Tuesday, July 31, 2007


More Links for 2007-07-31

  • The Summer Of Fear And Loathing: It Ain't 1968, Anymore, Baby
    I wonder if Cindy Sheehan gets advice from Kathy Sierra?

  • Scheduling a Job in Documentum
    An ECM system having a built-in job scheduler feels like a bad idea. Duplicating functionality built into pretty much every operating system while ignoring more important missing functionality is a curious behavior

  • Open Source: Why Oracle should worry
    Charles Babcock comments on open source databases and why Oracle should worry but gets it twisted by classifying EnterpriseDB in this category which is flat wrong. I defy anyone to produce 100% of the source code for EnterpriseDB. A product built on open source doesn't make it open source

  • How much do you trust your vendor
    Dan Morrill is doing homework. I wonder if he has thoughts on whether vendors should embrace secure coding practices and scan all of their code with tools from OunceLabs, Klocwork or Coverity
  • Why do the Democrats hate free speech?
    I am not sure that the bushitler crowd doesn't hate it as well

  • | | View blog reactions


    Links for 2007-07-31

  • How to blow $3 million in taxpayer funds
    The Public Company Accounting Oversight Board (PCAOB) spent $3 million on a document management system from Documentum, and it has been a complete waste of money. The PCAOB tries to blame itself for the waste, but the reality many within the blogosphere that it's a combination of overpriced and overly complex software wrapped in a proprietary license, and an effort to force-feed square-peg technology onto round-peg people. I wonder what it would have costed to inject security into their implementation?

  • 80+ Open Source Content Management Systems
    If there are so many, why are enterprises still wasting good money by spending millions on closed source? There has to be at least one good one! I wonder if noted Alex Fletcher of Entiva has any thoughts?

  • Enterprise Architecture Methodologies
    I wonder why folks spend so much time comparing EA methodologies when most EA organizations don't use any of the one's they mention. In fact, I bet if you were to survey EAs in the financial services world, you would get less than 1% adoption of Zachman

  • DoDAF and RUP — The Department of Redundancy Department?
    Glad to see that others acknowledge that Federal Enterprise Architecture is a big fat joke!

  • Writing the book on PCI compliance
    I wonder the ratio of noted reviewers were from other software vendors and academia vs. the number of folks who actually are employed by large enterprises who have to comply to PCI?

  • Documentum 6 goes flexible
    I wonder if others in the blogosphere believe the world of enterprise content management has gone multi-vendor, and the proprietary-heavy Documentum was starting to look crusty and demanding next to the competition.

  • Clinton woos the outsourcers that workers fear
    Hillary Clinton is partnering with Tata and helping move more IT jobs out of America. Bushitler will be done with his second term shortly. Clinton is incompetent and Edwards is an idiot, so I guess IT folks have no choice but to vote for Obama.

  • Designing Enterprise Software
    Books like these feel like chiche propaganda propagation guides

  • What is wrong with telecommuting
    I wonder if JP Rangaswami allows his employees to telecommute?

  • On Redmonk's Carbon Footprint
    Us folks in large enterprises are the biggest creators of large carbon footprints. What would it take for enterprise architects to encourage consulting firms to tell their folks to work from home and not to have so much face time with us

  • | | View blog reactions

    Monday, July 30, 2007


    Even More Links for 2007-07-30

  • You Can't Buy Loyalty
    There is no GREATER feeling in the world than to know that you did something to make a difference in someone's life...

  • IT budgets are lagging behind corporate revenues
    Glad to see that others are acknowledging that IT expense should not track the same as Corporate Revenue. If it does, it points to an enterprise architecture team that can't figure out how to add scale to the IT platform

  • Flex & Web Services
    I wonder what the opportunity for Flex is to integrate with Documentum?

  • What Has Trinidad Come to?
    San Fernando is kinda wild, hence the reason I lime in Sangre Grande

  • SOA Consortium Meeting
    Brenda Michelson of Elemental Links is speaking so attendance is mandatory...

  • The Care and Feeding of Industry Analysts
    It feels strange at some level that vendors are spending more time taking care of industry analysts than their customers.

  • More Big vs Small Thinking: SOA vs BPM
    I wonder if Neil Ward-Dutton would inquire with the BPM vendor how they plan on integrating with enterprise security concerns such as out-of-the-box support for SAML and XACML and whether BPM should focus on process stores and not user stores similiar to what Brian Huff enumerated about an ECM should store content, not users?

  • JavaScript Hijacking: Who's Responsible?Brian Chess and others within the security have talked about bad usage of Javascript but haven't commented on products such as ClickTale that gives folks the ability to watch movies users' individual browsing sessions. Every mouse movement, every click and every keystroke are recorded for convenient playback. I suspect that folks like Gunnar Peterson have a perspective on how Enterprise Architects should think about either embracing and/or constraining its usage

  • Customer Relationship Management: Are Expectations too high?
    Only a Gartner analyst (Jim Davies) would ask such a question without exploring whether expectations may be set too low!

  • | | View blog reactions


    More Links for 2007-07-30

  • Enterprise Authorization Strategy
    Curt Devlin of Microsoft moves beyond the current over-focus on identity and provides prescriptive architectural guidance for an enterprise authorization strategy. It makes the case for developing an enterprise authorization gateway. Discussion touches on some of the enterprise-level requirements and challenges that motivate this approach.

