1 Architecture: DTAP - Generic Pattern Applications Infrastructure: SAS / DBMS / file transfer –...
-
Upload
lizette-barry -
Category
Documents
-
view
222 -
download
2
Transcript of 1 Architecture: DTAP - Generic Pattern Applications Infrastructure: SAS / DBMS / file transfer –...
1
Architecture: DTAP - Generic Pattern
Applications
Infrastructure: SAS / DBMS / file transfer – Middleware
D T A P
D T A P
Infrastructure: OS / Network / Security - Base level
D T A P
D T A P
Every artifact has is own Life-cycle
So still not all, we end up with a very lot of D,T,AP’s
Segregation Application:Consequence of Security
• Business Logic • Business Data
ApplicationsMirrors
D T
D T A P
Segregation Infrastructure:• Middleware • Base LevelConsequence of Behavior
Time Lifecycle
IT DT AC PB
PF
IT
Configuration: DTAP Bu’s appl
Configuration: DTAP Infra Base
Logical Machines
Configuration
-
Business / IT Infrastructure
Configuration
Appv1n6
B
Infrastructure
SAS / DBMS / file transfer – Middleware
2
Appv1n6
MF
B
Infrastructure
OS / Network / Security - Base level
I1
S
Architecture: SAAS - Generic Pattern not just SAS
PBPF
Configuration: Vertical3
Configuration: Infra Base
Business / IT Infrastructure
Configuration
SAS & SAAS
-
Appv3n5
B
S
Appv3n4
B
S
Appv1n3
B
S
Appv1n2
B
S
Appv1n1
B
S S
Appv1n5
B
S
Appv1n4
B
S
Appv2n3
B
S
Appv2n2
B
S
Appv2n1
B
S
Appv2n6
B
S
Appv2n5
B
S
Appv2n4
B
S
Appv3n3
B
S
Appv3n2
B
S
Appv3n1
B
S
I2 I3 I4
Configuration: Vertical2Configuration: Vertical1
Logical Machines
Configuration
MD MSMJ MW
Middleware Base Level]
Supporting multiple verticals multiple business-clients
3
BU application DTAP policy
Business-logic ….So you have build a nice design
What will happen if the production versions has to be changed afterwards.
Beware the dependencies D depend to T
T depend to A
A depend to P
The setup of maintenance DTAP has to rebuild
Business-data ….DTAP environments are not strictly related
Just in case of automated processing you have to take
Applications
D T A P
D T A P
-
D
T
A
P
D
T
A
P
D
T
A
P
D
T
A
P
D T A P
D T A P
RW-(*)
R - -RW-
R - -RW-
R - -RW-
RWX(*)R-X
R-X
R-X
R-X
R-X
R-X
R-X
R-X R-X
4
BU application security
Business-logic ….Approved logic: may be read and executed,
but not updated.
To be able to regression testing higher level must be visible
Beware the requirements at development.
Maintenance BU-Logic (t,a,p visible)
The only environment to change BU logic
Business-data ….According to business needs, possible
actions are read and also update.
Fore testing (A , T) same rules as P
Beware the requirements at development.
Maintenance on DATA structure implies more open access.
Architecture: Securing Bu-application - Generic Pattern not just SAS
Applications
D T A P
D T A P
-
D
T
A
P
D
T
A
P
D
T
A
P
D
T
A
P
D T A P
D T A P
RW-(*)
R - -RW-
R - -RW-
R - -RW-
RWX(*)R-X
R-X
R-X
R-X
R-X
R-X
R-X
R-X R-X
5
BU application security
Securing Business Software: • Every Stage gets its dedicated owner/NPA: <applid>_s<dtap>• Every Stage gets its related group: <applid>_s<dtap>Every relevant BU user is member of the related group
Architecture: Securing Bu-application - Generic Pattern not just SAS
Securing Business Data: • Every Stage gets its dedicated owner/NPA: <applid>_b<dtap>• Every Stage gets its related group: <applid>_b<dtap>Every relevant BU user is member of the related group
Applications
D T A P
D T A P
Behavior security concept: • There is no relationship needed to machines. Segregation is guaranteed.• Accidental mixing of stages business-data is impossible at Server-side.• Can be controlled to detail (RBAC -Soll) in choosing the right Bu-groups.• Change Maintenance must be done by the owner NPA’s.
