
[03:30.000 --> 03:44.000]  I prepared some questions and I prepared some slides with these questions so you don't need to remember what I'm saying. You can just read it from the screen. So I'll share the screen now.
[03:44.000 --> 04:01.000]  It's working on it. No worries.
[04:14.000 --> 04:41.000]  Okay. Yeah, so regarding the recording of this interview. So I record audio only and I have a tool that will transcribe it and then the text will be anonymized. So your name and the company name will not be kept.
[04:41.000 --> 04:54.000]  And yeah, then we will analyze the answers and only use them for a scientific paper next month. So we plan to submit to a scientific paper by 1st of July.
[04:55.000 --> 05:11.000]  And the answers are, I mean, there could be a chance that we quote something from you, but of course without any names. But most likely the answers are just summarized with the other participants. There are seven other participants.
[05:12.000 --> 05:23.000]  Like before we actually publish, you can say, okay, I don't want to publish my answers anymore. That's fine. But after the 1st of July, that's a bit difficult.
[05:23.000 --> 05:26.000]  I see. Yeah, I got it.
[05:26.000 --> 05:35.000]  Okay. So did you manage to watch the video? Yes, I watched the video. Do you have questions about it?
[05:35.000 --> 05:52.000]  Not as of now. Okay. Yeah, maybe something comes up during the discussion. Yeah. Okay. So let's start with some demographic questions. So what's your current role in the company?
[05:52.000 --> 06:21.000]  I'm a solution architect, and I'm responsible for the architectural part for about three teams, three teams of developers. And there I'm responsible for only one product and how that one product interacts with systems of our internal customers and other back-end systems that we require.
[06:21.000 --> 06:38.000]  It's about a commerce application with commerce tool. Okay. So this already answers question two. So question three is about estimating your proficiency in IAC in general.
[06:38.000 --> 06:49.000]  So assuming you have enough time and you get the IAC script of some language you are familiar with,
[06:49.000 --> 06:55.000]  can you, by reading this script, can you understand the architecture it is trying to describe?
[06:55.000 --> 07:14.000]  I guess so. But I'd like to add that infrastructure is mainly not always only a small part of my day-to-day work, if at all.
[07:14.000 --> 07:22.000]  Because infrastructure is taken care of, just as background information, infrastructure is taken care of by other teams.
[07:22.000 --> 07:32.000]  But you're aware of their output at least, right? Yeah. I'm aware of the output. I'm aware of what we're using, what we have deployed.
[07:32.000 --> 07:41.000]  But we don't operate them. So they operate it by the infrastructure team.
[07:41.000 --> 07:47.000]  Okay. Okay. So how large is the company you currently work for? If you don't.
[07:47.000 --> 07:52.000]  Oh, fuck. I don't know. It's pretty large. I would say here, more than 100,000.
[07:52.000 --> 07:58.000]  I can double check that later. It's not a big issue. Okay.
[07:58.000 --> 08:06.000]  And now the technical questions, mostly regarding your practices and the video.
[08:06.000 --> 08:15.000]  So you can answer based on what you personally do in the company or what you know is being done in the company.
[08:15.000 --> 08:17.000]  Okay.
[08:17.000 --> 08:26.000]  And you can clarify anything in the questions and go beyond the limit of the question itself, if you want.
[08:26.000 --> 08:33.000]  Okay. So how do you check the compliance of software applications in your company?
[08:33.000 --> 08:53.000]  So first off, I'd say there's a tool we are using where all applications are modeled or at least presented in what they are offering and what they require and what side effects they might bring with them.
[08:53.000 --> 09:02.000]  It's called LeanIX. And they actually can, for example, there's stuff modeled like also the dependency, maybe between systems.
[09:02.000 --> 09:08.000]  So if you're looking, you can go in there, look for, I need some, I don't know.
[09:08.000 --> 09:13.000]  Because my area, I need some, I want to sell some stuff online. Yeah. I need some.
[09:13.000 --> 09:17.000]  I need to sell hardware or I need to sell software digital products.
[09:17.000 --> 09:22.000]  And then you can find solutions that are already in place within our company.
[09:22.000 --> 09:29.000]  And then you might also see which dependencies they have on other systems.
[09:29.000 --> 09:38.000]  This is mainly related, for example, to back end SAP systems for ERP systems.
[09:38.000 --> 09:41.000]  This is required in commerce most often.
[09:41.000 --> 09:53.000]  And you can also see, so we, as the owners of the product, as the architects, we take care that the information there is up to date.
[09:53.000 --> 09:59.000]  And there's also information about whether there's PI information handled.
[09:59.000 --> 10:07.000]  So personally identifiable information or how the GDPR process looks, for example, if you get this place.
[10:08.000 --> 10:13.000]  So there's that. And then there is.
[10:13.000 --> 10:17.000]  And then do you, do you feed this information or is it okay?
[10:17.000 --> 10:25.000]  So you prepare a list of this, this information in the entry of your product within this large application.
