How to analyse system architecture?

Question

Hi All!

I hope this is not to off-topic for this site.

Recently I have had the opportunity to review banking systems for a client. Given how much time I have had to ponder over architecture in my own projects and for a overall system architecture, it is remarkable how difficult I find this task.

I started off writing a list of features but found that too limiting since it would only be a matter of the vendor giving me the "yeah we do web services" answer. Would it be a nice extensible solution or a thin wrapper to their proprietary API?

I have since then decided to approach the task by using a few subjects and in a conversational manner let the vendor give me the gist (nuts and bolts) of the system.

What topics would you suggest for a system review?

The one topic I find most important is extensibility and the way the system supports changes while still allowing for upgrades. Also discover ability of programming interfaces is an important one.

Answer 1

You may want to add:

• Security
  How is access to the system managed?
  What process is used?
  How is it implemented technically?
• Auditing
  What audting requirements do you have?
  Are all changes to the system logged?
• Reporting
  What reports are needed?
  How is access to these reports controlled?

Answer 2

I don't know about you, but in my enterprise the more challenging question is: "What do you have?" How many servers? How many databases? How many instances of software X? After that, breaking the systems down by business functions seems a bit easier ("General ledger? That's here. Other there - payouts.")

Another problem is redundant data. There should be one source/owner for each bit of information, but the fact is that it's redundant and duplicated in many places.

To be able to go into each system and identify which ones hold their own versions of client data is a huge challenge.

We don't have one architecture. It's more like a little bit of everything: mainframes, client/server with Oracle forms, web, some services, Excel and Access desktop apps - some of which perform key functions for the company - Java and .NET. It's very complex.

I hope your situation is better.

Tools like Altiris help some. Port scans can identify apps that stick to their default ports. Web services that expose WSDL are easy targets.

Answer 3

Maybe you could have a look here:

http://www.sei.cmu.edu/architecture/ata_method.html

and more specifically here:

http://www.sei.cmu.edu/architecture/evaluation_methods.html

for some inspiration.

Answer 4

I think all general principles apply like what Bravax has pointed out. But i would like to add that you should watch out for "HOME" grown solutions. I know of a banking system that has a custom queue, a custom cache layer. So home grown solutions is something to watch out for.

Answer 5

I guess my first question would be - what are you reviewing it for? What questions are you answering for your client?

You mention extensibility, others mention security, auditing, etc. I could chuck in scalability, performance, latency, reliability, the list of 'ilities' goes on but without knowing what it is you're setting out to assess you may be wasting your time and your client's time.

Answer 6

When it comes to reviewing banking systems and similar piece of software systems I have found it a valuable resource to have some kind of research institute to lean on. (thinking about Gartner/Forrester/etc...)

This was important for severeal reasons.

First; There is a lot of politics involved and the definition of the areas you need to cover are defined in some detail by these firms. Secondly; this makes it easier to gain approval for your evaluation once finished. Third; You can communicate with the vendor in a vocabulary that they understand.