Tuesday, February 27, 2007


No, it's not a prime number. It's a patent number. It's a patent that is owned by one Mr. William Reid of Texas who says that Microsoft violates it with their implementation of Active Directory and therefore so does Windows 2000 Server and Windows Server 2003. He's not only lobbed in a lawsuit against Microsoft but also Halliburton, Schwab and GM. Apparently those companies use Active Directory and presented various architectural diagrams at the Burton Group Catalyst conference last year which Reid attended. So as far as Reid is concerned they are also violating his patent. According to an Information Week article Halliburton has already asked Microsoft for indemnification.

You can read the whole patent on-line if you'd like all the details. I've cut out the summary and pasted it below for your reading pleasure.

Some interesting points from my perspective...

- If Reid is successful in his pursuit of damages then that number in the title of this post might be way too low based on the fact that nearly every company of any size in the United States is using Active Directory.

- With all the hub-bub around intellectual property and indemnification it will be very interesting to see if Microsoft does indemnify Halliburton - and all the other companies out there.

- Directories were in use before this patent was filed. Reid even mentions NDS. I wonder if Reid's patent can stand up to the scrutiny of prior art with respect to what Netscape did with their LDAP Directory Server (RTM in ~1996 if memory serves me) and a true WAN-based directory called "StreetTalk" for Banyan's VINES Network Operating System. Anyone remember Banyan VINES? I rolled out a world-wide network based on Banyan VINES StreetTalk in 1989 (Singapore, New Delhi, Cairo, Montevideo, Dhaka, Nairobi and Ottawa all networked using VINES over X.25).

The "invention" - "Enterprise Network Management Directory Containing Network Addresses Of Users And Devices."

The present invention extends the concept of directory services to the management and control of enterprise networks by integrating directory technology, router/gateway management, and server management to form an enterprise network management and network security solution. By integrating directory services to perform these extended functions, a firewall can be deleted or omitted and a stronger implementation of firewall functions can be integrated into other network elements controlled by a master directory. From an architectural standpoint, the present invention provides supervisory control in the network and data link layers, rather than in the application layers as such control is traditionally provided.

An enterprise directory residing on a directory server stores the names, workstations, router/gateways, servers, IP addresses locations, passwords, and encryption keys for individuals. Periodically, the directory server downloads to each router/gateway across the WAN router/gateway access lists (RALs), thereby controlling all network access across the WAN. Also periodically, the directory server downloads user control files (UCFs) to servers in the network, thereby controlling all server access across the WAN. This directory-based invention thus provides enhanced network control, and enhanced network security.


Monday, February 26, 2007

Novell's CTO speaks on interop

Looks like Jeff Jaffe - Novell's CTO - is blogging about their Novell/Microsoft interoperability efforts. Jeff discusses the announcement and lays out the major interoperability projects which includes identity management and interop with Active Directory. According to Jeff...

In the next posting, I will describe the actual roadmap in detail.

I for one will certainly be watching for it! I'll let you know - as I usually do - if there's any meat on the bones that get thrown our way.


A prodigal son returns

Earl Perkins is back at Gartner! Many of us knew Earl from his days as an analyst with Meta Group which Gartner acquired. Earl joined Microsoft a few years ago and moved up here to Redmond, WA. The fact that Earl - a long, long time resident of New Orleans - moved up here came as a big shock to me. His bio at Gartner says he's located in New Orleans so I hope that's true. New Orleans is better for having Earl back there (and so is Gartner!).

Earl, let us know if you made it back home and how things are. Best of luck to you, sir!


Friday, February 23, 2007

Google? Samba? What does it mean?

Samba developer Jeremy Allison quit Novell in late December to join Google. In Jeremy's words he's going to continue his work and how it applies to Google.

Responsibilities will be continuing my work on Samba and working out where it fits for Google.

Today, Google launches Google Apps Enterprise Edition. The enterprise word is intriguing because clearly that means what it means: enterprise. What directory do most enterprises use for employee authentication? Answer=Active Directory. What problem is Samba designed to solve? Let's get an answer from Samba's website:

Samba is software that can be run on a platform other than Microsoft Windows, for example, UNIX, Linux, IBM System 390, OpenVMS, and other operating systems. Samba uses the TCP/IP protocol that is installed on the host server. When correctly configured, it allows that host to interact with a Microsoft Windows client or server as if it is a Windows file and print server.

OK, so put Samba together with Google and what do you get? Answer=Google integration with Windows and Active Directory. But, why would Google want to do that when end-users simply use a web browser to access Google's site? Will big enterprises want to trust the Internet for hosting their enterprise applications? I doubt it. The idea of financial emails and spreadsheets flying around the ether probably makes the legal folks in the executive suite all wiggly.

What if there was a Google appliance that they could deploy at their own premises? Well, that would solve the security problem wouldn't it? Now, what if that server - based "on a platform other than Microsoft Windows" - could integrate with Microsoft Windows (and Active Directory)? Then employees would get single sign-on via Windows integrated authentication to the Google Apps Enterprise Edition appliance.

Is there a Google Apps Enterprise Edition appliance in the works? Not that I know of... ;)


Thursday, February 22, 2007

80% reduction in administrators?!

Yes, you read that right. There's a great article in Baseline Magazine about how Inergy reduced many of their IT operating expenses - some of which was achieved through the use of Quest ActiveRoles Server.

...after Inergy added Quest Software's ActiveRoles Server for simplified Active Directory account creation and management in 2003. In all, the number of full-time equivalent employees required for domain administration dropped from 15 to three...


Tuesday, February 20, 2007

Even small companies benefit from identity management!

There aren't enough success stories out there about identity management so please forgive me when I blog about Quest's. Especially when the story is about a small company that is implementing an identity management strategy for 230 employees and they are already seeing the benefits from it!

The story also fits nicely with my previous post on self-service scenarios because the company - Red Energy - implemented Quest Password Manager to eliminate password reset calls to their helpdesk. Click on the title below to read the whole press release.

Red Energy Chooses Quest Software to Simplify Identity Management

Customer quote: “It was important to get our identity management solution right from day one,” said Steve Byrne, enterprise architect, Technology & Development, Red Energy. “Quest’s solutions make things simpler by enabling us to efficiently manage users across multiple systems, and extending Active Directory benefits like stronger passwords and Group Policy to all platforms. Quest’s tools were extremely easy to get up and running – the choice was essentially a no-brainer.”

Microsoft quote: “It is important for our mutual customers, such as Red Energy, to have a secure IT environment,” said Peter Houston, senior director of marketing for Identity and Access at Microsoft Corp. “They have chosen the strength and security that Active Directory provides to manage their digital identities, and Quest helps simplify this management in an automated, more secure way.”

Jackson's after-the-fact quote: AWESOME! And, thanks for selecting Quest!


Monday, February 19, 2007

Top security technology planning related to identity management

There's an interesting article over at eWeek on current and planned use of security technologies.

What were the top 5 areas that people were planning for or installing?

  1. Encryption for storing data and documents (22%)
  2. Digital signatures (22%)
  3. Digital identity management software (22%)
  4. Biometrics (21%)
  5. Federated identity management software (18%)

What's the message in the numbers? Each one of these areas is related to identity management.


Self-Service Scenarios, Active Directory & Applications

In my last post on self-service scenarios, Darren Mar-Elia commented that application self-service is another potential scenario. I totally agree. In fact, in my mind I lumped application self-service into entitlement self-service. In other words, I simply see applications as a type of entitlement that you may or may not be authorized for.

Did you know that in an Active Directory world application self-service is already built-in? You can "publish" applications to Active Directory and they are deployed via Group Policy. When you publish an application in Active Directory it becomes available from Add/Remove Programs for those users to whom the Group Policy object (GPO) applies. You could also assign the applications to a particular set of users (or computers) via the GPO and the application would be automagically installed on that user's machine when they log on.

I am not sure how many people out there know about this capability but it's available. Check it out.


Friday, February 16, 2007

Self-Service Scenarios

I was on the phone yesterday with one of our star architects who was picking my brain about self-service scenarios on behalf of a customer. So, rather than send an e-mail I figured I would blog a response for everyone's benefit. A special hello/bonjour to my banking friends in Toronto who we're working with on this. My biggest regret when I moved from Ottawa to Seattle was giving up my Aerogold card! This one's for you...

Definition: Self-service is basically defined as empowering the end-user to accomplish IT-related tasks without the intervention of the helpdesk (hopefully). An end-user could be an employee, manager, contractor or customer.

Being a marketing guy I also have to break this feature into a "so what?", why would a customer pay for this?

Business Value: Self-service basically benefits a company in three ways: Reduced costs, improved productivity and improved security.

Reduced costs: Every task that an end-user can perform on their own is a task that the helpdesk doesn't have to do. The savings here can be direct or indirect depending on whether or not your helpdesk is outsourced. When I was at Microsoft we had an outsourced helpdesk. Every call resulted in a charge. Every task that we could get an end-user to do, via self-service, resulted in a tangible savings. Companies that don't have an outsourced help desk can also reduce costs if they are willing to either "retire" helpdesk staff if volumes drop enough or move them to more valuable positions.

Improved productivity: Without self-service an end-user has to call the helpdesk. So you have the cost of that call plus the cost of having the end-user on the phone with the helpdesk versus doing their work. Eliminate the time on the call with the helpdesk and the end-user hopefully will be working. Typically, this is a soft cost which is a cost that's very hard to quantify to a CFO.

Improved security: One can make an argument that self-service scenarios can help to increase security by making it easier for a manager or application owner, for example, to revoke access without having to call the helpdesk. In other words, closing the window on a potential security threat faster.

Now that we have defined the topic, the business value and the benefits let's examine some of the supporting scenarios. I'm sure I won't get them all so if I miss something please send me an e-mail or comment so I can include. OK? Here we go...

Password Reset: This is probably the most valuable scenario of them all. You can probably read any analyst report and see figures that show anywhere from 45%-75% of all helpdesk calls are password related. And, guess what? They're true. I ask almost every customer I meet with how big of a problem it is and on average I would say most customers respond with ~50%. So, implement a password reset solution and re-deploy half of your helpdesk staff. (You define what re-deploy means.) This level of ROI is exactly why products like Quest Password Manager are so popular.

Identity Update: Everyone should be familiar with this. Basically, it's a way that your end-users can update their own identity information. For example, mobile phone number, home address, etc. This is more than just the typical "white pages" application. It's white pages with some R/W access delegated to the end-user. Again, why does an end-user have to call IT or HR if they change their mobile phone number or their home address?

Entitlements: This is less familiar to most end-users. Basically, an end-user should be able to go to a web site and see a list of things that he or she is entitled to. For example, access to the expense submission system, travel reservations, etc. Depending on their role in the company this list of things would be context sensitive. If I were to get promoted to a management job perhaps I'd be entitled to sales reports, HR access and payroll information in addition to what I have as a regular end-user. Again, no reason to call IT for access plus you hopefully eliminate the dreaded wait of x hours, days or weeks in getting the entitlement. As a stretch goal one would want the entitlement request to be workflow-enabled so the person's manager and perhaps others could easily "okay" the request via e-mail.

Reporting: Another great self-service option. If you need reports go to a web site and request the report. If you're not entitled to the report, see the last point as hopefully you have a web site to request that entitlement!

Attestation: Another one that's a bit out there. In other words, there aren't a lot of products that do this yet. In this regulated world we managers every once in a while have to attest that our employees should have access to certain systems, applications or files. So, every month (or whatever) I should be able to both review what my people have as entitlements and attest that those are required. All of this would of course flow up the management chain so that we not only have regular entitlement reviews but those reviews actually turn into something that the CEO can sign off on for regulatory reasons. Also, the flip side is this will improve security. When was the last time you reviewed what your staff have access to? What you have access to? Do you even know?? Don't we all have friends at our company that used to work on an executive's staff and he or she still gets emails or still has access to files even though they left that department two years ago? My point exactly. (Don't get me wrong, I value those friends!)

In my opinion the password reset scenario is the one that offers the biggest and fastest ROI for a company. All of the other scenarios are excellent scenarios and absolutely should be pursued but their ROI tends to get softer - unless of course you have regulatory problems in which case reporting and attestation can be serious pain points.

I am also looking at ways for Quest to incorporate new technologies into the self-service mix. A good example is Microsoft's Speech Server product. I had a demo of our integration of Speech Server with Quest Password Manager last week and it was pretty cool. The main reason I pushed for it was for remote and traveling users. How do you get online to self-service reset your password if you are traveling? It can be difficult. By integrating with Speech Server you can sit in your hotel room, call up and talk through your secret questions to get your password reset. Awesome.

In conclusion, I think that implementing self-service is one of the most valuable things any IT department can implement. Also, let's not forget the political reasons for implementing self-service:

- When you (IT) successfully implement self-service your end-users love it. Happy end-users talk about what a great job you've done. That's good.

- When you (IT) successfully implement self-service your managers - the guys that signed the check and, more importantly, will be signing future checks - see a tangible result in happy users, reduced costs and fast ROI. Plus, it's something they can see with their own eyes versus projects that only make an administrator's life easier.

Let me know which scenarios I missed. I'm sure there's a few!


Thursday, February 15, 2007

Customer roundtable in Manhattan

You guys all know how much I love customer roundtables. Well, here's another one! This time, in Manhattan. If you fit the profile, let Kim know so you can get your invite. I'll also be meeting with customers in the NYC/NJ area during the days before and after.

An Evening with Quest Software --
Bar Americain, Thursday March 1, 2007

Quest Software invites you to an Identity Management Roundtable Discussion & Dinner, exclusively for our valued National and Strategic Accounts.

Join Quest Executives, Product Managers and fellow Quest customers interested in Identity Management for cocktails and dinner at Bar Americain, Bobby Flay’s ode to regional American cooking in Midtown. Dinner & Discussion begin at 6:30 p.m. at 152 West 52nd Street (between 6th & 7th Avenues), New York City.

This is an exciting opportunity to meet with Quest Software Product Management & customers like yourself to share your thoughts on the challenges of Identity Management and influence future product direction.
What to Expect:

  • An open forum with informal, interactive discussion on the challenges and issues you face in Identity Management (including: authentication, access management, single sign-on, audit, provisioning, password management, role management & federation)

  • Gain valuable insight into Quest's Identity Management strategy and direction through conversations with Quest experts like Dave Wilson (VP, Identity Management Products), Matt Peterson (CTO, Identity Management Products) and Jackson Shaw (Quest Senior Director of Product Management)

  • Influence the direction of Quest's Identity Management offerings

  • Learn from other Quest customers about their project plans and implementations

  • Meet other IT Executives facing Identity Management challenges within a heterogeneous IT environment

We look forward to having you for an evening of good food, good company and open dialog. To register, call Kimberly Myers at 917-472-4629 or email Kimberly.myers@quest.com.


Wednesday, February 14, 2007

More Microsoft/Novell interop news

In a previous post I mentioned that there were no real details on the directory interoperability that Microsoft and Novell were working on. Sam Ramji from Microsoft blogged details about this over at Port25.

Directory and Identity: Directory interoperability is the basis of identity interoperability - directories contain the structure and content that provides the raw material for identity. Through our ongoing testing in the lab, Microsoft and Novell will improve directory and identity interop between Active Directory and eDirectory, using open specifications such as WS-Federation and WS-Security.

Does that mean Novell will specifically build in support for WS-Federation and WS-Security into products like iChain? Maybe.

Does it mean they'll drop their own independent (i.e., SAML, Liberty) efforts? Doubtful.

Does it help SuSe Linux clients or servers join an Active Directory domain? No.

I do wonder about the phrase "such as" though. What does that mean? That maybe open specifications such as Kerberos and LDAP will be supported?

People, such as me, wonder.


Ignite Deux Seattle

No, it's not another French post from Jackson. Tonight I did something a bit different. I headed over to the Capitol Hill Art Center in downtown Seattle to watch Ignite Deux. There were 21 speakers scheduled including Scott Kveton, the CEO of JanRain, the folks behind OpenID. As you probably know, my buddy Kim Cameron is the man behind the curtain for Microsoft's CardSpace initiative (I guess I should stop calling it an initiative - it is actually part of Vista now) and at the RSA conference Microsoft announced that CardSpace would be interoperable with OpenID.

I thought since Scott was going to present I might as well go over and see what all the hub-bub was about. The format of the evening was interesting in itself. Presenters had 5 minutes - only - to present their 20 slides! That's 15 seconds a slide. Scott was the third presenter in the first volley of speakers. The first talk was from Matthew Maclaurin of Microsoft Research on Programming for Fun/Children/Hobbyists/Hackers. The second was from Elisabeth Freeman (Author in the Head First Series, Works at Disney Internet Group) on The Science Behind the Head First Books: or how to write a technical book that doesn’t put your readers to sleep. Then Scott was to speak.

First, I was shocked to walk into this "art space" that was packed to the rafters with people. Was I in the wrong place? Apparently not. On the website they stated the space would hold 400 people and it was jam packed. I had this vision of a few people sitting around some tables chatting. Not so! It was pretty cool; folksy; kinda out there but very engaging. Second, what was I going to get out of a 5 minute talk? Well, the speakers kind of had the pressure on them to make their points. The ones that I saw all got to the point quickly and they all engaged with the audience, did their thing and got off.

Check out my photos on Picasa if you want to see the shots I took which included many from Scott's talk. So, what did I learn from Scott's talk?

  • OpenID is single sign-on for the web
  • Simple, light-weight, easy-to-use, open development process
  • Decentralized
  • Lots of companies are already using it or have pledged support
  • 12-15M users have OpenIDs; 1000+ OpenID enabled sites
  • 10-15 new OpenID sites added each day
  • 7% growth every week in sites

Scott predicts that in 2007 there will be 100M users, 7,500 sites, big players adopting OpenID and OpenID services emerging. Bold predictions, but something that is viral, like OpenID, has a shot at it.

I have to say I was impressed. Scott finished up with a call to action that included learning more about OpenID at openidenabled.com. I'm definitely heading over there to learn more.

I'll report back.

p.s. Here's an interesting read:


Tuesday, February 13, 2007

RSA Customer Roundtable

We had a customer roundtable (cocktails and dinner) while we were at the RSA show. The event took place at Harris' - The San Francisco Steakhouse - which is a truly awesome steak house. Best steak I have had in a long time.

Attendees included Bloomberg, Coca Cola, Goldman Sachs, Chevron, Starbucks, Ford, Manulife and General Mills. Definitely a good crowd! I won't go into the specifics of what each customer is up to but here are some of the most interesting points that came out of the meeting:

  • One customer actually has an Active Directory Federation Services (ADFS) project underway. Not a test lab or proof-of-concept but a real project that involves E-2-P (employee to partner) federation. They are also using Ping Identity's product as a federation bridge. I was impressed that they were pushing so far with ADFS. They did tell me they figured they were the first or first and only company out there doing this. Doesn't say much about Microsoft in the federation market does it?

  • Another customer was kind enough to tell me why they were going with a different password management product other than Quest Password Manager. Seems they really want IVR - interactive voice response. Well, the good news out of that was at least we identified the need to add IVR last year so it is in process. In fact, I saw a demo of Quest Password Manager's integration with Microsoft Speech Server while I was down at Quest's corporate office to attend our internal "Innovate" conference. Pretty cool stuff!

  • Mainframe, mainframe, mainframe. They're never going away!

  • My buddies from Mycroft are starting to make some money off of our partnering relationship. Awesome! Thanks to both Liz and Jon for coming to the dinner - it was great to see you guys!

Next customer roundtable is in Manhattan on March 1. I'm looking forward to it!

Monday, February 12, 2007

Quest Idol on YouTube

Here's your music video covering migration, identity management, Active Directory, Exchange, overcoming the competitors and more...

It's just too funny. I love watching it. These guys are all Quest employees and they produced this totally on their own.



So I'm out walking the dog - literally - and there are these guys spray painting the road to mark services, electrical, cable etc. I figure we are getting ready for a world of hurt with roads being dug up for new sewers or whatever.

Further down the road there's a little sign stuck in a lawn saying "Verizon, working for you" with a tube underneath with a flyer inserted. Being the inquisitive guy I am I figure it must be something interesting because we already have Verizon wires coming into our house.

Lo and behold, they start talking about FTTP - fiber to the premises - and my mouth immediately begins to water. I didn't tell you but I was walking the dog with my wife. Here's what transpired...

  • Jackson: Wow, this is excellent. I can't wait. Gonna get me some of that FTTP FiOS stuff!
  • Wife: What's that?
  • Jackson: FTTP = fiber to the premises
  • Wife: So they're going to run fiber to our house?
  • Jackson: Yup. Cool, eh?
  • Wife: So what? What does that mean?
  • Jackson: It means a fast internet connection, IP phone, IP TV.
  • Wife: So we'll be spending more then. (Note this is a statement - not a question)
  • Jackson: Who knows. I haven't seen any prices yet.
  • Wife: You mean our phone will be like those people down the street who have Vonage and it never works and they sound like they're at the bottom of a barrel? Why do we want that? I'm not getting that.
  • Wife: What's wrong with what we have now?
  • Jackson: This'll be faster and cooler.
  • Wife: So? Why do you need faster?
  • Jackson: So we can have all the cool stuff.
  • Wife: You mean like the people down the street who sound like they're in a barrel when we call them? Right. Plus we'll be paying more.
  • Jackson: OK, let's just wait and see what the pricing is.
  • Wife: We're not going to pay more than we're paying now. I don't care how fast or cool it is. When is all this friggin' digging going to be done anyway?

Why don't wives understand faster and cooler?

Want to see what this really means? (I hope it's what it means for me!) Read this article over at Microsoft Watch by Joe Wilcox on what it meant for him.

Oh, and help me out convincing the wife...Don't you want faster and cooler? I'll help you out if you'll help me out.

Still no real details on the Novell/MS interop...

Novell issued a press release that goes into the details of the interop between them and Microsoft. Generally there was some detail about most of the initiatives but the directory and identity interoperability still leaves something to be desired...

Microsoft and Novell are working toward improving directory and identity interoperability between Microsoft and Novell products and technologies using standards-based protocols designed to result in improved access control for IT resources managed with either Novell eDirectory or Microsoft Active Directory.

I wonder when we are going to hear/see something concrete?


Oxford Computer Group Selected As Partner For Leading Password Management Solution

Guess what the leading password management solution is? You got it: Quest Password Manager.

I love the guys over at Oxford Computer Group (OCG). They have their act together around Microsoft Identity Integration Server (MIIS). James Booth and I worked together with Kim Cameron at Zoomit. Neil, Hugh and the gang at OCG have a great business built up around MIIS so this is a fit made in heaven for both of us.

Even Microsoft thinks so...

"Customers tell us that enabling end users to reset their own passwords is a key area which contributes to reduction in help desk costs,” said Peter Houston, senior director of marketing for Identity and Access at Microsoft Corp. “We're happy to see Oxford Computer Group and Quest Software teaming together to solve this problem for customers who have invested in Microsoft's identity and access platform."

You can read the press release over at OCG by clicking here.


Quest Scores an A+ in Password Management from Manteca Unified School District

Nice press release today about Quest Password Manager being deployed by Manteca Unified School District. Self-service tools are the fastest way to get ROI around your identity management project.

Manteca Unified School District has successfully implemented Quest's Password Manager solution to automate its password management activities and processes. Supporting a widespread Windows-based user community of 1,800 employees across 30 sites, Manteca's IT department was spending a considerable portion of its time resetting forgotten passwords. Forrester Research reports that for many companies, password resets are the most common type of call, often constituting 30% to 50% of all calls. Quest Password Manager allowed the school district to increase IT efficiency by immediately resolving 25 percent of its password management issues.

"Password Manager efficiently addresses our help desk issues, without over complicating what we needed," said Sean Colt, director of IT at Manteca Unified School District. "Quest's roadmap with Password Manager perfectly matches our direction toward Microsoft Vista. We look forward to continuing our partnership with Quest and expect to achieve full ROI from our Password Manager purchase in less than one year."


IDC paper on Identity Management & Active Directory

Well, it's actually a Microsoft paper since Microsoft sponsored it. IDC authored the paper. Official title:

Optimizing Infrastructure: The Relationship Between IT Labor Costs and Best Practices for Identity and Access Management with Active Directory

Here are some of the specific best practices cited in the paper:

  • PCs managed by Group Policy Objects (GPOs) (labor savings of $120 per PC per year). Requires PCs to authenticate into Active Directory and individual PCs to receive configuration, software installation, and desktop configuration through GPOs.
  • Comprehensive directory solution (labor savings of $120 per PC per year). Requires a single directory for authentication, single sign-on capability for all computing resources, and automated password reset.
  • Reduction of third-party application directories (labor savings of $90 per PC per year). Requires the use of a single directory service both for operating system management and for application directory services. Very few companies in this study reached this goal, but those that did achieved significant IT labor savings.
  • Automated user provisioning (labor savings of $50 per PC per year). Requires single directory or synchronized directories with a metadirectory service and IT processes for automated user provisioning. Users are provisioned (including adds, removes, and changes) once in a primary directory, and the changes are propagated to all related directories.

What are the interesting messages in the numbers above??

  1. Group Policy is far more beneficial than automating user provisioning! You've read previous posts about Group Policy and how much I think companies should be using it. Here's yet another proof point. Plus, Quest Software has built some excellent software that can help you manage Group Policy.
  2. Consolidating your directory infrastructure is far more beneficial than automating user provisioning! That's exactly what Vintela Authentication Services enables. Then throw on top Vintela Group Policy to extend your Group Policy benefits to Linux/Unix for added value.
  3. Getting more applications to use Active Directory is far more beneficial than automating user provisioning! This follows the directory consolidation story.
  4. User provisioning is a last step! I'm a big fan of less moving parts. If you follow #1-#3 above you can reduce your need for a metadirectory, get significant savings and probably pay less for that metadirectory software you're looking at. Of course, Quest's ActiveRoles Server is available to help you here.

I won't bank on the numbers in the Microsoft/IDC paper but I really do like the contrast in the value of the best practices: Simplify and consolidate first, provision last.

p.s. With Microsoft's "ILM 2007" product if you include provisioning a certificate for a user part of your solution then you'll be paying even more and saving even less which makes #1-#3 above even more important.


Sunday, February 11, 2007

Styles of Communication

Last weekend I attended a seminar in Sacramento called "Styles of Communication". This was probably the best seminar I have attended in many years. It really opened my eyes to the fact that everyone has a different style of communicating. The key take-away for me is that if you ask a few questions you can figure out someone's style and that helps you to adjust your style of communicating with them. The end result is a more effective relationship with that person - whether it is a business or a personal relationship.

Wilson Learning offers this course. Here's a summary...

Building Relationship Versatility: Social Styles at Work provides participants with results-oriented Versatility skills that help them to improve their ability to work effectively with others. Individuals are better able to build productive relationships, handle conflict, and create more focused and productive teams. This program can transform how your organization, your teams, and your individual contributors work together to create value.

Check it out. I highly recommend it!

Friday, February 09, 2007

Est-tu, Titus?

What, another Ottawa-based good idea? Apparently! Titus Systems is making in-roads around "information classification". In other words, tagging files and documents with classifications like secret and confidential. Couple that with Microsoft's Rights Management Server (RMS) and maybe some of those documents that we author here at Quest Software wouldn't end up over at my competitor ("Company G") so fast. Well, they'd probably end up over there just as fast but at least they'd be unreadable.

It seems Titus is closing some big deals in this area. I'm hopeful that RMS might actually go somewhere. It's still not ready for prime time in an internet environment (Ever try to read an RMS-enabled document sent from another company? It's not exactly a perfect user experience - if it works) but most companies start with cleaning up their own house before they start worrying about external communications.

Keep your eye on Titus...

Splunk. The search engine for IT data.

I headed over to the Splunk booth to see their product which is used for searching log files (and other files). My first question, before even seeing the demo, was: Why would I buy this when I could go out and purchase one of those new Google Mini appliances? I guess I wasn't the first to ask that question!

I was then treated to a pretty amazing demo that showed how a typical administrator would start to search for an event - like a failed logon - and how you could drill down through months of logs, do additional drill-down, context-sensitive searches, output SQL tables, build graphics and "play" with the data in the most amazing ways - all from the browser. I absolutely understand why they are getting so much market attention...

- Very sexy and capable interface
- AJAX-based
- Intuitive
- Cross-platform, including Mac OSX
- Very, very fast

My only negative is they only run on Unix/Linux. No Windows! I can't refrain from this product management suggestion: Get a Windows version out as soon as possible guys. Please!

Thursday, February 08, 2007

Omada's Identity Manager

I had a personal demo of Omada's Identity Manager product which sits on top of Microsoft Identity Integration Server (MIIS). Really interesting product that makes setting up workflows and business processes really easy - nearly trivial. It also enables role-based access control; again via MIIS. Even though I had to bite my tongue a number of times during the demo - I wanted to make some pretty strong suggestions regarding the product - I think it's pretty neat. I really like the fact that Omada uses SharePoint as their interface.

If you have MIIS you should take a look at Omada's product. It is pretty cool.

But if I were them I'd add...and I'd change, bite bite bite... (sorry).


Active Directory integrated Biometrics

I ran into my friends Vance Bjorn (CTO) and Fabio Righi (Prez & CEO) of DigitalPersona while I was at RSA. It was really great to see them. They are making tremendous progress with their biometric fingerprint readers. They've never told me but I am pretty sure they have OEM'ed their readers to the likes of IBM for use in their ThinkPad computers. I hope so because I have a ThinkPad and use my fingerprint to login to Windows all the time. I know that they are the OEM for the Microsoft fingerprint reader.

Their stuff is really, really well integrated with Active Directory. They were one of the first companies to jump on using ADAM (Active Directory Application Mode) to get around the need for a schema extension to Active Directory. In addition, they can control almost every aspect of the reader via Group Policy.

If you buy a reader from DigitalPersona you can use it to enable domain logon. If you use the Microsoft OEM version you'll find out that this is specifically disabled. Seems that the nitwits over in the security group think it isn't as secure as a password. We all know how secure passwords are, right?!

Anyway, I wish them the best of luck. They've worked so hard on this and it's really great to see it taking off!

p.s. When I made the decision to leave Microsoft there were two companies on the top of my list that I wanted to work at. One was Vintela and the other was DigitalPersona.


Wednesday, February 07, 2007

Identity Lifecycle Manager

Microsoft announced Identity Lifecycle Manager 2007 (ILM 2007) at the RSA show along with their strategy for the next couple of years. ILM 2007 is basically the current MIIS 2003 revved up with a new management agent for Microsoft Certificate Lifecycle Manager (CLM) and reduced pricing ($25K/CPU to $15K/server).

ILM 2007 is also the ship vehicle for CLM which was the Alacris product that Microsoft acquired last year. Alacris was - yes, you got it - another Ottawa company! If you want to manage the lifecycle of a certificate through ILM 2007 you'll have to purchase the product for $15K per server and then pay $25/CAL for the certificate piece.

Also announced was ILM "2" which is due out "late 2008". Microsoft stated that ILM "2" will enable you to manage your identities in Active Directory much better than you can today. Of course, if you want to actually do that today you could achieve that with some fabulous Quest Software products! Of course, Quest Software is also an ILM partner.


Got a sec for IPSec? Apparently Deloitte does!

In a previous post, I asked about IPSec and what people were doing with it - if anything. I truly believe that in this world "there are no accidents" and this belief was supported by having Deloitte Consulting at the booth across from Quest Software's booth touting IPSec!

In another "there are no accidents" coincidence it turns out that Derek Street who was staffing the Deloitte booth is from Ottawa - my home town. Amazing. Derek is a big believer in IPSec. In fact, I would call him an IPSec crusader. It was interesting to fill Derek in on what we were doing with our Vintela products around IPSec and how I was marrying some of our Windows research into the mix. Derek handed me a very nice brochure and white paper that describes Deloitte's solution and technical details. I'm sure if you dropped Derek an e-mail at destreet@deloitte.ca he could send you a link to the materials. They're quite good.

Keep up the crusade, Derek. I'm with ya!


Who is using CardSpace?

Well, that's an interesting question. Clearly, Microsoft needs to get some web properties behind CardSpace. It's part of Vista and people are buying Vista. Who can I use CardSpace with today? As far as I know, you can't use CardSpace with anything other than some test web sites. But, I sat through a demo of CardSpace today and took the picture you see below (click to supersize). Notice that the Wachovia logo is being used in the demo.

Their logo wouldn't be on this demo unless there was something to it. Let's hope that Wachovia is one of the banks that has committed to CardSpace! Who is next?


The Coolest Booth Gadget at RSA...

I've seen a lot of booth gadgets in my time but this is about the coolest one that I've seen in years. This was in use at the Arbor Networks booth. Basically, the gizmo released a very cold stream of gas that caused the air to condense around it as it "poured" towards the floor. It almost looked like a waterfall - a "fogfall". Then they used a projector to project images and text onto the fog as you see in the photo above.

No matter how many times I entered the exhibit floor I always wanted to walk by and see the effect...

Tuesday, February 06, 2007


Congrats to my good friend Kim Cameron. His "InfoCard" creation, now called CardSpace, was a highlight of Bill Gates' & Craig Mundie's RSA keynote today...

Mundie: ...one of the things I personally really like is the work that was done in Windows Vista with this capability we call CardSpace. What I think we tried to do there is to create a vehicle that allows people to have a GUI for credentials that represent their identities or different personas in any of these situations. It should be no more difficult for someone, given a particular situation, whether they're shopping or applying for some e-government transaction, it should be no more difficult for them to identify themselves in a relevant way, in a controlled way online than it is for them to walk into somebody's office or a counter or a grocery store, and reach in their pocket or purse and take out a credit card or a driver's license

Gates: ...that's one thing we're announcing today is that we're going to support this Open ID 2.0, and they're extending what they've done so that this credential capability moving beyond passwords, the CardSpace capability, they're going to have that as a standard capability, partly because they see that it solves some problems, some attacks and some complexity for the user that a pure password approach is always going to have

Kim has posted and blogged about the coverage of the announcement far better than I could so I leave it to you to head over to his blog if you'd like to read more about all of the coverage...

Interoperability is always a good thing so it's pretty easy for me to applaud Bill's announcement. I hope it helps to bring the camps together. I can tell you from both my personal and professional knowledge of Kim that he is the real deal. He is not a Microsoft "stooge" as some have made him out to be and I am willing to bet a fine bottle of wine that he was the primary driver behind this interoperability statement.


Monday, February 05, 2007

Backstage at RSA

Many years ago I used to help organize conferences for the Association of Banyan Users International. I had the privilege of being the association president for a few years. Anyway, we worked with an association management company called Danieli & O'Keefe Associates and in particular Phyllis Danieli. Fast forward a bunch of years and a bunch of jobs and Phyllis now works for Nth Degree who organize and manage the RSA conference.

Phyllis and some of her staff took me on a tour and showed me around backstage. The picture above is the team getting prepared for Art Coviello's keynote session. There are over 15,000 attendees at this year's show. The show floor is maxed out at 400 exhibitors and the show has been growing about 20% a year. Not bad, eh?

I admire what Phyllis and her team have been doing. Not only keeping the conference theme fresh but all of the research and focus groups they hold in order to bring a better conference to the industry year after year. I'm sure it's not an easy job.

I've been visiting lots of booths and seeing new and old products. I'll blog about a few of those over the next few days.


Friday, February 02, 2007

I'll be at RSA next week...

This year I'm hoping to spend more time on the show floor checking out new (and old) products and companies. I'll be trying "mobile" blogging with my cell phone. I will certainly be blogging about interesting Active Directory and Identity Management companies and tools that I see!

Of course, Quest Software has a booth on the show floor and we'll be demoing our identity management, Active Directory and compliance solutions. We'll also be participating in the Microsoft Partner Pavilion and hosting a customer dinner. If you are at the show drop by and say hello - we'd love to see you!


Thursday, February 01, 2007

Google Mini appliance to support Active Directory

The new Google Mini appliance will support Active Directory. The support for AD will be available in the 2.2 version of the appliance which releases next week. Adding the support for AD makes perfect sense. If you're going to index documents in a corporate network you need to support AD.

I understand that it will also serve up results based on your own identity/authorization. So, you may search for "Quarterly results" and it may have 50 search results for this term but if you don't have access to those directories or files then the Mini will not serve up the results to you.

This implies to me that it is caching the ACLs. Hmmm, interesting. I can see a lot of potential here. If I were an administrator or, even better, an application, how could I access that ACL cache? Assuming Google knows how to search (!) wouldn't it be great if there was a complete enterprise ACL cache out there that is searchable? If Google Analytics could report on the ACL cache? If Google Analytics could show the changes over time, the changes to a file or directory's security settings, answer questions like "What files does Jackson have access to?", etc.

The "Google Compliance Appliance"?

Very interesting...
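The security-trimmed search the post describes, as an added example that is not Google's or the Mini's code: a small Python index that caches each document's ACL at index time, filters search hits down to what the searching user may read, and answers the post's own question of which files a given user can access straight from the cached ACLs. The paths, principals, group memberships and the simplified allow/deny ACL model are all constructed assumptions for illustration, not the appliance's real data model.

```python
"""Security-trimmed search over a cached ACL index (constructed example).

Models the behaviour the post describes: an index that stores each document's
ACL beside its content so results can be trimmed to the searching user's
authorization without touching the file server at query time. Everything
below (paths, ACLs, group membership) is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: allow or deny READ for a user or group."""
    principal: str
    allow: bool = True


@dataclass
class Document:
    path: str
    text: str
    acl: tuple


# Constructed sample corpus; the UNC paths and ACLs are invented.
DOCUMENTS = [
    Document(r"\\fs1\finance\Q4-quarterly-results.docx",
             "Quarterly results: revenue up", (Ace("Finance"), Ace("Execs"))),
    Document(r"\\fs1\hr\quarterly-results-headcount.xlsx",
             "Quarterly results for headcount", (Ace("HR"),)),
    Document(r"\\fs1\public\all-hands-quarterly-results.pptx",
             "Quarterly results all-hands deck", (Ace("Domain Users"),)),
    Document(r"\\fs1\finance\audit-notes.txt",
             "Audit notes, quarterly results draft",
             (Ace("Finance"), Ace("jackson", allow=False))),
]

# Constructed group memberships, standing in for what AD would return.
GROUP_MEMBERSHIP = {
    "jackson": {"Domain Users", "Finance"},
    "maria": {"Domain Users", "HR"},
    "guest": set(),
}


def principals_for(user: str) -> set:
    """Identity set used for ACL evaluation: the user plus all of their groups."""
    return {user} | GROUP_MEMBERSHIP.get(user, set())


def can_read(user: str, acl) -> bool:
    """Windows-style evaluation: an explicit deny matching any of the user's
    principals wins over every allow; otherwise at least one allow must match."""
    mine = principals_for(user)
    if any(not ace.allow and ace.principal in mine for ace in acl):
        return False
    return any(ace.allow and ace.principal in mine for ace in acl)


class AclIndex:
    """Inverted term index that caches each document's ACL at index time."""

    def __init__(self, docs):
        self.docs = {d.path: d for d in docs}
        self.terms = {}
        for d in docs:
            for term in set(d.text.lower().split()):
                self.terms.setdefault(term.strip(",:"), set()).add(d.path)

    def search(self, user: str, query: str) -> list:
        """Paths matching every query term, trimmed to what `user` may read."""
        hits = set(self.docs)
        for word in query.lower().split():
            hits &= self.terms.get(word, set())
        return sorted(p for p in hits if can_read(user, self.docs[p].acl))

    def accessible_to(self, user: str) -> list:
        """Answer 'what files does this user have access to?' from the ACL cache."""
        return sorted(p for p, d in self.docs.items() if can_read(user, d.acl))


if __name__ == "__main__":
    index = AclIndex(DOCUMENTS)
    for who in ("jackson", "maria", "guest"):
        print(who, "->", index.search(who, "Quarterly results"))
    print("jackson can read:", index.accessible_to("jackson"))
```

The point the trimming illustrates is that the index becomes a second copy of the file server's authorization data: it is only as fresh as the last crawl, so a permission removed on the share can still leak a document's existence (and its snippet) until the ACL cache is refreshed, which is the caveat to weigh alongside the reporting possibilities the post imagines.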