[10:25.000 --> 10:32.000]  Yeah, basically it, it's like a knowledge base. So we create information directly in there.
[10:33.000 --> 10:38.000]  Is it text based? Is it text based? Or does it have?
[10:38.000 --> 10:43.000]  Yes, it's tagging and text based. Yeah, so it's, it's a web tool.
[10:43.000 --> 10:49.000]  And there, it's text based, but it creates charts. So you can see Venn diagrams.
[10:49.000 --> 10:54.000]  This is connected to that application, for example, or something like that.
[10:54.000 --> 11:00.000]  And then there's also, there's a.
[11:03.000 --> 11:10.000]  Yeah, it always started. It's like a framework. I think they call it actually a solution architecture framework, for example,
[11:10.000 --> 11:18.000]  where they provide like some best practices or how you should approach a certain problem, for example.
[11:19.000 --> 11:24.000]  And if you face it and there is a, but this is of carbon, there's a.
[11:26.000 --> 11:31.000]  The incentive is given to check with your colleagues, do an architecture check, like just have a,
[11:31.000 --> 11:35.000]  another pair of eyes, look at what you did who.
[11:36.000 --> 11:41.000]  And this other person is not really familiar with what you do in your day to day business or just that you have a.
[11:41.000 --> 11:44.000]  And another person look over that. So that is.
[11:45.000 --> 11:55.000]  Yeah, entice, but it's not governed. So nobody, there's no, no process in place that whatever I do, for example,
[11:55.000 --> 11:58.000]  or the, the outputs of my work are.
[11:59.000 --> 12:06.000]  Going through some process and checked and whatnot, we have something established like a review process internally,
[12:06.000 --> 12:12.000]  just for the teams, but this is not governed neither in the department nor in the.
[12:12.000 --> 12:15.000]  And at least not in the company because it's not.
[12:16.000 --> 12:17.000]  Okay.
[12:19.000 --> 12:30.000]  So just focusing on, on, on compliance rules, so, so things that you can consider as policies or regulations.
[12:31.000 --> 12:39.000]  Are these like stored basically in text form or do they have some sort of structure?
[12:40.000 --> 12:47.000]  They are, they are formed in text, in text form. So I wouldn't say it's like any machine readable format.
[12:47.000 --> 12:58.000]  It's for humans because also the, the review process, which are basically, they are, they are quality gates.
[12:58.000 --> 13:06.000]  And there are certain, and these quality gates either are basically interviews by in-house quality managers.
[13:06.000 --> 13:10.000]  I don't know what they are called directly. And there are different levels of that.
[13:10.000 --> 13:14.000]  And for certain systems, you need to achieve higher level.
[13:14.000 --> 13:18.000]  You need to, yeah, process higher level quality gates.
[13:18.000 --> 13:20.000]  And these are done.
[13:21.000 --> 13:27.000]  Think after, I'm not sure about the, how often they are.
[13:27.000 --> 13:35.000]  They are at least with every major release, if you release, even if you do like a major update on your cloud software.
[13:36.000 --> 13:46.000]  But yeah, you need to go then through a human process and conduct this interview with someone who's asked the question about compliance stuff.
[13:48.000 --> 13:51.000]  And that's why it's not important to be machine readable, right?
[13:51.000 --> 13:52.000]  It's because...
[13:52.000 --> 13:53.000]  Exactly. At the moment there's no...
[13:53.000 --> 13:55.000]  Checking itself is done by humans.
[13:55.000 --> 14:03.000]  Exactly. It's, it's basically a, you fill out the access spreadsheet, I think, with some prepared questions.
[14:03.000 --> 14:07.000]  And then they will ask further questions in the interview.
[14:07.000 --> 14:09.000]  Okay.
[14:09.000 --> 14:17.000]  So in the following, when I say complexity, I mean the need for an expert to do something.
[14:17.000 --> 14:26.000]  And when I say effort, it just means it needs time, regardless of its time spent by a novice or an expert.
[14:27.000 --> 14:34.000]  So we talked about like defining compliance rules and checking compliance rules.
[14:34.000 --> 14:44.000]  So do you think that having well-defined machine readable formats for compliance rules reduces the complexity with checking them?
[14:44.000 --> 14:46.000]  Not defining them.
[14:46.000 --> 14:47.000]  Yeah.
[14:47.000 --> 14:49.000]  I would say so, yes.
[14:49.000 --> 14:50.000]  Yeah.
[14:50.000 --> 14:51.000]  Okay.
[14:52.000 --> 14:59.000]  And uncertainty means that you interpret the compliance rule.
[14:59.000 --> 15:01.000]  You don't know how to interpret it.
[15:01.000 --> 15:03.000]  That's, that's uncertainty.
[15:03.000 --> 15:05.000]  So you have some text.
[15:05.000 --> 15:06.000]  Sorry.
[15:08.000 --> 15:16.000]  Some text that describes the compliance rule, but you are not sure how, how to do it or what it means.
