Wednesday, June 06, 2007
Taking Advantage of Software Vendors who Blog
Maybe part of the issue in terms of believing that I am not offended is that there is no evidence to the contrary and therefore I have decided to put words into the mouth of others and will take the opportunity to offend myself in hopes that others will also take the lead.
If folks wanted to know the truth, I have been starving for feedback and an honest dialog. Blogging is an outlet for me in that work provides feedback only in a cordial civil way and therefore censors itself while I desire something a little bit more honest, transparent and raw. Take my thoughts and have fun with them.
John Newton of Alfresco
- You keep constantly attacking ECM vendors for not paying attention to enterprise security concerns. Sure, we keep duplicating identity stores by asking folks to make local copies. Sure, we think that ACL-based mechanisms are sufficient because ECM is all about us and not about other spaces you may want to integrate with and therefore XACML is irrelevant. If you believe that these things are important, instead of ranting, why don't you figure out how to solve the problem in terms of contributing. After all, our product is open source?
I believe that contribution could be a potential option and I would love to contribute XACML support to lots of open source offerings. The problem that I have run into is that support for other authorization models in most cases requires more than contributing a couple of libraries and usually involves heavy refactoring of an entire application. This shows that even in modern architectures, folks are still spreading authorization logic throughout the codebase. If Alfresco ever decides to refactor their code so that all authorizations go through a single interface, then I will gladly extend Alfresco on my own dime to support XACML. If you want a great example of how authorization should be centralized within a product, I suggest checking out Liferay Enterprise Portal and their PermissionChecker class.
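To make the single-interface point concrete, here is an added sketch (not code from Alfresco, Liferay or this post) in which the call site depends only on one authorization interface, so a product-local ACL can be swapped for an attribute-based policy evaluator without touching business code. Every name is hypothetical, the rule model is a simplified stand-in for XACML rather than its actual syntax, and the sample subjects and documents are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Protocol

@dataclass(frozen=True)
class Request:
    subject: dict   # attributes of the caller
    action: str
    resource: dict  # attributes of the object being accessed

class PermissionChecker(Protocol):
    """The single interface every authorization decision goes through."""
    def is_permitted(self, req: Request) -> bool: ...

@dataclass
class AclChecker:
    acl: dict  # (resource id, action) -> set of subject ids
    def is_permitted(self, req: Request) -> bool:
        return req.subject["id"] in self.acl.get((req.resource["id"], req.action), set())

@dataclass(frozen=True)
class Rule:
    effect: str                         # "Permit" or "Deny"
    applies: Callable[[Request], bool]  # target/condition over attributes

@dataclass
class PolicyChecker:
    rules: list  # combined deny-overrides; no applicable rule means deny
    def is_permitted(self, req: Request) -> bool:
        effects = {r.effect for r in self.rules if r.applies(req)}
        return "Deny" not in effects and "Permit" in effects

@dataclass
class DocumentService:
    checker: PermissionChecker  # the call site knows only the interface
    def read(self, subject: dict, doc: dict) -> str:
        if not self.checker.is_permitted(Request(subject, "read", doc)):
            raise PermissionError(f"{subject['id']} may not read {doc['id']}")
        return f"contents of {doc['id']}"

# Constructed sample data
ALICE = {"id": "alice", "role": "adjuster", "dept": "claims"}
BOB = {"id": "bob", "role": "adjuster", "dept": "billing"}
CLAIM = {"id": "doc-1", "dept": "claims", "legal_hold": False}
HELD = {"id": "doc-2", "dept": "claims", "legal_hold": True}
ACL = AclChecker({("doc-1", "read"): {"alice"}})
POLICY = PolicyChecker([
    Rule("Permit", lambda r: r.action == "read" and r.subject["role"] == "adjuster"
         and r.subject["dept"] == r.resource["dept"]),
    Rule("Deny", lambda r: r.resource["legal_hold"])])
```

`DocumentService(ACL)` and `DocumentService(POLICY)` run the same `read` code; only the injected checker differs, which is the refactoring the paragraph above asks for before a new authorization model can be contributed.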
James Governor of Redmonk
- One of the most frustrating things about folks in enterprises is their stuffy media relations policies that don't allow industry analysts to have honest dialogs and gain insights into enterprise thinking. When will enterprise architects such as yourself start to acknowledge that you are part of the problem in terms of not only depth of coverage but also the vendor-centric focus that industry analyst firms take?
You may have noticed in recent Information Week magazine articles that there is a big attack on Gartner by those who are employed by software vendors, without necessarily proposing solutions or understanding that each analyst firm provides its own unique value proposition. I would recommend to any software vendor that they should spread their monies evenly across both big and small. Many of my industry peers simply aren't competent and Gartner allows them to be successful in their duties by distilling complex topics into four to five page briefs. Consider the fact that the trend within the CIO community is to hire those from either a business background or process weenies, so that very few folks running IT actually understand IT. This causes a need for the enterprise to have sources of information where they can practice Management by Magazine.
In terms of other aspects of the dialog, I think that enterprises are more transparent than they are given credit for. I think the issue at hand is that many folks within the enterprise do use analyst services in a one-way scenario in that they figure they pay monies solely to have a conversation at will without acknowledging that they also have a responsibility to contribute. Maybe analyst firms should become more vocal in encouraging enterprises to have two-way conversations.
Encouragement though isn't about reversing the process where the analyst firm calls up the enterprise and asks questions, but rather has to enable a forum where a face-to-face dialog can occur. Folks such as Raven Zachary, Nick Patience and his colleagues over at The 451 Group do this all the time. Their conference format not only allows their analysts to gain insight but likewise allows them to listen to the dialog that occurs across enterprises. If analysts want enterprises to participate more openly, then they have to acknowledge their responsibility in terms of bringing us together in a forum where dialog can occur.
Likewise, in terms of my own employer, we are pretty open and if any industry analyst wanted to meet with our staff and pick our brains they are more than welcome. Several months ago, Brenda Michelson of Elemental Links met with several executives and can testify that she was not censored by our folks in media relations in any form or fashion. Generally speaking, analysts that intend to write it up in terms of a formal publication tend to get more of our attention than those who don't. After all, it is simple human nature to fall in love with seeing your name in print.
Alex Fletcher of Entiva Group
- How can small analyst firms get on the radar of large enterprises or is this futile?
There are several ways I can answer this question and therefore let me try several different approaches. First, since you provide coverage of open source offerings, you have to figure out how to align the value proposition that open source provides with our own needs. Coverage of open source in terms of commodity software such as ECM platforms, J2EE application servers and operating systems simply won't capture our attention as we can get research on this stuff for free all over the place. What we can't find is research on open source from an industry vertical perspective. Consider the economics of modern IT and ask yourself the question: which does an enterprise spend more monies on, software targeted at their vertical such as Policy Administration, Claims Administration and so on, or Linux Operating Systems, ECM products, etc.? The value proposition should become more apparent.
My second thought is that enterprises tend to value face-to-face interactions and won't usually purchase something from someone whom they have never met. On the surface this problem feels insurmountable in that decision making isn't just about meeting one or two folks from the enterprise and relying on influence but rather engaging in a larger conversation with lots of folks. The one opportunity I see within my own vertical is for industry analysts to consider participating in conferences that are vertical specific as well as our consortiums. May I suggest folks have a conversation with ACORD?
Pat Patterson of Sun
- You have been known to give folks from Sun a hard time regarding the extreme focus on identity while you keep mentioning that fine-grained authorization is a bigger problem. Have you considered the fact that most Sun employees aren't responding because this might not be in their area of expertise?
I am a big believer in the notion of six degrees of separation and believe that while the bloggers from Sun I interact with may not have the knowledge or depth to talk about things such as XACML, there are other employees within Sun that do and they can't be too far removed from them. That Sun shows leadership within the industry by creating reference implementations for incredibly valuable specifications such as SPML and XACML yet doesn't market them feels like a tragedy.
Sometimes, I also blog not because I expect a reply but because I expect movement on a suggestion. For example, I believe that Sun has the ability to not just compete in the marketplace but to dominate, yet they are in many ways wandering around alone in the wilderness. On my side of town, Microsoft will at a moment's notice send in their staff to talk on software development topics to not just our executives and architects but also the development community, who have absolutely zero power to procure anything more than a candy bar, and do so without turning it into a thinly veiled sales presentation. This makes me ask myself what it would take for Sun to also step up in a similar capacity.
Sun has some really great employees they are hiding. I know that companies on my side of town would appreciate a two-hour conversation with Ramesh Nagappan on Core Security Patterns or even yourself in terms of Federated Identity. For the record, I would love to see this happen not just as a customer but also as a potential investor.
Ismael Ghalimi of Intalio
- You have figured out novel ways of integrating BPM with enterprise security yet you haven't shared this publicly. Would you be willing to speak at an upcoming OMG meeting?
Phil Gilbert of Lombardi Software did invite me to speak on this topic but I respectfully declined due to travel/budget considerations. I have committed though that the next time the OMG has an event on the East Coast, I will be more than glad to share my thoughts in this space.
Hopefully, this will serve as evidence as to the types of questions that vendor bloggers are more than welcome to ask. Let's engage in an open, meaningful dialog for all to observe without the need to censor oneself. If you feel there is merit in me putting words into other folks' mouths, please leave a comment. Likewise, if you passionately object, then definitely trackback...