Showing posts with label Enterprise Architecture. Show all posts

Sunday, 16 March 2025

SAP LeanIX Intro

  • LeanIX is an SAP SaaS product that facilitates Enterprise Architecture (EA) in businesses, utilising dashboards and diagrams to support informed decision-making.
  • To create the roadmap, align business goals with IT strategy by generating 'As-is' and 'To-be' architectures.
  • Improve integration, reduce complexity, and eliminate duplicate systems to make better decisions.

Note: LeanIX is an all-in or don't-bother tool.  LeanIX provides a comprehensive view of your applications, business processes, and interactions with IT assets.

3 Products make up LeanIX:

  1. Application Portfolio Management: The base product for recording the application landscape. It lets you inventory dependencies and identify redundancies to optimise the application landscape.
  2. Architecture and Roadmap: Using the Application Portfolio, visualise the 'As Is' and 'To Be' architectures and visualise the impacts of change.
  3. Tech Risk and Compliance: We verify technology standards and can fund projects to help address data residency rule breaches.

Twelve fact sheets, such as the application fact sheet template, are essential. The meta model is the plan that shows how information in the fact sheets is interconnected.  

The "LeanIX Meta Model" at a high level shows the 4 EA architectural views:  

  1. Data Architecture
  2. Application Architecture
  3. Business Architecture
  4. Technical Architecture 

On top of the four architectural pillars sits Strategy & Transformation, covering:

  • GAP & Roadmap, 
  • Principles, 
  • Requirements and Assumptions.

What I Like:

  1. Inventory of Products, dependencies and link to documentation
  2. Nice predefined reports and the ability to collaborate with stakeholders
  3. Visualise dependencies, excellent reporting capabilities

Note: LeanIX is based on The Open Group Architecture Framework (TOGAF) and TOGAF's Architecture Development Method (ADM).

Technology Landscape

I love this picture; unfortunately, I don't know where it comes from.




Wednesday, 21 February 2018

Consultant Bingo - A master class

I love a useless term to baffle the room as much as the next fellow, but watching a master in a meeting today:

STRIDE Model is Microsoft's Security/Threat classification model.  I had to look it up and found another acronym.  STRIDE is for Threat modelling as part of risk management.  It is an acronym for:
  1. Spoofing a server
  2. Tampering with a file
  3. Repudiating an order
  4. Information Disclosure
  5. Denial of Service
  6. Elevation of Privilege
The DREAD Model is pretty much the same as STRIDE.

CIS framework or MITRE framework—a Security framework for benchmarking. It is closely related to the SOC (Security Operation Centre).

'RESPECT' for: "I evaluated my DTAP environments across Federation services using the STRIDE model over the DREAD model because it is simpler.  Of course, all the cross-cutting concerns have been dealt with." 

Three Amigos Backlog review: The PO, SM, and Team members meet to discuss design, development, and testing.

YAGNI is an XP principle: "You Aren't Gonna Need It." This principle essentially means creating code only for the requirements, not for what you may feel is needed later on.  

Pareto Rule - roughly 80% of consequences come from 20% of the causes.  Or 80% of outputs come from 20% of inputs.  So 80% of the revenue may come from 20% of your clients.  Also referred to as the 80-20 rule. The same principle applies to the 90-10 rule.  Pareto analysis: 80% of a project's benefits can be achieved by doing the correct 20% of the work.

Ringelmann Effect - Individual members become less effective as the size of the group grows.  I opt for small, focused teams even for large programmes as more people do not equal more technology delivery.

A hockey stick pattern is a chart pattern that exhibits a rapid increase following a period of relative stability.  For example, pizza sales might drastically increase when a pandemic strikes, as people no longer go out to eat and tend to order more delivery pizza.

GIGO - Garbage In Garbage Out.  It is the same idea as FIFO or LIFO.  

WSJF (Weighted Shortest Job First) is a technique for prioritising tasks in the Scaled Agile Framework (SAFe). It is pronounced "Wiz-jiff." I'm not a fan of this technique.

The CIA Triad is Confidentiality, Integrity, and Availability of data. Basically, as part of DevOps, SecDevOps, and BizOps, all stakeholders must continually consider the CIA.

OMGA - (Owner, Member, Guest user, Application User) is a security structure used to control access.

6 hats/ Six hat thinking - helps with creative thinking within group decision-making.  

ProActivity Hunt - SOC tries to imagine scenarios/hypothetical situations and, using data capture, verify if there are security risks.  I've only ever heard this term at Microsoft.

Red Teaming - A Team used to simulate attacks.

FAIR data is data which meets the FAIR principles of Findability, Accessibility, Interoperability, and Reusability (FAIR)

Standard Methods for API Testing:
USE Method of instrumenting - utilisation, saturation, errors (basically used in most old monitoring, such as servers).
The RED Method - Monitor APIs using logs that pick up request rate, errors and performance.  Similar to "The Four Golden Signals": Latency (time to serve a request), Traffic, Error rate, and Saturation.

TV pickup is a phenomenon in the United Kingdom involving sudden surges in demand on the national electrical grid. It happens when a large number of people are watching the same television programme and, at an advert break or half-time, we all switch on our tea kettles, etc.

Normal Accident - (Charles Perrow) complex systems that are tightly coupled with subsystems have potential for catastrophic failures.  Preventative measures help, but it may always happen, e.g. Fukushima.  We may have to abandon complex technologies.

Useful Glossary:
The Architecture Review Board (ARB) serves as a governance body to ensure that IT projects/programs align with the business's IT Architecture and that IT initiatives align with the company's IT goals.
Change Advisory Board (CAB) - a board of members that evaluates changes and the associated risks to the business.  It has a strong technological influence, not only in a technical sense.  Sometimes, CABs in companies are IT-focused, dealing with IT change requests, and are more like an ARB.
ExCo (Executive Committee) - a collection of decision makers, mainly board members/higher-ups, who make strategic decisions.
MSSP (Managed Security Service Provider) - People, Processes and Technology to protect your business. An outsourced service that manages and monitors enterprise security: IAM, cloud security, app security, data security, and network security.  Includes MXDR - Core monitoring.
Kill Chain - the steps that trace stages of an attack from the early reconnaissance stages to the exfiltration of data.
SOC (Security Operations Centre) - usually the CoE/security team within a business. 
PAM (Privileged Access Management)—CyberArk and Azure have a PAM that allows temporary recorded privilege escalation for users with dedicated admin accounts.
Enterprise Architecture is one level up from solution architecture. The primary frameworks are TOGAF (I am certified in version 9.1), the Zachman framework, and the Federal Enterprise Architecture Framework (FEAF), also known as FEA. I have used ArchiMate and, briefly, LeanIX (SAP) for modelling within the TOGAF framework to describe the Architecture of a government department; it's okay.
BCM (Business Capability Map) describes what a business does to help build IT services strategically and reduce cost and complexity. It is helpful for Asset/Portfolio management and "as is" and "To Be" Architecture.