  • On Public Speaking
    The best way to get good at speaking in public is to speak in public. This is one skill that many Enterprise Architects lack and should make as a 2008 resolution

  • Managing Security in Large Organizations
    Finally, someone is talking about industry problems which don't get much airtime

  • Standards and ECM
    Craig Randall mentions that customers expect ECM leaders like EMC to support industry standaards and to drive them to but doesn't mention which ECM standards EMC is driving. Is'nt this ironic?

  • BPM/Workflow and Security (Standards)
    Mark Masterson commented that he was researching the XACML standard. I wonder how his homework is going? Maybe he has already checked out Aqualogic Enterprise Security and Securent to understand the value proposition of ensuring a consistent security model across BPM and ECM implementations

  • Enterprise Architects versus Business Architects
    David Linthicum and Andy Mulholland manage to get it twisted and have decided to ignore the phenomena that occurs within large enterprises especially where there are 30 year old legacy applications in production where IT knows more about how the business than the business and therefore can serve dual roles.

  • Why was Human Capital left out of the Federal EA?
    Maybe the problem is that folks in the Federal Government don't understand the real meaning of governance which is about changing a behavior model and not having the OMB do Hitler-like comprehensive documentation that sits on the shelf compliance programs. Maybe Andy Blumenthal needs to encourage Federal Chief Architects to stop being insular in their thinking and observe how folks in large enterprise practice EA as they may learn something

  • While I have suggested to others, that in Glock we trust, my personal weapon of choice is the EAA Witness 9mm loaded with Federal Hydrashok's. Consider giving a donation to the National Rifle Association and support the second amendment...

    | | View blog reactions


    Mistakes made by software security vendors when interacting with large enterprises...

    I normally don't provide a status of work-related things in my blog but figured that I couldn't resist commenting on a typical mistake made by software vendors when interacting with folks from large enterprises...

    I had the opportunity of participating on a conference call with the CTO and the VP of Engineering for a security product we use where the context of the call was in gathering requirements of us as a client. The sales guy participated in the early part of the conversation but had to drop off in order to catch another call.

    There was one point where they wanted to understand my perspective on a particular use case and the best method for understanding its relative importance. The CTO and the VP of engineering stated a pretty passionate debate with each other as I listened on. They probably broke every rule in the book when it comes to things you shouldn't do in front of customers.

    The funny thing is that if the sales guy had hung around, emails would have been flying around about the behavior of individuals and how they displayed inappropriate conduct in front of customers and the whole perception is reality bullshit that has become so pervasive.

    After the call, my peers and I reflected on what we heard and concluded that their behavior was not only inappropriate but highly desirable and we needed to figure out how to get other vendors to behave in this way. We felt special in that folks were displaying extreme passion in terms of understanding the problems we face, our thoughts and desires and weren't just giving us the usual scripted pre-rehearsed diatribe as practiced by vendors along the lines of the humorous monotone your call is important to us white lie.

    We could tell without a doubt that they were savagely passionate about the topic. At the end of the call, they simply asked if it was OK to send us emails with additional questions. Over the next couple of days, I made it a priority to respond to their questions since they engaged my intellectual curiosity and I can honestly say that I haven't had a great dialog with a vendor in such a long time.

    By ignoring the whole perception is reality culture, they have done more to get on my radar and ultimately win business than others within the blogosphere who respond cordially but otherwise provide little value.

    I was ecstatic that they not only suggested in a friendly manner how I should alter my thinking but also provided factual reasons as to how to do it better. The realization that folks desire solutions and not just responses is something that others need to internalize...

    | | View blog reactions


    Links for 2007-07-30

  • SOA ECDM: Ask for More
    An enterprise canonical domain model (ECDM) is a model that is focused on the business events and the data+documents+messages needed as part of orchestrating the events into business processes by composing services. I have mixed opinions of the value of such an approach

  • Bending CEP for Rules
    The notion of complex event processing and business rules engines aren't deeply discussed within the blogosphere nor within the walls of most large enterprises. I wonder if folks aren't doing a good job in terms of explaining its value proposition.

  • OpenSAM is Promising
    Ismael Ghalimi is one of the brightest bloggers on the topic of BPM within the blogosphere. I wonder what his thoughts are when it comes to using AJAX with ECM products such as Alfresco, Stellent and Documentum? Unification of the Office 2.0, BPM and ECM ecosystems is in desperate need for standards.

  • Java's Fear of Commitment
    A great read on the architecture of Java for all especially if you program in second-class languages such as Smalltalk

  • Tech Media doesn't get open source
    I wonder if Krishnan Subramanian believes that industry analysts may suffer from the same problem?

  • The Problem with Software
    Dave Dargo has written a thoughtful piece on one problem with proprietary software today: it spends too much time isolating itself as a product, rather than opening up itself and combining to create solutions. This mentality is witnessed in the ECM space more than in any other ecosystem. If you want proof, visit the blogs of Craig Randall and James Robertson

  • | | View blog reactions

    Sunday, July 29, 2007


    Why the tech media doesn't get open source

    If you haven't read the blog of noted industry analyst Alex Fletcher of Entiva, you should...

    Alex provides insight into Why the tech media doesn't get open source which for the most part I agree but feel he could have also addressed the below considerations:

    | | View blog reactions


    Enterprise SOA: Not everything should be a service!

    Hype is the plaque on the house of software. Luckily folks such as Dion Hinchcliffe encourages others to consider syndication over "service-izing."

