Sunday, December 31, 2006
"Start Your Own Blogging Business" Book
What does Outsourcing have to do with the Agile Manifesto?
Outsourcing is all about chasing a cheaper salary for an individual resource without necessarily getting any guarantee that total cost of ownership will be decreased. Many IT shops that outsource resort to accounting for costs at a macro level and eschew efforts to increase productivity at an individual level. The mantra of getting lower rates trumps developer efficiency so long as the numbers work out in the end.
Likewise, there is a pattern amongst developers in the Ruby community in that their call to action is all about individual productivity without concern for macro-level accounting, with the argument that if you increase efficiencies in the small, you also increase efficiencies in the large.
The funny thing is that many enterprise architecture teams are in the middle of such opposed perspectives. Wouldn't it be interesting if we could have a conference panel where we took, say, the CIO of United Technologies and had him interact with the likes of David Heinemeier Hansson? Of course this would need to be moderated. What would happen if we also added Kent Beck to the panel along with Richard Stallman? What if we were to get the likes of Robert McIlree and Nick Gall for good measure to represent the EA perspective on this subject? I would also throw the CEOs of Accenture and Wipro on the panel as well for good measure. Would you want to see this discussion occur at a large industry conference?
If I were ever chosen as a moderator for such a panel, I would of course have a difficult time withholding my own opinions but would start the discussion off by asking the question:
- What is the difference between programmers and developers?
This would probably lead to a discussion that states that programmers are folks who specialize in writing code while developers provide more value such as writing specifications, automated test cases, writing documentation, and most importantly helping customers work out tough problems. It does beg the question of whether folks in India at best are nothing more than programmers.
Anyway, I think this question if properly discussed is more telling as it will lead to the union of several otherwise opposed thinkers. Enterprises who outsource are doing so because they feel there is value in getting cheaper programmers. These same enterprises probably have a good strategy to keep all the developers around. Likewise, the smart folks I have worked with in the Ruby community usually have figured out that they didn't want to be programmers in large enterprises and wanted to be developers in small enterprises who have the potential to be large.
Now the only disconnect that still remains is whether consulting/outsourcing firms who embrace agile methods will also attempt to destroy developers as well, or figure out how to embrace them to the benefit of their clients' competitive advantage, or simply focus on their own mission. Should the Ruby community be fearful of those types of consulting firms?
Saturday, December 30, 2006
Saddam and how his greatness changed America...
The Foundation for the Defense of Democracies posted four videos of actual torture and murder that took place under Saddam Hussein's regime. Regrettably, the videos will not be televised, as Americans we are fearful of learning of atrocities that occur on the planet. Most Americans will only pay attention long enough to listen to the thirty-second soundbites we have become accustomed to. If Americans, however, were to see the videos, then maybe they would stop waiting for the problem to go away, and instead stand to reason and demand swift, immediate action wherever atrocities occur. It may even cause us to spend more time on causes such as Darfur, Palestine and other places where freedom is elusive.
If a blogger who cares about the human condition reads this posting and amplifies it, then civilization isn't a lost cause and my own heart will be filled with joy. Let's acknowledge that the masses will simply go on living their lives until they too become oppressed and choose the right to remain silent. Anyway, here is the link to the four videos: Chapter One, Chapter Two, Chapter Three and Chapter Four...
Enterprise Architecture and how we are envious of each other
Like many of my peers, I am guilty of attempting to find patterns in the human aspects of technology when this practice may be a recursive anti-pattern. Folks who think in patterns or at least use the word frequently use it because of the buzzword factor which helps increase its attraction to other demographics who may not be on the same page but want to.
They think "patterns are cool and good" and they also think what they've done is cool and good and therefore must be a pattern. This is kinda like me attacking George Bush and the idiots in the Republican party which makes folks assume that I am somehow Democratic without them ever really asking the question, is George Bush really an idiot?
Even more sinister is that many think they have a good, reusable solution to a recurring problem, but don't yet understand that the solution needs to recur as well as the problem. It is not enough to be reusable, it has to have already been used several times. This thinking by the way should also be applied to service oriented architectures.
Maybe architects who talk in terms of patterns need to stop reading the Gang of Four and instead need to use the pattern books to beat folks upside their heads when they do something stupid. I wonder if the things below could be considered patterns:
- Relying on industry analysts to tell you which products to acquire while not acknowledging they aren't telling you about all the potential products within a space (aka open source)
- Outsourcing PowerPoint presentations to software vendors who are hooked like Pavlov's dogs on requests to demo from enterprisey folks
- Not acknowledging that outsourcing is a form of a trap and that cost savings may not materialize
- Mistaking process for architecture
- Changing the meaning of words on the fly (aka distillation) so as to help others understand (in the short term) without acknowledging how this hurts all long-term efforts
- Not knowing the difference between management and leadership
Anyway, use patterns to describe situations and recurring themes but don't use them for tagging to every problem that happens to materialize along the way. Patterns should be applied within a context...
Friday, December 29, 2006
How to become an expert on Enterprise Architecture
For the superior performer, the goal isn't just repeating the same thing again and again but to strive for higher levels of control over every aspect of their performance and interactions with others. Within the IT ecosystem, I often hear developers complaining that all architects do all day is draw pretty diagrams that no one pays attention to. While this may be true, reality says that they are cheating themselves out of making themselves better at their own profession.
Most of us want to practice the things we're already good at, and avoid the things we suck at. We stay average or intermediate amateurs forever. I wonder what would happen if project managers, software developers and folks in the QA department asked themselves, "I wonder if studying enterprise architecture would help me in my own position?" and what they would rationalize.
I would say at some level that I probably understand the discipline of enterprise architecture more than anyone else in the blogosphere yet I am not an expert. No this is not a humbling moment where I say I have so much more to learn. The ability to call oneself an expert is heavily dependent on changing the perceptions of others, something which I suck at.
Many enterprise architects who substitute process for competence are missing out where they have the most leverage, which is with those who are satisfied with what they are currently doing. In my travels, I frequently run across folks who say, "I know there is a better way to do task X, but I already know how to do it my way." They acknowledge that their way is less efficient and less powerful, but it continues to thrive because they feel comfortable.
This of course begs the question of whether folks should feel comfortable or not. Is work all about a coffee klatch where we have nice social conversations with each other, or more about running a business? Should a business care more about folks feeling comfortable or making a profit? Yes, I get that you can do both, but really, which is more important?
What would happen if I could convince all those HR generalists who love their competency models to throw them in the trash, and even convince myself to move away from the areas of strength (note: strengths are different than competencies) that have made me ultra-successful towards situations where even I don't feel comfortable?
I wonder if you put me in charge of a very large project that is doomed to failure or at least mediocrity because they used folks from India instead of folks with a vested interest in success and required me to actually add on even more people against every principle I believe and then required me to deliver a wonderful status to executives that all is well, would this make me a better architect? Maybe I have become a better architect because I have deferred obvious predictable failures to others.
Does outsourcing = failure? I believe so. Getting one's hands dirty makes one learn from their own experiences. If you don't make mistakes then how can one learn? At some level, outsourcing is a mistake, only I hope that folks will learn from it.
I guess I have too much integrity to do certain things. I wonder though if I could help make it easier for others to continue on the path to becoming expert? Remember, being better is better. Whatever you're better at becomes more fun, more satisfying, a richer experience, and it leads to more flow. Maybe, my next book should be on how to have fun doing enterprise architecture?
Thursday, December 28, 2006
Recent Thoughts on Azul Systems
- Would the folks over at the 451 Group consider this as an emerging category of grid?
- How come more industry analysts aren't providing coverage of this type of technology breakthrough?
- The average J2EE application may allow for configuration of multiple threads but will not support execution of hundreds of threads concurrently. When will someone publicly share results on which J2EE container best scales in this regard?
- The vast majority of enterprise applications tend to be more constrained in terms of addressable memory than needing more CPUs. From a hardware perspective, what prevents computers from the ability to address say 8TB RAM cheaply?
- Does the appliance support SAML and XACML or does it require its own identity store?
- Do industry analysts believe there would be lift if Azul Systems provided an SDK that allowed access to bare metal?
- So what are the best practices in certifying an application on Azul technology?
Charity Tag Meme
Let's see if this idea will work. I will start by tagging Stefan Tilkov, Scott Mark, David Heinemeier Hansson and one blogger whom I don't know (even virtually) but will tag via trackback in hopes that they will consider charity a higher priority over etiquette or other secondary concerns. Either way, this is a great way to learn not only what folks feel is important but what they feel is more important...
Why software vendors should consider pitching to bloggers in addition to industry analysts...
Here are some things for software vendors to noodle...
- Bloggers have literary licenses that journalists and industry analysts do not.
- Sometimes it is better to trackback than to post a comment. Bloggers tend to pay more attention to those linking to them than comments left on their blog.
- Bloggers are in many ways more influential than industry analysts as many of us are getting paid for our opinion removing bias in terms of thinking which aids (doesn't guarantee) in credibility.
- Bloggers tend to actually do more with whatever information you supply to them and have zero interest in terms of publishing only to paid subscribers. Free information sharing guarantees more eyeballs.
- Pitching to a blogger means you don't have to go through the dance of avoiding fees in order to get coverage. If the topic is something that resonates with them, then they will cover it. Of course, you should think about compensating them by donating to worthy charities they favor.
- Bloggers have a bigger potential of becoming a customer. Analysts tend not to buy enterprise software, BPM, ESB, Portals, etc but some bloggers may.
Maybe open source isn't all that open?
Being Mr. Enterprisey, I suspect that many folks will be of the opinion that my peers aren't interested in contributing or are hampered by dinosaur-antiquated corporate policy. While this may be true of some large enterprises, there are other issues that need to be discussed. For example:
- So am now starting to wonder if the reason more developers don’t contribute to open source projects is that they have the perception, real or not, that they are not welcome.
This is 100% on the money for many open source projects. For example, have you ever observed anyone from the Ruby on Rails community ever reaching out to enterprise folks to ask them to contribute or at least participate? To feel welcome, one should be encouraged by the community itself to expand. One analogy would be the difference in me inviting someone into my home vs just expecting them to walk off the street, put their feet up on my couch and help themselves to whatever is in the fridge. A discussion is warranted on what communities can do to welcome outsiders.
Having had the opportunity to sit on a panel with Marc Fleury at OSBC last year, I came to the conclusion that he was a great businessman. Likewise, I also concluded that I would never make the effort to contribute to a JBoss project. Part of the rationale for contribution is in having choices. JBoss is playing in spaces where they are innovating, but there are already choices in terms of other open source offerings. There are already sufficient J2EE containers, portals and BPM engines that are open. In fact, while I would say that in the J2EE space JBoss is equal in terms of functionality (some things they have that others don't and vice versa), JBoss is simply inferior in terms of its portal implementation (Liferay beats it by miles) as well as jBPM (Intalio and others are also ahead). The point is that if one is going to make the effort to contribute, they will more than likely choose what they either use and/or feel will be the winner.
Of course, since I am employed by a Fortune 100 enterprise whose primary business model isn't technology, the reasons for contributing aren't so that I can gain consulting revenue by demonstrating participation, nor embracing any notion of professional open source. If I spend time at home writing code for an open source project, the reason may be driven by ego, which JBoss robs its contributors of. For example, I know that the folks over at Aviva contributed the JBoss ESB. What I would want to see is JBoss pumping up Aviva and not just themselves. Compensation comes in many forms, and for those who are not employed by technology-oriented companies, compensation in the form of ego (marketing, sense of community, etc.) is crucial to getting contribution. Maybe some hype can be created by JBoss employees about all of the wonderful contributions by non-JBoss employees.
A third consideration not frequently discussed is that contribution can come in many forms. I would argue that open source doesn't really need more developers to contribute source code but really needs lots of folks writing good documentation. What if the open source community decided to encourage others to become published authors and write books to help folks use products? As a series editor for Springer Verlag, I would love to receive book proposals on Enterprise BPM Patterns, Enterprise Rules Architectures and so on. Contributing to wikis is moderately useful, but folks sometimes need more structure.
A final consideration (for now) is that contributions can also come in the form of serving as a sounding board for ideas. In the same way, I encourage venture capital firms to bounce ideas off me and, for that matter, to reach out to architects in other Fortune enterprises. The open source folks can do the same what-if testing, not just against those paying them to create features but in terms of making things generally applicable so that it attracts an even larger population.
The one thing that I often say at work is that we shouldn't adopt any open source product unless it has outside contributors. One thing that makes something sustainable is knowing that the community has your back. Just having folks from a single company being paid to write software doesn't equal community. I would be happy as hell to see industry analysts actually figure out the size of community for each open source project in this regard. Maybe folks from JBoss could provide this for JBoss projects?
In terms of my own planned 2007 contributions to open source, I will be committing to contributing to the authorization specification as part of the OpenID community. The funny thing is that I will be going against my better judgement, in that enterprises tend to desire to contribute to things that are measurable like implemented software, as we really can't do anything with ideas alone. Ideas need to be turned into software. What I fear the most is folks from Sun such as Pat Patterson, Sara Gates, Simon Phipps, Robin Wilton, Don Bowen and folks from Microsoft such as Kim Cameron and Jason Matusow openly supporting initiatives such as OpenID but not taking deliberate steps within their respective employers to actually implement the OpenID specification and any resulting authorization enhancements. I too am somewhat constrained, in that anything that isn't implemented will be perceived as an academic exercise that was a waste of time, which will put the ability to contribute to open source projects in the future at risk...
Wednesday, December 27, 2006
Strategic Planning: Should you use a consulting firm or an Industry Analyst?
Imagine you want to align better and start embracing the notion of the Voice of the Customer, and you hire an industry analyst to do so; they on average will charge an hourly rate in the $300 range. Nowhere on the Internet is there any thoughtful analysis as to what you get for higher hourly rates than you would see from typical consulting firms.
Some of the obvious advantages to going with an industry analyst over a consulting firm for strategy includes, but is not limited to:
- Industry analysts tend to talk to more enterprises and therefore have more insight and visibility into what others are up to, while the consulting firm is limited to whomever hired them for the same/similar work in the past
- I haven't yet run across an industry analyst firm that hires truckloads of kindergartners (aka freshers, aka folks just out of college) to do all the work while a partner simply provides guidance. Usually analysts have years of industry experience, and therefore you will get the most efficient output and won't be paying for junior folks to learn on your nickel.
- If you also have outsourced delivery of the strategy then choosing an analyst over a consulting firm is even better as they tend to on average have great presentation skills and even better writing skills than most folks in corporate America
- If you desire a strategy that is not cookie-cutter, then an analyst, even if they don't have the personal experience, is usually only one degree away from someone who does and won't necessarily be constrained by that person's availability, as it may not be about billing like consulting firms. They can also go outside their firm for expertise a lot quicker.
- Insights from other analyst firms: Remember, you are now paying for consulting services not research services and therefore it is more than reasonable to expect that insights will be more than just previously formed opinions. You also need differing opinions in order to find the right answer for you. Otherwise the information provided may be too general in order to be applicable.
- Seek conflicting opinions: In the course of normal industry analyst work, they tend to publish only elements in which there is strong consensus where as the enterprise benefits the most by understanding where folks in the past have been diametrically opposed. This provides insight as to hurdles you may run into. Don't let industry analysts sanitize this stuff out.
- Define notation and format: While each analyst firm has their own style, it is important for you to define things such as expected page counts (don't go extreme here) along with particular notations you desire. For example, if you are strategizing on a policy administration system, maybe they should show the typical executive-level Visio diagrams as well as UML diagrams that further expand the detail.
- Forbid discussions around products: If you talk about products other than what is currently in-house, you may be either paying twice in order to get product recommendations and/or they may be charging you for their own research that benefits others.
- Rethink NDA: Part of the dilemma that industry analysts face is what they can and can't talk about. On one hand, the enterprise wants to gain insight from them on what others are doing, yet may not desire to share their own strategies. This model is simply not sustainable nor practical. Maybe the better answer is to hire the analyst firm to do strategy work with the commitment that they shall not disclose anything about your strategy for some period of time, or at least until it is in production, and then they will do a case study on how you were successful in implementing it. The enterprise benefits by gaining publicity while the analyst retains the ability to talk about it. Likewise, this will cause the analyst firm to avoid cookie-cutter work, as they have a better incentive to work harder because they may be part of the study itself.
It is my thought that hiring an industry analyst to assist with strategy in some domains simply makes sense. While I haven't done so in the past, I hope to pitch this notion at work at every opportunity. Hopefully, others within the blogosphere who have gone down this path can trackback and share their experiences in this regard...
What is open source? Intalio sure is NOT.
Maybe it is time that industry analysts chime in and share with us what definition of open source they use. I have asked the folks at Zimbra and LogLogic the same thing...
Service Oriented Architectures and Security
At a recent conference, folks from Sonic Software indicated that support for XACML was on their roadmap, yet their Chief Technology Evangelist, David A. Chappell, never talks about it. I wonder why? I also searched the blog of Annrai O'Toole looking for similar insights into SOA and security and came up blank. Setting that aside for a moment, he is of the belief that research reports are complete, but later on acknowledges that many open source players are missing yet doesn't believe that anything is wrong with them being left out. I wonder if this is because open source ESBs such as ServiceMix may have better security postures than closed source ESBs. Maybe he will not only demand but amplify the need for industry analysts to include both closed source proprietary and open source product offerings in their research reports. Maybe not...
Likewise, I understand how appliances help ease integration in SOA. Integration is more than just a problem of moving around data to support business processes; security is also crucial. Every enterprise going down this path should ask themselves the following questions:
- How should integration appliances play within my common security realm? Should they support SAML and/or WS-Federation along with identity propagation?
- As a business process involves multiple tiers and architectures, how do I ensure that authorization is consistently applied? Should the appliance support XACML policy?
- If integration involves sensitive data, how do I protect data as it travels over the wire? Can it leverage standards-based PKI approaches?
- Auditing is crucial in terms of business processes and may even be part of your enterprise SOX controls. Should the appliance support a common logging standard? How should they play with vendors such as LogLogic?
- Identity is the key to SOA. Shouldn't ESBs in general and SOA in specific incorporate the notion of identity as a pervasive goal?
I wonder what Dana Blankenhorn's, Denise Howell's, Mitch Ratcliffe's, Phil Becker's, Joe McKendrick's and Ronan Bradley's perspectives are on SOA and security?
Do Outsourcing Firms understand Writing Secure Code...
The press release is carefully worded but does mention Fortify Software. Let's analyze it:
- Fortify SCA is expected to boost Wipro’s security and audit services by expanding its ability to assess its customers’ software development processes and recommend improvements when it comes to application security.
Notice it didn't say that it was going to be used to assess their own software development processes, only their customers'. I guess turning things into revenue-making opportunities is a smart thing on Wipro's part, but I question whether this actually helps customers write secure software. I am of the belief that for software to become secure, each and every developer within an enterprise needs tools on their desktop. A once-in-a-while drive-by audit done by outsiders will not help reach this goal. At best, it will provide meaningless metrics to IT managers who won't know what to do with them. I guess fear, uncertainty and doubt still sell security-oriented software.
Likewise, this press release also didn't mention any initiative to train all Wipro development staff in writing secure code, so enterprises who outsource to Wipro don't even get a second-hand lift from internal folks using the tools.
I wonder if folks such as Brian Chess and/or Krishna Srikanth can provide their own perspective on this? I know that Mary Ann Davidson of Oracle and Michael Howard and Dan Sellers of Microsoft both have strong perspectives against this type of approach...
Survey on Enterprise Architecture and Software Development...
Tuesday, December 26, 2006
Ruby on Rails and Security
Below is his comment:
RoR is lacking too much of the needed security features in an enterprise environment and is not ready for mission-critical applications. There is no integration of external authorization engines, no integration of groupware systems or the active directory, no support of LDAP. There is no real security model at all. You have to develop many security functions on your own which makes RoR very unproductive when compared to Java EE or .NET.
This is the first time that I have seen a blogger who likes Ruby on Rails talk about all aspects of productivity. Anyway, instead of throwing daggers, I wonder if the better call to action would be for me as Mr. Enterprisey to help the Ruby community become more secure?
What if I were to make a public commitment to contribute code that allowed Ruby on Rails to bind to LDAP and Active Directory; would I still be called enterprisey? What if I were to leverage the fact that lots of closed source vendors want my dollars, and if I were to ask them to, say, contribute XACML support, how would the community perceive it? What if I were to take this one step further and ask not only Kim Cameron but his bosses at Microsoft to contribute support for WS-Federation and CardSpace; would they still rebel against the machine?
Taking this one step further, what if Mark Dixon and Pat Patterson pressured other developers from Sun to contribute support for SAML along with giving Ruby a proper way of interacting with Web Services; would they too be embraced or ignored? I wonder if anyone has asked for the assistance of folks over at Fortify Software?
I wonder if the Ruby community understands the basic principles of marketing? What if I at least agreed to filling out all that wonderful paperwork (remember us enterprisey folks are good at this) required by industry analyst firms such as Gartner and Forrester to show that Ruby on Rails is truly enterprise ready and worthy of some coverage? Enterprises have access to a lot more capital and talent which is what Ruby needs to take it to the next level. Maybe, if you simply asked in a polite way, you might find lots of assistance in reaching your goals and may even realize that enterprisey folks aren't evil after all...
A Cost Analysis of Windows Vista Content Protection
This tells me that even Microsoft isn't powerful enough to stop DRM...
Monday, December 25, 2006
Thoughts on McDonalds and things to do in a drive through lane
Kudos to folks in NYC and the government stepping up to remove unhealthy products. Anyway, I suspect that with America becoming so fat that only forced protest will change things for the better as unhealthy food is highly profitable and we all know that answering to shareholders is more important than anything else.
If you are the type to express your opinion, consider the following:
- Drive through backwards
- Repeat everything the order taker says
- Order confusing items such as a Large Orange Coke and a small medium fries
- Drive through with someone on the hood to accept the food
- Have a friend hide in the trunk. When you approach the window to pickup your order, have him start yelling and banging his fists on the trunk.
Response to Gary Short on the importance of educating children on IT (Part Two)
Two things that IT professionals at large need to fix: first, getting more women into our profession, as if you look at what we men came up with (outsourcing, inflated IT budgets, an enterprise with at least ten languages, the lack of strong technical leadership and the notion of diversity and inclusion that is neither diverse nor inclusive) then you would realize that the only solution may be to turn over IT to more women.
Second, we need to allow women to be IT professionals and still be women. No one should have to make the choice between being a mother, which is the most wonderful thing that God can give to us, and the notion of a career and climbing the ladder. If we had more successful women in IT as role models, they may become the sorely needed missing role models that school children in our respective countries need and, more importantly, deserve.
The third thing that I think we as IT professionals can do is get even those who have avoided large enterprises like the plague to embrace the notion of enterprise architecture. Consider, for a moment, that any enterprise architect worth their salt understands that every decision they make needs to be sustainable. The ones that have wholesale adopted practices such as outsourcing are derelict in their duties.
Sustainability says that wise enterprises will figure out ways to build talent that they will need twenty years from now and that working with high-school students is not just a matter of volunteerism but that someone should be on the payroll and working towards this notion full-time as part of their day job.
Part of the problem is that we enterprise architects sometimes can't see the forest for all those damn trees, as we are too busy concocting strategies. We also fall prey to industry analysts and the patterns they promote instead of doing the right thing for ourselves.
I would like to compare/contrast conversations I had with two different women industry analysts to show a point. I do apologize if either is offended, but ask that they consider not their own perspective but the larger picture which are the children.
The two analysts are Anne Lapkin of Gartner and Brenda Michelson of Elemental Links. Both provide coverage on the space of enterprise architecture and the notion of talent management.
Now consider from a tradition perspective senior executives have long been seen as the strategy-makers in the organization, their role in the process has been the most extensively written about and examined. In fact, the frequent in-depth analysis of the challenges facing the leader at the top of the organization may have considerable and unconsidered downside. When we focus all our attention and skills on the leader at the top of the organizational chart, we risk ignoring and minimizing the roles of the leaders at all levels who, cumulatively, can have more impact on the organizations actual strategy.
Taking this one step further, very few industry analysts study the bottom of the pyramid and therefore for IT executives who practice Management by Magazine tend to not gain a perspective of what a beginner needs to become aware of and tend to base things on their own perspectives which may not translate into any form of strategy that helps growth either from College, High School or anyone not on the executive track.
Gary, we need to get industry analysts to start talking about the introductory aspects of IT and what is needed to be successful in the new world. While many folks will say that this is intuitive and common sense, I beg to differ. Any study on talent management needs to have not only an executive perspective but one of the high school student as well.
FYI. I also forgot to mention that at work, I also have reporting to me, a wonderful high-school student who knows how to program but isn't yet old enough to drive. Don't assume that all tasks require college degrees as I can factually prove that many tasks don't even require a high school diploma...
Thoughts on BPM and Security
One industry analyst that I have a ton of respect for, Alan Peltz-Sharpe, said something intriguing in this Blog Entry that I have been noodling. The phrase "I'm sure many ECM vendors will be secretly annoyed about this, for they pride themselves on their security capabilities" made me ask myself several questions, including:
- If vendors truly have pride in their security capabilities and we customers want them to do even more, why wouldn't the vendors actually appreciate this?
- I should have articulated that the idea behind the approach wasn't my own but actually came from a very smart enterprise architect who is employed by Johnson & Johnson, as part of a conversation at the Enterprise Computing Strategy put on by industry analyst firm The 451 Group. While I wish I could take credit for it, I in all honesty can't. I am simply providing amplification of his thoughts.
- I have been debating the merits of standards bodies, which many folks will get twisted about and think of as being anti-social. The thesis of my argument is: why would an enterprise pay to participate and get the right to vote? Should I care about my right to vote, which may or may not result in commercial and open source vendors actually implementing, or are enterprises better off trying other approaches?
- What approach would an industry analyst firm such as Alex Fletcher and Entiva, the folks over at Macehiter Ward-Dutton or even your firm recommend as an alternative approach to getting sorely needed specifications implemented by their vendors in an expedient way? I would also love for you to share insights on how an industry analyst firm can provide acceleration and amplification in this regard.
- Part of the thing that slows down participation yet at the same time increases implementation is that this needs to occur one vendor at a time. This is primarily driven by the fact that participants in a conversation may leak things that the vendor and their NDA wouldn't want discussed with outsiders. Likewise, if the vendor hears the same requirement echoed in the same words at the same time by dozens of Fortune enterprises, they will have competitive advantage over vendors who choose to stay annoyed and not listen to the desire of the many. Once implemented, other vendors in this space, regardless of whether a standard exists or not, will have no choice but to implement, as they wouldn't want to be left out by the same industry analysts who put them into matrices comparing vendor A and their features to another...
- Likewise, this notion was discussed with the vendor in advance, who thought that the opportunity to understand requirements across multiple customers at the same time, removing the need to distill each and every distinct conversation across vendors, provides them with a level of increased efficiency and benefits them as well. In fact, the idea was discussed with the target vendors in detail before it was even mentioned in my own blog.
- New York Life
- Bank of America
- Wells Fargo
- American Express
- Washington Mutual
The goal is to start a conversation around BPM and the following topics:
- External Authorization: Many folks are attempting to use BPM to build composite enterprise applications that may leverage SOA, ECM and so on. The idea says that if I want to optimize people and architecture, I may use a BPM engine to manage tasks while storing documents the tasks need in an ECM repository. This of course causes a disconnected security model where BPM engines have their own thoughts on authorization, which are different from what ECM thinks. Minimally, it does beg the need for the ability to externalize authorization via a standards-based mechanism.
- Active Directory: It would be pretty difficult to find a large enterprise that doesn't have Active Directory. In today's society, since directory services are so pervasive, it no longer makes sense for each and every enterprise application to be creating its own separate and distinct identity store. How come BPM products cannot simply bind at runtime and get their own information instead of requiring enterprises to perform import/synchronization mechanisms? This approach is fugly.
- Encryption: BPM implementations usually contain highly confidential information and therefore the need to encrypt data that is used in the BPM process is vital. NOTE: Encryption shouldn't equal shared secret as most folks are good at keeping them. How about also providing hooks into PKI mechanisms that don't require keeping a password/key in a configuration file in cleartext? Wouldn't it be useful to tag a process as encrypted so that no matter what it touches, all stuff about it can't fall into the wrong hands?
- Single Signon: Revisiting the integration between BPM and ECM for a minute, this also begs the need to have a single signon capability. Why do I have to authenticate to each component which is solely based on a dated construct of ID and Password? Likewise, while there are product-specific ways of solving this such as using Netegrity Siteminder or Oracle CoreID, the better way is to support industry standards such as SAML and/or WS-Federation.
- OpenID: I can't think of a better enterprise scenario for using specifications such as OpenID than to incorporate into a BPM workflow. Having a consistent understanding of identity throughout all business processes would be nirvana.
- Logging: Have you looked at vendors such as LogLogic? If you have considered even for a second the problem of logging within a BPM context, you would see the need to close this gap.
- Identity Propagation: As business processes hop from tier-to-tier, so should identity...
James Brown dies at 73
Thoughts on Zimbra
The notion of software as a service is intriguing to me as the ability to focus on the core business problems within IT without getting distracted by infrastructure is compelling. It seems as if Zimbra's value proposition is to displace Microsoft Exchange which is noble as having a choice is always good for users.
In terms of analysis, the product begs answering of the following questions:
- Open Source: What is the definition they are using? The most popular definition of open source can be found here. I cannot tell whether it complies with all ten principles.
- Provisioning: In terms of a hosted model where an enterprise already has an identity store, am I required to create yet another User ID / Password for every one of my users? Can I at least automate provisioning of an email inbox via an industry standard protocol such as SPML by using my identity management toolset?
- SSO: How do I implement Single Signon via the hosted model? Does it support SAML and more importantly WS-Federation? Is Zimbra working on exposing additional use-case profiles to make SAML better?
- Entitlements: I would love to use an industry standard markup language such as XACML to specify what other users such as my administrative assistant can do with my inbox and calendar. Where is XACML on the roadmap?
- Encryption: I may need to stay compliant with HIPAA and decide to encrypt sensitive outgoing emails based on lexical constructs. Is there an open source equivalent to Zix or a way to use identity based encryption such as Voltage?
- Retention: How do I specify my unique retention policies in order to comply with SEC guidelines in a hosted model?
- Analysts: Which industry analyst firms provide the deepest coverage of your product? Are you on the radar of Raven Zachary and Macehiter Ward-Dutton?
I wonder if Conrad Damon, Kevin Henrikson, Satish Dharmaraj or Scott Dietzen would be able to provide their perspective on the above questions in a future blog entry...
Thoughts on OpenID and how enterprises can participate...
I am a contributor to a variety of specifications, mostly within our particular industry-vertical and the variety of standards bodies that cover them, and have had reasonable success. Part of the reason for success is that the demographic of the implementers is known and, more importantly, they are willing to state upfront their commitment to implement. I wonder, if I publicly commit to defining the authorization portion for OpenID, will Kim Cameron and his MS friends publicly commit to changing the UI for Cardspace to handle it, or will this result in another useless industry specification?
I know that other Fortune enterprises whose primary business model isn't technology will back this initiative and this is surely enough to get lots of things to happen. For example, I know that bringing a total of ten enterprises to discuss the problems of ECM and Security will result in the software vendor taking steps to make their customers happy, but I honestly can't say the same if I spent the same amount of effort in a space that Microsoft plays in.
Part of the problem is that for smaller vendors, identifying who their top sources of revenue are from an enterprise perspective is relatively easy. The only way such an effort wouldn't be futile is if I could know who Microsoft's top ten Fortune customers are in terms of spend and figure out how to get all ten on board. The problem space could be articulated in the fact that while my own employer is a Fortune 100 enterprise, they are by no means even in the top 100 Fortune enterprises in terms of spending money with Microsoft. This says that for my contribution to not go to waste, I really do need the help of others...
The second question that I think begs an answer is why I would spend time on such an initiative. With a full slate of stuff to do at work, this would turn into my own homework at home. While I could easily connect it to business initiatives, I would still have trouble coming up with an ROI. Not that all of my efforts should be ROI driven (NOTE: I do work on compliance-oriented stuff which defies ROI because it's law) but there should be some return even if it isn't monetary.
One aspect of return is of course all of the wonderful potential press that enterprises can gain by showing to the marketplace how innovative their folks are, but this too is highly problematic. First, it requires certain forms of acknowledgement in that enterprises tend to think of industry analysts as the media and therefore require coverage in the form of case studies from time to time. Other than the wonderful folks over at Macehiter Ward-Dutton (a top-notch UK analyst firm), industry analysts in the blogosphere have been notoriously silent on OpenID.
The problem is further compounded in that many analyst firms love to talk about products developed by software vendors and I am neither, which will further guarantee specification shelfware. If folks don't know about it, then they certainly can't use it. At some level, I could attempt to do this work by joining a standards body such as the Liberty Alliance, but unless they are willing to change their model for membership to become more enterprise friendly then this too will fail.
Spending lots of money in enterprises is easy. The key though is that spending of money on external entities usually comes in the form of statements of work, deliverables, etc. Simply being allowed to participate in a conversation will not allow the masses of enterprises to spend money to become a member. Hence, this is the reason why the Liberty Alliance only has four of the Fortune 500 whose primary business isn't technology.
The discussion around OpenID and authorization is vital to being able to conduct meaningful commerce over the Internet in a modern way yet even the Liberty Alliance seems caught up in the hype known as two dot O ism...
Johannes, you have my full commitment to contribute but I really need the help of other identity thought leaders to brainstorm or at least amplify the following problem spaces:
- How do we get Microsoft, BEA and IBM to participate and not champion their own competing specifications?
- How do we get industry analysts to not just tell the story through the eyes of vendors, but also of users?
- How do we get software vendors to implement whatever specifications emerge in this space quicker starting with folks in the BPM, ECM, SOA, CRM and ERP space?
- How do we embrace all of the languages that an enterprise may use and not just Java, .NET and limited support for Ruby on Rails? We need solutions for legacy mainframes, Smalltalk, and the scripting languages too.
- What do bloggers such as Phil Gilbert, Ismael Ghalimi, Tom Baeyens, Dana Blankenhorn, David Berlind, Dion Hinchcliffe, Richard Stiennon, Joe McKendrick and Phil Wainewright and others need to discuss in terms of identity within their own subject areas as they aren't talking about it yet?
I ask that folks study different religious faiths in order to understand other people. Otherwise, you will be condemning yourself to a lifelong journey of hatred and misguided judgement. Many people have strong religious convictions, and it would be impossible to understand them without first understanding their beliefs.
Judaism, Christianity, and Islam are monotheistic faiths practiced by about half of the world’s population. Monotheism refers to the belief in one God. People are often mistreated for their beliefs. In the last century as many as six million Jews were murdered in the Holocaust. Religious conflicts persist in Ireland, the Middle East and in many other parts of the world. The attacks on the World Trade Center and the Pentagon on September 11, 2001 are likely the result of religious conflicts. By understanding one another, we can hope to not just develop tolerance but respect for all people.
Jews and Keeping Kosher
At home, I tend to eat either Kosher or Zabihah as this is what God commanded of all humans. Of course many Christians have gotten it twisted and have strayed towards unlawful foods. Even for those who aren't religious, eating Kosher is more healthy than not. Have you ever seen how they slaughter cows? Ever think about all that dripping blood that other supermarkets leave in the packet for you to purchase and how healthy it is for you to consume?
I have lots of interactions with Jewish folks and many are my friends. At some level, they have frustrated me though by introducing me to Crowns Supermarket which has one of the absolute best bakeries on the planet. Have you ever had their TV Bars? They are easily good for a 1000 calories.
Anyway, yesterday I saw that they are now selling bacon bits and DiGiorno Pepperoni Pizza. The thought of a Kosher grocery store selling pork blows my mind. Jewish people are blessed by our creator with one of the most wonderful faiths on the planet; is it too much for us Goyim to ask that you stick to it...
Sunday, December 24, 2006
Response to Gary Short on the importance of educating children on IT...
My response to his question is simple and I have several thoughts:
First, the US and the UK have similar problems, so my advice is universal. I would minimally say that the problems of universities in terms of teaching software engineering are directly correlated to the notion of tenure. To be a really good software engineer requires experience in the real world working on enterprise scale applications. The folks who get really good at this tend not to be the ones who desire to be tenured professors.
I suspect that if you were to name the ten folks you respect the most in IT, maybe at best two or three of them have their Masters, with the masses only having a Bachelors, and probably none of them actually have a non-engineering oriented degree. Universities in many ways are some of the biggest walled gardens and it is up to us to destroy them in order to save our profession. Teaching software engineering shouldn't be coupled to the notion of credentials. If others agree, then they need to start talking about it.
Each and every IT blogger in the blogosphere should consider volunteering at the high school level and teaching computer skills. If a young individual only sees their jobs going to India (bad experience) or even worse, no experience then how can we expect kids to take an interest in our profession? Over the summer, I volunteered and taught inner-city children Java which I blogged about here.
I chose Java for two reasons: first, it is the language that I know best (I also know C, C++, COBOL, Powerbuilder, Pascal, Ada, RPG and Forth), and two, it gives them hope that they could actually get a job when they turn 16 using it. Likewise, folks such as Yakov Fain graciously donated copies of his wonderful book: The Java Tutorial for the Real World. If I could get authors of Ruby on Rails books such as David Heinemeier Hansson to contribute books for the upcoming Summer, then we will definitely use them. Gary, I unfortunately don't know of a suitable book in Smalltalk that is targeted at younger demographics.
I think the second part of the equation is that as IT professionals, we have to do our part and get out and talk with folks at universities. In the past, I have spoken as a guest lecturer at University of Connecticut to MBA students as well as CS and MIS students at Rensselaer in hopes of sharing my own journey into IT and providing perspectives they otherwise wouldn't get to hear.
As part of my 2006 goals I did state that I also planned on lecturing at the University of West Indies during vacation. Sadly, I have missed this goal but can say that I have firm dates scheduled for next year in this regard.
So, Gary, I hope I answered your question from what I am doing. Now the real question is whether folks who read this blog entry will also take swift, deliberate action in helping both of us further get others to also volunteer and/or at least amplify the call to action to others. Sadly, I believe that most bloggers will exercise their right to remain silent and watch our jobs in America become outsourced...
Boneheaded teacher admonishes student for being too charitable, accused her of making less charitable students feel bad!
Closing Thoughts on Federated Identity and Authorization...
Pat Patterson pointed me towards the Liberty People Service which allows you to understand the relationship between two identities but stops short of one of the business use cases in that only knowing relationship is sufficient in a consumer social networking scenario but won't work for businesses as relationships also need authorization. For example, just because I am the father of my daughter doesn't automatically give me the right to see her medical records when she decides to have an abortion next week (NOTE: I don't have a daughter).
Hopefully, Johannes and Kim can tell me if Cardspace as a user interface and OpenID as a protocol will be extended in the future to support authorization, or should some other standards body start a similar initiative? Of course being able to specify via Cardspace the relationship between me and my daughter and whether I can see her medical records would be cool. I would assume that OpenID would support carrying XACML?
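The following is an added example, not code from the blog or from any vendor named on the page. It illustrates two points made above in one piece of code: the "External Authorization" item in the BPM entry (a BPM engine and an ECM repository should consult one externalized policy instead of each holding its own opinion on authorization) and the medical-records case here (a relationship such as "parent of" is just an attribute the policy sees; it grants nothing unless a rule says so). The design is XACML-like in spirit (subject/resource/action attributes, a policy decision point, deny-overrides combining) but is not an XACML implementation; the rule set, the consent attribute used to permit a relative's access, and all names are constructed assumptions.

```python
"""Externalized authorization: one policy decision point shared by BPM and ECM.

Added example (not the blog's own code). Both enforcement points below defer
to the same attribute-based PDP, so they cannot disagree about who may do
what. Policy is XACML-like in shape, not an XACML implementation.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict      # attributes of the caller (id, roles, status, ...)
    resource: dict     # attributes of the thing being touched
    action: str        # read / approve / delete / ...


@dataclass
class Rule:
    effect: str                          # "Permit" or "Deny"
    condition: Callable[[Request], bool]
    description: str = ""


class PolicyDecisionPoint:
    """Deny-overrides: any matching Deny wins; no matching rule is NotApplicable."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, req):
        decision = "NotApplicable"
        for rule in self.rules:
            if rule.condition(req):
                if rule.effect == "Deny":
                    return "Deny"
                decision = "Permit"
        return decision


# Constructed policy. Note there is no rule that says "a parent may read a
# child's medical record": the relationship alone is never sufficient.
SHARED_POLICY = PolicyDecisionPoint([
    Rule("Permit",
         lambda r: r.resource["type"] == "claim-document"
         and r.resource["owner"] == r.subject["id"],
         "owners may work on their own claim documents"),
    Rule("Permit",
         lambda r: r.resource["type"] == "claim-document"
         and "claims-adjuster" in r.subject.get("roles", ())
         and r.action in ("read", "approve"),
         "adjusters may read and approve any claim document"),
    Rule("Permit",
         lambda r: r.resource["type"] == "medical-record"
         and r.resource["patient"] == r.subject["id"],
         "patients may read their own medical records"),
    Rule("Permit",
         lambda r: r.resource["type"] == "medical-record"
         and r.subject["id"] in r.resource.get("consented-to", ())
         and r.action == "read",
         "a relative may read a record only with the patient's explicit consent"),
    Rule("Deny",
         lambda r: r.subject.get("status") == "terminated",
         "a terminated account is permitted nothing"),
])


class BpmTaskEngine:
    """PEP #1: the workflow engine asks the PDP before completing a task."""

    def __init__(self, pdp):
        self.pdp = pdp

    def complete_task(self, user, document, action):
        return self.pdp.decide(Request(user, document, action)) == "Permit"


class EcmRepository:
    """PEP #2: the document store asks the same PDP before serving a file."""

    def __init__(self, pdp):
        self.pdp = pdp

    def fetch(self, user, document):
        if self.pdp.decide(Request(user, document, "read")) != "Permit":
            raise PermissionError(f"{user['id']} may not read {document['id']}")
        return document["id"]


if __name__ == "__main__":
    father = {"id": "dad", "relationships": {"parent-of": ["daughter"]}}
    record = {"id": "MR-7", "type": "medical-record", "patient": "daughter"}
    print(SHARED_POLICY.decide(Request(father, record, "read")))   # NotApplicable
```

Because both the task engine and the repository hand the same attribute bag to the same decision point, adding a rule (or a consent attribute on a record) changes behaviour in both systems at once, which is the whole point of externalizing the decision.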
To date, the discussion and more importantly the reference implementations have all been done in either Java or .NET. Should Ruby on Rails and Smalltalk become second-class citizens in this regard? Anyone have thoughts on how federated identity should work against RACF?
So, the community has been successful in demonstrating how federated identity works and has even shown us enterprisey folks how to write better code, but ignores one truth. Enterprises nowadays have a preference to buy vs build. So this begs the question of who in the identity space is working with small software vendors in the ECM space (e.g. Documentum, Alfresco, Filenet), in the BPM space (e.g. Intalio, Lombardi, Pega), in the CRM space (e.g. Salesforce, SugarCRM, Siebel), in the portal space (e.g. Liferay, BEA, Oracle), in the ESB space (e.g. CapeClear, Sonic, ServiceMix, JBoss) and so on? Or are we hoping that they will take their own initiative to get it themselves and simply build it in?
How should federated identity be thought of in a provisioning context? Do specifications such as SPML and/or WS-Provisioning still matter? What other security specifications should federated identity connect to that hasn't already happened?
Anyone ever discuss how SAML needs to support identity propagation? For example, if I have Cardspace running via Firefox and it submits identity to Liferay Enterprise Portal, which is running on JBoss talking to a SQL Server database, wouldn't it be great if SQL Server understood not only SAML but could understand all of the attributes of a user without breaking current J2EE pooling mechanisms?
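As an added example (not code from the blog), here is the hop described above reduced to its mechanics, and it also serves the "Identity Propagation: as business processes hop from tier-to-tier, so should identity" item in the BPM entry. The portal tier wraps the authenticated end user in a signed, short-lived context; the service tier verifies it before trusting it; the database tier keeps one pooled service-account connection and records the propagated user per call, so pooling is not broken and the audit trail still names the real person rather than the pool's account. Assumptions: an HMAC over a JSON body stands in for a SAML assertion's XML signature, SQLite stands in for SQL Server, and the tables, key and sample rows are constructed for the demo.

```python
"""Identity propagation across tiers over a shared connection pool.

Added example, not the blog's own code. A constructed HMAC-signed context
stands in for a SAML assertion; SQLite stands in for SQL Server.
"""
import hashlib
import hmac
import json
import sqlite3
import time
from dataclasses import dataclass

# Constructed key shared by the portal (issuer) and the service tier (verifier).
_PROPAGATION_KEY = b"demo-only-propagation-key"


@dataclass(frozen=True)
class IdentityContext:
    subject: str        # end user, e.g. the NameID carried in the assertion
    attributes: dict    # attributes asserted by the identity provider
    issued_at: float


def issue_context(subject, attributes):
    """Portal tier: wrap the authenticated identity in a signed, compact context."""
    body = {"subject": subject, "attributes": attributes, "issued_at": time.time()}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(_PROPAGATION_KEY, payload, hashlib.sha256).hexdigest()
    return payload, sig


def verify_context(payload, sig, max_age=300):
    """Service tier: reject a context that is tampered with or stale."""
    expected = hmac.new(_PROPAGATION_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("propagated identity failed signature check")
    body = json.loads(payload)
    if time.time() - body["issued_at"] > max_age:
        raise PermissionError("propagated identity is stale")
    return IdentityContext(body["subject"], body["attributes"], body["issued_at"])


class PooledDatabase:
    """Database tier: one service-account connection reused for every caller.

    Identity travels per call, not per connection, so the pool stays shared
    while the audit table still records the real end user.
    """

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")   # the single pooled connection
        self.connections_opened = 1
        self.conn.execute("CREATE TABLE records (id INTEGER, owner TEXT, body TEXT)")
        self.conn.execute("CREATE TABLE audit (actor TEXT, action TEXT, record_id INTEGER)")
        self.conn.executemany("INSERT INTO records VALUES (?, ?, ?)",
                              [(1, "alice", "claim 1"), (2, "bob", "claim 2")])

    def read_record(self, ctx, record_id):
        # The propagated subject, not the pool's service account, is audited.
        self.conn.execute("INSERT INTO audit VALUES (?, ?, ?)",
                          (ctx.subject, "read", record_id))
        return self.conn.execute("SELECT owner, body FROM records WHERE id = ?",
                                 (record_id,)).fetchone()

    def audit_trail(self):
        return self.conn.execute("SELECT actor, action, record_id FROM audit").fetchall()


def handle_portal_request(db, user, attributes, record_id):
    """End-to-end hop: portal issues, service tier verifies, database audits."""
    payload, sig = issue_context(user, attributes)   # leaves the portal
    ctx = verify_context(payload, sig)               # enters the service tier
    return db.read_record(ctx, record_id)            # reaches the database


if __name__ == "__main__":
    db = PooledDatabase()
    handle_portal_request(db, "alice", {"role": "adjuster"}, 1)
    handle_portal_request(db, "bob", {}, 2)
    print(db.audit_trail(), "over", db.connections_opened, "connection")
```

The verification step at the service boundary is what keeps the pattern safe: a downstream tier that simply trusted a "current user" string set by the caller would let any compromised upstream component impersonate anyone, whereas here the context must carry a signature the portal alone can produce.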
I would love to know if anyone has a real implementation where they have converged federated identity with technology traditionally used in the physical world. There is an emerging trend of converging logical and physical access whereby if I log onto my PC at work but haven't badged into the building then alerts are triggered. What if I were to take my Citigroup Employee ID and as a pre-registered guest could automatically enter the building of United Healthcare?
Is it possible for a NON-Sun employee to tell the world why anyone would want to join Liberty Alliance if your primary business model isn't technology? It seems as if those whose primary business model isn't technology are outnumbered by at least twenty to one. Even the industry analysts no longer talk about the Liberty Alliance, which hints that it is no longer relevant...