For this week’s “In the News”, research an article that discusses today’s approach to Enterprise Architecture. Specifically, how has a recent organization modified their architecture to meet an acquisition, divestiture, or change in business?
Comments
Oby Okereke says
Asurion Digital Transformation based on Continuous innovation Delivers Quick, Efficient Solutions Tailored to its Customers’ Needs.
_______________________________________________________________________________________________
Asurion, a technology company and a leading provider of mobile device insurance and of warranty and support services for cell phones, consumer electronics, and home appliances, restructured its enterprise architecture model to center primarily on continuous innovation, and this change brought about and promoted the company’s digital transformation to deliver fast solutions that are tailored to support clients’ needs.
The enterprise architecture program based on continuous innovation has helped Asurion’s business to be more customer-led, insight-driven, fast and connected. Asurion’s enterprise architecture team implemented agile Devops methodology using cloud-native tools and breaking down silos between IT and application developers. Essentially the enterprise architecture model helped Asurion in defining the strategies, roadmaps and solutions to embrace the value of the public cloud as well as ensure the protection of Asurion’s infrastructure, applications and data for cloud and Hybrid architectures.
Asurion EA took a pragmatic approach to EA and created what Asurion calls “journey teams” composed of product development and business people set on achieving common business outcomes with shared goals of success in the customer’s context. Asurion’s journey teams are tasked with addressing specific business needs and achieving defined business outcomes. This lets the EA team remain as close as possible to the reality of business, technology, and product development needs.
Asurion started its EA transformation by meticulously assessing its staff and their needs, making significant investments in getting the very best people and providing them with all necessary tools and professional development. In a span of about 24 months, Asurion converted its EA team from one comprised of engineers with traditional commercial off-the-shelf product skills to one firmly rooted in cloud-native development, devops methodology, automation engineering, and data analytics. That prepared EA to lead Asurion’s product and organizational transformation.
Despite the revolutionary advantages of containers, they also come with a host of new challenges.
The EA team laid out a path to break down the core lines of businesses into several discrete capabilities using a methodical business architecture and modeling approach, then transforming that into an IT strategy of building discrete functional blocks using microservices-based architectures deployed in a cloud-first model. The EA team enabled an agile Devops methodology using cloud-native tools.
This let product and development teams quickly build and release features continuously to customers.
The foundation of Asurion’s platforms are loosely-coupled, capability-driven functional microservices. These microservices are exposed as capability-oriented APIs to several consuming channels that drive the digital strategy by meeting their customers where they operate and providing a rich experience.
The result? Enabled by EA-driven changes, Asurion can now connect and mix core lines of business into customizable packages that customers can pick and choose based on their specific needs. Using a cloud-based Devops methodology, the firm can deliver these solutions far more quickly than was possible in the past.
https://www.infoworld.com/article/3309916/the-2018-enterprise-architecture-awards.html?page=2
William Bailey says
As I read your post regarding Asurion, there is discussion about the APIs, and “devops”, which is a software development approach, but in order to do so, Asurion (broke) “down the core lines of businesses into several discrete capabilities using a methodical business architecture and modeling approach, then transforming that into an IT strategy of building discrete functional blocks using microservices-based architectures deployed in a cloud-first model.” The Agile methodologies are used, but the decision to use cloud-first was based on the business architecture, with the architecture supporting the business, rather than the business molding itself to the technology.
Rommel R. Miro says
We have started adopting the principles for Agile methodology at work.
In the article below, it describes how the movement is becoming more instrumental, often requiring cultural shifts where enterprise architects work closely with various stakeholders across the organization.
It talks of how enterprise architects and agile teams should not be working in silos and how their respective approaches should complement each other instead of clash. This works if the enterprise architects are actually part of or embedded in the agile teams and with common or homogenized strategic goals and objectives, wherever possible.
https://www.cio.com/article/3397089/the-enterprise-architects-ecosystem-in-an-agile-enterprise.html
“Traditional organizations are built around a static, siloed, structural hierarchy, whereas agile organizations are characterized as a network of teams operating in rapid learning and decision-making cycles. Traditional organizations place their governance bodies at their apex, and decision rights flow down the hierarchy; conversely, agile organizations instill a common purpose and use new data to give decision rights to the teams closest to the information. An agile organization can ideally combine velocity and adaptability with stability and efficiency.”
