The Future of Documentum Security in the SOA World

A month or so ago, I asked people to post questions that I would try and get answered at EMC World. Every question had to do with security. Unfortunately, I was unable to track down all the right people to ask the right questions in a timely fashion. Part of this was my fault as I didn’t keep on top of the questions that I had promised to get answered. There was one situation where I was told by person X that I needed to talk to person Y. The irony was that I had spent half an hour the previous night socializing with person Y, never realizing that I should ask that question, and I never saw person Y again.

So if I don’t answer your question, I didn’t ask it and I am sorry. If it is any consolation, I didn’t get all of my questions answered either. So to Robin, no idea about the future of Common Criteria certification. James, I neglected to ask about Ounce Labs and static code testing as a whole (whenever I remembered the question, I was invariably talking to a marketing person and not one of the product managers).

I would like to thank all the product managers for patiently letting me ask my questions repeatedly until we were sure that we were talking about the same thing. I also want to thank Craig Randall for all the time that he spent with me during the conference, and later via email. He was very helpful and worked with me to more fully understand my business scenarios. He successfully directed me to the correct product managers to give the scenarios to directly. Now I am bothering them, leaving Craig to talk about more relaxing topics (at least until my next hard question).

SAML and Documentum

This was a confusing topic. Not because nobody knew what it was or why it was important. It was confusing because the people not involved in the development of SAML support had varying ideas of when it was coming out. Luckily, the people that were supposed to know the answer all gave the same answer.

My favorite answer, and a WRONG answer, was that it would be part of D6.5. This was from some EMC Professional Services consultants who said that they had implemented it for some clients and it would be rolling out in the next release. This was doomed, of course. Their custom implementation, built upon DFS, most likely handled authentication at the application level. Authentication needs to be handled at the server. DFS should accept the encrypted SAML authentication and then pass it to the Content Server for evaluation.

Even if that wasn’t the problem, it is the rare component from Professional Services that makes it directly into the product. From the time frames that I heard, even assuming that it was 90% of the way to completion, it would have been a rush job to get it into D6.5. One should not rush new security implementations.

The official answer is in the D7 timeframe with the release of the full collection of SaaS services. This was said to be, I believe, Q4 2009. That slide went by really fast. As it is over a year away, take that date with a grain of salt. I have heard from several people at EMC that the desire to get it out before that estimate is very strong.

Now, some may say, SAML has applications outside of SaaS and would solve problems now. I am one of those people. I am writing up several more business cases to see if it can happen sooner. I suspect that officially it would have to be D7 based upon their release schedule. I am going to push anyway. If you have a need for SAML, chime in and help.

XACML, I Can Has Feature?

James asked a simple question: is anyone noodling this? The simple answer is Yes! I suspect that James would like to know more, so I will oblige him now rather than wait for the explosion.

XACML had not gotten very much penetration among those I talked to about it. To be fair, I didn’t get to everyone. That said, I think some real progress was made. They all knew what it was already and, to various degrees, saw benefit to supporting it.

As with SAML, I was able to propose several scenarios to multiple product managers about the problem that my clients are about to face in the world of authorization and that their own solutions are facing now. I saw several light bulbs go off. That is progress.

They probably haven’t gone out to put it on the product roadmaps yet, but it is closer. As with SAML, I am putting together scenarios for submission to various product managers. Many will combine the two.

Driving Forces for Standards Support in Products

Speaking purely around Authentication and Authorization, I think that they are beginning to get it. I stressed, especially around authorization, that I didn’t care what standard, just one that is being adopted in the wild that I can use.

There are two drivers for adoption of these standards. One is the market. The more clients, existing and potential, that they hear giving them actual situations for their use, the more likely the standard will be supported in an upcoming release.

I was able to demonstrate how some of their own products would work much better if all the players used these standards. I am going to be getting as many clients as possible to submit these scenarios in the context of their business.

The second driver that I heard directly from EMC was the realization that in order for ECM to become a discipline, rules and best practices need to be defined. Design patterns need to be documented and fleshed out. Standards need to be developed and supported. Standards from disciplines that interact with your own, like ECM with Identity Management, need to be supported.

This is going to be a busy year. I spent the last year learning and raising some awareness in the community. This year I am going to start enlisting people to help me move things forward.

If you want to help now, write the scenarios and be prepared to share them with the community. I will find an organized way to share them with the ECM world, even if we have to start with just EMC for now. The more people that tell me something, the faster I will find a way.

The clock is ticking. Product managers are watching. What’s your move?