Monday, July 16, 2007
Public Acknowledgement to Billy Cripe of Oracle
In many ways, Billy did sense a trap of sorts, but it was not what he thought it would be. In some ways, he actually avoided answering the question. His comment, "The first question sets up a false dichotomy in asking whether I think enterprises *should* have multiple ways of doing IRM OR whether I think they should be able to integrate what they already have with Oracle ECM," is much simpler than it appears.
For a moment, let's assume that all products discussed going forward meet business and technical requirements (with the exception of implementing standards). The question is merely to figure out whether software vendors understand that duplication of functionality is generally a bad idea, which is separate and distinct from whether the duplication has already occurred. I was hoping that Billy Cripe would have provided suggestions for how enterprises could, for example, leverage Oracle ECM while also leveraging the existing IRM solutions they already have in-house.
Billy also avoids a trap that I didn't establish. He states: "The second question is a better one. James asks what should happen to content and its protection if a non-Oracle app is authoritative for determining usage and whether or not this should be based on standards." In this particular situation, I wasn't referring to IRM at all but merely referring to the variety of ways that documents in a repository could be protected.
It is important to understand that the repository could implement ACL-based approaches where security is embedded within it. It could also externalize security using a variety of approaches, one of which is using IRM. The method less discussed is the case where you need not only to externalize security but also to keep it synchronized with other enterprise products.
Consider for a moment a scenario in which a law firm was impressed by Ismael Ghalimi and has purchased the Intalio BPM suite (yes, I know it is open source) and wants to define an entitlement for a set of documents stored within the ECM repository based on business process. One of the entitlements they want to define is that only the current user of the process can access all documents associated with it. One could possibly use IRM to pull off this type of interaction, but I believe that XACML may be a better fit.
The ability to declare a security model on resources such as documents and combine it with roles as specified within a BPM system is powerful. Unlike IRM, I don't have to create yet another identity store nor deal with lots of little micro changes that will fail to scale over time. I will never run into an out-of-sync issue or the other problems that manifest themselves in IRM implementations. Of course, one could argue that they are not mutually exclusive and in fact could be complementary in many regards, but I am trying to keep the example simple. Besides, acknowledging them as complementary at any level may require that the product first implement both approaches.
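As an added example (not from the original post, and not Oracle's or Intalio's code), here is how the law firm's entitlement could be expressed as an XACML 2.0 policy: read access to a document is permitted only when the requesting subject-id equals the current user of the process the document belongs to. The urn:example: attribute identifiers and the assumption that a Policy Information Point resolves the current-user attribute from the BPM engine are mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumption: a PIP resolves urn:example:bpm:current-process-user from the BPM engine
     for the document's process instance, so the policy itself stores no identities. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="urn:example:policy:bpm-current-user-documents"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Only the current user of a business process may read its documents.</Description>
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">document</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:example:resource:type"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- Permit when the authenticated subject is the process's current user. If either
       attribute is missing, string-one-and-only yields Indeterminate, so access fails closed. -->
  <Rule RuleId="permit-current-process-user" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <ResourceAttributeDesignator AttributeId="urn:example:bpm:current-process-user"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Everyone else is denied explicitly; first-applicable only reaches this rule
       when the permit rule above did not match. -->
  <Rule RuleId="deny-all-others" Effect="Deny"/>
</Policy>
```

When the BPM engine reassigns the process to another user, the PIP returns the new value on the next request, which is the synchronization point that would otherwise have to be replicated into an IRM identity store.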
Your statement, "XACML and its potential SAML payload are fine if the business decides to implement them and if both applications looking to share the data understand them. The providers have to decide whether or not it is in their interest to step up and be first given the little recognizable net benefit," is a little confusing. Folks may decide that it is a good idea to leverage Oracle's purchase of Oblix and will want to use SAML to provide SSO throughout enterprise applications, including ECM. One could conclude that if you ever wanted to integrate BPM with ECM, SSO would probably be an important business requirement.
I also know that many Oracle employees not only understand SAML and XACML but have managed to actually show industry thought leadership in this space and may feel hurt by your comments. Have you heard of Prateek Mishra, Rich Levinson, Nishant Kaushik, and Mark Wilcox? They have done wonderful things and demonstrated great interoperability at the recent Catalyst event. I suspect that if you talked with them, your opinion would change over time and you might even figure out that you have a competitive advantage in implementing security standards such as SAML, XACML and SPML within Fusion ECM and just haven't realized it. You are already miles ahead of Documentum, Alfresco, FileNet and others when it comes to implementing services, so why not seize the opportunity when it comes to implementing enterprise security features...