Wednesday, March 01, 2006
Venture Capital and Enterprise Architecture: Part One
A long, long time ago Ed Sim and I exchanged blog postings on why venture capitalists should make it a habit to network with us enterprise architects and later expanded on the thoughts here. Today's blog entry takes into consideration a prior blog entry by Bill Burnham.
In the past, the only VC who has gotten this connection and uses it frequently is Dan Gordon over at Valhalla Partners, but luckily other VCs are starting to catch up. This week I have also had the opportunity to network with folks at Accel Partners and Crosslink Capital regarding thoughts that I have had on enterprise security. Part of the dialog focused on what types of solutions are on our radar and what the recurring problems faced by large enterprises are. For folks who religiously read my blog, I tend to talk about XACML a lot because it can be at the core of many potential problems that the enterprise has today. While there are many products that handle coarse-grained authorization, there are only two or three that have the right approach to handling fine-grained entitlements at enterprise scale.
You may see a lot of noise in the blogosphere from other bloggers who talk about identity. They mainly seem to be creating products around the provisioning aspects of identity, which is a good first step but by no means complete. Identity provisioning, attestation and the other capabilities these products bring are good for complying with Sarbanes-Oxley, but large enterprises have more legislation to deal with. Consider what happens whenever the SEC, Eliot Spitzer or some other Attorney General wants to investigate wrongdoing in a financial services company. Knowing that a particular individual was granted access to a system via authorized means is one aspect (aka provisioning), but they would more than likely also want to know what this individual did and when (aka runtime fine-grained entitlements).
The blogosphere seems to be caught up in the Liberty Alliance, about which I am lukewarm, and in all the wonderful discussions around SAML vs. WS-Federation vs. InfoCard vs. Higgins, which are interesting but don't have the ability to be as important from an enterprise perspective as XACML. The enterprise needs consistent ways to declare security policies and enforce them at runtime, not just for J2EE applications but for all applications that run within its nervous system and even outside it. I would love to see folks in the blogosphere start amplifying the need for pervasive implementation of the XACML spec in all J2EE portal servers (FYI: Liferay Enterprise Portal will be the first portal with this support), enterprise applications such as Siebel, PeopleSoft and SAP, and even ASP-oriented software such as Salesforce.com.
From my conversations, I walked away with two different perspectives that I hopefully will be successful in changing and will savagely put tons of energy into blogging about. First, there are security spaces not even touched or discussed in the venture capital community, where VCs may be leaving a lot of money on the table. One such space is data masking. Protecting personally identifiable information within enterprise applications is pretty much on everyone's radar after the ChoicePoint debacle, yet no one has stepped up to create a meaningful product in this area. There are two vendors that play in this space (datamasking.com and datamasker.com), but the enterprise has more platforms than these two solutions can currently solve for. This is a problem space for pretty much everyone, yet no one is focusing on it. Imagine the value proposition for both the VC and the enterprise if a solution could appear for, say, $100K that would keep a large enterprise out of the newspaper. We all know that the stock of ChoicePoint dropped 15%, along with their recent $15 million fine and lost business relationships that cannot be quantified. Enterprises would snap it up...
Tomorrow, I will blog on the second perspective I have learned from the VC marketplace, but I will conclude with the thought that I have allowed the conversations with folks in the venture capital community to date to be all about them (seek first to understand, then to be understood). Hopefully, someone from the community can pay back this favor by responding to several of my Outstanding Questions for the Venture Capital Community...