Hybrid Identity Options

March 11, 2019

Today, many corporations are using SaaS applications. Leveraging the cloud can be a better option from both a cost and maintenance standpoint. This post is not about the pros and cons of SaaS, but rather about hybrid identity. Maintaining a common user for on-premise and cloud-based application access is known as hybrid identity.

Using a hybrid identity is beneficial in multiple ways:

  • Allows access — with the same credentials — to both on-premise and cloud-based applications
  • Syncs up joiner/leaver/mover changes between on-premise applications and cloud applications
  • Simplifies use of personal devices to access cloud applications outside the office (if approved and required)

A Common Hybrid Identity Scenario

An organization wants its employees to use the same credentials when accessing both on-premise and cloud-based applications. With Active Directory (AD) as their standard authentication method for those applications, its IT team choses Microsoft Azure as their cloud vendor. To use the same credentials across applications, the on-premise AD must sync up with the Azure AD. This is done with Azure AD Connect.

With an Azure subscription and Azure AD configured, Azure AD Connect is installed on-premise and connects to both the on-premise AD and the Azure AD. It is configured to sync one way (on-premise to Azure) or two-way.

Here is a logical representation:

Hybrid Identity logical diagram

The AD Sync Service in AD Connect will keep Azure AD in sync with the on-premise AD. A built-in scheduler controls the frequency of these syncs.

Two Simple Hybrid Identity Implementation Options

Azure AD Password Hash Synchronization In this option, AD domain data and the on-premise password hash are uploaded to Azure AD. Cloud-based applications can then authenticate with Azure AD, and on-premise applications can continue to be authenticated using the local AD.

Azure Active Directory Passthrough Authentication In this option, passwords are not synced to Azure. When a user attempts to sign into a cloud-based application, Azure encrypts the entered password with a public key, and places the username and encrypted password in an Azure queue. The on-premise Authentication Agent listens to the queue and receives the queued credentials. It decrypts the password with a private key and validates the credentials against the on-premise AD. It then responds to Azure AD with the results. This option is best when there are security rules or concerns with storing the password off-premise.

There are several advantages to these two methods:

  • They have a small on-premise footprint
  • No new servers are needed
  • The only required components are the Azure AD Connect application and the passthrough agent that connects to the queue
  • All connections are outbound to the Azure subscription, so the connection is less of a security concern

Upcoming: I’ll discuss more complex methods to implement hybrid identity — federation and seamless single-sign-on using Azure AD and on-premise AD.

Virtual Machines vs Containers

March 4, 2019

Virtual machines (VM) and containers are similar in concept, but very different in their implementation and use. Conceptually, both allow the running of multiple services on a single platform. Both are quicker and less expensive to deploy than physical servers. And, horizontal scaling is easier since there is no need to spin up and configure new physical infrastructure. That’s where the similarities end.

Virtual Machine Implementation Overview

Virtual machines are akin to software implementations of physical servers, thus virtualizing hardware servers. Many virtual machine instances can run on one physical machine. This is accomplished by a hypervisor.

A hypervisor application creates and maintains the virtual machines. Each VM is allocated CPU, memory, and storage. Each VM also has its own operating system, the Guest OS. VMs with different operating systems can run side by side. Applications that run on a virtual machine don’t see a difference between a VM and a physical server.

Here is a logical view of a virtual machine implementation:

Container Implementation Overview

Containers are run in native OS processes that share the same kernel. These containerized applications package all the required components together, which allows them to be deployed quickly in different environments. My recent Containers blog post goes into more detail on what these are.

Here is a logical view of containers on a server:

Notice that the container instances all share the underlying Host OS.

Here is a quick comparison of containers and virtual machines:

Containers Virtual Machines
Startup Time Seconds Minutes
OS Shares OS Has its own OS
Virtualization OS-Level Hardware
Memory Less is required More is required
Cost Less More

Let’s examine the above comparison traits.

Startup Time is much quicker with containers, mostly due to the virtual machine having its own operating system.

The OS is virtualized for containers. Virtual machines have their own allocated OS and virtualize their underlying hardware. Thus, VMs can run on a server that has different Guest OS types.

Virtualization for a container is a type of operating-system-level virtualization. This is because a program running inside a container does not have access to the underlying operating system. It only has access to what has been allocated to the container. VM is considered hardware virtualization since, looking in from the outside, a VM appears to be a physical server with it’s own CPU, memory and disk.

The memory footprint is smaller for containers. This means a physical server can run more containers than virtual machines.

Cost would normally be less when using containers. One reason is that a container does not require its own Guest OS, and thus, many more containers can run on a host server than on VMs. 

In the end, there are good reasons to use containers and VMs. Both can be supported on-premise or through a cloud-hosting option, such as Amazon, Google, Microsoft, IBM, and others. Both have their uses and related costs. And architects can help inform the appropriate choice.

