Thoughts on BPM and Security - James McGovern

Posted by Gary E Smith - THE SOA NETWORK at Saturday, December 23, 2006 4:17 PM and is filed under Blog of Interest
Thoughts on BPM and Security - James McGovern

James raises some good questions regarding security in the BPM space:
  • "External Authorization: Many folks are attempting to use BPM to build composite enterprise applications that may leverage SOA, ECM and so on. The idea says that if I want to optimize people and architecture I may use a BPM engine to manage tasks while storing documents the tasks need in a ECM repository. This of course causes a disconnected security model where BPM engines have their own thoughts on authorization which are different than what ECM thinks. Minimally it does beg the need for having the ability to externalize authorization via a standards based mechanism.
  • Active Directory: It would be pretty difficult to find a large enterprise that doesn't have Active Directory. In today's society since directory services are so pervasive, it no longer makes sense for each and every enterprise application to be creating their own separate and distinct identity store. How come BPM products cannot simply bind at runtime and get their own information instead of requiring enterprises to perform import/syncronization mechanisms. This approach is fugly.
  • Encryption: BPM implementations usually contain highly confidential information and therefore the need to encrypt data that is used in the BPM process is vital. NOTE: Encryption shouldn't equal shared secret as most folks are good at keeping them. How about also providing hooks into PKI mechanisms that don't require keeping a password/key in a configuration file in cleartext? Wouldn't it be useful to tag a process as encrypted so that no matter what it touches, all stuff about it can't fall into the wrong hands?
  • Single Signon: Revisiting the integration between BPM and ECM for a minute, this also begs the need to have a single signon capability. Why do I have to authenticate to each component which is solely based on a dated construct of ID and Password? Likewise, while there are product-specific ways of solving this such as using Netegrity Siteminder or Oracle CoreID, the better way is to support industry standards such as SAML and/or WS-Federation.
  • OpenID: I can't think of a better enterprise scenario for using specifications such as OpenID than to incorporate into a BPM workflow. Having a consistent understanding of identity throughout all business processes would be nirvana.
  • Logging: Have you looked at vendors such as LogLogic? If you have considered even for a second the problem of logging within a BPM context, you would see the need to close this gap.
  • Identity Propagation: As business processes hop from tier-to-tier, so should identity..."
Check out the complete blog at James McGovern's
Enterprise Architect: Thought Leadership Blog:

Thoughts on BPM and Security


___________________________________________________

>> Back to Main Page

Gary E. Smith
SOA Security Architect

 del.icio.us  Stumbleupon  Technorati  Digg 

 
Trackbacks
Trackback specific URL for this entry
  • Trackbacks are closed for this entry.
Comments
  • No comments exist for this entry.
Leave a comment

Comments are closed.