Wednesday, January 31, 2007
Enterprise Architecture and Collaboration
Many enterprise architecture teams attempt to solve feudal issues by encouraging collaboration. Feudality says that different parts of the organization compete with each other even though they are from otherwise disparate parts of the enterprise. Likewise, an executive will compare two groups each whom have different missions and very little to do with each other, but when views through management goggles from a very high altitude, they appear similarly blurry.
Collaboration discussions are sometimes done for ceremonial reasons to show outsiders that groups can work together or at least they did something where the amount of meetings is the primary measure of progress. Under the hood, once we remove our heads from the clouds will think about these activities as yet another time-wasting management runaround and return to business as usual.
What if enterprise architecture teams embraced the notion of horse trading whereby the managers of two disparate groups were managed to what they produce and could actually use each others results then trading would be natural and not mandated. The Cathedral and the Bazaar, the Starfish and the Spider or whatever management book analogy you prefer should always be considered.
If your organization competes with itself, you should eschew collaboration and instead refactor your organization...
Enterprise Portals and Security
I downloaded the latest release of Liferay Enterprise Portal over the weekend to familiarize myself with all the latest features. Out of the box, it integrates with ServiceMix, the number one open source Enterprise Service Bus within Fortune enterprises along with integration with both Alfresco (Enterprise Content Management) and JBoss JBPM. A portal that integrates with an ESB, ECM and BPM out of the box is exactly what enterprises seek yet the large analyst firms seem to be ignoring them. Luckily, enterprises realize that the reason Liferay doesn't get coverage is that it has a higher goal than merely making money and therefore the pursuit of the magic quadrant or wave doesn't really matter. I suspect if the analysts changed their models to be more friendly towards open source then Liferay would be in the leaders category, but this is a topic for another blog.
In terms of security, Liferay also uses secure software development practices and is a participant in Fortify Software secure coding program. I haven't heard of the portal development teams from either BEA, IBM or Oracle using the same tools, nor evangelizing secure coding practices so this probably is a predictor.
Liferay also seems to be the only Portal, Commercial or Open Source that provides seamless out-of-the-box integration with Single Signon products ignoring Yale CAS, Netegrity Siteminder and others. As we know, SSO products help in the security challenge as it reduces the amount of passwords folks have to write down on sticky's.
Liferay also supports externalization of authorization via the XACML protocol. BEA Enterprise Portal is the only other in the marketplace that does so today. This is important especially in situations where portals are used to aggregate different products (BPM, ECM, ERP, CRM, etc) that may all have their own disparate authorization models.
Finally, if you decide to create your own identity store for the portal it supports the SPML protocol which integrates nicely with all those wonderful identity management tools in the marketplace. I wonder if there are other portals that plan on supporting both Cardspace and OpenID?
Will writing applications to a VM displace Linux?
This still leaves several questions in my mind including but not limited to:
- If I am a software vendor, how does this change how I may Build Software Appliances?
- Is anyone out there working on a book that will in detail, explain how to write an application to the VM layer?
- By hooking into the VM layer, wouldn't it provide additional licensing transparency to software vendors whom otherwise don't trust the enterprises who buy their products and deploy them in a virtualized setting?
- With virtualization, para-virtualization, Azul Systems, Solaris Containers and other approaches, how does a software vendor write their applications in a portable way if embarking on the model that BEA is leading?
- By removing the operating system, one could speculate that it could provide additional performance of 2% or so. Does this position BEA to win J2EE Benchmarks and beat out JBoss and IBM?
- Are the folks that develop VMWare using secure coding practices?
- Would the Microsoft .NET framework folks be well-served by considering doing the same even if it removes a Windows license?
- How long will it be before Ruby on Rails and Smalltalk communities do the same or do you believe they will stick to their ways and say that performance doesnt matter?
- It is my opinion that relational database vendors such as EnterpriseDB, Ants and MySQL would be well-served by incorporating this into their strategy. Whom else in the DB community should be paying attention?
Tuesday, January 30, 2007
Recent Thoughts on Rules Engines
Bet you didn't know that Ruby on Rails has its own Rules Engine. It doesn't seem to use the RETE algorithm, do any form of inferencing or chaining but it is declarative. Maybe someone from the Rules community could blog their own perspectives on this rules engine?
This does of course stimulate additional questions that I would love to know the answers to including, but not limited to:
- Are rules engine vendors doing themselves a disservice by only targeting Java and/or .NET?
- Where can I find the litmus test to tell if this is truly a rules engine or should be labelled as something else?
- Does anyone know of a Rules engine for Smalltalk that implements RETE? or should we continue to think of Smalltalk as a second-class citizen in this regard?
- How come folks such as James Taylor, Brad Appleton, William McKnight or Sandy Kemsley haven't ever compared/constrasted development done via declarative rules-based approaches vs. modern configuration-oriented approaches such as Ruby on Rails?
- Rules engines in most products are for the most part single threaded. When will Rules engines become useful in grid computing applications?
- When can we expect Barbara Von Halle to start talking about Rules from an architecture perspective vs project management perspective and actually blogging it?
