Enterprise Architecture: From Incite comes Insight...

Have you ever noticed whenever coworkers become aggressive, defensive or generally an impediment that this may be a sign of being incompetent? Many folks use hostility to cover up a lack of subject matter expertise. Being hostile has an effect of limiting communication which reduces the possibility of discovering the real issue...

I find it intriguing that many software vendors spend $10K or even more to have a booth at an industry analyst conference or for other events when there are ways to attract influencers for a lot cheaper...



Many folks will spend 15K or more to get an audience with leading CISOs, CTOs and Enterprise Architects in order to pitch their value proposition. The funny thing is that as an enterprise architect who knows hundreds of others, this feels wasteful at many levels.

I wonder why more vendors haven't already approached me sponsoring the local Hartford Chapter of OWASP who will have planned for the first meeting over 200 attendees.

In looking at the various promotional items, I realized that a budget of $500 can go pretty far. It can purchase 200 Cinnamon Mint Tins, 80 Multi-tools, 100 Coffee Mugs or even 80 Aromatherapy Candles in a mug.

Sponsoring local user groups feels like a better value proposition. What am I missing?

Many folks know that I am organizing several OWASP meetings, but I decided that in 2008, the Northeast really needs a kick ass Barcamp...



If you aren't familar with a BarCamp, it is an unconference; it's open and free; it's organized bottoms-up instead of top-down; anybody can organize it and anybody can attend it. Folks on my side of town are so enterprisey where we to busy worrying about perception management that we don't actually talk to each other. I figured that it is long overdue for my industry peers to remove that stick shoved up their butt and learn what it feels like to have an honest conversation.

Unlike most unconferences though, we will not exclusively have newbie speakers and have lined up some pretty cool folks to speak on topics such as Smalltalk, Software Security, Web 2.0, Agile Software Development, SOA, and open source. You will recognize the names of many of the planned speakers. Of course, if you have a topic in which you would like to present, please don't hesitate to drop a suggestion.

Anyway, there are two things that still remain. I have many minor sponsors lined up and need one large software vendor to be the premier sponsor. I will also be pinging the folks at Rensselaer to see if they are willing to donate their facilities.

I am not sure if I am violating some unstated protocol, but I do plan on doing a mashup between the BarCamp, OWASP, COOUG, QAAC and whatever else happens to come to mind.

If you like this idea, please show your support by amplifying this blog entry. In the meantime, I need to get back to OWASP matters. Did I mention that the next OWASP meeting will have Gary McGraw of Cigital along with Chenxi Wang of Forrester? This event will be hot...

The often uncontrollable urge to coin a term (aka I think I am the first one to call it this) for a concept that doesn't need a new term to describe it...



One of the most painful things I struggle with in being an Enterprise Architect is in getting folks on the same page and the problem usually is when folks have abused a word and added their own meaning to an otherwise common term. Jargon proliferation will take place when others feel the uncontrollable urge to use the unneeded term for reasons which are not to clear. If enough acceptance and use accrues, the jargon may indeed become needed and perhaps preferred over the old term used to describe the concept. Use does seem to make the transition possible regardless of what some may feel or think about it.

The long term affect of folks within large enterprises allowing this behavior is that it confuses the living crap out of outsiders. Have you ever wondered why it takes so long for Indian outsourcing folks to understand your business? Get a clue and put an end to this insanity...

Gartner: Smell the Bacon
Gartner discusses Impediments and Drivers of Application Security without realizing that the solution may be to get other Gartner analysts such as Nick to cover security aspects along with their specialization.

Full disclosure is dead
Many software vendors will try to capitalize on the fact that less vulnerabilities will get reported and say it's result of "more secure software"

How to break through Checkpoint firewalls
Interesting read.

Viruses for the Mac
I really hate when Gunnar Peterson and other uber-smart security professionals show up with their fancy Apple laptops when I have to deal with the corporate issued locked-down Windows one. I see an opportunity for revenge.