[15:16.000 --> 15:17.000]  That's uncertainty.
[15:18.000 --> 15:27.000]  So do you think having well-defined machine readable format for compliance rules reduces the uncertainty of interpreting them?
[15:27.000 --> 15:35.000]  I would say this, I would rank this.
[15:35.000 --> 15:40.000]  If I do a ranking, it's like, I would say the, the complexity parts or question eight.
[15:40.000 --> 15:41.000]  Was it clear?
[15:41.000 --> 15:42.000]  Yes.
[15:42.000 --> 15:44.000]  That it reduces this for nine.
[15:44.000 --> 15:46.000]  We do have this.
[15:46.000 --> 15:47.000]  So that's the next slide.
[15:47.000 --> 15:48.000]  Yeah.
[15:48.000 --> 15:50.000]  So 12 is the complexity.
[15:50.000 --> 15:56.000]  You, you say this is totally agree or, or four or five, something like this for complexity.
[15:56.000 --> 15:57.000]  Yeah.
[15:57.000 --> 15:58.000]  So, um, the effort.
[15:58.000 --> 16:01.000]  So there I was, I would say I definitely agree.
[16:01.000 --> 16:06.000]  So because it's, it's quite the effort to go, to conduct these interviews and go to this process.
[16:06.000 --> 16:11.000]  So there I would say, uh, so for question 11 here, it would say it's a five.
[16:12.000 --> 16:22.000]  And for the other one, I'm not really sure because it heavily depends on how good those rules and those client compliance rules are formulated.
[16:22.000 --> 16:25.000]  And there I would, I would go with a three maybe.
[16:25.000 --> 16:26.000]  Yeah.
[16:26.000 --> 16:29.000]  So there I'm not really sure for the answer for reducing the uncertainty.
[16:29.000 --> 16:31.000]  Or for reducing.
[16:31.000 --> 16:37.000]  So can reducing complexity means you don't need.
[16:37.000 --> 16:38.000]  Yeah.
[16:38.000 --> 16:39.000]  Sorry.
[16:39.000 --> 16:40.000]  I mixed them up.
[16:40.000 --> 16:41.000]  Yeah.
[16:41.000 --> 16:42.000]  So a complexity definitely.
[16:42.000 --> 16:46.000]  So if you don't need like, um, experts who know the products inside out.
[16:46.000 --> 16:47.000]  So there I agree.
[16:47.000 --> 16:48.000]  Sorry.
[16:48.000 --> 16:49.000]  Exactly.
[16:49.000 --> 16:51.000]  And 13 about the uncertainty.
[16:51.000 --> 16:52.000]  Yeah.
[16:52.000 --> 16:53.000]  There I would go with a three.
[16:53.000 --> 16:54.000]  Okay.
[16:54.000 --> 16:55.000]  Okay.
[16:55.000 --> 16:56.000]  Yeah.
[16:56.000 --> 17:04.000]  Um, so you saw probably in the, in the tool that, um, it's,
[17:05.000 --> 17:11.000]  works by first creating a representation of the architecture of a running application.
[17:11.000 --> 17:12.000]  Yeah.
[17:12.000 --> 17:13.000]  In a step.
[17:13.000 --> 17:19.000]  So Winery is, I mean, the video had two examples.
[17:19.000 --> 17:21.000]  The first example was, was really simple.
[17:21.000 --> 17:26.000]  So basically the, the user had to create this representation themselves in, in Winery.
[17:27.000 --> 17:28.000]  Yeah.
[17:28.000 --> 17:29.000]  But the, the system was simple.
[17:29.000 --> 17:32.000]  It was just a simple one, uh, virtual machine.
[17:32.000 --> 17:35.000]  No, that's not, not like a big system.
[17:35.000 --> 17:42.000]  But in the second example, there was a plugin, uh, that, uh, was able to, uh, like reconstruct
[17:42.000 --> 17:46.000]  an initial, uh, instance model that describes the system.
[17:46.000 --> 17:50.000]  And it does that by communicating with, uh, with the IAC tool.
[17:51.000 --> 17:56.000]  So I, some IAC tools have internal representation of running applications.
[17:56.000 --> 18:00.000]  Like which nodes there are, which resources there are and how they are related.
[18:00.000 --> 18:06.000]  So the, the, the framework communicates with that, with the IAC tool and reads this information
[18:06.000 --> 18:10.000]  basically and creates a graph out of it, which we call the instance model.
[18:10.000 --> 18:17.000]  And then the, the, this graph, so certain nodes in this graph, uh, in order, they are
[18:17.000 --> 18:19.000]  interesting for some compliance rules.
[18:19.000 --> 18:23.000]  So in the second example, the database was, was really interesting for the compliance
[18:23.000 --> 18:24.000]  rule.
[18:24.000 --> 18:27.000]  And the information known by the IAC tool is not enough.
[18:27.000 --> 18:32.000]  So it doesn't know like which users there are in that have access to a certain database.