Now, failing fast is not frowned upon and swarming is not a far-fetched idea. Various members from different areas across the organization can get pulled in at a moment’s notice to remove a blockage or address a critical issue, leading to quicker deliverables.
Ahmed A. Alkaysi says
Thanks for sharing, Oby. Adopting DevOps and re-architecting the legacy systems into microservices to better adapt and deliver business needs is as much a cultural change as a technological endeavor. From the article, I felt that the most critical element of this successful shift was “making significant investments in getting the very best people and providing them with all necessary tools and professional development,” allowing Asurion to convert “its EA team from one comprised of engineers with traditional commercial off-the-shelf product skills to one firmly rooted in cloud-native development, devops methodology, automation engineering, and data analytics.” This shows that it wasn’t just about procuring the best tech, it’s really about providing the training, tools, and guidance to the employees.
Steve Pote says
Septa is one of my favorite targets of scrutiny. I trust them to get me places eventually, especially with some planning. As a paradigm shift from collected fares and pay booths as a significant risk to both the conductors and station clerks as well as the cash carrying public, Septa has gone electronic. The Key Cards partner with ~payment card~ tech and a company who has been in that vertical for a long time. You can charge the Key Card much like the Owl Card.
This is great for eliminating cash on the lines but I see Cyber trouble and PCI DSS 12 issues in the dark clouds of Septa’s future.
https://kywnewsradio.radio.com/articles/news/what-do-if-your-septa-key-card-one-nearly-40000-expiring-july
https://www.septakey.org/info/about-septA-key
William Bailey says
Using a card instead of cash reduces some risks, but as you pointed out, processing card payments will require Septa to change their infrastructure in order to support the electronic payment(s). With such a drastic change in infrastructure, what kind of approaches should Septa consider?
Rommel R. Miro says
In the Gartner article “Navigating the Digital Commerce Payment Market”, some of the key points mentioned when considering digital payments include some challenges and recommendations outlined below. Septa or any organization should make sure they have full awareness of who is actually providing the payment processing service and how, in a lot of cases, the flow changes drastically depending on the specific role the vendor is playing.
Challenge: Payment vendors may creatively partner, white-label and otherwise outsource various parts of their technology stack, obfuscating the true provider of these components and further hindering the application leader’s ability to accurately compare vendors.
Recommendation:
Verify the source of any technology you consider using to accept payments. Know whether the technology is built in-house (build), is someone else’s technology being resold (buy), has been integrated (partner), or is some combination of these.
Also, application leaders responsible for digital commerce payments are challenged to compare and contrast various potential vendors, as it is often unclear what technology is being provided and maintained by whom. Gartner has seen an increase in RFP processes in which the same solution is essentially competing against itself under a different brand name; yet the decision maker is unaware of this.
Many digital payment vendors now play multiple roles, and so it can be difficult to determine who is providing and maintaining the underlying technology. Many acquiring banks outsource the actual processing to large, wholesale processors like First Data or TSYS. An independent sales organization (ISO) is often simply selling another company’s solution under its own brand but may look to the untrained eye like an acquirer, a processor or a gateway. Frequently, ISOs do not build any of their own technology, but some providers with deep technology stacks may also be licensed as an ISO. Understanding the roles and asking direct questions of any potential technology provider can help navigate this confusing landscape.
The market shift toward more “all-in-one” providers often results in reduced transparency into the fees charged by each provider in the value chain. Some providers offer all-inclusive pricing that may include not only the gateway, processing and acquiring, but also fraud detection, conversion optimization, hosted payment pages and tokenization, recurring billing and more. These types of providers are difficult to compare on an apples-to-apples basis with providers that offer line item “a la carte” pricing. All-inclusive pricing will likely appear more expensive at first glance, but needs to be comprehensively modeled with all line items factored in to create a meaningful cost comparison. Many enterprise-class providers offer services to consume data about your historical activity and fees from your previous provider and create a pro forma cost model based on the fee schedule being proposed for your business.
https://www.gartner.com/document/3901573?ref=solrAll&refval=223638363&qid=ae309a94a180ba846f34ad2
Scott Radaszkiewicz says
Kaspersky Announces New Branding, Mission Statement
https://www.securityweek.com/kaspersky-announces-new-branding-mission-statement?fbclid=IwAR2uSkJW79Bqx-E2wpLefA_H4HYeaFSht8cU9ETxFWiOxB7-yewq61eP04E
I found this article very interesting. Kaspersky was once one of the leading technology security companies in the world. Kaspersky Labs was founded in Russia. Suggested ties to the Russian government and concerns that the company has worked with the Russian Federal Security Service in helping them with their espionage have tarnished the name of the company. So much so, that the software has been banned by the United States Department of Homeland Security, and can’t be installed on any government devices.