-
Software Library
6
BU Life Cycle Management
Business Logic SCM
D
D
T
A
P
T PA P
DT DT AC PB PF
-
We focus on how components between the stages and the machines:• are copied == Analyses develop changes required. • Are moved == Concatenation must be possible
Preferred is: concatenation as all analyses requirements are eliminated
Preferred is: shared development as all check’s who is working on something are eliminated
Z
Promote
Delete
Maint
Deploy
Software Library
7
BU Emergency fix / parallel development
E-fix - U V W
With more work parallel executing there is need to implements this.
This Life-Cycle figure just zooms in to the developers work.The goal emergency fix is fixing production as soon as possibleThe goal of U,V,W is bigger projects developing a new future
release
-
D
T
A
P
Z
8
BU DATA Segregation with DTAP
D T PA P
DT DT AC PB PF
-
D T A P
D T A P
General Company’s network - intranet
9
BU DATA Segregation with DTAP
Requirements Network Needed with SCM • Network must allow connections (Life Cycle Management)
-
Common design/architecture mistakes leading to failures:• Trying to indicate the iron-boxes into D,T,A,P • Not taking having noticed the possible networked interconnections• Supposing that different roles always are done by different people• No notice of the requirements with outsourcing contracts
Requirements Network Needed with Business data • Network must not allow connections of different stages
Solution: • The session/processes for an BU-application must be
DTAP aware. Both for BU-Logic and BU-Data.• With this awareness is must not be possible by the
users (business) to pass into forbidden areas.
Applications
D T A P
D T A P
10
Data Exchange, getting your data
-
D T PA P
DT DT AC PB PF
SAS Meta: Lev4 SASMeta Lev2 Meta Lev1 Meta Lev1 SAS Meta: Lev3
D T A P
D T A P
General Company’s network - intranet
Segregated Definitions
Segregated Keys access
An user (business) is not allowed to define his own connections. All is predefined
11
The SH team (SAS Hosting – middleware support) takes care of:
• Defining Physical locations of the Business data and logic It is implemented by a script.
• Defining the logical connections (libname filename) and other settings and options in favor of the businessIt is implemented by a variety of tasks.
• Helps the Business to get all the IT requirements organized.This requires al lot of time and effort because of the tremendous complexity with ING’s internal processes and procedures. To mention A_Soll Itram ABP LPAD CSD ITIM RBAC and all the service-partners Atos Logica KPN HP.
Define, Support & Configuration TI<->Business
To be able to do this, the administrator SH-team must be authorized to use the BU: NPA data-owner (SUDO) <applid>_b<dtap>. NPA logic-owner (SUDO) <applid>_s<dtap>.There are more situations like this where SH-team is using these BU NPA’sSegregation responsibility in DTAP is implied. Logging actions is implied by SUDO
-
12
Applications
Infrastructure: SAS / DBMS / file transfer – Middleware
D T A P
D T A P
Infrastructure: OS / Network / Security - Base level
D T A P
D T A P
The Middleware Configuration must be designed developed tested and evaluated.• At lower infrastructure level• To the business applications
Segregation Application:Consequence of Security
• Business Logic • Business Data
ApplicationsMirrors
D T
D T A P
Segregation Infrastructure:• Middleware • Base LevelConsequence of Behavior
Time Lifecycle
IT DT AC PB
PF
IT
Configuration: DTAP Bu’s appl
Configuration: DTAP Infra Base
Logical Machines
Configuration
-
Business / IT Infrastructure
Define, Support & Configuration TI<->Business
Configuration: DTAP Infra Base
13
Needed is an crash-dummy like the an business application. Naming edu rcr sec. To be able the configuration to:• Maintain related to configuration• Test behavior the whole chain• Monitor usage dedicated to tool SAS
Define, Support & Configuration TI<->Business
So the applications edu rcr sec are owned by the middleware SH team. They are not part of the middleware but are set up like a business application.
-
Applications
D T A P
D T A P
The security is set up with the 8 NPA’s / groups
There is no real business logic or business data involved
The business impact is that when this work can’t be done isolated, it will influence the business applications directly.