Association of Open Group Enterprise Architects
First, they coupled membership to Certification which is generally a bad idea as this filters out really good folks in our profession who generally wouldn't make the effort to take a test. Most certifications are really good at establishing so-called credentials for folks who are employed by consulting firms who otherwise don't have the requisite background. If you have ever noted other certifications such as CISSP, you will note that pretty much the entire population works for consulting firms with the numbers at best representing 1% of full-time employees of end-user customers.
I learned of this certification from noted industry analyst Brenda Michelson whom also didn't provide in usual analyst form, any predictions on what types of folks will pursue, which will ignore and so on. She is probably aware that pursuit of certification within enterprises becomes important when IT executives who practice Management By Magazine read lots of articles in leading publications saying this is important. The Open Group simply isn't on the radar of most CIOs.
Another characteristic that any professional organization should strive for is in getting its members to share their knowledge with the public. To do so, is not just noble, it should be measured before one even becomes a member. Consider, all those enterprise architects who blog, present at conferences, write books and so on. Shouldn't they automatically be given fellow status?
Monday, January 29, 2007
Comparing Bush and Clinton
So when will ECM products include Document Composition features...
I would for Alan Pelz-Sharpe in upcoming blog entries and future research reports to talk about not only when document composition solutions will become engrained into ECM products but specifically what standards that yet don't exist that should be created.
For those in this space, they may be familiar with vendors such as Whitehill Technologies, Perfectus Solutions, Document Sciences, Exstream, ISIS Papyrus, Docucorp and Adobe, absolutely none of them integrate into ECM vendor offerings by Documentum, FileNet, OpenText or Alfresco using any standard mechanism...
The ECM space seems to be not only the least dysfunctional when it comes to thinking about ECM and Security but is even weaker when it comes to creating industry standard specifications for their own domain. What prevents John Newton of Alfresco from working with Howard Shao of Documentum to create some standards in this space and getting them submitted to some standards bodies? Maybe folks such as Matt Asay could start noodling all of the standards that should exist in the ECM space?
Alan Pelz-Sharpe pointed out that in the ECM space the Blind are leading the blind and mentions: you'll find not only old and unintegrated products elements, you will also find rag-tag sales teams who each may know a part of the puzzle, but claim to understand it all". This feels like a call to action for the ECM community to consider forming their own standards body that shows how integration and interoperability based on industry standards could possibly work. Maybe Alan could also provide guidance to the vendors in this space on how to get started!
In searching the blogosphere, I ran across an interesting competition between six vendors: Stellent, FatWire, Web Side Story, Red Dot, Interwoven and Ektron where they competed against each other at a recent Gilbane Conference. I was hoping that Erik Hartman, Lisa Welchman and Theresa Regli could provide perspectives as to why Filenet, Documentum and OpenText were not participants?
I wonder if the folks over at the 451 Group would consider hosting a similar competition at their 2007 Innovation Summit. Have to check with Nick Patience on also inviting the likes of Alfesco and Drupal to the table.
I do have one curious question for the blogosphere that I can't find the answer to. What are the best practices for logging in the ECM space? Has anyone integrating ECM, Content Creation and LogLogic?
There are many folks in the blogosphere named James Robertson. The smartest of the bunch recently published an entry entitled: Top 10 mistakes when selecting a CMS that I encourage folks to read...
Should Security Patches always be free?
It seems as if different vendors have different opinions on this topic. For example, Sun makes them freely available (in terms of cost) but requires registration while other vendors may take approaches that still require support contracts. Of course in open source, patches are always free but not always clearly delineated.
I wonder if folks such as Gunnar Peterson, Michael Howard, Mark O'Neill, Phil Windley, Bruce Schneier, Bill Gross, Jeff Jones, Anton Chuvakin, Tom Olzak, Lou Bolanis and Sol Tzvi have an opinion on what vendors should do in this regard?
Industry Vertical Standards and the Semantic Web
His thesis is how to use XML and apply meta-data to gain insight and increase both human and machine understanding of the data so that better decisions are made. He will probably avoid the below, but I hope he doesn't:
- How incremental should a standards body be in terms of semantic approaches? When do incremental approaches result in the wrong decisions?
- Semantic is a paradigm shift which usually requires starting from scratch to come up with an ideal approach. When should existing standards be scrapped?
- Whom within this vertical, do you think will be the first to implement a solution based on semantic approaches once standards emerge?
- What can vendors such as IBM, Oracle, BEA, Sun and Microsoft do to help encourage semantic approaches within industy vertical standards bodies?
- Celent Research will probably provide some industry analysis, but do you think that this topic is also worthy of research by Gartner, Forrester and The Burton Group?
Sunday, January 28, 2007
A Developers Perspective on Enterprise Architecture...
The bully mentality is at the root cause of the problems with enterprise architecture as we have an equal duty to not only work on concerns of IT executives such as outsourcing, business alignment, improving the portfolio, but to also focus on those whom from an organization chart perspective are junior to us.
In many enterprises, the EA team doesn't collaborate with development, they control them which results in paralysis. Sometimes developers are sincere in their intent to deliver business value yet they can't ask the EA team for advice but instead are of the mindset of asking for permission. If an enterprise architect says no, development doesn't proceed.