This re-branding attempt is Kaspersky’s hope to distance itself from these past allegations. The new logo, to me looks softer, a stark contrast from the hard looking font prior. The old logo, almost looking Cyrillic in nature. The new logo, a contrast, moving away from the Russian roots.
I’m curious to see how this works, if at all. My personal opinion is the name Kaspersky is the major flaw now. Any re-branding that took place, in my opinion, would have to involve a name change, not just a new mission statement and logo. Time will tell if this changes anything.
Elizabeth V Calise says
I think it is going to take a very, very long time for Kaspersky to come back from this. I think it would be different if Kaspersky experienced a breach or some other event that would tarnish its reputation because most companies can come back from that by improving controls, etc. Kaspersky has been accused of helping the Russian Federal Service with espionage. I would be surprised if they will ever get back on track and I do not see the US allowing their software use any time soon.
A new logo is not going to fix this. I could not agree with you any more, Scott. They will have to “start from the beginning” if they want to have trust again. I do not see them making any progress and they will continue to be stuck unless they decide to make the drastic changes that are required. That may not even be enough.
Elizabeth V Calise says
Humana: Architecting for Change
Over the years, Humana has transformed from a health insurance company into a combination of more than 40 companies and business units. Also, the health care industry has been subject to regulatory changes with a shift in the way customers purchase and interact with health care services. In response, Humana has been growing through M&A and BD, launching of new LOB and subsidiaries.
This transformation demanded an enterprise architecture strategy to deliver on the new business strategy. The company identified synergies across the focus areas, which became the foundation of a Future State Architecture (FSA). The FSA is compiled of business domains, data subjects, systems, and services that enable a business competency.
IT Leadership observed the value of the FSA and the challenges and responded by aligning the IT operating model organizationally with the FSA.
Transformational initiatives require culture change. To drive the change and to ensure success of the IT strategy and the FSA, the EA was embedded into the IT leadership and helped make the architectural approach more strategic. To drive this forward, Humana educated teams on embracing transitional architecture.
To make the FSA actionable, Humana established a centralized enterprise integration competency within EA. This enabled EA to provide a reference architecture through integration patterns, standards, and guidance.
Humana believes “Enterprise Architecture” is a verb and a noun.
https://www.infoworld.com/article/3121107/the-2016-enterprise-architecture-awards.html
Brock Donnelly says
I’m sorry but I chose to go rogue this week. While this article isn’t directly about architecture change, it will most likely be the cause of new policies or controls. Quest Diagnostics just announced the data breach of 12 million patient records. Have you used Quest for a blood test? Millions have and now their financial data, Social Security numbers, and medical information will be the next stolen dataset to be auctioned off on the black market. The breach was the result of billing services being outsourced to the second power.
“The breach happened through a contractor of a contractor, Quest outsource billing services to Optum360, which in turn using American Medical Collection Agency(AMCA) to handle that service.”
How is that for service? Hire one company who enlists another to do the same service. I realize this scenario is not uncommon but clearly a review of controls is needed for Quest as well as third party vendor agreements.
Quest is quoted saying, “Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information…” I believe that but I’m sorry the cat is out of the bag. This breach will have repercussions, most likely financial and if Quest is out for their best interest they will make changes in who they trust. Quest should inspect their administrative controls, intrusion detection systems, and logs for modifications or changes necessary to prevent such a breach in the future.
https://gbhackers.com/quest-diagnostics-data-breach/
Elizabeth V Calise says
Brock,
I appreciate this share and update since I have gone to Quest numerous times for blood work, etc. I could not agree with you more on your opinion towards this breach. What irritates me the most (more so because I could be one of the 12 million) is that better controls were not in place knowing you are outsourcing your billing services. When the data involves an individual’s SSN, financial data, medical information…I do not understand why the outsourcing was not more closely looked at or their controls.
Is it not possible for them to outsource this? I know outsourcing is big, but I just think there are some things a company should not be outsourcing especially with PII, sensitive data, etc. I may have this mindset because of who I work for, but I work for a company where I can’t think of one thing off the top of my head where a service is outsourced. We try to minimize that as much as possible.