[18:32.000 --> 18:38.000]  So that's why we have, we had like an additional, uh, step which we called refinement.
[18:38.000 --> 18:46.000]  And then we, we used a plugin, a new plugin for, uh, getting information from MySQL database.
[18:47.000 --> 18:53.000]  So it's technology specific plugin that, uh, refines the model with additional information
[18:53.000 --> 18:58.000]  for, for a certain type of, of nodes, of, of, uh, software components.
[18:58.000 --> 19:01.000]  And, uh, so this is like the general idea.
[19:01.000 --> 19:07.000]  You start from an instance model that is, uh, like created with the help of the IAC tool.
[19:07.000 --> 19:13.000]  And then you refine it in one or more steps, uh, in order to get more information about
[19:13.000 --> 19:14.000]  some nodes.
[19:14.000 --> 19:19.000]  Because, because these nodes are important for the compliance rule that you want to check.
[19:19.000 --> 19:23.400]  Uh, so if the compliance rule didn't have to do anything with databases, we don't need
[19:23.400 --> 19:26.000]  that, uh, plugin for, for MySQL.
[19:26.000 --> 19:28.000]  It's, it's unnecessary for that use case.
[19:28.000 --> 19:37.000]  So, um, the, the initial creation and then these refinement steps in total is called architectural
[19:37.000 --> 19:38.000]  reconstruction.
[19:38.000 --> 19:46.160]  But this is, we use this for compliance checking, but it's in general, um, useful or it could
[19:46.160 --> 19:47.160]  be useful.
[19:47.160 --> 19:51.920]  I'll, I'll ask you if this is useful to you, uh, for, for other purposes, for example,
[19:51.920 --> 19:56.000]  for understanding the architecture of an application instance you have.
[19:56.000 --> 20:04.000]  Like so if you, if you, this is now question 14, if you, uh, have the task of understanding
[20:04.000 --> 20:09.400]  the, the architecture of an application system that is currently running, what would
[20:09.400 --> 20:10.400]  you do?
[20:10.400 --> 20:20.000]  So, if I don't know the system, if it's not my system basically, um, I would ask a person
[20:20.000 --> 20:21.000]  responsible.
[20:21.000 --> 20:22.000]  Yeah.
[20:22.000 --> 20:25.400]  I would ask, oh, I will look for information about the architecture we've designed that
[20:25.400 --> 20:31.840]  and I would look at that one for, for the systems we are responsible.
[20:31.840 --> 20:40.000]  We would be, um, I would resort to our monitoring.
[20:40.000 --> 20:47.760]  So monitoring mainly through New Relic, for example, where we do some APM application
[20:47.760 --> 20:55.400]  performance monitoring and where you could also see, um, the connected databases, for example.
[20:55.400 --> 20:56.400]  Yeah.
[20:56.400 --> 21:03.640]  So, so this monitoring application, uh, shows you the details about which, which level.
[21:03.640 --> 21:08.800]  So, so about the application itself and the databases, does it show you resources below
[21:08.800 --> 21:09.800]  the application?
[21:09.800 --> 21:14.160]  Like, like which virtual machine is, is you being, you know, no, that it doesn't.
[21:14.160 --> 21:21.520]  I probably about it shows, it shows information here about the, about the operating system,
[21:21.520 --> 21:27.120]  for example, about the heap that is being used about, about the resources, basically,
[21:27.120 --> 21:36.280]  that is being used by the instance and, and the throughput and, uh, requests and response
[21:36.280 --> 21:37.280]  times.
[21:37.280 --> 21:42.680]  So this is what you can, for example, do with APM or any other also monitoring solution.
[21:42.680 --> 21:44.680]  That is out there.
[21:44.680 --> 21:45.680]  Yeah.
[21:45.680 --> 21:46.680]  Okay.
[21:47.680 --> 21:54.880]  So that's, that's question 15, 15, uh, this, this tool is, uh, automatic handle flight.
[21:54.880 --> 21:56.680]  Monitoring is always, always running.
[21:56.680 --> 21:57.680]  Yeah.
[21:57.680 --> 21:58.680]  This is always on this.
[21:58.680 --> 22:00.680]  New Relic is always running.
[22:00.680 --> 22:01.680]  Yes.
[22:01.680 --> 22:02.680]  Mm hmm.
[22:02.680 --> 22:03.680]  Okay.
[22:03.680 --> 22:10.520]  Um, do you think that, uh, if you use the, uh, the framework for this purpose, uh, would
[22:10.520 --> 22:15.080]  this reduce the effort or not?
[22:15.080 --> 22:22.240]  So, uh, let's assume that you do, you do have the plugins that you need, uh, you just
[22:22.240 --> 22:28.220]  need to like set up this, uh, pipeline, like which, which plugins that you will need and
[22:28.220 --> 22:32.160]  then, uh, visualize the architecture.
[22:32.160 --> 22:33.160]  That's first case.