Of course, IT executives can trump enterprise architects but this is more about abstract authority and less about what is the right thing. Sometimes developers trump enterprise architects and come up with brilliant strategies but we think that no one can provide strategies except for those higher up the food chain. This puts developers in an interesting position whereby they can implement the strategy themselves without declaring their intent, they can attempt to get an enterprise architect and/or IT executive to consider the strategy whom will ultimately put their name on it and not provide attribution as to where it originated or three simply not bother and let the enterprise suffer from less optimal ideas.
Better software developers have a fourth choice and that is to take their ideas where they are appreciated and run away from enterprise environments towards either consulting and/or software companies. If you look at the blog of Robert McIlree, Todd Biske and others who blog on enterprise architecture, 99.9% of all of the information they share is from the perspective of the enterprise architect working up the ladder. Every once in awhile, they may share wisdom that is about enterprise architects working with other enterprise architects in other shops but it is rare for them to talk about the need for enterprise architects to work downward as well. For the record, I am equally guilty of this practice and hope that others will serve to keep me honest by achieving balanced discussions in the blogosphere.
Anyway, I wonder if Robert McIlree hasn't seen or is avoiding the sole question asked here...
Thoughts on Identity Bloggers...
- While the SAML specification supports the XACML specification, no one vendor has an implementation, so how should customers fill in the blank?
- Whether using OpenID or CardSpace, how should these two approaches solve for the need to not only model relationships but to also represent authorization around relationships?
- When do you see J2EE portals, Enterprise Content Management Systems and BPM Engines supporting OpenID and which vendors will emerge first?
- What should enterprises consider when embarking on user-centric approaches to identity? What are some of the evil things that enterprises will do out of years of indoctrinated habit and mediocre practices that need to change?
- How important is it for implementation of OpenID to also embrace the notion of secure coding practices?
- What are the ten things that industry analysts need to consider researching in terms of enterprise adoption of user-centric identity?
Analysis: John Newton of Alfresco
For the record, my day job nor personal interests requires me to understand ECM yet I find his pattern of thinking interesting. In his latest blog entry he discusses his experiences in listening to the likes of Tony Blair, C.K. Prahalad, Bernard Liautaud, Shimon Perez, Sergy Brin and Larry Page and John Chambers. The opportunity to sit down with the most brilliant people in the world and talk about the most extraordinary things is something that most humans have a quiet desperation to experience. My life is filled with mediocrity and in many ways, my blog lives through the eyes of others.
I can say that serving on a panel with the likes of John Newton and Marc Fleury, as they are two of the few within IT that I think are brilliant. Sadly, I haven't personally met anyone outside of IT that I consider truly brilliant. I can say that I know several NFL players who grew up in my town, I met Gail King who is Oprah's best friend, and even met several US senators and other famous folks, but I can't really call any of these folks brilliant. I guess I can say that in my travels, I have been priveleged to discuss politics with the likes of Chuck D. of Public Enemy and KRS-One. I can even say that I was enlightened by running into Flava Flav on Houston Street one day when he was out in the street cursing because someone stole the battery out of his Datsun, but insight isn't necessarily the same as brilliance.
If it isn't too late for me to change my goals, I hope that this year I will be fortunate to talk with folks whom I find as truly brilliant. I would love to talk face-to-face with the following brilliant individuals: Michael Savage, Guy Kawasaki, Jack Welsh, Jacques Aigrain, Muhammad Yunus, Carl Icahn, Bill & Melinda Gates, Ayman al-Zawahiri, Hank Paulson, Rajat Gupta, Kenneth Chenault, Zhou Xaiochuan, Azim Premji, Bill Gross and William Haseltine as they could each shortcut the necessary mentorship the journey for things that I would otherwise struggle to achieve.
In the meantime, I hope that John continues to share his thoughts, his journeys, his rants and screeds with others in the blogosphere so folks like me can at least aspire for something better...
How the Ruby Community keeps James McGovern honest...
In some ways, many bloggers are ranting because they are selling to folks who have already bought the party line while not brainstorming ways to get others to see the same value proposition they see. Let's stop talking about bottom up evangelism of open source, community 2.0 and the participation age but lets figure out how we can get those who can execute top down strategies to embrace it to better enable the strategic intent of the business they run.
My first blog was entitled: Thinking out Loud where the first step away from coffee clutch conversations is to throw ideas out in the public eye without necessarily waiting for them to be perfected (if there is such a thing). It minimally was the excerise that I put myself through in order to rid myself of the evil demons that have indoctrinated me into control the message thinking. Of course, I would love to reach higher levels of maturity with the notion of Loud Thinking being the highest on the maturity model but this is not something that will ever be seen, at least not within my own lifetime.
The second step for me was the notion of Thought Leadership where I would not only through out ideas in the public eye but attempt to plant seeds in which others could grow. Some have been wildly successful while others have turned into compost.
Last year, I commented that Ruby on Rails isn't enterprise ready by declaring facts that where true at the time so as to change the conversation. Of course this tactic caused many folks to respond passionately with matters of opinion instead of matters of fact but it did plant seeds that caused a few to get off their butts and create situations where they could factually prove me wrong.
