Saturday, January 27, 2007


More Thoughts on Authorization

Ismael Ghalimi, who is CEO of Intalio, recently commented on BPM and Authorization, and I figured I would analyze some of his statements...

I would challenge this statement as many products are not yet enabled in either the BPM or ECM space in order to support SSO. Can I out of the box via configuration support SSO via SPNEGO, SAML, WS-Federation or even OpenID in any BPM and/or ECM product today? I sure would love to know which ones do because I haven't yet run across one that didn't force each and every customer to write code if they wanted to make this happen.

In my humble opinion, NIST is a good starting point and can be better implemented by folks in Europe whose organizational structure tends to be more hierarchical whereas NIST breaks down in the Americas due to our poorly thought out notion of dotted-line reporting, matrixed teams and frequent reorganizations. I would love to see security folks in the blogosphere propose what NIST 2.0 would need to look like.

It is my hypothesis that the large software vendors all have XACML on their radar but will not rapidly implement the PEP portion until they have their own PAP and PDP. The reasoning says that if they do the right thing by implementing PEP throughout their product line, they will view this solely as an expense where they can't make any money by making security better. If, however, they focus on PAP and PDP, then they can create another product to sell to us enterprisey folk. When there are lots of new products, analysts get excited. Hopefully though the marketplace has predicted the analyst behavior and hopefully they will be smart enough to talk about the importance of PEP in existing products.

Ismael, you missed a wonderful opportunity by using the word might. Now is the time to show the rest of the industry what leadership looks like by saying that Intalio will be the first vendor to support XACML PEP built right into the BPM engine. You have to acknowledge at some level that industry analysts who read blogs might be getting smart enough to ask some more challenging questions. Minimally, your competitors will detect your hesitancy and will pounce.

You are absolutely on the money. ESB vendors also need to pay attention to external entitlements. I know BEA will show leadership in this arena with their AquaLogic Service Bus. It is anyone's guess as to where Dave Chappell and Sonic are on this aspect. I do predict that ServiceMix will be number two with a close following by the guys over at MuleSource.

You are onto something with your comment about swimlanes as these show roles and privileges very crisply. The question I would ask is if you believe that the vast majority of enterprises who are currently doing BPM model in a swimlane fashion? If not, what do you think needs to occur for them to adjust their thinking in this regard?

You are absolutely brilliant in this statement. Any predictions on which ECM vendor, whether it be Alfresco, Documentum, FileNet, OpenText or others, will get there first?

The blogosphere looks forward to learning more about these interesting developments and I will commit to hopefully being one of the first to provide amplification. Please make sure you get the industry analysts at Gartner and Forrester to pay attention in this regard.

Best wishes to folks at Intalio and I hope that the 2007 Magic Quadrants and Waves are kind to you...