    The browser is an important consumption point but so too are the growing syndication ecosystems of which the blogosphere is the largest example. More and more tools are willing to consume RSS and ATOM, often in preference to SOAP, including the forthcoming version of Vista where syndication-friendliness is a core value. Carefully consider offering your services in RSS form or even ATOM, which has a two-way REST model. Likewise, the ability to build on standards without regard to figuring out traps like common models will help you be successful faster.

    Syndication will further increase consumption scenarios and therefore adoption. Content syndication is growing into a very potent force inside and outside the enterprise and plugging an SOA -- strategically or tactically -- into one of these ecosystems has terrific upside potential. Not every SOA service can or should be converted to a syndication model, but if you aren't considering this option with each service you create, you should be; there are tens of millions of RSS feeds available today, starting from zero in the beginning of 2003. How many SOAP services presently exist worldwide? Only a tiny, tiny fraction of this and there are good reasons for it.

    I wonder if ECM vendors agree and believe this should be out-of-the-box functionality?

    | | View blog reactions


    Links for 2007-07-29

  • The Bottom Line - John Powell Interviewed on the BBC
    Get familar with John Newton of Alfresco as he is one of the few examples of leadership with the world of ECM and will be the one that brings sanity to this domain

  • Raj Samani applauds a move to raise security standards among coders
    Good to see that SANS is focusing on the vulnerabilities of software. It would be interesting if they provided public metrics on which open source projects are the best example of secure software. In my travels, none has proven more secure than Liferay Enterprise Portal

  • Enterprise Visibility Architect
    I would like to see the next innovation be security application instrumentation, where you devise your application to report not only performance and fault logging, but also security and compliance logging.

  • Leadership Lesson: Think Differently
    Don’t be afraid of challenging the status-quo. True excellence as a security executive and leader demands you are willing to think differently.

  • BPM: Practitioner's Case Studies
    I wonder if the folks over at AFLAC understand that their wonderfully accepted case study and success still puts them years behind the leaders within their industry vertical?

  • Single Sign-On to Salesforce.com
    While I am happy that the folks over at Ping Identity stepped up to fill in the gap, how come no one is pressuring salesforce.com to embrace user-centric approaches such as CardSpace natively?

  • Email PKI and SAML 2.0
    Is this a good approach of utilizing the SAML 2.0 infrastructure to help distribute trust in PGP/S-MIME e-mail PKI.

  • Copy protection isn't just bad for users, it's bad for business
    It seems as if all the ECM folks haven't listened as they savagely promote sub-optimal security models under the label of IRM

  • | | View blog reactions


    ECM: Insights despite the inciting

    My final look at the responses of Craig Randall when it comes to ECM standards...

    I apologize profusely for asking difficult questions. I guess it is unreasonable for anyone reading up on ECM to surely expect folks to consider security in today's marketplace. Security should be solely limited to whatever makes folks feel comfortable and avoid discussion of things that could be labeled as unreasonable if they might have to do some homework.

    You will note that my blog as well is a personal blog and in no way associated to anything with my employer. That being said, this doesn't prevent me from providing commentary on things I belief. For example, as an Enterprise Architect, I have opinions on open source that are in many ways opposed to my thoughts outside of work. I am not looking for a status of Documentum's roadmap as that would be of nebulous value. I am always curious though of what is bouncing around in other folks brains. If someone were to asking me what I am currently working on at work, I would avoid the question as it is status-oriented. If you however were to ask me what do I think about on a daily basis, I would respond with full transparency.

    My statement was related to portability and avoidance of vendor lock-in. For example, a buyer may feel more comfortable choosing an open source database because if it doesn't work out, they can quickly migrate to another product. Standards such as ANSI-SQL allow for this to happen. Your statement was about leveraging something you have already purchased which is a different dimension. Our collectively statements both hold true and in some situations are complementary while in others are in conflict.

    I am not sure that any of my comments require anyone to be a security or identity expert. I think if you understand that DFS is a client tier API and that all one has to do to bypass it is to simply not use it, then it is inherently insecure. In terms of support for WS-Security, all this means is that there is a place to put security stuff in the SOAP header. It doesn't mean that just because you support WS-Security that support for SAML, Kerberos, WS-Federation and so on are supported. Was simply looking for a deeper understanding of your past blog entries. Some folks will say they support WS-Security only to have still stuck with username/password constructs which at some level is dishonest.

    Likewise, one should acknowledge that there is a difference between server APIs and client APIs. I hope that you are noodling as part of your day job making both aspects of the equation extensible...

    Your previous blog entry talked about integration between Documentum and other BPM products from a UI perspective where I asked about what your thoughts were in terms of creation of industry standards were. Here you have mentioned using DFS which I understand is a service interface which of course you know is distinct from a UI way of integration.

    My commentary wasn't related to Documentum but the ECM domain at large who seem to have fell in love with IRM/DRM type constructs while pretty much the rest of the world understands and embraces the notion of declarative security models that can be externalized away from the product. Yes, IRM/DRM is a separate product in terms of a SKU mindset but where I can make a BEA WebLogic Portal interoperate with Securent, I can also take BEA Enterprise security and make it interoperable with say Vordel. I simply want to understand the mindset of ECM folks at large and hope to understand why they are on a different page than the rest of the industry at large.

    I apologize if my questions make folks feel uncomfortable, simply attempting to understand the ECM domain at large. If I observe inconsistencies then should I not ask deeper questions about them in order to gain insight or would the ECM community prefer me to exercise my right to remain silent and only talk about the wonderful progress of features in this world kinda like the industry analysts do without understanding how ECM fits into the enterprise ecosystem?

    | | View blog reactions

    Saturday, July 28, 2007


    Identity Management Tools: Implementation is not the Issue

    Check out this wonderful blog entry that speaks to Identity Management Tools: Implementation is not the Issue.