I wonder if the same tactic could be used to attack enterprises for not participating in a larger context? Don't focus on me as I am a needle in a haystack. The important thing is to solve for the masses and figure out ways to also encourage them to participate while making it easier for those who take that small but important step towards being open. External conversations do have an effect on internal conversations but it is up to folks in the blogosphere to ensure that for those who participate that those effects alway remain positive...
Saturday, January 27, 2007
The Lack of Christianity in the workplace...
More Thoughts on Authorization
- From an architecture standpoint, authentication has been largely solved with Single Sign-On architectures. It does not mean that companies have deployed it yet
I would challenge this statement as many products are not yet enabled in either the BPM or ECM space in order to support SSO. Can I out of the box via configuration support SSO via SPNEGO, SAML, WS-Federation or even OpenID in any BPM and/or ECM product today? I sure would love to know which ones do because I haven't yet ran across one that didn't force each and every customer to write code if they wanted to make this happen.
- For some time, one of the references in the space was the Role Based Access Control model developed by the National Institute of Standards and Technology (NIST).
In my humble opinion, NIST is a good starting point and can be better implemented by folks in Europe whose organizational structure tends to be more hierarchical whereas NIST breaks down in the Americas due to our poorly thought out notion of dotted-line reporting, matrixed teams and frequent reorganizations. I would love to see security folks in the blogosphere propose what NIST 2.0 would need to look like.
- The technology is good, but the challenge has been in getting multiple vendors to adopt it.
It is my hypothesis that the large software vendors all have XACML on their radar but will not implement rapidly the PEP portion until they have their own PAP and PDP. The reasoning says that if they do the right thing by implementing PEP throughout their product line, they will view this solely as an expense where they can't make any money by making security better. If they however focus on PAP and PDP, then they can create another product to sell to us enterprisey folk. When there are lots of new products, analysts get excited. Hopefully though the marketplace has predicted the analyst behavior and hopefully they will be smart enough to talk about the importance of PEP in existing products.
- They might also come from BPM vendors, for business processes provide the right set of scenarios for defining meaningful entitlement policies.
Ismael, you missed a wonderful opportunity by using the word might. Now is the time to show the rest of the industry what leadership looks like by saying that Intalio will be the first vendor to support XACML PEP built right into the BPM engine. You have to acknowledge at some level that industry analysts who read blogs might be getting smart enough to ask some more challenging questions. Minimally, your competitors will detect your hesitancy and will pounce.
- Security, alongside discoverability and resusability, is one of the services that should be offered by a good ESB, and entitlement is one of its critical elements.
You are absolutely on the money. ESB vendors also need to pay attention to external entitlements. I know BEA will show leadership in this arena with their Aqualogic Service Bus. It is anyone's guess as to where Dave Chappell and Sonic is on this aspect. I do predict that ServiceMix will be number two with a close following by the guys over at MuleSource.
- Essentially, entitlement definition becomes a simple by-product of process design
You are onto something with your comment about swimlanes as these show roles and priveleges very crisply. The question I would ask is if you believe that the vast majority of enterprises who are currently doing BPM model in a swimlane fashion? If not, what do you think needs to occur for them to adjust their thinking in this regard?
- The way an ECM system would fit into this picture is quite interesting as well. Access control is a critical feature of any ECM to be deployed within an enterprise environment, and sharing the same entitlement architecture with the BPMS and the ESB would provide significant benefits
You are absolutely brilliant in this statement. Any predictions on which ECM vendor whether it be Alfresco, Documentum, Filenet, OpenText or others that will get their first?
- As far as I know, no BPM vendor has ever adopted such a model in combination with an ECM and an ESB. Nevertheless, the technology exists today for building such a thing, and all we need is enough customer interest for getting it done. This is something that Intalio is actively pursuing today, and I would expect that we will be in a position to announce interesting developments in this area sometime this year.
The blogosphere looks forward to learning more about these interesting developments and I will commit to hopefully being one of the first to provide amplification. Please make sure you get the industry analysts at Gartner and Forrester to pay attention in this regard.
Best wishes to folks at Intalio and I hope that the 2007 Magic Quadrants and Waves are kind to you...
Friday, January 26, 2007
Enterprise Architecture: Learning to be Human
Sometimes us enterprisey folks get caught up in strategies around saving money, spending money, wasting money or even once in awhile making money but we often forget to not only act like humans but treat others the same. Below is a list of rules in being human:
- You will receive a body. You may like it or hate it, but it's the only thing you are sure to keep for the rest of your life.
- You will learn lessons. You are enrolled in a full-time informal school called "Life on Planet Earth". Every person or incident is the Universal Teacher.
- There are no mistakes, only lessons. Growth is a process of experimentation. "Failures" are as much a part of the process as "success."
- A lesson is repeated until learned. It is presented to you in various forms until you learn it -- then you can go on to the next lesson.
- If you don't learn easy lessons, they get harder. External problems are a precise reflection of your internal state. When you clear inner obstructions, your outside world changes. Pain is how the universe gets your attention.
- You will know you've learned a lesson when your actions change. Wisdom is practice. A little of something is better than a lot of nothing.
- "There" is no better than "here". When your "there" becomes a "here" you will simply obtain another "there" that again looks better than "here."
