Friday, December 28, 2007

With PassGo we're #10...

IDC's "Worldwide Identity and Access Management 2007-2011 Forecast and 2006 Vendor Shares" has Quest Software listed as #15 in their table on revenue by vendor (report #207609) - just barely ahead of Microsoft.

IDC has PassGo listed as #24. The PassGo acquisition is set to close on January 1st, but if you add up Quest's and PassGo's revenue we jump from #15 to #10. That puts Quest Software solidly ahead of Microsoft and Sun.

My personal stretch goal is to get in the top 5 (software vendors) within the next 5 years...

Monday, December 24, 2007

Happy Holidays Everyone!

I just wanted to take a moment to wish everyone a Merry Christmas, Happy Holidays and all the very, very, very best for 2008.

If you haven't already "Elf'ed yourself" give it a whirl! Hurry, elfing ends on January 2, 2008!

http://www.elfyourself.com/

p.s. Here's ours - http://www.elfyourself.com/?id=1696536927

Tuesday, December 18, 2007

The perils of broken de-provisioning processes...

Interesting ComputerWorld story (Dec 17 issue) on page 36 - "Backing Up on Autoforward". Basically, the story is about an executive who left the company and for two months her e-mail continued to be autoforwarded to her - after joining a competitor!

The author identified the problem pretty directly:

We have a couple of problems. The first is that our employee termination process is broken. Ideally, we would have an identity management tool tied into our various enterprise systems. When an employee left the company, all access to our infrastructure and applications would be quickly removed. Unfortunately, we have neither the budgetary nor the human resources to do that.

I'd say that's a problem! I wonder if they have budget now?
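As an added illustration (mine, not part of the original post or the ComputerWorld story), here is a PowerShell reconciliation check that does the job a working termination process should do: compare the HR leaver list against mailbox forwarding settings and flag anyone who has left but whose mail is still being forwarded somewhere. All names, dates and domains below are constructed. In a real deployment the mailbox records would come from Exchange's Get-Mailbox cmdlet (its ForwardingAddress and DeliverToMailboxAndForward properties; note that ForwardingAddress there is a recipient object, not the plain SMTP string used here) and the leaver list from HR.

```powershell
# Added example: find mail forwarding that survived an employee's departure.
# Not from the post; all data below is constructed for the example.

# Constructed HR leaver list: who left and when.
$Leavers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe'; TerminationDate = [datetime]'2007-10-15' }
    [pscustomobject]@{ SamAccountName = 'mroe'; TerminationDate = [datetime]'2007-12-10' }
)

# Constructed directory/mailbox snapshot (in production: Get-ADUser / Get-Mailbox).
$Mailboxes = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   AccountEnabled = $false; ForwardingAddress = 'jdoe@competitor.example';        DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ SamAccountName = 'mroe';   AccountEnabled = $false; ForwardingAddress = $null;                            DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ SamAccountName = 'asmith'; AccountEnabled = $true;  ForwardingAddress = 'asmith.assistant@corp.example';  DeliverToMailboxAndForward = $true }
)

function Find-LeaverForwarding {
    param(
        [Parameter(Mandatory)] [object[]] $Leavers,
        [Parameter(Mandatory)] [object[]] $Mailboxes,
        [datetime] $AsOf = (Get-Date),
        [string] $InternalDomain = 'corp.example'   # assumption: the company's own mail domain
    )
    # Index the leavers by account name so each mailbox is a single lookup.
    $leaverIndex = @{}
    foreach ($l in $Leavers) { $leaverIndex[$l.SamAccountName] = $l.TerminationDate }

    foreach ($mb in $Mailboxes) {
        if (-not $leaverIndex.ContainsKey($mb.SamAccountName)) { continue }   # still employed
        if ([string]::IsNullOrEmpty($mb.ForwardingAddress)) { continue }      # nothing being forwarded
        # Disabling the account does not stop server-side forwarding: the transport
        # keeps delivering to the forwarding address, which is exactly the story's failure mode.
        [pscustomobject]@{
            SamAccountName       = $mb.SamAccountName
            ForwardingAddress    = $mb.ForwardingAddress
            AccountEnabled       = $mb.AccountEnabled
            DaysSinceTermination = [int]($AsOf - $leaverIndex[$mb.SamAccountName]).TotalDays
            External             = ($mb.ForwardingAddress -notlike "*@$InternalDomain")
        }
    }
}

# Run the check as of a constructed date; only jdoe (left, still forwarding externally) is reported.
Find-LeaverForwarding -Leavers $Leavers -Mailboxes $Mailboxes -AsOf ([datetime]'2007-12-17') |
    Format-Table -AutoSize
```

Run on a schedule, the same check catches the gap the article describes long before two months have gone by; an External flag on a leaver's forwarding is the line item to treat as an incident, not a cleanup task.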

Monday, December 17, 2007

University of Manitoba buries their mainframe

Funny YouTube video of the burial of the University of Manitoba's mainframe. I love the part where someone places a DASD spindle in front of the box - brings back old memories. That spindle probably represents a few megabytes at best.

Oh those heady days...

Google's identity problems

This will not be pretty.

I read an interesting blog post about Google "Profiles" this weekend. Here's the nut of the problem:

In the early days of Google Apps the only way to sign up was by linking to an existing Google Account, in the format of myname@gmail.com. If you have one of those accounts, there is no way to tell Google that you are now myname@mydomain.com. This means that Google Apps think of your original @gmail and new, @domain identities as two different ones. You can directly access (via URL) your own Calendar, Docs, Groups ..etc. all under your own domain, however, programs that need to access those apps only find the other version, attached to your @gmail.com account. A simple example is trying to save an event from Upcoming.org, Zvents, or any other services: there’s no way to use them with your own domain.

Even the Google Groups is messed up: when I am logged in as myname@mydomain.com, Groups that I am a member of won’t recognize me. I actually have to have duplicate identities created in Google Groups: one to be able to send email (my own domain) and one to be able to access Group’s other features via the browser (@gmail format).

I'm not positive about this but I wonder if a federation-based solution using something like Microsoft's CardSpace on the front-end would help. That said, the bigger issue is the Google "namespace" on the back-end. I wonder if their directory supports aliasing? I think the ability for an end-user to have multiple aliases might solve the problem - user provisioned, of course. I'm sure Google isn't using Active Directory as their back-end server. Good thing because it doesn't support the concept of aliases. If Google wants to enable federation for their customers they have to solve this problem.

Of course, there is another alternative: Don't solve the problem. Hopefully, this option is not on the table.

Friday, December 14, 2007

European version of the Japanese "tube" hotel

A friend of mine pointed out the new "Yotel" which seems to be a (slightly) bigger version of the Japanese tube hotels. So if you are ever over in Gatwick, Heathrow or soon Schiphol (Amsterdam) you can try one out. I certainly will.

Everything you would expect from a luxury hotel in a small space. Located uniquely inside the airport terminal buildings at London Heathrow’s Terminal 4 and London Gatwick’s South Terminal. Just moments walk from check in, arrivals and minutes from the other terminals. YOTEL opens at Schiphol Airport, Amsterdam in early 2008.

Tuesday, December 11, 2007

No pooh-pooh anymore

Last year I commented that Dave Kearns pooh-poohed the Gartner Identity and Access Management conference. This year, Dave attended the show and revised his view in a positive way!

Quest Software attended again this year and signed up for next year. So we voted with our check book. It's a great conference!!

Monday, December 10, 2007

Speaking of authorization...

James McGovern asked in a recent post: "In the same way that Kim Cameron is running around Microsoft rallying for the need to rationalize identity, I wonder who his peer is for doing something similar with authorization?" I actually wonder, too. Is it (or should it be?) my buddy Don Schmidt over at Microsoft? I don't know but it is about time for an authorization czar over there.

While I was thinking about this I stumbled across a post and a video that shows how to create and add roles to Microsoft's System Center Operations Manager 2007. As I watched the video I was pleasantly surprised to see that they really did use Active Directory users to "fill" the roles that they demoed. A nice step forward but are they open to enhancing that capability?

What you have enabled in SCOM 2007 is the ability to define a static role and a static set of users who fit that role. Who is maintaining the role and the users? Well, the SCOM 2007 administrator is. Every time a new user needs to be added to a role or a new role is required that admin has to do the work. You've basically shuffled the work from the help desk or Active Directory administrator to the SCOM 2007 administrator - that's just a shell game with no real productivity gain.

I'd recommend that you virtualize the user side of this equation. Specifically, most users in Active Directory have a series of attributes attached to their object such as title, manager, office location, phone number, etc. A role should be able to have attributes and specific values assigned to it, so that the role can be checked dynamically at the time of use to see whether a user is authorized for that function. An example might be that you'd like everyone who has the title "SQL Administrator" to be able to manage and operate the monitoring of the SQL servers. This is easier than every new SQL Administrator having to email you to be added to the role manually. And, when they get promoted to "Product Manager" they automagically get dropped from that role - again, without the need for an email to you, Mr. SCOM2007 Administrator.

This way you enable the directory to do the work for you. I call that improving efficiency - yours.
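To make the attribute-driven role idea concrete, here is an added PowerShell example (mine, not from the post and not a SCOM 2007 feature): roles are defined as sets of required directory attribute values, and membership is computed from the user object every time it is checked instead of being kept in a static list. The role names, attribute values and user records are constructed; in a real directory the user objects would come from Get-QADUser or Get-ADUser and carry the same attribute names.

```powershell
# Added example: attribute-based role evaluation. Role definitions and users
# below are constructed; nothing here is SCOM's own role model.

# Each role names the attribute values that qualify a user. Several values per
# attribute are allowed (OR); several attributes must all match (AND).
$RoleDefinitions = @{
    'SQL Monitoring Operator'      = @{ Title = @('SQL Administrator', 'Senior SQL Administrator') }
    'Exchange Monitoring Operator' = @{ Title = @('Messaging Administrator'); Department = @('IT Operations') }
}

function Test-RoleMembership {
    param(
        [Parameter(Mandatory)] $User,                        # any object exposing the referenced attributes
        [Parameter(Mandatory)] [hashtable] $RoleDefinition
    )
    foreach ($attribute in $RoleDefinition.Keys) {
        $actual = $User.$attribute
        # A missing or empty attribute never qualifies: fail closed rather than open.
        if ([string]::IsNullOrEmpty($actual)) { return $false }
        if ($RoleDefinition[$attribute] -notcontains $actual) { return $false }
    }
    return $true
}

function Get-RoleMembers {
    param(
        [Parameter(Mandatory)] [string] $RoleName,
        [Parameter(Mandatory)] [object[]] $Users
    )
    $definition = $RoleDefinitions[$RoleName]
    if (-not $definition) { throw "Unknown role: $RoleName" }
    # Evaluated at call time, so directory changes take effect on the next check.
    $Users | Where-Object { Test-RoleMembership -User $_ -RoleDefinition $definition }
}

function Show-RoleReport([object[]] $Users) {
    foreach ($role in $RoleDefinitions.Keys) {
        $members = @(Get-RoleMembers -RoleName $role -Users $Users | Select-Object -ExpandProperty SamAccountName)
        "{0}: {1}" -f $role, ($(if ($members) { $members -join ', ' } else { '(no members)' }))
    }
}

# Constructed sample users; in practice these come from the directory.
$Users = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Title = 'SQL Administrator';       Department = 'IT Operations' }
    [pscustomobject]@{ SamAccountName = 'bjones'; Title = 'Product Manager';         Department = 'Product' }
    [pscustomobject]@{ SamAccountName = 'clee';   Title = 'Messaging Administrator'; Department = 'IT Operations' }
)

"--- before promotion ---"
Show-RoleReport $Users

# The promotion from the post: the title changes in the directory and the next
# evaluation drops asmith from the SQL role with no ticket to the SCOM admin.
$Users[0].Title = 'Product Manager'
"--- after promotion ---"
Show-RoleReport $Users
```

The important design choice is the fail-closed branch in Test-RoleMembership: an account with a blank title gets no role rather than an accidental one, which is what you want when HR data feeding the directory is incomplete.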

It bothers me that at Microsoft this stuff isn't leaking through faster into everyday design and architecture...

Saturday, December 08, 2007

New York City and Food Poisoning

As I mentioned previously I visited New York City last week to meet with customers and partners. I'll post about those meetings next week but thought I'd post about my first experience with food poisoning. Why? The ensuing dialog - after the fact - with some of our local sales execs:

Sales dude: "Let's go down to the cafe and get some pizza."

Jackson (in a stage whisper): "Yah, they'll give you food poisoning like they gave me. It's included in the price."

Sales dudes all board the down elevator with me: "What happened?"

Jackson: "I ordered a peppered turkey sandwich with mayo and spent the night feeling like I was going to die."

Sales dude: "You ordered an already prepared sandwich out of the case or you had them make one in front of you?"

Jackson: "One from the case."

Sales dudes (all laughing): "Of course you got food poisoning! You don't get an already prepared sandwich from a New York City deli, you get one freshly made in front of your eyes. Where are you from anyway?"

Jackson (sheepishly): "Seattle"

Sales dude: "Oh, from the country, eh? First trip to the City? Welcome to New York."

Sales dude (as elevator door opens) to other sales dudes: "So it's to the cafe then for their freshly made pizza. Jackson, you up for a slice?" (insert sales dudes laughter here)

Friday, December 07, 2007

Federation? Oh, you mean Star Trek!

Had to laugh at this one. I know that we all - including me - have the tendency to start breathing our own exhaust. This posting by Ping Identity brought back to mind a humorous comment that took place in a focus group market study I did on federation a few years back...

We asked the participants to write out a definition to a series of directory-related terms. We actually ran the focus groups in 3 cities (Chicago, New York and LA) and had 3 focus groups in each city (2 for enterprise-size companies and 1 for small/medium businesses). We filmed and taped the sessions which were professionally moderated. The participants did not know that Microsoft was "behind the glass".

When I presented the findings back in Redmond I did out-takes from the videos to highlight the unusual or interesting. The piece that drew the greatest laugh was when an attendee put up their hand to ask for clarification on what we meant by the term "federation". His question:

"Do you mean like Star Trek?"

Have we progressed much further than that in the last 3-4 years? I'm not sure. I think the average IT director/administrator/manager, CxO, and CISO probably would ask the same question today.

What do you think? Scotty, will we ever get this bucket to warp speed?

It's the Directory, Stupid

I've caught up on e-mail - now I'm catching up on my Google Reader and the 677 unread blog items in it. One of the first items I saw caught my eye immediately - "It's the Directory, Stupid", an e-Week article which I saw over at my friend Don Bowen's blog: Wizard of IdM.

Here's the gist of Jason Brooks' article:

Until Red Hat, Novell, or another party focuses around open-source directory services, Linux will be stuck playing catch-up with Windows 2000.

Well, how can I disagree with that? Especially since I was part of the Windows 2000 - and most specifically - the Active Directory launch team! However, it is a pretty sad commentary when basically you are saying that Active Directory is the thought leader. Yes, it is the market leader - absolutely and without a doubt. However, like any product Active Directory has its own set of warts that Microsoft hasn't cleaned up nor are they showing any particular leadership towards Active Directory V2. (Please! Don't get me started on schema modifications!!)

All that said, I'd recommend Jason - and others - take a look at what's going on over at Apache's Directory Project - I find it pretty intriguing. Lots of potential...

ApacheDS is an embeddable directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Besides LDAP it supports Kerberos 5 and the Change Password Protocol. It has been designed to introduce triggers, stored procedures, queues and views to the world of LDAP which has lacked these rich constructs.

I love how they have bowed to incorporating two-factor authentication into the directory via their "Triple Sec" product along with an Eclipse-based directory studio. What better way to move to a services-oriented architecture than with a well thought out, Java-based directory service?

Are you a Quest employee visiting New York City?

Take my advice and do what I did - stay in our corporate apartment in Hoboken, NJ. I know, that was my first reaction: Hoboken? Why the heck would I want to stay there??!!
  • It has an amazing view of the Manhattan skyline by day and, especially, at night.
  • It's on the Hudson River. Any more "on" and you'd be in it.
  • It's "free", 3 bedroom, kitchen, TV, wi-fi, phone, multiple bathrooms and a balcony overlooking the river and the skyline.
  • Grocery, liquor and drug store within a 2 minute walk.
  • It's a $7 ferry ride from the foot of the apartment to Pier79 in Manhattan (39th Ave) or to the World Trade Center ferry terminal. Easy subway or cab from there. Free bus service from the ferry, too.
  • Washington Street in Hoboken is a block away and it has lots of great restaurants and pizza places.
  • Frank Sinatra was born in Hoboken - if it was good enough for him...

Also, I was shocked when our corporate travel folks booked me in the Sheraton Suites in Weehawken, NJ at ~$450/night. Manhattan hotels were +++$650/night! Even on an expense account I cannot stomach paying this much for a hotel room.

Interested in checking it out? Shoot me an e-mail, I'll hook you up!

PassGo, Forrester, New York City & food poisoning

So much news and so little time to write but a deluge is coming...

- Quest to acquire PassGo

I am SUPER EXCITED about this acquisition!

- Forrester shows Quest Software as leader in their Active Directory Management Solutions wave

Nice proof point of the innovation and fine work that our product management team has been doing over the last few years.

- Lots of notes from my meetings in New York City including my bout with food poisoning (redacted version).

More shortly!

Saturday, December 01, 2007

Would you help me? My PC is...

I'm sure we've all heard this. Yesterday, I spent about 2.5 hours at a friend's house working on her PC problem. She's a semi-pro photographer and makes a decent living from taking pictures of the kids in the local schools and selling the shots to the parents.

The situation for her was that she had some kind of a trojan that kept telling her that her machine was infected, slow or hijacked, and then it would bring up a web browser pointed at a site to download some software to solve the problem. I'm sure there's no connection between the trojan and the site/software that is brought up in the browser. Some interesting reminders came out of the house call:

  1. People, if you don't have an AV (anti-virus) program installed you are nuts. Get with the program. There are two types of computer users: Those that have been affected by a virus/trojan/malware and those that are about to be.
  2. Are you doing backups? If not why not?
  3. Are you checking that your backups actually work? Try restoring a file sometime and see what happens.

Oh, and a rant for Norton's product: I told my friend to drive over to Circuit City, grab Norton, install it and she'd be okay. I was wrong. COME ON YOU GUYS! Don't sit there telling me that the "hijack" has been taken care of and then have it pop right back up again. Idiots.

Raves for Microsoft. I went to their web site where they offered me a virus scan. They found the problem and eliminated it - for FREE. Stick that in your pipe and smoke it Mr. Thompson (CEO, Symantec) - looks like Microsoft one-upped you in your own back yard.


December is announced with snow in Seattle


Technically, this is a picture taken in Bellevue, WA which is east of Seattle and closer to the mountains. However, it is very uncommon for us to get snow. That said, it was very nice to wake up to this scene.

I wonder if this winter we will see much more snow?

Tuesday, November 27, 2007

Jackson's upcoming tour dates...

Once business planning is over (this week - yay!) I'll be heading to New York City and Salt Lake City during the first week of December and visiting with a multitude of customers. Second week I'm in Chicago doing the same! During my NYC visit I'll be presenting with Microsoft and Unisys at a breakfast for CIOs that looks like it will be well attended - I'm looking forward to that.

As usual, I'll post a summary of my significant learnings after the fact.

Sunday, November 25, 2007

Thanksgiving in Leavenworth, WA

Leavenworth, WA

We spent a couple of nights in Leavenworth, WA over the Thanksgiving holiday. It's about 2.5 hours from Seattle on the east side of the Cascade Mountains. In fact, it is almost due east of where we live. Leavenworth is known as "Washington's Bavarian Village" and if you check out the pictures you'll see some examples of the Bavarian architecture. You'll also see another thing they are famous for: their Christmas lights. In fact, this year they are being honored by Good Morning America...

Good Morning America Comes to Leavenworth

Good Morning America is doing a new segment called "Good Morning America Lights Up The Holidays". They will be doing a live feed from Leavenworth to begin Good Morning America's show in New York.

The special will take place for 5 days ONLY. We were selected as one of the top 5 in the United States for the filming of our Christmas celebration.

The Good Morning America film crew arrived November 15 under bright blue skies to film Leavenworth preparing for the upcoming Lighting Ceremony. These shots will be used as teasers to entice viewers to watch the show and some of the clips will be used on the 29th with the live feed.

Good Morning America host Sam Champion will be here for the live feed to New York City on November 29th from 4-6AM as we light our town. They encourage everyone to be here at 4am. Hot beverages and roasted chestnuts will be available. Come join the party!

This is unbelievable coverage for us and we invite you to join in the fun. We will be roasting chestnuts and serving hot coffee. Since the feed is live to New York after the fun we can tune in to Good Morning America at 7am our time to watch the show.


Try and check it out, if you can - or, Tivo it!

Thursday, November 22, 2007

Happy Thanksgiving you turkeys!

Happy Thanksgiving to everyone. For those that haven't seen a picture of a wild turkey see below. They don't naturally have all white feathers!

It's a time for friends and family - enjoy!

Tuesday, November 20, 2007

PowerShell AD/v-card utility

Recently, I wanted to grab someone's contact details out of Active Directory, save them as a v-card and send the v-card to a friend. It's not so trivial to do that manually so I wondered how it might be done in PowerShell - and, I'll admit, how I could get someone else to build the utility for me - so I talked to our resident PowerShell guru Dmitry Sotnikov.

Dmitry quickly whipped up a script for me, ran it through his powerful quality control process ("Here, see if this works!") and I was off to the races. Dmitry blogged about the v-card tool and recently told me that there have been significant downloads of it. It was even picked up on both the MSDN PowerShell and Windows PowerShell blogs.

Check it out...

Our local identity management guru Jackson Shaw tasked me with giving him an easy way to export contact information from the corporate address book so you can then send it to someone for their reference. The standard format for Outlook to import contact information is vCard, but the problem is that Outlook can export to vCard only personal contacts, but not GAL entries. Needless to say, PowerShell is the answer.

This is the command-line which solves the task:

Get-QADUser "Dmitry Sotnikov" | Out-vCard

This will locate a user in your AD whose name is "Dmitry Sotnikov" (which probably means you work for Quest) and create a file "Dmitry Sotnikov.vcf" at the c:\ drive root.

If you want to export all members of a DL - this will work too:

Get-QADGroupMember DL.ProjectA | Out-vCard

This will create a vCard for each DL member.

And because it only reads data from your Active Directory you don’t need any administrative privileges. This will work for any domain user.

To make this work you need to:

  1. Install PowerShell and AD cmdlets.
  2. Copy/paste the following function into the PowerShell command-line shell before running the commands, or add it to your profile (My Documents/WindowsPowerShell/profile.ps1):
function Out-vCard {
    # Each object coming down the pipeline (e.g. from Get-QADUser) becomes one .vcf file in the root of C:
    $input | ForEach-Object {
        $filename = "c:\" + $_.Name + ".vcf"
        # Start from an empty file if one with this name already exists
        Remove-Item $filename -ErrorAction SilentlyContinue
        add-content -path $filename "BEGIN:VCARD"
        add-content -path $filename "VERSION:2.1"
        # Structured name: last name; first name
        add-content -path $filename ("N:" + $_.LastName + ";" + $_.FirstName)
        add-content -path $filename ("FN:" + $_.Name)
        add-content -path $filename ("ORG:" + $_.Company)
        add-content -path $filename ("TITLE:" + $_.Title)
        add-content -path $filename ("TEL;WORK;VOICE:" + $_.PhoneNumber)
        add-content -path $filename ("TEL;HOME;VOICE:" + $_.HomePhone)
        add-content -path $filename ("TEL;CELL;VOICE:" + $_.MobilePhone)
        add-content -path $filename ("TEL;WORK;FAX:" + $_.Fax)
        # Work address as a single ADR line assembled from the separate AD attributes
        add-content -path $filename ("ADR;WORK;PREF:" + ";;" + $_.StreetAddress + ";" + $_.PostalCode + " " + $_.City + ";" + $_.co + ";;" + $_.Country)
        add-content -path $filename ("URL;WORK:" + $_.WebPage)
        add-content -path $filename ("EMAIL;PREF;INTERNET:" + $_.Email)
        add-content -path $filename "END:VCARD"
    }
}

Note that the script is something I put together in 15 minutes to help Jackson, so it still needs a few improvements when I have time:

  • Need to add an optional parameter for the output folder.
  • Need to actually look at vCard spec to make sure all attributes translate right.
  • Need to look whether I need to check whether attributes are present. Does vCard format permit empty values or should their keys be in that case omitted?

Anyways, this seems to solve the task for now, I hope I have a few hours later to make it perfect. Feel free to do so yourself if you are interested.
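Added example (mine, not Dmitry's script): a version of Out-vCard that picks up the to-do items above. It takes an output folder parameter, writes a property line only when the attribute actually has a value, puts the ADR fields in the positional order the vCard format expects (PO box;extended;street;locality;region;postal code;country), and sanitises the file name since it is built from directory data. It accepts any pipeline object exposing the same property names as the original (Name, FirstName, LastName, Company, Title, PhoneNumber, HomePhone, MobilePhone, Fax, StreetAddress, City, PostalCode, Country, WebPage, Email), so it works with Get-QADUser output; the sample contact at the bottom and the default output folder are constructed assumptions.

```powershell
# Added example: Out-vCard with an output folder parameter and empty attributes
# omitted. Not Dmitry's code; sample data below is constructed.

# Append "KEY:value" only when there is a value, so the .vcf never carries empty
# lines such as "TEL;HOME;VOICE:" for attributes that are blank in AD.
function Add-vCardLine([System.Collections.Generic.List[string]] $Lines, [string] $Key, [string] $Value) {
    if (-not [string]::IsNullOrWhiteSpace($Value)) { $Lines.Add("${Key}:$Value") }
}

function Out-vCard {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $InputObject,
        # Assumption: default to the user's Documents folder instead of the root of C:
        [string] $Path = (Join-Path $env:USERPROFILE 'Documents')
    )
    begin {
        if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    }
    process {
        $u = $InputObject
        $lines = New-Object System.Collections.Generic.List[string]
        $lines.Add('BEGIN:VCARD')
        $lines.Add('VERSION:2.1')
        Add-vCardLine $lines 'N'  ("{0};{1}" -f $u.LastName, $u.FirstName)
        Add-vCardLine $lines 'FN' $u.Name
        Add-vCardLine $lines 'ORG' $u.Company
        Add-vCardLine $lines 'TITLE' $u.Title
        Add-vCardLine $lines 'TEL;WORK;VOICE' $u.PhoneNumber
        Add-vCardLine $lines 'TEL;HOME;VOICE' $u.HomePhone
        Add-vCardLine $lines 'TEL;CELL;VOICE' $u.MobilePhone
        Add-vCardLine $lines 'TEL;WORK;FAX' $u.Fax
        # ADR is positional: pobox;extended;street;locality;region;postalcode;country.
        # Only emit it when at least a street or city is known.
        if ($u.StreetAddress -or $u.City) {
            Add-vCardLine $lines 'ADR;WORK;PREF' (";;{0};{1};;{2};{3}" -f $u.StreetAddress, $u.City, $u.PostalCode, $u.Country)
        }
        Add-vCardLine $lines 'URL;WORK' $u.WebPage
        Add-vCardLine $lines 'EMAIL;PREF;INTERNET' $u.Email
        $lines.Add('END:VCARD')

        # The file name comes from directory data; replace characters Windows will not accept in a name.
        $safeName = ($u.Name -replace '[\\/:*?"<>|]', '_')
        $file = Join-Path $Path "$safeName.vcf"
        Set-Content -LiteralPath $file -Value $lines -Encoding ASCII
        Get-Item -LiteralPath $file     # hand the written file back to the caller
    }
}

# Constructed sample contact; in practice pipe Get-QADUser or Get-QADGroupMember output in.
$sample = [pscustomobject]@{
    Name = 'Alex Example'; FirstName = 'Alex'; LastName = 'Example'; Company = 'Example Corp'
    Title = 'Directory Architect'; PhoneNumber = '+1 555 0100'; HomePhone = $null; MobilePhone = ''
    Fax = $null; StreetAddress = '1 Example Street'; City = 'Exampletown'; PostalCode = '00000'
    Country = 'USA'; WebPage = 'http://www.example.com'; Email = 'alex.example@example.com'
}
$sample | Out-vCard -Path (Join-Path $env:TEMP 'vcards')
```

With the sample above the HOME, CELL and FAX lines are simply absent from the resulting file rather than written with empty values, which is the behaviour Dmitry's third question is asking about.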


Monday, November 19, 2007

Superuser

James McGovern had a comment on my re-cap of Ant Allan's session on privileged user management:

I wonder if Jackson Shaw will acknowledge that the real reason identity management vendors aren't solving for this problem is that they believe that this should be a separate and distinct product and their customers are too stupid to know better.

I'm not sure if that's the reason or not, James. I had a long discussion after the session with Ant Allan and I asked him why he thought more identity management vendors were not involved in this corner of the identity business. After all, none of the usual suspects have products in this area: Sun, Microsoft, Novell. His answer was quick and short: There's not enough services revenue required for these products.

I'm not sure how true that is but I will report back to you on that. Quest Software has OEMed PassGo's privilege management products so once we have some more experience with them I'd be happy to share further.

Friday, November 16, 2007

What a blague!

I'm sitting in the LAX airport - what a hole - waiting for my flight to Seattle so I'm doing e-mail, of course. I happened to come across this and said to myself "What a joke!". For some reason my brain burped and the French word (or is it a Quebecois word?) for joke popped out: blague

So here's the blague...

The OASIS IDtrust Member Section, http://www.oasis-idtrust.org/ , is pleased to co-sponsor the 7th Symposium on Identity and Trust on the Internet (IDtrust) 2008 – formerly known as the PKI R&D Workshop. The event will occur on 4-6 March 2008 at the NIST facility in Gaithersburg, Maryland.

What cracked me up was the "formerly known as the PKI R&D Workshop". So my question to myself was: Is this just simply a PKI R&D Workshop warmed over to attract more people to it or is it really about Identity and Trust on the Internet? I agree with the rename from a marketing perspective. Imagine Kentucky Fried Chicken being marketed as "Hot, Dead Chicken" - they might want a rename, too.

I thought 2007 was the year of PKI so why rename the workshop? (Some old timers will get this blague, I hope)

Have a good weekend everyone. I'm glad you're not sitting here at LAX with me.

Getting to the problems of the root: Effective and efficient management of superuser privileges and shared account management

So, it's day 3 of the Gartner IAM conference and my first session is the above being hosted by Gartner's Ant Allan. I've blogged before that many (most, all) of the IAM vendors have either forgotten or avoided how to control superuser privileges.

Apparently, Apple has done a good job in Mac OS X handling the superuser and privilege management problems. I'll have to take a look at it.

Why are vendors building kernel-intrusive products to manage these privileged users? It seems crazy to me. If you are the vendor - why not simply fix the darn problem to begin with?! Making a tool kernel intrusive means you are reliant on the vendor to update the tool when the OS is updated otherwise you can't upgrade your systems. Additionally, and worse(!), who the heck wants a kernel intrusive tool anyway? That's a freakin' recipe for disaster ladies and gentlemen - "Please wait while I swap out parts of your operating system for these specialized components that will protect you better." - Ya, right - don't let the door hit you in the rear while you leave...

Who are the key vendors in this space (according to Ant)?

  • On Unix/Linux: fortefi, PassGo, OSM, S4 and Symark (Quest has OEM'ed the PassGo product)
  • On Windows: dotNet factory, NetIQ, Quest (hooray!)
  • z/OS: IBM, Vanguard, Powertech, betasystems
  • Superuser (i.e., kernel intrusive) tools: CA, foxt, IBM
  • Network level: eDMZ, Xceedium

Fisher and M-Tech both come from the provisioning world and have pushed into the "superuser privilege management" space. Not surprising.

Interesting that nothing was mentioned for managing database admin passwords and those types of privileged accounts. Ant does not think the major IAM vendors are going to embrace these types of scenarios - which is stupid.

Ant's recommendations...
  • Minimize the number of users with full superuser privileges - This one is obvious
  • Eliminate shared passwords for shared accounts - Indeed
  • Eliminate hard-coded passwords for service accounts - Yes, please! Hearing that someone had one hard-coded for 18 years made my stomach turn.
  • Look for tools from your preferred IAM vendors - Don't hold your breath.

OK, that's it from me here at the Gartner conference. I'm heading back home to Seattle - from sun and fun to wet and wild!

Have a great weekend everyone!


Thursday, November 15, 2007

Microsoft's Identity Vision and Strategy

Microsoft presented their vision and strategy today here at Gartner. They managed to bring up a customer (NewEgg.com) to talk about what they've done with Microsoft's Identity Lifecycle Manager product. Always good to have a customer talk about their experience! (see notes at the bottom of this post)

I thought it was funny that the presenter mentioned that too many people didn't know about Microsoft's fine certificate (X.509) server that is built into the server platform. I agree, it is a great solution and people don't know about it. With all the push around security you'd think they might trumpet this a bit more.

I blogged about this in the past but again noticed that they don't mention BizTalk server in their architecture slides even though BizTalk has an enterprise single sign-on service built into it along with other identity-based services. I'm more surprised that BizTalk is not mentioned because both BizTalk and the other IDM-related technologies all come under the same vice-president at Microsoft (Robert Wahbe).

They're still saying that ILM "2" and ADFS "2" will be released in 2H08. ILM "3" was mentioned for the first time (at least to me) as being released 18 months after ILM "2" and it will be focused around integration of all the components into a single offering - so I guess that's sometime around 2010 or 2011?

One happy thing was that I didn't see any of the slides I had authored while I was at Microsoft being used in this presentation!

NewEgg presentation

NewEgg's drivers were regulatory compliance, management of user entitlements and secure access to the network. They use Active Directory as their core identity repository so going with Microsoft certainly made sense especially when you add in the fact that their collaboration platform is Exchange 2003. Interesting that NewEgg is using Remedy for their workflow and trouble tickets. They integrated with Remedy over web services. They deployed the system in 180 hours - so less than two months - that's really awesome especially when you consider that they needed to integrate SAP and they had no common attributes across the various systems.

As a next step NewEgg did mention that they might use CardSpace for external authentication to their e-commerce site!

Identity as Application Infrastructure: Evolution or Revolution?

It's the second day of Gartner's conference and I'm sitting in this talk being given by Earl Perkins and Neil MacDonald. Neil focused on the vision of the service-oriented enterprise and how abstraction and de-coupling of identity services (provisioning, authorization, "security") is the way that we introduce fluidity to the enterprise. Of course, identity is at the center of this fluidity - or, to put this another way, enabling fluidity depends on driving application-enabled identity services. Folks need to check out the "Services Modeling Language" draft standard that helps to abstract this.

Earl spent some time talking about how roles-based access control is the linchpin for process security models and how there's an impedance mismatch in a lot of cases between roles in HR, groups in your directory (role proxies) and general inconsistency. RBAC is critical to this evolution but, as they say, the devil is in the details here. I personally am not sold that we have solved this problem from a business perspective yet. However, there are no problems - only opportunities, right?!

I see how we are moving from the "metadirectory" approach to identity to the "proxy"-based approach to SOA for delivering the security and identity characteristics and functions that the applications require. So will we have the same types of problems we have experienced except now at the SOA level? Vendor A provisions well to Oracle but lousy to Active Directory?

I do believe this will be the future. However, I remember that in 1996 Netscape's LDAP Directory server started to take off and customers started demanding integration in order to externalize authentication. Here we are nearly 12 years later and we still have lots of problems here. What Earl and Neil are talking about is a much bigger change - where will we be in 2019 twelve years from now? Will we be further ahead than where we are today with externalizing authentication? By then I won't care because I'll be on a beach somewhere with an umbrella-decorated cocktail in my hand - retired.

I'm not making light of what Earl and Neil are saying. They are sharp guys and I do agree that we need to get there but inertia can be a very, very, very powerful force.

Do you think that virtualization might be the force that can overcome the inertia? Maybe, maybe.

What do you think?

Wednesday, November 14, 2007

Everything You Know About Identity Management Is Wrong

Gartner's Neil MacDonald spoke on this topic. I have to say the title absolutely intrigued me so I had to be here. How could you not like a presentation where the speaker mentions Banyan VINES during his intro?!

Neil believes we are nearing a revolutionary change in identity management.

"Too many IAM vendors, too much complexity, too many products and you are paying too much." -- hear, hear!!!

Put identity and security administration in the business units - not in the high priced security professionals hands. If we can't achieve that then we have failed.

Key trends according to Neil: (Neil in italics - my comments not)

  1. Security-service oriented applications will require security-as-a-service, including identity services. Clearly what Cisco is thinking isn't it?
  2. Identity Becomes Application Infrastructure (aka authorization or entitlement application). As I have stated before, this is the next "battleground".
  3. Business Process Management Services as a new starting point for application development.
  4. ERP as a new center for identity-centric application services. Clearly what SAP was thinking with their MaxWare acquisition. ERP is the starting point isn't it?
  5. Context delivery architecture. What you need is what you get services - and it needs to be federated.
  6. Grid computing and virtualization. Traditional security approaches tied to physical characteristics will fail and externalized policy management (security, identity) are absolute requirements.
  7. The Rise of identity-aware applications and sites. As I mentioned in a previous post it is these type of applications (e.g., SharePoint) that will drive federation and federated identity. Have you looked at OpenSocial yet? You need to (so do I)!
  8. The impending collision of consumer and enterprise identities. Who hasn't seen this one coming?
  9. Convergence in multiple dimensions: Of IAM point products, into platforms, into services, of mature security infrastructure into operations.
What are organizations doing wrong and how should they be doing it differently?
  • Thinking of IAM as a collection of products or projects. It's not, it's a set of inter-related processes. We're moving from IAM suites of products to suites of IAM services.
  • Overlooking the synergy between middleware and IAM. Neil pointed out how Microsoft has moved to one workflow platform and set of connectors based on BizTalk in order to reduce cost and complexity. Now if MIIS/ILM was also using those same connectors and vice-versa wouldn't that be nice? I loved this point on this slide: "Don't assume legacy IAM vendors are best positioned for the future application- and process-centric requirements of identity infrastructure." I agree - some of those legacy guys are going to die off.
  • "I've implemented RBAC...I'm done" - Neil says the root cause of this problem isn't too many roles, it's a lack of governance and automation (creation and destruction). Role management needs to be a part of provisioning solutions.
  • Requiring application programmers to code to LDAP. - Externalizing authentication and authorization is a pre-requisite for applications. Neil believes there are viable commercial solutions (e.g., Layer7, BitKoo) available today to make this happen.
  • Thinking HR is the trigger for all things user provisioning-related. Yes, HR for hires and fires but what about role changes? Does that have to go to HR in order to make something happen?
  • Information security administers all security, including user/role assignments. Business units must assume the risk, not IT. How true!
  • Limiting the scope of identity projects to just people. Any resource may require identity services. How do we do this in a virtualized environment?
  • Treating user provisioning as a strategic technology. Indeed. We need identity-aware applications: Kerberos, SAML, WS-* etc.
  • Paying too much. No kidding! Why are identity vendors charging 3-4X the software cost to install and deploy?! Use Microsoft to pressure the other vendors!
  • I've deployed UP, WAM, SSO...I'm done. Again, no kidding! It all starts again my friends, it all starts again. Interesting how Neil has modified Gartner's operational efficiency grid: Basic, Centralized, Standardized, Rationalized, Virtualized, Service-Based, Policy-Based (fyi - moving left to right is better and Gartner's grid stopped at Rationalized before)

To reduce cost and complexity you should: leverage convergence and not be afraid to change vendors; look for "proxy" capabilities and set a long term goal that developers don't write security code.

All in all this was a great presentation. Lots of clapping whenever Neil mentioned how costly something was!

The Internet is like a bad-news petri dish

Keynote - Gartner's Toby Bell on "Reputation: The Next Revolution"

I loved his comments on "reputational persistence". Negative or incorrect information may last forever. This is so true. Are your competitors using this against you? Toby's most illuminating comment...

"The Internet is like a bad-news petri dish! Reputation is useless in an anonymous world."

Some cool websites mentioned during Toby's talk:

Do you know what Google thinks of you or your company? Check it out at http://www.googlism.com/.

What's your reputational management strategy? Do you have a policy against allowing your employees to place co-worker

Check out http://www.touchgraph.com/ to see how you or your company relates to others and how its reputation is built and http://reputica.com/.

Gartner Identity Access Management Summit 2007

I'm at the Hyatt Regency Century Plaza, Los Angeles for the next three days attending Gartner's big identity shindig. Ray Wagner (pictured) just kicked off the conference.

I'll post tidbits and highlights over the next few days...

Wednesday, November 07, 2007

Quest helping federal federation initiatives

If you carefully read this Quest press release you'll see the word federation used. I just wanted to point it out to you because you probably either didn't read the press release or if you did you may have missed that word entirely (I did).

Lockheed-Martin is enabling federation of a B-2-B application that is built on SAP. They'll be using a number of our Vintela products to enable the scenario. It's pretty cool stuff - maybe someday they'll let us publish a case study about it. Of course, it's all Active Directory integrated...

The contract will support a Lockheed Martin identity convergence initiative and serve as guidelines towards working with federated identity infrastructures as the U.S. defense contracting community collaborates on identity management in future Department of Defense initiatives. - Emphasis is mine.

I also liked the fact it was a $2.3M sale but that's another story, eh?!

Tuesday, November 06, 2007

Leopard eats Active Directory

I've commented a couple of times about vendors and how they need to beef up their Active Directory integration (if they even integrate to start with). Now the opposite happens: Apple's Active Directory integration has blown up in their latest OS X incarnation - Leopard.

I heard about this yesterday when I was at the Vintela offices in Lindon, Utah (yes, downstairs from the evil Canopy Group and across the street from the eviler than yesterday SCO Group).

Here are some details...

Leopard Problems: Active Directory integration - First, Active Directory integration is broken. It centers mostly around authentication issues. If the Mac was joined to the domain before it was upgraded, it can’t log on after. Directory Utility returns a “Server can not be contacted” error. If the machine was not joined to the domain, it fails while trying to with an “unknown error” in step 3 of the bind process.

The other issue is in Safari through a Microsoft ISA 2006 proxy server. When going to an SSL website, Safari crashes after it tries to authenticate. Firefox still works.

Avoid an Active Directory 10.5 upgrade issue - If your Mac is bound to Active Directory (AD), make sure you unbind it before upgrading. Also make sure you have a local admin account (that was not created via AD) beforehand. I had a tough time with a Mac here -- the only account on the machine was created through authenticating via AD. In case this happens to someone else, and they find this, here's a fix:

Start up in single user mode (power on while holding Command-S) and enable the root account by giving it a password (by typing passwd and entering a password). Then reboot and log in as root. Once you've logged in (it was very slow for me), go into Directory Utility (/Applications » Utilities) and you will see the AD entry listed there.

For me it showed as connected, but was not getting the proper info. Unbind it, and as soon as it's done, you should see an immediate improvement. I was not able to log into my old account; I had to create a new (local) one, and then transfer the old home folder to my new one. I think I added that hint before, but here it is again, in case I didn't:

Create new user newuseraccount. In Terminal, do:
$ sudo -s                                        # become root; enter your password when prompted
$ cd /Users
$ rm -rf newuseraccount                          # discard the empty home folder created with the new account
$ mv olduseraccount newuseraccount               # put the old home folder in its place
$ chown -R newuseraccount:staff newuseraccount   # hand ownership of every file to the new account
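The same home-folder swap as an added example (not part of the quoted hint or the original post), wrapped in the checks an admin wants before running mv and chown as root: it validates the account names, refuses to touch anything outside the base directory, and sets the fresh empty home aside under a timestamped name instead of rm -rf'ing it. The OWNER, GROUP and BASE_DIR parameters are assumptions added here so the function can be exercised somewhere other than /Users.

```shell
#!/bin/sh
# Added example, not from the original post: the home-folder swap from the
# Leopard/AD hint above, with sanity checks so a typo cannot wipe the wrong
# directory. The new account's empty home is preserved rather than deleted.
#
# Usage: migrate_home OLD_ACCOUNT NEW_ACCOUNT [OWNER] [GROUP] [BASE_DIR]
#   OWNER/GROUP default to NEW_ACCOUNT:staff (the macOS convention) and
#   BASE_DIR defaults to /Users. All three are assumptions added here.
migrate_home() {
    old=$1
    new=$2
    owner=${3:-$2}
    group=${4:-staff}
    base=${5:-/Users}

    # Refuse empty names, path separators, "." / ".." and option-like names,
    # so "$base/$name" can never resolve outside the base directory.
    for name in "$old" "$new"; do
        case "$name" in
            ''|*/*|.|..|-*)
                echo "migrate_home: invalid account name '$name'" >&2
                return 1 ;;
        esac
    done
    [ "$old" != "$new" ] || { echo "migrate_home: names must differ" >&2; return 1; }
    [ -d "$base/$old" ] || { echo "migrate_home: no home folder at $base/$old" >&2; return 1; }
    # The new account (and the home folder created with it) must already exist.
    [ -d "$base/$new" ] || { echo "migrate_home: create account $new first" >&2; return 1; }

    # Keep the fresh home under a timestamped name instead of rm -rf.
    stash="$base/$new.fresh-$(date +%Y%m%d%H%M%S)"
    [ ! -e "$stash" ] || { echo "migrate_home: $stash already exists" >&2; return 1; }
    mv "$base/$new" "$stash" || return 1

    # Put the old home in place and hand ownership to the new account.
    mv "$base/$old" "$base/$new" || return 1
    chown -R "$owner:$group" "$base/$new" || return 1
    echo "migrate_home: moved $old -> $new (empty home kept at $stash)"
}
```

Run it as root on the real /Users; the stashed folder can be removed once the new account logs in cleanly.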

I guess Apple's QA team didn't include any cases for testing their Active Directory integration?

Saturday, November 03, 2007

Identity Management and Photography

Ian Glazer asks a couple of really interesting questions about identity management and photography in his recent post titled "Identity Management and Photography". Like the best questions, they are hard to answer because they are "core" - at least core to me. This post is just to say that I believe there is some sort of link, Ian.

There are a bunch of people in the greater identity management world who would consider themselves amateur photographers. I wonder if there is commonality of photography and IdM that practitioners of both find compelling.

Anyone else want to sound off?

p.s. My photos usually end up here: http://picasaweb.google.com/jackson.shaw

Friday, November 02, 2007

Google's GrandCentral Service


OK, kinda weird post, eh? This is GrandCentral from Google. You can use the "Call Me" button to literally call me...Enter your name and the phone number you are at and GrandCentral will call you and then connect you to me!

Cool stuff as it will call all my lines (home, business, mobile) simultaneously and route the call wherever I pick up. Neat.

Thursday, November 01, 2007

Cisco to acquire Securent

OK, looks like the first move in consolidation in the authorization marketplace has happened...not bad: $100M! (Analysis and commentary by Phil Schacter at Burton Group can be found here.)

Congrats to the folks at Securent!

Cisco Announces Definitive Agreement to Acquire Securent

Cisco® today announced an agreement to acquire Securent, Inc., a leading provider of policy management software for enterprises. Securent's scalable, distributed policy platform allows enterprises to administer, enforce, and audit access to data, communications, and applications in heterogeneous IT application environments. Securent is privately held and based in Mountain View, Calif.

Securent's software will enable Cisco customers to protect and secure valuable application data regardless of vendor, platform, or operating system while still allowing ubiquitous access to the content workers and their collaborative communities need to be productive. By delivering policy from the network, Cisco will simplify entitlement decisions for all communications, collaboration and other third party applications.

Is federation stillborn?

I was party to a short, but interesting internal e-mail debate yesterday about federation. One view was that it was never going to amount to much due to politics and complexity. The other view was that it is starting to take off in certain scenarios and could potentially grow much bigger albeit the socio-political and complexity ramifications still loom.

I figured the debate was more or less over after a few e-mails but then I happened to read John Fontana's Network World article titled Microsoft switching SharePoint to claims-based authentication. So I'll switch the debate from internal e-mail to my blog and state that it will be scenarios that applications like SharePoint enable that will propel federation forward. Second, to see that Microsoft is opening up such a critical piece of their collaboration platform to federation and non-Active Directory authentication is both amazing and awesome.

I learned a lot about making products and technologies "viral" while I was at Microsoft. Bundling SharePoint services with the server operating system did just that - it introduced SharePoint to tens of thousands of companies and, at the same time, enabled those pesky administrators to build SharePoint sites with no IT oversight. Result? Hundreds of SharePoint sites at most companies before IT even knew how to spell SharePoint. Now Microsoft is going to enable SharePoint to be downloaded without having to purchase a server. The result will be that nearly everyone will become infected. (Need some free software to determine how many SharePoint sites you have? Click here.)

Add federation to the mix and the result is a federated, collaboration solution that nearly anyone will be able to "stand up". Yes, it may be complicated to set up but the admins can figure that out and while the various IT committees and internal standards groups are meeting in conference rooms with poor air circulation and no windows a whole new class of federated SharePoint sites will be springing up from the earth...

Wednesday, October 31, 2007

Matt Flynn's Identity Management Blog: Surviving an Identity Audit

Check out Matt Flynn's Identity Management Blog: Surviving an Identity Audit and Matt's associated white paper on this topic. Good reading. There's not enough info on how identity and identity audits in particular map to compliance - despite the fact that compliance is a big driver/stick for getting your identity house in order. (You need to overlook the commercial reference at the end of Matt's whitepaper. Unfortunately, we sometimes have to support our employer in our writings.)

Identity audit solutions reduce organizational risk by providing reports and monitoring of the identity systems which grant or deny system access and the user accounts empowered to act within the environment. Having effective audit and monitoring in place also has the additional benefit of acting as a deterrent for system users who might otherwise attempt to subvert policy.

While flipping through the channels tonight I happened across an old favorite - "The Exorcist". I was reminded of that famous line "The Power of Christ" while I read Matt's whitepaper where he talks about the "Power of Identity". Unfortunately, it was the Catholic priests at my school that forbade us to see The Exorcist that made us run out to see it immediately (of course).

Matt, maybe you should forbid people from reading your whitepaper? Nice work.

See you at the Gartner conference?

Archive the box!

If you liked the Quest Idol video that I posted about in February then you'll like our "Archive the box" video that the same group of guys here at Quest put together...It's all about our Exchange archive manager product.

Tuesday, October 30, 2007

Identity and the "50 greatest arguments"

Network World recently published this interesting story:

Perhaps the only thing more fun than working on and playing with network technologies is arguing about them. Macs vs. PCs. Ethernet vs. Token Ring. Outsourcing vs. keeping it in-house. Here's our take on the nastiest, most colorful and in some cases, still unresolved network industry arguments. Read up and weigh in.

Yes, a few of their top 50 "arguments" are identity related! Here they are:

X.500 vs. LDAP - Directory services battle took turn with advent of Internet

This architectural argument would pack networking conference sessions, divide the room and ignite heated shouting matches in the early-to-mid-1990s. It was a case of the student overtaking the mentor as the Lightweight Directory Access Protocol was at first a simple alternative to X.500’s Directory Access Protocol (DAP). LDAP was used for accessing X.500 directories via the TCP/IP protocol. With the advent of the Internet and its reliance on TCP/IP, X.500 faded into the background even though it was later modified for use over TCP/IP.

Flashback: I'm at the DISA conference on the Defense Message System (DMS) in Reston, VA circa 1995. I'm talking to the DMS Project Manager - a distant relation of my wife - and tell him that DMS is doomed to failure if it continues to ignore TCP/IP and LDAP over OSI and X.500. He tells me that I'm crazy. Who's crazy now, Wayne?! See the associated argument about SNA and OSI versus TCP/IP in the same list!

Industry standards vs. proprietary technologies

It’s hard to imagine now, but there used to be a rigorous debate about which strategy was best for corporate IT buyers: industry standards or proprietary technology. Standards have won this debate, but that doesn’t mean there weren’t advantages to buying proprietary technology.

Oh, really? Standards have won the debate? Do we have to go back to that argument I recently had about MIT Kerberos and Windows Kerberos? Will the real standard please stand up - you know, the one that is used by more people. After all, isn't it usage that defines success and standards versus "Should", "Must" and "Optional" statements in a piece of paper emitted from the IETF or United Nations?

Let's not even go back to the discussion of X.400 (an ISO standard) versus SMTP (an IETF standard). Why didn't they both win? They are both standards, aren't they?

P.S. to Network World (John, you missed this one): How come you didn't mention X.400 vs. SMTP? That was a good argument while it lasted buddy!

Thursday, October 18, 2007

Quest acquires eXc Software

Not much fanfare about this acquisition on our end but if you go to http://www.excsoftware.com/ you'll see our logo on eXc's home page. I'm excited about this for a few reasons...

  • Agentless connectivity to non-Windows systems - lots of applications in Quest for this set of products
  • Single sign-on with mainframes - what else can I say here, I'm interested!
As with any acquisition we're figuring out how and where to specifically integrate eXc's bits but in the meantime the eXc team will continue doing business as usual except with a much larger team backing them up!

Tuesday, October 16, 2007

ActiveRoles Management Console for Active Directory

Both my friends Dmitry and Bob have written about the RC1 release of the Management Console for Active Directory that is based on Quest's Active Roles product and built on PowerShell. I've copied the info direct from Bob's blog...

We just shipped RC1 of our Active Directory (and ADAM) management commands for PowerShell. Congratulations to our awesome dev team... See below for details of what we provide for free by simply downloading our CMDLETs from http://www.quest.com/activeroles-server/arms.aspx.


CMDLETS at a Glance
  Windows Server 2008 CMDLETS ........... 1-4
  General Object Management CMDLETS ..... 5-11
  Group Management CMDLETS .............. 12-17
  Computer Management CMDLET ............ 18
  User Management CMDLETS ............... 19-24

CMDLETS Description

***Manage Windows 2008 Password Policy
1. Add-QADPasswordSettingsObjectAppliesTo
Add PSO links on a Password Settings object. Windows Server 2008 is required.

2. Get-QADPasswordSettingsObject
Retrieve Password Settings objects that match the specified conditions. Windows Server 2008 is required.

3. New-QADPasswordSettingsObject
Create a new Password Settings object (PSO). Windows Server 2008 is required.

4. Remove-QADPasswordSettingsObjectAppliesTo
Remove PSO links on a Password Settings object. Windows Server 2008 is required.

*** Object Management
5. Move-QADObject
Move the specified object to a different location (container) in Active Directory.

6. Remove-QADObject
Delete the specified objects in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

7. Rename-QADObject
Change the name of the specified object in Active Directory.

8. Get-QADObject
Retrieve all directory objects in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

9. New-QADObject
Create a new object in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

10. Set-QADObject
Modify attributes of an object in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

11. Convert-QADAttributeValue
Convert attribute values of a directory object to the specified .NET type.

***Group Management
12. Set-QADGroup
Modify attributes of a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

13. Add-QADGroupMember
Add one or more objects to a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

14. Get-QADGroup
Retrieve all groups in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

15. Get-QADGroupMember
Retrieve the members of a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

16. New-QADGroup
Create a new group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

17. Remove-QADGroupMember
Remove one or more members from a group in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

***Computer Management
18. Get-QADComputer
Retrieve all computer objects in a domain or container that match the specified conditions.
(This command looks lonely...)

*** User Management
19. Get-QADUser
Retrieve all users in a domain or container that match the specified conditions. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

20. Enable-QADUser
Enable a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

21. Disable-QADUser
Disable a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

22. Unlock-QADUser
Unlock a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

23. New-QADUser
Create a new user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

24. Set-QADUser
Modify attributes of a user account in Active Directory. Supported are both Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).

***Other
25. Get-QADPSSnapinSettings
View default settings that apply to all cmdlets of this PowerShell snap-in.

26. Set-QADPSSnapinSettings
Modify default settings that apply to all cmdlets of this PowerShell snap-in.

27. Connect-QADService
Connect to the ActiveRoles Server Administration Service via the ActiveRoles Server ADSI Provider, or to a certain Active Directory domain controller or a certain server running an Active Directory Lightweight Directory Services (AD LDS) instance via the regular LDAP ADSI Provider.

28. Disconnect-QADService
Close the connection, if any exists. A connection could be established by using the Connect-QADService cmdlet.

Friday, October 12, 2007

Listen up Oracle and IBM!! You should support direct authentication against Active Directory

I caught this post and the original post about Oracle 11g security over at James McGovern's blog. If you aren't regularly reading his blog you need to.

Oracle 11g Password algorithm revealed: Kinda interesting how easy it is to crack Oracle passwords. Maybe this begs the question of whether databases should store passwords anyway? I am of the belief that Oracle and IBM should within their products support direct authentication against Active Directory for this type of functionality.

I totally agree with what James states - IBM, Oracle and others should be supporting direct authentication against Active Directory. What does that *really* mean? Good question, I'm glad you asked. Well, for one thing, it doesn't mean just LDAP authentication, in my opinion. Let's go a step further and request the Holy Grail, please! We want Kerberos-based authentication.

If we have Kerberos-based authentication the world of SOA, protocol transitioning, web services and multi-tier architectures is opened up in addition to enabling the Holy Grail - true end-to-end single sign-on. There's no reason for you guys (IBM, Oracle, etc) to feel that you have to own this piece of the puzzle. Isn't there enough value-add in the rest of your platform?

Wednesday, October 10, 2007

An extensible admin console based on PowerShell

It's PowerGUI. We released a new version last night and you can see the excitement in my friend Dmitry Sotnikov's email that he sent out...

Yesterday night we put PowerGUI 1.0.11 on the downloads page, I posted the announcement on my blog, and (eventually after my wife started threatening me with divorce) went to bed.

Today when I came to the office PowerGUI went well over 25K downloads – 500+ of which happened during the night, and my blog is having the best day ever with 1000+ visits already.

There are quite a few references on the web:

We are in the middle of incredible growth – the one we never had before, and I think in retrospect this is basically because a few factors played together in a perfect storm:

  • We implemented a great feature – lightweight PowerShell editor – and significantly improved it thanks to internal feedback.
  • We pre-announced the feature right before the weekend. This generated interest and made people wait for what was coming.
  • The catchy name of the announcement – Notepad for PowerShell – helped as well.
  • Good execution by the team on all sides: listening to feedback, implementing well, setting up perfect guerrilla marketing.
There are loads of videos, documentation, cmdlets and a community that are contributing to this free tool. If you haven't checked it out yet you should...

P.S. It keeps getting better: 2,000 blog hits and almost 1,000 downloads at this point today!

Tuesday, October 09, 2007

Quest Experts

We (Quest Software) recently published a web page with a list and description of our "experts". Very useful information for me because even in a 3,000 person organization you don't get to meet everyone plus we are a global organization and expertise exists in more places than the United States after all.

In the Microsoft area there are nine chaps featured on the page. Check them out. Their expertise crosses Active Directory, Exchange, PowerShell, SharePoint and Identity Management. In fact, a couple of them are MVPs (Microsoft Value Professionals).

Monday, October 08, 2007

Do you have an Identity management disaster plan?

I'm sure some folks will disagree with me here but I think there is a difference between a business continuity disaster plan and an identity management disaster plan. Most companies, I hope, have a business continuity disaster plan which basically documents what needs to get done if a server room is flooded, the mainframe catches on fire or the really bad scenarios of buildings or locales being "destroyed".

However, how do you handle the situation of your primary authentication directory "blowing up"? New hardware and restore the latest backup? What about the new identities that were created between the last backup and the incident? Just lost? Sorry, you can't pay your credit card bill?

I know of a bank which moves millions of dollars a day based on a Linux system that authenticates to Active Directory. What happens if AD is not available for 5 minutes? What then?

Let's even go further down the food chain. Your AD (or name your favorite directory) administrator decides to leave on a Friday and deletes or changes a bunch of information. What do you do? Do you restore from the last backup? What about all the changes? What if the admin accidentally deletes an OU? What about any changes that occurred between the last backup and the incident?

I would posit that you need near continuous backup for your identity and authentication repositories. If you aren't there yet you really need to be thinking about it...

Thursday, October 04, 2007

InTrust for Active Directory is Microsoft certified

InTrust for Active Directory has been certified by Veritest for Windows Server 2003 Standard and Enterprise edition! The certification statements have finally been posted by Veritest. That's a total of 13 Quest products that are now Veritest certified for Windows Server 2003 - and there are more on the way - including preliminary Windows Server 2008 certifications!

Tuesday, October 02, 2007

We have a position open...

If you or anyone you know is interested as clearly those that read this blog would be awesome candidates...

The job description can be found here. Summary below...

We are currently seeking to identify a P&L minded Product Manager who will manage the strategic direction of the InTrust product line to ensure a competitive market advantage and champion the development of new solutions to meet emerging market opportunities consistent with the organization's short- and long-term goals and objectives.

RESPONSIBILITIES:

  • Participate as a proactive member of the Quest Product Management team and contribute to the company by meeting short- and long-term revenue results for the InTrust security platform-centric product line;
  • Take accountability and resolve issues preventing the achievement of timely, quality, and cost effective results;
  • Take strategic risks toward achieving operational excellence;
  • Create and maintain an accurate and up-to-date executive overview of product(s) including market, financial, and strategic data analysis to ensure effective communications of goals, key issues, and progress towards objectives;
  • Develop accurate and timely Market Requirements Documents (MRDs) that contain feature functionality descriptions to be used by development team and Business Requirements Documents (BRDs) to assess the validity of proposed new features or new product offerings;
  • Conduct market analysis to determine product relevancy and adjust course as needed;
  • Influence industry Analysts to maximize market position and share;
  • Understand the competitive landscape and provide direction accordingly. This includes exploring strategic acquisition opportunities as well as analyzing build/buy options;
  • Provide necessary content to Product Marketing team to ensure effective product collateral materials to support short- and long-term revenue objectives;
  • Work effectively, cross-functionally, with Development, Support, Marketing, etc. to ensure the efficient operation of product development and release;
  • Work with management to set revenue forecasts.