    I got a $100 set aside to make a donation to World Vision whose mission is to feed hungry children if Pat Patterson and Mark Dixon respond to the above post as well as this one without resorting to a hybrid answer suggesting that an enterprise does both as more insight can be provided if you take the position of the extreme. It would be interesting to gain their insights on strategies around consolidation vs strategies around management especially if they are all about Active Directory.

    Even greater would be if they could comment on whether vendors such not just support LDAPv3 but also support ADAM (I am not sure why non-MS employees don't think ADAM is V3 compliant and some facts would be appreciated if you are in this camp).

    I will double it to $200 if Nishant Kaushik of Oracle does the same...

    | | View blog reactions


    A Timely Example of Needed ECM Standards

    Laurence Hart posted a thoughtful writeup on a A timely example of needed ECM standards that I know Craig Randall will dance around...

    Laurence Hart outlines the following situation:One answer that Craig Randall could say is that Documentum is working on ways to not only import metadata from other platforms but to also export to them as he has been savage in thinking about many things said by James McGovern such as the easier it is to get rid of your product, the more we like you.

    Craig Randall can also step up to say that he acknowledges this is a big problem in the ECM domain at large and is willing to start a working group as part of AIIM with him in the leadership spot to make this problem go away. Craig could also say that he has proactively picked up the phone and planned a three-way call with himself, John Newton of Alfresco and Billy Cripe of Oracle to talk about this problem space and others from the community at large are more than welcome to listen to the discussion.

    Craig states that he is Not running for office but still hasn't proposed a single solution, workaround nor planned enhancement to missing security within ECM products. I guess though that he has stated the obvious with passion that one EMC product works with another. The revelation is mind blowing. I wonder what would happen if Microsoft bloggers mentioned that SQL Server and Exchange runs on Windows platforms?

    I would be willing to make a sizable donation to Juvenile Diabetes Research Fund if Craig provided a solution as to how he believes customers who want to integrate Documentum with an entitlements management solution such as BEA AquaLogic Enterprise Security, Securent or other XACML based products. Of course, I am optomistic that he won't simply throw daggers at why customers may want to do this and focus purely on the integration aspects.

    In fact, I will also make another sizable donation to a worthy charity in South America that fights hunger if he were to revisit his UI blog entry and instead of commenting on how one EMC product could work with another, how he envisions Documentum integrating from a UI perspective with NON-EMC BPM products such as Intalio, JBoss, Fuego or Lombardi. Likewise, if he believes that the appropriate industry standards do not exist, what are the steps EMC and other vendors should take to make them happen...

    | | View blog reactions

    Friday, July 27, 2007


    How IT Consulting Firms contribute to Global Warming

    It seems as if industry analysts have focused on power consumption within data centers as its impact on global warming but haven't had the courage to analyze the impact of consulting firms and how they may even contribute more to global warming than all data centers combined...

    Think about all the consultants in the blogosphere who travel Monday through Friday running from airport to airport consuming lots of energy that could otherwise be conserved.

    Firms such as McKinsey, Diamond Consultants and E&Y may have their employees make multiple flights throughout the week while others such as Accenture and Bearingpoint do similar practices. How come no one ever calls them on the fact that they might be able to reduce carbon emissions by figuring out ways to work remotely? Is face time always necessary?

    Even many industry analyst firms contribute to global warming. I suspect that the folks at RedMonk are probably more energy efficient than folks at Gartner? Not to let my fellow Enterprise Architects off the hook, but we too are guilty as many of us habitually kill lots of trees printing off pretty PowerPoint presentations as a matter of convenience which we bring to meetings of nebulous value...

    | | View blog reactions


    Links for 2007-07-27

  • BPM and SOA ThinkTank
    Sandy Kemsley discusses a BPM and SOA thinktank that somehow doesn't include actual end-users of products. I find this curious

  • What is hot and what is not in technology
    I wonder if industry analysts disclosing compensation relationships in terms of quadrants would be hot or not?

  • New SAML 2.0 X.500/LDAP Attribute Profile
    Interesting read for security folks. I wonder what if there is any scenario in which CardSpace can leverage?

  • Presentation has its price
    Whenever I read Craig Randall blog, I get the feeling that he should be running for political office. His blog says a lot and says nothing at the same time. Hey Craig, how about discussing potential solutions? If you think that BPM could be a user interface to ECM, then how about suggesting better ways for them to interact?

  • Cambodian Blogger Summit
    I like this notion. In fact, I am thinking about contacting Taran Rampersad to see if he would be interested in organizing one with me in Trinidad over the holidays

  • A New Marketplace greets Documentum d6
    Have you ever seen the research from the folks over at CMSWatch? It is actually of pretty good quality and has more depth than you would find from Gartner or Forrester. It still amazes me that enterprises will spend millions on ECM platforms but won't spend money to get access to the right research

  • ECM Security
    The ECM blogger crowd has went silent on open discussions around the lack of security standards implemented within their products. I wonder if this behavior is good or bad for their customers?

  • | | View blog reactions

    Thursday, July 26, 2007


    Links for 2007-07-26

  • Open BSD Foundation
    BSD is a great operating system and in many ways better than Linux. We need to move past the hype of the minute...