Auditing open source software
A model for finding vulnerabilities by google.

The Hartford CT Chapter of OWASP
If you reside in the CT/MA/NY area and read this blog, you need to get your butt to this event.

101 Things to Know about Single Signon
Pretty decent list. Check it out...

IT Obsolescence Criteria
Only if Enterprise Architects were as good retiring applications as they are in procuring new ones. No wonder business folks don't understand our value proposition.

The risks of open source focus
Intriguing post by Alex Fletcher that others should think deeply about.

Are you experienced?
Experienced people are not afraid to be wrong and are not easily flustered.

Size is the enemy
We need to figure out how to write less code. More importantly, we need to figure out how to get commercial software vendors to write less code.

This is the season to be giving...



Listed below are the five gifts that I wanted but didn't receive...

• Power Tools: I really would have loved to receive a pin nailer and a 12" sliding miter saw.
  
• Food: I would have loved for each reader of my blog to have donated $25 to Deepalaya
  
• Networking: My 100 Enterprise Architects Meme wasn't as successful as it should have been. I fell short by eight folks.
  
• Piety: So many people have gotten it twisted and allowed Satan to divide the believers in one God. Regardless if you are Christian, Muslim and Jewish, we all need to come together under the believe that there is just but one God and to unite against those who think that there are multiple.
  
• Poverty: The final touch would have been for everyone on my blogroll to add the one.org banner to their own blog and to help make poverty history...
  

I suspect that most enterprise architects aren't savvy enough to lobby for the right clauses in outsourcing contracts...



I am always amazed at how many folks complain about the low quality of code produced in India yet haven't done their part by specifying how to measure quality in terms of a deliverable. Likewise, many enterprises are paying for insecure software and aren't bright enough to ensure that their web applications are at least compliant to the OWASP top ten.

One of the things that allows an enterprise to sustain competitive advantage is the savage protection of intellectual property. Did you know that IP rights enforcement is, for example, weak in China and Russia but strong in Ireland? Why do you find out what IP rights enforcement is like in the provider's country. Do you know what it is in India?

I was thinking about a posting from Mike Kavis who talked about how communication is at the heart of failure of many projects. Nothing could be further from the truth...



Have you heard of an operating system named Linux? Did you ever hear of the thousands of contributors piling into a large meeting room to hear the sage wisdom of a project manager? Is the grand Linux comprehensive documentation stored on a sharepoint? I bet if you ask yourself how come open source projects can deliver high quality on time when folks don't even talk to each other, then the problem may not be communication after all...

The model used by Indian outsourcing firms is all about taking otherwise junior IT folks and making them usable regardless of their actual individual competencies. Outsourcing works because they have convinced others that process can become a substitute for competence while open source communities tend to prefer competence over process and hence can develop higher quality software.

Maybe enterprises should stop thinking about open source as a way to acquire products cheaply and instead think of open source as a methodology for software development. If you look at approaches such as Extreme Programming, you may come to realize that notions such as pair programming were created to fix fundamental deficiences in enterprise behavior by encouraging at least one other person to look at code before moving into production. Reality says that more than one person needs to review code in order for it to be of high quality and if only one does, it is more ceremonial than not.

Likewise, in an open source project, the architect is king and folks follow him not because of abstract authority but because of real leadership while enterprises tend to make project managers king whom manage but cannot lead. Architects via stewardship can ensure conceptual integrity while project managers with budgets and deadlines are handcuffed to delivery of perception management at the expense of high quality software.

Maybe open source projects work better than outsourcing because they have better acceptance criteria. If you consider for a moment all of the wonderful standards I have at work, it is still fundamentally easier for me to put crap code into production at work than it is for me to do the same with almost any open source project such as Liferay Enterprise Portal.

Ask yourself, what is the average years of experience for the offshore team working on your enterprisey software and then compare it to average years of experience for open source. I bet you will note that with experience and a desire to participate in a community comes quality...