[22:33.160 --> 22:39.080]  Second case is you don't have at the moment these plugins, but, uh, you can ask someone
[22:39.080 --> 22:46.000]  to create them for you once and then use them often in, in these two cases, do you,
[22:46.000 --> 22:53.000]  do you think this reduces the current efforts of, uh, architecture reconstruction?
[22:53.000 --> 23:00.800]  I have to say from my personal point of view, it wouldn't create too much difference.
[23:00.800 --> 23:08.000]  So maybe it would even, because it's easy to just ask the human that did that and they
[23:08.000 --> 23:12.600]  explain it to you and it's like half an hour and it's done more or less.
[23:12.600 --> 23:20.080]  If you don't understand it, um, so I would rather, yeah, I mean, I'm rather on the left
[23:20.080 --> 23:21.280]  side of the scale here.
[23:21.280 --> 23:24.760]  So I would say rather to like, uh, disagree.
[23:24.760 --> 23:25.760]  Yeah.
[23:25.760 --> 23:26.760]  It's, it's totally fine.
[23:26.760 --> 23:30.000]  Don't hesitate to, to share your opinion.
[23:30.000 --> 23:31.000]  Yeah.
[23:31.000 --> 23:32.000]  I agree.
[23:32.000 --> 23:37.720]  I mean, it depends on, uh, the, for you, the degree of details needed, right?
[23:37.720 --> 23:44.040]  So, uh, whether discussion, you, you wouldn't know, like, most likely, like, which port is
[23:44.040 --> 23:49.240]  some database is running on that is this degree of details is, yeah, this, the, the, the,
[23:49.240 --> 23:52.040]  the tier of good day is, is, is not important to me.
[23:52.040 --> 23:53.040]  Yeah.
[23:53.040 --> 23:54.040]  Sure.
[23:54.040 --> 23:55.040]  Yeah.
[23:55.040 --> 23:56.040]  So we, we expect that.
[23:56.040 --> 24:01.880]  Like it depends on, on the, on the tasks that you need this reconstruction for.
[24:01.880 --> 24:02.880]  Yeah.
[24:02.880 --> 24:07.680]  Um, so in the video, uh, we had a kind of a pipe.
[24:07.680 --> 24:13.360]  Or a pipeline or a process, basically we, we created this, uh, representation of the
[24:13.360 --> 24:18.520]  architecture and we have a, uh, a presentation of compliance rules and then we checked them
[24:18.520 --> 24:19.920]  against each other.
[24:19.920 --> 24:25.400]  And then we could find violations and what we do with violations is called violation
[24:25.400 --> 24:26.400]  fixing.
[24:26.400 --> 24:30.160]  And this is the set of questions about violation fixing.
[24:30.160 --> 24:37.640]  So if you find out that one of the applications you are responsible for has some.
[24:37.720 --> 24:40.200]  Violations, uh, in terms of compliance.
[24:40.200 --> 24:41.960]  What would you do?
[24:41.960 --> 24:43.960]  And, and this application is running now.
[24:43.960 --> 24:50.440]  Yeah, this application is running, uh, depending on like, I would, I would email or call the
[24:50.440 --> 24:51.640]  person responsible.
[24:51.640 --> 24:56.840]  So I would either, if it's an infrastructure issue, if it belongs to an infrastructure team,
[24:56.840 --> 24:59.440]  I would call them.
[24:59.440 --> 25:05.520]  If it's one of our own dev teams, I would call the responsible tech lead, what's under
[25:05.520 --> 25:08.240]  who I'm in contact with.
[25:08.240 --> 25:12.120]  And they have an idea what, what they would do, like, especially the infrastructure team.
[25:12.120 --> 25:17.680]  They would do, they would, I mean, from the infrastructure team, I don't have this deep
[25:17.680 --> 25:20.080]  insight knowledge of our developers.
[25:20.080 --> 25:23.520]  They would fix it code and push a new version.
[25:23.520 --> 25:24.520]  Yeah.
[25:24.520 --> 25:26.320]  So, so what is that?
[25:26.320 --> 25:29.200]  If it needs to be done, right?
[25:29.200 --> 25:34.560]  If it's a, if it's more like a configuration aspect, they might do it without code deployment,
[25:34.560 --> 25:37.160]  but it, it's not automatic.
[25:37.160 --> 25:38.160]  Mm-hmm.
[25:38.160 --> 25:39.160]  Mm-hmm.
[25:39.160 --> 25:40.160]  Okay.
[25:40.160 --> 25:45.520]  And what if the issue relates to a database, something that you cannot simply just redeploy
[25:45.520 --> 25:47.760]  in because you might lose the data?
[25:47.760 --> 25:48.760]  Yeah.
[25:48.760 --> 25:53.000]  I'm, this is, this is then, for example, a job for the infrastructure team because they,
[25:53.000 --> 25:55.600]  they operate the databases.
[25:55.600 --> 26:00.320]  So what, whatever their DevOps would do, so this is, this is difficult for me to answer
[26:00.320 --> 26:05.320]  because this is like a, I just expect them to do the right thing, right?
