Sunday, April 22, 2007


Take AIIM on Security

Out of all the ECM vendors in existence, Alfresco seems not only to have the most integrity but also to be the most tuned in to the needs of their customers...

John Newton appropriately noted that the folks at AIIM are negligent in that they haven't figured out how enterprise security concerns should converge with ECM standards. He also noted that ECM vendors consider security a second-class consideration. Hopefully, over time, industry analysts such as Alan Pelz-Sharpe of CMSWatch, Barry Murphy of Forrester, Nick Patience of the 451 Group and Karen Shegda of Gartner will start covering security standards that are applicable to the ECM space in upcoming research reports.

Anyway, I figured I would comment on some wonderful things said by John:

Interoperability is key, and that includes thinking about security considerations. ECM is no longer a standalone play and is starting to become integrated into enterprise applications. I suspect this will lead to ECM being integrated into CRM so deeply that the user believes they are working with one tool and not two.

In terms of politics, I would love to understand whether this could be solved by having more enterprises participate in standards creation. Is it that the agenda is too driven by software vendors who have their own insular issues to deal with? Maybe instead of complaining, I should actively participate? John, could you put me in contact with the speaker coordinator for this event so I can personally address this issue?

In terms of whether it should be ACL, role-based or policy-based, I have the following thoughts. First, I believe that customers should be able to decide which model suits them best by configuring the product to use it. Second, I would also say that the better model supports an open SDK so that customers who aren't happy with the built-in models can write their own.

It seems as if many vendors in this space can leverage external authentication services yet still require their own identity services, which is interesting at some level and flawed at another. Whether you choose OpenID because you want a vendor-neutral way of identifying users or something more proprietary such as CardSpace doesn't really matter much to me, as long as you choose one and solve this problem space quickly. In terms of implementation difficulty, it isn't that much code to actually support both at the same time.

If the industry embraces XACML, enforcement could occur based on inspecting metadata, which does require enterprises to pay attention to controls on the content. I suspect you are wary of proposing this since many customers don't really have a sound, thoughtful metadata strategy, and so it may fail for other reasons.

May I say that pass-through authentication approaches are also inadequate, in that it sometimes becomes important to understand the credentials, especially once we move away from username/password-like constructs?

Should search leverage the same entitlements model? If search engines also supported XACML, then having a layer that externalizes entitlements so as to make them consistent across content access and search would be a good thing.
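To make the two points above concrete (metadata-driven XACML enforcement, and search reusing the same entitlements), here is an added example that is not part of the original post or of any vendor's product: a toy XACML-style decision point in Python. Rule layout, attribute names (subject.department, resource.classification and so on) and the sample users and documents are constructed assumptions; note how a document with no classification metadata is never permitted, which is exactly why a missing metadata strategy makes this approach fail closed rather than open.

```python
# Added example, not from the post: a toy XACML-style decision point driven by content
# metadata, reused for search. Rule layout, attribute names and data are constructed.
import operator

DENY, PERMIT, NOT_APPLICABLE = "Deny", "Permit", "NotApplicable"
OPS = {"eq": operator.eq, "ge": operator.ge, "in": lambda a, b: a in b}

# Each rule stands in for a XACML <Rule>: an effect plus target conditions
# (attribute, operator, value). A value prefixed "subject." or "resource."
# resolves to that other attribute, like an AttributeDesignator reference.
POLICY = [
    {"effect": PERMIT, "target": [("resource.classification", "eq", "internal"),
                                  ("resource.department", "eq", "subject.department"),
                                  ("action", "in", ("read", "search"))]},
    {"effect": PERMIT, "target": [("resource.classification", "eq", "restricted"),
                                  ("subject.clearance", "ge", 3),
                                  ("action", "in", ("read", "search"))]},
    {"effect": DENY, "target": [("resource.legal_hold", "eq", True),
                                ("action", "eq", "delete")]},
]

def _holds(attrs, cond):
    attr, op, value = cond
    actual = attrs.get(attr)
    if isinstance(value, str) and value.startswith(("subject.", "resource.")):
        value = attrs.get(value)
    if actual is None or value is None:
        return False  # absent metadata never satisfies a condition: fail closed
    return OPS[op](actual, value)

def evaluate(subject, resource, action, policy=POLICY):
    """Deny-overrides combining: any Deny wins, then any Permit, else NotApplicable."""
    attrs = {**subject, **resource, "action": action}
    effects = {r["effect"] for r in policy if all(_holds(attrs, c) for c in r["target"])}
    if DENY in effects:
        return DENY
    return PERMIT if PERMIT in effects else NOT_APPLICABLE

def filter_search_hits(subject, hits):
    """Search applies the same entitlements; NotApplicable hides a hit just like Deny."""
    return [h for h in hits if evaluate(subject, h, "search") == PERMIT]

# Constructed sample data: two finance users and four documents' metadata.
ALICE = {"subject.department": "finance", "subject.clearance": 2}
BOB = {"subject.department": "finance", "subject.clearance": 3}
DOCS = [
    {"resource.id": "q1-forecast", "resource.classification": "internal", "resource.department": "finance"},
    {"resource.id": "salary-bands", "resource.classification": "internal", "resource.department": "hr"},
    {"resource.id": "merger-memo", "resource.classification": "restricted", "resource.department": "finance", "resource.legal_hold": True},
    {"resource.id": "untagged-scan"},  # no classification metadata: nothing permits it
]
```

Because the search filter calls the same evaluate() as a document read, a user can never see a hit in search results that they would be refused on open.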

John, I can tell you that enterprises such as AIG, Home Depot, Merck, J&J, Boeing, Washington Mutual, Bank of America, GE, Schwab and Merrill Lynch have all started to have this conversation in a public way and have started to engage the discussion at many industry analyst driven conferences as a first step. I can also say that if vendors would like for me to share additional insights, all they have to do is ask...