Did You Accidently Outsource Your Enterprise Architecture?
My take is if you use insulting firms you run this risk.

In Search of Patterns in the Enterprise
Pankaj Arora believes that enterprises s need to define Architecture Policies, Standards, Best practices to abolish the pattern of re-inventing the solutions for the recurring problems at Enterprise level which is the essense of enterprise architecture. I suspect what he really is asking for is the notion of open source enterprise architecture as the same practices get reinvented across enterprises as well.

IT doesn't matter, EA does
we have the privilege of living in the future and as such thinking wisely about the past.

India offers to help Trinidad's agriculture
Good to see these two countries creating synergistic relationships.

Across the board, analyst firms are ignoring the importance of static analysis tools and aren't talking about how they may be used to write secure software. I know that vendors such as Ounce Labs, Fortify Software and Coverity are currently tiny in terms of revenue and therefore don't have huge budgets to spend on analysts, but that doesn't mean that coverage isn't warranted.



Likewise, I also have attempted to find evidence that industry analysts are participating in security-oriented users groups such as The Open Web Application Security Project (OWASP) and have found folks from Forrester Research, The Burton Group, Yankee Group and The 451 Group but haven't found evidence saying that other analyst firms such as Gartner, RedMonk, ZapThink or Ostermann Research are participating.

I would think that Barbara French of Tekrati and other analyst relations firms would appreciate the importance of not only their customers interacting with analysts, but their potential customers and them interacting together with attendees of these users groups who happen to actually procure the software.

A critical analysis of a blog entry by Mike Kavis is in order...



Mike asked the question: why do we hate process so much anyways? which the answer is simple. No one hates process, everyone hates bad processes.

I was working on small teams and sometimes I was simply the only one on the team. There was no established architecture and no standards. Since this was the norm and nobody cared, why bother me with tons of documentation.

Architecture always exist regardless of whether it was documented or even acknowledged. Likewise, I bet that while no standards where documented, you were alot more rigorous to the ones you held in your own head and didn't deviate creating standards that are defacto which isn't a bad thing.

As I moved through my career I worked on larger projects that spanned multiple user groups and application silos. Suddenly, the lack of process became a recipe for failure.

I wonder if it was a lack of process or a lack of either an architecture that worked across silos as well as no one who ensured conceptual integrity across them (aka Chief Architect)?

or those who don't like process, I can meet you half way. I believe in a lightweight process that supports agile development but not process that creates bureaucracy and results in 12-18 month projects that are doomed for failure.

Hybrid approaches are a sign of a mental disorder. If you allow everyone to heist their legs and add their own unique smell, then you will loose conceptual integrity and at best achieve mediocrity. You should encourage others to standard for principles over processes as well.

In addition we are working towards 12 week deliverables where we work on multiple workflows concurrently that need to plug in together at the end

I hope you realize that you made a massive mistake by having such long intervals. Have you ever heard of daily builds and the Agile Manifesto? 12 weeks is a very long time to get way off track.

The trick is to not create so much process that you stifle creativity and make technical decisions based on process instead of business need

You should measure process based on quantity but also result. Many enterprises rollout processes without figuring out their ROI and more importantly if it does achieve an ROI, they don't attempt to make it lighterweight over time to make the ROI even higher.

Outsourcing is a decision our company has made so my job is to make it work regardless of what I think about outsourcing. I can complain about it and allow us to fail or I can make it work.

Yes, it is the job of every employee to have the vested interests of their employer in mind and you should make it your duty to ensure that outsourcing works. The key thing though is that failure sometimes is also the right answer.

One of the most important tools is clear direction and good communication.

Agilists would consider communication as one of those people things and not through it into the tools category. In terms of tools though, I wonder if Mike Kavis is allowing his outsourcing firm to deliver insecure software or was he wise enough to ask them to write code securely by standards such as the OWASP Top Ten?

