Note: This is the second post in my Freedom within a Framework series, which is about enabling the coexistence of enterprise and opportunistic applications. You can read the introductory post here.

As I stated in my introductory post, I believe that it is possible to achieve a balance between the need for stability in enterprise applications, and the need for quick and agile innovation in opportunistic applications. They key to this balance lies is in determining where the domain of control for IT can safely transition into a environment of open access to information. This is a “line of demarcation” that allows for a clean separation of certain types of applications. The best way to picture this concept is to imagine a line on an X-axis, with control of technology at the left side, and anarchy at the right. “Command and Control IT” typically lives as close to the left as is possible, while the world of “consumer-driven IT” lives quite far to the right. There are opposed to be sure, but it is possible for IT to reconcile these differences and foster both sides by creating a shared understanding around which classes applications should be enterprise-class and which can and should be treated as opportunistic.

Another way to visualize this concept is with the “Long Tail,” which is depicted in Figure 1 below. The “Long Tail” was a term coined by Chris Anderson in Wired Magazine to describe how the business models of companies like Amazon or Netflix enables them to profitably offer a wider range of goods and services than traditional organizations. The concept (also referred to as a heavy-tail or Pareto distribution) is a well-known statistical occurrence where a high-frequency population (depicted by the region in green below) is followed by a very long low-frequency population that gradually diminishes in area (or “tails off”). In many cases, the long tail portion of the graph, colored in yellow below, can actually represent the majority of the area under the line in the graph, even though the frequency is lower along that portion of the line than it is in the green area.

Figure 1 - The Long Tail

When applied to Amazon and Netflix, this concept is used to illustrate that organizations with powerful distribution channels can make just as much or more selling ten copies each of 10,000 obscure books as they could selling 100,000 copies of one best-selling book. The application to many organizations is just as powerful when information is the product. Assume for a moment that the green portion of the graph represents enterprise-class applications with a large internal user base and the “long tail” or yellow portion represents opportunistic applications with a much smaller number of users. This is depicted in figure 2 below.

Figure 2 - The Long Tail for Applications

In this scenario, the “long tail” theory argues that an organization could serve more users with several hundred opportunistic applications than it does with a small number of enterprise-class applications, but at a much lower cost. Thus, a “long tail” model can enable an information-driven organization to serve its customer base effectively without greatly increasing the cost of software delivery. Such a model does so by enabling the kinds of opportunistic development which most IT organizations would likely never have the bandwidth or justification to pursue because they are applications which are tactical in nature and which may only serve a small number of users.

While a “Long Tail” mindset enables us to create a clear line of demarcation, simply classifying one type of application or information set as enterprise and another as opportunistic isn’t enough. It is entirely possible for IT to pursue this demarcation with good intentions, and then stifle innovation by requiring that all applications, including opportunistic ones, be developed using only one type of platform or programming language. Thus, another key to creating “Freedom within a Framework” is that IT must give up as much control as is possible, while at the same time recognizing the assets and information over which the enterprise should retain control. In my next post, I’ll discuss the concept of an IFaP architecture which, I believe, provides a powerful architecture for enabling open innovation while, at the same time, providing IT with a framework to manage its information assets.

For the past several weeks, we’ve been working on creating a viewpoint of our future-state architecture that enables a greater degree of low-hurdle innovation with technology than we currently enable. The goal is to enable anyone across the globe, inside of the organization or out, to make use of public information we provide to create applications of value, even if that value is only seen by a single individual. Call it Web 2.0; Call it Enterprise 2.0. Call it what you will. We’re calling it either Freedom within a Framework or the Framework for Rapid and Empowering Development (FRED) depending on to whom we’re currently pitching the idea. The latter is our EA marketing savvy at work…

The idea is simple: We want to create an environment when enterprise applications can be created and managed in an enterprise way, and opportunistic applications (i.e. ad-hoc process applications and mashups) can be created freely and with little to no involvement from the IT organization. IT does what it does best, but explicitly steps back from “owning” all information and technology in an organization. From concept to implementation, I believe that one way to foster such an environment is to allow the world of WS-* and the world of REST to co-exist within the enterprise. Rather than an either/or decision, we want enable and encourage both styles for certain types of situations.

The culmination of our work around this idea was a paper published internally at the end of November, along with a demo that provides an example RESTful interface (which depends on our existing SOA) and a couple of applications which consume information presented by those interfaces.

