Thursday, November 15, 2007
On Technology Security Standards: BPM, SAML, XACML
I asked: "The rationale for storing policies centrally is more than just one product needing to be its own enforcer. In an integrated world where a BPM engine needs to talk with an ECM engine, the need for these two to have the same access control policies is important," to which Phil stated: "Yep, I agree. I didn't make reference to it in my post, but of course for any services you expose from a BPMS (or ECM, or ERP or other platform) you should be able to author them so that the centrally defined policies govern who has access to that service. I suspect that all BPMS allow for this." If we are in agreement, then it would mean that all BPMS products should implement not only a standards-based way of defining/importing policies but also support externalizing them. I would love to understand how Lombardi could consume policies at runtime from an XACML Policy Decision Point such as Securent, BEA or Jericho Systems. From what I know of other BPM products, they cannot implement this type of functionality. If Lombardi can, then it has a competitive advantage over the others.
I also commented: "It is good to see that XACML checks are done to protect web services, but they may also be leveraged by UI components, since access enforcement may require displaying or not displaying a particular feature/function," to which Phil responded: "Having UIs call the central policy server for presentation-layer rules on what aspects of a UI to show would be an interesting thing to debate. I'm not sure I'd agree with that as a good mechanism." Someone had better tell all those portal vendors, including BEA WebLogic Portal, IBM WebSphere Portal, Gluecode, Liferay and others, that they shouldn't use centralized policies to protect user interfaces, as they have all implemented this pattern successfully in a highly performant way. All of these products support XACML, so what am I missing?
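To make the two points above concrete (a BPMS consuming decisions from an external XACML PDP at runtime, and a UI asking the same PDP whether to show a feature), here is an added example that is not from the post or from any of the products it names. It builds an XACML 2.0 request context and evaluates it against a constructed sample policy with a toy deny-overrides PDP; the role attribute id, the resource names and the policy rules are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
ROLE_ID = "urn:example:subject:role"   # assumed attribute id carrying the subject's role
RES_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACT_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

# Constructed sample policy: (effect, role, resource, action); "*" matches anything.
# One rule set governs both the process step (a service) and the UI widgets.
POLICY = [
    ("Permit", "loan-officer", "process:loan-approval/approve", "invoke"),
    ("Permit", "loan-officer", "ui:loan-approval/approve-button", "view"),
    ("Permit", "*", "ui:loan-approval/status-panel", "view"),
    ("Deny", "contractor", "*", "*"),   # contractors get nothing, whatever else permits
]

def build_request(role, resource_id, action_id):
    """Serialise an XACML 2.0 request context for one subject/resource/action triple."""
    req = ET.Element(f"{{{NS}}}Request")
    for section, attr_id, value in (("Subject", ROLE_ID, role),
                                    ("Resource", RES_ID, resource_id),
                                    ("Action", ACT_ID, action_id)):
        sec = ET.SubElement(req, f"{{{NS}}}{section}")
        attr = ET.SubElement(sec, f"{{{NS}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attr, f"{{{NS}}}AttributeValue").text = value
    return ET.tostring(req, encoding="unicode")

def _value(root, section, attr_id):
    path = f"{{{NS}}}{section}/{{{NS}}}Attribute[@AttributeId='{attr_id}']/{{{NS}}}AttributeValue"
    node = root.find(path)
    return node.text if node is not None else None

def evaluate(request_xml, policy=POLICY):
    """Toy PDP: deny-overrides combining of every rule whose target matches the request."""
    root = ET.fromstring(request_xml)
    triple = (_value(root, "Subject", ROLE_ID), _value(root, "Resource", RES_ID),
              _value(root, "Action", ACT_ID))
    effects = {effect for effect, *target in policy
               if all(t in ("*", v) for t, v in zip(target, triple))}
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"

# Two policy enforcement points consulting the same PDP: a BPMS service step and a UI widget.
def invoke_step(role, step):
    return evaluate(build_request(role, step, "invoke")) == "Permit"

def show_feature(role, feature):
    return evaluate(build_request(role, feature, "view")) == "Permit"
```

Because both enforcement points send the same request shape to the same decision function, a policy change (such as the contractor deny rule) takes effect for the service and the screen at once, with no rule duplicated in either tier.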
Phil commented: "If, however, you want to drive your presentation layer in this manner, you probably also want the presentation layer up and outside the BPMS. So while in Lombardi's BPMS (Teamworks) you can author UIs, we also give you the ability to easily plug in your own UIs for particular steps in the process." I wonder if this means that Lombardi can generate JSR-286 portlets for you so that you don't have to hand-code to a web services interface?
Phil then commented: "At Lombardi, you don't have to manage users in our store if you manage them elsewhere (like LDAP or AD)." I wonder if he is aware that his competition doesn't have the same story, and that he may be missing out on an opportunity to educate industry analysts such as Bruce Silver, Sandy Kemsley, Alan Pelz-Sharpe and others as to the importance of this? Minimally, he should encourage enterprise architects who create RFPs in the BPM space to add this to their criteria.
Finally, Phil commented: "As companies begin to measure more of themselves using process as the normalization, the number of 'matrix organizations' expands. So we think that organization modeling is part and parcel of the larger BPM discussion... and that these models will integrate with [LDAP or AD], but provide more extensive information. This is an area that I think will really change and expand in the coming decade, as the convergence of increasing security along with increased decentralization of computing resources gets mainstream emphasis." That is absolutely brilliant. The convergence of the identity conversation carried on by the likes of Pat Patterson, Johannes Ernst, Nick Malik, Kim Cameron, Mark Dixon, Bex Huff, Laurence Hart, Jackson Shaw, Gerry Gebel, James Governor and others with other domains is a conversation that needs to break out of its insular mode. Phil has started the conversation, and I hope that others will stop thinking of identity in such insular terms...