[26:05.320 --> 26:10.520]  Because it's not the, they are offering the service of, of doing the operations for the
[26:10.520 --> 26:12.520]  databases.
[26:12.520 --> 26:20.680]  And if there's some authorization issue or whatnot, I'm not sure how they fix it, but
[26:20.680 --> 26:22.040]  they need to fix it.
[26:22.040 --> 26:23.040]  Yeah.
[26:23.040 --> 26:24.040]  Okay.
[26:24.040 --> 26:25.040]  Yeah.
[26:25.040 --> 26:26.040]  Yeah.
[26:27.040 --> 26:31.040]  So, so for your team, this is mostly done manually, you say, right?
[26:31.040 --> 26:32.040]  Yes.
[26:32.040 --> 26:35.040]  This is done manually.
[26:35.040 --> 26:38.320]  So how much do you agree with the following statement?
[26:38.320 --> 26:48.960]  Using the framework reduces the effort associated with fixing compliance violations.
[26:48.960 --> 26:53.760]  Probably it does.
[26:53.840 --> 26:57.360]  So fixing also used plugins because it's not.
[26:57.360 --> 26:58.360]  Yeah.
[26:58.360 --> 26:59.360]  Yeah.
[26:59.360 --> 27:00.360]  Yeah.
[27:00.360 --> 27:06.040]  For each category or type of possible issues or violations, we have a plugin.
[27:06.040 --> 27:11.960]  So most likely at this current state, the, the, the plugins we have are just three.
[27:11.960 --> 27:18.760]  So most likely they, they won't solve immediately your, your issues for, for, for your specific
[27:18.760 --> 27:19.760]  application.
[27:19.760 --> 27:26.080]  So in the current state, you, you will have your, your developers create a plugin.
[27:26.080 --> 27:27.760]  The other scenario is okay.
[27:27.760 --> 27:30.240]  You have a repository full of plugins.
[27:30.240 --> 27:37.560]  You most likely can like quickly find a suitable plugin and just use it in two, in these two
[27:37.560 --> 27:38.560]  cases.
[27:38.560 --> 27:41.040]  Do you think there's a difference?
[27:41.040 --> 27:42.680]  I would assume so.
[27:42.680 --> 27:49.360]  So when looking at the infrastructure guys, so they are not just doing that fast, they're
[27:49.360 --> 27:55.560]  doing this for other, um, post entities as well with other departments.
[27:55.560 --> 28:04.640]  And I would assume, so there are some basic rules that every, so how a database is set
[28:04.640 --> 28:12.640]  up or how it is protected, how authentication works is all the same for all databases within,
[28:12.640 --> 28:16.680]  within use, for example, in Azure.
[28:16.680 --> 28:22.360]  And yeah, I guess maybe they have already something in place, but that, that they're
[28:22.360 --> 28:27.120]  like, I would, I would assume that if they need to set up a new database, they don't
[28:27.120 --> 28:34.680]  click through the Azure, um, and web UI, but they deploy some Terraform or whatever.
[28:34.680 --> 28:41.440]  Um, so, and if, if there's a, an issue or something has been fixed by hand and it produces
[28:41.440 --> 28:45.440]  side effects, yeah, I would probably assume it would help them.
[28:45.440 --> 28:48.400]  So let's go with a four.
[28:48.400 --> 28:49.400]  Okay.
[28:49.400 --> 28:55.360]  And now in the video, there was this concept of a compliance job.
[28:55.360 --> 29:03.520]  So a compliance job is basically a set of related compliance rules and the specific application
[29:03.520 --> 29:06.240]  system that these rules apply to.
[29:06.240 --> 29:10.200]  And then for each viable, possible violation, what to do.
[29:10.200 --> 29:14.960]  So it's kind of telling the, this process how to work.
[29:14.960 --> 29:19.960]  Not only what the compliance rules are, but also what to do if they are violated.
[29:19.960 --> 29:29.560]  Um, so assuming that, uh, you have a model for this compliance job, uh, do you think this
[29:29.560 --> 29:37.840]  reduces the uncertainty of what to do if you find violations?
[29:37.840 --> 29:42.640]  So it's not now about how to check, but okay, you know, there is a violation, but you don't
[29:42.640 --> 29:43.640]  know what to do.
[29:43.640 --> 29:49.160]  Do you think that having like a specific model for this whole story, for this whole
[29:49.160 --> 29:55.200]  compliance job, do you think this makes it less, uh, uncertain on what to do if you do
[29:55.200 --> 30:07.480]  find a violation? Difficult for me to answer, um, but go with a three there.
[30:07.480 --> 30:08.480]  Okay.
[30:08.480 --> 30:09.480]  Not sure about that.
[30:09.480 --> 30:10.480]  Yeah.
[30:11.480 --> 30:18.320]  I mean, if you don't deal with it, it's unfair to expect you are certain about the
[30:18.320 --> 30:19.320]  answer.