  • Beginning Information Cards
    Noted Microsoft employee Marc Mercuri has published his book on Information Cards and CardSpace. The only deficiency I have noted is that they ignore Java. Maybe Mike Jones could figure out other authors to write the equivalent

  • Project Management 3.0
    Why are we still having conversations about how horrible project management is within large enterprises?

  • Blackbird: Enterprise Service Bus in PHP
    I wonder if James Robertson of Cincom could provide his vision for an ESB implemented in Smalltalk or will he still allow for SmallTalk to remain a second-class language?

  • Workflow Evaluation
    I wonder if these folks have realized that part of evaluation is the ability to learn from others their experiences? I am willing to share if they leave a comment/trackback outlining their work contact information

  • Bill Gates Considered as Evil Primitive Bacterium
    Has Freeman Dyson become an evolution denier?

  • | | View blog reactions


    So, what does it mean to be enterprise ready?

    Have you ever ran across an enterprise architect who said that a piece of open source software isn't enterprise ready? Figured I would highlight what they are really attempting to say...

  • It may mean that they have been successful at being an enterprise architect but have no technical ability and need assistance in terms of getting something up and running. The problem is that enterprises have habitually not budgeted monies for consulting in the upfront processes as they have gotten used to vendors doing this for them for free.

  • It may mean that until Gartner in terms of their Magic Quadrant and Forrester in terms of their Wave start listing open source projects next to proprietary closed source implementations, they don't have outside cover. They know that there is no possibility of these analyst firms ever putting vendors who don't pay them side-by-side next to ones who do and therefore won't comment.

  • It may mean that they are technically savvy and don't really care about the lack of integrity in the industry analyst world but may not have visibility into who else is using it. Sometimes, knowing that your competition is using it becomes stimulus for you to also consider it. Most enterprise architects mistake leadership for followership.

  • It may mean that none of the above apply and the real problem is that no one won't pay them any attention and they acknowledge that only outsiders will grab the mindset. After all, folks in large enterprises want to hear from folks other than whom they are forced to interact with on a daily basis. For open source, there is no one that will entertain folks within their enterprise by coming in and doing a wonderful four-color chock-a-block eye candy powerpoint presentation.

  • It may also mean that if you don't have a vendor visiting your enterprise, then there is no one to provide you with wonderful trinkets, golf trips or even t-shirts

  • Finally, it may mean that while the enterprise architect understands that open source can save their enterprise money, it may be detrimental for their resume. We know with closed source products, they can get training from vendors where as in most cases, open source requires them to figure much of it out for themselves

  • Is there anything else I should add to the list?

    | | View blog reactions

    Wednesday, July 25, 2007


    Links for 2007-07-25

  • Stoke Newington Police: Thanks and Praise
    Sorry to hear about James Governor of Redmonk and his recent event. I wonder though if this is a situation that could have been avoided if he believed in the phrase: in Glock we trust...

  • LDAP Documentum Debugging Techniques
    I wonder if Sumanth Molakala has ever wondered why Documentum required its own user store and couldn't directly bind at runtime to something that already existed?

  • Would you change the Zachman Framework?
    I wonder if the question really should be: Should EA wholesale abandon the Zachman Framework and instead focus on the human aspects instead of the comprehensive documentation that never gets used if you do use Zachman?

  • Open Source Applications...Magnets for Open Source Infrastructure
    Alfreso has the possibility of displacing other closed source ECM platforms due to better integration

  • Recruiting Models - What's Yours?
    How about using your blog to recruit Security Architects?

  • Johannes Comments on CARML
    The notion of an identity governance framework as championed by Oracle needs the help of the community in order to make it stronger. Here is where I think folks from Sun could add value

  • From Incite comes Insight - Candy or Controversy
    Good to see that there is support for this platform. I wonder if donations to charity such as Not in my name is considered candy?

  • | | View blog reactions


    Consulting Opportunity: Security Architects

    I really hate using my blog for work purposes but really, really, really need to identify a strong candidate with the following background:

  • Knowledge of User-Centric approaches to Identity (e.g. CardSpace and Information Cards)

  • Hands on coding experience in Java

  • Prior experience with Netegrity Siteminder with coding experience using their SDK a plus

  • Knowledge of Entitlements Management (e.g. XACML)

  • Available to start in August

  • Leave a comment with your work email address, daily rate and the URL where I can view your resume...

    | | View blog reactions


    Blogging in the Corporate World

    Todd Biske comments on blogging in the Corporate World and I would like to extend several of his thoughts regarding use of wiki's...

    Being a student of the human aspects of technology, over the last several weeks I have been using my peers in one of my experiments. I have been attempting to understand the notion of how memes work in our environment and concluded that several interesting behaviors exist.

    Much of the communication within large enterprises is of the corporate spam type where everyone is CC'd regardless if they need to receive the information. In terms of my experiment, I decided to try several tactics related to sharing security information to measure how long it would take before it started to spread as a meme. For email's where I specified 100% of all participants that needed to know the information in the to field, it didn't spread at all. I later adjusted my technique by sending information only to select individuals and encouraged them to forward to those whom they felt would be interested and the notion of the meme was a lot better.

    The former is obviously more efficient in terms of communication and definitely easier on the email infrastructure but the latter had the effect of leveraging two characteristics that are pervasive in enterprisey types. The first characteristic is that folks want to know something that others don't. The mindset of being in the know is pervasive. The second characteristic is that folks respond better to things that they feel have been personalized to them than information that is available to the public at large.

    The notion should be in order to be more open, you sometimes need to behave more closed. I would be curious if folks such as Scott Mark, James Tarbell and others who are employed by Fortune enterprises have also observed this.