Enterprise architecture initiatives would be a whole lot more successful if we focused on what makes folks happy and not just blindly following processes...



Nowadays, many enterprise architects aren't struggling with technical problems, but are struggling with social issues. One of the common patterns is the advent of Indian outsourcing. I run across lots of folks who deal with poorly written code so full of bugs that you can't even compile it. In jest, I do ask folks whether they asked for the code to be compilable as a requirement.

Part of the modern career path for those within large enterprises is to find ways to escape heavyweight processes and the tedium of much of the work that is rote which pervades many projects. Nothing destroys morale more than etting off of a project that you didn't much care for to work on something fun, only to be repeatedly dragged back for firefighting problems caused by outsourcing firms.

American IT workers likewise experience the other side of frustration in having to defend code that they didn't actually write. Getting blamed by users for crappy software when you are the single person in an IT department innocent of all blame because you have been advocating refactoring the damn mess for a year.

Outsourcing has brought along some worst practices by allowing process weenies to make decisions they really have no business making. Imagine having all technical decisions made by the least technical person, then being force fed their incompetence, then getting blamed for the resulting poor quality...

Many people seek out an informed opinion on many subject areas from me yet fail to acknowledge that sometimes advice doesn't work...



The best advice in the world is there is no substitute for experience. The nature of humans is to experiment and experience - even if someone else has done it before and reported back. We want to know what it would be like for us, from our viewpoint. As a species we can not live vicariously. Why is looking at a view so much better when you are then than through a picture? Why does hearing the sound of a real bird feel so much better than listening to a recording? We have to experience to "be" and the more intense the experience the more real we feel.

Within enterprise architecture, sometimes it is important for enterprises to repeat the same mistake of others such as outsourcing to india, focusing on processes such as CMMi instead of people and so on. Someone can tell you how to do something but until you have done it yourself you don't really understand why.

When you are a newly minted developer, you start off with writing hello world. Experiencing the familiar in a strange environment. It helps us relate what has gone before to where we are now. Enterprise architects need to help others have more experiences with hello world...

Two years ago, James Governor of RedMonk and I had an interesting conversation on how much money large enterprises waste on software licenses. Sadly, there was no great way to understand waste when one purchases enterprise licenses. I have been thinking about what he said which made me think of many antipatterns though...



Every year about this time, venture capitalists and software vendors alike ping me in order to gain insight into how large enterprises procure software. The intriguing thing is that this remains an enigma for even enterprisey insiders such as myself as there is much repeatable or disciplined about it as it relies heavily on the notion of influence. I wonder if influence is a best practice for enterprise architecture or will be its downfall?

Anyway, here are three antipatterns in terms of enterprise budgeting and software procurement:

• I dont understand and therefore it is not important: Nowadays, budgeting is no longer done locally and many hands touch the budgeting process. A local manager may have clear understanding of the need for a piece of software and has articulated this need up the chain. The problem becomes that if communications are linear yet decision-making isn't, it will result in disconnects. Someone not in the food chain may see the budget line item and not have an understanding of its importance and therefore decide that it is unimportant by removing it from the budget. They may also do so without communicating it to the person who put it into the budget originally.


• Playing with Dead Snakes: Folks continually step in the governance and that even if it made the budget and has been justified, it will be constantly revisited. The same presentation may need to be made several hundred times at stages such as getting the funds released, contract procurement, major milestones and so on. Managers and the vendors they work with both wrongly conclude that one a decision is made that it is somehow conclusive.


• Process over People: The stuff that usually survives the budgeting ceremony is the stuff related to process. While we know that initiatives that Todd Biske discusses such as exposing services to your customers are game changing and more important than internally focused insular initiatives discussed by Robert McIlree, the process weenies continually win. The sad fact is that in order to build SOAs or Portals to solve for customer issues tends to take a lot more effort, involve many more parties than simply proposing process oriented initiatives such as CMMi, ITIL or PMI. Delivering process is more of a matter of plaigarizing someone elses playbook than the innovation required to do SOA correctly and hence will feel like lower risk even though it will not have any real ROI.