- Others are only mirrors of you. You cannot love or hate something about another unless it reflects something you love or hate in yourself.
- Your life is up to you. Life provides the canvas; you do the painting. Take charge of your life -- or someone else will.
- You always get what you want. Your subconscious rightfully determines what energies, experiences, and people you attract -- therefore, the only foolproof way to know what you want is to see what you have. There are no victims, only students.
- There is no right or wrong, but there are consequences. Moralizing doesn't help. Judgments only hold the patterns in place. Just do your best.
- Your answers lie inside you. Children need guidance from others; as we mature, we trust our hearts, where the Laws of Spirit are written. You know more than you have heard or read or been told. All you need to do is to look, listen, and trust.
Why Enterprise Security will remain elusive...
The promise of externalizing fine-grained authorizations from enterprise applications is compelling as it provides numerous benefits to enterprises. Much of this will be accomplished by the folks at Oasis and the creation of the XACML specification.
XACML defines several components such as a Policy Administration Point (PAP) which allows for centralized administration, Policy Decision Point (PDP) which defines how rules/conflicts are resolved and the Policy Enforcement Point (PEP) which is responsible for the actual enforcement of all policies. The Policy Enforcement Point in the proper implementation is built directly into the architecture of the enterprise application itself.
The problem emerges in that the PAP and PDP are essentially new components within the enterprise and therefore can be productized. If a software vendor can create new products around things then analysts get excited as they can classify things and this is where the breakdown occurs. The need for PAPs is important but is heavily dependent upon enterprise application vendors also supporting the XACML PEP portion. Of course, to date analyst firms aren't even asking vendors where this is on their roadmap.
Consider the typical enterprise who may have 300 enterprise applications and the need to externalize authorization. Analyst firms will talk about the need for administration but will not research why the authorization can't be connected to all 300 enterprise applications. Part of the challenge for industry analysts is that security is not just something that needs to be discussed by security-oriented analysts but is more pervasive. For enterprises that buy enterprise software, if the analysts that cover the BPM, ECM, ERP, ESB, Portal and CRM space simply aren't asking the right security questions, then the ability to externalize authorization may never materialize.
To date, very few vendors have even discussed their implementations of XACML PEP. I have observed in the blogosphere positive support from Vordel, BEA, IBM, Identity Engines, LogLogic and Oracle but the masses haven't yet received the message. I would be keenly interested in understanding the perspectives of Ismael Ghalimi, Phil Gilbert and Matt Asay as to where XACML PEP is on their own employer's roadmap but may never hear back via trackback.
Likewise, the other security-oriented bloggers in the blogosphere are still hyping identity and have avoided conversations around authorization. The reasons range from lack of knowledge on the subject all the way to the usual excuse of focusing on what customers ask for to lets take an incremental approach, all of which results in avoiding talking about the needs of enterprises.
The funny thing is that Sun created the reference implementation of XACML but hasn't done much with it. It would be wonderful if Mark Dixon and Pat Patterson could outline in upcoming blog entries, how they see other vendors implementing XACML PEP along with thoughts as to how it will be incorporated into the Sun product offerings. Likewise, bloggers such as Dick Hardt, Kim Cameron and Identity Woman have been equally silent as it will probably result in a lot of work for them in terms of making their product align to it. Avoidance of opening Pandora's box may be another reason why XACML PEP isn't well discussed.
Luckily, there are two bloggers with tons of integrity that does have the courage to talk about the need. Kudos to Shekhar Jha and Todd Biske whom I hope can do more frequent blogging and help keep the conversations in the blogosphere more honest...
One person's thoughts on methodology...
His opening was intriging:
- Methodology is killing software development. Pre-occupations with standards and enterprise architecture are taking away the creativity from software. Instead of being the software developer’s best friend, architecture oversight groups are assuming the role of armchair dictators and throwing a spanner in the software development life cycle.
I would love to know where he works, the characteristics of the executives above him and has he in the past stepped in their great leadership. More importantly, what can we bloggers due to help him make his enterprise better or at least give him a perspective as to why all of these things are happening...
The Department of Homeland Stupidity and how they are weakening identity...
Thursday, January 25, 2007
Refining the definition of enterprise architecture...
It is OK, if you decide to remain silent on this question...
Top Talent and what to do when they depart...
What if the enterprise architecture team as part of talent management convinced the cordial but otherwise clueless folks in human resources to figure out better ways to transition work to others under the supervision of architects. The key word that you should focus on is transition which implies that there are abrupt cutoffs, milestones, hurdles, gates, etc. What if transition included the ability to pay the departing employee two additional weeks of pay after their last official day on the job? Would an employee be more than likely to help you down the road after they have transitioned?
The real problem with why such approaches will never go anywhere is that within large enterpries, the actions and policies are not in harmony. The proper value system that IT executives such encourage includes:
- Placing heavy value on the contributions of top talent
- Establishment of an alumni network prior to departure
- The expectation of every new hire that they if they leave, the company expects a professional transition
- Strong indication from management by putting egos aside and setting the tone for their return in the future if mutually agreeable
- A reward even when it is the individual's decision to depart which sends a message that you otherwise couldn't buy
I wonder if I could get Brenda Michelson to figure out other aspects of talent management that us enterprisey folks should be paying attention to? Anyway, John Meaney gave me some thoughts on this topic, so I can't take all the credit...
