General Architecture Principles for Everyday Decision-making
It is understood that formal Policies, Standards, Procedures, etc. will never exhaustively encompass every single aspect of I.T. work within the State of Maine . Yet, each I.T. worker is faced with critical decisions as an integral part of their everyday work. Such everyday decisions frequently have lasting consequences. But it is difficult to anchor such everyday decisions in the absence of a general framework of principles. Therefore, a set of easy, general architecture principles have been developed to aid in such everyday decision-making.
- The State is a single, unified enterprise.
- Information is a statewide asset.
- Security and Privacy are core missions.
- Limit the buffet of product/technology options.
- First reuse, then buy, then build.
- Optimally exploit existing products/technologies.
- Ensure orderly sunset & support of legacy products/technologies.
- Follow a set of well-defined criteria for selecting new products/technologies.
- Centralize identity authentication. Federate authorization as necessary.
- The State is a single, unified enterprise (1). A single I.T. enterprise with shared products and policies lowers costs and improves service. Further, any attempt at optimization is more likely to be fruitful when it targets the State as a whole rather than a single agency or program. Economies of scale not only extract deeper discounts from vendors but also facilitate interoperability and cross-training, thereby lowering costs and improving supportability. Historically, this was the rationale that led to the consolidation of email in the State. In the present, this is already forcing consolidation of license management and document management applications, just to cite two random examples. It is in the best interests of all parties to continue this trend and explore greater opportunities for collaboration and standardization across the State.
- Information is a statewide asset. Quality information is critical to effective government decision-making and accurate reporting to its citizenry. Currently, common data elements are dispersed across multiple information systems, with disparate formats, contexts, and meanings. Authoritative sources of particular data elements are often not well-documented, and stewardship is not codified. Such a state of affairs impedes statewide information flow, leading to poor governmental decision-making and underserved citizenry. Lacking effective data/information standards, agencies and programs are currently left to creating ad-hoc solutions, leading directly to the fragmentation of the State's information assets, compromised accuracy and integrity of its reports, and increased operational costs. A concerted, statewide effort needs to be launched to standardize data elements, codify systems of record and stewardship, and move toward XML-based exchanges.
- Security and Privacy are core missions. Security and privacy of information are essential to government operations in order to retain the public trust. Citizens expect the government to apply security and privacy consistently and monitor compliance. Security controls must be clearly defined so that costs and risks may be balanced appropriately. The State should implement security and privacy practices at all levels of government to ensure the confidentiality, integrity, and availability of its information assets. The State must do everything in its power to protect its information assets from unauthorized or accidental use, disclosure, disruption, modification, or destruction.
- Limit the buffet of product/technology options. In the past, individual arms of the State have acquired technologies on their own without much consultation or coordination with one other. The accumulative effect of that is the current reality, viz., a smorgasbord of competing technologies. This has some obvious disadvantages: lack of interoperability, lack of adequate support, lack of depth of coverage, lack of economies of scale, etc. In order to ensure greater success of I.T. in the State, it is critical to limit the buffet of technology options. This will enhance interoperability for there will be fewer moving parts to interface with. This will increase the level and depth of support for there will be a higher headcount per technology option, directly leading to higher in-house expertise. This will increase economy of scale for there will be a higher market share per technology option, directly leading to increased pressure on vendors to provide deeper discounts, dedicated training, etc. Taken together, limiting the buffet of technology options promises to reduce I.T. costs and improve service.
- First reuse, then buy, then build. Clearly, the best value to be extracted from sunk investments is to reuse them to the maximum extent possible. If it is determined without a doubt that an existing I.T. asset cannot meet current requirements, then the State should explore an off-the-shelf product that comes the closest to satisfying such unmet requirements. It is likely that the State will need to modify its workflows and business processes in order to utilize an off-the-shelf product, but that is still preferable to creating a custom product exclusively for its requirements. Only if it is ascertained that there does not exist any off-the-shelf product that comes even close to meeting its requirements should the State explore the option of building a custom product. While all generalizations are subject to caveats, it is extremely likely that the lifetime total cost of ownership for a custom product will far exceed that of an off-the-shelf product.
- Optimally exploit existing products/technologies. It should go without saying that the State should fully utilize what it already owns. Unfortunately, due to the pace of innovation in I.T., as well as the aggressive nature of marketing, the technology sector is more susceptible to hype than other sectors. Nevertheless, the State needs to summon the discipline to stick with the products/technologies that it already owns, as long as they continue to deliver an acceptable level of performance to its customers, and as long as vendors continue to support said products/technologies Specifically, the State should consider exploiting additional capabilities of products it already owns that are still supported by their vendors, even when they may not be the best-of-breed in a particular niche.
- Ensure orderly sunset & support of legacy products/technologies. Legacy products/technologies invariably support business-critical processes. And yet they become increasingly less sustainable over time due to two reasons. One: vendor support declines over time, and ultimately ceases to exist. Two: there arises a bidirectional pincer attack on the resource-pool for legacy technologies. The original resources are subject to retirement and attrition. At the same time, lack of market opportunity discourages younger personnel from acquiring the necessary legacy skills. But the diminution in sustainability does not reduce the business criticality of legacy products/technologies. Therefore, there needs to be proper planning, as well as an orderly sunset and support strategy for legacy products/technologies.
- Follow a set of well-defined criteria for selecting new products/technologies. The marketplace continues to explode with new products/technologies at a rapid pace. Clearly, no single entity, least of all the State, can afford to sample them all indiscriminately. That said, the State also cannot allow itself to fall too far behind the technology curve, lest it deprives itself of viable superior options. Therefore, it needs to chart a prudent middle course that can both filter out the hype, and yet discern lasting trends that have the potential to deliver higher returns. The selection criterion for a product/technology are as follows, in descending order of importance: Customer Value (Return on Investment), Installed Base within the State & Supportability, Scalability, Sustainability (Viability), General Excellence & Market Position, and Alignment with Long-term Architecture . Customer Value (Return on Investment) should command the highest weight. Cost considerations should be holistic, not just the one-time cost of acquisition, but a best guesstimate of the lifetime total cost of ownership. If a product/technology has a large installed base within the State and the State is already comfortable supporting it, it makes sense to continue with that product/technology and negotiate a deeper volume discount from the vendor. Scalability and Sustainability (Viability) are important from an enterprise perspective. There exist I.T. products that were originally acquired by individual agencies, which may have been adequate for meeting the requirements of those individual agencies, but do not scale, and therefore, cannot be sustained on an enterprise basis. It goes without saying that it is in the best interests of the State to bank on products that command positions of excellence in the marketplace. Finally, it is also in the best interests of the State to select products/technologies that are in alignment with its long-term architecture vision.
- Centralize identity authentication. Federate authorization as necessary. Authentication of computer and user identities should be centralized to improve service, allow unified credentials and/or single sign-on, and reduce application development and support costs. Centralization of authentication permits appropriate management and security controls to be applied universally. Make applications & appliances consume authentication from external directories. Microsoft Active Directory (A.D.) remains the authoritative directory for all internal IT resources within the State. All internal applications & appliances should be fully A.D.-aware. The State currently does not have a unified directory for its external users (citizens, vendors, and partners), but it is working toward developing one. Individual applications and appliances are free to maintain their own dedicated authorization (roles) modules. However, wherever two or more applications or appliances require to share authorizations, they should consider federating such authorizations to a neutral repository, with the system of record granted complete control to manage such authorizations.
(1) Even though the Office of Information Technology is limited to the Executive branch, according to 5 MRSA, Chapter 163, Section 1973, the CIO still provides "central leadership and vision in the use of information and telecommunications technology on a statewide basis".