Containing Your Container Excitement

February 22, 2019

Containers are becoming mainstream as companies aim to cut costs and increase performance. And, with increased use of PaaS (Platform as a Service) offered by vendors such as Microsoft, Amazon and Google, organizations take advantage of built-in support for containers.

So, what are containers?

Containers are a method of operating system virtualization that provides the ability to run an application in resource-isolated processes. Containers can help package an application’s code, configurations, and dependencies into easy-to-use building blocks that deliver environmental consistency, operational efficiency, developer productivity, and version control.

Why use them?

  • Containers help ensure that applications deploy quickly, reliably, and consistently regardless of deployment environment.
  • Containers provide more granular control over resources, and thus improve infrastructure efficiency.

How do they work?

A container engine must be running on a server. This engine manages the containers, and sits on top of the host server OS. It starts and stops the container instances running on the host server. Here is a logical view:

The container engine manages the container instances (eg, the starts and stops).

Container images are read-only template files that describe what the container’s running application will look and act like along with the dependencies such as required libraries and binaries. The container engine uses these image files to create the container instance.

The container instance is the running implementation of the container image. It can be any number of things, such as:

  • Application
  • Service
  • Database

Pros to using Containers

  • Allows easier movement of an application across environments
  • Runs within a process, thus allowing more instances of an application
  • Starts up and scales quickly

Cons to using Containers

  • Security can be a concern, as containers share the OS and kernel
  • Networking access within containers can be more complex

Now what?

Migrating to containers is not for everyone nor for every scenario. Some legacy applications are not easily migrated, and it might makes sense to only move new applications to containers.

Docker and Google Kubernetes are currently two popular container management products. And, if you don’t want to do an on-premise install of the container engine and associated applications, excellent cloud-based container options are available with Microsoft Azure and Amazon AWS.

I’ve only scratched the surface on what containers are. Many tutorials are available; and as with many technologies, you can experiment on your own by either downloading container software or getting a free account on Azure or AWS.

In my next blog post, I’ll describe the differences between containers and virtual machines — it can get confusing since there are similarities.

The Time Dimension in Enterprise Architecture Diagrams

September 4, 2018

Including the time dimension in Enterprise Architecture models enables the modeler to depict the interaction of the events, tasks, and actors depicted in the model in a way that indicates the order of the interactions. There are many diagrams or modeling options to chose from to illustrate timing of events within a system or process.

A few favorites that are helpful in capturing the dynamic artifact-time relationship are:

  • Event Sequence Diagrams
  • Collaboration Diagrams
  • Activity Diagrams

Let’s look at how to capture time in event sequence diagrams. But first, we need to make sure we know the difference between 2-D and 3-D diagrams.

2-D versus 3-D Diagrams

Event sequence diagrams, collaboration diagrams, and activity diagrams stand in contrast to static diagrams such as the system context diagram.

In a previous article, we created use case examples for a fictitious company called ABC Corp. ABC Corp provides services to a customer who needs to log into a system and provide personal information to complete their customer profile. For the customer to successfully log in, a system administrator must provide login credentials by logging in and manually provisioning the customer.

To expand on this example, assume that there is also a customer service rep who logs into the system to provide services to customers. To represent this diagrammatically, we have several options depending on the goal. As mentioned above, if we wanted to depict a time perspective, then a system context diagram will not work.

As you can see, a system context diagram is two-dimensional; it shows the system artifacts and relationships of the artifacts to the system but makes no reference to the timing of events.

Show Time with Event Sequence Diagrams

Adding a time dimension to diagrams allows for a three-dimensional view of a model. However this does not mean you are adding hours and minutes, but rather you are adding a sequence to the activities.

Let’s take the ABC Corp example. In this example, we can show how rendering services is represented when a time sequence is added to a diagram. To illustrate, we will use the event sequence diagram.  Since event sequence diagrams are typically done from one user perspective at a time, we will start with the system admin. In the sample event sequence diagram below, you can see the sequential execution of each activity as the system admin interacts with the system. Each step in the process flow is accounted for and its occurrence within the sequence is known.

Similarly, for the customer, the event sequence diagram would look something like this:

Let’s explore the last perspective of the customer service rep.

In comparison to the system context diagram, the event sequence diagram clearly shows when each step in a process occurs and when and why each user is interacting with the system.

Event Sequence Diagram Considerations

One drawback to consider when representing time in a diagram is that a single diagram will, for the most part, contend with the viewpoint of a single actor/stakeholder. Even though it does not show when activities are supposed to take place, the system context diagram has all actors and all possible activities performed on the system on one diagram, whereas the event sequence diagram has to be done from each individual actor’s perspective in order to be effective.

Next Page »