    In the past, I have commented on the fact that within large enterprises my observation that They aren't going to read it also applies to blogs and wiki's within the walls of most enterprises. Most of the movement regarding the push to use wikis in enterprise environments makes the argument regarding efficiency of finding, searching and publishing information while ignoring the consumption aspects.

    Enterprise Architects are pretty good in terms of producing comprehensive documentation as many of us spend time tweaking PowerPoint documents for different internal audiences. We do this not because folks can't simply go to the SharePoint and find what they need nor that previous iterations of other documents didn't have the necessarily information, we do this because IT Executive X wants to see it one way while Business Executive Y wants to see it another. In other words, enterprise architects spend a lot of time making things personal.

    Before enterprises consider using Wikis they first have to transform their culture and not focus on the publishing aspects nor fall into the trap better known as knowledge management and instead figure out if they can be successful in changing the perspective of those who consume information. Usually, enterprise architects tend to interact with many parties spread throughout the enterprise and at some level are forced to adapt their style to meet the needs of consumers. If your business customers still prefer monolithic Microsoft Word documents sent to them personally via email then Wikis will fail...

    | | View blog reactions

    Tuesday, July 24, 2007


    Links for 2007-07-24

  • Principles for Enterprise Architects
    What do you stand for?

  • Proprietary ECM
    It seems as if FileNet, Optika, InvesDoc, DocStar and others are guilty of not supporting security standards

  • Beyond Roles: A practical approach to enterprise user provisioning
    I bet bloggers from Sun in the identity management world will exercise their right to remain silent on this topic

  • BPM Think Tank
    I am disappointed that I didn't have the opportunity to present on security concerns in the world of BPM.

  • Defining a Documentum Architect
    Good to learn about certification. Bad to learn that it is focusing on the wrong things

  • Gartner report on ECM
    Ever notice how Gartner avoids depth and prefers high-level statements? I suspect that if you asked the analysts that cover ECM about security, you would be reminded of deer in headlights

  • Identity-Enabled Document Management
    Good to see Oracle demonstrating leadership in this space

  • Calling in the EA Troops
    Mike Walker certainly chose the right graphic for us Enterprise Architects as blowhard jamboree comes to mind.

  • Practical Enterprise Architecture
    The wisdom of do not model the past is something more EAs need to noodle. Too many folks are caught up in the whole current state, future state, gap analysis paradigm where they focus on current state because they have no clue about the future

  • Why I blog
    The agile elephant statest that he blogs for completely business-driven reasons which is actually a good thing. No one truly blogs about technology solely for noble purposes and as long as you are transparent about your intention, the blogosphere welcomes you with open arms

  • | | View blog reactions


    Thoughts on ECM and Security - Part Alfresco

    Laurence Hart has been gracious in helping me understand Limitations of ECM Products with the focus on Documentum. I figured I wanted to understand if all ECM products have the same design flaws and have decided to analyze Alfresco to see how it measures up...

    Alfresco seems more aggressive in terms of supporting ECM specific standards such as JSR-170. I didn't have the opportunity to dig into the codebase as to whether they could expose documents via RSS and/or ATOM nor did I get to determine whether they fully support WebDAV including functionality such as locking but hope to analyze this later.

    In terms of the design of Alfreso, it feels a lot like Documentum only in that it was written in a modern language. Missing from Alfresco is the notion of the usual Core J2EE patterns as the code base, while functional could do with some major refactoring.

    Bex Huff recently commented that an ECM Should Store Content, Not Users which Alfresco is also guilty of repeating. It seems as if vendors have figured out a slick response when enterprise architects inquire in this space by mentioning that they can authenticate against external stores which is semantically different than binding at runtime and gathering all information without requiring a local copy. I hope my industry peers start separating out their questions into user stores vs authentication.

    In terms of the ability to easily inject XACML and externalizing authorization, it also suffers from the same problem that Documentum does but for different reasons. The issue at hand is that permissions checking in Alfresco isn't centralized as access control checks are littered through different classes. Since Alfresco has a great relationship with Liferay, I would suggest that a future implementation refactor to something similar to com.liferay.portal.kernel.security.permission.PermissionChecker which is a great way to approach extensible security.

    Even though they have committed the sins of duplicating user stores, it does seem that they are well-positioned to support protocols such as SPML to allow identity management tools to remotely provision/deprovision users without resorting to arcane syncronization routines.

    In terms of supporting SAML, I believe based on current documentation that Alfresco does have an advantage over Documentum. They leverage JAAS and have the notion of an abstract authentication component that can be extended. It would be very easy to connect this to BEA Weblogic and their notion of an Identity Asserter to allow the container to handle some of the SAML interaction while Alfresco focuses in on the JAAS aspects.

    In terms of other ways to SSO, they also support the Kerberos SPNEGO protocol which is useful in shops that run Active Directory which 499 of the Fortune 500 run (Sun Microsystems is the oddball). Likewise, the design does seem better than other products in that they also assume the ability to plugin other search providers. I am still researching whether they have the ability to plugin other compression routines and to externalize transformations to third-party hardware providers such as DataPower...

    | | View blog reactions

    Monday, July 23, 2007


    Understanding ECM Security

    I spent some time at a popular Documentum Developer site attempting to understand the Documentum Foundation Classes mentioned by Laurence Hart and now understand why ECM people either can't and/or don't understand the needs of enterprise security concerns...

