Rajeev Ujjwal's Blog

Wishing You a Very Happy and Peaceful Diwali!

Darkness cannot drive out darkness; only light can do that. Hate cannot drive out hate; only love can do that – Martin Luther King, Jr.

Remember: putting crackers in your pocket is stupid and dangerous. Throwing crackers at people is stupid, dangerous and illegal; it is a criminal offence to do so. Take care of your children. Better to share the sweets and candlelight and enjoy – Rajeev & Family

Managing and Securing Employees’ Personal Devices (BYOD) through Active Directory 2012 R2!

Managing BYOD (Bring Your Own Device) through Microsoft Active Directory 2012 R2

A few weeks back I published my blog post “Microsoft Windows Server 2012 R2 Top 20 Released Features!”, and two of the important features listed there are “Workplace Join” and “Multitenant VPN gateway”. Today, let’s discuss these features in more detail.

As per Microsoft TechNet Article:

“One of the most prevalent IT industry trends at the moment is the proliferation of consumer devices in the workplace. Employees and partners want to access protected corporate data from their personal devices, from checking email to the consumption of advanced business applications. IT administrators in organizations, while wanting to enable this level of productivity, would like to continue to ensure that they can manage risk and govern the use of corporate resources.”

In Windows Server® 2012 R2, Active Directory has been enhanced with the value propositions below, so that employees’ personal devices can connect to the internal corporate network and reach their applications from anywhere, at any time, in a secured manner. It enables IT to let users be productive from a variety of devices:

  • Workplace Join – IT administrators can allow devices to be associated with the company’s Active Directory and use this association as a seamless second factor of authentication.
  • Single Sign-On (SSO) from devices that are associated with the company’s Active Directory
  • Managing Risk – Enable users to connect to applications and services from anywhere with Web Application Proxy
  • With Multi-Factor Access Control and Multi-Factor Authentication (MFA), manage the risk of users working from anywhere, accessing protected data from user’s devices.

Workplace Join:

Though the name “Workplace Join” is largely self-explanatory, let me explain it here: an employee can “join” his or her own device to his or her “workplace” (the internal corporate applications and data). In simple terms, employees can reach their applications and data everywhere, on any device.

To do this, employees register their devices with their AD domain. The device is then represented in AD as an object linked to its owner, and is trusted when it requests and runs company-secured applications or accesses company-secured data and resources.

To get more detail on Workplace Join – Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview

Single-Sign-On (SSO):

When a user joins a device to the workplace, it becomes “a known device and will provide seamless Second Factor Authentication and Single-Sign-On (SSO) to workplace resources and applications.” Once the device is “known”, the IT administrator can leverage that knowledge to apply and enforce additional configuration and policies (for example, pushing company policy settings to the device). Administrators can control who has access to company resources based on application, user, device, and location.

Practically speaking, the Device Registration Service (DRS) is the new feature that makes this work. It is part of the Active Directory Federation Services (ADFS) role and allows users to register their devices in the AD domain. During registration it issues a device certificate and records the device in AD as a device object linked to the registering user; that certificate represents the device’s identity at every subsequent sign-in, and the registration provides the on-board mechanism for Single Sign-On (SSO) with appropriate conditional access.

Single Sign-On (SSO) is the functionality that reduces the number of password prompts the end user has to answer when accessing company resources from known devices: the user is prompted only once during the lifetime of the SSO session when accessing company applications and resources. For example, a user wants to access several applications (SharePoint, Exchange and HR) from the same device. Without SSO, the user would be prompted to log in to every application; with SSO, the user is asked only once.

As mentioned above, the Device Registration Service in the ADFS role allows claims-based authentication to take place based on trusted certificates. Once the user is authenticated (username + password, plus the trusted device presenting its certificate), ADFS issues claims that the application trusts and that can be used to launch company applications or access company data. The security-relevant point is that the device certificate proves possession of the private key of a registered device, so a stolen password alone does not satisfy an application that requires a registered device. Conversely, the device is now part of the credential, so a lost or stolen device should have its registration disabled in AD promptly.

To get more detail on Single Sign-On – Join to Workplace from Any Device for SSO and Seamless Second Factor Authentication Across Company Applications Overview, or Single sign-on (Wikipedia).
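The following is an added example and not code from the original post or from Microsoft’s documentation. It shows the administrator’s side of Workplace Join and SSO described above: enabling DRS on the ADFS farm, turning on device authentication so that device claims are actually issued, and then auditing (and, when a device is lost, disabling) the device objects that registration creates in AD. The domain name contoso.com, the service account CONTOSO\svc-adfs and the assumption that the owner SID is returned as a byte array are mine, not the page’s.

```powershell
# Added example, not code from the original post: enable the Device Registration
# Service (DRS) on an AD FS 2012 R2 farm, then audit and, if needed, revoke the
# device objects that Workplace Join creates in Active Directory.
# Assumptions (not stated on the page): domain contoso.com, AD FS service
# account CONTOSO\svc-adfs, and the ADFS and ActiveDirectory PowerShell modules
# present on the federation server where this runs.

Import-Module ActiveDirectory

# --- 1. One-time DRS preparation (run once per forest, as Enterprise Admin) ---
# Creates the CN=RegisteredDevices container and the DRS configuration objects
# and grants the AD FS service account the rights to write device objects there.
Initialize-ADDeviceRegistration -ServiceAccountName 'CONTOSO\svc-adfs'

# Publish the DRS endpoint on the farm and make AD FS request the device
# certificate at sign-in. Without DeviceAuthenticationEnabled no device claims
# are ever issued, so any rule that depends on them can never be satisfied.
Enable-AdfsDeviceRegistration
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

if (-not (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled) {
    throw 'Device authentication is still disabled on the AD FS farm.'
}

# --- 2. Audit registered devices ---
# Workplace Join creates one msDS-Device object per device under
# CN=RegisteredDevices at the domain root. msDS-RegisteredOwner holds the
# owner's SID; msDS-IsEnabled = FALSE stops AD FS from authenticating the device.
function Resolve-OwnerSid {
    param($Raw)
    # Assumption: the SID comes back from ADWS as a byte array; fall back to
    # treating it as an SDDL string, and to the raw value if translation fails.
    try {
        $sid = if ($Raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($Raw, 0)
        } else {
            New-Object System.Security.Principal.SecurityIdentifier([string]$Raw)
        }
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        "$Raw"
    }
}

function Get-WorkplaceJoinedDevice {
    param([string]$Domain = 'contoso.com')
    $domainDn  = (Get-ADDomain -Identity $Domain).DistinguishedName
    $container = "CN=RegisteredDevices,$domainDn"
    $props     = 'displayName', 'whenCreated', 'msDS-IsEnabled',
                 'msDS-RegisteredOwner', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion'

    Get-ADObject -SearchBase $container -Filter 'objectClass -eq "msDS-Device"' -Properties $props |
        ForEach-Object {
            [pscustomobject]@{
                Device     = $_.displayName
                Owner      = Resolve-OwnerSid $_.'msDS-RegisteredOwner'
                OS         = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')"
                Enabled    = [bool]$_.'msDS-IsEnabled'
                Registered = $_.whenCreated
                DN         = $_.DistinguishedName
            }
        }
}

# Revoke a lost or stolen device without deleting the audit trail: AD FS no
# longer accepts its certificate, so the device stops counting as a second factor.
function Disable-WorkplaceJoinedDevice {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Set-ADObject -Identity $DistinguishedName -Replace @{ 'msDS-IsEnabled' = $false }
}

# Report: every registered device, its owner, and whether it is still enabled.
Get-WorkplaceJoinedDevice | Sort-Object Owner |
    Format-Table Device, Owner, OS, Enabled, Registered -AutoSize
```

Run the first section once on a federation server, the audit whenever you want to see which personal devices are currently trusted and by whom; pipe the DN of a lost device into Disable-WorkplaceJoinedDevice rather than deleting the object, so the registration history remains for investigation.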

Managing Risk through Web Application Proxy:

The Web Application Proxy is a new service that is part of the Remote Access role. Web Application Proxy “provides reverse proxy functionality for web applications inside the corporate network to allow users on any device to access them from outside the corporate network. It pre-authenticates access to web applications using ADFS, and is also known as an ADFS proxy.”

So, with SSO facilitated through DRS, an authenticated AD user on his or her own device can reach applications on the corporate network through a secure reverse-proxy layer, without a third-party VPN connection, and the organization manages the risk at that layer: when an application is published with ADFS pre-authentication, unauthenticated requests are answered by ADFS at the edge and never reach the internal web server. Note that the proxy can also publish applications in pass-through mode, in which it does not pre-authenticate; such applications must authenticate users themselves, so every pass-through publication should be a deliberate decision.

To get more detail on Managing Risk through Web Application Proxy – Connect to Applications and Services from Anywhere with Web Application Proxy Overview
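The following is an added example and not code from the original post. It publishes an internal claims-aware application through Web Application Proxy with ADFS pre-authentication, as the section above describes, and then lists any application published in pass-through mode so that unauthenticated exposure is reviewed rather than discovered. The federation service name fs.contoso.com, the relying-party name “HR Portal”, the internal and external host names and the certificate thumbprints are placeholders of mine, not values from the page.

```powershell
# Added example, not code from the original post: publish an internal web app
# through Web Application Proxy (WAP) with AD FS pre-authentication, then flag
# anything published without pre-authentication.
# Assumptions (not on the page): federation service fs.contoso.com; a relying
# party trust named "HR Portal" already exists in AD FS; internal host
# hr.corp.contoso.local; external host hr.contoso.com; thumbprints are placeholders.

# --- On the WAP server (Remote Access role, Web Application Proxy service) ---
# One-time: join this proxy to the AD FS farm. The credential is a local
# administrator on the federation servers; the certificate is the public SSL
# certificate for fs.contoso.com (it must be in the local machine store).
$cred = Get-Credential -Message 'AD FS administrator credential'
Install-WebApplicationProxy -FederationServiceName 'fs.contoso.com' `
    -CertificateThumbprint '0123456789ABCDEF0123456789ABCDEF01234567' `
    -FederationServiceTrustCredential $cred

# Publish the application. ExternalPreAuthentication ADFS means the proxy sends
# an unauthenticated browser to AD FS first; only requests carrying a valid
# AD FS token are forwarded to the backend. The external certificate must
# cover the external host name in its subject or SAN.
Add-WebApplicationProxyApplication -Name 'HR Portal' `
    -ExternalPreAuthentication ADFS `
    -ADFSRelyingPartyName 'HR Portal' `
    -ExternalUrl 'https://hr.contoso.com/' `
    -BackendServerUrl 'https://hr.corp.contoso.local/' `
    -ExternalCertificateThumbprint '89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Check: PassThrough publishing is legitimate for applications that perform
# their own authentication, but every PassThrough entry exposes a backend to
# unauthenticated traffic from the Internet and should be a deliberate choice.
function Get-PassThroughPublishedApp {
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalPreAuthentication -eq 'PassThrough' } |
        Select-Object Name, ExternalUrl, BackendServerUrl
}

# Check: every AD FS pre-authenticated application must point at a relying
# party trust that really exists, otherwise sign-in fails with a generic error.
function Get-AdfsPublishedApp {
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalPreAuthentication -eq 'ADFS' } |
        Select-Object Name, ADFSRelyingPartyName, ExternalUrl
}

Get-PassThroughPublishedApp | Format-Table -AutoSize
Get-AdfsPublishedApp        | Format-Table -AutoSize
```

Install-WebApplicationProxy is run once per proxy server; Add-WebApplicationProxyApplication is run per published application. The two reporting functions are the review step: the first list should be short and justified, and each entry in the second should match a relying-party trust name on the ADFS farm.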

Multi-Factor Access Control and Multi-Factor Authentication (MFA):

ADFS in Windows Server 2012 R2 supports more than a simple permit or deny for the user in its authorization claims. Microsoft added multi-factor access control, in which the access decision can take into account the user (identity and group membership), the device (whether it is workplace joined) and the network location, and can require additional authentication (a second factor) before access is granted. The built-in second factor is certificate authentication, and third-party multi-factor providers can be registered as additional authentication providers. Authorization and additional-authentication claim rules therefore have a greater variety of claim types to work with.

“In ADFS in Windows Server® 2012 R2, Administrator can enforce multi-factor access control based on user identity or group membership, network location, and device (whether it is workplace joined)”

To get more detail on Multi-Factor Access Control and Multi-Factor Authentication (MFA) – Manage Risk with Additional Multi-Factor Authentication for Sensitive Applications Overview
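The following is an added example and not code from the original post or from Microsoft’s documentation. It expresses the policy the quoted paragraph describes as ADFS claim rules: require a second factor when the user is outside the corporate network or on a device that is not workplace joined, and permit a sensitive application only to members of a given group on registered devices. The relying-party name “HR Portal”, the HR group SID and the choice of the built-in certificate provider as the second factor are assumptions of mine; the claim type URIs are the standard ADFS ones.

```powershell
# Added example, not code from the original post: AD FS 2012 R2 claim rules for
# (a) additional authentication (MFA) triggered by network location or by the
#     absence of a workplace-joined device, and
# (b) issuance authorization that permits only HR group members on registered
#     devices to reach a sensitive relying party.
# Assumptions (not on the page): relying party trust "HR Portal" exists; the
# HR group SID below is a placeholder; the built-in certificate provider is the
# second factor (a third-party MFA adapter would be named the same way).

$InsideCorp    = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$IsRegistered  = 'http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser'
$GroupSid      = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$AuthMethod    = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod'
$MultipleAuthn = 'http://schemas.microsoft.com/claims/multipleauthn'
$Permit        = 'http://schemas.microsoft.com/authorization/claims/permit'
$HrGroupSid    = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder

# Device claims exist only if AD FS asks for the device certificate, and an
# MFA rule only has an effect if an additional provider is enabled on the farm.
Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true `
    -AdditionalAuthenticationProvider 'CertificateAuthentication'

# (a) Additional authentication rules, scoped to the HR Portal. A rule that
# fires issues authenticationmethod = multipleauthn, which tells AD FS to run
# the additional provider. insidecorporatenetwork is "false" for requests that
# arrive through Web Application Proxy, "true" for direct internal requests.
$mfaRules = @"
@RuleName = "MFA when outside the corporate network"
c:[Type == "$InsideCorp", Value == "false"]
 => issue(Type = "$AuthMethod", Value = "$MultipleAuthn");

@RuleName = "MFA when the device is not workplace joined"
NOT EXISTS([Type == "$IsRegistered", Value == "true"])
 => issue(Type = "$AuthMethod", Value = "$MultipleAuthn");
"@

# (b) Issuance authorization rules: a permit claim is issued only when BOTH a
# registered-device claim and HR group membership are present. Anything that
# matches no rule receives no permit claim and is therefore denied.
$authzRules = @"
@RuleName = "Permit HR staff on workplace-joined devices only"
c1:[Type == "$IsRegistered", Value == "true"] &&
c2:[Type == "$GroupSid", Value == "$HrGroupSid"]
 => issue(Type = "$Permit", Value = "true");
"@

Set-AdfsRelyingPartyTrust -TargetName 'HR Portal' `
    -AdditionalAuthenticationRules $mfaRules `
    -IssuanceAuthorizationRules $authzRules

# Check: read the policy back and confirm the device- and location-based
# conditions are really in place on the farm and on this relying party.
function Test-HrPortalAccessPolicy {
    $rp = Get-AdfsRelyingPartyTrust -Name 'HR Portal'
    [pscustomobject]@{
        DeviceAuthOnFarm         = (Get-AdfsGlobalAuthenticationPolicy).DeviceAuthenticationEnabled
        RequiresRegisteredDevice = [bool]($rp.IssuanceAuthorizationRules   -match [regex]::Escape($IsRegistered))
        MfaOffNetwork            = [bool]($rp.AdditionalAuthenticationRules -match [regex]::Escape($InsideCorp))
        MfaUnregisteredDevice    = [bool]($rp.AdditionalAuthenticationRules -match 'NOT EXISTS')
    }
}

Test-HrPortalAccessPolicy
```

The authorization rule is deliberately a single AND rule rather than two permit rules: two separate permits would let either condition alone grant access. Test-HrPortalAccessPolicy should report $true for all four fields; a $false on DeviceAuthOnFarm means the device rules can never match, because the isregistereduser claim is never produced.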

Quote on Enterprise Architecture!

“Most of us who come from IT today are thinking of building and running systems and not about engineering and manufacturing enterprises. My argument here is that the end objective is to engineer and manufacture the enterprise, not simply to build and run systems” – John Zachman, Inventor of Enterprise Architecture

Preliminary Phase – TOGAF 9

[Preliminary Phase]

Preliminary Phase describes the preparation and initiation activities required to meet the business directive for a new enterprise architecture, including the definition of an Organization-Specific Architecture framework and the definition of principles.


Figure: Preliminary Phase

Preliminary Phase – Objectives:

The objectives of the Preliminary Phase are:

  1. Determine the Architecture Capability desired by the organization:
    • Review the organizational context for conducting enterprise architecture
    • Identify and scope the elements of the enterprise organizations affected by the Architecture Capability
    • Identify the established frameworks, methods, and processes that intersect with the Architecture Capability
    • Establish Capability Maturity target
  2. Establish the Architecture Capability:
    • Define and establish the Organizational Model for Enterprise Architecture
    • Define and establish the detailed process and resources for architecture governance
    • Select and implement tools that support the Architecture Capability
    • Define the Architecture Principles

Preliminary Phase – Approach:

This Preliminary Phase is about defining “where, what, why, who, and how we do architecture” in the enterprise concerned. The main aspects are as follows:

  • Defining the enterprise
  • Identifying key drivers and elements in the organizational context
  • Defining the requirements for architecture work
  • Defining the Architecture Principles that will inform any architecture work
  • Defining the framework to be used
  • Defining the relationships between management frameworks
  • Evaluating the enterprise architecture maturity

Preliminary Phase – Inputs:

This section defines the inputs to the Preliminary Phase.

Reference Materials External to the Enterprise

  • TOGAF
  • Other architecture framework(s), like Zachman or others, if required

Non-Architectural Inputs

  • Board strategies and board business plans, business strategy, IT strategy, business principles, business goals, and business drivers, when pre-existing
  • Major frameworks operating in the business; e.g., portfolio/project management
  • Governance and legal frameworks, including architecture governance strategy, when pre-existing
  • Architecture capability
  • Partnership and contract agreements

Architectural Inputs

Pre-existing models for operating an enterprise Architecture Capability can be used as a baseline for the Preliminary Phase. Inputs would include:

Organizational Model for Enterprise Architecture (see Organizational Model for Enterprise Architecture), including:

  • Scope of organizations impacted
  • Maturity assessment, gaps, and resolution approach
  • Roles and responsibilities for architecture team(s)
  • Budget requirements
  • Governance and support strategy

Existing Architecture Framework, if any, including:

  • Architecture method
  • Architecture content
  • Configured and deployed tools
  • Architecture Principles
  • Architecture Repository

Preliminary Phase – Steps:

The TOGAF ADM is a generic method, intended to be used by a wide variety of different enterprises, and in conjunction with a wide variety of other architecture frameworks, if required. The Preliminary Phase therefore involves doing any necessary work to initiate and adapt the ADM to define an organization-specific framework.

The order of the steps in the Preliminary Phase (see below) as well as the time at which they are formally started and completed should be adapted to the situation at hand in accordance with the established architecture governance.

The steps within the Preliminary Phase are as follows:

Preliminary Phase – Outputs:

The outputs of the Preliminary Phase may include, but are not restricted to:

Organizational Model for Enterprise Architecture (see Organizational Model for Enterprise Architecture), including:

  • Scope of organizations impacted
  • Maturity assessment, gaps, and resolution approach
  • Roles and responsibilities for architecture team(s)
  • Constraints on architecture work
  • Budget requirements
  • Governance and support strategy

Tailored Architecture Framework (see Tailored Architecture Framework), including:

  • Tailored architecture method
  • Tailored architecture content (deliverables and artifacts)
  • Architecture Principles (see Architecture Principles)
  • Configured and deployed tools

Initial Architecture Repository (see Architecture Repository), populated with framework content

Restatement of, or reference to, business principles, business goals, and business drivers (see Business Principles, Business Goals, and Business Drivers)

Request for Architecture Work (optional) (see Request for Architecture Work)

Architecture Governance Framework (see Architecture Governance Framework)

Architecture Development Method (ADM) – TOGAF 9

[Architecture Development Method (ADM) cycle, adapting the ADM, architecture scope, and architecture integration]

ADM Overview

The TOGAF (The Open Group Architecture Framework) ADM (Architecture Development Method) is the result of continuous contributions from a large number of architecture practitioners. It describes a method for developing and managing the lifecycle of an enterprise architecture, and forms the core of TOGAF. It integrates elements of TOGAF framework as well as other available architectural assets, to meet the business and IT needs of an organization.

The TOGAF ADM defines a recommended sequence for the various phases and steps involved in developing an architecture, but it cannot recommend a scope – this has to be determined by the organization itself, bearing in mind that the recommended sequence of development in the ADM process is an iterative one, with the depth and breadth of scope and deliverables increasing with each iteration. Each iteration will add resources to the organization’s Architecture Repository.

The ADM, Enterprise Continuum, and Architecture Repository

The Enterprise Continuum provides a framework and context to support the leverage of relevant architecture assets in executing the ADM. These assets may include architecture descriptions, models, and patterns taken from a variety of sources, as explained in Enterprise Continuum & Tools.

The Enterprise Continuum categorizes architectural source material – both the contents of the organization’s own enterprise repositories and the set of relevant, available reference models and standards in the industry.

The practical implementation of the Enterprise Continuum will typically take the form of an Architecture Repository (see Architecture Repository) that includes reference architectures, models, and patterns that have been accepted for use within the enterprise, and actual architectural work done previously within the enterprise. The architect would seek to re-use as much as possible from the Architecture Repository that was relevant to the project at hand. (In addition to the collection of architecture source material, the repository would also contain architecture development work-in-progress.)

The criteria for including source materials in an organization’s Architecture Repository will typically form part of the enterprise architecture governance process. These governance processes should consider available resources both within and outside the enterprise in order to determine when general resources can be adapted for specific enterprise needs and also to determine where specific solutions can be generalized to support wider re-use.

While using the ADM, the architect is developing a snapshot of the enterprise’s decisions and their implications at particular points in time. Each iteration of the ADM will populate an organization-specific landscape with all the architecture assets identified and leveraged through the process, including the final organization-specific architecture delivered.

“Architecture development is a continuous, cyclical process, and in executing the ADM repeatedly over time, the architect gradually adds more and more content to the organization’s Architecture Repository. Although the primary focus of the ADM is on the development of the enterprise-specific architecture, in this wider context the ADM can also be viewed as the process of populating the enterprise’s own Architecture Repository with relevant re-usable building blocks taken from the “left”, more generic side of the Enterprise Continuum”

In fact, the first execution of the ADM will often be the hardest, since the architecture assets available for re-use will be relatively scarce. Even at this stage of development, however, there will be architecture assets available from external sources such as TOGAF, as well as the IT industry at large, that could be leveraged in support of the effort.

Subsequent executions will be easier, as more and more architecture assets become identified, are used to populate the organization’s Architecture Repository, and are thus available for future re-use.

The ADM and the Foundation Architecture

The ADM is also useful to populate the Foundation Architecture of an enterprise. Business requirements of an enterprise may be used to identify the necessary definitions and selections in the Foundation Architecture. This could be a set of re-usable common models, policy and governance definitions, or even as specific as overriding technology selections (e.g., if mandated by law). Population of the Foundation Architecture follows similar principles as for an enterprise architecture, with the difference that requirements for a whole enterprise are restricted to the overall concerns and thus less complete than for a specific enterprise.

ADM and Supporting Guidelines and Techniques

ADM Guidelines and Techniques is a set of resources – guidelines, templates, checklists, and other detailed materials – that support application of the TOGAF ADM.

Architecture Development Cycle

Key Points

The following are the key points about the ADM:

The ADM is iterative, over the whole process, between phases, and within phases (see Applying Iteration to the ADM). For each iteration of the ADM, a fresh decision must be taken as to:

  • The breadth of coverage of the enterprise to be defined
  • The level of detail to be defined
  • The extent of the time period aimed at, including the number and extent of any intermediate time periods
  • The architectural assets to be leveraged, including:
    • Assets created in previous iterations of the ADM cycle within the enterprise
    • Assets available elsewhere in the industry (other frameworks, systems models, vertical industry models, etc.)

These decisions should be based on a practical assessment of resource and competence availability, and the value that can realistically be expected to accrue to the enterprise from the chosen scope of the architecture work.

As a generic method, the ADM is intended to be used by enterprises in a wide variety of different geographies and applied in different vertical sectors/industry types. As such, it may be, but does not necessarily have to be, tailored to specific needs.

Basic Structure

The basic structure of the ADM is shown in the diagram below:

Throughout the ADM cycle, there needs to be frequent validation of results against the original expectations, both those for the whole ADM cycle, and those for the particular phase of the process.


Figure: Architecture Development Cycle

The phases of the ADM cycle are further divided into steps; for example, the steps within the architecture development phases (B, C, D) are as follows:

  • Select – reference models, viewpoints, and tools
  • Develop – Baseline Architecture Description
  • Develop – Target Architecture Description
  • Perform – gap analysis
  • Define – candidate roadmap components
  • Resolve – impacts across the Architecture Landscape
  • Conduct – formal stakeholder review
  • Finalize – the Architecture
  • Create – Architecture Definition Document

The Requirements Management phase is a continuous phase which ensures that any changes to requirements are handled through appropriate governance processes and reflected in all other phases.

An enterprise may choose to record all new requirements, including those which are in scope of the current Statement of Architecture Work through a single Requirements Repository.

Adapting the ADM

The ADM is a generic method for architecture development, which is designed to deal with most system and organizational requirements. However, it will often be necessary to modify or extend the ADM to suit specific needs. One of the tasks before applying the ADM is to review its components for applicability, and then tailor them as appropriate to the circumstances of the individual enterprise. This activity may well produce an “enterprise-specific” ADM.

One reason for wanting to adapt the ADM, which it is important to stress, is that the order of the phases in the ADM is to some extent dependent on the maturity of the architecture discipline within the enterprise –

For example, if the business case for doing architecture at all is not well recognized, then creating an Architecture Vision is almost always essential; and a detailed Business Architecture often needs to come next, in order to underpin the Architecture Vision, detail the business case for remaining architecture work, and secure the active participation of key stakeholders in that work. In other cases a slightly different order may be preferred; for example, a detailed inventory of the baseline environment may be done before undertaking the Business Architecture.

The order of phases may also be defined by the architecture principles and business principles of an enterprise.

For example, the business principles may dictate that the enterprise be prepared to adjust its business processes to meet the needs of a packaged solution, so that it can be implemented quickly to enable fast response to market changes. In such a case, the Business Architecture (or at least the completion of it) may well follow completion of the Information Systems Architecture or the Technology Architecture.

Another reason for wanting to adapt the ADM is if TOGAF is to be integrated with another enterprise framework (as explained in Using TOGAF with Other Frameworks).

For example, an enterprise may wish to use TOGAF and its generic ADM in conjunction with the well-known Zachman Framework, or another enterprise architecture framework that has a defined set of deliverables specific to a particular vertical sector: Government, Defense, e-Business, Telecommunications, etc. The ADM has been specifically designed with this potential integration in mind.

Other possible reasons for wanting to adapt the ADM include:

  • The ADM is one of the many corporate processes that make up the corporate governance model. It is complementary to, and supportive of, other standard program management processes, such as those for authorization, risk management, business planning and budgeting, development planning, systems development, and procurement.
  • The ADM is being mandated for use by a prime or lead contractor in an outsourcing situation, and needs to be tailored to achieve a suitable compromise between the contractor’s existing practices and the contracting enterprise’s requirements.
  • The enterprise is a small-to-medium enterprise, and wishes to use a “cut-down” method more attuned to the reduced level of resources and system complexity typical of such an environment.
  • The enterprise is very large and complex, comprising many separate but interlinked “enterprises” within an overall collaborative business framework, and the architecture method needs to be adapted to recognize this. Different approaches to planning and integration may be used in such cases, including the following (possibly in combination):
    • Top-down planning and development – designing the whole interconnected meta-enterprise as a single entity (an exercise that typically stretches the limits of practicality)
    • Development of a “generic” or “reference” architecture, typical of the enterprises within the organization, but not representing any specific enterprise, which individual enterprises are then expected to adapt in order to produce an architecture “instance” suited to the particular enterprise concerned.
    • Replication – developing a specific architecture for one enterprise, implementing it as a proof-of-concept, and then taking that as a “reference architecture” to be cloned in other enterprises.
  • In a vendor or production environment, a generic architecture for a family of related products is often referred to as a “Product Line Architecture” and the analogous process to that outlined above is termed “(Architecture-based) Product Line Engineering”. The ADM is targeted primarily at architects in IT user enterprises, but a vendor organization whose products are IT-based might well wish to adapt it as a generic method for a Product Line Architecture development.

Architecture Governance

The ADM, whether adapted by the organization or used as documented here, is a key process to be managed in the same manner as other architecture artifacts classified through the Enterprise Continuum and held in the Architecture Repository. The Architecture Board should be satisfied that the method is being applied correctly across all phases of an architecture development iteration. Compliance with the ADM is fundamental to the governance of the architecture, to ensure that all considerations are made and all required deliverables are produced.

The management of all architectural artifacts, governance, and related processes should be supported by a controlled environment. Typically this would be based on one or more repositories supporting versioned object and process control and status.

The major information areas managed by a governance repository should contain the following types of information:

Reference Data (collateral from the organization’s own repositories/Enterprise Continuum, including external data; e.g., COBIT, ITIL): Used for guidance and instruction during project implementation. This includes the details of information outlined above. The reference data includes a description of the governance procedures themselves.

Process Status: All information regarding the state of any governance processes will be managed; examples of this include outstanding compliance requests, dispensation requests, and compliance assessments investigations.

Audit Information: This will record all completed governance process actions and will be used to support:

  • Key decisions and responsible personnel for any architecture project that has been sanctioned by the governance process
  • A reference for future architectural and supporting process developments, guidance, and precedence

The governance artifacts and process are themselves part of the contents of the Architecture Repository.

Scoping the Architecture

There are many reasons to constrain (or restrict) the scope of the architectural activity to be undertaken, most of which relate to limits in:

  • The organizational authority of the team producing the architecture
  • The objectives and stakeholder concerns to be addressed within the architecture
  • The availability of people, finance, and other resources

The scope chosen for the architecture activity should ideally allow the work of all architects within the enterprise to be effectively governed and integrated. This requires a set of aligned “architecture partitions” that ensure architects are not working on duplicate or conflicting activities. It also requires the definition of re-use and compliance relationships between architecture partitions.

Four dimensions are typically used in order to define and limit the scope of an architecture:

Breadth: What is the full extent of the enterprise, and what part of that extent will this architecting effort deal with?

  • Many enterprises are very large, effectively comprising a federation of organizational units that could validly be considered enterprises in their own right.
  • The modern enterprise increasingly extends beyond its traditional boundaries, to embrace a fuzzy combination of traditional business enterprise combined with suppliers, customers, and partners.

Depth: To what level of detail should the architecting effort go? How much architecture is “enough”? What is the appropriate demarcation between the architecture effort and other, related activities (system design, system engineering, system development)?

Time Period: What is the time period that needs to be articulated for the Architecture Vision, and does it make sense (in terms of practicality and resources) for the same period to be covered in the detailed architecture description? If not, how many Transition Architectures are to be defined, and what are their time periods?

Architecture Domains: A complete enterprise architecture description should contain all Four Architecture Domains (Business, Data, Application, Technology), but the realities of resource and time constraints often mean there is not enough time, funding, or resources to build a top-down, all-inclusive architecture description encompassing all four architecture domains, even if the enterprise scope is chosen to be less than the full extent of the overall enterprise.

Typically, the scope of architecture is first expressed in terms of breadth, depth, and time. Once these dimensions are understood, a suitable combination of architecture domains can be selected that are appropriate to the problem being addressed. Techniques for using the ADM to develop a number of related architectures are discussed in Applying the ADM across the Architecture Landscape.

The four dimensions of architecture scope are explored in detail below. In each case, particularly in large-scale environments where architectures are necessarily developed in a federated manner, there is a danger of architects optimizing within their own scope of activity, instead of at the level of the overall enterprise. It is often necessary to sub-optimize in a particular area, in order to optimize at the enterprise level. The aim should always be to seek the highest level of commonality and focus on scalable and re-usable modules in order to maximize re-use at the enterprise level.

Architecture Integration

Architectures that are created to address a subset of issues within an enterprise require a consistent frame of reference so that they can be considered as a group as well as point deliverables. The dimensions that are used to define the scope boundary of a single architecture (e.g., level of detail, architecture domain, etc.) are typically the same dimensions that must be addressed when considering the integration of many architectures. Figure below illustrates how different types of architecture need to co-exist.

At the present time, the state of the art is such that architecture integration can be accomplished only at the lower end of the integratability spectrum. Key factors to consider are the granularity and level of detail in each artifact, and the maturity of standards for the interchange of architectural descriptions.


Figure: Integration of Architecture Artifacts