Over the next few weeks, I plan to post excerpts from this paper and some of the meat from the demos. My intent in doing so is twofold:

1) To posit an alternative to the REST vs. WS-* debate. I am certainly not the first to argue for cohabitation of these styles. I only wish to add my voice and provide another perspective.

2) To obtain feedback from Enterprise and SOA Architects who have either already considered, are considering, or have implemented a similar design. I’d love to hear feedback in the coming weeks from anyone wanting to way in on any of the topics below.

I’ll publish the first post tomorrow, and the subsequent ones every couple of days after that. Here are the topics I plan to post about, in order:

• Embracing the Long Tail
• IFaPs: Enabling the Long Tail and Protecting the Enterprise
• REST: The Entry Point for Innovation
• Benefits of a RESTful Interface
• REST and Security
• A Demo RESTful Interface
• Demo Opportunistic Applications

As I add posts, I’ll return to this post and add the hyperlinks.

Looking forward to the discussion!

I’m sitting in a session at the Gartner EA Summit entitled “Security Architecture Best Practices.” I’ll be the first to admit that I don’t pay enough attention to the Security side of Enterprise Architecture, which is why I am in this session and plan on attending another complementary session tomorrow. I am surprised to see that, though there are 600 people at this portion of the Summit, there are only about 50 people in this room. So is EA really that far behind the curve in getting on board with Security? What are we all doing beyond adding a vertical “Security” bar to our models? Not much, in my case, but I am feeling that that ought to change, especially in light of some things I am starting to work on which I will blog more about in the coming weeks.

I know that James McGovern cares about security. In fact, he has stated before that he sees it as a form of competitive advantage, which, if true, explains why there are only 50 people in this room. I would expect that to grow year by year.

As for the session itself, so far so good. One salient point that I’ve heard Gartner preach before, but am now seeing tied to the Security space is that the “Consumerization of IT” should lead us to drive our Security Architecture and Design to enable choice and distributable trust. Personally, I feel that lock down security, the knee-jerk of most Enterprises, is an over-engineering step that will leave us inflexible and closed off from a younger generation of employees and consumers. Thus, I’m glad to see that backed up with some analysis from Gartner.

I’m glad to see Gartner offering sessions such as this in to an EA audience. My advice to them is to continue to offer sessions like this, even if the attendance from this year’s summit doesn’t suggest that there is an interest. Those numbers will grow.

The Microsoft Architecture Journal has been one of my favorite print periodicals lately. The articles are top-notch, relevant and very well-written. If you don’t have a subscription, I would highly recommend it, even if you’re not in an MS shop. Yes, there is a Microsoft bent, but there are also some gems that, I feel, have been universally relevant.

I noticed in Simon Guest’s blog this morning, that Microsoft has released an Architecture Journal Reader that provides digital access to all thirteen issues of the journal, with search, favorites, annotation, etc. I’ve already downloaded it and It will be nice to have all of that information closer at hand. You can download a beta of the reader here, and go check out Simon’s post here.

…and I’ll charge you an arm and a leg to make it better. Looks like IBM is starting up a dysfunctional SOA practice. Not surprising really. Consider this quote: “Some organizations may not be happy with their service oriented architectures (SOAs). They may have “unhealthy” SOAs as a consequence of partnering with inexperienced system integrators. They may have proprietary SOA technology in the mix, and it may be difficult to scale operations.”

They will probably make a killing since no one agrees on what SOA really means and all IBM has to do is figure out what you think it is, then convince a few key executives that that’s the wrong idea, thus rendering them instantly unhappy. It was bad enough when selling the buzzword ruled the day, but selling the band-aid will be worse, I fear. This, my friends, is why we never should have let our executives hear “SOA” in the first place. 

Here’s a question: what happens if an organization worked with IBM as their Systems integrator in the first place and is now unhappy with what they got? Would IBM ride in to rescue that organization too? <unrealistic>Maybe for the sake of good-will and a case-study, they’d do it for free.</unrealistic> I wonder how IBM would sell that engagement? Probably by blaming your internal management.

I can’t help but think that this is a case of selling me poison, then following that up by telling me I have a deadly poison in my system and that you just so happen to have the antidote. Not that I am calling SOA poison in any way. Conceptually, it’s just the opposite.

Maybe I’m overreacting or being too negative here. Any one care to chime in with excitement about this announcement?

From December 3-7, Gartner will be holding two back-to-back summits on Application Architecture, Development and Integration and Enterprise Architecture at the Rio in Last Vegas. It looks to be a informative week with some valuable sessions and insight. Todd Biske will be there in two panel discussions and I am looking forward to both of those, along with a number of others currently on the agenda.

