TechEd 2009: Day 1 Session Notes

Good first day.  Keynote was relatively interesting (even though I don’t fully understand why the presenters use fluffy “CEO friendly” slides and language in a room of techies) and had a few announcements.  The one that caught my eye was the public announcement of the complex event processing (CEP) engine being embedded in SQL Server 2008 R2.  In my book I talk about CEP and apply the principles to a BizTalk solution.  However, I’m much happier that Microsoft is going to put a real effort into this type of solution instead of the relative hack that I put together.  The session at TechEd on this topic is Tuesday.  Expect a write up from me.

Below are some of the session notes from what I attended today.  I’m trying to balance sessions that interest me intellectually, and sessions that help me actually do my job better.  In the event of a tie, I choose the latter.

Data Governance: A Solution to Privacy Issues

This session interested me because I work for a healthcare organization and we have all sorts of rules and regulations that direct how we collect, store and use data.  Key Takeaway: New website from Microsoft on data governance at

  • Low cost of storage and needs to extend offerings with new business models have led to unprecedented volume of data stored about individuals
  • You need security to achieve privacy, but security is not a guarantee of privacy
  • Privacy, like security, has to be embedded into application lifecycle (not a checkbox to “turn on” at the end)
  • Concerns
    • Data breach …
    • Data retention
      • 66% of data breaches in 2008 involved data that was not known to reside on the affected system at the time of incident
  • Statutory and Regulatory Landscape
    • In EU, privacy is a fundamental right
      • Defined in 95/46/EC
        • Defines rules for transfer of personal data across member states’ borders
      • Data cannot be transported outside of EU unless citizen gives consent or legal framework, like Safe Harbor, is in place
        • Switzerland, Canada and Argentina have legal framework
        • US has “Safe Harbor” where agreement is signed with US Dept of Commerce which says we will comply with EU data directives
      • Even data that may individually not identify you, but if aggregated, might lead you to identify an individual; can’t do this as still considered “personal data”
    • In US, privacy is not a fundamental right
      • Unlike EU, in US you have patchwork of federal laws specific to industries, or specific to a given law (like data breach notification)
      • Personally identifiable information (PII) – info which can be used to distinguish or trace an individual’s identity
        • Like SSN, or drivers license #
    • In Latin America, some countries have adopted EU-style data protection legislation
    • In Asia, there are increased calls for unified legislation
  • How to cope with complexity?
    • Standards
      • ISO/IEC CD 29100 information technology – security techniques – privacy framework
        • How to incorp. best practices and how to make apps with privacy in mind
      • NIST SP 800-122 (Draft) – guidelines for gov’t orgs to identify PII that they might have and provides guidelines for how to secure that information and plan for data breach incident
    • Standards tell you WHAT to do, but not HOW
  • Data governance
    • Exercise of decision making and authority for data related matters (encompasses people, process and IT required for consistent and proper handling across the enterprise)
    • Why DG?
      • Maximize benefits from data assets
        • Improve quality, reliability and availability
        • Establish common data definitions
        • Establish accountability for information quality
      • Compliance
        • Meet obligations
        • Ensure quality of compliance related data
        • Provide flexibility to respond to new compliance requirements
      • Risk Management
        • Protection of data assets and IP
        • Establish appropriate personal data use to optimally balance ROI and risk exposure
    • DG and privacy
      • Look at compliance data requirements (that comes from regulation) and business data requirements
      • Feeds the strategy made up of documented policies and procedure
        • Consider what info you ask of customers and make sure it has a specific business use
  • Three questions
    • Collecting right data aligned with business goals? Getting proper consent from users?
    • Managing data risk by protecting privacy if storing personal information
    • Handling data within compliance of rules and regulations that apply
  • Think about info lifecycle
    • How is data collected, processed and shared and who has access to it at each stage?
      • Who can update? How know about access/quality of attribute?
      • What sort of processing will take place, and who is allowed to execute those processes?
      • What about deletion? How does removal of data at master source cascade?
      • New stage: TRANSFER
        • Starts whole new lifecycle
        • Move from one biz unit to another, between organizations, or out of data center and onto user laptop
  • Data Governance and Technology Framework
    • Secure infrastructure – safeguard against malware, unauthorized access
    • Identity and access control
    • Information protection – while at risk, or while in transit; protecting both structured and unstructured data
    • Auditing and reporting – monitoring
  • Action plan
    • Remember that technology is only part of the solution
    • Must catalog the sensitive info
    • Catalog it (what is the org impact)
    • Plan the technical controls
      • Can do a matrix with stages on left (collect/update/process/delete/transfer/storage) and categories at top (infrastructure, identity and lifecycle, info protection, auditing and reporting)
      • For collection, answers across may be “secure both client and web”, “authN/authZ” and “encrypt traffic”
        • Authentication and authorization
      • For update, may log user during auditing and reporting
      • For process, may secure host (infra) and “log reason” in audit/reporting
  • Other tools
    • IT Compliance Management Guide
      • Compliance Planning Guide (Word)
      • Compliance Workbook (Excel)