[30:19.320 --> 30:20.320]  Okay.
[30:20.320 --> 30:26.920]  Uh, so some general questions, um, according to your knowledge, of course, how do you evaluate
[30:26.920 --> 30:36.080]  the novelty of the framework of which framework is the amount of what, not the one you saw
[30:36.080 --> 30:44.840]  on the video, like, uh, okay, um, it allows to model compliance rules, check them and
[30:44.840 --> 30:51.240]  then, uh, um, fix issues and then report the whole process.
[30:51.240 --> 30:52.240]  Mm hmm.
[30:52.240 --> 30:56.200]  That's, that's kind of a summary of, of this framework.
[30:56.200 --> 31:00.720]  I'd say it's, it's, I would, I would say it's, it's interesting.
[31:00.720 --> 31:05.080]  So I haven't, I haven't seen this before, or not to my knowledge.
[31:05.080 --> 31:13.280]  So I'm with, with the limited knowledge I have from my day to day business, because not
[31:13.280 --> 31:22.760]  with our demo, but I'd still say that it's, um, yeah, it's worth, worth to pursue, uh,
[31:22.760 --> 31:25.640]  to, or to investigate in this regard.
[31:25.640 --> 31:26.640]  Mm hmm.
[31:26.800 --> 31:27.240]  Okay.
[31:27.240 --> 31:30.680]  And now a question about the extensibility of the framework.
[31:30.680 --> 31:34.840]  So extensibility means you can extend its functionality.
[31:34.840 --> 31:38.960]  And majorly, I, I refer to the plugins that you can program.
[31:39.760 --> 31:41.840]  So, um, two questions.
[31:41.840 --> 31:44.600]  Do you think extensibility is useful?
[31:44.880 --> 31:47.680]  And second, do you think the framework is extensible?
[31:48.920 --> 31:53.720]  So I would say extensibility is, it's, it's very useful.
[31:53.800 --> 32:02.840]  So this is most often required because there are many systems, um, out there, or even in,
[32:02.840 --> 32:11.120]  in, in, at [redacted] company, right, which have some form of, um, customization.
[32:11.920 --> 32:12.160]  Yeah.
[32:12.200 --> 32:15.720]  Or they, they have some special rule about something.
[32:15.720 --> 32:21.800]  So, so even if it's the same product, um, that there are, that they are heavily
[32:21.800 --> 32:23.840]  customized in one regard or another.
[32:24.440 --> 32:35.120]  And with that, this is maybe also why this might prove difficult to implement in all
[32:35.120 --> 32:36.720]  situations, like the plugins.
[32:37.960 --> 32:45.880]  Because if you're, if, if you govern, like the example with databases, that every
[32:45.880 --> 32:48.520]  database is governed the exactly same way.
[32:48.600 --> 32:51.800]  You have authorization needs to be done in that way.
[32:51.840 --> 32:55.200]  Authentication is super and done in this way and so on.
[32:55.600 --> 32:59.320]  But as soon as you, as you then introduce.
[32:59.320 --> 33:02.400]  So yeah, but this one is governed differently.
[33:02.440 --> 33:08.480]  And that one is governed even in another flavor, then you would need to create
[33:08.480 --> 33:12.840]  extensions like specifically just for these special cases, more or less.
[33:13.520 --> 33:17.520]  And then I could already hear the argument.
[33:17.520 --> 33:25.560]  Now, uh, if we need to create just to automate it, we need to create additional,
[33:26.160 --> 33:31.560]  additional code, additional effort for these things, which might then come, I
[33:31.560 --> 33:36.000]  don't know, the compliance issue, like once every half a year or something like
[33:36.000 --> 33:41.800]  that, we would rather pay the person to fix that by hand manually.
[33:42.520 --> 33:48.720]  Uh, than paying the person, paying persons to write like an automated task,
[33:49.160 --> 33:57.520]  which would not, like the cost benefit would maybe come down the line in like five
[33:57.520 --> 34:02.200]  years or 10 years, so this would be the argument against that.
[34:02.400 --> 34:05.760]  Um, so extensibility is very important.
[34:06.960 --> 34:08.480]  Um, yeah.
[34:08.840 --> 34:14.040]  Yeah, but you say when the, when it becomes like very niche situations, maybe
[34:14.040 --> 34:15.600]  it's not worth it anymore.
[34:16.240 --> 34:16.720]  Exactly.
[34:16.720 --> 34:21.400]  They might think, okay, sounds cool, but we will need to create a thousand
[34:21.400 --> 34:23.560]  rules for something like a thousand plugins.
[34:24.160 --> 34:30.920]  Um, yeah, but this is, this is the problem in, in, in, in many situations.
[34:30.920 --> 34:33.800]  So this is not scoped to this framework now.
