Wednesday, February 21, 2007


John Newton's wonderful feedback on my blog...

I would like to thank John Newton for providing feedback on my blog...

Here are some of his thoughts along with my reactions:

The funny thing is that I can't really attack the morality of traditional enterprise software vendors as it pretty much mirrors the decline of morality within IT at large. As far as Anna is concerned, the notion of overweight architectures does fit nicely.

Part of the disassociation is in managing vendor expectations. Do you know how many calls I get in a week where a vendor salesperson has read my blog and will immediately want to associate it with work? This causes not only a productivity headache, as it takes away a lot of time from focusing on more important problems, but likewise results in sales folks blowing up my coworkers' phones if I am not so fast in returning their calls. I have a strong desire to keep my day job disassociated from my blog for a myriad of reasons, but this shouldn't prevent me from sharing use-cases. The only thing I ask is that folks read it, without reading into it.

Since you asked for use-cases, how about the five I am most passionate about in the security space. The first is that nowadays, no enterprise application should ever create its own credential store. It would be difficult to find a Fortune 1000 enterprise or the international equivalent that doesn't already have Active Directory. How come you can't simply bind to it at runtime and allow attributes to be mapped to the various parts of the tree?

My second use-case is that we all understand that ECM products usually are useful in conjunction with other technologies, whether it be ERP, ECM or CRM. Shouldn't it be reasonable to have out-of-the-box support for SSO based on industry standard protocols such as SAML, WS-Federation, SPNEGO, OpenID, etc.? For a third use-case, you may have noticed lots of discussion in the blogosphere regarding identity management, yet I haven't run across a single ECM platform that is identity-management enabled. Support for the OASIS SPML specification would make sense here. Fourth, support for compression and encryption should be built into the product, but should only be done using open algorithms. Proprietary compression algorithms, especially when they are closed source, are ugly. In terms of encryption, don't think shared secret, as no one is good at keeping them. Minimally, start noodling PKI where key escrow is externalized, with the end game being the embracing of identity-based encryption. Check out the offerings by the folks at Voltage in this regard.

For the fifth and final use case, I would really love to see ECM vendors start incorporating XACML support so that enterprises can externalize fine-grained authorization. Some folks aren't exploring this because they have rationalized that this would be too slow. Nothing is further from the truth. Open source portals such as Liferay can be cleanly integrated into an XACML solution because the underlying design is clean. In Liferay, all you have to do is extend a single class, PermissionChecker, and you are enabled. Lots of folks have written horrific authorization code that isn't centralized, which causes vendors to pretend that the problem doesn't really exist. NOTE: I haven't checked out Alfresco's source in detail in this regard to know if the problem exists or not.
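To make the "externalize fine-grained authorization" point concrete, here is an added example (not Alfresco's, Liferay's or any XACML engine's code) of the shape such an integration takes: the application exposes one permission-checking hook, the hook hands a subject/resource/action request to a policy decision point, and the decision point evaluates an attribute-based rule set using XACML's deny-overrides combining. The class names, attribute names and the sample policy are constructed for illustration; `ExternalPermissionChecker` is a hypothetical stand-in for the single class a portal would let you extend, not Liferay's real interface.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Request:
    """The attributes a PEP hands to the PDP: who, on what, doing which action."""
    subject: Dict[str, str]
    resource: Dict[str, str]
    action: str


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    effect: str           # "Permit" or "Deny", as in a XACML <Rule Effect="...">
    condition: Condition  # the rule applies only when this returns True


@dataclass
class Policy:
    """A rule set combined with deny-overrides: any applicable Deny wins."""
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, req: Request) -> str:
        applicable = [r for r in self.rules if r.condition(req)]
        if any(r.effect == "Deny" for r in applicable):
            return "Deny"
        if any(r.effect == "Permit" for r in applicable):
            return "Permit"
        return "NotApplicable"


class PolicyDecisionPoint:
    """Central decision point; one place to change policy and to audit decisions."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.audit: List[str] = []

    def decide(self, req: Request) -> str:
        decision = self.policy.evaluate(req)
        self.audit.append(
            f"{req.subject.get('id')} {req.action} {req.resource.get('id')} -> {decision}")
        return decision


class ExternalPermissionChecker:
    """Hypothetical single enforcement hook an application exposes (the PEP)."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def has_permission(self, subject: Dict[str, str], resource: Dict[str, str], action: str) -> bool:
        # Fail closed: only an explicit Permit grants access; NotApplicable is a denial.
        return self.pdp.decide(Request(subject, resource, action)) == "Permit"


# Constructed sample policy: two grants and one overriding restriction.
SAMPLE_POLICY = Policy(rules=[
    Rule("same-department-read", "Permit",
         lambda r: r.action == "read" and r.subject.get("dept") == r.resource.get("dept")),
    Rule("admin-full-control", "Permit",
         lambda r: r.subject.get("role") == "admin" and r.action in {"read", "write", "delete"}),
    Rule("restricted-needs-clearance", "Deny",
         lambda r: r.resource.get("classification") == "restricted"
         and r.subject.get("clearance") != "high"),
])

# Constructed subjects and resources.
ALICE = {"id": "alice", "dept": "finance", "role": "user", "clearance": "low"}
BOB = {"id": "bob", "dept": "it", "role": "admin", "clearance": "low"}
CAROL = {"id": "carol", "dept": "it", "role": "admin", "clearance": "high"}
BUDGET = {"id": "budget.xls", "dept": "finance", "classification": "internal"}
MERGER = {"id": "merger.doc", "dept": "finance", "classification": "restricted"}


def demo() -> Dict[str, bool]:
    """Run a handful of decisions through the single enforcement hook."""
    checker = ExternalPermissionChecker(PolicyDecisionPoint(SAMPLE_POLICY))
    return {
        "alice-read-budget": checker.has_permission(ALICE, BUDGET, "read"),
        "alice-write-budget": checker.has_permission(ALICE, BUDGET, "write"),
        "alice-read-merger": checker.has_permission(ALICE, MERGER, "read"),
        "bob-delete-merger": checker.has_permission(BOB, MERGER, "delete"),
        "carol-delete-merger": checker.has_permission(CAROL, MERGER, "delete"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(name, "->", "allowed" if allowed else "denied")
```

The point of the structure, rather than the toy rules, is that every authorization question in the application passes through one hook, so the policy can be changed, audited or swapped for a real XACML PDP without touching the code that scattered `if user.is_admin` checks would otherwise have to be hunted out of. Note also that the evaluation here is an in-process function call over a few rules, which is why the "too slow" objection does not follow from externalizing the decision itself.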

You will find all of these technologies at play. There are several reasons why I tend to not speak about them. First, I don't really find they are worthy of writing about as others have already hyped them up. Second, a good enterprise architect should first leverage what they already have instead of chasing the hype of the minute.

Usage of open source vs. traditional models is something that my coworkers already talk about in public forums along with bringing an enterprise perspective on them. If the blogosphere at large wants to have a deeper conversation on this, I would suggest pinging all those conference chairs and getting them to get my peers on panels to discuss.

There is one form of advisory board that I tend to talk about more than others, which has to do with the venture capital community. The investment models used by these guys are so disconnected from what we actually desire. It is intriguing that there are problem-spaces that large enterprises have had for years, yet the VC guys aren't even paying attention. I would like to solve this aspect first.

The second aspect of advisory boards is that they are not just useful for vendors to listen to customers but for customers to talk to each other. Consider that within the blogosphere, you will find lots of folks blogging on enterprise architecture, but for the most part they are all employed by consulting firms. I only know of five individuals in the entire blogosphere that are directly employed by a Fortune 100 enterprise. No one to date has figured out a way to get enterprise architects to blog, so there is still value in traditional conversations.

Believe it or not, I really don't spend a lot of time blogging. Remember, I don't have the overhead that vendors and industry analysts have in terms of making sure my external communication is as polished as it needs to be, as I am not really selling anything. In terms of topics, I have my own thoughts along with wonderful conversations I may have with my peers in other organizations, so ideas are plentiful. I also can type 85 WPM and have been able to since high school. I figured out at a young age that was where all the girls were. Anyway, I spend about 15 to 20 minutes a day blogging, so time isn't really a factor.

Reading into your question, I know you are not really asking me for contact information for folks in procurement but really want to understand the thought process behind the scenes. The problem is that it varies depending on size of spend, whether the product in our mind is strategic or tactical (don't ask me to define this, as it is a rathole), the players involved (business types, architect types, process weenies, etc.), whether industry analysts have deep coverage in terms of research, the latest opinion of magazines, along with indexing as to what industry peers also think. There is no one great roadmap that I could provide to make navigation in this regard easier.

This was an oversight on my part. Thanks for pointing this out...

Which would be better, a one-time post about how I am going to buy lots of support, or a posting at least once a month of me encouraging my industry peers to download and evaluate Alfresco as the sole solution for the ECM space? Wouldn't it be better for me to be the first person blogging on the fact that Alfresco is the only ECM vendor that nailed all of the security considerations previously outlined and, on top of it, embraces secure coding practices, having formed a deep relationship with Brian Chess from Fortify Software?