Programming Microsoft .NET Services

I hope to spend a sizeable amount of time this year getting smarter on this topic, so Aaron’s session was a no-brainer today.  Of course I’ll be much happier if I can actually call the damn services from the office (TCP ports blocked).  Must spend time applying the HTTP ONLY calling technique. Key Takeaway: Dig into queues and routers and options in their respective policies and read the new whitepapers updated for the recent CTP release.

  • Initial focus of the offering is on three key developer challenges
    • Application integration and connectivity
      • Communication between cloud and on-premises apps
      • Clearly we’ve solved this problem in some apps (IM, file sharing), but lots of plumbing we don’t want to write
    • Access control (federation)
      • How can our app understand the various security tokens and schemes present in our environment and elsewhere?
    • Message orchestration
      • Coordinate activities happening across locations centrally
  • .NET Service Bus
    • What’s the challenge?
      • Give external users secure access to my apps
      • Unknown scale of integration or usage
      • Services may be running behind firewalls not typically accessible from the outside
    • Approach
      • High scale, high availability bus that supports open Internet protocols
    • Gives us global naming system in the cloud and don’t have to deal with lack of IP v4 available addresses
    • Service registry provides mapping from URIs to service
      • Can use ATOM pub interface to programmatically push endpoint entries to the cloud
    • Connectivity through relay or direct connect
      • Relay means that you actually go through the relay service in the bus
      • For direct, the relay helps negotiate a direct connection between the parties
    • The NetOneWayRelayBinding and NetEventRelayBinding don’t have a OOB WCF binding comparison, but both are set up for the most aggressive network traversal of the new bindings
    • For standard (one way) relay, need TCP 828 open on the receiver side (one way messages through TCP tunnel)
    • Q: Do relay bindings encrypt username/pw credentials sent to the bus? Must be through ACS.
    • Create specific binding config for binding in order to set connection mode
    • Have new “connectionstatechangedevent” so that client can respond to event after connection switches from relay to direct connection as result of relay negotiations based on “direct” binding config value
      • Similar thing happens with IM when exchanging files; some clients are smart enough to negotiate direct connections after the session is established
    • Did quick demo showing performance of around 900 messages per second until the auto switch to direct when all of sudden we saw 2600+ messages per second
    • For multi-cast binding (netEventRelayBinding), need same TCP ports open on receivers
    • How deal with durability for unavailable subscribers? Answer: queues
    • Now can create queue in SB account, and clients can send messages and listeners pull, even if online at different times
      • Can set how long queue lives using queue policy
      • Also have routers using router policy; now you can set how you want to route messages to listeners OR queues; sets a distribution policy and say distribute to “all” or “one” through a round-robin
      • Routers can feed queues or even other routers
  • .NET Access Control Service
    • Challenges
      • Support many identities, tokens and such without your app having to know them all
    • Approach
      • Automate federation through hosted STS (token service)
      • Model access control as rules
    • Trust established between STS and my app and NOT between my app and YOUR app
    • STS must transform into a claim consumable by your app (it really just does authentication (now) and transform claims)
    • Rules are set via web site or new management APIs
      • Define scopes, rules, claim types and keys
    • When on solution within management portal, manage scopes; set your solution; if pick workflow, can manage in additional interface;
      • E.g. For send rule, anytime there is a username token with X (and auth) then produce output claim with value of “Send”
      • Service bus is looking at “send” and “listen” rules
    • Note that you CAN do unauthenticated senders
  • .NET Workflow Service
    • Challenge
      • Describe long-running processes
    • Approach
      • Small layer of messaging orchestration through the service bus
    • APIs that allow you to deploy, manage and run workflows in the cloud
    • Have reliable, scalable, off-premises host for workflows focused specifically on message orchestration
    • Not a generic WF host; the WF has to be written for the cloud through use of specific activities

Author: Richard Seroter

Richard Seroter is Director of Developer Relations and Outbound Product Management at Google Cloud. He’s also an instructor at Pluralsight, a frequent public speaker, the author of multiple books on software design and development, and a former editor plus former 12-time Microsoft MVP for cloud. As Director of Developer Relations and Outbound Product Management, Richard leads an organization of Google Cloud developer advocates, engineers, platform builders, and outbound product managers that help customers find success in their cloud journey. Richard maintains a regularly updated blog on topics of architecture and solution design and can be found on Twitter as @rseroter.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.