Sheena L. Thomas says
Did you hear that LabCorp had a breach as well, from the same 3rd party vendor that was used by Quest Diagnostic? Hopefully, both Lab companies made sure American Medical Collection Agency (AMCA) had cyber insurance. I wonder if they performed yearly IT Security Audits? It’s unfortunate that both breaches were caused by a 3rd party vendor, but everyone is only paying attention to the Labs where their PII is stored.
Sadly, I use LabCorp. They have all of my family’s PII, along with my credit card information. I never stored my credit card but I used the system to pay LabCorp bills. Breaches are becoming so common, I wonder if the general public is getting immune to these reports?
Elizabeth V Calise says
Hi Sheena,
I did not hear LabCorp was breached recently. Wondering if that third party will be getting any backlash due to being the cause for two breaches. From your personal experience/comments, I was thinking about when the hospital I go to bills me and as the norm, you can pay online or by phone. I remember going to the website on my work laptop and getting the notification that the website is insecure. I have paid online in the past, but now call them via phone to make my payments.
I am not sure if calling them on the phone is going to prevent anything but the insecure website threw up a red flag for me.
Ahmed A. Alkaysi says
https://techcrunch.com/2019/06/02/google-cloud-is-down-affecting-numerous-applications-and-services/
Although not an article specific to an organization changing its enterprise architecture, I still believe it is relevant to the topic. If you haven’t heard already, a couple of days ago, Google Cloud experienced an outage that took down many critical applications. These applications included Gmail, Nest, Discord, and other Gsuite services. This news is important not just because many of the popular apps reside on Google Cloud, but because many organizations are in the process of re-architecting their systems by migrating much of the data to the cloud, as well as breaking the monolith (legacy code) into microservices and hosting them in the cloud.
These organizations might think by migrating to the Cloud, they will automatically have maximum availability and resiliency. However, that is further from the truth. It is still important to have an architecture strategy for the cloud, which includes implementing load balancers, multiple instances of the application across multiple availability zones, and backup servers/databases, as you would have in an on-prem solution. Organizations should also define a BCP strategy and plan a contingency in case the cloud goes down, like what happened at Google.
Sheena L. Thomas says
I totally agree with you: “These organizations might think by migrating to the Cloud, they will automatically have maximum availability and resiliency”. But we have to understand that outages will happen, whether in the cloud or on prem. Backups and redundancy are still critical to our infrastructure. Our group was trying to work on the Risk Assessment when Google had its outage. We were definitely affected and didn’t have a backup plan.
Frederic D Rohrer says
A pen-tester’s nightmare
Source: https://threader.app/thread/1063423110513418240
This article is a chronological encounter that a penetration tester had with a client with the most secure infrastructure that the tester had ever seen. Although this article is not written by an established journalist and is written very informally, it perfectly describes how and why a hacker takes some steps and which architecture can protect against it.
Key takeaways for defensive architecture are these:
– Least Privilege Model
– Least Access Model
– MultiFactor Authentication
– Simple Anomaly Rule Fires
– Defense in Depth
One major takeaway is that often the simplest rule is the most reliable one. In this case, knowing what your employees usually use and looking for the smallest discrepancy is what protected this company.
Scott Radaszkiewicz says
Frederic,
I replied to this, but didn’t see it post, so here it goes again. Loved reading this. It shows what a hacker would actually go through from his/her eyes. And I love the statement: “80% of my job is user error, 56% is skill, 63% is adaptability, 90% is abusing “features”, and a solid 80% is luck.” We always hear that employees are the biggest risk to any organization, and it shows in this example. Propping doors open, etc. But then too, I see proper training of staff in effect. The lady, when she noticed something odd, notified IT staff right away and they were able to find the suspect. It’s a great story. But scary how many things we must worry about to cover an organization securely.
Duy Nguyen says
Many big retailers are deploying more and more self-checkout terminals without considering the risks associated with the change in architecture. While there are many benefits to implementing self-checkout processes, such as reduced labor cost and quicker checkout time, there are many vulnerabilities in these POS that can be exploited. Many organizations that have already deployed this kiosk technology are still reluctant to further invest in its security.
https://www.kioskmarketplace.com/articles/how-vulnerable-are-kiosks-to-hacking/
Dima Dabbas says
Duy,
Interesting example. Indeed, self checkout makes it more convenient for users to checkout but it poses additional risks that retailers may not have taken into consideration. There is the potential for increased thefts since there is no human contact. Also, the self checkout machines may be more expensive than the regular machines. Organizations need to consider all the risks that self checkouts pose before introducing these machines to the users (customers).
