Tuesday, July 31, 2007
More Links for 2007-07-31
I wonder if Cindy Sheehan gets advice from Kathy Sierra?
An ECM system having a built-in job scheduler feels like a bad idea. Duplicating functionality built into pretty much every operating system while ignoring more important missing functionality is curious behavior.
Charles Babcock comments on open source databases and why Oracle should worry but gets it twisted by classifying EnterpriseDB in this category which is flat wrong. I defy anyone to produce 100% of the source code for EnterpriseDB. A product built on open source doesn't make it open source
Dan Morrill is doing homework. I wonder if he has thoughts on whether vendors should embrace secure coding practices and scan all of their code with tools from OunceLabs, Klocwork or Coverity
I am not sure that the bushitler crowd doesn't hate it as well
Links for 2007-07-31
The Public Company Accounting Oversight Board (PCAOB) spent $3 million on a document management system from Documentum, and it has been a complete waste of money. The PCAOB tries to blame itself for the waste, but the reality, as many within the blogosphere see it, is that it's a combination of overpriced and overly complex software wrapped in a proprietary license, and an effort to force-feed square-peg technology onto round-peg people. I wonder what it would have cost to inject security into their implementation?
If there are so many, why are enterprises still wasting good money by spending millions on closed source? There has to be at least one good one! I wonder if noted Alex Fletcher of Entiva has any thoughts?
I wonder why folks spend so much time comparing EA methodologies when most EA organizations don't use any of the ones they mention. In fact, I bet if you were to survey EAs in the financial services world, you would get less than 1% adoption of Zachman.
Glad to see that others acknowledge that Federal Enterprise Architecture is a big fat joke!
I wonder what the ratio is of noted reviewers who came from other software vendors and academia vs. the number of folks who are actually employed by large enterprises that have to comply with PCI?
I wonder if others in the blogosphere believe the world of enterprise content management has gone multi-vendor, and the proprietary-heavy Documentum was starting to look crusty and demanding next to the competition.
Hillary Clinton is partnering with Tata and helping move more IT jobs out of America. Bushitler will be done with his second term shortly. Clinton is incompetent and Edwards is an idiot, so I guess IT folks have no choice but to vote for Obama.
Books like these feel like cliché propaganda propagation guides.
I wonder if JP Rangaswami allows his employees to telecommute?
Us folks in large enterprises are the biggest creators of large carbon footprints. What would it take for enterprise architects to encourage consulting firms to tell their folks to work from home and not to have so much face time with us
Monday, July 30, 2007
Even More Links for 2007-07-30
There is no GREATER feeling in the world than to know that you did something to make a difference in someone's life...
Glad to see that others are acknowledging that IT expense should not track the same as Corporate Revenue. If it does, it points to an enterprise architecture team that can't figure out how to add scale to the IT platform
I wonder what the opportunity for Flex is to integrate with Documentum?
San Fernando is kinda wild, hence the reason I lime in Sangre Grande
Brenda Michelson of Elemental Links is speaking so attendance is mandatory...
It feels strange at some level that vendors are spending more time taking care of industry analysts than their customers.
I wonder if Neil Ward-Dutton would inquire with the BPM vendor how they plan on integrating with enterprise security concerns such as out-of-the-box support for SAML and XACML, and whether BPM should focus on process stores and not user stores, similar to what Brian Huff enumerated about an ECM that should store content, not users?
Only a Gartner analyst (Jim Davies) would ask such a question without exploring whether expectations may be set too low!
More Links for 2007-07-30
Curt Devlin of Microsoft moves beyond the current over-focus on identity and provides prescriptive architectural guidance for an enterprise authorization strategy. It makes the case for developing an enterprise authorization gateway. Discussion touches on some of the enterprise-level requirements and challenges that motivate this approach.
The best way to get good at speaking in public is to speak in public. This is one skill that many Enterprise Architects lack and should make as a 2008 resolution
Finally, someone is talking about industry problems which don't get much airtime
Craig Randall mentions that customers expect ECM leaders like EMC to support industry standards and to drive them too, but doesn't mention which ECM standards EMC is driving. Isn't this ironic?
Mark Masterson commented that he was researching the XACML standard. I wonder how his homework is going? Maybe he has already checked out Aqualogic Enterprise Security and Securent to understand the value proposition of ensuring a consistent security model across BPM and ECM implementations
David Linthicum and Andy Mulholland manage to get it twisted and have decided to ignore the phenomenon that occurs within large enterprises, especially where there are 30 year old legacy applications in production, where IT knows more about how the business works than the business does and can therefore serve dual roles.
Maybe the problem is that folks in the Federal Government don't understand the real meaning of governance, which is about changing a behavior model and not about having the OMB run Hitler-like, comprehensive-documentation-that-sits-on-the-shelf compliance programs. Maybe Andy Blumenthal needs to encourage Federal Chief Architects to stop being insular in their thinking and observe how folks in large enterprises practice EA, as they may learn something.
While I have suggested to others, that in Glock we trust, my personal weapon of choice is the EAA Witness 9mm loaded with Federal Hydrashok's. Consider giving a donation to the National Rifle Association and support the second amendment...
Mistakes made by software security vendors when interacting with large enterprises...
I had the opportunity of participating on a conference call with the CTO and the VP of Engineering for a security product we use where the context of the call was in gathering requirements of us as a client. The sales guy participated in the early part of the conversation but had to drop off in order to catch another call.
There was one point where they wanted to understand my perspective on a particular use case and the best method for understanding its relative importance. The CTO and the VP of Engineering started a pretty passionate debate with each other as I listened on. They probably broke every rule in the book when it comes to things you shouldn't do in front of customers.
The funny thing is that if the sales guy had hung around, emails would have been flying around about the behavior of individuals and how they displayed inappropriate conduct in front of customers and the whole perception is reality bullshit that has become so pervasive.
After the call, my peers and I reflected on what we heard and concluded that their behavior was not only inappropriate but highly desirable, and we needed to figure out how to get other vendors to behave in this way. We felt special in that folks were displaying extreme passion in terms of understanding the problems we face, our thoughts and desires, and weren't just giving us the usual scripted, pre-rehearsed diatribe as practiced by vendors, along the lines of the humorous monotone "your call is important to us" white lie.
We could tell without a doubt that they were savagely passionate about the topic. At the end of the call, they simply asked if it was OK to send us emails with additional questions. Over the next couple of days, I made it a priority to respond to their questions since they engaged my intellectual curiosity and I can honestly say that I haven't had a great dialog with a vendor in such a long time.
By ignoring the whole perception is reality culture, they have done more to get on my radar and ultimately win business than others within the blogosphere who respond cordially but otherwise provide little value.
I was ecstatic that they not only suggested in a friendly manner how I should alter my thinking but also provided factual reasons as to how to do it better. The realization that folks desire solutions and not just responses is something that others need to internalize...
Links for 2007-07-30
An enterprise canonical domain model (ECDM) is a model that is focused on the business events and the data+documents+messages needed as part of orchestrating the events into business processes by composing services. I have mixed opinions of the value of such an approach
The notion of complex event processing and business rules engines aren't deeply discussed within the blogosphere nor within the walls of most large enterprises. I wonder if folks aren't doing a good job in terms of explaining its value proposition.
Ismael Ghalimi is one of the brightest bloggers on the topic of BPM within the blogosphere. I wonder what his thoughts are when it comes to using AJAX with ECM products such as Alfresco, Stellent and Documentum? Unification of the Office 2.0, BPM and ECM ecosystems is in desperate need for standards.
A great read on the architecture of Java for all especially if you program in second-class languages such as Smalltalk
I wonder if Krishnan Subramanian believes that industry analysts may suffer from the same problem?
Dave Dargo has written a thoughtful piece on one problem with proprietary software today: it spends too much time isolating itself as a product, rather than opening up itself and combining to create solutions. This mentality is witnessed in the ECM space more than in any other ecosystem. If you want proof, visit the blogs of Craig Randall and James Robertson
Sunday, July 29, 2007
Why the tech media doesn't get open source
Alex provides insight into Why the tech media doesn't get open source, which for the most part I agree with, but I feel he could have also addressed the below considerations:
- Tech Media has less separation between coverage and advertising: Consider the fact that advertising revenues tend to drive more of the coverage of products than anything else. If open source projects don't advertise then they don't get coverage. In the newspaper industry, reporters are not shadowed by advertising sales executives yet if a software vendor in the technology industry wants to talk with Gartner, they are shadowed by a salesperson
- Coverage needs to be bi-directional: Alex mentions the need for proactive outreach yet doesn't discuss why the media can't reach in and are heavily dependent on being spoonfed information. Like crack addicts, maybe they need to break the habit. For example, if the media wanted to cover Liferay Enterprise Portal and wanted to know which Fortune enterprises are using it, instead of sitting on their butts waiting for an official response, they could simply log into the listserv and pay close attention to the fact that the from address field may contain well-known domains of Fortune enterprises
- Industry Analysts are the Media: Many analysts attempt to describe their value proposition in a way that is disconnected from the media but in all reality, no one truly believes it. From the perspective of a software vendor, industry analysts are the media where the sole goal is to get quoted. Industry analysts believe their value proposition is more than just quotes and customer leads but do software vendors? If analysts are frequently quoted by the media, how come they aren't proactively outreaching as well?
- Maybe they shouldn't cover open source at all: Open Source really shouldn't be thought about as product choices as this is degrading to the real value proposition. When I speak at conferences (borrowed from Doc), I ask folks to explain which story is easier to tell? The story told by a well-dressed sales executive and all the wonderful things they do for their clients or the story of the poorly dressed developer employed by a large enterprise and all the wonderful things they do for themselves but usually aren't allowed to talk about it due to media relations policies. Maybe the media should start telling the harder story...
Enterprise SOA: Not everything should be a service!
The browser is an important consumption point but so too are the growing syndication ecosystems of which the blogosphere is the largest example. More and more tools are willing to consume RSS and ATOM, often in preference to SOAP, including the forthcoming version of Vista where syndication-friendliness is a core value. Carefully consider offering your services in RSS form or even ATOM, which has a two-way REST model. Likewise, the ability to build on standards without regard to figuring out traps like common models will help you be successful faster.
Syndication will further increase consumption scenarios and therefore adoption. Content syndication is growing into a very potent force inside and outside the enterprise and plugging an SOA -- strategically or tactically -- into one of these ecosystems has terrific upside potential. Not every SOA service can or should be converted to a syndication model, but if you aren't considering this option with each service you create, you should be; there are tens of millions of RSS feeds available today, starting from zero in the beginning of 2003. How many SOAP services presently exist worldwide? Only a tiny, tiny fraction of this and there are good reasons for it.
I wonder if ECM vendors agree and believe this should be out-of-the-box functionality?
Links for 2007-07-29
Get familiar with John Newton of Alfresco, as he is one of the few examples of leadership within the world of ECM and will be the one that brings sanity to this domain
Good to see that SANS is focusing on the vulnerabilities of software. It would be interesting if they provided public metrics on which open source projects are the best example of secure software. In my travels, none has proven more secure than Liferay Enterprise Portal
I would like to see the next innovation be security application instrumentation, where you devise your application to report not only performance and fault logging, but also security and compliance logging.
Don’t be afraid of challenging the status-quo. True excellence as a security executive and leader demands you are willing to think differently.
I wonder if the folks over at AFLAC understand that their wonderfully accepted case study and success still puts them years behind the leaders within their industry vertical?
While I am happy that the folks over at Ping Identity stepped up to fill in the gap, how come no one is pressuring salesforce.com to embrace user-centric approaches such as CardSpace natively?
Is this a good approach to utilizing the SAML 2.0 infrastructure to help distribute trust in PGP/S-MIME e-mail PKI?
It seems as if all the ECM folks haven't listened as they savagely promote sub-optimal security models under the label of IRM
ECM: Insights despite the inciting
- I’m becoming rather bored of the barbs. Yet, despite them, it’s worth providing answers to reasonable questions
- I’ve said as much already in my blog, which by the way is a personal weblog and not a vendor weblog.
- I don’t think savagely of James or anyone else, supposedly thinking: “the easier it is to get rid of your product, the more we like you.” Actually, I’m fully of the mind that you should be in full control of your content, metadata, identity, etc. In this sense, I think that the opposite generally holds: the more you respect what flows in your platform, the more your platform will be relied upon.
- Being candid, I am not a security nor an identity expert, and I’ve never advertised myself as one. Regardless, these are critical aspects of any ECM platform, and DFS does afford greater openness via its support of SOAP, WSDL, WS-Security, etc.
I am not sure that any of my comments require anyone to be a security or identity expert. I think if you understand that DFS is a client tier API and that all one has to do to bypass it is to simply not use it, then it is inherently insecure. In terms of support for WS-Security, all this means is that there is a place to put security stuff in the SOAP header. It doesn't mean that just because you support WS-Security, support for SAML, Kerberos, WS-Federation and so on follows. I was simply looking for a deeper understanding of your past blog entries. Some folks will say they support WS-Security only to be still stuck with username/password constructs, which at some level is dishonest.
Likewise, one should acknowledge that there is a difference between server APIs and client APIs. I hope that you are noodling as part of your day job making both aspects of the equation extensible...
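To make the WS-Security point concrete, here is an added example (my own illustration, not DFS, Documentum or anything from Craig's blog) that parses the wsse:Security header of a SOAP request and reports which token profile it actually carries. The three envelopes are constructed samples; the namespace and ValueType URIs are the OASIS WSS 1.0/1.1 ones. Point the same check at a real endpoint's request log and you find out quickly whether "supports WS-Security" means anything beyond a UsernameToken.

```python
"""Report which WS-Security token profile a SOAP request actually carries.

Added example, not DFS/Documentum code. The three envelopes below are
constructed samples; the URIs are the OASIS WSS 1.0/1.1 namespace and
ValueType identifiers.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
USERNAME_PROFILE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
BINARY_TOKEN_TYPES = {  # ValueType URI -> short label
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ": "Kerberos",
    "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5_AP_REQ": "Kerberos",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3": "X509",
}
BASE64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def _qname(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def classify_tokens(envelope_xml):
    """Return one label per child of the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return ["no-security-header"]
    labels = []
    for token in security:
        if token.tag == _qname("wsse", "UsernameToken"):
            pw = token.find("wsse:Password", NS)
            # Per the Username Token Profile, a Password without Type is PasswordText
            ptype = pw.get("Type", USERNAME_PROFILE + "#PasswordText") if pw is not None else "NoPassword"
            labels.append("UsernameToken:" + ptype.rsplit("#", 1)[-1])
        elif token.tag == _qname("wsse", "BinarySecurityToken"):
            labels.append("BinarySecurityToken:" + BINARY_TOKEN_TYPES.get(token.get("ValueType"), "unknown"))
        elif token.tag == _qname("saml1", "Assertion"):
            labels.append("SAML1Assertion")
        elif token.tag == _qname("saml2", "Assertion"):
            labels.append("SAML2Assertion")
        else:  # wsu:Timestamp, ds:Signature and friends are not credentials
            labels.append("other:" + token.tag.rsplit("}", 1)[-1])
    return labels or ["empty-security-header"]


def relies_on_password(envelope_xml):
    """True when the only credential presented is a username/password."""
    creds = [l for l in classify_tokens(envelope_xml) if not l.startswith("other:")]
    return bool(creds) and all(l.startswith("UsernameToken:") for l in creds)


# Constructed sample envelopes (same body, different credential in the header).
_ENV = ('<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:saml2="%s">'
        '<soap:Header><wsse:Security>%%s</wsse:Security></soap:Header>'
        '<soap:Body><getObject/></soap:Body></soap:Envelope>'
        % (NS["soap"], NS["wsse"], NS["saml2"]))
USERNAME_ENVELOPE = _ENV % (
    '<wsse:UsernameToken><wsse:Username>jdoe</wsse:Username>'
    '<wsse:Password Type="%s#PasswordText">s3cret</wsse:Password></wsse:UsernameToken>'
    % USERNAME_PROFILE)
SAML_ENVELOPE = _ENV % (
    '<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2007-07-29T12:00:00Z">'
    '<saml2:Issuer>https://idp.example.com</saml2:Issuer></saml2:Assertion>')
KERBEROS_ENVELOPE = _ENV % (
    '<wsse:BinarySecurityToken ValueType="%s" EncodingType="%s">YIIBhQYJKoZIhvcSAQICAQBu</wsse:BinarySecurityToken>'
    % ("http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ", BASE64_ENCODING))

if __name__ == "__main__":
    for name, env in [("username", USERNAME_ENVELOPE), ("saml", SAML_ENVELOPE), ("kerberos", KERBEROS_ENVELOPE)]:
        print(name, classify_tokens(env), "password-only:", relies_on_password(env))
```

The classifier deliberately treats timestamps and signatures as "other": a signed message with a UsernameToken is still a username/password scheme, which is exactly the case the vendor claim tends to gloss over.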
- DFS is a forthcoming enhancement to the EMC Documentum platform in its 6.0 release–one focuses on participation within and enablement of SOA, where not all services come from Documentum or into Documentum (e.g. WSDL from DFS bound into a capable third party BPM system, MEP’s between an ERP service and a DFS service, etc.).
Your previous blog entry talked about integration between Documentum and other BPM products from a UI perspective, where I asked what your thoughts were in terms of the creation of industry standards. Here you have mentioned using DFS, which I understand is a service interface and which, of course you know, is distinct from a UI way of integration.
- For example, providing XACML support means having an entitlement on every usage of every piece of content from an external source and not from Documentum’s security model.
I apologize if my questions make folks feel uncomfortable, simply attempting to understand the ECM domain at large. If I observe inconsistencies then should I not ask deeper questions about them in order to gain insight or would the ECM community prefer me to exercise my right to remain silent and only talk about the wonderful progress of features in this world kinda like the industry analysts do without understanding how ECM fits into the enterprise ecosystem?
Saturday, July 28, 2007
Identity Management Tools: Implementation is not the Issue
I got a $100 set aside to make a donation to World Vision whose mission is to feed hungry children if Pat Patterson and Mark Dixon respond to the above post as well as this one without resorting to a hybrid answer suggesting that an enterprise does both as more insight can be provided if you take the position of the extreme. It would be interesting to gain their insights on strategies around consolidation vs strategies around management especially if they are all about Active Directory.
Even greater would be if they could comment on whether vendors should not just support LDAPv3 but also support ADAM (I am not sure why non-MS employees don't think ADAM is V3 compliant, and some facts would be appreciated if you are in this camp).
I will double it to $200 if Nishant Kaushik of Oracle does the same...
A Timely Example of Needed ECM Standards
Laurence Hart outlines the following situation:
- A client has a legacy Records Management solution. It works well, though is a little dated. The client is now going to implement a Web Content Management solution. The approved web pages need to be automatically declared as a record. If these were the same ECM platform, there wouldn’t be any problem. However, they aren’t. In fact, one is Microsoft based and the other is Java based. Neither of them is Documentum, though that wouldn’t change the problem significantly.
Craig Randall can also step up to say that he acknowledges this is a big problem in the ECM domain at large and is willing to start a working group as part of AIIM with him in the leadership spot to make this problem go away. Craig could also say that he has proactively picked up the phone and planned a three-way call with himself, John Newton of Alfresco and Billy Cripe of Oracle to talk about this problem space and others from the community at large are more than welcome to listen to the discussion.
Craig states that he is Not running for office but still hasn't proposed a single solution, workaround nor planned enhancement to missing security within ECM products. I guess though that he has stated the obvious with passion that one EMC product works with another. The revelation is mind blowing. I wonder what would happen if Microsoft bloggers mentioned that SQL Server and Exchange runs on Windows platforms?
I would be willing to make a sizable donation to the Juvenile Diabetes Research Fund if Craig provided an answer as to how he believes customers who want to integrate Documentum with an entitlements management solution such as BEA AquaLogic Enterprise Security, Securent or other XACML based products should do so. Of course, I am optimistic that he won't simply throw daggers at why customers may want to do this and will focus purely on the integration aspects.
In fact, I will also make another sizable donation to a worthy charity in South America that fights hunger if he were to revisit his UI blog entry and, instead of commenting on how one EMC product could work with another, describe how he envisions Documentum integrating from a UI perspective with NON-EMC BPM products such as Intalio, JBoss, Fuego or Lombardi. Likewise, if he believes that the appropriate industry standards do not exist, what steps should he and other vendors take to make them happen...
Friday, July 27, 2007
How IT Consulting Firms contribute to Global Warming
Think about all the consultants in the blogosphere who travel Monday through Friday running from airport to airport consuming lots of energy that could otherwise be conserved.
Firms such as McKinsey, Diamond Consultants and E&Y may have their employees make multiple flights throughout the week while others such as Accenture and Bearingpoint do similar practices. How come no one ever calls them on the fact that they might be able to reduce carbon emissions by figuring out ways to work remotely? Is face time always necessary?
Even many industry analyst firms contribute to global warming. I suspect that the folks at RedMonk are probably more energy efficient than folks at Gartner? Not to let my fellow Enterprise Architects off the hook, but we too are guilty as many of us habitually kill lots of trees printing off pretty PowerPoint presentations as a matter of convenience which we bring to meetings of nebulous value...
Links for 2007-07-27
Sandy Kemsley discusses a BPM and SOA thinktank that somehow doesn't include actual end-users of products. I find this curious
I wonder if industry analysts disclosing compensation relationships in terms of quadrants would be hot or not?
Interesting read for security folks. I wonder if there is any scenario in which CardSpace could be leveraged here?
Whenever I read Craig Randall's blog, I get the feeling that he should be running for political office. His blog says a lot and says nothing at the same time. Hey Craig, how about discussing potential solutions? If you think that BPM could be a user interface to ECM, then how about suggesting better ways for them to interact?
I like this notion. In fact, I am thinking about contacting Taran Rampersad to see if he would be interested in organizing one with me in Trinidad over the holidays
Have you ever seen the research from the folks over at CMSWatch? It is actually of pretty good quality and has more depth than you would find from Gartner or Forrester. It still amazes me that enterprises will spend millions on ECM platforms but won't spend money to get access to the right research
The ECM blogger crowd has gone silent on open discussions around the lack of security standards implemented within their products. I wonder if this behavior is good or bad for their customers?
Thursday, July 26, 2007
Links for 2007-07-26
BSD is a great operating system and in many ways better than Linux. We need to move past the hype of the minute...
Noted Microsoft employee Marc Mercuri has published his book on Information Cards and CardSpace. The only deficiency I have noted is that they ignore Java. Maybe Mike Jones could figure out other authors to write the equivalent
Why are we still having conversations about how horrible project management is within large enterprises?
I wonder if James Robertson of Cincom could provide his vision for an ESB implemented in Smalltalk, or will he still allow Smalltalk to remain a second-class language?
I wonder if these folks have realized that part of evaluation is the ability to learn from others' experiences? I am willing to share if they leave a comment/trackback outlining their work contact information
Has Freeman Dyson become an evolution denier?
So, what does it mean to be enterprise ready?
Is there anything else I should add to the list?
Wednesday, July 25, 2007
Links for 2007-07-25
Sorry to hear about James Governor of Redmonk and his recent event. I wonder though if this is a situation that could have been avoided if he believed in the phrase: in Glock we trust...
I wonder if Sumanth Molakala has ever wondered why Documentum required its own user store and couldn't directly bind at runtime to something that already existed?
I wonder if the question really should be: Should EA wholesale abandon the Zachman Framework and instead focus on the human aspects instead of the comprehensive documentation that never gets used if you do use Zachman?
Alfresco has the possibility of displacing other closed source ECM platforms due to better integration
The notion of an identity governance framework as championed by Oracle needs the help of the community in order to make it stronger. Here is where I think folks from Sun could add value
Good to see that there is support for this platform. I wonder if donations to charity such as Not in my name is considered candy?
Consulting Opportunity: Security Architects
Leave a comment with your work email address, daily rate and the URL where I can view your resume...
Blogging in the Corporate World
Being a student of the human aspects of technology, over the last several weeks I have been using my peers in one of my experiments. I have been attempting to understand the notion of how memes work in our environment and concluded that several interesting behaviors exist.
Much of the communication within large enterprises is of the corporate spam type, where everyone is CC'd regardless of whether they need to receive the information. In terms of my experiment, I decided to try several tactics related to sharing security information to measure how long it would take before it started to spread as a meme. For emails where I specified 100% of the participants that needed to know the information in the To field, it didn't spread at all. I later adjusted my technique by sending information only to select individuals and encouraged them to forward it to those whom they felt would be interested, and the meme spread a lot better.
The former is obviously more efficient in terms of communication and definitely easier on the email infrastructure but the latter had the effect of leveraging two characteristics that are pervasive in enterprisey types. The first characteristic is that folks want to know something that others don't. The mindset of being in the know is pervasive. The second characteristic is that folks respond better to things that they feel have been personalized to them than information that is available to the public at large.
The notion should be in order to be more open, you sometimes need to behave more closed. I would be curious if folks such as Scott Mark, James Tarbell and others who are employed by Fortune enterprises have also observed this.
In the past, I have commented on the fact that within large enterprises my observation that They aren't going to read it also applies to blogs and wikis within the walls of most enterprises. Most of the movement regarding the push to use wikis in enterprise environments makes the argument regarding efficiency of finding, searching and publishing information while ignoring the consumption aspects.
Enterprise Architects are pretty good in terms of producing comprehensive documentation, as many of us spend time tweaking PowerPoint documents for different internal audiences. We do this not because folks can't simply go to the SharePoint and find what they need, nor because previous iterations of other documents didn't have the necessary information; we do this because IT Executive X wants to see it one way while Business Executive Y wants to see it another. In other words, enterprise architects spend a lot of time making things personal.
Before enterprises consider using Wikis they first have to transform their culture and not focus on the publishing aspects nor fall into the trap better known as knowledge management and instead figure out if they can be successful in changing the perspective of those who consume information. Usually, enterprise architects tend to interact with many parties spread throughout the enterprise and at some level are forced to adapt their style to meet the needs of consumers. If your business customers still prefer monolithic Microsoft Word documents sent to them personally via email then Wikis will fail...
Tuesday, July 24, 2007
Links for 2007-07-24
What do you stand for?
It seems as if FileNet, Optika, InvesDoc, DocStar and others are guilty of not supporting security standards
I bet bloggers from Sun in the identity management world will exercise their right to remain silent on this topic
I am disappointed that I didn't have the opportunity to present on security concerns in the world of BPM.
Good to learn about certification. Bad to learn that it is focusing on the wrong things
Ever notice how Gartner avoids depth and prefers high-level statements? I suspect that if you asked the analysts that cover ECM about security, you would be reminded of deer in headlights
Good to see Oracle demonstrating leadership in this space
Mike Walker certainly chose the right graphic for us Enterprise Architects as blowhard jamboree comes to mind.
The wisdom of do not model the past is something more EAs need to noodle. Too many folks are caught up in the whole current state, future state, gap analysis paradigm where they focus on current state because they have no clue about the future
The agile elephant states that he blogs for completely business-driven reasons, which is actually a good thing. No one truly blogs about technology solely for noble purposes, and as long as you are transparent about your intention, the blogosphere welcomes you with open arms
Thoughts on ECM and Security - Part Alfresco
Alfresco seems more aggressive in terms of supporting ECM specific standards such as JSR-170. I didn't have the opportunity to dig into the codebase as to whether they could expose documents via RSS and/or ATOM nor did I get to determine whether they fully support WebDAV including functionality such as locking but hope to analyze this later.
In terms of the design of Alfresco, it feels a lot like Documentum, only written in a modern language. Missing from Alfresco is the notion of the usual Core J2EE patterns, as the code base, while functional, could do with some major refactoring.
Bex Huff recently commented that an ECM Should Store Content, Not Users, a sin Alfresco is also guilty of. It seems as if vendors have figured out a slick response when enterprise architects inquire in this space by mentioning that they can authenticate against external stores, which is semantically different from binding at runtime and gathering all information without requiring a local copy. I hope my industry peers start separating out their questions into user stores vs authentication.
In terms of the ability to easily inject XACML and externalize authorization, it also suffers from the same problem that Documentum does, but for different reasons. The issue at hand is that permission checking in Alfresco isn't centralized, as access control checks are littered across different classes. Since Alfresco has a great relationship with Liferay, I would suggest that a future implementation refactor to something similar to com.liferay.portal.kernel.security.permission.PermissionChecker, which is a great way to approach extensible security.
Even though they have committed the sin of duplicating user stores, it does seem that they are well-positioned to support protocols such as SPML to allow identity management tools to remotely provision/deprovision users without resorting to arcane synchronization routines.
In terms of supporting SAML, I believe based on current documentation that Alfresco does have an advantage over Documentum. They leverage JAAS and have the notion of an abstract authentication component that can be extended. It would be very easy to connect this to BEA WebLogic and its notion of an Identity Asserter to allow the container to handle some of the SAML interaction while Alfresco focuses on the JAAS aspects.
In terms of other ways to do SSO, they also support the Kerberos SPNEGO protocol, which is useful in shops that run Active Directory, which 499 of the Fortune 500 run (Sun Microsystems is the oddball). Likewise, the design does seem better than other products in that they also assume the ability to plug in other search providers. I am still researching whether they have the ability to plug in other compression routines and to externalize transformations to third-party hardware providers such as DataPower...
Monday, July 23, 2007
Understanding ECM Security
When Laurence mentioned APIs and extension, I think he may have simply resorted to constraining the solution to whatever was exposed without asking the question of what APIs are missing. Can we acknowledge that there is a distinction between Client APIs and Server APIs? DFC seems analogous to ODBC/JDBC and typically runs in the client tier. Security, in order to be done correctly, requires server APIs that run in the address space of Documentum itself, which DFC doesn't address.
The issue at hand is that DFC seems like ODBC in that it abstracts the Documentum Query Language. If the grammar for Documentum, or any ECM system for that matter, doesn't support security constructs, then at best it is possible to write security features, but they will be implemented in an insecure manner.
So, the only way I can see this working, if Laurence were to take this on, would be to remove all ACLs from the server and then extend the DFC by writing a filter that would intercept all requests, apply XACML policy and process accordingly. The issue, though, is that another client not using the modified DFC could bypass any security customizations and create a big hole.
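To make the two points above concrete (the Alfresco note that permission checks should be centralized behind something like a PermissionChecker, and the DFC note that enforcement belongs in the server's address space rather than a client-tier filter), here is an added example that is not Alfresco, Documentum or Liferay code. All class and method names, the PolicyDecisionPoint interface and the clearance policy are constructed for illustration; an XACML PDP would sit where the policy interface is.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Pluggable decision point (hypothetical interface); an XACML PDP would implement it.
interface PolicyDecisionPoint {
    boolean permits(String subject, String action, String docId, Map<String, String> attrs);
}
// Single authorization choke point, in the spirit of (not a copy of) Liferay's PermissionChecker.
final class PermissionChecker {
    private final PolicyDecisionPoint pdp;
    PermissionChecker(PolicyDecisionPoint pdp) { this.pdp = pdp; }
    // Every repository operation calls this; no caller evaluates ACLs on its own.
    void check(String subject, String action, String docId, Map<String, String> attrs) {
        if (!pdp.permits(subject, action, docId, attrs)) {
            throw new SecurityException(subject + " may not " + action + " " + docId);
        }
    }
}
// Server-side repository: enforcement lives in the server address space, so a client that skips a client-tier (DFC-style) filter hits the same check.
final class Repository {
    private final PermissionChecker checker;
    private final Map<String, String> content = new HashMap<>();
    private final Map<String, String> classification = new HashMap<>();
    Repository(PermissionChecker checker) { this.checker = checker; }
    void store(String docId, String body, String level) { content.put(docId, body); classification.put(docId, level); }
    String read(String subject, String docId) {
        String level = classification.getOrDefault(docId, "public");
        checker.check(subject, "read", docId, Map.of("classification", level)); // the only ACL check
        return content.get(docId);
    }
}
// Constructed attribute-based policy standing in for an XACML rule set:
// a subject may read a document only when cleared for its classification.
final class ClearancePolicy implements PolicyDecisionPoint {
    private final Map<String, Set<String>> clearance;
    ClearancePolicy(Map<String, Set<String>> clearance) { this.clearance = clearance; }
    public boolean permits(String subject, String action, String docId, Map<String, String> attrs) {
        return "read".equals(action)
            && clearance.getOrDefault(subject, Set.of()).contains(attrs.get("classification"));
    }
}
public class Demo {
    public static void main(String[] args) {
        Repository repo = new Repository(new PermissionChecker(new ClearancePolicy(
            Map.of("alice", Set.of("public", "confidential"), "bob", Set.of("public")))));
        repo.store("doc-1", "quarterly numbers", "confidential"); // constructed sample content
        System.out.println(repo.read("alice", "doc-1"));          // alice is cleared: permitted
        try { repo.read("bob", "doc-1"); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

Swapping ClearancePolicy for a real PDP changes nothing in Repository, which is the portability argument for externalizing the policy; the check itself never moves out of the server.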
Laurence also mentioned that Documentum will be building Documentum Foundation Services on top of Documentum Foundation Classes and believes that support for SAML should be handled by the product. A security professional could foresee two scenarios, both of which are bad security:
- Documentum releases DFS with zero support for WS-Security and leaves clients on their own
- Documentum releases DFS with SAML and folks bypass this layer
Laurence, what am I missing? I am curious whether all ECM vendors use this notion of query languages and whether it has been standardized across vendors, kinda like ANSI-SQL has been standardized across databases. I am also curious whether all vendors limit the available APIs to the client tier or whether they support server APIs as well.
There was one additional thing that I am curious about. I never ran across any instructions on how to enable SSL so that the DFC could communicate over a secure channel. Curious how this is accomplished?
Maybe this is an opportunity for Gunnar Peterson to ask the ECM community at large to pay attention to Dealing with Security in an SOA World and help vendors with an architecture overhaul? The beautiful thing is that I can take a peek at Alfresco to see whether it suffers from the same design deficiencies or whether they did something more progressive. I will post my findings shortly...
Sunday, July 22, 2007
Links for 2007-07-22
Sometimes advice in the blogosphere is dangerous. I wonder if those demanding stronger password complexity have ever thought about the correlation between strong passwords and weak security. The harder you make something, the faster someone will write it down and store it in an insecure manner. Besides, what if the password is complex yet the web site stores it in plaintext? You wouldn't know...
Maybe the better answer is to not name drop clients using your technology and instead provide ideas of how it could be used for those that aren't. For example, none of the names listed in this blog are Fortune Enterprises from the Insurance vertical. Maybe suggest how it could be best used to sell automobile insurance
It is a shame that Kathy Sierra convicted folks in the court of public opinion and then decided to hide. Maybe she needs to stop being the example of what modern women shouldn't do
Pretty cartoons for Federal Enterprise Architects
James Taylor of Fair Isaac probably has thoughts on where enterprises should draw the line in terms of letting business users do programming.
If Java, .NET, Ruby and other languages have rules engines, how come Smalltalk doesn't? I wonder if James Robertson of Cincom is a reactive product manager and does only what his customers ask or is proactive and supplies what they need?
Nicholas Carr is usually the plague within the house of IT but has a thoughtful posting on old fat men
I suspect most of the identity community will avoid these questions
It's okay if most blogs suck, because most people are irrelevant to any one individual. I wonder what others think about my blog?
Thoughts on Software Advisory Boards
The first step in creating a successful business is to make sure a company has the right roles and that they are filled with the right people, and this isn't limited to employees. On a macro level the advisory board stays outside the day-to-day company operations and provides selected expertise when needed. Your advisory board has to be more about expertise and less about sales leads.
Software vendors would be well served by thinking of enterprise architects as product managers. They are a company’s think tank, architects of its design, guardians of its focus and cheerleaders. They also must be a company’s conscience, using clear eyes to bring the truth, both good and bad to the forefront.
A company doesn’t need a passionate businessperson at the helm, a robust and diverse board, and a talented executive corporate team to survive. Companies survive well enough without them all the time. What they fail to do is thrive.
Saturday, July 21, 2007
Links For 2007-07-21
Standards-compliant general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory with an LDAP interface. Written in Java and available for free download under a standard OSI-style open source licence.
One of the problems, as was pointed out before, is that software and computers don't have a fixed use that can be anticipated during the development cycle, and consequently saying that software isn't "fit for purpose" is a really tough judgment call.
Andrew Blumenthal performs EA for the United States Coast Guard. I welcome him to the blogosphere and hope he can share his thoughts on how the Federal Government could learn to adopt some of the practices from corporations when it comes to Enterprise Architecture and drop heavyweight processes and frameworks based on Zachman. Maybe he could even help me track down folks I served with in the Coast Guard starting from the days of basic training: USCG TRACEN Lima 121
PING is a live Linux ISO that can backup and restore whole partitions. It sounds like Symantec Ghost(tm), but has even better features, and is totally free.
Here is a great blog entry that I would love to know what Craig Randall, John Webber, Laurence Hart, Phil Hunt and Luis Sala think?
As I understand it, Cuba has a higher babe factor than India
One of my pet peeves in the blogosphere is when bloggers publish information in an introductory manner without including any additional insight. How come bloggers can't move beyond introductory context towards more advanced topics? If I wanted to know about introductory stuff, I would go to the vendor's web site and not search the blogosphere for introductory material especially on information cards and cardspace
There is a key phrase: Members join for various reasons and benefits, based on their business objectives which is a code phrase for it is doomed to mediocrity. This means that it will be dominated by software vendors and consulting firms jockeying for position to empty the wallets of our government while minimizing the value they have to deliver. The only hope for the Federal Government is to leverage corporate Enterprise Architects as their review board and remove the profit motive from decision making
I wonder if Jesse Wilkins has any thoughts on making content more discoverable? A more interesting question that I haven't seen talked about is how ECM vendors recommend migrating from their competitors' products. The funny thing is that I haven't seen any migration guides.
It seems to me that Alfresco and Oracle are stealing a lot of business from Documentum. I would assume that folks are leveraging bulk import utilities or industry standards such as WebDAV to move content from one repository to another, but how do they move the metadata that is associated with it? More importantly, are they forced to reconcile the disparate approaches to ACL models between products? In this situation, the ability to have a markup language such as XACML, which is portable and declarative, could ease portability.
Within J2EE, I can take an application developed for WebLogic and have it running on JBoss in less than a day. I can take a database that ran on Oracle and port it to EnterpriseDB just as fast, and it would be not only the data but the metadata around it and the security model to protect the data as well. If I wanted to migrate a portlet from BEA Portal and embrace Liferay, then it is pretty straightforward. How come ECM can't be as simple as other domains in terms of portability?
I am keenly interested in learning how folks migrate from one product to another, which tools they use, how much of what they do manually could be turned into a standard, and what others believe is the responsibility of software vendors to provide guidance on migrating from competitor products. Let the discussions begin...
India names its first female president...
Don't buy my book...
Generally speaking, programming books are a waste of time. Although my book isn't about programming some of the rationale still applies. What if folks spent more time doing instead of reading? Likewise, what if folks understood that there is more to read than programming books? What would happen if we all read classic literature or some of the holy books on Christianity, Judaism or Islam?
This is not to say that one cannot learn a lot about SOA from reading my book, as it is jam packed with knowledge. The funny thing about my book is that international sales have now crossed the number of sales in the Americas. I suspect that many developers have taken the attitude that they are not going to read because either they already know it or, if the firm wants them to do something new, it should send them on a course, so why should they read on their own time? Maybe those folks who think this way shouldn't bother reading Enterprise Service Oriented Architectures and instead should read books on polishing up their resumes...
Links for 2007-07-21
Good to see that open source ECM products such as Alfresco are actually showing leadership and making the likes of closed source entities such as Documentum play catch up.
Laurence, the best solution to getting any vendor to implement functionality is to make sure that their competitors know about it. For example, I am of the belief that John Newton of Alfresco and Billy Cripe are observing the dialog. Likewise, I believe that they may make their own respective sales staff smarter in terms of selling against their competition. Any vendor worth their salt would only let this occur for so long before realizing that they should lead and not follow
A vendor shares his perspective on the management of RFPs but doesn't comment as to their value. I suspect he deep down believes that enterprises that desire them could be better served by not using them at all. I know that I avoid them like the plague as I believe in proving out working software over reading comprehensive documentation. In fact, in an upcoming book, I am writing chapters on how to make RFPs agile. Besides, everyone knows that this process is ceremony. For example, if I were to ask any ECM or BPM vendor how they support XACML, the response would of course be positive and bullshit