If you know of other budgeting antipatterns, please share...

The ROI Analysis: Starbucks vs Espresso Machine at Home
Alex Barnett improperly calculates the price of coffee and doesn't factor in labor to clean coffee pots and the soap used at home to wash his cup.

Colorado decertifies voting machines
Voting machines in many states ignore good good voting practices

What is a CIO?
Is there a clear role for a CIO or is it a bad collection of 'all things digital' that really needs rethinking? Are CIOs strategic, tactical or distractical?

Around and around...
An interesting response to James Governor of Redmonk.

Enterprise Software Companies don't own their customers
Software companies don’t “own” their customers. In the case of Alfresco, any company may already have Documentum, FileNet, Interwoven or Vignette. The reality is that there is only a 5% to 10% penetration of this software – either on a desktop or on the shelf. What is critical is to focus on people and users in companies and not companies as software fiefdoms.

Processes or Individuals?
The next big challenge for the Agile community is to set aside some of its principles for the sake of making a much bigger difference in our development environment

The Need for Reference Material
Todd Biske states Reference materials are a tool in the arsenal and the degree to which they are used is dependent on how you architects work with the end consumer of the reference material which is spot on.

LDAP: Liferay Enterprise Portal
Liferay leads the portal marketplace in terms of innovation. Scott Lee discusses how portals should integrate with directory services and how Liferay makes it easy. Imagine if the BPM vendors such as Pega, Lombardi Software and Intalio took the same approach?

The Importance of Business IT alignment
Managers of businesses need to understand the fundamental features of cooperation if they are to efficiently analyze and restructure their industrial relationship. One should ask if relationship equals alignment?

Executive Architect - Open Source
It is good to see that there is appreciation for architects focusing on open source. I am curious though if this job pay is low or do architects in Europe generally make lower than their US counterparts taking into consideration exchange rates?

Have you ever ran across folks when confronted with two distinct paradigms, attempt to combine them and glow that they are using a hybrid approach? Sometimes paradigm potpourri is a mental disorder...



In the same way enterprise architects attempt to govern software development by limiting the piling on of features on top of enterprise applications, we sometimes need to govern ourselves when it comes to paradigm adoption as we diminish the benefits of a pure approach. In software development, each additional feature will give one more options that may simplify certain aspects of the code, but because the different ways to do it grows with each feature, it is increasingly less likely that any new feature will make a significant difference. The same thing can be said about enterprise architecture.

When will we stand up and have enough courage to ask ourselves whether we should be pursuing SOA, BPM, ECM, CMMi, Six Sigma, IT outsourcing, Business Rules, ESB, etc strategies all at the same time? We are delusional to think that we are like the building trades where the focus is on enterprise architects creating building codes and handing out permits as part of governance. Of course, we never think about the fact that the building trade also has the notion of occupancy certificates which many of our systems fail miserably at.

If we are to take on so many initiatives at the same time, don't we need to stop for a moment and consider the learning curve of both producers and consumers of our grand strategies? Like a carpenter or plumber, the bigger your toolbox, the more you have to lug around...

Leading in the Technical Environment
Do Enterprise Architects that focus on the human aspects of technology have a more rich, rewarding career than those who focus strictly on process?

If I were President of the United States
This blogger believes that the United States is plunging into a Human Katrina where we have Mexicans colonizing us and millions of the world's poorest immigrating to our shores illegally. Is outsourcing the answer?

Acknowledging Bloggers for their efforts
It is easy to throw daggers at bloggers who take the time to share their thoughts with others on their own time and without compensation while very few take the time out to say thanks.

Single Sign-on, SAML, Authentication in Documentum
Security, in order to be done correctly requires server APIs which run in the address space of Documentum itself

Report: Many U.S. Parents Outsourcing Child Care Overseas

I spent the last several hours putting together my Powerpoint presentation for an upcoming conference in India when my kids reminded me that spending time with them is more important.

