For the past couple of months, one of the projects I have been working on is integrating MetaCarta into Window to My Environment (WME). The deep integration is achieved through the use of SOAP calls from within the WME application to the search appliance. Writing the code, parsing the results, and plotting them in ArcIMS was fairly trivial (WME is a legacy ASP / ArcIMS ActiveX Connector implementation).
On the other hand, the task that has been far more daunting is the enterprise security aspect. EPA, like many agencies and enterprises, has guidelines and testing parameters for applications. In the instance of appliance-based technology, and in this era where hardware and software begin to blur (such as routers with embedded Linux), the standard practice of the appliance industry is to build a box that has its own OS, typically Linux-based, that has been stripped of unnecessary functionality wherever possible, locked down for security, and tweaked to optimize device performance. In the process, they typically go through their own security audits as well, and get various security certifications from their target markets.
With MetaCarta, we ended up going through several months of tests and probes by EPA IT security staff; finally the unit emerged, passing with flying colors. We got the unit back in our development environment and finished developing the application in a few weeks. Now, we're again waiting more weeks for the unit to be stood up again at EPA so that the app can be deployed.
It seems to me that this process is overly cumbersome. Perhaps part of the issue, not to blame Linux, is that Linux is so customizable, to the point of being a very different OS from one implementation to the next. The other part that leads to things being cumbersome is that it seems every agency and organization has differing security criteria and concerns. The appliance in question has already been used in DoD and intel applications, which one would think would have extremely stringent security requirements, as opposed to a civilian agency. I would think there should be a certain core set of criteria which go across the board between all customers; this type of common certification would certainly go far, as would acceptance of other agencies' certifications.
Just my humble $0.02...