Thursday, March 31, 2011
Top Three IT Leadership Mistakes
You Don’t Involve your people in Important Decisions
Sometimes, we forget what it feels like to be an individual contributor and leave the people who have the most to offer out of key decisions. Although making decisions on the fly probably allowed your company to grow large enough to actually hire people, continuing to run the company AROUND your employees instead of WITH them will eventually chase away any talented people you may have managed to attract. When employees don’t feel included in decisions, they will distance themselves not only from your initiatives, but from your company as a whole. If you’re going to hire smart, qualified and motivated people to take your company to the next level, you can’t be afraid to use them.
You Don’t Allow them to Challenge Your Ideas
Companies managed by people who realize they don’t know everything ALWAYS outperform those managed by people who think they know it all. The fact is, great leaders don’t simply allow their employees to question them; they DEMAND to be questioned. Unfortunately, the first instinct of many is to borgify their employees, stifle conversation and to react negatively toward employees who challenge them. Regardless of company size, the courage to stand in front of employees and say “Tell me why my idea won’t work” is something every manager should have, but very few do.
You Add Friends and Relatives to the Payroll
Adding friends and relatives to your company, especially in key positions, is the single most damaging thing a manager can do when it comes to their credibility with other employees. Imagine a scenario where all of a sudden everyone seems to have worked for Accenture in the past (and you haven't). Do you think that employees will feel like they got a shot at the same promotions? As I have mentioned dozens of times before, hiring friends and relatives can be a significant demotivator to existing employees who have spent years trying to earn your respect, a decent raise, or a spot on the management team.
Tuesday, March 29, 2011
Top Ten Mistakes a CIO makes in selecting an Outsourcing Firm
9. Underestimating the amount of effort it requires within your own company to manage the relationship with the outsourcing firm. It isn't true that you can eliminate one position for every position outsourced. Instead, you need to have staff allocated to negotiate and manage the relationship. You also need staff to quality-control the results of the outsourcing firm. How will you know that they are doing a creditable job otherwise?
8. Allowing price to override quality.
7. Unmatched culture fit: Granted, you can outsource, but in order for the relationship with the outsourcing firm to last long-term, they have to have similar values and be a culture fit with your organization. In some cultures it is very rude to say No, so they may always say Yes but fail to deliver on time. Insufficient understanding of cultural differences can cause huge problems.
6. Selecting the wrong outsourcing model. For example: moving the work to India when the work requires extremely close client supervision. Remember: offshoring and outsourcing are not synonyms. Work that requires very close client supervision may be better handled domestically or near-shore by the outsourcer so that client personnel can easily and inexpensively travel to the work site and where daily communication is cheap.
5. Selecting an outsourcer whose core competencies do not include the one you need. You don't order pizza in a Chinese restaurant, no matter how good the Moo Goo Gai Pan is. Just because an established BPO is well-respected in other spaces does not mean they have any real experience with what you need.
4. Assigning too many people to interface with the outsourcer. If my outsourcer has deployed (per the contract) 7 supervisors, an Operations Manager, a QA/Trainer guy, and an Executive liaison, and I assign 16 people to interface with them... Well, how many meetings per week can my 16 people set up with the 10 management people running the outsource shop? Lots of them! And 16 people can ask for lots of read-outs and create many programs and action plans to boot. How much time will the supervisors have left to coach their people?
3. Not focusing enough attention on downstream cost implications and focusing all of the attention and effort on forcing the outsourcing firm to provide upfront cost relief. Achieving significantly reduced resource rates without putting in place protections against subsequent increases to the resource rates will quickly diminish the value achieved in solely pushing on the resource rates from a total cost perspective.
2. Squeezing every penny out during negotiation, which results in zero flexibility and thus unforeseen costs. It is simply impossible to foresee every possible scenario in an SLA.
2. Impact on morale of the organization - If outsourcing leads to any immediate layoffs, the consequent impact on the morale of the organization and its impact on productivity
1. The first question that a CIO needs to understand is, "Why outsource?" What are the goals of outsourcing, has the cost benefit analysis been done, have the risks been understood, are proper strategies in place to manage risk and maximize productivity? Very often this exercise has not been done properly.
Thursday, March 24, 2011
Does your Boss care about your Personal Growth?
Throughout one's career, one will have some really great bosses and others that leave a lot to be desired. So, as to not publicly point out shortcomings of anyone I worked with in the past or even my current boss for that matter, I will use examples of situations in which I was the boss and others reported to me.
The one thing that you will know about me as a leader is that I deeply care about the personal growth of anyone and everyone reporting to me. If you look at my profile on LinkedIn, there are at least a dozen testimonies to this regard. Without stroking my ego too much, the reason I think I have been successful in this regard is that I have figured out that a precursor to growth is the notion of autonomy.
In order for a person to grow, they can't be too closely controlled, and many of my direct reports either consciously or subconsciously view control as the main growth opportunity. This doesn't mean that you can't control those who report to you, but rather that you should acknowledge the simple fact that you cannot control someone completely.
Autonomy isn't something that should be doled out like a reward but rather something that is openly given if you genuinely care about the growth of people reporting to you. Autonomy can come in many forms from allowing a person to choose their work style, work location and even methods for collaboration. Giving people more leeway is the catalyst to enabling hypergrowth amongst members of your team.
It is vital that a person be allowed to make mistakes! If your direct reports have control only to the extent that they make the same choices as you would, then you need to acknowledge that they really didn't have any choices/options at all.
Many of the worst managers I have ever had the privilege of reporting to fail to acknowledge that the question of control comes up primarily in the choice of methods to get work done. As designer/architect of the organization which you control, you may believe that it is your responsibility to select how each task should be undertaken. Should the financials, the solution, the deliverable, etc. be presented in a simple PowerPoint, or better as a combined Word/Excel document?
Ask yourself what you would do, but more importantly ask yourself what happens when team members decide otherwise. Let's face it, your team is in it for growth, and the choices you as boss are making don't allow them to grow. That's why they will continue to look to approach work in a different way than you.
In order to keep control, you have to give it up. You have to use your authority so sparingly that no one notices that it's being used. You have to create a real sense that control is not completely centralized in your hands, but spread generously over the whole of your organization...
Wednesday, March 23, 2011
Worst Practices of IT Consulting and Outsourcing
Historically speaking, there was a profound difference between contracting and consulting. Nowadays, the line that separates them is increasingly and intentionally being blurred. The notion of a "blended" rate, where you are sold both under the guise of getting the best of both worlds, is a misnomer at best. While you may be receiving the "polish" of a consulting firm in terms of its documented deliverables, are you truly receiving thought leadership that drives your business forward? If I give you a challenge that requires deep thinking, do you think that individuals who excel at solving problems are being responsibly leveraged by doing rote documentation? Ask yourself whether it is in your best interest to have separation, which provides transparency, rather than blending, which provides the ability to disguise. Does it benefit you to leverage an individual in areas of their strength, or to look for a jack of all trades?
Have you considered that many consultancies use documentation as a way of creating additional billables? We all know that in today's society no one actually reads anything, especially IT executives. If the average attention span of most IT executives is no more than a half-hour, then why are you creating documentation that takes longer than that to read? Have you ever asked yourself the true value of the documentation you are asking for? Of course the value to the outsourcing firm is that it allows them to learn on your nickel and is a low-risk activity, but what benefit does it provide to your organization? Documentation is a great tool for helping along organizational memory, but is less effective in terms of helping convey concepts within a project. Why create lots of documentation for some unknown future purpose and unknown future audience, especially acknowledging the simple fact that few actually have time to read it now and the odds of this being addressed in the future are dismal?
Why are you outsourcing to India and not considering other parts of the planet? Did you know that there are many shops nearshore that can provide the same rates but deliver at a higher quality? If we can put aside political correctness for a moment and truly understand the technology we manage, we may conclude that some of the best and brightest talent in the IT industry exists within the vice industries. Want a content management strategy? I can think of several adult sites that effectively manage content better than most enterprises. Ever look at those otherwise illegal gambling sites? Did you know that they know how to load balance traffic across countries and never lose a transaction? Wouldn't you love to be able to say this about your current IT shop? Why are you getting rote strategies from the large guys when there are people who have obvious in-depth experience right in your backyard?
Have you ever analyzed the economics of traveling consultants? Many corporations have their consultants travel onsite every week, incurring more expense than necessary. Sometimes this is to keep a watch on consultants, which in reality is a code phrase for stating they really have no way of measuring that individual's contribution. Others will use the logic that says it affords the opportunity for spontaneous interactions. This is ironic, since many consultancies only allow the partner/director level to have those interactions while the junior staff is usually buried away performing clerical tasks and rarely having any client interaction.
Imagine a scenario of a ten person team traveling from Dallas to Chicago every week in order to be on client site. If eight of the ten team members don't have significant client interaction, then you are paying for a $300 flight, at least $400 in hotels/meals/parking, etc for each person. That additional $700 per person per week equates to a total of $5,600 a week that could be used to hire additional full-time staff, perform necessary upgrades on software or other purposes that benefit the enterprise...
Monday, March 21, 2011
Five Things I want from my Government
You turned politics into a dirty word. I could care less about the dime's worth of difference between a Democrat and a Republican. I want authentic, deep democracy where everyone has the opportunity to choose their leaders. Choice is at the heart of any government worthy of followership and shouldn't be based on either how much money a candidate has or doesn't, nor should it be based on how politically connected one is, but should be based on giving a variety of differing options.
Unlike the assclowns in the media such as Michael Savage, Rush Limbaugh or even Glenn Beck, I have no belief one way or another as to whether Barack Obama is good or bad for America. What I do know is that our government's financial practices not only make zero sense but are harmful to me, my family and my community. Why can't we have economics that makes sense for common people — not just banks, Wall Street or CEOs? While I agree we should eliminate welfare, I don't think eliminating it for the poor and shifting it to the rich is the right answer. Is it too much to ask for a little bit of fiscal discipline?
I believe in capitalism and was taught that capitalism exists to make society at large better. Is society now only comprised of those who care only about shareholder value? I want real value, built by people with character, dignity and courage. Make it easier for CEOs to care about the people in this great nation by finding ways for them to hire Americans, and not just focus on making the rich richer and the poor poorer. Society thrives when we all truly have the same opportunities, which are now under attack by the enemy within.
Stop telling me about the need for growth! I bet if you substitute the word greed, your intent would be exposed. I want to slow down — so we can all become better. We don't need to increase consumption but need to utilize the resources we have in a more responsible way. Does every household need multiple flat screen televisions hanging on the wall? I bet society could benefit if we built less cities and focused on providing healthier food to the general population. When the poor can only afford to eat McDonalds, we end up ingesting more salt and fat than we need. Happy meals aren't making us happy. Why worry about oil and rising gas prices when the focus should be on our food supply. Ever heard of Maslow's hierarchy of needs? Do some homework.
I could care less about the modern debate over what constitutes marriage. I do, however, care deeply about the definition of family and how the government is allowing it to be destroyed. When people spend more time at their jobs, flying on airplanes to remote destinations, they aren't just ignoring the environment, they are also attacking civilization. I laugh and cry at the same time as I watch many of the consultancies remain blissfully ignorant to flying their people hundreds of miles every Monday, conveniently ignoring the 2,000 gallons of jet fuel used, only to ask them to carpool the last fifty miles.
There are obvious solutions to the environmental challenges that many aren't even willing to consider. What if there were incentives for employers to encourage telecommuting? This could relieve some of the congestion on our highways, reduce the dependency on oil from the Middle East and most importantly allow families to be families.
It would bring joy to my heart if Barack Obama, as part of his next State of the Union, asked executives who are divorced to remember how they got themselves into that situation and how they should help others avoid it. Civilization starts with being civil, and I need my government to help people remember why we are still a great nation...
Friday, March 18, 2011
Six Things to do if you are a new practitioner of Enterprise Architecture
1. Ask lots of questions: Being the new guy or gal affords you the opportunity to ask really dumb questions and get away with it. Usually your first ninety days is when you will be forgiven for not understanding certain processes or practices. More importantly, having a fresh set of eyes on existing approaches may allow you to expose issues that others may not see. If you are in the right culture, the asking of questions will further increase the culture of dialog and collaboration.
2. Find ways to contribute early: Some call this quick hits, but even before that, relationship building is easier when it is two way. Don't worry about making yourself look good or at least hold off till annual review time and instead figure out ways to help others have a good day.
3. Listen: A popular management trend nowadays is to hire Enterprise Architects who are great conversationalists. In the end, the encouragement of those who take charge of conversations may feel right to some, but longer term sustainability requires someone who talks less and listens more. Set time to first engage, listen and learn.
4. Understand the business cycles: When are budgets done? When is the strongest quarter for sales? What are the milestone dates for the top X IT projects? Understanding dates will help you frame not just what is important, but what is more important.
5. Look for burning platforms: Yes, the dates will drive priorities but it is equally important for you to hunt down the issues, especially the ones no one else recognizes.
6. People over Process: Sure, during the interview they may have asked you about TOGAF, the Zachman framework and so on. Now isn't the time to refresh your memory on the latest EA frameworks. Likewise, it is equally vital that you eschew conversations related to emerging technology such as the Cloud, Social Media, etc. Save your reading material for idle time while sitting on your porcelain throne and instead focus on people and relationships first, process second and technology a distant third.
Wednesday, March 16, 2011
Enterprise Worst Practices: Overtime
There are four reasons why overtime hurts enough to offset the effect of the added hours. These are the invariable side effects of extended overtime:
- Reduced quality
- Personnel burnout
- Increased turnover of staff
- Ineffective use of time during normal hours
Sadly, extended overtime is not just something that companies do to their workers, as many employees do it to themselves! Overindulgence in work, like overindulgence in anything else, will eventually lead to burnout. Over time, burned-out workers have no heart for anything - not for more overtime or even putting in a sensible eight hours a day.
Have you ever thought of your coworkers as zombies who wander the corridors, but otherwise never given it a second thought? There are way too many people nowadays simply going through the motions but otherwise not contributing.
Organizations with a lot of burnout begin to have a weighty, lethargic feel, just what you'd expect of a staff made up largely of the living dead. While many enterprises have attempted to awaken the zombies via various "leadership" tactics, they haven't dealt with reality and figured out how to not work hard but to work smart.
Sadly, way too many managers are blissfully ignorant of the costs of employee turnover and myopically look at cost solely in terms of salary paid. Did you know that the cost of turnover in most IT shops is often second or third among cost categories?
Recent studies within several universities and think tanks have shown that working longer days doesn't accomplish more than shorter ones. The best predictor of how much work a knowledge worker will accomplish is not the hours that he or she spends, but the days. Way too many people you and I both know have come to realize that we are working longer hours but otherwise delivering less. What prevents us from doing anything about it? Inquiring minds would love to know.
Anyway, in conclusion you should come to understand that twelve-hour days don't accomplish any more than the eight-hour days and that overtime is a wash...
Monday, March 14, 2011
The Corporate Culture of Meetings...
Bet you didn't know that collaborative cultures tend to cause people to work harder but don't necessarily have better business outcomes.
Meetings are one of the most frequent ways that overtime organizations waste the time of their most essential human resources. Another way is that workers tend to drop their interrupt discipline during daylight hours: knowing that their peers will be working long into the night, they feel free to interrupt them willy-nilly during "normal" working hours.
In many cultures, meetings aren't just a problem, but an obsession. Meetings in many companies account for nearly a third of all people's time. To make matters worse, meetings are not only too frequent but also have way too many people. Have you had a day with multiple meetings where the smallest in attendance was still over a dozen? Doesn't this remind you of what it feels like to be part of MC Hammer's entourage...
The best and biggest waste of time is when a new person attends. We spend a lot of time bringing this person up to speed while making dozens of people endure the same material they have seen at least a dozen times.
All of these meetings cause people to become overworked and do more overtime than they should. Many people are of the mindset that overtime only impacts the employee and not the company since the company isn't paying additional for the time wasted, but nothing could be further from the truth.
Think about a business practice where there is a tendency to waste normal workday hours. Don't you think that this time could be better used than in meetings? Ask yourself why the basic hygienic acts of management that reduce daytime waste are, for some reason, suspended.
A culture that is wildly successful will attempt to achieve balance for all involved. It is common sense that people think better when they aren't tired and therefore it is in management's best interest to keep people fresh.
If you want to stump a CIO, ask him/her what they would do if overtime were forbidden and they still had to make a schedule. Until your enterprise can answer this fundamental question, there is no hope of either truly obtaining IT efficiency or achieving sustained competitive advantage...
Friday, March 11, 2011
Does cutting headcount increase or reduce efficiency?
Expense reduction should never result in pushing clerical work upward (usually to managers or to knowledge workers). I would think it would be more efficient and cost saving if a company introduced even a few gofers. When a low-level employee off-loads someone who makes four times as much, the organization is a big winner.
Why do we classify people who handle clerical tasks as overhead? The obsession in eliminating anything that is labeled as overhead has resulted in many organizations where high-priced knowledge workers spend as much as a quarter of their time being their own overhead. Is this an economy?
The absence of low-level support becomes even more important when knowledge workers are arrayed in teams. Companies that are maintaining competitive advantage in this new economy have figured out how to better leverage knowledge workers, and it ain't by giving them more clerical tasks...
Thursday, March 10, 2011
Thoughts on Outsourcing: Should I admit this in public?
As an Architect and Agilist, I understand the value proposition of finding and fixing faults early in the lifecycle, but for some strange reason I have been blissfully ignorant in applying these principles until now. What could be earlier in the lifecycle than the actions taken by the onshore staff of an IT outsourcing firm?
Many developers in India, Sri Lanka and other IT outsourcing destinations sit back and wonder why they are always put into situations that require heroics and almost always setup to fail. In their minds, they may be led to believe that it is the client who is demanding. I think this perspective is inaccurate and somewhat dishonest.
Consider for a moment that a client can and should ask for anything and everything under the sun. There is nothing wrong with this. The key breakdown is when the onshore people haven't figured out how to say No!
In consulting, we are taught to never say no, but everything has limits. If I ask you to jump off a cliff, kick your dog, cheat on your wife and assassinate some Middle Eastern leader, the answer should be less collaborative and more direct.
Do you believe in your heart that clients will respect someone who never pushes back? The art of saying no requires a discipline that is increasingly not found in the mouths, hearts and minds of those onshore. Consider for a moment how easy it is for an onshore person to say yes to anything. After all, they aren't the ones who won't be seeing their spouses and kids.
Another consideration that I haven't found anyone discussing is the need for the onshore team to have extensive interactions with the client. Sure, a little sucking up goes a long way but generally speaking, does it make sense to anyone that the average onshore person spends at least eight hours with the client only to then when really tired spend another hour on a conference call at night collaborating with the offshore team?
Wouldn't it make more sense that the onshore team spend more time with the offshore team than the client and all the unproductive socialization that doesn't contribute one iota to producing quality deliverables? The current practice is upside down and backwards.
I can say first hand that I have met some truly talented developers from India, Sri Lanka and Brazil that I would hire in a heartbeat if I had my own company. Sadly, their self-worth is being manipulated and destroyed by the decision or should I say the indecisions of those who work for their firms onshore.
A lot of people onshore will disagree with me with passion, but I felt that it is important to keep the conversation honest and hopefully from incite comes insight and we can all find better ways to not only develop high quality working software but do so in a manner that provides us all with work/life balance.
Without some introspection, we all become a little less human. For me, I care about all the people on the planet and acknowledge that spending time with friends and family is so precious and work should not be an impediment to something that is a gift from our creator...
Monday, March 07, 2011
Part Two: Insurance Authorization Scenarios with Gerry Gebel
Here is the next installment in a series of posts on the applicability of XACML-based authorization for the insurance industry:
JM: We had a great discussion covering basic entitlement scenarios and how they can be applied to the insurance vertical. Are you ready for some scenarios that are more challenging?
GG: Absolutely…
JM: Let’s dive into two additional insurance-oriented use cases. First, let’s talk about the concept of relationships and how they challenge the traditional notions of authorization and role-based access controls. Imagine you are vacationing in sunny Trinidad and have left your nine-year-old child home alone. Your son, having been raised by responsible parents, decides to renew your automobile registration in order to avoid paying a late penalty but realizes he needs to also get an automobile insurance card first. How does the insurance carrier determine that your son is authorized to request an insurance card for your policy? The answer is via relationships.
Relationships in an insurance context may be as simple as confirming whether the subject is listed as a named insured on a policy, or could be more complicated in scenarios where there is a power of attorney in place, where someone with a totally different name and address, and otherwise unrelated, may be authorized to conduct business on your behalf.
GG: This is an excellent case where the PIP interface of the policy server can call out to a directory, customer database, or web service to determine if the requestor has a relationship with the policy holder. Having the policy server, the PDP in XACML parlance, make the query simplifies things for the PEP and application. Instead, the PDP figures out what additional attributes are necessary to satisfy a particular policy.
JM: Relationships can be modeled in a variety of manners but generally speaking can be expressed in either a uni-directional or omni-directional manner. For example, a husband and wife have a bi-directional relationship to each other that can be named as spouse, while an elderly person may have a uni-directional relationship where the person holding the power of attorney can take actions on behalf of the individual but not vice versa.
GG: Again, XACML policies and the PDP can evaluate relationships between entities to resolve access requests. In this example, a person with power of attorney for a parent’s account can make changes to that account because a condition in the XACML rule can dynamically validate access. Spouses can have common access to update insurance policies that they co-own because each is named on the insurance policy – again the XACML condition easily evaluates the relationship: user_attempting_access == named_insured. In this example, named_insured could be a multi-valued attribute that lists parents and children on the insurance policy. The PDP must be able to parse through the multiple values when evaluating access policies. To add another layer of context, each of the persons in the named_insured list could have different privileges, where children are allowed to view the insurance policy but not able to update or cancel it.
JM: In the model of delegation, the power of attorney may have a specified scope whereby the person holding the power of attorney can do actions such as make bill payments or make endorsement changes but may not have the right to cancel.
GG: The flexibility of XACML policy is evident for this case as well. For example, policies can have a “target” so that particular effects can be implemented in each scenario. In the above example, a policy with a target of “action=cancel” can have a rule that denies the action, while other actions are permitted. Alternatively, policies could be created for each action and combining algorithms resolve any conflicting effects. Combining algorithms are defined for deny overrides, permit overrides, first applicable, and several other results.
JM: Let’s look at another insurance scenario. Within the claims administration process, you can imagine that a workflow application (BPM) along with a content management application (ECM) would be frequently used. From a business perspective, you may have a process known as First Notice Of Loss (FNOL) whereby a claimant can get the claims process started. The BPM process would handle tasks such as assigning a claims handler to adjudicate the claim, while the ECM system would capture all the relevant documentation such as the police reports, medical records if there were injuries, and photos of the car you just totaled.
Now, let’s imagine that a famous person such as Steve Jobs or Warren Buffett is out driving their Lamborghini and get’s into an accident. For high-profile people, you may want to handle claims a little differently than for the general public and so you may define a special business process for this purpose. The big question then becomes, how do you keep the security models of the BPM and ECM systems in sync? More importantly, what types of integration would be required between these two platforms.GG: First, access policies should be designed to restrict claims processors to only handle claims that are assigned to them, or their team. This can be accomplished dynamically through the use of conditions, independent of what users get assigned to teams or groups. As noted earlier, the PIP interface is able to look up group or team membership at runtime. In addition, the insurance company may choose to implement an extra policy to further restrict access to celebrity or VIP clients. An example of where this would have been useful is the “Octo-mom” case where employees were found to have inappropriately accessed her records. The “celebrity” policy can be targeted to resources associated with an individual or they can be tagged with metadata indicating a special handling policy applies. In the PDP, results from multiple policies are resolved with the combining algorithms defined in XAMCL – first applicable, deny overrides, permit overrides, etc.
Regarding integration between BPM and ECM systems, it appears there are multiple options here. In one example, the ECM system can defer access decisions to the BPM layer, which can be effective if the only access to records is through the BPM layer. If access to ECM records flows through different applications, then both ECM and BPM should use the same authorization policies/system. If they use the same authorization system, BPM and ECM are using the same policies by definition and can therefore implement access controls consistently.
JM: It is a good practice to not only assign the claim to a team but for people outside of that team to not have access (in order to respect privacy). The challenge is that teams aren’t static entities and may not be statically provisioned. This model doesn’t just occur within business applications but is a general challenge in many enterprise systems. As you are aware, the vast majority of enterprise directory services tend to have a view of the organization and its people through the lens of reporting relationships and not team composition and how work actually gets done. The notion of the matrixed organization can further blur authorization models.
GG: I agree that directories are not always able to easily represent matrixed relationships within an organization. Ad hoc groups can be created for projects or teams, but can be difficult to manage and keep current. In some cases, virtual directories can provide a more flexible way to surface different views of directory data. The bottom line is that you can’t implement dynamic policies if the necessary relationship data is not available.
JM: Are there practices you recommend that enterprises should consider while modeling directory services to support the authorization scenarios described so far?
GG: Yes, there are a number of things to consider regarding directory services when dealing with attribute based access control systems. In general, here are some key points:
- We tend to prefer using existing, authoritative attribute sources – rather than force any kind of directory service re-design. In typical organizations, this means that privilege-granting attributes could be stored in several repositories that include directories, as well as databases or web services. At some point, the organization may choose to implement a virtual directory product, which gives them a lot of flexibility in aggregating attributes and providing custom schemas for the various consuming applications – including ABAC systems.
- When constructing XACML policies, the policy author does need to think about where attributes are stored because of performance implications. Attributes may be local to the application or possibly remotely stored in another security domain. Even local attribute lookups can be an expensive operation if the repository does not operate efficiently. There are many techniques to deal with performance, but they must be dealt with in order to achieve adequate response times for interactive users.
- A corollary to the previous point is the question of what component does the attribute lookup, the PEP or PDP? The PEP will naturally have access to several attributes, such as userID, action, target resource, and some environmental variables. The PEP could look up additional attributes, but it does not necessarily know which policies will be evaluated. Therefore, it is normally better for the PDP to do attribute lookup after it determines what policy(ies) to evaluate.
- Data quality is always an issue in directory services. As a former colleague, Larry Gauthier, was fond of saying, “Even if you admit your directory data is dirty, it is most likely filthy.” Once an organization starts writing access policies that utilize dirty data, it’s possible that incorrect decisions could be the result. The solution isn’t necessarily technical, but could impact processes that are responsible for updating and maintaining user data – whether that’s in the HR system, enterprise directory, CRM database, or other repositories.
GG: I am not aware of any BPM or ECM vendors that support XACML today. Documentum has published how to add an XACML PEP to their XDB, but I don’t know of their broader plans, if any, to support XACML. I think customers need to continue pressing vendors to externalize authorization and other identity management functionality from their applications. Customers can do this directly via their product selection process and by proxy through their industry analyst resources. ISVs should not expect to operate in a silo any more because applications have to interact with each other. It is extremely difficult to implement consistent access policy across multiple policy domains, and you would think that application vendors have gotten this message by now. Further, XACML is a very mature standard that can be easily integrated into new application development and is also feasible for retrofitting many existing applications. Again, the key is for customers and analysts to force the issue with application and infrastructure vendors.
Stay tuned for Part Three…
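As an added example (not part of the interview or of any product mentioned in it), here is a small Python model of the XACML mechanics discussed above: policy targets, rules with conditions, a PIP that resolves team membership at decision time, and the deny-overrides, permit-overrides and first-applicable combining algorithms, applied to the claims scenario (team-scoped access, a denied "cancel" action, and an extra VIP policy). All names, data and the PIP are constructed for illustration.

```python
# Added example, not from the interview: a minimal XACML-style PDP showing
# policy targets, rules with conditions, runtime PIP lookups and combining
# algorithms. All names and data below are constructed for illustration.
from collections import namedtuple

Rule = namedtuple("Rule", "effect condition", defaults=[lambda r: True])
Policy = namedtuple("Policy", "target rules algorithm", defaults=["deny-overrides"])
TEAM_OF_CLAIM = {"claim-100": "team-east", "claim-200": "team-west"}  # constructed
TEAMS_OF_USER = {"alice": {"team-east"}, "bob": {"team-west"}}        # constructed
VIP_CLAIMS = {"claim-200"}   # resources tagged with special-handling metadata
VIP_HANDLERS = {"bob"}       # users cleared to work VIP claims

def pip_user_teams(req):
    """Hypothetical PIP: team membership is resolved at decision time, not carried in the request."""
    return TEAMS_OF_USER.get(req["subject"], set())

def combine(decisions, algorithm):
    """XACML combining algorithms over Permit / Deny / NotApplicable results."""
    applicable = [d for d in decisions if d != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in applicable else "Permit"
    if algorithm == "permit-overrides":
        return "Permit" if "Permit" in applicable else "Deny"
    if algorithm == "first-applicable":
        return applicable[0]
    raise ValueError("unknown combining algorithm: " + algorithm)

def evaluate_policy(policy, req):
    """A policy whose target does not match is NotApplicable; otherwise its rules are combined."""
    if not policy.target(req):
        return "NotApplicable"
    results = [r.effect if r.condition(req) else "NotApplicable" for r in policy.rules]
    return combine(results, policy.algorithm)

def pdp_decide(policies, req, algorithm="deny-overrides"):
    """The PDP evaluates every policy and resolves conflicts with the top-level algorithm."""
    return combine([evaluate_policy(p, req) for p in policies], algorithm)

# Claims scenario: team-scoped access, no "cancel" action, extra deny on VIP claims.
POLICIES = [
    Policy(lambda r: r["resource"] in TEAM_OF_CLAIM,
           [Rule("Permit", lambda r: TEAM_OF_CLAIM[r["resource"]] in pip_user_teams(r))]),
    Policy(lambda r: r["action"] == "cancel", [Rule("Deny")]),
    Policy(lambda r: r["resource"] in VIP_CLAIMS,
           [Rule("Deny", lambda r: r["subject"] not in VIP_HANDLERS)]),
]

def pep_allows(req):
    """Deny-biased PEP: only an explicit Permit grants access; NotApplicable is refused."""
    return pdp_decide(POLICIES, req) == "Permit"
```

Note that the same request can come out differently under permit-overrides, which is why the top-level combining algorithm is itself a security decision.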
Wednesday, March 02, 2011
Status Meeting Worst Practices
OK, picture the senior most IT
When Manager X is speaking his/her piece, you might see Manager G, a bit further down the table, making a few notes. Do you think that the moving pen has anything to do with what is being said in the meeting?
Manager G is more than likely making notes for his/her own few minutes of addressing the
Yes, I used the word as this is most certainly not a meeting. In real meetings, n number of people put their heads together to arrive at some conclusion or to take some new direction that requires both the input and participation of all.
Taking turns to talk to the boss is the biggest meeting farce ever invented and only serves as a ritual to celebrate the bossness of the boss. Of course the premise for the meeting is so that the management team can have an opportunity to converse. Maybe the challenge is in first acknowledging that there is no such thing as a management team.
Can we start with acknowledging that a team is a group of people who have joint responsibility for an outcome such as a work product? People who own nothing in common may be called a team, but they aren't. This construct primarily exists to spread responsibility and accountability over the management team without actually doing any real management.
This worst practice trumpets the advantages of having each manager entirely responsible for whatever is allocated to him/her. The flip side of this worst practice is the simplistic accountability scheme that results in managerial isolation...
Tuesday, March 01, 2011
Why rating employees on a curve is a worst practice!
Have you ever heard an executive wax poetic by saying "I guess a little healthy competition won't hurt"? This is a sad example of the self-destructive authoritarian who assumes that anything that happens must necessarily have been exactly what he/she intended to happen.
For the record, there is no such thing as "healthy" competition within a knowledge organization; all internal competition is destructive! The nature of work in IT is that it cannot be done by any single person in isolation. Knowledge work is by definition collaborative.
The necessary collaboration is not limited to the inside of the lowest-level team; there has to be collaboration as well between teams and between and among the organizations the teams belong to.
Many executives have brainwashed themselves into thinking that competition won't inhibit cooperation. They reason that the obligations of "professionalism" will oblige their subordinate managers to help each other out when it is in the common good. When that doesn't happen, they grumble loudly about "unprofessional" behavior.
Think for a moment and you will find yourself laughing hysterically at this form of executive stupidity as this is beyond insane optimism. When managers are given direct and explicit incentives to compete with their peers, it makes zero sense to expect them to refrain from playing the game at all out of respect for a fuzzy abstraction like professionalism.