Conference attendees spend lots of money to attend conferences but none of this goes to the folks who give presentations. We spend time sharing our knowledge with others traveling thousands of miles yet rarely receive positive public feedback that our efforts are acknowledged.

What would it take for conference attendees to acknowledge the hard work put in by the speakers? Please note that I am not looking for acknowledgment of my contribution but most certainly would love to see my industry peers who make the effort get more appreciation for their efforts...

Ignore Gartner
This blogger doesn't feel that Gartner has a great value proposition. I wonder how widely held this belief is?

How I gained 5lbs in one week
Ramit Sethi loves making bets with delusional people

Hey Johannes Ernst Delivered
I would like to declare that enterprises do care about user-centric approaches as they change the potential for third-parties to charge exorbitant rates for being an identity provider in a traditional federated approach.

ECM: Catch the Wave
Alfresco is on Forrester's Wave but not Gartner's Magic Quadrant. Nuxeo didn't appear on either. I wonder what this means?

Open Source Economics: Money, metrics and those that work
Gartner and IDC are predicting an increase in open source sales which is bad news as enterprises will continue to believe they can have their cake and eat it too when they need to figure out how to participate.

UK Airline Terror Plot Suspect Escapes from Jail
Rashid Rauf, who was arrested on suspected links to plot to blow up airliners flying between the U.S. and Britain, escapes from Pakistani custody.

America's Death by a thousand cuts
Today, America bleeds to death by a thousand cuts. We’re bleeding from every sector of our society. At some point, the United States of America cannot and will not survive the bleeding. Why? Take a look.

Are social networks in business a white elephant or is Gartner's report a red herring?
Gartner have recently released a report, Three Potential Pitfalls of Corporate Social Networking by Brian Prentice, with the tagline "Investing in social networking solutions from enterprise vendors is no guarantee that users will embrace the technology". You will get the opportunity to pay $195 for a four page report. Sounds like great value to me.

Providing a clear point of reference
I haven't heard about the need for reference architectures between discussed amongst enterprise architects in the blogosphere and wonder what the perspective on them are from noted individuals such as Todd Biske, Nick Malik, Scott Mark and Robert McIlree are? Anyway, here is a good article explaining the concept.

My older son came home from school yesterday with news that he is student of the month. He is currently in first grade and was previously student of the month in Kindergarten as well. So much for following in his dad's footsteps...

New Principles of Governance: The Natural Laws of Federation
With Enterprise Architecture on the rocks these days, organizations are looking for a fresh approach to governance. Most folks become frustrated or ambivalent after a few years of being squeezed between centralization and localization.

Caribbean: Poor but Mobile
Technology has caught on a lot faster in the Caribbean than it has in India which by the way makes a better destination for outsourcing.

A tale of being employed by Accenture
Joel Spolsky comments that typically a company like Accenture or IBM would charge $300 an hour for the services of some recent Yale PoliSci grad who took a 6 week course in dot net programming, and who is earning $47,000 a year and hoping that it’ll provide enough experience to get into business school—anyway, it costs so much to hire these programmers that you’re not going to allowed to build things with Ruby on Rails no matter how cool Ruby is and no matter how spiffy the Ajax is going to be. I wonder if there are other perspectives?

XACML - A standard that I wish I had known about earlier
had created security components that handled the respective requirements adequately but were slightly different in each case. I knew that they all shared the same core idea of access control based on authentication and authorization but just didn’t get to the point of building a generic framework that handle all those cases with little customization. It is curious though why developers are concluding the need for a generic authorization framework but not software vendors such as Microsoft, EMC and others?

