Friday, January 26, 2007
Why Enterprise Security will remain elusive...
The promise of externalizing fine-grained authorizations from enterprise applications is compelling as it provides numerous benefits to enterprises. Much of this will be accomplished by the folks at Oasis and the creation of the XACML specification.
XACML defines several components: a Policy Administration Point (PAP), which allows for centralized administration of policy; a Policy Decision Point (PDP), which evaluates requests against policy and defines how rules and conflicts between them are resolved; and a Policy Enforcement Point (PEP), which is responsible for the actual enforcement of all policies. In a proper implementation the Policy Enforcement Point is built directly into the architecture of the enterprise application itself.
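To make the division of labour concrete, here is an added illustration (not code from the post, from OASIS or from any vendor product) of a PEP embedded in an application function while the PDP and its policy are kept outside the application; the role, resource, action and contractor attributes, the rule format and the policy itself are all constructed for the example, and the deny-overrides combining logic is a simplified stand-in for the XACML algorithm.

```python
# Added illustration, not the post's or any vendor's code: XACML-style PEP in the app, PDP external.
class PDP:
    """Policy Decision Point: deny-overrides rule combining over (effect, target) rules."""
    def __init__(self, rules):
        self.rules = rules  # in a real deployment, distributed from the PAP
    def evaluate(self, request):
        decision = "NotApplicable"
        for effect, target in self.rules:
            # a rule applies when every target attribute matches the request context
            if all(request.get(k) == v for k, v in target.items()):
                if effect == "Deny":
                    return "Deny"  # one matching Deny wins outright
                decision = "Permit"
        return decision

class PEP:
    """Policy Enforcement Point: built into the application; runs logic only on Permit."""
    def __init__(self, pdp):
        self.pdp = pdp
    def guard(self, resource, action):
        def decorator(fn):
            def wrapper(subject, *args, **kwargs):
                request = {"subject-role": subject["role"], "resource": resource,
                           "action": action, "contractor": subject.get("contractor", False)}
                decision = self.pdp.evaluate(request)
                if decision != "Permit":  # NotApplicable is refused as well
                    raise PermissionError(f"{decision}: {subject['id']} {action} {resource}")
                return fn(subject, *args, **kwargs)
            return wrapper
        return decorator

# Constructed sample policy, as it would be administered centrally in a PAP.
RULES = [
    ("Permit", {"subject-role": "manager", "resource": "invoice", "action": "approve"}),
    ("Deny", {"resource": "invoice", "contractor": True}),
]
pep = PEP(PDP(RULES))

@pep.guard(resource="invoice", action="approve")
def approve_invoice(subject, invoice_id):
    return f"invoice {invoice_id} approved by {subject['id']}"

def attempt(fn, subject, *args):
    """Call a guarded function; returns ('ok', result) or ('refused', reason)."""
    try:
        return ("ok", fn(subject, *args))
    except PermissionError as exc:
        return ("refused", str(exc))
```

The point of the split is that `approve_invoice` never inspects roles itself: changing who may approve invoices is an edit to `RULES` at the PAP, not a code change in the application, while a manager flagged as a contractor is still refused because the Deny rule overrides the Permit.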
The problem emerges because the PAP and PDP are essentially new components within the enterprise and can therefore be productized. When a software vendor can create new products around something, analysts get excited because they can classify it, and this is where the breakdown occurs. The need for PAPs is real, but their value depends heavily on enterprise application vendors also supporting the XACML PEP portion. Of course, to date analyst firms aren't even asking vendors where this is on their roadmap.
Consider the typical enterprise that may have 300 enterprise applications and the need to externalize authorization. Analyst firms will talk about the need for administration but will not research why the authorization can't be connected to all 300 enterprise applications. Part of the challenge for industry analysts is that security is not just something that needs to be discussed by security-oriented analysts; it is more pervasive than that. For enterprises that buy enterprise software, if the analysts that cover the BPM, ECM, ERP, ESB, Portal and CRM space simply aren't asking the right security questions, then the ability to externalize authorization may never materialize.
To date, very few vendors have even discussed their implementations of XACML PEP. I have observed in the blogosphere positive support from Vordel, BEA, IBM, Identity Engines, LogLogic and Oracle but the masses haven't yet received the message. I would be keenly interested in understanding the perspectives of Ismael Ghalimi, Phil Gilbert and Matt Asay as to where XACML PEP is on their own employer's roadmap but may never hear back via trackback.
Likewise, the other security-oriented bloggers in the blogosphere are still hyping identity and have avoided conversations around authorization. The reasons range from lack of knowledge on the subject, to the usual excuse of focusing on what customers ask for, to "let's take an incremental approach", all of which result in avoiding talking about the needs of enterprises.
The funny thing is that Sun created the reference implementation of XACML but hasn't done much with it. It would be wonderful if Mark Dixon and Pat Patterson could outline in upcoming blog entries how they see other vendors implementing XACML PEP, along with thoughts as to how it will be incorporated into the Sun product offerings. Likewise, bloggers such as Dick Hardt, Kim Cameron and Identity Woman have been equally silent, as it will probably result in a lot of work for them in terms of making their products align to it. Avoidance of opening Pandora's box may be another reason why XACML PEP isn't well discussed.
Luckily, there are two bloggers with tons of integrity who do have the courage to talk about the need. Kudos to Shekhar Jha and Todd Biske, who I hope can blog more frequently and help keep the conversations in the blogosphere more honest...