    When Laurence mentioned APIs and extension, I think he may have simply resorted to constraining the solution to whatever was exposed without asking the question of what APIs are missing. Can we acknowledge that there are a distinction between Client APIs and Server APIs? DFC seems analogous to ODBC/JDBC and typically runs in the client tier. Security, in order to be done correctly requires server APIs which run in the address space of Documentum itself which DFC doesn't address.

    The issue at hand is that DFC seems like ODBC in that it abstracts the Documentum Query Language. If the grammar for Documentum or any ECM system for that matter doesn't support security constructs then, at best it is possible to write security features but they will be implemented in an insecure manner.

    So, the only way I can see this working if Laurence were to take this on would be to remove all ACLs from the server and then extend the DFC by writing a filter that would intercept all requests by applying XACML policy and processing accordingly. The issue though is that another client not using the modified DFC could bypass any security customizations and create a big hole.

    Laurence also mentioned that Documentum will be building Documentum Foundation Services on top of Documentum Foundation Classes and believes that support for SAML should be handled by the product. A security professional could conclude two scenarios both of which are bad security:

    Laurence, what am I missing? I am curious if all ECM vendors use this notion of query languages and whether it has been standardized across vendors kinda like ANSI-SQL has been standardized across databases? I am curious if all vendors also limit the available APIs to the client tier or do they also support server APIs as well?

    There was one additional thing that I am curious about. I never ran across any instructions on how to enable SSL so that the DFC could communicate over a secure channel. Curious how this is accomplished?

    Maybe this is an opportunity for Gunnar Peterson to ask the ECM community at large to pay attention to Dealing with Security in an SOA World and help vendors with an architecture overhaul? The beautiful thing is that I can take a peak at Alfresco to see if it suffers from the same design deficiencies or did they do something more progressive. I will post my findings shortly...

    | | View blog reactions

    Sunday, July 22, 2007


    Links for 2007-07-22

  • Weak Passwords
    Sometimes advice in the blogosphere is dangerous. I wonder if those demanding stronger password complexity have ever thought about the correlation between strong passwords and weak security. The harder you make something, the faster someone will write it down and store in an insecure manner. Besides, what if the password is complex yet the web site stores it in plaintext? You wouldn't know...

  • Myth: BAM Works Bottom-Up
    Maybe the better answer is to not name drop clients using your technology and instead provide ideas of how it could be used for those that aren't. For example, none of the names listed in this blog are Fortune Enterprises from the Insurance vertical. Maybe suggest how it could be best used to sell automobile insurance

  • Blog under your real name and ignore the harassment
    It is ashame that Kathy Sierra convicted folks in the court of public opinion and then decided to hide. Maybe she needs to stop being the example of what modern women shouldn't do

  • Secure Information Sharing Architecture
    Pretty cartoons for Federal Enterprise Architects

  • Allowing Business Users to Program your System is a recipe for Disaster
    James Taylor of Fair Isaac probably has thoughts on where enterprises should draw the line in terms of letting business users do programming.

  • Ruby Rules Engines
    If Java, .NET, Ruby and other languages have rules engines, how come Smalltalk doesn't? I wonder if James Robertson of Cincom is a reactive product manager and does only what his customers ask or is proactive and supplies what they need?

  • No fatties allowed
    Nicholas Carr is usually the plaque within the house of IT but has a thoughtful posting on old fat men

  • Outstanding Questions on CardSpace and Security
    I suspect most of the identity community will avoid these questions

  • It's okay if most blogs suck
    It's okay if most blogs suck, because most people are irrelevant to any one individual. I wonder what others think about my blog?

  • | | View blog reactions


    Thoughts on Software Advisory Boards

    While I commented on the lack of value when it comes to having IT executives on your advisory board, maybe it is time to critique boards in general. Boards are filled with founders, and don’t often draw on a vast pool of experience that exists outside the company. So they end up as giant rubber stamps or petulant micromanagers.

    The first step in creating a successful business is to make sure a company has the right roles and that they are filled with the right people and this isn't limited to employees. On a macro level the advisory board stays outside the day-to-day company operations and provide selected expertise when needed. Your advisory board has to be more about expertise and less about sales leads.

    Software vendors would be well served by thinking of enterprise architects as product managers. They are a company’s think tank, architects of its design, guardians of its focus and cheerleaders. They also must be a company’s conscience, using clear eyes to bring the truth, both good and bad to the forefront.

    A company doesn’t need a passionate businessperson at the helm, a robust and diverse board, and a talented executive corporate team to survive. Companies survive well enough without them all the time. What they fail to do is thrive.

    | | View blog reactions

    Saturday, July 21, 2007


    Links For 2007-07-21

  • JXplorer - An Open Source LDAP Browser
    Standards-compliant general-purpose LDAP browser that can be used to read and search any LDAP directory, or any X.500 directory with an LDAP interface. Written in Java and available for free download under a standard OSI-style open source licence.

  • Pharmaceutical Liability vs Software Liability
    One of the problems, as was pointed out before, is that software and computers don't have a fixed use that can be anticipated during the development cycle, and consequently saying that software isn't "fit for purpose" is a really tough judgment call.

  • What is user-centric EA?
    Andrew Blumental performs EA for the United States Coast Guard. I welcome him to the blogosphere and hope he can share his thoughts on how the Federal Government could learn to adopt some of the practices from corporations when it comes to Enterprise Architecture and drop heavyweight processes and frameworks based on Zachman. Maybe he could even help me track down folks I served with in the Coast Guard starting from the days of basic training: USCG TRACEN Lima 121

  • Ping - Partimage Is Not Ghost
    PING is a live Linux ISO that can backup and restore whole partitions. It sounds like Symantec Ghost(tm), but has even better features, and is totally free.