Aside from the sessions, I’ve found that I gain the most value from these events when I have a chance to interact with other attendees. Are any other folks reading this planning to attend? If so, drop me a line in the comment section or via email at bsatrom at gmail dot com and we can try to connect during the week. I am always looking to gain the perspective of others in the opportunities and challenges that my EA group faces, as well as hear about the exciting and innovative things that other enterprises are doing. Hope to see you there!

Last week, Jean-Jacques Dubray published an article on InfoQ regarding Microsoft’s recent announcement of Oslo, a strategy designed to “…take composite applications to the mainstream.” Rather than revolving around a single product, Oslo sets strategic direction for Visual Studio, BizTalk, the .Net Framework, Microsoft System Center and a new product called BizTalk Services. On a side note: Arnon Rotem-Gal-Oz hopes that this final project’s association with BizTalk is more about branding than actual product similarity, a sentiment I share.

After posting this article, Jean-Jacques sent me an email and asked me to share some of my thoughts on Olso for a follow-up article to be published at InfoQ. I sent my thoughts along on Friday, but thought that I would post them here as well.

When we developed a long-term strategy for Composite Applications at my organization, it was obvious that while Microsoft technologies would have a major role to play in many areas of our future-state architecture, there were several vital pieces missing in the Microsoft stack that we would likely need to find elsewhere. I’ve always felt that we weren’t alone in that sentiment, and the Oslo announcement suggests that Microsoft is also well aware of the gaps in their current offerings. While products like Dynamics CRM and MOSS 2007 offer composition scenarios which I regularly point to as examples of end-user and/ or business analyst composition, Microsoft has long been missing the technologies to unify these experiences under a common framework. Though missing in the products themselves, the Composite Applications vision is one that I have seen preached by Microsoft Architects and blogger’s like Mike Walker and others who seem to have a good grasp on the long-term potential of composite applications. The good news about the Oslo announcement is that those individuals are no  longer in the minority. With Oslo, I believe Microsoft has unveiled merely the beginning of a unification strategy that enables composite applications. I believe that this bodes well for clients and non-clients of Microsoft alike.

That being said, There are two reasons why I’m a bit skeptical about the Oslo announcement: For starters, I believe that Microsoft’s stated vision for Composite Applications is too narrow. While the Software + Services and SOA visions are needed, I believe that the end goal of any Composite Applications strategy should be to gradually enable composition up the stack toward the end-user. This is done first by providing a SOA which enables true service and process composition, then by extending those principles to developers of customer applications, business analysts and, ultimately, end users. Oslo speaks well to the former, but the latter is auspiciously missing. I actually don’t believe that such a goal is absent in the halls of Microsoft, but I do believe that it hasn’t permeated across the organization and thus, isn’t given a place in the conversation yet.

The second reason I am hesitant to praise Microsoft for the Oslo vision is because their announcement is related to technologies which are anywhere from 1 year to 3 years or more away from release. Most of the tool updates are two releases away. Microsoft is correct when they say in their press releases that 21st century business is moving faster than IT can deliver, but that statement is true today. Organizations need solutions today, not announcements of solutions coming tomorrow. My organization, for example, cannot wait for a repository to manage models, metadata and services (one of the gaps we knew about in our strategy) when our ability to manage all three is already beyond our control. I honestly believe that Microsoft’s vision for Oslo is a good one, but they are just now announcing plans to provide functionality that most organizations already know they need, which puts them at a disadvantage with those organizations. I can see a day in my company where many of the pieces in the Oslo stack make their way into our architecture, but today we need to keep moving. Of course, the good news is that when SOA and composite applications are done right, vendor lock-in is reduced and organizations can focus on delivering for the business today instead of waiting for the remaining puzzle pieces to fall in place tomorrow.

Back in September, I published a couple of excerpts from an internal paper I wrote on Composite Applications (you can read them here, here and here). At the end of my second post, (which I probably should have broken up into 2-3 posts at least) I discussed the four types of Application Composers. If you missed that section, (which would be proof that I should have broken them up) here’s a recap:

1) Business Service Developers - These are IT developers focused on providing value-added common business services to all customer solutions teams. Their technical depth is high and a CAF targeted at these users would be similar to what is provided by SOA today.

2) Customer Solution Developers - These are IT developers focused on creating customer-centric solutions by leveraging software infrastructure. Their technical depth is moderate to high and a CAF targeted at these users would need to abstract away service creation and assembly.