Assessments and Evaluations
- I’m guessing that it must be annual review time at his place of employment.
For the record, this posting has absolutely zero to do with work. It has to do with observations of my industry peers and their rants and screeds. I figured I would comment on their perspective and some of it may or may actually differ from my own (my disclaimer already states this though).
- You need to know your strengths and you need know your weaknesses, and you need to be objective about them.
Absolutely, it is important that each and every individual constantly self-reflect on their experiences and tune accordingly. I guess there is subtle distinctions though between self-reflection and self-evaluation...
- The successful leaders don’t go out and find people with the exact same strengths as their own. They go out and find people that complement their strengths.
Whoa, you are using a definition of success that most folks probably aren't familiar with. I bet it wouldn't be too difficult for you to name at least one hundred IT executives you have met in your travels that have risen the ranks of many organizations who are otherwise clueless but are successful because they surrounded themselves by folks that are less than them. We have all heard the analogy, A's hire other A's but B's go and hire C's.
- So, when I’ve been assigned to a project in a leadership position
Stop abusing the word leadership. Leaders are never assigned but management is. Management and leadership as words are not interchangable.
- key to success is to understand your strengths AND your weaknesses, and surround yourself with people who can complement you.
If you are an A, go and hire another A. But if you are a B, you better go and find as many C's as possible...
- It will usually stem for the reference model that is used for comparison. If this reference model is documented, and both parties agree to it beforehand, you’ve at least eliminated one variable from the equation. The less that is formally documented, the more difficult the assessment becomes.
Reference models are beautiful things when comparing SOA approaches but yet they don't exist for humans (at least in the United States). You probably are aware that you are being compared to someone whom you may not even know nor if you did, wouldn't have a sense to understand the characteristics which lead to their score since all of that is HR confidential. Individuals sometimes need a bearingpoint so that they can tell how they are positioned relative to others. Since the notion of a bearingpoint is HR confidential most folks wander around lost in the wilderness.
I would say that my fellow IT professional in India got this right as it is typical for them to trade information on their reviews, salary increases and so on. If pay is a yardstick to measuring success then the folks over in India who will openly discuss their salaries are afforded an opportunity to build their own social bearingpoint. I wonder if our Indian bloggers could provide tips on how us Americans can inject this into our own culture?
- This reference model has to be independent of what your boss wants or what your company wants.
You are onto something here. I would challenge you though to not think of the needs of a company as being distinct of the needs of an individual. We need to find ways to achieve a chaordic balance. Success is in the mix. How about encouraging companies to consider incorporating external factors into their internal human reference models. The enterprise is no longer insular and minimally needs to index itself not only in terms of IT strategy but the caliber of individuals on its payroll against other enterprises it either competes with and/or partners with. This would be a better predictor of success.
Wednesday, January 24, 2007
RSA Conference: PingIdentity and OpenID
- Getting RSA to implement support for OpenID not only within its own products but all applicable EMC products
- If you see folks from salesforce.com, ask them if they would consider embracing OpenID?
- A lot of the discussion in the blogosphere has been cordial when it comes to the PKI discussion and the ability of OpenID to integrate with PKI approaches that use Client Certificates. I would love for you to talk about how OpenID can displace Client Certificate approaches in consortiums such as the SAFE initiative in pharmaceuticals.
- I have failed miserably in getting folks to discuss incorporating relationships, authorization and attestation into OpenID due to the fact that these concerns may not work if they are supporting as a layer on top of an existing technology and may require vendors to start from scratch. I know you have tons of integrity and would love to at least see you share your thoughts in your blog regard relationship.
Why most Enterprise Architects are afraid to blog...
Some folks will say it is because their employer won't let them but the real reason is more personal. Of course, Easy external conversations have an effect on internal conversations but this too really doesn't matter in the big picture.
Reality says that many enterprise architects don't really know enough about any particular topic to talk about it for a sustained period of time. Consider many folks can survive by coming up with one and only one idea periodically and amplifying it throughout their enterprise for years. If they were to blog, their vulnerabilities would show.
Blogging at some level provides a measure of one's intelligence, knowledge and a peek into the thought processes of one's mind. Some folks if you were to get this view, it would be frightening. Others are interested in putting themselves up on a pedestal where they portray themselves as authoratative, knowledgable and certain on a variety of topics and by blogging, it may allow others to knock them off.
One of the more humbling experiences is in being published. You put your heart and soul into writing a book where you deny access to your friends and family for months, all in the name of waiting for the very first review on Amazon. Someone has called your baby ugly in public is humbling and too drastic for many to bear but of course they have done it to others.
Blogging requires individuals to embrace the notion that critics are your best friend. For me, folks such as James Robertson, Robert McIlree, Chris Petrilli and others would be on the top of my friends list. Sharing of ideas in the blogosphere helps folks develop respect for each other. These individuals have taken somewhat ill-formed ideas and instead of attempting to beat the crap out of them, instead used that idea to create a better one. In my book, offered something more. In order to earn the right to criticize, you have to show what the alternative is; you have to construct an alternative which is better known as constructive critisism.
