Wednesday, November 14, 2007


Enterprise Architecture: How should BPM converge with Enterprise Security?

Phil Gilbert, CTO of Lombardi Software left an interesting comment in my blog that I wanted to share and of course analyze...

Below are snippets from his comments: So far we are in agreement.

It is good news to hear that Lombardi Teamworks acknowledges the importance of supporting SAML and that you have a capability that doesn't exist in Intalio, Pega and others. Of course, one should ask why the others don't have it and whether implementing it should really be that difficult. Many BPM engines run on top of J2EE containers such as BEA WebLogic Server, which provide support for SAML as well as other methods for passing identity around. In the BEA world, a product vendor needs to hook into the Identity Asserter mechanism and simply leverage it.
The rationale for storing policies centrally is more than just one product needing to be its own enforcer. In an integrated world where a BPM engine needs to talk to an ECM engine, it is important that the two enforce the same access control policies.
It is good to see that XACML checks are done to protect web services, but they may also be leveraged by UI components, since access enforcement may require displaying or not displaying a particular feature or function.
While everyone stores metadata inside the process definition, there is no technical reason why it can't also store a pointer to an XACML PEP. At a minimum, there is a semantic issue around whether a process can be self-contained within a single engine or spans several.
Could you, in an upcoming blog entry, explain in more detail not how things work today but what the real constraint is on BPM engines leveraging XACML? Likewise, it would be equally interesting to understand other aspects of BPM engines, such as their support for asymmetric encryption, log management and the ability to leverage existing directory services. After all, I think many would agree that a BPM engine should store processes, not users.
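To make the "one central policy, several enforcement points" argument concrete, here is an added example (my own illustration, not code from Lombardi, Intalio, Pega or any other vendor discussed on this page). It is a tiny XACML 3.0 subset: one policy document with three rules, a minimal PDP that evaluates Target/AnyOf/AllOf/Match with string-equal under deny-overrides, and two PEPs that consult it, one guarding a BPM or ECM web-service operation and one deciding which buttons a task UI should render. The attribute ids `urn:example:role` and `urn:example:doc-status`, the policy itself and all requests are constructed for the example; the standard XACML category and function URNs are real.

```python
"""Added example: one XACML policy shared by a web-service PEP and a UI PEP.

Illustrative XACML 3.0 subset (Policy/Rule/Target/AnyOf/AllOf/Match, string-equal,
deny-overrides). Not any vendor's code; policy, attribute ids and requests are
constructed here.
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"          # hypothetical attribute id (assumed for the example)
STATUS = "urn:example:doc-status"  # hypothetical attribute id (assumed for the example)
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_OVERRIDES = {"urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides",
                  "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"}


def match(category, attr_id, value):
    """Render one <Match>: string-equal of a literal against an attribute bag."""
    return (f'<Match MatchId="{EQ}"><AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attr_id}" '
            f'DataType="{STR}" MustBePresent="false"/></Match>')


# Constructed policy, stored once centrally; the BPM engine, the ECM engine and the
# task UI all evaluate this same document instead of each encoding its own rules.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="bpm-ecm-shared" Version="1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <Rule RuleId="approver-may-approve" Effect="Permit"><Target><AnyOf><AllOf>
    {match(SUBJECT, ROLE, "approver")}{match(ACTION, ACTION_ID, "approve")}
  </AllOf></AnyOf></Target></Rule>
  <Rule RuleId="staff-may-read" Effect="Permit"><Target>
    <AnyOf><AllOf>{match(SUBJECT, ROLE, "clerk")}</AllOf><AllOf>{match(SUBJECT, ROLE, "approver")}</AllOf></AnyOf>
    <AnyOf><AllOf>{match(ACTION, ACTION_ID, "read")}</AllOf></AnyOf>
  </Target></Rule>
  <Rule RuleId="never-approve-drafts" Effect="Deny"><Target><AnyOf><AllOf>
    {match(ACTION, ACTION_ID, "approve")}{match(RESOURCE, STATUS, "draft")}
  </AllOf></AnyOf></Target></Rule>
</Policy>"""


def _q(tag):
    return f"{{{XACML}}}{tag}"


def _match_holds(m, request):
    wanted = m.find(_q("AttributeValue")).text
    d = m.find(_q("AttributeDesignator"))
    bag = request.get(d.get("Category"), {}).get(d.get("AttributeId"), ())
    return wanted in bag


def _target_holds(target, request):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request."""
    if target is None:
        return True
    return all(
        any(all(_match_holds(m, request) for m in allof.findall(_q("Match")))
            for allof in anyof.findall(_q("AllOf")))
        for anyof in target.findall(_q("AnyOf")))


def evaluate(policy_xml, request):
    """Tiny PDP: returns "Permit", "Deny" or "NotApplicable" under deny-overrides."""
    policy = ET.fromstring(policy_xml)
    alg = policy.get("RuleCombiningAlgId", "")
    if alg not in DENY_OVERRIDES:
        raise ValueError(f"unsupported combining algorithm: {alg}")
    if not _target_holds(policy.find(_q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(_q("Rule"))
               if _target_holds(r.find(_q("Target")), request)]
    if "Deny" in effects:          # any applicable Deny wins
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


def build_request(roles, action, doc_status):
    """Context handler: maps what a PEP knows (roles from the SAML assertion, the
    requested action, document metadata) onto XACML attribute categories."""
    return {SUBJECT: {ROLE: set(roles)},
            ACTION: {ACTION_ID: {action}},
            RESOURCE: {STATUS: {doc_status}}}


def service_pep_allows(roles, action, doc_status, policy_xml=POLICY_XML):
    """PEP guarding a BPM or ECM web-service operation. Only an explicit Permit lets
    the call through; Deny, NotApplicable and evaluation errors are all refusals."""
    try:
        return evaluate(policy_xml, build_request(roles, action, doc_status)) == "Permit"
    except ValueError:
        return False


def ui_pep_visible_actions(roles, doc_status, candidate_actions, policy_xml=POLICY_XML):
    """PEP inside the task UI: asks the same policy which buttons to render, so the
    screen and the service cannot drift apart."""
    return [a for a in candidate_actions
            if service_pep_allows(roles, a, doc_status, policy_xml)]


if __name__ == "__main__":
    print(service_pep_allows(["approver"], "approve", "submitted"))          # True
    print(service_pep_allows(["approver"], "approve", "draft"))              # False
    print(ui_pep_visible_actions(["clerk"], "submitted", ["read", "approve"]))  # ['read']
```

Two caveats a practitioner would check: the PEPs treat anything other than an explicit Permit (including NotApplicable and an unsupported combining algorithm) as a refusal, and hiding a button in the UI is a usability nicety, not a control; the web-service PEP must still run the same check on every call.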

There are two dimensions to security. The first is security features, which we have done a great job of talking about. The second, which we haven't discussed yet, is whether the design and coding of a given product is itself secure. I would be intrigued to learn what occurs within the walls of Lombardi Software to make sure a design meets not just the functional needs of customers but also their often unstated security needs. Likewise, I would be even more interested in learning what tools Lombardi uses to ensure secure coding practices have been strictly adhered to. Do you leverage Ounce Labs, Fortify Software or others?

It is a good thing to see CTOs participating in the public discourse. To encourage others to participate, I ask that we trackback to each other. Likewise, it would be great to hear from Bruce Silver, Sandy Kemsley and other industry analysts on their perspectives on BPM and Enterprise Security and how they should converge...
