Wednesday, November 14, 2007
Enterprise Architecture: How should BPM converge with Enterprise Security?
Phil Gilbert, CTO of Lombardi Software, left an interesting comment on my blog that I wanted to share and, of course, analyze...
Below are snippets from his comments:
- With respect to security, as you know, there are two fundamental issues: who are you? and what do you have access to? In general, the OASIS SAML specification deals with the former, and the OASIS XACML specification deals with the latter.
- Lombardi Teamworks explicitly supports SAML as a means of identifying who you are and passing that around. Very few, if any other, BPMS vendors support SAML and it's a non-trivial specification to implement. Lombardi Teamworks does support SAML and as a result, we have many very secure implementations and customers.
- Authorization is a bit different. Generally speaking, XACML defines (1) the mechanics of defining a central set of authorization policies, and (2) how a service accesses those policies. That is, and this is key, you want the service being accessed to be its own enforcer, based on policies set in the central policy repository.
- You want the called service to ask the calling application for credentials, and you want the called service to be the one that _allows_ access based on the policies. So as we see, the XACML check is done under the covers of the web service that "houses" the resource being called.
- BPMSs (not just Lombardi's, but all of them) don't actually house the interfaces to external services, but rather hold pointers to those services. These are held as metadata inside the process definition. For example, the service endpoint address URI is stored, but not the WSDL. Therefore, the [XACML-based] security implemented under the covers of the web service operates independent of the BPMS [or any other client].
- However, in most advanced organizations it relies on the SAML (or other) assertion of who you are and what context (application) you are running within. This is why it's the SAML implementation that forms the basis for security in the BPMS world.
- Hope this helps... Lombardi has invested significant R&D to ensure that our systems are secure, scalable and reliable. We want to make sure the public discourse about them is accurate.
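The split Phil describes above (SAML answers "who are you?", XACML answers "what may you access?", and the called service, not the BPMS, is the enforcement point) is easy to misread as "the process engine handles security". The following is an added toy model, written for this post and not code from Lombardi Teamworks or any real SAML/XACML library, that makes the division of labour concrete: a stand-in assertion (signed claims naming subject and application context), a central policy store that plays the decision point, a service that verifies the assertion and consults that store before acting, and a process engine that holds only a pointer to the service and forwards the assertion unchanged. The service name, roles, application names, signing key and policies are all constructed for illustration.

```python
"""
Added example (not from the original post or Lombardi Teamworks): a toy model of
the SAML-plus-XACML split described in the quoted comments.
- Identity: a signed "assertion" naming the subject and the application context
  (stand-in for a SAML assertion; a real one is XML signed by the IdP).
- Authorization: a central policy repository (the XACML decision point) that the
  called service queries; the service itself is the enforcement point.
- The process engine (BPMS) holds only a pointer to the service and forwards the
  assertion; it neither stores nor evaluates policy.
All names, keys and policies below are constructed for illustration.
"""
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-demo-key"  # stands in for the identity provider's signing key


def issue_assertion(subject, application, roles):
    """Build claims and sign them (HMAC stands in for the IdP's XML signature)."""
    claims = {"subject": subject, "application": application, "roles": sorted(roles)}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"claims": claims, "sig": sig}


def verify_assertion(assertion):
    """Reject any assertion whose claims were altered after signing."""
    payload = json.dumps(assertion["claims"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise PermissionError("assertion signature invalid")
    return assertion["claims"]


# Central policy repository (the decision-point side). Rules are keyed by
# (resource, action); each rule names the role and application context it permits.
POLICIES = {
    ("invoice-service", "approve"): [{"role": "approver", "application": "claims-bpm"}],
    ("invoice-service", "read"): [
        {"role": "clerk", "application": "claims-bpm"},
        {"role": "approver", "application": "claims-bpm"},
    ],
}


def pdp_decide(resource, action, claims):
    """Deny by default; Permit only if some rule matches both role and app context."""
    for rule in POLICIES.get((resource, action), []):
        if rule["role"] in claims["roles"] and rule["application"] == claims["application"]:
            return "Permit"
    return "Deny"


class InvoiceService:
    """The called web service. It is its own enforcement point: it verifies the
    caller's assertion and consults the central policy store before doing anything."""
    name = "invoice-service"

    def __init__(self):
        self.log = []  # (subject, action, decision) for each evaluated call

    def call(self, action, assertion):
        claims = verify_assertion(assertion)  # identity check first
        decision = pdp_decide(self.name, action, claims)  # then central policy
        self.log.append((claims["subject"], action, decision))
        if decision != "Permit":
            raise PermissionError(f"{claims['subject']} may not {action}")
        return f"{action} ok for {claims['subject']}"


class Bpms:
    """The process engine holds only endpoint metadata (a pointer to the service),
    not the service's interface or its policy. It forwards the assertion untouched."""

    def __init__(self):
        self.endpoints = {}  # name -> service reference (stand-in for an endpoint URI)

    def register(self, service):
        self.endpoints[service.name] = service

    def run_step(self, endpoint_name, action, assertion):
        return self.endpoints[endpoint_name].call(action, assertion)


def _attempt(engine, action, assertion):
    """Run one process step and report Permit/Deny instead of raising."""
    try:
        engine.run_step("invoice-service", action, assertion)
        return "Permit"
    except PermissionError:
        return "Deny"


def demo():
    svc = InvoiceService()
    engine = Bpms()
    engine.register(svc)
    clerk = issue_assertion("alice", "claims-bpm", ["clerk"])
    approver = issue_assertion("bob", "claims-bpm", ["approver"])
    results = {
        "clerk_read": engine.run_step("invoice-service", "read", clerk),
        "clerk_approve": _attempt(engine, "approve", clerk),
        "approver_approve": engine.run_step("invoice-service", "approve", approver),
        # Same role, different application context: the context rule denies it.
        "wrong_context": _attempt(engine, "approve", issue_assertion("bob", "reporting-portal", ["approver"])),
    }
    # Tampered assertion: roles edited after signing, signature left as-is.
    forged = {"claims": dict(clerk["claims"], roles=["approver"]), "sig": clerk["sig"]}
    results["tampered"] = _attempt(engine, "approve", forged)  # rejected before policy
    return results, svc.log


if __name__ == "__main__":
    print(demo())
```

The two cases worth noting are the last ones: changing the application context alone flips the decision, which is the point of carrying context in the assertion, and a tampered assertion never reaches the policy evaluation at all, because the service verifies identity before it asks the policy store anything. Nothing in the `Bpms` class knows about roles or policies; swapping the engine for any other client would leave the service's decisions unchanged.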
There are two dimensions to security. The first is security features, which we have done a great job of talking about. The second, which we haven't discussed yet, is whether the design and coding of a given product is itself secure. I would be intrigued to learn what occurs within the walls of Lombardi Software when it comes to making sure a design meets not just the functional needs of customers but also the often unstated security needs of your clients. Likewise, I would be even more interested in learning what tools Lombardi uses to ensure that secure coding practices have been strictly adhered to. Do you leverage Ounce Labs, Fortify Software or others?
It is a good thing to see that CTOs are participating in the public discourse. In order to encourage others to participate, I ask that we trackback to each other. Likewise, it would be great to hear from Bruce Silver, Sandy Kemsley and other industry analysts on their perspectives on BPM and Enterprise Security and how they should converge...