Many times in blogging, the problem isn't usually with the solution; it's usually with the understanding of the problem. If you say that it sucks and tell why it sucks, you are helping with the understanding of the problem. Or are you? Therein lies the difference between destructive criticism and constructive criticism. Enterprise architects simply aren't used to constructive critisism...
Why most Enterprise Architecture Teams are incapable of innovation...
Thinking out loud is the act of expressing in recoverable and external form new thoughts which you encourage your mind into exploring. Often these lead to new avenues of thought. When you think out loud you detect and explore ideas and concepts which are either unknown, or as yet unexplored. Enterprise architecture teams should ask themselves when was the last time they established a forum for this sole purpose?
Listed below are some of the ways that enterprise architecture teams can first attempt to innovate themselves before forcing it on others:
- Offer thoughts for all to see before they are fully baked: Let those around you hear what you're thinking and invite input on your thoughts. The effect of doing thinking out loud and publicly is that it will probably evoke opinions which either support, amplify or contradict and minimize. Ideas that are ultimately reflected on will most certainly lead to better interaction and dialog. Don't ignore the notion of the Wisdom of the Crowds.
- Brainstorm out loud: One of the best ways to brainstorm is to blog. When you have a thought, write it down, whether at work, at home, on your throne, etc. One can come back at a later time and review the thoughts having had additional time to think about whatever you were noodling at the time. Of course, if the idea is of competitive advantage then don't make it public, otherwise if it can benefit others, then share it publicly.
- Intellectual property rarely exists: Of course you will meet folks who are only capable of having a singular original idea in their career but for those who are truly innovative, we shouldn't attempt to protect them. Consider that I share lots of original ideas in my blog so that others can benefit from what I have learned and experienced. Innovation comes faster by others not starting from scratch. For me, ideas are like going to the faucet, they simply flow. Some think, if you give away all of your ideas you will have nothing when it reality, giving away ideas is more like giving away a photocopy and not like giving away physical property.
Tuesday, January 23, 2007
Analyst Influence diminishing further?
There is only so much time in a day and if folks shift whom they pay attention to, this can be important for all those vendors spending lots of dollars on analyst relations. In 2004, I had zero clue who Redmonk, The 451 Group or Elemental Links were. In 2006, however they are probably more influential on my thinking than the large guys (with the sole exception being The Burton Group. Would you still use the word sharing in 2010 when these guys become the only source I read?
The point of comparing large analysts to small analysts wasn't really about the analyst firms themselves but to say that a larger part of my day involves understanding the direction of the industry at large and blogs are one of the best ways to accomplish this goal. These analysts choose to blog and I would read them even if they weren't analysts. Likewise, I also have increased the reading of blogs by industry peers.
So this begs the question of if analysts want to retain their fair share of influence, then they must blog. The analyst firms I mentioned are credible not only because they blog, but because they also allow for commenting and trackback. Sometimes the one-way approach to blogging simply doesn't allow for us enterprisey folks to get what we need. The ability to observe conversations is crucial and in fact more important than getting the opinion of just one body.
Credibility is increased in many ways. For example, James Governor of Redmonk once commented on one of my blog entries. Most analysts wouldn't have attacked a customer in such a fashion, and even more so done it publicly, but that the point as to why I read him and encourage others to do the same. Insight doesn't emerge from briefings, rather insight emerges from folks who share their perspectives in a public manner and aren't fearful of political correctness.
If analysts want to increase credibility, I would suggest that they do some real research. Too many of them sit back and wait for vendors to call them up and spoonfeed them information and think their only job is to distill things into cohesive presentations. Research requires sometimes doing homework where folks aren't going to know all the answers.
For example, if I were to call up any analyst firm that covers open source and wanted to understand more about Alfresco or Liferay or Subversion and wanted to understand not only which Fortune enterprises use their products but which ones are openly contributing to them, would you know the answer?
Vendors in terms of briefings are too busy telling you all about their value proposition, and not the proposition of others that have helped make them successful. Maybe, credibility can be increased if analysts started asking thoughtful questions not only focused on the product itself but how it may implement other important considerations such as security. For example, I would love to know how Alfresco, Documentum, OpenText and others aligns ECM and Security. Likewise, I have been fascinated by Azul Systems and their 384 CPU Java Appliance but would also love to know which J2EE application server scales the best on this platform?
Maybe credibility is increased by not responding to us enterprisey customers who already have subscriptions with various analyst firms via our blogs and not just having phone dialogs. Maybe someone could even increase their credibility by responding with a matrix of vendor products that implement the XACML specification or OpenID?
Monday, January 22, 2007
XACML PEP Support
- We've used the XACML PEP/PDP model for some time now. But, I can see the vendor rationale for not implementing it. If the "Security Glue" you use is proprietary, then it's frankly more difficult to throw out your product, and you become a "necessary evil" (as I've heard one or two security products called in the past).
Hopefully Mark and others will step up and help keep the vendors who should be implementing XACML PEP within their products honest. Of course this list includes vendors that play in the following spaces: ESB, ERP, CRM, ECM, Portals, J2EE Containers, BPM and so on.