[34:33.800 --> 34:39.240]  This is, um, there have been just from, from my experience, there have been
[34:39.240 --> 34:45.680]  many in the past and there will also be in the future and that was to consolidate
[34:45.680 --> 34:49.920]  stuff to make it like, hey, we can just group this together and make it easier
[34:49.960 --> 34:58.080]  in some way or another, but most often then at first, everything on, on paper
[34:58.080 --> 34:58.600]  looks good.
[34:59.200 --> 35:04.000]  But then as you dig down, you, if you find these, these niche things that
[35:04.680 --> 35:08.800]  deviate and then everyone, everyone needs to have a
[35:10.040 --> 35:16.440]  in German, Extrawurst, needs to have their own, own little, own little castle.
[35:16.800 --> 35:20.160]  Uh, they can, they can build and they can, they can customize.
[35:20.200 --> 35:28.520]  So, um, yeah, it's just, this just might,
[35:28.520 --> 35:33.120]  my feeling that most, most often if you, if you think very big and want to
[35:33.120 --> 35:36.120]  consolidate lots of stuff, hey, let's move all to the same platform.
[35:36.120 --> 35:42.400]  Let's all use this and that, whatever, um, this in that service, this
[35:42.400 --> 35:48.360]  and this and that technology, then there are always, always somewhere in a big
[35:48.360 --> 35:56.440]  company, there are, um, several, um, deviations from, from that, from that
[35:56.440 --> 36:02.760]  approach was, which then make it overly complex to generalize, uh, everything.
[36:03.320 --> 36:03.600]  Yeah.
[36:03.680 --> 36:05.120]  That's, that's my two cents.
[36:05.320 --> 36:05.560]  Yeah.
[36:05.560 --> 36:06.880]  That's very interesting point.
[36:08.320 --> 36:09.280]  Um, okay.
[36:09.280 --> 36:13.400]  So hypothetically, would you use this framework in your work?
[36:13.720 --> 36:16.280]  And in my personal, probably not.
[36:16.280 --> 36:16.560]  No.
[36:16.560 --> 36:16.920]  Okay.
[36:18.200 --> 36:21.240]  Uh, would you suggest it to the infrastructure team?
[36:22.040 --> 36:22.400]  I would.
[36:22.400 --> 36:23.000]  So, yeah.
[36:23.160 --> 36:27.440]  Uh, I, I, I will, I will actually, that's also my plan.
[36:27.440 --> 36:29.160]  I will, uh, talk to them.
[36:30.080 --> 36:34.880]  When, when I next have a meeting with them and yeah, ask them what they, what
[36:34.880 --> 36:36.840]  they maybe have there in place.
[36:37.040 --> 36:37.520]  Do you have that?
[36:38.200 --> 36:42.440]  That would be, if you find something really, really interesting, I would be
[36:42.440 --> 36:45.440]  very interested in learning about it for this paper.
[36:46.720 --> 36:47.040]  Yeah.
[36:47.280 --> 36:47.560]  Okay.
[36:47.560 --> 36:48.280]  That would be great.
[36:48.800 --> 36:50.800]  Uh, so what's your general impression?
[36:50.920 --> 36:54.480]  If you, if you want to add anything more, you can do that.
[36:54.480 --> 36:55.680]  Now that's the last question.
[36:57.480 --> 36:58.240]  No worries.
[36:58.360 --> 37:05.920]  So general impressions, um, as said before, that, um, also for question 21, that, uh,
[37:05.920 --> 37:07.120]  I found really interesting.
[37:07.800 --> 37:19.120]  Um, and as I said, uh, over the last few minutes, um, I'm not sure.
[37:21.000 --> 37:28.840]  In what scale it could be applied at a big company because of this niche or, um,
[37:30.280 --> 37:37.720]  deviations from, from, from general protocol, uh, so to say, but that, that
[37:37.720 --> 37:43.320]  doesn't mean that it, um, has no, has no appliance or no, there's no application
[37:43.320 --> 37:43.680]  for that.
[37:44.120 --> 37:49.680]  So I, I still to make, summarize, I find it very interesting.
[37:49.680 --> 37:54.720]  And I think it's a, um, it's something that should be investigated further.
[37:54.720 --> 37:55.000]  Yeah.
[37:55.120 --> 38:02.840]  And definitely something that is not, um, so at least I have not heard about
[38:02.840 --> 38:04.080]  something like that before.
[38:04.240 --> 38:12.840]  So, and I think for, um, there are definitely applications I would say, uh,
[38:12.880 --> 38:14.120]  where this could be used.
[38:14.520 --> 38:14.880]  Okay.
[38:16.320 --> 38:16.640]  Yeah.
[38:17.240 --> 38:18.120]  Thank you very much.
[38:18.160 --> 38:19.480]  That's it for the interview.
[38:20.080 --> 38:25.960]  Thank you for this interesting, um, yeah, look into, look into research.
[38:26.160 --> 38:28.880]  It's been a while for me, um, as you might have heard from [redacted].
[38:28.880 --> 38:30.520]  I mean, uh, I was studying with it.
[38:31.240 --> 38:33.200]  So yeah, uh, thank you.