Sunday, December 31, 2006


"Start Your Own Blogging Business" Book

This is a clear sign targeted at those Management by Magazine types that blogging is in the trough of disillusionment...



What does Outsourcing have to do with the Agile Manifesto?

Martin Fowler is an advocate of agile approaches to software development and his followers see agility as a mechanism to increase productivity and save jobs yet he also believes in agile outsourcing. I assume the community hasn't commented on this practice since their jobs have not yet been outsourced. I wonder if there will be an open outcry when it happens?

Outsourcing is all about chasing a cheaper salary for an individual resource without necessarily getting any guarantee that total cost of ownership will be decreased. Many IT shops that outsource resort to accounting for costs at a macro-level and eschew efforts to increase the productivity at an individual level. The mantra of getting lower rates trumps developer efficiency so long as the numbers work out in the end.

Likewise, there is a pattern amongst developers in the Ruby community in that their call to action is all about individual productivity without concern for macro-level accounting with the argument that if you increase efficiencies in the small, you also increase efficiencies in the large.

The funny thing is that many enterprise architecture teams are in the middle of such opposed perspectives. Wouldn't it be interesting if we could have a conference panel where we took say the CIO of United Technologies and had him interact with the likes of David Heinemeier Hansson? Of course this would need to be moderated. What would happen if we also added Kent Beck to the panel along with Richard Stallman? What if we were to get the likes of Robert McIlree and Nick Gall for good measure to represent the EA perspective on this subject? I would also throw the CEO of Accenture and Wipro on the panel as well for good measure. Would you want to see this discussion occur at a large industry conference?

If I were ever chosen as a moderator for such a panel, I would of course have a difficult time withholding my own opinions but would start the discussion off by asking the question:

This would probably lead to a discussion that states that programmers are folks who specialize in writing code while developers provide more value such as writing specifications, automated test cases, writing documentation, and most importantly helping customers work out tough problems. It does beg the question if folks in India at best are nothing more than programmers?

Anyway, I think this question if properly discussed is more telling as it will lead to the union of several otherwise opposed thinkers. Enterprises who outsource are doing so because they feel there is value in getting cheaper programmers. These same enterprises probably have a good strategy to keep all the developers around. Likewise, the smart folks I have worked with in the Ruby community usually have figured out that they didn't want to be programmers in large enterprises and wanted to be developers in small enterprises who have the potential to be large.

Now the only disconnect that still remains is whether consulting/outsourcing firms who embrace agile methods will also attempt to destroy developers as well or figure out how to embrace them to the benefit of their client's competitive advantage or simply focus on their own mission. Should the Ruby community be fearful of those types of consulting firms?


Saturday, December 30, 2006


Saddam and how his greatness changed America...

The blogosphere and television stations will publicize the death of Saddam Hussein but not remember those whose lives were wrongly taken away from them. On this day, regardless if you are Christian or Muslim, we should publicly attest to the fact that there is just but one God...

The Foundation for the Defense of Democracies posted four videos of actual torture and murder that took place under Saddam Hussein's regime. Regrettably, the videos will not be televised, as we Americans are fearful of learning of atrocities that occur on the planet. Most Americans will only pay attention long enough to listen to the thirty second soundbites we have become accustomed to. If Americans, however, were to see videos, then maybe they may stop waiting for the problem to go away, but instead will stand to reason and demand swift immediate action wherever atrocities occur. It may even cause us to spend more time on causes such as Darfur, Palestine and other places where freedom is elusive.

If a blogger who cares about the human condition reads this posting and amplifies it, then civilization isn't a lost cause and my own heart will be filled with joy. Let's acknowledge that the masses will simply go on living their lives until they too become oppressed and choose the right to remain silent. Anyway, here is the link to the four videos: Chapter One, Chapter Two, Chapter Three and Chapter Four...



Enterprise Architecture and how we are envious of each other

A peer at work always tells me that humans are silly little creatures and we as architects must get away from our coffee klatch thinking. I think it is all related to the problem of envy...

Like many of my peers, I am guilty of attempting to find patterns in the human aspects of technology when this practice may be a recursive anti-pattern. Folks who think in patterns or at least use the word frequently use it because of the buzzword factor which helps increase its attraction to other demographics who may not be on the same page but want to.

They think "patterns are cool and good" and they also think what they've done is cool and good and therefore must be a pattern. This is kinda like me attacking George Bush and the idiots in the Republican party which makes folks assume that I am somehow Democratic without them ever really asking the question, is George Bush really an idiot?

Even more sinister is that many think they have a good, reusable solution to a recurring problem, but don't yet understand that the solution needs to recur as well as the problem. It is not enough to be reusable, it has to have already been used several times. This thinking by the way should also be applied to service oriented architectures.

Maybe architects who talk in terms of patterns need to stop reading the Gang of Four and instead need to use the pattern books to beat folks upside their heads when they do something stupid. I wonder if the below things could be considered patterns:

Anyway, use patterns to describe situations and recurring themes but don't use them for tagging to every problem that happens to materialize along the way. Patterns should be applied within a context...


Friday, December 29, 2006


How to become an expert on Enterprise Architecture

Surprise, the secret answer isn't to buy the bestselling book: A Practical Guide to Enterprise Architecture. The real secret is to be passionate about something...

For the superior performer, the goal isn't just repeating the same thing again and again but strive for higher levels of control over every aspect of their performance and interactions with others. Within the IT ecosystem, I often hear developers complaining that all architects do all day is draw pretty diagrams that no one pays attention to. While this may be true, reality says that they are cheating themselves out of making themselves better at their own profession.

Most of us want to practice the things we're already good at, and avoid the things we suck at. We stay average or intermediate amateurs forever. I wonder what would happen if project managers, software developers and if folks in the QA department asked themselves, I wonder if studying enterprise architecture would help me in my own position and what they would rationalize?

I would say at some level that I probably understand the discipline of enterprise architecture more than anyone else in the blogosphere yet I am not an expert. No this is not a humbling moment where I say I have so much more to learn. The ability to call oneself an expert is heavily dependent on changing the perceptions of others, something which I suck at.

Many enterprise architects who substitute process for competence are missing out where they have the most leverage which is those who are satisfied with what they are currently doing. In my travels, I frequently run across folks who say that they know there is a better way to do task X, but I already know how to do it my way. They acknowledge that their way is less efficient and less powerful but this continues to thrive because they feel comfortable.

This of course begs the question of should folks feel comfortable or not. Is work all about a coffee klatch where we have nice social conversations with each other or more about running a business? Should a business care more about folks feeling comfortable or making a profit? Yes, I get that you can do both, but really which is more important?

What would happen if I could convince all those HR generalists who love their competency models to throw them in the trash and even convince myself to move away from areas of strengths (note: strengths are different than competencies) that I have which have made me ultra-successful towards situations where even I don't feel comfortable.

I wonder if you put me in charge of a very large project that is doomed to failure or at least mediocrity because they used folks from India instead of folks with a vested interest in success and required me to actually add on even more people against every principle I believe and then required me to deliver a wonderful status to executives that all is well, would this make me a better architect? Maybe I have become a better architect because I have deferred obvious predictable failures to others.

Does outsourcing = failure? I believe so. Getting one's hands dirty makes one learn from their own experiences. If you don't make mistakes then how can one learn? At some level, outsourcing is a mistake, only I hope that folks will learn from it.

I guess I have too much integrity to do certain things. I wonder though if I could help make it easier for others to continue on the path to becoming expert? Remember, being better is better. Whatever you're better at becomes more fun, more satisfying, a richer experience, and it leads to more flow. Maybe, my next book should be on how to have fun doing enterprise architecture?


Thursday, December 28, 2006


Recent Thoughts on Azul Systems

Azul Systems recently released a 768-core Java Processor which is impressive but begs a discussion in the blogosphere around several outstanding questions including, but not limited to:
I wonder if Peter Holditch could provide answers in a future blog entry...



Charity Tag Meme

As a blogger, people may know you, but how good does anyone ever really know anyone? One way to get to know someone better is for them to talk about charities they support. What if bloggers were to go down a path of thinking about some of the people they only know of in the blogosphere and for a moment considered the human aspects of blogging and for a moment forgot about talking about business, technology or whatever their blog theme is. What if the game of Blog-Tag going around the blogosphere in which bloggers are sharing five things about themselves that relatively few people know, and then tagging five other bloggers to be "it" morphed into bloggers sharing the five charities they believe are most worthy of contribution?

Let's see if this idea will work. I will start by tagging Stefan Tilkov, Scott Mark, David Heinemeier Hansson and one blogger whom I don't know (even virtually) but will tag via trackback in hopes that they will consider charity a higher priority over etiquette or other secondary concerns. Either way, this is a great way to learn not only what folks feel is important but what they feel is more important...



Why software vendors should consider pitching to bloggers in addition to industry analysts...

There are many advantages of dealing with bloggers who are not journalists and/or industry analysts as part of a media relations campaign...

Here are some things for software vendors to noodle...



Maybe open source isn't all that open?

Tom Elrod of JBoss suggests maybe open source isn't all that open. I figured I would share my own thoughts on this subject...

Being Mr. Enterprisey, I suspect that many folks will be of the opinion that my peers aren't interested in contributing or are hampered by dinosaur antiquated corporate policy. While this may be true of some large enterprises there are other issues that need to be discussed. For example:

This is 100% on the money for many open source projects. For example, have you ever observed anyone from the Ruby on Rails community ever reaching out to enterprise folks to ask them to contribute or at least participate? To feel welcome, one should be encouraged by the community itself to expand. One analogy would be the difference in me inviting someone into my home vs just expecting them to walk off the street, put their feet up on my couch and help themselves to whatever is in the fridge. A discussion is warranted on what communities can do to welcome outsiders.

Having had the opportunity to sit on a panel with Marc Fleury at OSBC last year, I came to the conclusion that he was a great business man. Likewise, I also concluded that I would never make the effort to contribute to a JBoss project. Part of the rationale for contribution is in having choices. JBoss is playing in spaces where they are innovating but where there are already choices in terms of other open source offerings. There are already sufficient J2EE containers, Portals and BPM engines that are open. In fact, while I would say that in the J2EE space, JBoss is equal in terms of functionality (some things they have that others don't and vice versa), JBoss is simply inferior in terms of its portal implementation (Liferay beats it by miles) as well as JBPM (Intalio and others are also ahead). The point is if one is going to make the effort to contribute, they will more than likely choose what they either use and/or feel will be the winner.

Of course, since I am employed by a Fortune 100 enterprise whose primary business model isn't technology, the reasons for contributing aren't so that I can gain consulting revenue by demonstrating participation nor embracing any notion of professional open source. If I spend time at home writing code for an open source project, the reason may be driven by ego which JBoss robs of its contributors. For example, I know that the folks over at Aviva contributed the JBoss ESB. What I would want to see is JBoss pumping up Aviva and not just themselves. Compensation comes in many forms and for those who are not employed by technology-oriented companies, compensation in the form of ego (marketing, sense of community, etc) is crucial to getting contribution. Maybe some hype can be created by JBoss employees of all of the wonderful contributions by non JBoss employees.

A third consideration not frequently discussed is that contribution can come in many forms. I would argue that open source doesn't really need more developers to contribute source code but really needs lots of folks writing good documentation. What if the open source community decided to encourage others to become published authors and write books to help use products? As a series editor for Springer Verlag, I would love to receive book proposals on Enterprise BPM Patterns, Enterprise Rules Architectures and so on. Contributing to wikis is moderately useful but folks sometimes need more structure.

A final consideration (for now) says that contributions also can come in form of serving as a sounding board for ideas. In the same way, I encourage Venture Capital firms to bounce ideas off me and for that matter to reach out to architects in other Fortune enterprises. The open source folks can do the same what-if testing not just against those paying them to create features but in terms of making things generally applicable so that it attracts an even larger population.

The one thing that I often say at work is that we shouldn't adopt any open source product unless it has outside contributors. One thing that makes something sustainable is knowing that the community has your back. Just having folks from a single company being paid to write software doesn't equal community. I would be happy as hell to see industry analysts actually figure out the size of community for each open source project in this regard. Maybe folks from JBoss could provide this for JBoss projects?

In terms of my own planned 2007 contributions to open source, I will be committing to contributing to the authorization specification as part of the OpenID community. The funny thing is that I will be going against my better judgement in that enterprises tend to desire to contribute to things that are measurable like implemented software as we really can't do anything with ideas alone. Ideas need to be turned into software. What I fear the most is folks from Sun such as Pat Patterson, Sara Gates, Simon Phipps, Robin Wilton, Don Bowen and folks from Microsoft such as Kim Cameron and Jason Matusow openly supporting initiatives such as OpenID but not taking deliberate steps within their respective employers to actually implement the OpenID specification and any resulting authorization enhancements. I too am somewhat constrained in that the perception of anything that isn't implemented will be perceived as an academic exercise that was a waste of time that will put the ability to contribute to open source projects in the future at risk...


Wednesday, December 27, 2006


Strategic Planning: Should you use a consulting firm or an Industry Analyst?

Many industry analyst firms also provide consulting services to their clients on strategic initiatives...

Imagine you want to align better and start embracing the notion of the Voice of the Customer and you hire an industry analyst to do so, they on average will charge an hourly rate in the $300 range. Nowhere on the Internet is any thoughtful analysis as to what you get for higher hourly rates than you would see from typical consulting firms.

Some of the obvious advantages to going with an industry analyst over a consulting firm for strategy include, but are not limited to:

In corporate America, I have seen strategies be merely a collection of quotes from industry analysts assembled in cut-and-paste fashion with no differentiation nor value proposition that puts the enterprise ahead of others. These types of strategies tend to be cookie cutter where a mere search-and-replace can make it applicable to any enterprise. The hard part in terms of hiring an analyst is ensuring that you are getting something more than just cookie-cutter material, after all, they have a bigger repository of stuff to cut-and-paste from than probably even all but the largest consulting firms. Below are my thoughts on what you should expect a strategy to contain, if you hire an analyst firm:

Maybe this is an opportunity for firms such as Tekrati and Lighthouse AR to not only provide analyst relations services to software vendors but to also help enterprises choose analyst firms for consulting gigs? I would say though that if an analyst firm doesn't publicly publish a rate schedule for services in this regard, then they shouldn't be considered. Of course, all rates are subject to discussion and negotiation, the enterprise should prefer openness over those who keep these aspects secret.

It is my thought that hiring an industry analyst to assist with strategy in some domains simply makes sense. While I haven't done so in the past, I hope to pitch this notion at work, at every opportunity. Hopefully, others within the blogosphere that have gone down this path, can trackback and share their experiences in this regard...



What is open source? Intalio sure is NOT.

The folks over at JBoss are calling out folks over at Intalio regarding whether they are really open source. I am hoping that they will use the definition of open source here and outline how they meet all ten principles.

Maybe it is time that industry analysts chime in and share with us what definition of open source they use. I have asked the folks at Zimbra and LogLogic the same thing...



Service Oriented Architectures and Security

Ever noticed that many of the SOA industry thought leaders never talk about security and instead talk about the importance of business alignment? Is this because they don't have any perspective on security?

At a recent conference, folks from Sonic Software indicated that support for XACML was on their roadmap, yet their Chief Technology Evangelist: David A. Chappell never talks about it. I wonder why? I also searched the blog of Annrai O'Toole looking for similar insights into SOA and security and came up blank. Ignoring for a moment, he is of the belief that research reports are complete but later on acknowledges that many open source players are missing yet doesn't believe that anything is wrong with them being left out. I wonder if this is because open source ESBs such as ServiceMix may have better security postures than closed source ESBs. Maybe he will not only demand but amplify the need for industry analysts to include both closed source proprietary and open source product offerings in their research reports. Maybe not...

Likewise, I understand how Appliances help ease integration in SOA. Integration is more than just a problem of moving around data to support business processes, security is also crucial. Every enterprise going down this path should ask themselves the following questions:

I wonder what Dana Blankenhorn, Denise Howell, Mitch Ratcliffe, Phil Becker, Joe McKendrick, Ronan Bradley's perspectives are on SOA and Security?



Do Outsourcing Firms understand Writing Secure Code...

I ran across this Press Release stating that Wipro has allied with application security vendor Fortify Software to increase the security of software applications that it builds for enterprise customers. I wonder if their competitors such as Cognizant, Infosys, TCS will follow their lead...

The press release is carefully worded but does mention Fortify Software. Let's analyze it:

Notice it didn't say that it was going to be used to assess their own software development processes only its customers. I guess turning things into revenue making opportunities is a smart thing on Wipro's part but I question whether this actually helps customers actually write secure software. I am of the belief that for software to become secure, each and every developer within an enterprise needs tools on their desktop. A once-in-awhile drive-by audit done by outsiders will not help reach this goal. At best, it will provide meaningless metrics to IT managers who won't know what to do with them. I guess fear, uncertainty and doubt still sell security-oriented software.

Likewise, within this press release it also didn't mention any initiative to train all Wipro development staff in writing secure code, so enterprises who outsource to Wipro don't even get a second-hand lift by internal folks using the tools.

I wonder if folks such as Brian Chess and/or Krishna Srikanth can provide their own perspective on this? I know that Mary Ann Davidson of Oracle and Michael Howard and Dan Sellers of Microsoft both have strong perspectives against this type of approach...



Survey on Enterprise Architecture and Software Development...

Been busy studying the results of an interesting survey and have reached many conclusions. Would love the input of others...


Tuesday, December 26, 2006


Ruby on Rails and Security

Citizen Duck made an interesting statement around Ruby on Rails that I felt needed amplification...

Below is his comment:

This is the first time that I have seen a blogger who likes Ruby on Rails talk about all aspects of productivity. Anyway, instead of throwing daggers, I wonder if the better call to action would be for me as Mr. Enterprisey to help the Ruby community become more secure?

What if I were to make a public commitment to contribute that allowed Ruby on Rails to bind to LDAP and Active Directory, would I still be called enterprisey? What if I were to leverage the fact that lots of closed source vendors want my dollars and if I were to ask them to say contribute XACML support, how would the community perceive it? What if I were to take this one step further and not only ask Kim Cameron but his bosses at Microsoft to contribute support for WS-Federation and Cardspace, would they still rebel against the machine?

Taking this one step further, what if Mark Dixon and Pat Patterson pressured other developers from Sun to contribute support for SAML along with giving Ruby a proper way of interacting with Web Services, would they be embraced or ignored? I wonder if anyone has asked the assistance of folks over at Fortify Software?

I wonder if the Ruby community understands the basic principles of marketing? What if I at least agreed to filling out all that wonderful paperwork (remember us enterprisey folks are good at this) required by industry analyst firms such as Gartner and Forrester to show that Ruby on Rails is truly enterprise ready and worthy of some coverage? Enterprises have access to a lot more capital and talent which is what Ruby needs to take it to the next level. Maybe, if you simply asked in a polite way, you might find lots of assistance in reaching your goals and may even realize that enterprisey folks aren't evil after all...



A Cost Analysis of Windows Vista Content Protection

I wonder if the folks at Slashdot and GNU could amplify the Cost Analysis of Windows Vista Content Protection.

This tells me that even Microsoft isn't powerful enough to stop DRM...


Monday, December 25, 2006


Thoughts on McDonalds and things to do in a drive through lane

Last week I watched the movie: Supersize me and encourage others to do the same...

Kudos to folks in NYC and the government stepping up to remove unhealthy products. Anyway, I suspect that with America becoming so fat that only forced protest will change things for the better as unhealthy food is highly profitable and we all know that answering to shareholders is more important than anything else.

If you are the type to express your opinion, consider the following:



Response to Gary Short on the importance of educating children on IT (Part Two)

I previously responded to Gary Short on the importance of educating children on IT but thought of some additional things we can do as professionals...

Two things that IT professionals at large need to fix is first getting more women into our profession as if you look at what us men came up with (Outsourcing, inflated IT budgets, an enterprise with at least ten languages, the lack of strong technical leadership and the notion of diversity and inclusion that is neither diverse nor inclusive) then you would realize that the only solution may be to turn over IT to more women.

Second, we need to allow women to be IT professionals and still be women. No one should have to make the choice between being a mother which is the most wonderful thing that God can give to us and the notion of a career and climbing the ladder. If we had more successful women in IT as role models they may become the sorely needed missing role models that school children in our respective countries need and more importantly deserve.

The third thing that I think we as IT professionals can do is getting even those that have avoided large enterprises like the plague to embrace the notion of enterprise architecture. Consider, for a moment that any enterprise architect worth their salt understands that every decision they make needs to be sustainable. The ones that have wholesale adopted practices such as outsourcing are derelict in their duties.

Sustainability says that wise enterprises will figure out ways to build talent that they will need twenty years from now and that working with high-school students is not just a matter of volunteerism but that someone should be on the payroll and working towards this notion full-time as part of their day job.

Part of the problem is that us enterprise architects sometimes can't see the forest for all those damn trees as we are too busy concocting strategies. We also fall prey to industry analysts and the pattern they promote instead of doing the right thing for ourselves.

I would like to compare/contrast conversations I had with two different women industry analysts to show a point. I do apologize if either is offended, but ask that they consider not their own perspective but the larger picture which are the children.

The two analysts are Anne Lapkin of Gartner and Brenda Michelson of Elemental Links. Both provide coverage on the space of enterprise architecture and the notion of Talent Management.

Now consider from a traditional perspective senior executives have long been seen as the strategy-makers in the organization, their role in the process has been the most extensively written about and examined. In fact, the frequent in-depth analysis of the challenges facing the leader at the top of the organization may have considerable and unconsidered downside. When we focus all our attention and skills on the leader at the top of the organizational chart, we risk ignoring and minimizing the roles of the leaders at all levels who, cumulatively, can have more impact on the organization's actual strategy.

Taking this one step further, very few industry analysts study the bottom of the pyramid and therefore for IT executives who practice Management by Magazine tend to not gain a perspective of what a beginner needs to become aware of and tend to base things on their own perspectives which may not translate into any form of strategy that helps growth either from College, High School or anyone not on the executive track.

Gary, we need to get industry analysts to start talking about the introductory aspects of IT and what is needed to be successful in the new world. While many folks will say that this is intuitive and common sense, I beg to differ. Any study on talent management needs to have not only an executive perspective but one of the high school student as well.

FYI. I also forgot to mention that at work, I also have reporting to me, a wonderful high-school student who knows how to program but isn't yet old enough to drive. Don't assume that all tasks require college degrees as I can factually prove that many tasks don't even require a high school diploma...



Thoughts on BPM and Security

Several folks pinged me privately including strong satisfaction for organizing a discussion amongst Fortune enterprises and how we can get ECM Vendors to pay attention to security but challenged me to do the same thing in the BPM space as they felt this was even more important...

One industry analyst that I have a ton of respect for, Alan Pelz-Sharpe said something intriguing in this Blog Entry that I have been noodling. The phrase: "I'm sure many ECM vendors will be secretly annoyed about this, for they pride themselves on their security capabilities" made me ask myself several questions, including:

Anyway, in terms of BPM I was noodling whether to do the same thing in the February/March timeframe in the BPM space. When I combine those who have contacted me privately along with those in my Address Book who also have similar needs, I came up with the following list:

Honestly, organizing such a call is more work than I want to take on and would love to get someone else to own it. The problem is that I can't figure out who else has a vested interest in seeing BPM and security converge? Is there an industry analyst that would like to own the conversation? I think there will be a ton of insight that would emerge from doing so.

The goal is to start a conversation around BPM and the following topics:

If you happen to be employed by a Fortune 200 enterprise (whose primary business isn't technology) and would like to see BPM vendors improve their security posture and would like to participate in a conference call with other Fortune enterprises on this subject, please leave a comment using your work email address and the BPM vendor you use and I will send you an invite...



James Brown dies at 73

News here...



Thoughts on Zimbra

Awhile back, the folks over at Redmonk had wonderful things to say about Zimbra. I figured I would take a peek at it to see how relevant it is to our enterprise...

The notion of software as a service is intriguing to me as the ability to focus on the core business problems within IT without getting distracted by infrastructure is compelling. It seems as if Zimbra's value proposition is to displace Microsoft Exchange which is noble as having a choice is always good for users.

In terms of analysis, the product begs answering of the following questions:

I wonder if Conrad Damon, Kevin Henrikson, Satish Dharmaraj or Scott Dietzen would be able to provide their perspective on the above questions in a future blog entry...



Thoughts on OpenID and how enterprises can participate...

Johannes Ernst responded to one of my postings on Federated Identity and Authorization and provided Some things to noodle. One particular aspect he mentioned was that anyone could contribute to the OpenID specification and suggested that a contribution in the authorization space would be useful which I am more than interested in talking on...

I am a contributor to a variety of specifications, mostly within our particular industry-vertical and the variety of standards bodies that cover them and have had reasonable success. Part of the reason for success is that the demographic of the implementers are known and more importantly they are willing to state upfront their commitment to implement. I wonder if I publicly commit to defining the authorization portion for OpenID will Kim Cameron and his MS friends publicly commit to changing the UI for Cardspace to handle or will this result in another useless industry specification?

I know that other Fortune enterprises whose primary business model isn't technology will back this initiative and this is surely enough to get lots of things to happen. For example, I know that bringing a total of ten enterprises to discuss the problems of ECM and Security will result in the software vendor taking steps to make their customers happy, but I honestly can't say the same if I spent the same amount of effort in a space that Microsoft plays in.

Part of the problem is that for smaller vendors, identifying their top sources of revenue from an enterprise perspective is relatively easy. The only way such an effort wouldn't be futile is if I could know who Microsoft's top ten Fortune customers are in terms of spend and figure out how to get all ten on board. The problem space could be articulated in the fact that while my own employer is a Fortune 100 enterprise, they are by no means even in the top 100 Fortune enterprises in terms of spending monies with Microsoft. This says that for my contribution to not go to waste, I really do need the help of others...

The second question that I think begs an answer is why would I spend time on such an initiative? With a full slot of stuff to do at work, this would turn into my own homework at home. While I could easily connect it to business initiatives, I would still have trouble coming up with an ROI. Not that all of my efforts should be ROI driven (NOTE: I do work on compliance-oriented stuff which defies ROI because it's law) but there should be some return even if it isn't monetary.

One aspect of return is of course all of the wonderful potential press that enterprises can gain by showing to the marketplace how innovative their folks are but this too is highly problematic. First, it requires certain forms of acknowledgement in that enterprises tend to think of industry analysts as the media and therefore require coverage in the form of case studies from time-to-time. Other than the wonderful folks over at Macehiter Ward-Dutton (A top-notch UK analyst firm), industry analysts in the blogosphere have been notoriously silent on OpenID.

The problem is further compounded in that many analyst firms love to talk about products developed by software vendors and I am neither which will further guarantee specification shelfware. If folks don't know about it, then they certainly can't use it. At some level, I could attempt to do this work by joining a standards body such as the Liberty Alliance but unless they are willing to change their model for membership to become more enterprise friendly then this too will fail.

Spending lots of money in enterprises is easy. The key though is that spending of money on external entities usually comes in the form of statements of work, deliverables, etc. Simply being allowed to participate in a conversation will not allow the masses of enterprises to spend money to become a member. Hence, this is the reason why the Liberty Alliance only has four of the Fortune 500 whose primary business isn't technology.

The discussion around OpenID and authorization is vital to being able to conduct meaningful commerce over the Internet in a modern way yet even the Liberty Alliance seems caught up in the hype known as two dot O ism...

Johannes, you have my full commitment to contribute but I really need the help of other identity thought leaders to brainstorm or at least amplify the following problem spaces:



Understanding Others

On this pagan holiday, I bear witness that there is just but one God...

I ask that folks study different religious faiths in order to understand other people. Otherwise, you will be condemning yourself to a lifelong journey of hatred and misguided judgement. Many people have strong religious convictions, and it would be impossible to understand them without first understanding their beliefs.

Judaism, Christianity, and Islam are monotheistic faiths practiced by about half of the world’s population. Monotheism refers to the belief in one God. People are often mistreated for their beliefs. In the last century as many as six million Jews were murdered in the Holocaust. Religious conflicts persist in Ireland, the Middle East and in many other parts of the world. The attacks on the World Trade Center and the Pentagon on September 11, 2001 are likely the result of religious conflicts. By understanding one another, we can hope to not just develop tolerance but respect for all people.



Jews and Keeping Kosher

Yesterday, I went to Crown's Supermarket which is a Kosher grocery and found many items which definitely aren't Kosher...

At home, I tend to eat either Kosher or Zabihah as this is what God commanded of all humans. Of course many Christians have gotten it twisted and have strayed towards unlawful foods. Even for those who aren't religious, eating Kosher is more healthy than not. Have you ever seen how they slaughter cows? Ever think about all that dripping blood that other supermarkets leave in the packet for you to purchase and how healthy it is for you to consume?

I have lots of interactions with Jewish folks and many are my friends. At some level, they have frustrated me though by introducing me to Crown's Supermarket which has one of the absolute best bakeries on the planet. Have you ever had their TV Bars? They are easily good for a 1000 calories.

Anyway, yesterday I saw that they are now selling bacon bits and DiGiorno Pepperoni Pizza. The thought of a Kosher grocery store selling pork blows my mind. Jewish people are blessed by our creator with one of the most wonderful faiths on the planet, is it too much for us Goyim to ask that you stick to it...


Sunday, December 24, 2006


Response to Gary Short on the importance of educating children on IT...

Gary Short of Smalltalk fame responded to an earlier post of mine here and asked me, since software engineering is not taught as a subject in schools in the UK, how can we get more of our young people interested in becoming software engineers?

My response to his question is simple and I have several thoughts:

First, the US and the UK have similar problems, so my advice is universal. I would minimally say the problems of universities in terms of teaching software engineering are directly correlated to the notion of tenure. To be a really good software engineer requires experience in the real world working on enterprise scale applications. The folks who get really good at this tend not to be the ones who desire to be tenured professors.

I suspect that if you were to name the ten folks you respect the most in IT, maybe at best two or three of them have their Masters with the masses only having a Bachelors and probably none of them actually have a non-engineering oriented degree. Universities in many ways are some of the biggest walled gardens and it is up to us to destruct them in order to save our profession. Teaching software engineering shouldn't be coupled to the notion of credentials. If others agree, then they need to start talking about it.

Each and every IT blogger in the blogosphere should consider volunteering at the high school level and teaching computer skills. If a young individual only sees their jobs going to India (bad experience) or even worse, no experience then how can we expect kids to take an interest in our profession? Over the summer, I volunteered and taught inner-city children Java which I blogged about here.

I chose Java for two reasons: first, it is the language that I know best (I also know C, C++, COBOL, Powerbuilder, Pascal, Ada, RPG and Forth) and two, it gives them a hope that they could actually get a job when they turn 16 using it. Likewise, folks such as Yakov Fain graciously donated copies of his wonderful book: The Java Tutorial for the Real World. If I could get authors of Ruby on Rails books such as David Heinemeier Hansson to contribute books for the upcoming Summer, then we will definitely use them. Gary, I unfortunately don't know of a suitable book in Smalltalk that is targeted at younger demographics.

I think the second part of the equation is that as IT professionals, we have to do our part and get out and talk with folks at universities. In the past, I have spoken as a guest lecturer at University of Connecticut to MBA students as well as CS and MIS students at Rensselaer in hopes of sharing my own journey into IT and providing perspectives they otherwise wouldn't get to hear.

As part of my 2006 goals I did state that I also planned on lecturing at the University of West Indies during vacation. Sadly, I have missed this goal but can say that I have firm dates scheduled for next year in this regard.

So, Gary, I hope I answered your question from what I am doing. Now the real question is whether folks who read this blog entry will also take swift deliberate action in helping both of us further get others to also volunteer and/or at least amplify the call to action to others. Sadly, I believe that most bloggers will exercise their right to remain silent and watch our jobs in America become outsourced...



Boneheaded teacher admonishes student for being too charitable, accused her of making less charitable students feel bad!

See this article...



Closing Thoughts on Federated Identity and Authorization...

This will be my last post this year on the topic of Federated Identity and Authorization and I would like to thank Pat Patterson, Shekhar Jha and Conor Cahill for jumping in and providing their perspectives. Sadly, I didn't get a response from Kim Cameron, Kapil Sachdeva, Andre Durand, Johannes Ernst, Radovan Janecek or Dick Hardt but I am still hopeful. Anyway, here are some additional considerations that folks thinking on identity need to noodle?

Pat Patterson pointed me towards the Liberty People Service which allows you to understand the relationship between two identities but stops short of one of the business use cases in that only knowing relationship is sufficient in a consumer social networking scenario but won't work for businesses as relationships also need authorization. For example, just because I am the father of my daughter doesn't automatically give me the right to see her medical records when she decides to have an abortion next week (NOTE: I don't have a daughter).

Hopefully, Johannes and Kim can tell me if Cardspace as a user interface and OpenID as a protocol will be extended in the future to support authorization or should some other standards body start a similar initiative. Of course being able to specify via Cardspace the relationship between me and my daughter and whether I can see her medical records would be cool. I would assume that OpenID would support carrying XACML?

To date, the discussion and more importantly the reference implementations have all been done in either Java or .NET. Should Ruby on Rails and Smalltalk become second-class citizens in this regard? Anyone have thoughts on how federated identity should work against RACF?

So, the community has been successful in demonstrating how federated identity works and has even shown us enterprisey folks on how to write better code but ignores one truth. Enterprises nowadays have a preference to buy vs build. So this begs the question of whom in the identity space is working with small software vendors in the ECM space (e.g. Documentum, Alfresco, Filenet), in the BPM space (e.g. Intalio, Lombardi, Pega), in the CRM space (e.g. Salesforce, SugarCRM, Siebel), in the portal space (e.g. Liferay, BEA, Oracle), in the ESB Space (e.g. CapeClear, Sonic, ServiceMix, JBoss) and so on? Or are we hoping that they will take their own initiative to get it themselves and simply build in?

How should federated identity be thought of in a provisioning context? Do specifications such as SPML and/or WS-Provisioning still matter? What other security specifications should federated identity connect to that hasn't already happened?

Anyone ever discuss how SAML needs to support identity propagation? For example, if I have Cardspace running via Firefox and it submits identity to Liferay Enterprise Portal who is running on JBoss talking to a SQL Server Database, wouldn't it be great if SQL Server understood not only SAML but could understand all of the attributes of a user without breaking current J2EE pooling mechanisms?

I would love to know if anyone has a real implementation where they have converged federated identity with technology traditionally used in the physical world. There is an emerging trend of converging logical and physical access whereby if I log onto my PC at work but haven't badged into the building then alerts are triggered. What if I were to take my Citigroup Employee ID and as a pre-registered guest could automatically enter the building of United Healthcare?
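The logical/physical convergence alert described above (a PC logon with no badge-in) can be sketched as a correlation over two event feeds. This is an added example, not code from the original post; the event tuples, site names, host names and the 12-hour staleness window are constructed assumptions, and logons are assumed to be on-site console logons.

```python
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users, sites and hosts).
BADGE_EVENTS = [  # (time, user, site, direction)
    ("2006-12-22T08:01:00", "alice", "HQ", "in"),
    ("2006-12-22T12:00:00", "alice", "HQ", "out"),
    ("2006-12-22T08:30:00", "bob", "ANNEX", "in"),
]
LOGON_EVENTS = [  # (time, user, site of workstation, host)
    ("2006-12-22T08:05:00", "alice", "HQ", "ws-101"),  # badged in: no alert
    ("2006-12-22T12:30:00", "alice", "HQ", "ws-101"),  # after badge-out
    ("2006-12-22T09:00:00", "bob", "HQ", "ws-202"),    # badged into another site
    ("2006-12-22T09:15:00", "carol", "HQ", "ws-303"),  # never badged
]

def find_unbadged_logons(badges, logons, max_age=timedelta(hours=12)):
    """Return (time, user, host, reason) for each logon lacking a valid badge-in."""
    timeline = [(datetime.fromisoformat(t), 0, "badge", u, s, d)
                for t, u, s, d in badges]
    timeline += [(datetime.fromisoformat(t), 1, "logon", u, s, h)
                 for t, u, s, h in logons]
    timeline.sort(key=lambda e: e[:2])  # by time; badge events first on ties
    present = {}  # user -> (site, time of last badge-in)
    alerts = []
    for when, _, kind, user, site, extra in timeline:
        if kind == "badge":
            if extra == "in":
                present[user] = (site, when)
            else:
                present.pop(user, None)  # badge-out clears presence
            continue
        state = present.get(user)
        if state is None:
            reason = "no badge-in on record"
        elif state[0] != site:
            reason = f"badged into {state[0]}, logon at {site}"
        elif when - state[1] > max_age:
            # Covers a missed badge-out (e.g. leaving through an unmonitored door).
            reason = "badge-in is stale"
        else:
            continue
        alerts.append((when.isoformat(), user, extra, reason))
    return alerts

if __name__ == "__main__":
    for alert in find_unbadged_logons(BADGE_EVENTS, LOGON_EVENTS):
        print(alert)
```

Remote or VPN logons would need to be excluded or tagged before this correlation, otherwise every off-site session raises an alert.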

Is it possible for a NON-Sun employee to tell the world why anyone would want to join Liberty Alliance if your primary business model isn't technology? It seems as if those whose primary business model isn't technology are outnumbered by at least twenty to one. Even the industry analysts no longer talk about the Liberty Alliance which hints that it is no longer relevant...