You should never really show your documentation page as folks like me will of course find a product that isn't listed. I would love to see Vordel join the OpenID conversation where you get to interact with folks such as Dick Hardt and Johannes Ernst...
Humans are lousy at self-evaluation
One phrase that I use often is the need for strong technical leadership within IT. It is human nature to either trivialize and/or underestimate capabilities in other folks that they do not possess. Likewise, imaginative folks perennially underrate efficient ones. Evaluating oneself will result in over-evaluations, under-evaluations and just plain confusion. People who might otherwise be brilliant, just plain suck when it comes to applying those same sets of criteria to themselves.
Consider how many bloggers in the blogosphere that talk about enterprise architecture and the practices of others but would never admit to any faults of their own. Is it because their blog is a marketing tool? maybe, but the issue may also be that they simply don't know why they suck. There is a huge objectivity block ingrained into our nuggests when we attempt to evaluate ourselves.
Maybe the problem is with the theory of relativity. For example, 95% of all parents think their children are above average. On the surface, this statement is both amusing and contradictary in that it implies that people are not objective on self-evaluation. An alternative explanation may be that they simply have no bearing point in which to compare themselves to others and therefore choose their own mental model.
Would HR types acknowledge that a method that has more integrity would be instead for folks to institute a culture of blaming oneself? Imagine an enterprise where an individual enterprise architect could go up to their boss and tell them, that they are a big fat idiot and really don't understand technology. The boss could immediately decide to cover up for this individual by encouraging them to read the latest industry analyst reports and practice management by magazine. Likewise, the boss could become a mentor to help this individual improve.
Maybe, the real test of objectivity would be to not only remove both the employee and his boss from the objectivity aspects of self-evaluation but to consider implementing a mentor-oriented culture where a neutral third-party could observe characteristics that are good and those that need improvement.
- So one question, is how far do you propagate the user's credentials? Do you keep a record on each user in all six systems?
The question of depth of propagation is an important topic that should be discussed by others. In the scenario you outlined, it assumes that all downstream interactions are 100% controlled by the enterprise. What if the enterprise decides on a strategy of SOA where they consume services outside their enterprise? Of course, identity propagation becomes more important. One of course needs to ask themselves whether using a pooled credential is wise (acknowledging problems with auditability) or whether they need to actually propagate deeper. I would say this should be left up to the discussion of the enterprise and their own policies.
The untold story however is that many enterprises can't decide anything about depth of propagation because the standards don't yet exist to support it. Maybe it is because industry analysts aren't yet asking vendors about this problem space or maybe it is because it is a lot of work on the part of standards bodies such as Liberty Alliance and there are more important things to discuss such as the flavor of one's coffee.
SAML would be a good specification to start figuring out how not only identity propagation could work from web application all the way down to the relational database one stored their information in. Of course, someone would need to figure out the JDBC/SAML relationship and how to make identity-based pooling a reality.
- From a IDM standpoint how complex do you want your provisioning to be?
Provisioning doesn't have to be deep if I can do everything at runtime. For example, imagine a situation where I didn't have to pre-register to access my bank to do wire transfers but could at runtime use the credentials of my employer who would tell them based on prior established trust relationships that I am me but that I am also authorized to make certain transactions. Oops, this would require SAML/XACML authorization discussions that no one really wants to talk about.
- Mark O'Neill weighs in on authorization in general, XACML in particular and how Vordel's products help you deal with it.
I absolutely believe that everyone should read Mark's thoughts but my original response stated that XACML should be built into applications and not simply proxied by an intermediary. I would like to see industry analysts ask CRM, BPM and ECM product vendors where on their roadmap is XACML support as making it part of an application provides functionality that can be used for deeper attestation constructs which cannot be done if using intermediary approaches.
- A combination of the patterns needs to limit the amount of authentication and instead use previously authenticated attributes to authorize access.
I want to jump out the nearest window with all these consumerish scenarios where the conclusion that authorization has to occur from the same source as authentication. Let me provide an example in the real world that hopefully will invalidate this type of thinking.
Consider a scenario where a Blackhawk Helicopter fell out of the sky and landed in my basement and crushed my computer so I can no longer blog. Of course, I would like to submit a claim to my favorite insurance company. I pull out the handy dandy Yellow Pages and find a total of three contractors each with their own specialization. All three contractors work for Handyman Matters. I would like for Handyman matters to not only provide strong proof in terms of authentication that they say who they are but to also check that they are licensed to do home repair in my state. Of course, I wouldn't trust any contractor who says that they are licensed without validating it so I would want the State of Connecticut to provide authorization in terms of not only whether their license is valid but that they can do certain types of work. Likewise, I would also want whatever insurance carrier they used for workers compensation to also perform authorization that their insurance is current before they initiate anything in my basement.
Having authorization come from different sources in many circumstances provides more credibility than from situations originated by authentication alone. The key is that we have to move the conversation away from stupid consumerish discussions and talk about how business works in the real world. Of course, my scenario is 1000% fictitious but hopefully folks can get the general idea. By trusting the insurance company over the contractor who provided the credential provides me with reduction in risk. The same thing can be said of the State of Connecticut.
One question for you Gunnar, what would it take to get the folks participating on OpenID to also embrace secure coding practices?