Dima Dabbas says
Why Do We Need Enterprise Architecture in Digital Transformation?
https://iasaglobal.org/why-do-we-need-enterprise-architecture-in-digital-transformation/
This article discusses how organizations need to focus on their enterprise architecture to meet their business objectives and goals. This article shows the differences between organizations implementing an enterprise architecture and organizations that do not have one. Before implementing an enterprise architecture, there is the constant need for IT development and support which requires the existence of money and resources without organizations focusing on the idea of how these new developments support the business mission of the organization. The non-existence of an enterprise architecture creates a disconnect between IT and business. It is hard to keep track of the changes and IT begins to become a hurdle to the business as any changes or upgrades to applications, software can affect the whole IT environment and impact the business continuity. An enterprise architecture aims at helping IT and the operational groups work and communicate together to achieve the mission and goals of the organization. An enterprise architecture maps out the enterprise design towards understanding the business value and it helps in troubleshooting and tracing back any issues that occur within the organization. It also takes the necessary steps to adjust the enterprise architecture to address any issues that occurred within the organization.
Oby Okereke says
Hi Dima:
Reading through your article summary, I quickly picked on a very key statement which thus states “the non-existence of an enterprise architecture creates a disconnect between IT and the business”. You couldn’t have said it any better. EA occupies a center point of most organizations’ business strategies, missions and objectives; thus successful organizations initiate an EA structure rather than operate on a free-wheel basis or even deviate from agreed-on plans as stated in the EA. A good example of an organization that failed is Nokia – Nokia’s failure can be traced to so many factors inclusive of a disjointed EA, strategic stasis as well as dysfunctional organization structure.
Jonathan Duani says
Instead of finding a specific company that is doing something, I found a rather interesting article that explains an overall picture of the cybersecurity aspects of mergers and acquisitions. I think it is really important to understand the different things that can happen during a merger that affect different things in cybersecurity. The biggest thing is inherited problems. These are problems that affect a company before the merger or acquisition. They do not go away when a company is purchased and need to be dealt with. If the proper due diligence is done during the merger it should not be as big of a problem. The next thing I found was that it could mess with the value of a company, where a hack could be taking place during the merger and the company losing value even while the documents are being signed. Again, making sure everything is legit before going through with it would help mitigate the risk. Finally there is contamination. If a company merges or another company buys another one and that other company is infected, then they can pass these viruses onto another company. It is important to make sure everything is in order and clean before the merging happens.
Link: https://securityboulevard.com/2019/03/you-need-to-know-how-cybersecurity-affects-mergers-and-acquisitions/
Sheena L. Thomas says
There were many major acquisitions 2018/2019 such as
IBM acquisition of Red Hat
Microsoft acquisition of GitHub
Broadcom acquisition of CA Technologies
SAP acquisition of Qualtrics
I am sure each of these acquisitions came with some type of merge of data, infrastructure and possible physical location. However, I couldn’t find out specifics of the acquisitions above besides how much each company paid for the acquisitions.
Temple University merged with Apple to develop OwlCard Mobile. According to Temple News, “Current student, faculty or staff member, you can now set up and use your Temple ID OWLcard in Apple Wallet for your iPhone and/or Apple Watch. OWLcard Mobile is also available for Android. OWLcard Mobile works just like your current OWLcard. Show or tap your phone/watch on the Main and Ambler campuses for building access, meal plans, Diamond Dollars, Recreation Services, printing, entry to front door residence halls and residence hall laundry.” During this partnership/merge the identity mgmt team and security department had to figure out how to enable multi-factor authentication before the users can set up their mobile owl card. The blackboard team had to work closely with Apple to make sure the proper infrastructure was in place for both Apple (iPhone) and Android users.
https://finance.temple.edu/owlcard-access-and-identification/owlcard-mobile%C2%A0
Dima Dabbas says
Sheena,
Temple merging with Apple to implement the OwlCard Mobile was a great move for Temple but it required understanding the enterprise architecture to confirm that only authorized current students, faculty and staff could use it to gain access to Temple buildings. This requires the collaboration of the appropriate teams in this case, the identity management and the security team to make sure that only authenticated users are able to use this OwlCard Mobile app. The internal teams within Temple worked together as well as with Apple to make sure that the users despite which type of phone they had would be able to use this app and gain access to Temple’s buildings.