Thursday, December 14, 2006
Enterprise Content Management and Security
Over the past several years, many vendors have invited me to serve on their vendor advisory boards. This week alone I have gotten two pings from security vendors with this request. I need to ask myself whether this is just a part of vendor relationship management or simply a way to lull me into sleeping at the helm.
After all, why can't we enterprisey folks who want features put into vendor products simply request them and have the vendors do a little homework on their own to figure out how to make them globally applicable to all of their customers? Being on an advisory board doesn't guarantee me that the features I need to build truly world-class enterprise applications will actually show up. It only guarantees that I will have a conversation with lots of folks, something I believe is already fulfilled via my blog.
Anyway, over the last several months I have had the opportunity to talk with architects at Boeing, Pfizer, Merck, Allstate, Wachovia, Bank of America and others, and realized that from a security perspective ECM vendors are treating us enterprise customers like a step-child.
It was intriguing to learn that all of these players have asked their vendors for features that we all have in common, and that the vendors have responded cordially, indicating that those are great ideas but that no other customer has articulated them.
In the ECM space, I have uncovered that we all want the following features implemented immediately and in a high-quality way:
- External Authorization: Many folks are attempting to use ECM to build composite enterprise applications made up of a variety of technologies, including BPM engines. The idea is that if I want to optimize people and architecture I may use a BPM engine to manage tasks while storing the documents the tasks need in an ECM repository. This of course causes a disconnected security model, where the BPM engine has its own thoughts on authorization which are different from what the ECM thinks. At a minimum, this calls for the ability to externalize authorization via a standards-based mechanism. I wonder if either Phil Gilbert of Lombardi and/or Alan Pelz-Sharpe have ever noodled this type of integration deeply?
- Active Directory: It would be pretty difficult to find a large enterprise that doesn't have Active Directory. In today's society, since directory services are so pervasive, it no longer makes sense for each and every enterprise application to create its own separate and distinct identity store. How come ECM or BPM products cannot simply bind to the directory at runtime and get the information they need, instead of requiring enterprises to run import/synchronization mechanisms? This approach is fugly.
- Encryption: Both BPM and ECM in their future state will contain highly confidential information, and therefore the need to encrypt needs to be built in. Encryption shouldn't equal a shared secret, as most folks are good at keeping them. How about providing hooks into PKI mechanisms that don't require keeping a password/key in a configuration file in cleartext?
- Electronic Signatures: Folks would like to automate stuff as much as possible, and e-signatures are a capability that helps get them there. If you think about how much paperwork an enterprise has to store physically due to the need for a wet signature, then you would understand the potential of using ECM technologies to make this problem space better.
- Single Signon: Revisiting the integration between BPM and ECM for a minute, this also begs the need for a single sign-on capability. Why do I have to authenticate to each component, solely based on the dated construct of ID and password? Likewise, while there are product-specific ways of solving this, such as using Netegrity SiteMinder or Oracle CoreID, the better way is to support industry standards such as SAML and/or WS-Federation. I am sure that Ping Identity will OEM their technology to the ECM vendors as a way to implement this quickly.
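To make the External Authorization point concrete, here is an added illustration (not any vendor's product code) of a BPM engine and an ECM repository that both defer to one external policy decision point instead of each keeping its own authorization model. The class names, the rule format and the sample claims policy are all constructed for the example; group membership is assumed to have been resolved from the enterprise directory at runtime.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AuthzRequest:
    subject: str       # principal as resolved from the enterprise directory
    groups: frozenset  # group memberships looked up at runtime, not imported
    action: str        # e.g. "read", "complete"
    resource: str      # e.g. "doc:claim/4711" or "task:claim-review/9"

@dataclass
class PolicyDecisionPoint:
    """The one policy store both engines ask. Rules are (group, actions, resource prefix)."""
    rules: list = field(default_factory=list)

    def decide(self, req: AuthzRequest) -> str:
        for group, actions, prefix in self.rules:
            if group in req.groups and req.action in actions and req.resource.startswith(prefix):
                return "Permit"
        return "Deny"  # default deny when no rule matches

class EcmRepository:
    def __init__(self, pdp):
        self.pdp, self.docs = pdp, {}
    def read(self, subject, groups, doc_id):
        req = AuthzRequest(subject, frozenset(groups), "read", f"doc:{doc_id}")
        if self.pdp.decide(req) != "Permit":
            raise PermissionError(f"{subject} may not read {doc_id}")
        return self.docs[doc_id]

class BpmEngine:
    def __init__(self, pdp, ecm):
        self.pdp, self.ecm = pdp, ecm
    def complete_task(self, subject, groups, task_id, doc_id):
        req = AuthzRequest(subject, frozenset(groups), "complete", f"task:{task_id}")
        if self.pdp.decide(req) != "Permit":
            raise PermissionError(f"{subject} may not complete {task_id}")
        # The task needs the document; the same PDP answers that question too,
        # so there is no second, disconnected authorization model to keep in sync.
        doc = self.ecm.read(subject, groups, doc_id)
        return f"completed {task_id} using {len(doc)} bytes"

def build_demo():
    # Constructed sample policy: adjusters work claims, auditors only read.
    pdp = PolicyDecisionPoint(rules=[
        ("claims-adjusters", {"read", "complete"}, "doc:claim/"),
        ("claims-adjusters", {"complete"}, "task:claim-review/"),
        ("auditors", {"read"}, "doc:"),
    ])
    ecm = EcmRepository(pdp)
    ecm.docs["claim/4711"] = b"scanned claim form"
    return pdp, ecm, BpmEngine(pdp, ecm)
```

Changing a rule in the policy decision point changes what both the task engine and the repository allow, which is the whole point of externalizing the decision.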
I wonder how open source ECM vendors such as Alfresco align with this thinking. If closed-source vendors don't nail the problems of large enterprises then this may be the opening they need. I suspect though that Matt Asay is already on it.
If you happen to be employed by a Fortune enterprise and would like to see ECM vendors improve their security posture and would like to participate in a conference call with other Fortune enterprises on this subject, please leave a comment specifying your work email address and I will send you an invite...