sensitive info
    • Catalog it (what is the org impact)
    • Plan the technical controls
      • Can do a matrix with stages on left (collect/update/process/delete/transfer/storage) and categories at top (infrastructure, identity and lifecycle, info protection, auditing and reporting)
      • For collection, answers across may be “secure both client and web”, “authN/authZ” and “encrypt traffic”
        • Authentication and authorization
      • For update, may log user during auditing and reporting
      • For process, may secure host (infra) and “log reason” in audit/reporting
  • Other tools
    • IT Compliance Management Guide
      • Compliance Planning Guide (Word)
      • Compliance Workbook (Excel)

Programming Microsoft .NET Services

I hope to spend a sizeable amount of time this year getting smarter on this topic, so Aaron’s session was a no-brainer today.  Of course I’ll be much happier if I can actually call the damn services from the office (TCP ports blocked).  Must spend time applying the HTTP ONLY calling technique. Key Takeaway: Dig into queues and routers and options in their respective policies and read the new whitepapers updated for the recent CTP release.

  • Initial focus of the offering is on three key developer challenges
    • Application integration and connectivity
      • Communication between cloud and on-premises apps
      • Clearly we’ve solved this problem in some apps (IM, file sharing), but lots of plumbing we don’t want to write
    • Access control (federation)
      • How can our app understand the various security tokens and schemes present in our environment and elsewhere?
    • Message orchestration
      • Coordinate activities happening across locations centrally
  • .NET Service Bus
    • What’s the challenge?
      • Give external users secure access to my apps
      • Unknown scale of integration or usage
      • Services may be running behind firewalls not typically accessible from the outside
    • Approach
      • High scale, high availability bus that supports open Internet protocols
    • Gives us global naming system in the cloud and don’t have to deal with lack of IP v4 available addresses
    • Service registry provides mapping from URIs to service
      • Can use ATOM pub interface to programmatically push endpoint entries to the cloud
    • Connectivity through relay or direct connect
      • Relay means that you actually go through the relay service in the bus
      • For direct, the relay helps negotiate a direct connection between the parties
    • The NetOneWayRelayBinding and NetEventRelayBinding don’t have a OOB WCF binding comparison, but both are set up for the most aggressive network traversal of the new bindings
    • For standard (one way) relay, need TCP 828 open on the receiver side (one way messages through TCP tunnel)
    • Q: Do relay bindings encrypt username/pw credentials sent to the bus? Must be through ACS.
    • Create specific binding config for binding in order to set connection mode
    • Have new “connectionstatechangedevent” so that client can respond to event after connection switches from relay to direct connection as result of relay negotiations based on “direct” binding config value
      • Similar thing happens with IM when exchanging files; some clients are smart enough to negotiate direct connections after the session is established
    • Did quick demo showing performance of around 900 messages per second until the auto switch to direct when all of sudden we saw 2600+ messages per second
    • For multi-cast binding (netEventRelayBinding), need same TCP ports open on receivers
    • How deal with durability for unavailable subscribers? Answer: queues
    • Now can create queue in SB account, and clients can send messages and listeners pull, even if online at different times
      • Can set how long queue lives using queue policy
      • Also have routers using router policy; now you can set how you want to route messages to listeners OR queues; sets a distribution policy and say distribute to “all” or “one” through a round-robin
      • Routers can feed queues or even other routers
  • .NET Access Control Service
    • Challenges
      • Support many identities, tokens and such without your app having to know them all
    • Approach
      • Automate federation through hosted STS (token service)
      • Model access control as rules
    • Trust established between STS and my app and NOT between my app and YOUR app
    • STS must transform into a claim consumable by your app (it really just does authentication (now) and transform claims)
    • Rules are set via web site or new management APIs
      • Define scopes, rules, claim types and keys
    • When on solution within management portal, manage scopes; set your solution; if pick workflow, can manage in additional interface;
      • E.g. For send rule, anytime there is a username token with X (and auth) then produce output claim with value of “Send”
      • Service bus is looking at “send” and “listen” rules
    • Note that you CAN do unauthenticated senders
  • .NET Workflow Service
    • Challenge
      • Describe long-running processes
    • Approach
      • Small layer of messaging orchestration through the service bus
    • APIs that allow you to deploy, manage and run workflows in the cloud
    • Have reliable, scalable, off-premises host for workflows focused specifically on message orchestration
    • Not a generic WF host; the WF has to be written for the cloud through use of specific activities

Author: Richard Seroter

Richard Seroter is Director of Outbound Product Management at Google Cloud, with a master’s degree in Engineering from the University of Colorado. He’s also an instructor at Pluralsight, a frequent public speaker, the author of multiple books on software design and development, plus former editor and former 12-time Microsoft MVP for cloud. As Director of Outbound Product Management at Google Cloud, Richard leads a team focused on products that help teams build and run modern software. Richard maintains a regularly updated blog on topics of architecture and solution design and can be found on Twitter as @rseroter.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.