3) Business Analysts - These are customer consultants focused on helping customers determine which business needs are best met with technology. Their technical depth is moderate and a CAF targeted at these users would draw many features from current BPM platforms.

4) End Users - These are the users of the solutions created by customer solutions teams. Their technical depth is low and a CAF targeted at these users would need to abstract away nearly all of the technical aspects of application creation and should provide very intuitive context- and metadata-driven methods for application assembly and customization.

While these still make sense to me, I think I completely missed number five on this list. It’s a bit of a wildcard, and it may not apply to every organization, but I think it will apply to more and more organization in the coming years. Here it is:

5) External Developers - These are developers who reside outside of one’s own IT organization, but who have development expertise that they wish to leverage to create value-added services that benefit your organization. Their primary interest is in consuming available organizational data and recombining this data with external data or services to create new composites not offered or envisioned by the organization itself.

Now I think that the reason I missed this was because I was thinking internal only when laying out a strategy for Composite Applications in my organization. However, my fearless leader and I have been talking at length about creating a framework by which certain subsets of our information (the right information, of course) could be made available to anyone with the wherewithal to create useful services that we never thought of. Thus, our framework for Composite Applications now has another persona to enable.

So what do you think? Is this a valid addition, or did I have it encompassed in another one of the four? Furthermore, is just one more enough? That fifth category encompasses a ton of people, so do I need another for the technically savvy end user who doesn’t write code, but who screams at creating inventive Yahoo! Pipes applications. I suspect that #4 could represent this individual with a slight modification, but what do you think?

I’ve worked for organizations where IT moves too fast (and thus wastes money and alienates customers) and others where IT moves too slow (and thus the customers go around IT as much as possible). I’ve also worked in places where IT does both, often in the same day.

This week, I have the pleasure of sitting in all-day meetings related to a series of IT infrastructure projects we are pursuing. The folks in charge of coordinating this effort brought in a vendor to lead a brief engagement designed to help IT project teams and key business stakeholders better understand how to proceed with these key projects. This is a noble goal, and it’s one I support. However, I fear that the engagement was put together too quickly and with almost no deliberation. It’s just my opinion, of course, and I’m sure that this engagement will have some value. I, for one, want to make sure that we obtain that value even though the process has been a bit hasty. But will it have equal value to the dollar amount on the contract? That I don’t know.

To be fair, I’m certain that we’re moving quickly in this effort because we’ve been far too slow with similar efforts in the past. But, it seems as though the pendulum has swung the other direction. So here is the underlying question: How does IT get things done, without moving too fast or too slow? Here are a couple of my thoughts off the top of my head:

1) Empower people in the right places - IT doesn’t need to poke it’s nose into all areas of the business just because something smells like technology. The question is, what information technologies do we need to be involved in?

2) Respect the Business and Keep them Informed - IT managers like to talk about getting users in the room, then they go and demand they be present without respect for the ever-crushing workload which they have to deal with. If you need to move fast, and you need your customer, it’s your responsibility to move mountains for them, not ask that they do so for you. 

3) Remember who you are working for - An extension to number 2. Sometimes is looks like IT is the tail wagging the organizational dog, as if our business units exist to use our technologies. If IT feels the need to get things done fast, then I would imagine that there is a good business reason for doing so (there had better be). If that’s the case, its our responsibility to help the business understand how moving fast is our best bet for meeting that need. When we help the business understand that, they get in our corner and help us move as a partner, not someone we feel the need to drag along.

What else am I missing here? Quite a bit, I’m sure, so additional thoughts would be appreciated.

Saw this post from Brady Forest on O’Reilly Radar, which points to the official announcement on the AWS blog. This may not mean as much to many of you who have been using S3 for a while now, but it’s big news for a guy like me because I know better than to bring technologies like S3, EC2 and Mechanical Turk into any serious internal conversation unless I can say “yes” to that SLA question. Looks like AWS is getting ready for prime time. And why not? Most of us have been expecting this for a while now.

I will echo Arthur’s request for more to the SLA, specifically for stats on uptime and availability. I think that all services should provide information like this to be as clear as possible in letting you know what you are getting by consuming said service (and our internal guidelines say as much), but this kind of information is especially vital with services in the cloud. I’m confident that they’ll get there, but in the meantime, I’ll echo that feature request.

On another note, why the heck is O’Reilly charging $149 for a glorified whitepaper on developing applications for Facebook? I use Facebook. I like Facebook. I think there is something to be said about developing applications for it… in certain situations. But could we just take a moment to breathe here before they hype train carries us all away?