  • Search Engines and a Document Management Protocol that integrates with XACML
    Here is a great blog entry that I would love to know what Craig Randall, John Webber, Laurence Hart, Phil Hunt and Luis Sala think?

  • Outsourcing to Cuba
    As I understand, Cuba has a higher babe factor than India

  • Introduction to Information Cards
    One of my pet peeves in the blogosphere is when bloggers publish information in an introductory manner without including any additional insight. How come bloggers can't move beyond introductory context towards more advanced topics? If I wanted to know about introductory stuff, I would go to the vendor's web site and not search the blogosphere for introductory material especially on information cards and cardspace

  • The Federation for Identity and Cross-Credentialing Systems
    There is a key phrase: Members join for various reasons and benefits, based on their business objectives which is a code phrase for it is doomed to mediocrity. This means that it will be dominated by software vendors and consulting firms jockeying for position to empty the wallets of our government while minimizing the value they have to deliver. The only hope for the Federal Government is to leverage corporate Enterprise Architects as their review board and remove the profit motive from decision making

  • | | View blog reactions


    Proprietary ECM

    Nowadays, ECM has become a strategy for complying with various legal and regulatory considerations yet customers aren't doing the right thing to ensure that their ECM systems don't end up trapping enterprise documents in a proprietary lockbox...

    I wonder if Jesse Wilkins has any thoughts on making content more discoverable? A more interesting question that I haven't seen talked about is how do ECM vendors recommend migrating from their competitors products? The funny thing is that I haven't seen any migration guides.

    It seems to me that Alfresco and Oracle are stealing a lot of business from Documentum. I would assume that folks are leveraging bulk import utilities or industry standards such as WebDAV to move content from one repository to another, but how do they move the metadata that is associated with it? More importantly, are they forced to reconsile the disparate approaches to ACL models between products? In this situation, the ability to have a markup language such as XACML where it is portable and declarative could ease portability.

    Within J2EE, I can take an application developed for WebLogic and have it running on JBoss is less than a day. I can take a database that ran on Oracle and port it to EnterpriseDB just as fast and it would not only be the data, but the metadata around it and the security model to protect the data as well. If I wanted to migrate a portlet from BEA Portal and embrace Liferay then it is pretty straightforward. How come ECM can't be as simple as other domains in terms of portability?

    I am keenly interested in learning how folks migrate from one product to another, which tools they use, how much of what they do is manual could be turned into a standard and what others believe is the responsibility of software vendors to provide guidance on migrating from competitor products. Let the discussions begin...

    | | View blog reactions


    India names its first female president...

    Indian lawmakers have selected the nation's first female president in a vote seen as a symbolic victory for women contending with widespread discrimination. Now, if America were to only stop pretending that it doesn't have widespread discrimination and step up to solving it. Congrats to folks in India for demonstrating real leadership...

    | | View blog reactions


    Don't buy my book...

    As a co-author of the bestselling book: Enterprise Service Oriented Architectures I came to the conclusion that folks shouldn't buy my book...

    Generally speaking, programming books are a waste of time. Although my book isn't about programming some of the rationale still applies. What if folks spent more time doing instead of reading? Likewise, what if folks understood that there is more to read than programming books? What would happen if we all read classic literature or some of the holy books on Christianity, Judaism or Islam?

    This is not to say that one cannot learn alot about SOA from reading my book as it is jam packed with knowledge. The funny thing about my book is that international sales have now crossed the number of sales in the Americas. I suspect that many developers have taken the atitude that they are not going to read because either they know it already or if the firm wants them to do something new they should get sent on a course, why should they read on their own time? Maybe those folks who think this way shouldn't bother reading Enterprise Service Oriented Architectures and instead should read books on polishing up their resumes...

    | | View blog reactions


    Links for 2007-07-21

  • Smart Space, Hot Folder and Workflows
    Good to see that open source ECM products such as Alfreso are actually showing leadership and making the likes of closed source entities such as Documentum play catch up.

  • ECM Standards, SAML and the DFC
    Laurence, the best solution to getting any vendor to implement functionality is to make sure that their competitors know about it. For example, I am of the belief that John Newton of Alfresco and Billy Cripe are observing the dialog. Likewise, I believe that they may make their own respective sales staff smarter in terms of selling against their competition. Any vendor worth their salt would only let this occur for so long before realizing that they should lead and not follow

  • Wikis and RFPs
    A vendor shares his perspective on the management of RFPs but doesn't comment as to their value. I suspect he deep down believes that enterprises that desire them could be better served by not using them at all. I know that I avoid them like the plague as I believe in proving out working software over reading comprehensive documentation. In fact, in an upcoming book, I am writing chapters on how to make RFPs agile. Besides, everyone knows that this process is ceremony. For example, if I were to ask any ECM or BPM vendor how they support XACML, the response would of course be positive and bullshit

  • | | View blog reactions

    Friday, July 20, 2007


    SSO and ECM

    The SPNEGO Project provides a Kerberos over SPNEGO plugin for Java applications. These are security technologies which can support complex integration scenarios such as single signon (SSO) all the way from your operating system to the ECM platform. It would be interesting to know if Craig Randall knows of an easy way to inject this type of approach into Documentum DFC so that Laurence Hart doesn't have to spend time thinking about it?

    | | View blog reactions

    This page is powered by Blogger. Isn't yours?