Saturday, October 27, 2007
How Industry Analysts weaken Enterprise Security...
Bob Blakley, Dan Blum, James Governor, Gerry Gebel and others do a wonderful job of covering the potential of identity and how it is game changing, but the discussion almost always turns into a discussion about products rather than the problems that are left unsolved.
Consider the simple fact that the Burton Group and Gartner have pretty good coverage of products that support XACML. They have covered all of the vendors that provide Policy Administration Points, such as BEA, Securent, Jericho Systems, Oracle, Sun and so on. They will figure out whether these products are interoperable, yet they won't tell you what is missing.
If you aren't guilty of practicing management by magazine and realize that you need to do your own analysis, it becomes apparent that XACML needs to be implemented within enterprise applications such as BPM, CRM, ECM and so on. Have you ever observed Alan Pelz-Sharpe or Bruce Silver ask Documentum, Hyperion, Stellent, Nuxeo, Intalio, Lombardi Software or Alfresco whether they implement this security specification, or any security specification for that matter?
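To make concrete what "implementing XACML within an enterprise application" means, here is an added example (written for this post, not the code of any vendor or product named above) of a document repository externalizing its authorization decision: a Policy Enforcement Point builds a request from the caller's role and the document type, and a small Policy Decision Point evaluates a hand-written XACML 2.0 policy against it. The policy, the `editor`/`viewer` roles and the `contract`/`invoice` document types are constructed sample data; the evaluator supports only a subset of the specification (string-equal Target matching, Permit/Deny rules without Conditions, deny-overrides combining) and takes the request as a plain attribute dictionary rather than a full XACML Request document.

```python
"""Minimal XACML 2.0-subset policy decision point (PDP) plus the enforcement
point (PEP) an ECM or BPM product would embed to externalize authorization.

Added illustration for this post; not the code of any vendor or product named
here. Supported subset: Target matching on subject/resource/action attributes
with string-equal, Permit/Deny rules without Conditions, deny-overrides.
The request is passed as a plain dict of attributes rather than a full
XACML <Request> document (a simplification).
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE_ATTR = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: nobody deletes, editors may write contracts, anyone may read.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="contracts"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="nobody-deletes" Effect="Deny"><Target><Actions><Action>
    <ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">delete</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/></ActionMatch>
  </Action></Actions></Target></Rule>
  <Rule RuleId="editors-write-contracts" Effect="Permit"><Target>
    <Subjects><Subject><SubjectMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">editor</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{XS_STRING}"/></SubjectMatch></Subject></Subjects>
    <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">contract</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/></ResourceMatch></Resource></Resources>
    <Actions><Action><ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">write</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/></ActionMatch></Action></Actions>
  </Target></Rule>
  <Rule RuleId="anyone-reads" Effect="Permit"><Target><Actions><Action>
    <ActionMatch MatchId="{STRING_EQUAL}"><AttributeValue DataType="{XS_STRING}">read</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/></ActionMatch>
  </Action></Actions></Target></Rule>
</Policy>"""


def _match(match_el, attrs):
    """Evaluate one *Match element against the request attributes of its category."""
    if match_el.get("MatchId") != STRING_EQUAL:
        raise ValueError(f"unsupported MatchId {match_el.get('MatchId')}")
    wanted = match_el.find("x:AttributeValue", NS).text
    designator = next(ch for ch in match_el if ch.tag.endswith("AttributeDesignator"))
    return attrs.get(designator.get("AttributeId")) == wanted


def _target_applies(target_el, request):
    """XACML Target semantics: every category present must match; within a category
    the Subject/Resource/Action alternatives are OR-ed and their Match elements AND-ed."""
    if target_el is None or len(target_el) == 0:
        return True  # an absent or empty Target applies to every request
    for category, group_tag in (("subject", "Subjects"), ("resource", "Resources"), ("action", "Actions")):
        group = target_el.find(f"x:{group_tag}", NS)
        if group is None:
            continue
        attrs = request.get(category, {})
        if not any(all(_match(m, attrs) for m in alt) for alt in group):
            return False
    return True


def evaluate(policy_xml, request):
    """PDP: return Permit, Deny or NotApplicable using deny-overrides rule combining."""
    policy = ET.fromstring(policy_xml)
    if not _target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable"
    effects = [rule.get("Effect") for rule in policy.findall("x:Rule", NS)
               if _target_applies(rule.find("x:Target", NS), request)]
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def pep_allows(role, action, doc_type="contract"):
    """PEP inside a hypothetical document repository: builds the request from the
    caller's role and the document's type, and treats anything but Permit as denied."""
    request = {"subject": {ROLE_ATTR: role},
               "resource": {RESOURCE_ID: doc_type},
               "action": {ACTION_ID: action}}
    return evaluate(POLICY_XML, request) == "Permit"


if __name__ == "__main__":
    for role, action, doc in [("editor", "write", "contract"), ("viewer", "write", "contract"),
                              ("editor", "delete", "contract"), ("viewer", "read", "invoice")]:
        print(role, action, doc, "->", "allowed" if pep_allows(role, action, doc) else "denied")
```

The point of the exercise is the division of labour: the repository only builds attributes and enforces the answer, while the policy lives outside it where it can be administered and audited. Note that the PEP treats `NotApplicable` the same as `Deny`, which is the fail-closed behaviour a practitioner should insist on when checking whether a product "implements" the specification.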
How difficult would it be for Anne Thomas Manes, Nick Gall or others who aren't security focused to understand whether the products they cover are secure?
Alex Fletcher of Entiva asked whether industry analysts are doing their part to cover open source, which is a great question. I wonder if a better question is whether industry analysts are doing their part to make software more secure.