Friday 26 February 2021

Shopify Teams meetings backgrounds

Overview:  I like to use a custom background in my Zoom and Teams meetings as I don't need to worry about what people and clients can see in my home.  We used Shopify to sell digital goods (the customised meeting backgrounds).

Solution:  Users can select a background for which the rights have been purchased, then upload their company logo and add their name.  It makes a pretty cool background effect, and we used Shopify to create an online shop to allow people to order.  Originally we planned to use a ReactJS application on Azure for the creation and ordering, but Shopify had a plugin that stored all the digital assets on AWS for $10/month.  Coupled with Shopify's low fees, it was better to keep the whole system under Shopify.

Shopify also provides Channel/Sales buttons that you can place on blogs and websites.  They get pretty advanced, as shown below.

Problem:  Customers.  Originally we planned to sell each customised image for about the price of a cup of coffee ($5, £4).  The hard part was finding a way to get customers and convert them into paying customers.  Also, as you generally only use one image, there is no returning customer to offset the cost of acquisition.  Adwords proved nonviable: the cost of attracting customers was way in excess of the return.  Convincing people to input credit card details lowered the conversion rate further, making Adwords even less viable.

Summary:  Shopify is a great ecosystem and I have set up a couple of stores using it now.  It is fast, customisable, well thought out and great for a new starter.  It has tons of plug-ins and lots of free and purchasable themes/templates.  There is a lot of documentation and a lot of expertise to help out.  We used Fiverr for some scaling work on my theme as I couldn't get the scaling 100%; the freelancer was easy to find and helped me right out.  In the end, a good experience: Shopify is awesome and easy.

Friday 12 February 2021

APIM debugging, tracing, monitoring tricks and tips

Debugging APIM requests from Visual Studio code 

Visual Studio Code has an extension for debugging APIM:

Azure API Management - Visual Studio Marketplace


It's also useful to have an APIM request/REST client extension installed.

Tracing APIM

To get a full trace, add the HTTP header "Ocp-Apim-Trace: true" to the request; the response will contain a URL from which to retrieve the trace information.

App Insights for APIM
Logs in three places:
  1. Incoming requests (coming into APIM)
  2. Dependency requests (going out to the backend)
  3. Exceptions, which are also logged in App Insights
Logging can be set at either the global or the API level.
Set up in APIM > Monitoring > Application Insights (link APIM to the App Insights logger).

Documentation Tips

Ensure you fill in relevant descriptions and summaries.  It's also key to provide examples.  

https://swagger.io/docs/specification/adding-examples/

My Technical Working Notes for Microsoft Technology: APIM OpenAPI Specification Documentation Example within the Developer Portal (pbeck.co.uk)

APIM documentation is updated in the Developer portal after re-publishing.  It has a great UI, but ensure summaries are added for parameters/attributes to get a truly rich set of integration documentation (it will save so many questions and time).   I also like to add a getting started guide: keep it short and simple and, most importantly, have a simple explanation of security/authentication and connectivity.

- in: query
  name: age
  schema:
    type: integer
    maximum: 3
  examples:         # Multiple examples
    max:            # Distinct name
      value: 3      # Example value
      summary: The age is dependent on dob, min is 0, can't be negative
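A small checker for the snippet above, added here as an example (it is not from the original post or from Azure APIM): it confirms that every entry under examples agrees with the parameter's schema, so the Developer portal never shows integrators an example value the API would reject. AGE_PARAM, the added minimum: 0 and the two bad examples are constructed.

```python
# Added example, not from the original post or from Azure APIM: a checker that
# confirms each 'examples' entry on an OpenAPI parameter agrees with the
# parameter's schema, so the Developer portal never shows integrators an example
# the API would reject. AGE_PARAM is a constructed Python rendering of the YAML
# above, with 'minimum: 0' added to match its summary and two deliberately bad
# examples so the checker has something to report.

AGE_PARAM = {
    "in": "query",
    "name": "age",
    "schema": {"type": "integer", "minimum": 0, "maximum": 3},
    "examples": {
        "max": {"value": 3, "summary": "Largest permitted age"},
        "negative": {"value": -1, "summary": "Constructed: below the minimum"},
        "wrong_type": {"value": "three", "summary": "Constructed: not an integer"},
    },
}

# OpenAPI 'type' keyword -> Python types an example value may have.
_TYPE_MAP = {"integer": (int,), "number": (int, float),
             "string": (str,), "boolean": (bool,)}


def check_parameter_examples(param):
    """Return [(example_name, problem), ...]; an empty list means all examples are valid."""
    schema = param.get("schema", {})
    expected = _TYPE_MAP.get(schema.get("type"))
    problems = []
    for name, example in param.get("examples", {}).items():
        if "value" not in example:
            problems.append((name, "missing 'value'"))
            continue
        value = example["value"]
        # bool is a subclass of int in Python, so True must not pass as an integer.
        wrong_type = expected is not None and (
            not isinstance(value, expected)
            or (isinstance(value, bool) and schema["type"] != "boolean"))
        if wrong_type:
            problems.append((name, f"value {value!r} is not of type {schema['type']}"))
            continue
        if "minimum" in schema and value < schema["minimum"]:
            problems.append((name, f"value {value} is below minimum {schema['minimum']}"))
        if "maximum" in schema and value > schema["maximum"]:
            problems.append((name, f"value {value} is above maximum {schema['maximum']}"))
        if not example.get("summary"):
            problems.append((name, "no summary; the portal would show a bare value"))
    return problems
```

Running check_parameter_examples(AGE_PARAM) reports the negative and wrong_type examples and accepts max.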

Thursday 28 January 2021

Encryption Options for Azure SQL

Overview:  With all IT storage, we are looking for encryption at rest and for making sure the data is encrypted "over the wire" until it reaches storage.  For encryption in transit, Azure SQL supports TLS/SSL versions 1.0, 1.1 and 1.2.  If possible go for TLS 1.2.

Azure SQL Server Transparent Data Encryption (TDE) relates to encryption at rest by encrypting the log and data files on storage; Azure enables TDE by default on databases.  TDE can be turned off on your Azure SQL instance.  The disks that hold the database files and backups are also block encrypted automatically by Azure.

Backups should also be encrypted, and if TDE is enabled on Azure, your backups are automatically encrypted too.  Tip: Validate your restore of Azure Backups to another instance.

Column encryption is useful for encrypting a column within a table.  I prefer to use a Key Vault and have a SQL column point to the Key Vault entry for things like tokens and secrets, but for something like credit card numbers column encryption is ideal.

Always Encrypted allows one or more columns to be encrypted within a database.  The client application decrypts, which provides separation: database owners/administrators cannot view or validate the encrypted column(s).

Encryption at Rest on Azure SQL Server (PaaS) Summary:

  1. Disk Encryption - Always on, can't be changed
  2. TDE - Server-Side - On by default (can be turned off)
  3. Column level encryption - Server-Side (needs configuration; encryption done inside SQL for columns)
  4. Always Encrypted - Client-Side.  Columns are encrypted inside the db and only the application can decrypt the column.
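The options above have a client-side half: encryption in transit only holds if the application insists on TLS and validates the server certificate, and Always Encrypted only works if the client enables column encryption. The checker below is an added example (not from the original post or from Microsoft) that audits a SqlClient-style connection string for those settings; the keyword names are Microsoft.Data.SqlClient's and the two sample strings are constructed.

```python
# Added example, not from the original post or from Microsoft: audits a
# SqlClient-style Azure SQL connection string for the client-side settings the
# options above depend on. Encrypt/TrustServerCertificate decide whether the
# TLS "over the wire" protection is real, and Column Encryption Setting is what
# lets the application decrypt Always Encrypted columns (option 4). Keyword
# names are Microsoft.Data.SqlClient's; the sample strings are constructed.

WEAK_CONN = ("Server=tcp:example.database.windows.net,1433;Database=shopdb;"
             "User ID=app;Password=<placeholder>;"
             "Encrypt=False;TrustServerCertificate=True;")
HARDENED_CONN = ("Server=tcp:example.database.windows.net,1433;Database=shopdb;"
                 "Authentication=Active Directory Managed Identity;"
                 "Encrypt=True;TrustServerCertificate=False;"
                 "Column Encryption Setting=Enabled;")


def parse_connection_string(conn):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    settings = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def _enabled(value):
    # SqlClient accepts true/yes, and newer versions Mandatory/Strict, for Encrypt.
    return value.strip().lower() in ("true", "yes", "mandatory", "strict")


def audit_connection_string(conn, needs_always_encrypted=False):
    """Return a list of findings; empty means the client matches the server-side choices."""
    s = parse_connection_string(conn)
    findings = []
    # An absent Encrypt keyword counts as "not explicitly enabled": a review
    # should not silently rely on whatever the installed driver defaults to.
    if not _enabled(s.get("encrypt", "")):
        findings.append("Encrypt is not enabled: traffic to Azure SQL is not forced over TLS")
    if _enabled(s.get("trustservercertificate", "")):
        findings.append("TrustServerCertificate=True skips certificate validation, "
                        "so the TLS session can be intercepted")
    if "password" in s:
        findings.append("Password embedded in the connection string; prefer managed "
                        "identity and keep any secret in Key Vault")
    if needs_always_encrypted and s.get("column encryption setting", "").lower() != "enabled":
        findings.append("Column Encryption Setting is not Enabled: Always Encrypted "
                        "columns would be returned as ciphertext")
    return findings
```

audit_connection_string(WEAK_CONN, needs_always_encrypted=True) returns four findings and the hardened string returns none.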

Wednesday 27 January 2021

Tree Testing and Heuristic Reviews - Ux for dummies

I was speaking to two Ux experts in a meeting and they referred to Tree Testing when discussing Information Architecture and users working their way around a new SaaS product.  "Tree Testing" is not a term I had heard before, so they showed me this site and it is fantastic.

https://www.optimalworkshop.com/learn/101s/tree-testing/

I'm more familiar with Heuristic Reviews - that I find useful for improving UI/UX using an iterative approach that suits Agile nicely.

Sunday 24 January 2021

API Economy Technology Breakdown for Strategy Leadership


XaaS - Everything as a Service.  Objects can be used as a service e.g. renting cars by the hour

CX - Customer Experience


Sunday 27 December 2020

AIP and Sensitivity Labels

Overview:  AIP has had many names and twists over the past few years.  The functionality has been improving, but the naming and changes made it difficult to implement well.  Finally, I feel Microsoft Azure Information Protection is implementable at scale.

Summary: Sensitivity labels have the ability to allow documents and email to be classified in order to protect email and files.  One can track and encrypt documents/email.  You can also use sensitivity labels to protect SharePoint sites, Teams sites and Microsoft 365 Groups.  Within AAD (B2C) I can assign sensitivity labels to Microsoft 365 Groups.

Sunday 13 December 2020

ISO 27001 Certification & OWASP

Overview:  I have been through several ISO and security audits over the years for various companies offering SaaS products.  This post outlines some of my notes around the latest ISO 27001 audit I was involved in.

ISO 27001 covers Information Security Management (ISMS), which is about protecting and managing your business's information assets to reduce your business risks.  It demonstrates that your organisation has good security practices in place.

Note: ISO 27001 is a management systems standard for an organisation; it is not done for a particular product.

"An ISO 27001 ISMS consists of policies, procedures and other controls involving people, processes and technology."  https://www.itgovernance.co.uk/iso27001

Parts to an ISO 27001 audit:

  • Part 1 - Checks you have the correct documentation.
            Output is a go-ahead and a visit plan from the auditor.
  • Part 2 - Checks you as a business are complying with/working to the documentation.  Basically evidence-based reporting based on visual confirmation and staff interviews to verify compliance (sample-based auditing).  Findings are normally grouped into 3 types: 1) Opportunity for improvement = suggestions; review before the next audit to see if they are worth implementing.  2) Non-conformance - Minor = you can have a few of these; look to fix them.  3) Non-conformance - Major = you won't get certification with a major.  There is a period to address/fix the major issue(s).  Always complete the phase 2 audit as they may discover other majors.
            Output: findings report and, several weeks later, the certification.
  • Certification
  • Yearly: Need to repeat and show you are improving based on the findings; the audit will generally go into specific areas in more detail.
More Info:
Data Protection and Regulation note - see bottom of post for ISO27001

Notes
Business Continuity quarter check
Annual Security Policy & Standard Review 
Security training - different roles need different training
Annual penetration testing
Audit annual re-certification days
Risk Information: Non conformity & root cause analysis

Technical:  Encryption at rest, encryption in transit, DAST/SAST on code, logically secured customer data, Azure Defender to harden infra and continuously monitor, vulnerability scanning or external penetration testing, ASVS/OWASP.

ISO 27701 - "ISO 27701 extends the meaning of 'information security' detailed in ISO 27001. While the privacy and protection of personal data is part of ISO 27001, the newer standard extends the scope to include the protection of privacy as potentially affected by the processing of PI."  Source: https://www.learningcert.com/information-security/iso-27001-vs-iso-27701/

ISO 27017 - a security standard developed for cloud service providers and users to make a safer cloud-based environment and reduce security risk (source: Wikipedia).  I think ISO27017 is now part of ISO27001 extended.

ISO 28000 - the spec for security management systems for the supply chain (partner dependencies, e.g. software vendor, hosting company service).

ISAE 3402/SOC 2/ISO 27001 - about verification that the business processes/internal controls of the business are of a high standard.