What does a Technical Architect do next?
Becoming an Enterprise Architect is either really simple or really difficult depending on your background. Most Enterprise Architects have spend sufficient time understanding business challenges while also focusing on technology issues where a consulting background only usually leads to spot skills while missing out on the opportunity to see the big picture. My recommendation for anyone wanting to become an enterprise architect would be to actually join a technology firm such as Microsoft, EMC and Oracle as the need for having an Enterprise Architecture program that is internally focused is starting to appear on the radar as is a lot faster career path than the traditional enterprise.

Some Great Questions about PMP and Agile Development
Several great perspectives about SCRUM, PMBOK and other PM considerations

Internal Audit and Enterprise Architecture
Todd Biske comments on the role of internal audit. I bet if you had a deep conversation with them, they would you understand otherwise unstated business challenges that aren't being addressed by current enterprise architecture activities. You will also find that internal audit is generally supportive of improving enterprise security and could become a business sponsor for initiatives such as log management, entitlements management (XACML) and data masking. I wonder why Todd didn't mention that for perception management reasons it is also a good idea to network with them as they tend to have the ear of the CFO and CEO...

Cardspace vs Phishers
Eric Norman asks a great question regarding Cardspace and what happens when a relying party changes its public key? I would love for Mike Jones to provide his perspective.

XML Security Gateways as Policy Enforcement Points
Anil John comments on the need to centralize authorization policies in a non-proprietary manner and references how Mark O'Neill and Vordel support this functionality. The IBM DataPower appliance also has equivalent functionality. The real question that I can't find an answer to is what does it take to get software vendors pay more attention to XACML in a bigger way?

CIO SOA Concerns
Isn't it interesting that industry conferences still have panels regarding the concerns of CIOs but don't actually have a real-world CIO on it?

Adapt and Improvise
I really hate when folks talk about how enterprise architecture as practiced in large enterprises in a negative way. Especially when they are right! First companies need to determine a strategy for keeping up with their vendors. Too often the attitude is why upgrade? You just want me to spend money… In some cases this is true but is also a trap for the company. Ignore the vendor upgrades for too long and you get a heck of a technology gap and no one to blame but yourself.

Creative expression with Boku
The architecture of participation is something that needs to be discussed more widely and read by my fellow enterprise architects. When was the last time you had a meaningful conversation with someone outside your four walls?

Speaking of authorization
Jackson Shaw talks about the need for having an authorization czar at Microsoft. This question should be extended to Oracle, Sun and EMC as well. From what I can tell, Oracle has informally appointed Mark Wilcox, Sun has John Domeninchini while I have no clue about EMC.

Getting involved with JBI
Serge Blais of Sun talks about how JBI could converge with XACML. I would if folks that are working on ServiceMix and MuleESB are also following this important step? Would be curious to understand if Sonic and BEA will take the same approach?

Identity Oracle: Does it make sense?
Eric Norman comments that the examples for an identity oracle don't make much business sense and reacts to postings by Bob Blakely and Kim Cameron. Eric is spot on with his closing remarks.

Update from ConferenceLand
It is intriguing that many folks in the identity community still don't appreciate the value of XACML while the ECM, BPM and CRM vendors continue to ignore the problem space because it is either too difficult to undo their suboptimal product designs and/or they aren't working on it because it isn't a new product offering. Luckily Gunnar Peterson and enterprises are starting to wakeup. For vendors that fell asleep and could have capitalized on it early, don't worry, the open source community will do your job for you.

Conceptual Integrity
It’s a well known fact that deciding what exactly to build is the hardest part of software development. So how does one deal with complexity and uncertainly? Sanity is retained and complexity managed by maintaining conceptual integrity in your solution. This goes beyond the conceptual integrity of the architecture, but the conceptual integrity of a solution.

AJAX: A new timing threat to web delivered applications
Vulnerability to Timing Attacks = Increasing Function of Interactivity

Security and the Naked Emperor
Is data leakage the norm and not the exception?

The Purpose of Security Programs
At the end of the day, it is all about loss. If you don't like experiencing loss then you must do something to avoid, minimize, or control it. Welcome to the world of Security.