Technology
Good architecture is documented, measurable, and secure by design
Technology determines how stable, secure, and maintainable digital systems remain. System architecture affects scalability, operating costs, and Technical Debt. Good architectural decisions are documented, measurable, and aligned with Security by Design.
Three System Guiding Principles
- Cloud Native and Platform Engineering: Internal Developer Platforms (IDP) provide standardised golden paths from source code to production. This reduces Cognitive Load and measurably increases Deployment Frequency.
- Zero Trust Architecture: No implicit trust based on network location: Never Trust, Always Verify. Authentication and authorisation happen before a session to a resource is established; the access decision draws on identity, device state, and context (NIST SP 800-207).
- Technological Standardisation (Boring Technology): Differentiating functions get more room than generic base services. Standard components run on established open-source standards. This lowers operational risk and relieves DevOps teams.
References
- Heroku, The Twelve-Factor App. A methodological framework for developing scalable, cloud-native SaaS applications. 12factor.net/
- Team Topologies, Team Topologies. Organisational principles for software teams with a focus on flow state and reduction of organisational dependencies. teamtopologies.com/book
- Dan McKinley, Choose Boring Technology. Essay on the qualitative and economic advantages of proven, standardised infrastructure decisions. mcfunley.com/choose-boring-technology
Table of Contents
- System Architecture: Stable systems emerge from trade-off decisions along quality attributes, from a modularised modulith to services only where the forces require it.
- Conway's Law: System architecture reflects communication structures. Conway's Law turns team design into a lever for the desired architecture.
- Microservices: Microservices split applications into independently deployable services with bounded business functions, separate scaling and technology choices.
- API-First: Accessible data and functions start with API-First design: interfaces become the primary product for web, app and partner integrations.
- Event-Driven Architecture: Responsive systems use Event-Driven Architecture: application flow follows events, with asynchronous reactions instead of synchronous waiting.
- Tech Stack: A sustainable tech stack supports staffing, maintenance costs and market responsiveness through long-term economic technology choices.
- Standard Software: Standard software creates value when SaaS and COTS fit the architecture and integrate cleanly with data flows, identity and operations.
- CI/CD: Repeatable software delivery comes from CI/CD pipelines that build, test and release code with traceable validation and minimal manual variance.
- Platform Engineering: Developer teams gain autonomy through internal platforms that bundle recurring infrastructure tasks and reduce Cognitive Load in delivery.
- Cloud Native: Cloud Native applications use distributed cloud environments for elasticity, resilience and fast iteration cycles beyond simple server migration.
- IaC and GitOps: Reliable environments come from Infrastructure as Code and GitOps, with infrastructure defined in code and Git as the Single Source of Truth.
- FinOps: Cloud spending becomes visible and steerable with FinOps, linking engineering, finance and management around data-based cost decisions.
- Quality Assurance: Confidence in releases grows when Quality Assurance is part of every development step and Shift-Left testing validates changes early.
- DORA Metrics: DORA Metrics make software delivery performance measurable through throughput, recovery and failure rate instead of activity alone.
- AI Development: AI-assisted development shifts work toward orchestrating assistants and validating generated solutions, with architecture and quality remaining central.
- Security Strategy: Digital resilience comes from continuous risk management, Zero Trust principles and explicit verification across connected IT systems.
- Offensive Security: Stronger security posture comes from Offensive Security, using Penetration Testing and Red Teaming to identify vulnerabilities early.
- Zero Trust: Context-based access control replaces implicit trust with Zero Trust, where every user, device and service is verified before resource access.
- Compliance: Compliance becomes a technical discipline when policies turn into automated checks that monitor controls and create audit evidence continuously.
- Service Management: Service Management links technology to user value by combining stable ITIL structures with SRE practices such as automation and fault tolerance.
- Observability: Operational clarity comes from Observability, using telemetry to understand the internal state and root causes in distributed systems.
- SRE: Reliable systems grow from SRE, applying software engineering to operations and balancing reliability with change through SLOs and Error Budgets.
- Incident Response: Resilient systems and teams use Incident Response and Chaos Engineering to handle disruptions methodically and test recovery under deliberate stress.
- Disaster Recovery: Business operations stay recoverable when Disaster Recovery restores data and systems and Business Continuity keeps operations running.
- Post-Mortem: Lasting improvement follows from Post-Mortems that document incidents, responses and measures for recurrence prevention without blame.
- Backup and Restore Strategy: Recoverable systems depend on a Backup and Restore strategy that defines data, frequency, media, retention and proves restore through testing.
- Virtualisation, Containers and Serverless: Fit-for-purpose compute comes from choosing between virtual machines, containers and serverless by isolation, density, operations and cold start.
- API Gateway and Service Mesh: Clear service traffic control separates API gateways for north-south entry traffic from service meshes for east-west communication.
- Caching and CDN: Lower latency and load come from Caching and CDN layers that keep finished answers near requesters and handle invalidation correctly.
- WebAssembly: Portable execution comes from WebAssembly, a compact sandboxed bytecode format for browser, server and edge with stable host interfaces.
- Identity and Single Sign-on: Centralised access control comes from Identity and SSO, with one managed login for connected applications and one point for granting or revoking access.
- Software Supply Chain Security: Secure delivery depends on Software Supply Chain Security for dependencies, bought-in libraries and the build pipeline that assembles them.
- Non-Human Identity: Scoped and attributable access for machines, workloads and software agents extends Identity/SSO and Zero Trust to non-human actors.