Saturday, January 27, 2007
More Thoughts on Authorization
- From an architecture standpoint, authentication has been largely solved with Single Sign-On architectures. It does not mean that companies have deployed it yet.
I would challenge this statement, as many products in the BPM and ECM space are not yet enabled to support SSO. Can I, out of the box and via configuration alone, support SSO via SPNEGO, SAML, WS-Federation or even OpenID in any BPM and/or ECM product today? I sure would love to know which ones do, because I haven't yet run across one that didn't force each and every customer to write code to make this happen.
- For some time, one of the references in the space was the Role Based Access Control model developed by the National Institute of Standards and Technology (NIST).
In my humble opinion, the NIST model is a good starting point and can be implemented more readily by folks in Europe, whose organizational structures tend to be more hierarchical, whereas it breaks down in the Americas due to our poorly thought out notions of dotted-line reporting, matrixed teams and frequent reorganizations. I would love to see security folks in the blogosphere propose what NIST RBAC 2.0 would need to look like.
- The technology is good, but the challenge has been in getting multiple vendors to adopt it.
It is my hypothesis that the large software vendors all have XACML on their radar but will not rapidly implement the PEP portion until they have their own PAP and PDP. The reasoning goes that if they do the right thing by implementing PEPs throughout their product line, they will view this solely as an expense, since they can't make any money by making security better. If they instead focus on the PAP and PDP, they can create another product to sell to us enterprisey folk, and when there are lots of new products, analysts get excited. Hopefully the marketplace has anticipated this analyst behavior, and hopefully the analysts will be smart enough to talk about the importance of PEPs in existing products.
- They might also come from BPM vendors, for business processes provide the right set of scenarios for defining meaningful entitlement policies.
Ismael, you missed a wonderful opportunity by using the word "might". Now is the time to show the rest of the industry what leadership looks like by saying that Intalio will be the first vendor to support an XACML PEP built right into the BPM engine. You have to acknowledge at some level that industry analysts who read blogs might be getting smart enough to ask more challenging questions. At a minimum, your competitors will detect your hesitancy and will pounce.
- Security, alongside discoverability and reusability, is one of the services that should be offered by a good ESB, and entitlement is one of its critical elements.
You are absolutely on the money. ESB vendors also need to pay attention to external entitlements. I know BEA will show leadership in this arena with their AquaLogic Service Bus. It is anyone's guess as to where Dave Chappell and Sonic are on this aspect. I do predict that ServiceMix will be number two, with the guys over at MuleSource following closely.
- Essentially, entitlement definition becomes a simple by-product of process design.
You are onto something with your comment about swimlanes, as these show roles and privileges very crisply. The question I would ask is whether you believe that the vast majority of enterprises currently doing BPM model in a swimlane fashion. If not, what do you think needs to occur for them to adjust their thinking in this regard?
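To make concrete what "roles and privileges from swimlanes" can look like, here is an added example that is not from Ismael's post, Intalio or any BPM product: a constructed purchase-order process whose lanes are turned into an RBAC-style entitlement table (the PAP's output), with a small deny-by-default PDP and a PEP sitting in front of each task. The dictionary-based process model, role names and task names are all assumptions standing in for a real BPMN swimlane diagram.

```python
# Added example: deriving entitlements from swimlanes and enforcing them
# with a PEP/PDP split. Not code from the original post or from Intalio.

# Constructed sample process: swimlane name -> tasks performed in that lane.
# In a real BPM engine this would be read from the BPMN model itself.
PURCHASE_ORDER_SWIMLANES = {
    "Requester":       ["submit_order"],
    "Manager":         ["approve_order", "reject_order"],
    "AccountsPayable": ["pay_invoice"],
}


def entitlements_from_swimlanes(swimlanes):
    """PAP step: every lane becomes a role, and every task in the lane becomes
    a (task, action) permission for that role. Nothing is granted that the
    process diagram does not show, which is the 'by-product of design' idea."""
    policy = {}
    for role, tasks in swimlanes.items():
        policy[role] = {(task, "complete") for task in tasks}
    return policy


def decide(policy, subject_roles, task, action="complete"):
    """PDP step: Permit if any role held by the subject is entitled to the
    (task, action) pair; Deny otherwise. Unknown tasks and unknown roles fall
    through to Deny, so a task nobody's lane claims is never executable."""
    for role in subject_roles:
        if (task, action) in policy.get(role, set()):
            return "Permit"
    return "Deny"


def complete_task(policy, subject, task):
    """PEP step: the engine calls this before running a task. It asks the PDP
    and refuses to run on anything other than an explicit Permit."""
    decision = decide(policy, subject["roles"], task)
    if decision != "Permit":
        raise PermissionError(f"{subject['id']} may not {task}: {decision}")
    return f"{task} completed by {subject['id']}"


if __name__ == "__main__":
    policy = entitlements_from_swimlanes(PURCHASE_ORDER_SWIMLANES)
    print(complete_task(policy, {"id": "alice", "roles": ["Manager"]}, "approve_order"))
    print(decide(policy, ["Requester"], "approve_order"))  # Deny: wrong lane
```

The useful property to check in any such derivation is the deny-by-default path: a role that appears in no lane, or a task that appears in no lane, must never evaluate to Permit.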
- The way an ECM system would fit into this picture is quite interesting as well. Access control is a critical feature of any ECM to be deployed within an enterprise environment, and sharing the same entitlement architecture with the BPMS and the ESB would provide significant benefits.
You are absolutely brilliant in this statement. Any predictions on which ECM vendor, whether Alfresco, Documentum, FileNet, OpenText or another, will get there first?
- As far as I know, no BPM vendor has ever adopted such a model in combination with an ECM and an ESB. Nevertheless, the technology exists today for building such a thing, and all we need is enough customer interest for getting it done. This is something that Intalio is actively pursuing today, and I would expect that we will be in a position to announce interesting developments in this area sometime this year.
The blogosphere looks forward to learning more about these interesting developments, and I will commit to being one of the first to amplify them. Please make sure you get the industry analysts at Gartner and Forrester to pay attention in this regard.
Best wishes to folks at Intalio and I hope that the 2007 Magic Quadrants and Waves are kind to you...