Content, Security, and Standards

imageI am about to do what I stopped doing several years ago, start paying attention to James McGovern. Why? Because he is talking about several important issues that need to be dealt with in the industry.

Years ago, James and I discussed Security standards around Identity Management, primarily SAML. While my focus on the time was on Documentum, the issues were universal. Since we last interacted online, James has moved on to HP in an advisory role for clients.

Sadly, the issues we discussed are still prevalent in the industry. In fact, these issues are becoming more important with the advent of new players in the cloud space.

Sure, the new vendors support integrations and work with existing Active Directory installations. That’s nice. So did the established vendors. The problem remains, there is no standard way to pass both Authentication and Authorization.

Advancing Standards

Here’s the thing. The traditional vendors all jumped on board the Content Management Interoperability Services (CMIS) standard. There is even a new version, CMIS 1.1, coming out soon that addresses most of the gaps that people always pointed towards in 1.0.

Of course there are two problems. The first problem is that the cloud-based vendors seem to be ignoring standards. When challenged on this point, they say that the market isn’t demanding standards.

To that viewpoint, I have two things to say. The first is that to be a platform for solutions, you need to support standards. Standards enable people to use your solution as a platform without having to learn your custom API. It also allows for things to work consistently even as the platform evolves.

Second, You can’t be a Leader in an industry if you don’t Lead. This means leading across the board, not just in things that directly drive the bottom line.

That Second Problem

I said there were two problems and I wasn’t kidding. The other issue is the different user and security models across all these solutions.

Now, I’ve visited this problem before. When introducing the concept of Omnipresent Content Management, I stressed that only standards can make this happen and that the Identity Management standards were sadly lacking in adoption.

Let’s take a basic scenario. I’m working in a Case Management system and I’ve attached content to a Case. All my content is stored in a separate, dedicated system. If I’m lucky, some sort of Single-Sign-On is deployed and I don’t have to worry about authenticating multiple times. If I’m really lucky, this is a secure process.

Let’s ask some questions:

  • If I create the content within the context of the Case Management tool, what security is applied to the content? Does it have to be specified explicitly or does it default to something? If it defaults, is the default based upon the context of the Case Management system or the underlying Content Management System (CMS)?
  • Once set, how is the access managed? What if the case gets locked down? Does that security trickle down to the CMS?
  • What if new people are granted authorization to access the case? Do they get granted rights in the CMS?
  • Is there a chance that users could exist in one system and not the other?
  • Can users go into the CMS directly and change the permissions, essentially hiding the content from everyone working on the case?

That is just one basic scenario. The key here is that Authorization to access Content or any Information needs to be managed simply. Let’s think on the Omnipresent Content Management example.

If I have a piece of Content that I want to share with James, I should just grant him access to it without regard for the application he will use to consume it. If I later decide it is a final copy and not a draft, I should be able to lock it down, even after I send him the link.

In essence, if I lock it down, all my sharing rules should adjust.

The trick is that this should be true even if we don’t have any systems for which we both have accounts.


imageThink of email. It just works. If you have an address you can send an email. Simple as that. Why?

Because of the SMTP standard.

That is what we need. We have the CMIS standard which seems committed to evolve with our needs. We still need the Authentication and Authorization standards to match. That includes adoption as well as simple creation.

That will allow people to work together, regardless of their preferred system, in a common manner.

In addition, it will make integrating information between different business systems streamlined and consistent. It makes the world a more open place because any system implementing the standards will work in the greater universe.

As a bonus, standards help people identify those that are serious about the industry and solving the big problems versus those that just want to make a splash.

3 thoughts on “Content, Security, and Standards

    • Peter, thanks. I don’t view Alfresco as one of those “new” vendors. Your cloud offering came after your traditional offering. That isn’t to say that it isn’t awesome that Alfresco is supporting and implementing standards.

      OAuth is a positive step, yet adoption is far from universal. If a vast majority of vendors don’t adopt a standard, it isn’t that much better than a vendor’s API.

      We need to get customers to understand the importance of standards and start insisting on them. It is up to the community to educate them, even if it is one at a time.


Comments are closed.