Projects, Passions, Certitudes
You are Welcome
Values are the engine of action.
Full satisfaction can only be reached when you push your capabilities to their limits.
Act as a bulldozer: once you start the tunnel, do not stop before you see the light at the other end.
Share your knowledge and your success; in return you will get 10 times your investment. Collaborate to preserve the cultural biodiversity.
The IT/IS Architecture Should Be
- a BUSINESS ENABLER: to provide a simple, efficient and fast way to implement and use all the applications requested by the business
- a COST REDUCER (TCO): via extensive standardisation, synchronisation, use of Open Source, iVPN, unified administration and new low-TCO technologies
- USER FRIENDLY: offering a simple and unified authentication technology, desktop environment and extensive mobile connectivity
- a COMPANY ASSETS PROTECTOR: linking the processes and the organisation with the IT/IS architecture and embedding security components
- a) GOVERNANCE: principles of governance; acceptance by the High Management
- b) Key PROCESSES: design and implementation
- c) BASELINES: basic but global rules
- d) ORGANISATION: choice and setup of the organisation
- e) ARCHITECTURE: implementation of a central and distributed architecture
- f) pre-AUDIT: adapt the Baseline's rules to precise requirements
- g) post-AUDIT: control the implementation and permanently adapt
No Work, No Success, Without Tools
a) ITIL and BS15000 as the best practices guide.
b) ISO 9001/2000 5S and its Road Maps and Action Plans
c) ISO 27000 for security rules, policies, procedures
d) META-DIRECTORY to synchronize all the components
e) DIRECTORY to implement the distribution of IS objects
How Did I Implement My Vision.
For more than 10 years now, in different companies and with different technologies, I have tried to realise, step by step, the ideal IT/IS architecture: one where each application, specialised to be as efficient as possible, is cleverly synchronised with the others, and where each and every component is a unique part of a sophisticated ecosystem, interconnected with the others by an engine executing a set of exchange rules. The HR component provides the identity to all the others via a centralised and distributed authentication system. The CAD component provides the major characteristics to the project management and financial applications, while collaborative platforms metacollaborate...
The very first and most basic component of an architecture is the Directory. The information shared between several applications is stored in a structured and standardised format: the DIT (Directory Information Tree). Because of its performance in terms of access time (using LDAP) and replication between servers, but also because of its embedded level of security and its object architecture, it is the only technology able to offer a consistent and efficient image of the company to all the business, web, security... applications.
This is especially fundamental for a security architecture, which permanently checks users' identities, profiles and objects' characteristics. The directory is the container of the authorised employee and company information, including organisations, credentials, passwords, certificates and tokens, complemented by a set of legalised data coming from the HR, Mail, Business, Finance... applications.
The directory distributes this information to all the IS architecture components, but especially to firewalls, authentication systems, accounting systems and QoS components. The information managed by the Directory is automatically updated by a MetaDirectory connected to the HR, Mail, Finance... systems.
The MetaDirectory synchronises all the heterogeneous data sources with each other: SQL databases, mail address books, SAM databases, Active Directory and any other storage format.
The flow engine of the MetaDirectory, programmed with appropriate rules, is able to determine which source is the owner of each piece of information that may legally be distributed to the others. This tool guarantees a consistent view and the automatic update, from a unique source, of the whole Information System. The DIT is populated by the MetaDirectory and is the most efficient container to be used by all the LDAP-enabled applications.
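To illustrate the ownership rules of such a flow engine, here is an added example (not code from this page or any product it mentions): constructed HR, Mail and Finance feeds are merged into one DIT entry per person, where only the source that owns an attribute may set it, and the HR status decides whether the account is enabled downstream. The attribute names, the `o=example` suffix and the feed format are assumptions.

```python
"""Minimal MetaDirectory flow engine: one entry per person, built from
several sources under an ownership rule table (assumed policy, not the page's)."""
from collections import defaultdict

# Ownership rules: attribute -> authoritative source. A non-owner can never overwrite it.
OWNER = {
    "cn": "hr", "ou": "hr", "employeeStatus": "hr", "manager": "hr",
    "mail": "mail", "costCenter": "finance",
}

# Constructed sample feeds, keyed by the HR employee number.
SOURCES = {
    "hr": {
        "e1001": {"cn": "Alice Martin", "ou": "Engineering", "employeeStatus": "active", "manager": "e1000"},
        "e1002": {"cn": "Bob Durand", "ou": "Finance", "employeeStatus": "terminated"},
    },
    "mail": {
        "e1001": {"mail": "alice.martin@example.org", "cn": "A. Martin"},  # cn is not owned by mail
        "e1002": {"mail": "bob.durand@example.org"},
    },
    "finance": {
        "e1001": {"costCenter": "CC-4711"},
        "e1002": {"costCenter": "CC-0815"},
    },
}

BASE_DN = "o=example"  # assumed DIT suffix


def merge_entries(sources=SOURCES, owner=OWNER):
    """Apply the ownership rules: only the owning source may populate an attribute.
    Returns (entries, rejected); rejected lists the non-owner writes that were dropped."""
    entries = defaultdict(dict)
    rejected = []
    for src, feed in sources.items():
        for uid, attrs in feed.items():
            for attr, value in attrs.items():
                if owner.get(attr) == src:
                    entries[uid][attr] = value
                else:
                    rejected.append((src, uid, attr))
    return dict(entries), rejected


def to_ldif(entries, base_dn=BASE_DN):
    """Render the merged entries as LDIF under ou=<unit>,<base>. Anyone not active
    in HR is flagged disabled, so every LDAP-enabled application sees the same state."""
    lines = []
    for uid, a in sorted(entries.items()):
        lines.append(f"dn: uid={uid},ou={a['ou']},{base_dn}")
        lines.append(f"uid: {uid}")
        for attr in sorted(a):
            if attr != "ou":
                lines.append(f"{attr}: {a[attr]}")
        disabled = a.get("employeeStatus") != "active"
        lines.append("accountDisabled: " + ("TRUE" if disabled else "FALSE"))
        lines.append("")
    return "\n".join(lines)
```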
MY CONTRIBUTION as Project Manager and Architect
1- The Security Policy: Top-Down approach based on ISO 17799
a) Design of The Policy based on ISO 17799, adapted to business requirements
b) High Management support
c) Implementation of a light security organisation in all the countries
d) Organisation of the census and roadmaps to reach the policy
e) Audit of sites and update of the Policy
2- The Security Architecture: Bottom-up approach based on best practices
a) Choice of a limited but consistent number of technologies and products
b) Adaptation of products to Interoperate in a common Architecture
c) Design of Standard Components based on products but with a specific setup
d) Design of projects based on standard components to reach policy requirements
As Enabler and Cost Reducer, iVPN is a security technology which offers a level of connectivity and pricing impossible to reach with other network solutions. iVPN means Virtual Private Network over the Internet. Because the Internet is now available everywhere, at any time, it is the cheapest and fastest way to interconnect people. iVPN is an elegant way to divert the Internet from its usual purpose, browsing, and use it as the support for a virtual cable between two sites, or between a laptop and a site. A very advanced usage of this technology bypasses its well-known drawback: best-effort QoS. iVPN and VPN (over the Intranet) are used here to connect mobiles, small and home offices and sites, but also to download objects, rules and information to all the components of the architecture. The Security Key, a powerful cryptographic engine managing strong authentication, disk encryption, system logon, document signature, mobile connections and many other functions, can also be updated inside an encrypted tunnel.
We have used this technology from the very beginning (1997), and substantial savings were realised.
MY CONTRIBUTION As Project Manager and Architect
Basic iVPN TECHNOLOGIES
a) Implementation of fundamental iVPN components such as SKIP, IKE, IPSEC and several encryption protocols
b) Design of large international iVPN architectures
c) Implementation of iVPN hubs and spokes
d) Link and provider qualification methodology
e) Deployment on 20 sites in 10 countries
MOBILE iVPN Architecture
a) Design of large Mobile iVPN architectures
b) Deployment for 1500 users in 1999 and for 10 000 by 2006
Enabling the function is often not sufficient, because two dimensions are missing: Availability and Quality of Service, both parts of the SLA. These two dimensions have to be permanently measured and corrected when they are not consistent with the customer's requirement, which is declared in the Directory. A special set of sensors tests local and end-to-end availability and QoS. These sensors adjust the setup of the QoS agents installed on the QoS gateways to enforce the QoS, according to the Directory-based QoS policy.
The goal of each IT organisation is to develop, sell and maintain the service it is supposed to deliver, according to the contractual SLA. Measuring, reporting and invoicing the usage of the Information Infrastructure and the Information System is an important element of the relationship with the customer. That is why this architecture has the Reporting, Healing and Accounting system on board. Composed of sophisticated sensors for LEA (FW1), Radius, SysLog, Mail..., then a concentrator and a reporting web site, it is able to report (according to Directory information) on the usage of each resource of the Infrastructure or the IS by each user. This information can be consolidated for the whole organisation (multi-matrix), from the finest user/resource level up to the most global point of view.
This set of components also provides traceability when requested by the application owner.
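As an added example of the concentrator's job (not the page's own code and not any product mentioned), this block parses constructed RADIUS accounting and syslog lines, ties each record to a user and a resource, and rolls the usage up along the directory hierarchy so the same data gives both the finest user/resource view and the company-wide one. The line formats, the directory extract and the attribute names are simplified assumptions.

```python
"""Small accounting concentrator: sensor records -> per-user/resource usage -> roll-ups."""
import re
from collections import defaultdict

# Constructed directory extract: uid -> (unit, country).
DIRECTORY = {
    "alice": ("Engineering", "FR"),
    "bob": ("Finance", "DE"),
    "carol": ("Engineering", "DE"),
}

# Constructed sample sensor output: simplified RADIUS accounting records and proxy syslog.
RADIUS_LINES = [
    "Acct-Status-Type=Stop User-Name=alice NAS-Identifier=vpn-hub-paris Acct-Output-Octets=120000",
    "Acct-Status-Type=Stop User-Name=bob NAS-Identifier=vpn-hub-berlin Acct-Output-Octets=80000",
    "Acct-Status-Type=Start User-Name=carol NAS-Identifier=vpn-hub-berlin",
    "Acct-Status-Type=Stop User-Name=mallory NAS-Identifier=vpn-hub-paris Acct-Output-Octets=5000",
]
SYSLOG_LINES = [
    "Jan 10 10:01:02 proxy1 squid: user=carol resource=mail.example.org bytes=4096",
    "Jan 10 10:02:15 proxy1 squid: user=alice resource=erp.example.org bytes=2048",
]

RADIUS_RE = re.compile(
    r"Acct-Status-Type=Stop User-Name=(\S+) NAS-Identifier=(\S+) Acct-Output-Octets=(\d+)")
SYSLOG_RE = re.compile(r"user=(\S+) resource=(\S+) bytes=(\d+)")


def parse_records(radius_lines=RADIUS_LINES, syslog_lines=SYSLOG_LINES):
    """Yield (user, resource, bytes) from both feeds; RADIUS Start records carry no volume."""
    for line in radius_lines:
        m = RADIUS_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))
    for line in syslog_lines:
        m = SYSLOG_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def build_report(records=None, directory=DIRECTORY):
    """Aggregate usage at every level: user/resource, unit, country, company.
    Users absent from the directory are kept under 'unknown' rather than silently
    dropped, so a traceability gap shows up in the report."""
    report = {"user_resource": defaultdict(int), "unit": defaultdict(int),
              "country": defaultdict(int), "company": 0, "unknown": defaultdict(int)}
    for user, resource, nbytes in (records if records is not None else parse_records()):
        if user not in directory:
            report["unknown"][(user, resource)] += nbytes
            continue
        unit, country = directory[user]
        report["user_resource"][(user, resource)] += nbytes
        report["unit"][unit] += nbytes
        report["country"][country] += nbytes
        report["company"] += nbytes
    return report
```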
MY CONTRIBUTION as The Architect
a) Design of the QoS architecture
b) Co - Implementation of Sensors
c) Implementation of QoS Enforcement Modules
a) Specification of the System
b) Design of the architecture
c) Implementation in the existing environment
d) Link with the Directory
e) Design of policies and reports
f) Beta testing of Radius and LEA clients
The global architecture is rather simple: a MetaDirectory automatically retrieves legalised information from the HR, Finance, Mail and Business applications to build a real-time company model based on several classes of objects and organisations: people, units, servers, and the hierarchical and geopolitical organisation of the company. This information is structured and stored in the format of a hierarchical Directory model, accessible by LDAP, to be used by all the security (and other) applications. Firewalls, the Mobile System, the Reporting and QoS systems, user access... are all customers of this directory. This is the key to all the items of my Security Sales Policy (1: Enabler, 2: Cost Reducer, 3: User-Friendly system, 4: Protection of assets), because every user, in any place and at any time, is able to reach the IT resource he needs and is authorised to use without any complications or delays.
Even if several technologies used in this project are virtual (VPNs, virtual machines...), this huge architecture has to be based on a real network with real servers in order to interoperate. As its components are located at strategic points of the whole IT architecture, they have to obey a set of very strong availability requirements. In fact, several basic components were built to support the whole architecture:
dedicated hardware (a special configuration of a standard system) with embedded High Availability capabilities; two secured operating systems, W2K and Linux; a standard setup and deployment mode defined for all the components. From the geopolitical point of view, an operation centre was equipped with the whole configuration system: Master Directory Server, MetaDirectory, Master FW system, Master Accounting and administration of Strong Authentication. On the backbone side, all the real-time systems (Directory, FW, Accounting and Strong Authentication servers) were deployed.
MY CONTRIBUTION as Project Manager and Architect
a) Design of all the architecture
b) Design and Implementation of major elements
c) Deployment of FWs, Authentication and LDAP servers
As Enabler, the Security Architecture has to give the user a way to connect to the Information System wherever and whenever he has to, or wants to, connect. This system has to provide and choose the best available way, from the technical and financial point of view, but also to satisfy a complex set of end-user requirements. A laptop out of the office needs an efficient and secure mobile solution to connect, over the Internet or a private (dial, radio...) network, to the office mailbox or a business application. Sometimes confidential information has to be encrypted. To participate in specific applications, a PKI (Public Key Infrastructure) enabled interface is necessary. WiFi (wireless connection) is more and more requested by end users. In mixed or out-of-office environments, logon control and disk protection are required. To meet these needs the End User System was built. It provides a sophisticated Mobile subsystem with several strong or medium authentication solutions: the Win Logon system, to base the user logon on a Strong Authentication function; the iVPN client, to provide a connection over the Internet; the SSO module, to make this system user friendly, with 1 PIN code and 1 token to access everything; disk encryption for files, directories and partitions (confidentiality); PKI support for certificate-based applications such as signature and TLS; a Personal FW to protect the laptop; and a WiFi client to enable secure wireless connection. All these components are based on the Directory and a common set of components. With the iVPN technology the cost of telecoms decreases, so the system is also a Cost Reducer.
MY CONTRIBUTION as Project Manager and Architect
a) STRONG AUTHENTICATION SYSTEM: Specification of the Strong Authentication Key, Server and Deployment Tools; Co-Implementation with ActivCard; Integration of these elements in the existing IS (Development of some components); Deployment of the user client software for 10 000 users (20 000 as a goal)
b) MOBILE SUBSYSTEM: Specification of the universal Dialer; Co-Implementation with Equant - Sita; Integration of Strong Authentication plug-ins; Packaging
c) WinLOGON: Integration of Gina.dll cascaded elements
d) iVPN CLIENT: Design and Implementation of the FW1 central Mobile iVPN Policy; Standard setup of the client; Implementation of the Strong Auth and LDAP connection; Interface with the Dialer, ADSL, GPRS and WiFi Clients
e) SSO: Implementation of the Certificate Authority; Connection with LDAP and the Strong Authentication system; Development of MetaDirectory and eMail SSO components
f) DISK ENCRYPTION: Co-Integration with Protec and MSI of the PKI link
g) PKI: Integration in the existing Environment
h) PERSONAL FW: Design and Implementation of the Desktop/laptop security policy; Integration of the Secure Client
i) WiFi: Test and implementation of the TLS/EAP WiFi Client; Integration with LDAP and Strong Authentication
Metacollaboration is based on a heavy usage of telecommunication mechanisms, as it is the domain of dataflow routing, and many parallel data flows cross the Metacollaborative infrastructure. The gateway is a component connected to the platform and to the hub, sometimes via the Internet. It is permanently submitted to many constraints: security, performance, availability... To match those constraints a special architecture was built, called the Spherical Architecture. This architecture was developed to face similar conditions in the synchronisation system of nuclear power plants. The application is divided into Spheres: each is a set of classes and objects linked to only one interface (platform, network, user...), communicating with the other spheres by a bus or pipeline. Spheres do not share common resources, stacks, heaps or pools. Each sphere is independent and can run alone, on a separate machine, or together with the others. There is a lot of literature about this architecture, but all the main rules are described in the document called the 10 commandments.
Where Did I Implement My Vision.
For 30 years I actively implemented my vision in industrial projects all over the world. These projects were very far from each other, in very different fields: power plants, dams, nuclear reactors, electric lines, metro and trains, iron mills, finance, the aeronautic industry... I chose to recall hereafter 3 of my preferred projects: the Tokamak, a nuclear fusion reactor; Themis, the solar power plant; and nuclear security and automation, as I worked on HTR (submarines) and PWR nuclear reactors.
Nuclear fusion is the reaction combining light elements of the Mendeleyev table. This reaction, carried out in the TOKAMAK, is based on the association of 2 isotopes of hydrogen: Deuterium and Tritium. One fusion of 2 atoms of tritium generates 17,5 MeV, compared to the fission of 1 atom of uranium 235 producing only 3,5 MeV. The stars are based on this reaction; our Sun is also powered by nuclear fusion. For instance: with 1 litre of H2O, a car could be powered during all its life without any smoke (just a bit of Helium). This is potentially a universal solution against poverty and pollution, but there is a serious problem in recreating the Sun on the Earth: the energy produced during the reaction by the tritium plasma cannot be stabilised and quickly stops. The Tokamak is, in fact, a huge transformer with a classic primary circuit, but the secondary coil is composed of a short-circuited torus with tritium inside. The electric power applied to the primary circuit creates a short circuit in the torus and the tritium is ionised (plasma). The molecular accelerator increases the plasma temperature to reach the fusion hyperbole and start the fusion. Then the plasma is stabilised by a very strong (several Tesla) magnetic field to maintain the fusion. The production of electricity starts... a new star, created by man, for several seconds, minutes, years... is born!
a) Co-Design and Implementation of the accelerator
b) Co-Design of the automation system
Themis is the most advanced solar power plant. It is based on an experimental thermal process and is located in Font Romeu, on the Spanish border.
A field of 200 individually managed 50 m2 mirrors transmits a 10 MW solar beam to a solar heater installed on the summit of a 100 m tall tower. The liquid transporting this energy to the steam generator is based on 95 chemical components. A 2 MW steam turbine transforms the solar power into mechanical force and then, thanks to the generator, into electrical current. Not only the process but also the automation system is fully experimental: the first bus-based network to collect and dispatch actuator information and measurements, powerful i8086-based multiprocessor logic controllers and microcomputers, X25 protocols to communicate with the back office and with a group of scientific computers, and an advanced mathematical subsystem to compute the position of the sun and solve a set of complex functions based on differential equations. Finally, the system was 100% commissioned and, after 2 years of production, declared technically ready but not financially viable at the geographic parallel of Font Romeu. Today Themis is a cosmic radiation laboratory, but several technologies tested and industrialised for and in this plant are used today in many other plants.
MY CONTRIBUTION as Project Manager and Architect
1- The industrial BUS (FIP)
a) Test and qualification with the customer of all the components of the Network and Automation system architecture: Industrial Redundant Ethernet physical layer, FIP network layer, industrial computer and logic controller interfaces... X25
b) Design and Development of the X25 protocol (simplified by EDF)
2- Logic CONTROLLERS
c) Design and Development of a complex program generator for logic controllers, based on one of the first versions of Pascal on VAX/VMS
d) Commissioning of the Power Plant.
After the catastrophe of TMI, EDF and Nuclear Security (ASN: Ministry of Industry) decided to increase the level of security of nuclear power plants and to multiply by 3 the number of digital and analogue pieces of information provided by sensors, actuators and measurements. To be able to acquire and analyse 100 000 logic and 20 000 analogue values in 50 ms, a special industrial information system was built. It is based on a very ambitious, Inmos-designed, serial/parallel system composed of Transputers. A bus, FIP-based network was also developed. The process and security specification provided by engineers from Nuclear Security is analysed by a natural language analyser, then a model of the process, based on the objects and rules declared in the spec, is built. From this model the source code for the logic controllers and process computers is generated, as well as the software for the process simulator. The security and process spec is then tested and validated before being applied to the real process.
MY CONTRIBUTION as Project Manager and Architect
1- Artificial Intelligence (AI) techniques in Industrial processes
a) Design and Development of a Natural Language analyser based on a Prolog first-order inference machine
b) Design and development of a real-time object database linked with the inference machine
2- INDUSTRIAL UNIX
a) Spec and test of the porting of UNIX System V on a Motorola multiprocessor architecture
b) Porting of an industrial SQL database on UNIX System V
c) Development of a software engineering system to manage all the developments and documentation
3- REAL TIME ARCHITECTURE
a) Design and development of a SPHERICAL real-time architecture based on virtual machines connected by pipes around the object database
b) Design and development of a man-machine interface and archiving system
Every person has several faces
I was so happy and proud to work with
Do not hesitate to contact me