The Right Technology

The Right Technology

We are frequently asked which environment or technology we specialize in for development.  Many development firms will specialize in a specific environment, language, or technology because that is what their developers know.  We do not advocate that approach.  Solutions need to solve problems, not create a new one by trying force a square peg into a round hole.

The Systems Development Lifecycle (SDLC)

There are significant variations of the software development cycle(also referred to as SDLC), and each has their benefits and drawbacks. Instead of weighing the disadvantages and advantages of those philosophies, it is best to approach the issue from a systems development lifecycle perspective.  This high-level overview of the SDLC is to highlight the steps of the process briefly.  The SDLC consists of five phases:  Planning, Analysis, Detailed System Design, Implementation, and Maintenance.

Planning and Analysis

The planning and analysis phases are the most crucial for a client seeking software development, as this is the basis for the business rules of a system being identified.  Planning involves more of asking the questions of needing a new system vs extending an existing system.  The analysis phase focuses on the feasibility of implementing a new system based on how the questions are answered in the planning phase.

Detailed System Design and Implementation

As the process moves forward, the detailed system design phase is where ideas become concepts.  Modeling and system design will help ensure that business rules are being met.  Additionally, the business rules need to be thoroughly vetted during the design phase.  Proper vetting will assure feature creep doesn't occur, which slows down the release/deployment of a system.

The implementation phase involves the development, testing, and debugging of the system.  In the software development industry, communication from the development team slows down significantly.  While most development teams have a liaison with the business side of an organization, this isn't always the case.  Establishing a regimented schedule for updates will increase the transparency of the development effort.

The graphic below demonstrates how the software development integrates minimally with the SDLC. Despite the graphic connecting the two at the implementation phase, interactions will vary among different development teams. Development teams should be involved throughout the process if at least as a an advisory role.

Artboard-1

Maintenance

When discussing software development specifically, the maintenance phase begins with User Acceptance Testing (UAT).  The purchaser or product owner, whether internal or external, will conduct a thorough evaluation of the system or product to ensure business rules are met, verify the stability of the system or product, identify if any corrective maintenance is needed.

The maintenance phase is the best means of ensuring feature creep doesn't occur.  System and software development inherently expects that new requirements are identified during the SDLC.  The maintenance phase is where enhancements and business rule changes are reviewed.  If improvements or business rule changes are required, the process begins again.

Having a general insight into the development process demonstrates that the technology in which to implement a solution becomes more significant.

Extending Existing Systems

Extending existing systems always provides the most cost-effective route as there is a form of infrastructure, logical and physical, already in place.  The primary concern from a software development and a cybersecurity perspective is if that infrastructure has reached its end-of-life status.  If existing systems are have achieved or are close to reaching end-of-life, it is best to move forward in exploring new systems and infrastructure.

Most development teams will hesitate in working with existing systems or infrastructures for multiple reasons.  The most apparent reason is the developer is pigeon-holed into a specific technology, limiting their options for implementing a solution.  The developer will have to review the systems to determine what effort and resources are needed to bring the system or infrastructure to modern standards.  A security analyst should examine the infrastructure and systems to ensure there are no known security concerns.  If an infrastructure and system have been adequately maintained, these vulnerabilities are typically kept to a minimal.

Developing New Systems

In the past, developing new system has been avoided, simply because of the cost of acquiring resources. Developing new systems also provides the developer more freedom in designing a solution to implement, to a point. The development team should review the current ecosystem of the organization's IT operations and try to conform the solution to that ecosystem.

Nested Virtualization / Cloud Computing

Virtualization has drastically changed the way organizations approach IT systems. The ability to freely stand up and tear down systems within a few clicks has transformed how systems are implemented. For small business organizations, virtualization has provided the capability of these organizations to compete with medium and large businesses. Virtualization should at a minimum be addressed in the planning phase for feasibility in developing new systems. Virtualization for systems can be broken down into expected use, internal (private) or external (public).

Cloud Computing Differences

Cloud computing can generally be broken up into two categories, public and private. Those can be expanded to 4 categories, usually defined as public, private, hybrid and virtually private. Public cloud computing is what is most recognizable with providers such as Amazon Web Services, Oracle Cloud, Microsoft Azure, and IBM Cloud. The virtual or managed private cloud is a private network within a public cloud network to strengthen the security of the network. There is debate as to whether these cloud networks should fall under purview of private or public clouds. A hybrid cloud network involves the combination of public and private cloud components to implement as system.

The private cloud network was saved for last due to the ongoing debate of virtually private cloud network being truly private. A private network is viewed as being under the control of a single organization, either on or off premise. A purely private cloud network will be on-premise network operating off an organization's own physical infrastructure.

Conclusion

One of the primary security concerns for cloud computing is the ability for a third party to gain access to the network. The ability to secure a network, public or private, is only as good as the security implemented at the network per se. The general rule of thumb is to determine the end-users. If those users are external to the organization, the solution should incorporate a public cloud solution, otherwise internal tools should only be implemented on a private network.

Choosing technology also incorporates compliances requirements. Compliance rules covered under regulations such as PCI, Sarbanes Oxley, and HIPAA have their own requirements for technology and the collection and storage of data.

Follow the SDLC and identify the feasibility of the technology to be implemented for the solution. Focus deriving a solution that fits the ecosystem of the organization and conforms to the overall goals of the organization. The solution and technology should be flexible enough to scale with the organization.