Tuesday, October 31, 2006


An Enterprise Perspective on Analyst Relations

My significant other has decided to jump back into IT after several years of rest. She has figured out that working for a large enterprise where she would all day go from one useless meeting to another exchanging low-density information with folks who simply don't get it doesn't appeal to her. She has figured out that she has no interest in collaborating and therefore wants to be a CTO for a startup idea she has been noodling. Of course, she has used me to provide validation of the idea along with assigning me homework of understanding the other side of analyst relations...

I remember a while back, I had a conversation with a Gartner analyst at work regarding not only our usage of a particular open source project but also my personal contributions to it. My take would have been that he would be excited to talk with someone who loved a product so much as to participate on both sides, but of course I got it wrong. The perspective I got instead was that I had somehow violated protocol by attempting to brief as a customer and that it removed any opportunity to sell additional services.

About a week later, I had another call with the same Gartner analyst on the same open source project and got an interesting response when I asked him what exactly it would take for Gartner to list an open source project in the leaders section of the magic quadrant. I got a response that was somewhat abstract in that there was nothing actionable I could do as a contributor and user to change it.

Not being one to give up so easily, I asked the same question of the folks at Forrester. They told me that their Wave is primarily centered around the characteristics of a vendor, which is distinct from a customer's view of a product. For example, a large enterprise can use open source products such as ServiceMix without having a single interaction with the folks at LogicBlaze. While this perspective does have merit for the vast majority of large enterprises that have enterprise architecture teams, it does have a negative effect on large enterprises who want to not only use but also contribute to open source themselves without the assistance of a vendor.

Many folks in the blogosphere know that I am a big fan of small nimble analyst firms such as RedMonk, Elemental Links, ZapThink and others but in terms of my wife's homework, I too have a dilemma.

The thing that I do understand is that large analyst firms interact daily with folks like myself, whereas I cannot tell what the interactions of small analyst firms with large enterprises whose primary business isn't technology look like. At some level, folks invest in analyst organizations because they desire sales leads. Yes, I understand there is more value than that, but leads are what have the best potential of putting monies into one's pocket.

Likewise, I understand that there is value in terms of being mentioned in industry magazines. The value of being mentioned in the press is in many cases more important than being given leads, but I also cannot observe whether small analyst firms will be more useful in terms of spend than large analyst firms.

In terms of budgeting, it would be wonderful if someone simply published the fee schedule for all analyst firms in one place. My gut feel tells me that the average small vendor pays an industry analyst firm $25K per year and gets several strategy sessions with them. Am I headed in the right direction?

I still need to do some homework in terms of figuring out the budget for writing case studies. Do analyst firms charge extra to speak at their conferences? Anyway, we have some time to figure out what it means to be a vendor. We have determined that it is best to get three large enterprises (I already have five committed) to deploy the solution and serve as references. Of course, this will take a lot of time away from me blogging as my wife figures out how to assign more homework to me...


Monday, October 30, 2006


Facts you didn't know about Service Oriented Architectures...

Bet you didn't know that:

For other SOA facts, click here...



The blog of an Iraqi Sniper...

Iraqi insurgents also blog. Here is the blog of Juba, an Iraqi who has killed many coalition forces...


Sunday, October 29, 2006


IT folks are richer than you think...

This is officially my 500th blog entry and I figured I would use my pulpit to talk about wealth in hopes that IT folks could start changing their perspectives about money...

Many folks within IT and society at large don't save money and choose to piss away their earnings on bullshit. These same folks constantly rant that they don't make enough money and are chasing something that is not sustainable. Of course they could go to a financial planner and learn a lot about money management but the problem is more sinister. I have concluded that instead of talking like folks on Wall Street and talking about stock market indexes, American IT workers need to start indexing themselves to the incomes of folks in other countries.

Maybe the best thing one can do for oneself when in debt is to start becoming more charitable. What would happen if you reached into your pocket right now and decided to give money to folks in poor countries? Would it make you feel uncommonly good? You could improve the lives of many instead of simply being caught up in the mix of attempting to only make yourself happy.

What would happen if every blogger decided to donate just one hour's salary? The following things are potential outcomes:

Did you know that three billion people live on less than $2 per day while 1.3 billion get by on less than $1 per day? Seventy percent of those living on less than $1 per day are women. Of course bloggers in the blogosphere can exercise their right to remain silent, or they can choose to trackback and make a difference by helping spread the word...


Saturday, October 28, 2006


A politically correct way to tell IT folks to close their pie hole...

There are lots of Americans who are losing their jobs to folks in other countries when it comes to outsourcing. Yes, our government is filled with losers and it is time to throw George Bush and his republicrats out on their butts and get someone who puts their own country first.

One characteristic of leadership that isn't talked about much is who a leader represents and how much they waver in their beliefs. Within the African American community there are two examples that come to mind. First, there is Jesse Jackson, who seems to chase agendas, yet many folks in their ignorance assume he is a leader when they should think of him as an idiot. On the other side there are folks such as Minister Farrakhan, who never wavers in terms of who he represents. Folks may not like what he says, but he stands for something.

Maybe it is time for IT folks of all races, religions and nationalities to emulate Minister Farrakhan and avoid those collaborative types like Jesse Jackson who don't know when to close their pie hole...

One thing that feels racist to me is some of the conversations I hear in private regarding outsourcing. Yet another person shared a feeling with me yesterday while at Lowes (Sorry Home Depot for being a traitor) regarding the fact that they were the only white guy in a meeting room full of Indians. My perspective on this issue is different than most in that folks are starting to feel something I have always felt pretty much every single day of my entire life.

What I tell folks is that you were too freakin stupid to have embraced diversity in terms of quotas several years ago and got caught up in worrying about the two Chinese guys and the Puerto Rican entering IT. Since diversity wasn't important to you, it is now being used against you. Diversity and support for it go both ways, and you shouldn't only embrace it when it works for you.

Another thing that I often hear folks talk about is helping create jobs in otherwise poor countries and how it hurts the wealth of our own. Yes, Americans should have a preference for keeping jobs in America, but they should also help economically. The real question is how.

I wonder if folks would feel better helping out a country such as Trinidad over countries such as India? After all, Trinidad is more diverse in terms of race and religions. In an outsourcing context, one can achieve the same cost efficiencies as well. If you look at moving IT jobs to Trinidad would it be less evil than India? I think so.

Maybe you should embrace championing the notion of outsourcing but likewise embrace championing diversity. If you look at a country such as Trinidad, they don't make their own cars or pretty much anything and lots of goods are purchased directly from the United States. Would you rather give someone in another country $1 making them rich only to have them turnaround and have the need to buy everything back from the US or watch our monies leave our own economy by outsourcing to less diverse countries such as India?


Friday, October 27, 2006


How should Enterprise Architects invest their money?

Enterprise Architects on a daily basis tend to talk in terms of IT portfolio management but never seem to get their own priorities straight when it comes to investing in the stock market. This week, the stock market has reached new highs and I figured I would share what I am investing in...

Below are the top five holdings in my investment account:

Anyway, I have also added medium-sized positions recently in Toyota (TM) and Cognizant (CTSH). The interesting stereotypical thing that I have recently noticed is that lots of folks of Indian descent tend to drive Toyotas. If American enterprises keep up the pace of outsourcing, then Toyota will benefit on multiple fronts.

I added Cognizant to my portfolio because they are the most ethical (if there is such a thing) of all of the outsourcing firms. They were the first to get the principles of the Agile Manifesto, and they tend to get higher billing rates than their competitors at Wipro, Infosys, TCS and so on. Cognizant, since they are US based, also have a re-badging practice for employees who are displaced when they outsource that is non-existent in other firms. I also suspect that Cognizant is most in line with the spirit of EEOC laws, well beyond their competitors, which should result in superior growth opportunities.

Next week I will share how I invest for retirement...


Thursday, October 26, 2006


Los Angeles and the Lunatic Fringe in the Blogosphere...

I heard an interesting story yesterday from a former blogger who was harassed by someone in the blogosphere, and they had to get law enforcement involved. The funny thing is that I previously heard the story from others, which indicates an interesting pattern...

Apparently this person had called him at work, not understanding that most financial services firms, in order to comply with various regulations, record all calls. Even funnier is the fact that they were working with the FBI as part of its InfraGard program and actually started harassing the person who by chance picked up the phone to dial at the same time the phone rang.

Phones are the absolute worst way to harass someone. Some even think they are clever by using VoIP when in all reality they have made things worse, as this is regulated by the FCC and all crimes that cross state borders become escalated to federal offenses. Anyway, it does take a little bit for law enforcement to cross jurisdictions, but they always find their man...



A Challenge to Open Source Vendors...

I would like to send a challenge to Alfresco, Intalio and ServiceMix to prove that their software is secure...

I am firm in my belief that we as an industry need to build security into each and every product we develop. It seems as if magazines such as InfoWorld can provide lots of coverage on patch management and the Microsoft bug of the day but won't lift a finger to publish thoughtful articles on how we can improve the software development lifecycle, not only in software companies but in corporate America in general, to ensure that all software developed is secure.

What would happen if we organized a big fat code review day where everyone reading this blog agreed to first learn what secure software looks like and then was sent out on a mission to find holes in open source software? Maybe vendors such as Ounce Labs and Fortify would be willing to freely contribute copies of their software for this undertaking?

Even if these vendors are solely focused on short-term revenue at the expense of letting a larger population understand their value proposition, there are people who really will look at code for security problems with or without a tool. There are altruistic types who simply want to see a safer world, but most people who do this are trying to promote themselves or their company. Either way, both groups want to make the biggest impact possible, and as a result, what tends to attract the eyeballs in the open source world is the popular, widely adopted software.

Most of these people who look for security problems will start by looking for the low-hanging fruit, focusing on the potential problems that could have monumental impact. In practice, this means that people tend to look for straightforward instances of common problems such as buffer overflows, format string problems, and SQL injection.

Less sexy risks tend to get ignored completely. For instance, plenty of open source programs use SSL improperly, typically by skipping certificate or hostname verification, and are therefore subject to network-based eavesdropping and tampering attacks (a problem I'll explore in more detail soon). People who publish security advisories aren't really publishing risks like this, because folks are far more interested in finding more immediately demonstrable problems. After all, we understand that most folks would love to participate in security but simply don't have the brain power necessary.

Ignoring the commercial tool offerings for a minute, maybe the open source community needs to create its own tools to help itself. There is actually an opportunity here in that most products attempt to scan in a black-box fashion, which only finds superficial errors. The problem with black-box testing for security is that most programs are complex and have states that an automated crawler isn't likely to reach. Security problems are often buried in complex systems, and finding them with such an approach would require heavy user interaction to put the system into a large number of different states.
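As an added example of the kind of source-level tool the open source community could build for itself (this is not code from the original post, nor from Alfresco, Intalio, ServiceMix or any scanner vendor named here), the following Python script walks a parsed syntax tree and flags three of the patterns discussed above: SQL statements assembled by string formatting, HTTP calls that pass `verify=False`, and `ssl` contexts that silently disable certificate or hostname checking. The sample source it scans is constructed for the example, and the rule names are my own; the point is that a crawler driving the running program never sees any of these, while the source makes them obvious on the first pass.

```python
"""Minimal white-box (source-level) checker for a few common security smells.

Added example, not code from the original post. It parses Python source with
the standard ``ast`` module and reports, by line, places where:
  * an SQL statement handed to ``execute`` is assembled with %-formatting,
    ``+``, ``str.format`` or an f-string (SQL injection candidate);
  * a call passes ``verify=False`` (requests-style TLS verification off);
  * an ``ssl`` context has ``check_hostname`` cleared or ``verify_mode``
    set to ``CERT_NONE`` (eavesdropping/tampering candidate).
"""
import ast

# Constructed sample input for the example; it is parsed, never executed.
SAMPLE_SOURCE = '''
import ssl

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    return cur.fetchall()

def lookup_safe(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))
    return cur.fetchall()

def fetch(session, url):
    return session.get(url, verify=False)

def insecure_context():
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
'''


def _is_string_build(node):
    """True if the expression assembles a string at run time from pieces."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return True
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


class SecurityVisitor(ast.NodeVisitor):
    """Collects (line, rule_name) findings while walking the tree."""

    def __init__(self):
        self.findings = []

    def visit_Call(self, node):
        # cursor.execute(<string built at runtime>, ...)
        if (isinstance(node.func, ast.Attribute) and node.func.attr == "execute"
                and node.args and _is_string_build(node.args[0])):
            self.findings.append((node.lineno, "sql-string-build"))
        # any_call(..., verify=False)
        for kw in node.keywords:
            if (kw.arg == "verify" and isinstance(kw.value, ast.Constant)
                    and kw.value.value is False):
                self.findings.append((node.lineno, "tls-verify-disabled"))
        self.generic_visit(node)

    def visit_Assign(self, node):
        for target in node.targets:
            if not isinstance(target, ast.Attribute):
                continue
            if (target.attr == "check_hostname"
                    and isinstance(node.value, ast.Constant)
                    and node.value.value is False):
                self.findings.append((node.lineno, "tls-hostname-check-disabled"))
            if (target.attr == "verify_mode"
                    and isinstance(node.value, ast.Attribute)
                    and node.value.attr == "CERT_NONE"):
                self.findings.append((node.lineno, "tls-cert-none"))
        self.generic_visit(node)


def scan(source):
    """Return sorted (line, rule) findings for a piece of Python source."""
    visitor = SecurityVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings)


if __name__ == "__main__":
    for line, rule in scan(SAMPLE_SOURCE):
        print(f"line {line}: {rule}")
```

Run against the sample it reports the `%`-formatted query, the `verify=False` call and the two `ssl` context assignments, and stays quiet on the parameterized `lookup_safe` query. The checks are deliberately syntactic; a real tool would follow data flow so that a query string built in one function and executed in another is still caught, but even this much is more than a black-box crawler can infer from the outside.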

So, I have lots of respect for the contributors to Alfresco, Intalio and ServiceMix, but I have no clue as to what is done to ensure that the functionality not only works as advertised but is also secure. I know the folks that contribute to Liferay have ensured that Liferay Enterprise Portal is certified as being more secure than commercial offerings. Wouldn't it be more interesting if, say, Alfresco were deemed more secure than Documentum and/or Interwoven?

It would be really cool if Intalio proved that its offering was more secure than, say, Pega or Lombardi. I suspect this would light a fire under many BPM vendors to step up to the challenge. In fact, I suspect Intalio would actually become the first BPM vendor to fully embrace the XACML specification.

Even though the blogosphere and pretty much everyone in corporate America understands that ServiceMix benchmarks faster and supports more industry standards than Sonic or CapeClear in the ESB space, the two big analyst firms, Gartner and Forrester, don't seem to cover this fact. I wonder what would happen if ServiceMix also got its code certified as being more secure and implemented XACML. Would this put ServiceMix into the leaders quadrant, or would the Gartner and Forrester analysts continue to ignore its value proposition?


Wednesday, October 25, 2006


Enterprise Architecture: Why do businesses shy away from open source?

A while back, Chuqui in his blog commented on why businesses shy away from open source. I figured I would provide my own two cents...

I think there are three different perspectives that he should have mentioned.

Many enterprisey folks aren't capable of researching the marketplace for themselves and therefore rely on large analyst firms to put things into nice charts and graphs for them. If the large analyst firms don't have enough integrity to also list open source projects in their matrix then enterprisey folks will not even learn about what benefits them.

Another perspective says that the vast majority of enterprise architects nowadays aren't even technical and therefore cannot download software themselves and get things to work. With the advent of outsourcing, folks in the US represent agendas vs architectures and outsource the details to other folks. Many of us have even gotten good at outsourcing the need to socialize in corporate America by putting this responsibility into the hands of strategic vendor partners who will gladly come in and show their thinly veiled chock-a-block eye candy PowerPoint presentations that lack substance so that we don't have to.

Think about how much work I avoid if, say, I wanted to bring Smalltalk to my enterprise. Which would be easier: to line up someone like James Robertson and waste a lot of his time under the guise of a sale, or to do this myself? Maybe I should noodle dragging in David Heinemeier Hansson to get us enterprisey folks to pay attention to Ruby on Rails. I wonder what trinkets he would leave with us?

Anyway, the third perspective that wasn't discussed is the simple fact of how budgeting occurs in corporate America. Imagine if I wanted to prove out something in the federated identity space. I could either request a consulting firm to come in and build something for me, which, if I didn't use it, could blow through money. Likewise, I could find a nice expensive closed source vendor to do a free proof of concept and not spend a cent.

Folks in the open source community tend to only think about the cost of software and how this is attractive to large enterprises. This is tiny in the overall budget. What matters is in reducing our costs for integration and consulting. Remember that humans cost more than technology nowadays. If I can get folks to do work for free, then this will challenge the open source business model...


Tuesday, October 24, 2006


An interesting perspective on Agile Software Development

Joel Spolsky expresses an interesting opinion on agile development methodologies and quotes Steve Yegge of Google, who dislikes agile as much as every employee in corporate America doesn't think Ruby on Rails is ready for the enterprise. Anyway, Yegge shares with the agile community what "good agile" is:

Of course the founding members of the Agile Alliance will keep their traps shut and not publicly respond to this perspective, as doing so may jeopardize their own credibility. Imagine if the Agile Alliance started acknowledging that agile could have bigger uptake in large shops if they were to stop strangling its growth at the expense of maintaining consulting revenue...


Monday, October 23, 2006


Jolt Awards: History repeats itself...

If you thought last year's scandal with the Jolt Awards was bad, this year will be even worse...

Last year's scandal started with an issue where Liferay Enterprise Portal had the most nominations of any product yet did not get an award. There were several problems that the folks running the award didn't want to address. First, there was a category for portal software in which JBoss Portal was the only nomination, as they slotted Liferay Enterprise Portal in a project management category. When this was brought to the attention of SD Magazine, they refused to fix the issue and stated that while it was an error it was too late to do anything about it.

The real issue, however, was a little different in that products from the open source community could be nominated free of charge while commercially oriented products had to pay an entry fee. Of course, if you look at the results, not a single free nominated product competing against a paid entry won an award.

This year, in order to bring equality, instead of making the awards about the products people use and eliminating all fees, they went in a direction that further reduces the credibility of the awards by charging everyone. Of course, I emailed the committee and asked how I, as an employee of a Fortune enterprise whose primary business isn't software, could nominate products that are of high quality regardless of whether they are open or not. They in essence told me that my opinion doesn't matter and that it was important for vendors to champion their own causes. I wonder if it is wise for any software vendor to advertise in a publication that wants to remove the ability to participate from a large portion of its readership...

Another non-software scandal on this same topic occurred in the publishing space as well. One of the books from the Ruby on Rails camp also won an award. Of course the publisher paid the fee, and this book did not compete against any other Ruby books. When the author of this book gloated about the award, some thought that this had the effect of compromising the ethics of the Ruby community at large.

Folks such as Martin Fowler, Scott Ambler, Dave Thomas, Uncle Bob and other agilists who serve on panels that help choose the winning products, but only choose from a filtered list, may be risking their own credibility if they continue to participate. I hope that they will step up and use their influence to bring integrity back to the process and not just exercise their right to remain silent...


Sunday, October 22, 2006


Certified Outsourcing Professionals

The International Association of Outsourcing Professionals recently came out with a certification program named the Certified Outsourcing Professional Program. I wonder what would happen if I came up with a keep-jobs-in-America certification?

It seems as if Filippo Passerini, who is the CIO of Procter & Gamble, is the ringleader of this undertaking. I wonder if his boss's perception of outsourcing would change if the blogosphere started a campaign to stop buying their products? I wonder if Warren Buffett, who is probably one of their biggest shareholders, even knows?

Anyway, in order to achieve the James McGovern Institute for Keeping Jobs in America certification, all you have to do is provide the correct answers to the following questions:



Saturday, October 21, 2006


What Conference Chairs could learn from the TechForum...

I served on a panel this week at the TechForum that was probably the absolute best gathering I have been to in years...

There were several things this conference did right that others need to seriously pay attention to. The very first thing they did was understand that conferences for folks who are employed by large enterprises should be free. Attendance at paid conferences has been dropping rapidly over the last few years, which has caused many conferences to miss expectations not only in terms of their own revenue but also to disappoint vendors who spend their own time and money on booths to market to enterprise folks who aren't there.

Conferences need to move away from charging attendees and simply make admission free. This will have the effect of increasing the number of folks who attend, which will make your vendors happy, and they may even be willing to pay you more for the attendance.

The second thing they got right was that every single vendor had a raffle. If you only have a few grand prizes, most folks of a technical nature will calculate the odds of winning and therefore not participate. If you have each vendor raffling off iPods, Portable DVD players and other gadgets this has the effect of increasing the number of prizes which causes more folks to participate.

The third thing they did right was to move away from individual presenters and have a lot more moderated panels. Vendors are infamous for presenting thinly veiled sales presentations chock-a-block eye candy lacking substance. Maybe someone should inform vendors that just because they pay shouldn't mean that they automatically get the right to present. Panels provide more value in that they allow folks to participate in a dialog vs simply listening to a canned speech that may or may not align with the reason they attended.

Being fair to vendors, most presentations done by folks in corporate America (except for the ones done by my peers) are of equal bullshit. Most media relations departments make enterprisey folks sanitize their presentations to the point where they too provide very little information. Since it is impossible for a dialog to be sanitized in advance, dialogs tend to allow more details to emerge. I wonder if I could get Matt Asay and Jon Udell to change their upcoming conferences in this regard.

The final thing that this conference did right was that the panels were staffed by IT executives who weren't just management but actually had a clue. The topic for this event was security-oriented, and the room was at least fifty percent filled with CISOs from firms such as Pershing, Marsh, US Trust, Con Edison, and other respected firms. When you staff the panels with executives of high caliber, the vendors know beyond a doubt that high quality leads will be in attendance.

Conferences that ignore the pursuit of executives for panels will tend to get lower-grade enterprise attendees, since executives will usually defer to those lower in the food chain. One's name in print, however, is usually not something deferred, as ego is king.

Anyway, in terms of vendors, I had some great dialogs with folks from Securent, Secure Computing, Intel, Symantec, and Cisco. Based on my own observations, I saw first-hand who was attending their booths and suspect that their competitors will be sorely disappointed once they learn that they have been spending their monies unwisely by sponsoring the wrong conferences...



Friday, October 20, 2006


A tip for industry analysts who want to sell services to large enterprises...

Over the last couple of weeks I have gotten pitches from industry analysts who want us to buy their services. Figured I would share some of my thoughts...

While the value proposition of deeper research is intriguing, the thing that would cause me to get off my butt and actually think about truly considering your offering is something that you haven't been paying much attention to. Many have commented on the fact that they read my blog, yet none of them actually understands or takes action on any of the things I have asked of this community.

Do you think that I really want to spend say $40K for even more reading material (aka research) and to engage in conversations? I have more than enough to read and suffer like most folks from information overload. Of course the canned response from analysts is that they distill information so that I don't have to but of course this misses the point.

If I were to truly think about what I need from an analyst firm, it is not access to research but for them to be a customer advocate in a way that I can observe. For example, if I could buy a contract from an analyst firm that stated they would take responsibility for talking to all of my software vendors about building support for XACML into their products, so that I don't have to, then I would gladly pay $40K.

Another thing that you can do to stay on my radar is to do case studies on things that are of interest to us. So far, most of the case studies tend to be things that the analyst themselves are interested in. Sometimes these two things align, sometimes they don't. If you want to sell to us, then they better align.

You can make a great impression on us by offering to do a case study to be shared with others in printed form (sorry, blogging it doesn't cut it). If you know anything about large enterprises, we all have big fat egos that need stroking, and case studies are one of many ways to accomplish this goal...


Thursday, October 19, 2006


Thoughts on Analysts at Forrester

Mike Rothman made an interesting comment in his blog and said the following:

Somebody please tell me how to get any analyst firm to be an advocate? I have been on my pulpit evangelizing why enterprises need to pay attention to XACML, telling stories about how the Liberty Alliance is incomplete and needs a different perspective on federated identity and have even offered up opportunities for industry analysts to do case studies on our own enterprise in the space of application rationalization, building compliance-oriented architectures and so on with absolutely zero response.

Is Mike Rothman full of it, or is he simply on to something and it will just take ten lifetimes for analysts to catch up? Anyway, I learned that vendors can buy quotes from industry analysts for only $1000. Maybe I could get the folks over at Intalio to buy some in the BPM space. Maybe even James Robertson for Smalltalk and the Ruby community could use this tactic to get enterprisey folks to pay attention to dynamic languages...


Wednesday, October 18, 2006


Do industry analysts understand how and why Fortune enterprises buy research?

Periodically I get pitches from small industry analyst firms attempting to sell their value proposition and wonder if they have any understanding of the marketplace. We enterprisey folks do understand that top talent tends to gather in small firms with a particular focus and that the analysts who work at these places tend to be the types who have in the past worked for large analyst firms and got tired of working with other analyst boneheads.

So selling on your unique and deep knowledge is intriguing at some level but isn't sufficient for most enterprises to pull the trigger. Part of the problem is that we at some level have gotten out of the habit of buying research. Do you understand that all of those small VC driven firms usually provide us with the reports simply for the asking?

Some of the new world industry analyst firms tend not to produce formally written research and have fallen in love with blogs. At some level blogging appeals to me, as I have been doing it every single day for over a year without interruption. Yet I understand that many of my peers would prefer something a little more formal. Maybe you shouldn't stick strictly to blogging and should consider doing both.

Engaging in a dialog via the blogosphere is a new method of interaction that could provide us enterprisey folk with more value than traditional approaches to industry analysis ever could. Just the ability to observe a dialog between two parties is something we really don't see today. Keep in mind, though, that the masses in corporate environments barely know what a blog is. Maybe you are too early?

Anyway, if you were to ask the opinion of any enterprise architect, they would tell you that they have an initiative/directive to reduce the number of vendors they interact with. The notion of consolidation really shouldn't be foreign. You have probably guessed that the average enterprise has relationships with over 500 distinct IT vendors, and the thought of casually adding another one is fraught with illusions of pain and frustration. We do understand that from your perspective you are easy to work with and any pain is more than worth it, but shouldn't you attempt for a second to understand ours?

Just so you folks don't get it twisted, how about coming up with a mechanism such that an enterprise could, from a procurement perspective, buy research from all small analysts under one fixed fee contract just like the big guys? Do you think us enterprisey folks would pay more attention if, say, we could buy the research of RedMonk, ZapThink, Nemertes, 451 Group, Elemental Links and Tolly in one swoop instead of having eight different conversations?

Maybe you could do industry analysis on the industry analyst vertical to figure out whether what I am suggesting makes sense, and not only blog about it but make it easier for us to do business with you?


Tuesday, October 17, 2006


Governance and the miseducation of enterprise architects...

If only more enterprise architects were prior military...

Most branches of the United States Government, when it comes to enterprise architecture, are dysfunctional and lack leadership (they have an awful lot of management though). The one branch that gets the notion of both leadership and enterprise architecture is the Marines. In fact, they don't get it twisted and understand that governance is more about behavior and less about financial controls.

The Marine Corps battles the analysis paralysis that today's governance practices encourage with the notion of a 70% solution. If you have 70% of the information, have done 70% of the analysis and feel 70% confident, then act. The logic is simple: a less-than-ideal action, swiftly executed, stands a better chance of success, whereas no action stands no chance. The worst decision is no decision at all. As the folks from the Connecticut lottery say, you can't win if you don't play.

If you are familiar with Seymour Cray, who invented some of the fastest computers of his day, you would know that he built two things: sailboats and computers. Each new Cray supercomputer was its own masterpiece, a thing of beauty, yet Cray himself understood that there is no such thing as timeless perfection; only obsolescence. To make his point, Seymour Cray had an annual ceremony where he would build beautiful boats in the spring and then burn them down in the fall. You could probably guess he wasn't a fan of rationalization...



How technology can catch sex offenders...

Myspace predator caught by code. Kudos to the New York Suffolk County Police Department for thinking smart...


Monday, October 16, 2006


How XACML fixes lies told about identity management and enables SoX compliance...

Since industry analysts are negligent in telling the story of XACML and how it may enable compliance with Sarbanes-Oxley, I figured I would...

There are tons of bloggers from Sun (Pat Patterson, Sara Gates, Don Bowen all come to mind) and Oracle telling the story of how their wonderful products can help enterprises with the problem space of identity management. Sure, many enterprises have no handle or even the ability to report from a centralized perspective who comes and goes from their enterprises.

Prior to my current employer, I consulted for Fortune enterprises such as Bank of America (back when it was Shawmut), Aetna, First USA, and others. I suspect that my test IDs that were used for production checkout probably still work. The main problem is that prior to systems in this space, all provisioning was done in a local context. Enterprises that still behave in this manner should move forward with whatever story they hear from industry analysts, with the understanding that they aren't telling the whole story.

It is reasonable for auditors to expect an enterprise to have a handle on basic identity. What if the auditors in the future started asking enterprises to produce reports not only on who, but on who can do what, from a central perspective? Most shops will be in trouble, because who can do what goes well beyond basic identity and in many cases even beyond the basics of role-based engineering and tools such as Eurekify, Vaau and others.

So, if you think about the problem for a minute, you may realize that reporting on authorization from a centralized perspective is harder than it sounds. For one, I suspect your enterprise architecture team is spending too much time drawing executive cartoons in PowerPoint explaining the latest management by magazine, while allowing your software development team to continue embedding authorization logic into the code. I defy you to find the magic bullet that applies centralized reporting to this problem.

Of course, you probably also have some boneheads who pontificate the repeat-after-me, buy-vs-build blah blah blah and instead let software vendors and their chosen insulting firm partners help you embed it into each and every product your enterprise owns in a proprietary manner. I suspect if you are the normal Fortune enterprise, you have at least 500 (if you are lucky) distinct IT products in which they have all done it to you.

Maybe you should wake up and figure out how to procure software that allows for compliance to be built in? Maybe if you start asking vendors to comply with industry standards it may be easier to solve this problem later, so as to avoid having to learn how to do it for hundreds of products all with their own special twists? Maybe if you have courage, you might even consider asking vendors to put XACML into their product and hold up payment if they don't.

I have been quoted as saying that most forms of security don't translate into competitive advantage, and therefore I tend to share my thoughts. In this situation, enterprises that don't demand more from their vendors and industry analysts may end up with inflexible IT architectures that will cost them a ton to fix, which translates into show me da money...
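To make the argument concrete, here is an added example in Python (not from the original post): an authorization rule embedded in application code beside the same rule expressed as XACML-style policy data, with a PDP that decides requests and a report that answers the auditor's "who can do what" question from the policy alone. The Rule format, users, roles and resources are constructed stand-ins, not XACML's actual schema.

```python
"""Added example (not from the original post): authorization embedded in
code versus an externalized, XACML-style policy that one PDP evaluates and
that can be reported on centrally. The Rule/POLICY format is a simplified
stand-in for XACML; every user, role and resource is constructed data."""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# --- Embedded style: the rule exists only inside this function. Nothing
# outside the code base can enumerate it, so no central report is possible.
def approve_invoice_embedded(user: dict, amount: float) -> bool:
    return "controller" in user["roles"] or (
        "ap_clerk" in user["roles"] and amount < 5000)

# --- Externalized style: policy is data, decided by one PDP.
@dataclass(frozen=True)
class Rule:
    role: str
    resource: str
    action: str
    effect: str = "Permit"              # XACML effects: Permit or Deny
    max_amount: Optional[float] = None  # condition, used on Permit rules only

POLICY = [  # constructed sample policy
    Rule("controller", "invoice", "approve"),
    Rule("ap_clerk", "invoice", "approve", max_amount=5000),
    Rule("ap_clerk", "invoice", "create"),
    Rule("auditor", "invoice", "read"),
    Rule("ap_clerk", "vendor", "create", effect="Deny"),  # separation of duties
]

def applicable(policy, user, resource, action):
    """Rules whose target (role, resource, action) matches the request."""
    return [r for r in policy if r.resource == resource
            and r.action == action and r.role in user["roles"]]

def decide(policy, user, resource, action, amount=None) -> str:
    """PDP decision using deny-overrides combining. A PEP must treat
    anything other than "Permit" (Deny, NotApplicable) as a refusal."""
    decision = "NotApplicable"
    for r in applicable(policy, user, resource, action):
        if r.max_amount is not None and (amount is None or amount >= r.max_amount):
            continue                    # condition not met: rule does not fire
        if r.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision

def entitlement_report(policy, users, resources, actions):
    """The auditor's question, answered from the policy alone: each line is
    one (user, action, resource) entitlement, with any amount cap noted."""
    rows = []
    for u, res, act in product(users, resources, actions):
        rules = applicable(policy, u, res, act)
        if not rules or any(r.effect == "Deny" for r in rules):
            continue
        caps = [r.max_amount for r in rules if r.max_amount is not None]
        cond = "" if len(caps) < len(rules) else f" (amount < {max(caps):g})"
        rows.append(f"{u['id']}: {act} {res}{cond}")
    return rows

USERS = [{"id": "alice", "roles": ["ap_clerk"]},   # constructed identities
         {"id": "bob", "roles": ["controller"]},
         {"id": "carol", "roles": ["auditor"]}]
RESOURCES, ACTIONS = ["invoice", "vendor"], ["create", "read", "approve"]
```

Running `entitlement_report(POLICY, USERS, RESOURCES, ACTIONS)` yields the central "who can do what" listing; the embedded function gives the same answers for individual requests but offers no way to produce that listing.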


Sunday, October 15, 2006


Speaking Engagements for October

There are two events I will be speaking at in the month of October. If anyone in the blogosphere will be in attendance, please leave a comment and let's hook up.

The first event is the TechForum in New York City on October 19th. This event is free for those who are employed by Fortune enterprises, so budget justification is easy.

The second event is the Innovation Summit sponsored by the folks at the 451 Group in Boston on October 31st.


Saturday, October 14, 2006


A week in the life of an enterprise architect

Figured I would share some of the things I did throughout the week...

On Friday, I had a deep conversation with some folks at Goldman Sachs on the notion of entitlements. Several months ago, our team had a conversation with one of their executives (Phil Venables), who is probably one of the most technical IT executives I have ever had the privilege of talking with. It was time to repay the favor and share what we have learned since our initial conversation with them. As you are aware, security usually doesn't result in competitive advantage, and therefore it doesn't make sense to keep security innovations secret.

Anyway, the team at Goldman Sachs rocks. We have had open security architect positions for a while now and I know in what direction I should point our own recruiters. Seriously though, they have their act together and are pretty thoughtful about this space. Our conversation centered around the usage of XACML and where we are planning on taking our vendors. XACML is not just something to be talked about in the context of portals such as BEA or Liferay, nor J2EE containers such as JBoss. XACML is relevant to document and content management and BPM engines as well.

This week I had a very deep conversation with folks at EMC and their adoption of XACML on the roadmap for Documentum. I suspect that they will beat the folks at Alfresco in incorporating this specification. I also learned that other Documentum customers such as Bank of America and CSFB are also paying attention to how XACML will converge with the ECM space.

Likewise, I got positive confirmation that another vendor we use in the BPM space will be supporting SAML, SPNEGO and XACML in their future product roadmaps as well. I hope to have a similar conversation next week with the folks at Mercury Interactive to encourage them to incorporate XACML into the former Systinet products along with their ITG suite.

Another conversation I had this week that was thought provoking was with the folks from Voltage, who are known for Identity Based Encryption. A while back, Pat Patterson from Sun commented on one dimension of it. I will have some work on my plate to convince him that he needs to revisit his position, as there is merit in using IBE and combining it with SAML and WS-Federation. Likewise, Sun has an opportunity over its competitors to merge IAM with IBE to allow customers to do things such as build in-house e-signature platforms, which are on a lot of folks' radar.

I have given myself several pieces of homework based on these conversations. I have come to realize that industry analysts aren't having the right conversations when it comes to security. I periodically ping Dan Blum and Gerry Gebel of the Burton Group on my thoughts surrounding XACML, but realized that the person I really need to bother is Anne Thomas Manes. I wonder what it would take for her upcoming research projects to ask vendors a couple of simple questions, such as whether they are building XACML support into their portals, application servers, CRM platforms and so on. The notion of building security in is not just something for Dan and his team.

The biggest highlight of the week for me was related to a program named Math Buddies, in which employees volunteer time to teach math skills to fourth graders in inner-city schools. The student I will have as my buddy is named Juan Nunez. Fourth grade is a critical turning point for inner-city children, and to know that my peers are spending time not just donating money to charities such as United Way but, more importantly, donating time brings joy to my heart. The most interesting part is that I got to see a list of folks who are volunteering and there are an awful lot of IT executives on the list. In fact, they are showing up us Enterprise Architects. It is rare to find IT executives in corporate America who know how to be human, and I guess I am blessed to work for an employer who has more than their fair share...


Friday, October 13, 2006


Best Practices for Software Vendors and Appliances

I am looking for any documented best practices used by software vendors who want to realize their offering in a hardware form factor. Ideally I seek guidance on pricing, industry analyst research in this space, and useful open source around the following components:

Any guidance in this regard is greatly appreciated and will be rewarded with a donation to Nine Million...


Thursday, October 12, 2006


Spirituality in Corporate America

Usually within corporate environments, in the name of being inclusive and acknowledging diversity we have over time shifted away from that in which we seek. Having realized that I have avoided talking about the spiritual aspects (this is distinct from religion) that I believe in, I take this opportunity to declare that I believe in one nation under one God...



A new addition to the family...

My nephew Mitchell Salazar and his wife Jillian, who reside in Trinidad, just had a healthy baby girl. I haven't yet received pictures and they haven't yet thought up a name. Anyway, if there are folks in Canada who can get me a box of Cubans, I would love to send them down...


Wednesday, October 11, 2006


BEA hits out at open source...

Did the folks at Infoworld get it twisted when discussing the BEA Perspective on open source?

Large enterprises are starting to pay attention to open source, which causes the vendors that do business with them to devise plans that align with this notion. In the early days, enterprisey folks were happy with vendors simply contributing to open standards (this of course is distinct from open source), but this no longer makes folks happy. I suspect that the biggest pain point in many large enterprises is the need to account for licenses. I know whenever I am at work, the word "inventory" periodically comes out, and in my own mind it is a four letter word.

Open source has the ability to free enterprise architecture teams from the notion of inventory and instead focus on paying for things not when they are used but when they start to add business value. BEA is IMHO a company that gets the notion of adding value.

I wonder what the folks at Infoworld would say if BEA were to publicly commit to making WebLogic Server 10.1 100% open source? Would they respect BEA, or would they say that they are late to the game and jumping into a crowded field that JBoss and others already occupy?

For the record, most magazines frustrate me in that they tell the story that is easiest to tell without regard to actually doing any deep research. I wonder what it would take for them to equally pick on all the other large software vendors who also don't have a strong open source story such as CA or Oracle?

BEA has contributed source code to the community such as XMLBeans and other components used by software developers. I would like to know if Infoworld, Gartner and Forrester would provide deeper coverage on the BEA value proposition if BEA were to not only evangelize their own product offerings but were to contribute software development expertise to existing open source projects in the ESB space such as ServiceMix, in the Portal space such as Liferay and even in the security space by helping other products implement the XACML PEP specification that I frequently mention?

Maybe I should ask BEA bloggers such as Josh Bregman, Jon Mountjoy, Kavindra Patel, and Wendy Bales to publicly provide their own perspective on open source, independent of BEA's direction in this regard...


Tuesday, October 10, 2006


The trials and tribulations of being a book author...

Several royalty statements showed up today. Some were incredible, others were disappointing...

My latest book, Enterprise Service Oriented Architectures, will be going to its third printing and has been selling well. The royalty statement indicates that international sales are making up more and more of the sales of my books. Several years ago, 10% of all books sold were international, and nowadays I am seeing over 50%. Are Americans not buying books and surrendering to the onslaught of outsourcing?

It seems as if no one is purchasing books on XQuery anymore. Sales of even competing books have come to a halt. Anyway, as series editor for Springer Verlag, I am working on putting together a hot author team to cover the next generation of service oriented architectures, and would like folks to comment on what they feel is missing from the current series of books...



Thoughts on Enterprise Architecture and Compensation

David Packard, one of the founders of Hewlett Packard once said: "Recognize, reward and compensate your people on where you want to be, not where you are today and they will get you there..."


Monday, October 09, 2006


Open Source Security Strategy

In the past, noted industry analysts such as James Governor of RedMonk have commented on their desire to see the strategies that are created by large enterprises. I was thinking of a way to make his wish come true...

Since security in most situations doesn't really lead to competitive advantage, maybe there is merit in making it open source. I was thinking, though, that I needed to understand how much work this would be to accomplish relative to the number of folks who would be interested in consuming it.

My current thought is that if I could get firm commitments from Jon Udell of Infoworld and analysts from four different firms, one of them being Gartner, then the effort would be worthwhile. Just so that I don't disappoint folks, please trackback with what you would like to know about the security strategy of a large enterprise and I may consider granting your request. Of course we won't tell you anything that would compromise our security, but this shouldn't prevent us from sharing other aspects...


Sunday, October 08, 2006


How NOT to recruit Enterprise Architects

There are tons of companies that seek top talent for their enterprise architecture teams, which causes my phone to ring off the hook. Right now, I think I am probably the most difficult person on the planet to recruit, as I am happy doing what I am doing. Maybe if recruiters called with a better story, such as:

Sadly, I never get these types of calls. I did however get a call where a recruiter left the following voicemail:

Do you think that this type of message would be successful with any enterprise architect?


Saturday, October 07, 2006


Questions for Alfresco

While our enterprise already has a solution in this space, we are still following what the folks at Alfresco are doing and have several outstanding questions...

John Newton a while back commented on what fine-grained authorization may look like in an ECM product, but never specifically commented on whether the XACML specification was on Alfresco's roadmap. It would be cool if Alfresco were the first CMS to use an open industry standard in this regard.

ECM vendors seem to love creating their own identity stores, against the industry trend of using an identity store that may already exist. How come ECM vendors aren't putting in functionality so that identity stores such as Active Directory can be used?

What is the relationship between ECM and records retention? I did see some press regarding open source records retention products but can't find any detail on them. I do know that records retention is on my work radar, and that it also requires components such as rules engines and adapters to enterprise applications. Hopefully we will see analyst coverage of anything open source in the records retention space by Gartner and Forrester shortly?

One of my criteria for selecting a vendor who uses open source approaches in their business model is to understand who, other than employees of the company itself, is also contributing to the code base. If I learn that developers at Fortune enterprises whose primary business isn't technology have made investments in the code base, then I become very interested. Could someone knowledgeable about the Alfresco community comment on this?

Folks such as Alan Pelz-Sharpe of Wipro have in the abstract talked about the need for an enterprise content integration (ECI) layer within an ECM architecture. I assume this goes above and beyond simple JSR-170 compliance. What should products that integrate with an ECI layer subscribe to in terms of functionality and APIs?

