Thursday, May 31, 2007

dunnhumby eliminates the cause of their headache

I love customer success stories as you know...

dunnhumby Saves Time, Reduces Costs and Creates a Secure Mixed IT Environment with Vintela Authentication Services

Here's how the customer defined success...

1. Achieved time and cost savings by not needing to spend additional resource resetting passwords and creating multiple accounts. (End-users only need one account now)

2. Achieved up to six hours of time savings per week through reduced administration and maintenance of user accounts and permissions. (Everything occurs in one place now)

3. Reduced the risk of security breach. (De-provisioning in one place)

4. Removed the need for separate Windows and Unix support teams for account management. (The Windows guys do it all)

5. Expected complete ROI within 12 months.

This is about identity consolidation - not identity management. What's the difference? Consolidation is a simplification of your environment. Management is simply doing what you are doing today by either automating or improving the processes.

Why manage a problem when you can eliminate it??

p.s. This is a great example of my #3 tenet of identity management: Stop taking aspirin - Eliminate the cause of the headache

Wednesday, May 30, 2007

Password management in Windows Server 2008

John Fontana wrote up a story on password management in Longhorn (Windows Server 2008). Here's a quote from his article: (emphasis is mine)

“This [fine-grained policy control] is solving a user pain point,” said Ward Ralston, senior technical product manager for Microsoft. He said users no longer have to worry about maintaining password policies in many different locations and segmenting users based on password policy requirements.

With the new Longhorn password policy feature, Ralston said administrators will use Active Directory Services Interface (ADSI) to create a new Active Directory password object. The object is then assigned to a user or group of users. The policy requires that the user create passwords that adhere to certain rules, including how often the password must be updated.

As always, the devil is in the details! How many administrators are proficient at using "ADSI to create a new Active Directory" anything? That translates to programming to create the object. Or, you could use LDP which is practically a fate worse than death.

There is already a great tool for creating and applying policies across your Windows network - it's called Group Policy. That's what customers today already use for setting their Windows 2000 and Windows Server 2003 password policies.

Identity management survey

Kim Cameron is asking folks to help his buddy Marcus Lasance publicize his identity management survey, so help out by passing on the news!

Marcus Lasance has a sterling reputation in identity management, having contributed to its evolution for many years now.

He was well known as managing director of MaXware (recently acquired by SAP) and is now involved with Siemens. For those not familiar with the European landscape, both of these companies have done extraordinary identity work.

Marcus has put together an identity management survey that I promise isn’t an advertising gimmick, and has offered to share the results with the blogosphere, so why not help out? I did. Now I’m going to pass the URL on to some of my friends in the Microsoft IT department, since they will have more relevant answers than I do as an architect. You may want to answer it directly, or pass it on to your IT colleagues.

We need a broad-scope identity conference

This is the title of Dave Kearns' "Network World's Identity Management Newsletter" of 05/30/07. I totally agree with his comments...
Now, I do agree that we need more conferences of this type. We do have them in North America – things like Courion’s Converge, the Internet Identity Workshops and NetPro’s Directory Experts Conference come to mind – but it’s generally organized around a particular vendor, product or technology rather than as part of a conference covering a broad spectrum of identity. Maybe what we really need is an identity fair (or “identitie faire”) with PowerPoint presentations for those who need them and hands-on labs for those who don’t. Something for everyone, under the big top. Not just a “dog-and-pony” show, but a real three ring circus. Who’ll step up and organize this?

Count me in to help in any way, but as a vendor I can't organize it; otherwise it would be just another vendor show... Catch-22.

Tuesday, May 29, 2007

Microsoft's Virtual Directory Takes Hold??

I just read an article titled "Virtual Directories Take Hold" that was published in the April 16, 2007 issue of Network Computing. Interesting to note that the author states it is "not surprising that Microsoft and Novell provide virtual directories".

I'd like to find Microsoft's. As far as I know it is still - at best - a virtual idea...

p.s. I'm still not a big believer of these things.

Monday, May 28, 2007

Tenet #4 - Success Lies With Your End Users, Partners And Customers

Here's tenet #4 from my whitepaper "Tenets of Identity Management". Part #1 of the "Tenets of Identity Management" podcast is posted on the Quest web site.

Success Lies With Your End Users, Partners And Customers

Identity management projects tend to be both time- and resource-intensive, which means they will probably be costly. At the end of the day, your success is going to depend on your end users, partners or customers seeing the benefit of the projects. If the end result is simply saving some administrative time within the IT department, you won’t really be successful. Your work should be highly leveraged: every employee, partner or customer of your company should see the benefits of your work. They don’t have to say, "Wow, that identity management stuff is the cat’s meow!" However, you do want them talking about how their day-to-day activities have been simplified by self-service password management or automated role management. The more people who feel the positive influence of your project, the more successful your project will be.

Sunday, May 27, 2007

Tenet #3 - Stop Taking Aspirin—Eliminate the Cause of the Headache

Here's tenet #3 from my whitepaper "Tenets of Identity Management". Part #1 of the "Tenets of Identity Management" podcast is posted on the Quest web site.

Stop Taking Aspirin—Eliminate the Cause of the Headache

Sometimes you can’t see the forest for the trees. In organizations, this is often a problem. A company will be implementing an identity management project and, like most companies, it will have multiple LDAP-based directories that require synchronization—at least that’s what the company believes the solution to its problem is. My questions are always the same: What is the purpose of these directories? Why is there more than one? Why are they from different vendors? Once you start looking at the details, you usually discover that the company can consolidate one or more of those directories and eliminate the need to synchronize others. That’s solving the problem. It’s also making the environment simpler. Don’t get me wrong; I’m not saying you can consolidate all your directories into one, but I’m willing to bet you can eliminate a few of them. The fewer moving parts you have, the better—it simplifies your environment.

Additionally, think of the benefit across other departments in your company. If you can, consolidate around one vendor’s directory. Or, eliminate one vendor’s directory software entirely. By doing this, you eliminate the need to maintain additional licenses or track those licenses. Your operations people will thank you because they can toss the operational aspects of monitoring and backing up that directory or system. Everyone wins.

Saturday, May 26, 2007

Tenet #2: KISS—Simpler is Always Better

Here's tenet #2 from my whitepaper "Tenets of Identity Management". Part #1 of the "Tenets of Identity Management" podcast is posted on the Quest web site.

#2 - KISS—Simpler is Always Better

The main reason most companies get involved in an identity management project is that their environment has gotten complex beyond their ability to control it either by manual or automated processes. You need to avoid the easy way out: simply automating what you currently have. While this may temporarily solve your problem, the end result will be an inefficient, but automated set of identity processes. Because they’re inefficient, these processes will probably break down at the most inopportune times. Or, when they break down, the effect will be noticed by senior executives at your company.

It is crucial to put all aspects of your identity management project and associated business processes under a magnifying glass. Always ask whether it is possible to simplify a process or to re-use a particular process in another part of your project.

An easy way to illustrate this is to examine where provisioning actually begins in your company. In most cases, once a decision to hire or retire an employee is made, it is typically the human resources department that begins the process. How does your provisioning software find out about the event? Hopefully, it is notified in real time. If not, it probably finds out by some sort of file transfer to a specific network directory where it then polls the directory looking for the file, and then acts on it. While both methods achieve the same result, the simpler method is for the provisioning software to be notified in real time of the event. A real-time update means faster provisioning (increased productivity) and de-provisioning (increased security) of the employee data occurs without additional moving parts. Provisioning via a file transfer makes you rely on the success of the transfer, the availability of the network location and your ability to handle all the errors to ensure that everything works properly. I can’t count the number of times a piece of code has failed and the result was that hundreds of accounts were accidentally deleted. Of course, Murphy’s Law will always ensure that a number of high-level executives are included in those deleted accounts.

Keep it as simple as possible. You’ll receive fewer late-night and weekend phone calls.
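The file-transfer failure mode described in this tenet (a broken feed or broken code quietly de-provisioning hundreds of accounts) is worth seeing in code. The following is an added example, not code from the white paper, the podcast or any Quest product: a small Python sketch of the guard rails a polling provisioning job should have before it acts on an HR export. The feed format (one "employee_id,status" row per line, closed by a "TRAILER,<row count>" record), the sample feeds and the 10% mass-disable ceiling are all constructed assumptions for the illustration.

```python
"""Guard rails for a file-transfer-driven provisioning feed (constructed example).

An HR export is dropped into a network directory and polled. A truncated,
empty or mis-exported file must never be read as "everyone has left".
"""
from dataclasses import dataclass


@dataclass
class Plan:
    create: list          # employee ids that need an account
    disable: list         # employee ids whose account should be de-provisioned
    halted: bool = False  # True when the run must stop for manual review
    reason: str = ""      # why it was halted


# Constructed policy: never auto-disable more than 10% of existing accounts in one run.
MAX_DISABLE_FRACTION = 0.10


def parse_feed(text):
    """Parse 'employee_id,status' rows terminated by a 'TRAILER,<count>' record.

    Raises ValueError when the trailer is missing (a truncated transfer) or when
    its count disagrees with the rows actually received.
    """
    rows = {}
    trailer = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(",")
        if key == "TRAILER":
            trailer = int(value)
            continue
        rows[key] = value
    if trailer is None:
        raise ValueError("feed has no trailer record (truncated transfer?)")
    if trailer != len(rows):
        raise ValueError(f"trailer says {trailer} rows, file has {len(rows)}")
    return rows


def build_plan(feed_rows, existing_accounts):
    """Diff the HR feed against current accounts and apply the mass-disable ceiling."""
    active = {eid for eid, status in feed_rows.items() if status == "active"}
    create = sorted(active - existing_accounts)
    disable = sorted(existing_accounts - active)
    limit = MAX_DISABLE_FRACTION * len(existing_accounts)
    if existing_accounts and len(disable) > limit:
        return Plan(create, disable, halted=True,
                    reason=f"{len(disable)} disables exceed the ceiling of {limit:.0f}; "
                           "manual review required")
    return Plan(create, disable)


def process_feed(text, existing_accounts):
    """Turn a raw feed into a Plan; any integrity failure becomes a halted plan."""
    try:
        rows = parse_feed(text)
    except ValueError as exc:
        return Plan([], [], halted=True, reason=str(exc))
    return build_plan(rows, existing_accounts)


# Constructed sample data: ten existing accounts, three flavours of HR export.
EXISTING = {f"e{n}" for n in range(100, 110)}

GOOD_FEED = """# constructed HR export: one leaver (e105), one joiner (e110)
e100,active
e101,active
e102,active
e103,active
e104,active
e105,terminated
e106,active
e107,active
e108,active
e109,active
e110,active
TRAILER,11
"""

# The transfer died mid-file: no trailer, last row cut off.
TRUNCATED_FEED = "# constructed HR export\ne100,active\ne101,active\ne102,act"

# Well-formed file, but HR exported everyone as terminated by mistake.
MASS_FEED = "\n".join(f"e{n},terminated" for n in range(100, 110)) + "\nTRAILER,10\n"


if __name__ == "__main__":
    for name, feed in (("good", GOOD_FEED), ("truncated", TRUNCATED_FEED), ("mass", MASS_FEED)):
        print(name, process_feed(feed, EXISTING))
```

The good feed yields one create and one disable and proceeds; the truncated feed and the mass-termination feed both halt before anything is touched. The point is that a real-time notification removes the transfer and the polling from the picture entirely, but wherever the file-based path remains, the integrity check and the ceiling are the minimum that keeps one bad night from deleting the executive floor.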

Friday, May 25, 2007

Tenets of Identity Management

A little while ago I finished a white paper I titled "Tenets of Identity Management". I've recorded a 3-part podcast to go along with the white paper. Part #1 of the "Tenets of Identity Management" podcast has just been posted on the Quest web site. I invite you to take a look at the white paper or the podcasts as they post. I'll let you know when the next parts of the podcast post.

Here's the first tenet...

1. Identity Management—Everyone defines it differently

The first thing you should recognize—if you haven’t already—is that the term “identity management” is very overloaded. If you ask 10 people to define identity management, you will get more than 12 definitions—guaranteed. One of your most critical tasks is to clearly define what identity management means to your company within the context of what you are trying to accomplish.

After you have defined identity management in the context of your company, you must get “buy in” from your colleagues, and more importantly, your sponsors, and management. Rest assured, someone will believe that single sign-on, password synchronization, or provisioning of office furniture will be part of your project if you don’t define and announce it!

Here’s an example from an identity management vendor: “Oracle Identity Management allows enterprises to manage end-to-end lifecycle of user identities across all enterprise resources both within and beyond the firewall. You can now deploy applications faster, apply the most granular protection to enterprise resources, automatically eliminate latent access privileges, and much more.”[1]

What worries me about this definition is the “and much more” phrase. Rest assured that one of your senior executives will decide what that means and you will soon be traveling the corporate road to perdition[2].

In the spirit of fair play, here’s another example: “Novell® Identity Manager is an identity management solution that automates user provisioning and password management throughout the user lifecycle—delivering first-day access to new users, modifying or rescinding access as necessary across all systems, and synchronizing multiple passwords into a single, strong password.”[3]

Notice any differences? Oracle’s definition implies that they can handle “resources both within and beyond the firewall”. Novell’s definition doesn’t seem to address identity management beyond the firewall but it synchronizes multiple passwords into a “single, strong password”. If you look further, you’ll see that the definitions that BMC, Computer Associates, IBM, and Microsoft use are all different in subtle and not-so-subtle ways.

You have identified a problem in your company and you have concluded that the problem is related to what the industry is calling “identity management”. You must clearly define in your project documents exactly what identity management means within the scope of your problem and proposed solution. If nothing else, it will help to prevent scope “creep” and will serve to ensure success once you’ve completed your work.

[1] Dec. 9, 2006 -
[2] Perdition–a state of punishment which goes on forever.
[3] Dec. 9, 2006 -

Thursday, May 24, 2007

Human factors

I said in my previous post that my #1 priority resulted in choosing Banyan VINES as our network operating system. In rolling out the Banyan VINES network over the next year or so I learned a lot about e-mail, directories and directory synchronization. This on the job experience proved to be invaluable in understanding the complexities and human-factors side of these technological problems...

  • Our office in Kenya would regularly lose its connection to the X.25 network. It happened the same day every month. Turns out the technician for the Kenyan telephone company would disconnect us, go and sit in the bar across the street and wait for one of us to come over and buy him a beer and slip him a little something.

  • I sat outside the Indian communications agency's managing director's office for an afternoon because no one in his office would believe that their modems were all configured incorrectly - across the country! Turns out they were set to 7-bit operation and not 8-bit. No one seemed to care they couldn't transfer a binary file over their network.

  • One of the operations staff was reading the newspaper on a Sunday afternoon in the computer room. His feet slipped off the console, landed on a server that was on wheels, the server skated over to the open tile on the raised floor and fell a couple of feet. It continued to run. He picked the server up, replaced the tile and went back to work. A few days later we had a complete server failure.

  • We had just installed fiber optic connections to our servers in Singapore. A cleaner is mopping the floors and accidentally pushes a server back towards the wall and snaps off the fiber connections. Remote diagnostics of that one from Ottawa was a lot of fun. No one thought to get the cleaner on the call.

  • I'm standing on an overlook on Highway 1 on the coast of California and my cell phone rings. One of the managers says our new VINES server isn't working - we had just finished putting our first "VINES on Unix" server in production. He says "We're going to turn it off and turn it back on". I scream "Noooooooooooooooo" into the phone as I hear him click the switch. It's not a good idea to turn the power off to a Unix server - it takes the team three days to get it restarted.

I'm sure we all have stories like these. They're funny when you think about them now but they've left scars. I still won't buy a server that's on wheels...

Wednesday, May 23, 2007

My example of a disruptive technology

Back in 1989 I started my second job as an "analyst" at the International Development Research Center in Ottawa, Canada. Little did I know how much my first two priorities would change my life:

  1. Make a recommendation on which local area network to purchase and deploy from the vendors: 3COM, Novell and Banyan.

  2. Replace the $60,000/month Telex operation with electronic mail.

For the first task we did a pretty thorough evaluation and picked Banyan VINES as our network operating system. The main reason was because Banyan seemed much more efficient handling remote offices like we had in Nairobi, Cairo, Delhi, Singapore, Montevideo and Dakar.

For the second task we got all of our offices accounts on an email system sponsored by CGNet.

We managed to get #2 implemented before rolling out the world-wide Banyan VINES network. The savings were astounding. We went from $60,000/month to $6,000/month within the first two months. We then improved on that even further by implementing a product called "Zoomit RemoteLink Plus" which helped us reduce our costs another order of magnitude to $600/month. This was my first introduction to Zoomit and to what is now known as a "disruptive technology".

Tuesday, May 22, 2007

Crossing the Chasm - or falling in?

Interesting post titled "MIIS SP2/ILM 2007 Timeouts, Out of Memory Errors and the Dreaded BAIL: MMS" over at Brad Turner's 1dent1ty cHa0s blog. I have been a long, long believer that MIIS is too complicated and suffers from being over-engineered and over-designed. It was okay when we released it in 1996 but now, 11 years later?

Time for some serious simplification in my humble opinion. Metadirectory and directory synchronization are mainstream technologies now and they must be simple to use. Unfortunately, nearly every solution has evolved from the mid-90's and has brought that over-engineered and over-designed architecture and philosophy of the "technology enthusiasts" market with them.

The solutions that win in this market will be easy to use. They may not do everything and solve every little issue but they will be simple to use.

Geoffrey Moore's seminal book titled "Crossing the Chasm" is a must read book. I recently had the opportunity to send the following snippet from his book to some folks...

“The Other Crack” (emphasis is mine)

“There is another crack in the bell curve, of approximately equal magnitude, that falls between the early majority and the late majority. By this point in the Technology Adoption Life Cycle, the market is already well developed, and the technology product has been absorbed into the mainstream. The key issue now, transitioning from the early to the late majority, has to do with demands on the end user to be technologically competent. Simply put, the early majority is willing and able to become technologically competent, where necessary; the late majority, much less so. When a product reaches this point in the market development, it must be made increasingly easier to adopt in order to continue being successful. If this does not occur, the transition to the late majority may well stall or never happen.”

I'm not sure that MIIS will cross the chasm successfully. The fact of the matter is that the market may be stalled - in fact I believe it is - due to the fact that many of the products out there are still too complicated to use.

Monday, May 21, 2007

Authorization is the next battleground

James McGovern blogged about authorization a few days ago. His view is spot on to what I have been thinking. Enough already with authentication. Let's move on to the hard stuff like "provisional authorization" that James describes.

There's an elephant in the room out there folks and it's called authorization...

p.s. Gerry Gebel over at the Burton Group has a good blog entry on this topic.

Active Directory Forest Recovery

There isn't a tool out there that will recover your AD forest if it is corrupted or you want to really back out a schema extension. Yes, Microsoft does have a 45-page prescriptive guidance document on forest recovery but no automated tool.

Quest just released an add-on to our Recovery Manager for Active Directory product that will automate forest recovery for you. Enterprise Management Associates published an article that you might be interested in reading about it.

In the event of a major AD failure (irreversible database corruption, unwanted schema extension, virus attack, etc.), Recovery Manager for Active Directory Forest Edition simplifies and accelerates the AD recovery process so that critical business operations suffer minimal delay. Recovery Manager Forest Edition provides full automation of forest recovery tasks from a single control console. Key features include selection of point-in-time (unaffected) backups for all domains, progress tracking of domain controllers (DC) restorations, quarantine of corrupt DCs (preventing their replication with the newly restored environment), and simultaneous restoration of all DCs in the forest to enable the fastest possible recovery.

As they used to say on Monty Python's Flying Circus: "No one expects the Spanish Inquisition!".

No one expects an Active Directory forest failure either...

Saturday, May 19, 2007

Proof of extraterrestrial life?

This picture was taken in the summer of 1993 by a friend. The man on the left is reasoning with the Remulakian on the right who was attracted by the immense bonfire in the friend's backyard. Apparently the discussion between the two centered around whether or not the Remulakian's identity would be disclosed further than between the two parties that were part of the conversation.

That visit and conversation became the germ of the "Laws of Identity" and specifically "user control and consent" and "limited disclosure for limited use". Little did they know that the press hadn't read the laws yet...

Friday, May 18, 2007

My Bottom 10

Over the years I've heard a lot of amazing things. I thought I'd entertain you with my "Bottom 10" list...

  1. Jackson: What software do you use to monitor Active Directory? A: Helpdesk. Jackson: Helpdesk? Who makes that? A: No, I mean our helpdesk calls and tells us there's a problem with AD and we look into it.

  2. Jackson: Why are you synchronizing all the identity information in Active Directory with the XXX directory? A: That's so our end-users can use the corporate white pages application to look up employees' phone numbers, manager, office location etc. The synchronization doesn't work that well, it takes a long time and tends to fail so we have data integrity problems. Jackson: How about pointing the corporate white pages application at Active Directory and eliminating the synchronization step entirely? A: We've always done it this way; I'm not sure we could do that. Could we?

  3. Jackson: You could use Active Directory to host that extranet application. The software cost to host the 60 million users (really!) would probably be a lot less than $10,000. You might want to consider that in your choice of identity stores. A: Well, we've got a really good discount on XXX's directory and we've used it in the past. Jackson: Do you use Active Directory? A: Yes, we use it for all of our employees - over 100,000 people are in it. Jackson: You're happy with it? A: Oh yes! Jackson: So why don't you talk to Microsoft and use it for the external project? A: Well, you see we have $5M to spend on the project and at $0.05/user for 60 million users we're getting a really good deal from XXX. Jackson: It's practically free from Microsoft. A: But we are really getting a good deal...

  4. Jackson: Have you implemented XXX's identity management product? A: Well, not really. Jackson: Why not? A: We haven't been able to get it to work. Jackson: Do you have a good consultant working with you? A: Oh yes, we have a large team from XXX working with us. Jackson: How long have they been working on it? A: Just over two years now.

  5. Jackson: We have that functionality available now. A: But XXX was in here last week and they said they'd have that functionality in mid-2008. Jackson: We have that functionality available now. A: We're going to wait for XXX. Jackson: If XXX had that functionality today would you buy it from them? A: Yes. Jackson: We have that functionality now. A: Yes, but...

  6. Jackson: How long ago did you migrate from NT to AD? A: It's been at least two years now since we finished our migration. Jackson: Awesome! You must be happy with the savings. A: Well, we've actually not seen any savings. Jackson: Why not? Aren't you using delegated administration, Group Policy etc etc etc? A: We just migrated each NT domain to its own AD forest so we haven't really been able to do any of that. Jackson: That really isn't the way you're supposed to upgrade. A: We know.

  7. Jackson: How long have you been working on integrating your Unix & Linux systems with Active Directory? A: Just over 18 months now. Our solution works great in the lab but when we try to roll it out across the enterprise it just doesn't scale. Jackson: Why do you think you've had that problem? A: The sheer number of versions of Unix and Linux that we have. Jackson: How many? A: At last count, over 30. Jackson: Have you thought about trying to reduce the number of versions of Unix and Linux that you use? Or, have you thought about a commercial solution to your integration problem? A: No, we're using an Open Source solution. Jackson: OK, but it's not working, right? A: Right.

  8. Jackson: What's your biggest priority right now? A: Setting up some external systems for our partners so they can do order access, inventory, shipping and the like. Jackson: So you're thinking of federation? A: You mean like in Star Trek? (I swear this is true!)

  9. Jackson: Have you considered a password reset product? A: We looked at one but we consider it a security risk. Jackson: Why? A: Because someone could guess the answers to the questions that let you reset the password. Jackson: How do you handle resets today? A: The user calls the helpdesk. Jackson: How does the helpdesk verify who they are? A: They ask them their name, department and extension. Jackson: Isn't that information published in Active Directory?

  10. Jackson: Why don't you automate the process with software? A: I don't want any more software running on my servers. Jackson: But the documentation on implementing the process manually runs to over 300 pages and it's wrong. Why don't you purchase some software to automate it? A: I don't want any more software running on my servers.

Wednesday, May 16, 2007

Microsoft, Patents and the Sopranos

Steve Walli is an old buddy from Microsoft who came over via the Softway Systems acquisition a few months after Zoomit was acquired. He's since left Microsoft and has been very actively blogging about open source. His recent post about the whole Microsoft/Linux patent issue and holding customers for ransom really hit the mark...

First, to reiterate, as a customer I am completely uninterested in buying something from a vendor, and then paying every other vendor in the space a license to their possible additional but unproved patents. I'm not even interested in licensing their PROVED patents. Patents are vendor to vendor discussions. To make sure the license wonks in Microsoft Legal and Corporate Affairs understand what I mean: As a customer, when I buy my Xerox copier, I do not intend to additionally license patents from HP, Canon, Epson, or ANY other copier manufacturer. I buy solutions from my vendors, and I expect value for money. I am uninterested in your protection shakedown. Move on. The bullying of customers stops now.

It's a great post and puts an interesting perspective on the issue. Check it out!

Tuesday, May 15, 2007

Is the tail wagging the dog or did I just realize I'm a tail?

SAP acquires MaXware. What does it mean? SAP wants the company. The MaXware guys have been around for a long time, have a good set of products and a customer base - albeit a small one for being around so long (300 customers according to the press release).

What is SAP going to do with MaXware? Well, we don't know. Those plans are being worked on according to the press release. Here are some nuggets I pulled from the press release...

SAP AG today announced that it is extending the identity management capabilities in the SAP NetWeaver® platform

    Message: NetWeaver is the future. Move to NetWeaver. Guess if that will cost you any money.

The addition of new identity management capabilities in SAP NetWeaver will deliver an integrated platform to work across systems and across business processes, to manage identities and ensure security in real-time

    Message: All your bases are belong to us. You thought identity management, platform integration and security were the purview of IT?! Wake up and smell the kaffee we're brewing over here at SAP AG.

By combining MaXware’s proven, flexible and easy-to-configure identity management solution with SAP’s industry-leading business applications and SOA-based platform, SAP can offer an identity management solution that increases flexibility and agility of business units when managing employee identities and when managing identities across company boundaries with customers, distributors or suppliers.

    Message: That is, of course, if all those customers, distributors and suppliers are all sipping SAP AG's kaffee. If they're not, I guess you'll be on your own.

The addition of MaXware complements SAP’s business applications and platform and will enable customers to extend the value of their SAP investments. While the new MaXware capabilities in the platform will provide the functionality to centrally manage and provision identity information in SAP and heterogeneous environments, SAP GRC Access Control can deliver business value to the customer through its rich capabilities and content to support end-to-end compliance and risk management.

    Message: Ah, now we get to it. Take a look at SAP's GRC Access Control white paper and you'll see that they basically can manage and connect to: Oracle, SAP (duh), JD Edwards, PeopleSoft, Hyperion, "Legacy" and "Custom". I think that SAP AG's proposition of "managing identities across company boundaries with customers, distributors or suppliers" may fall flat on its face. Anyone out there have Active Directory, AS/400, mainframe, Unix, Linux, Siebel, Novell eDirectory or...?

SAP AG is acquiring MaXware because they believe that if they can control identities, security and roles from within SAP NetWeaver then they can "own" an organization. They can be the tail that wags the dog.

The few systems that SAP GRC can connect to today stand out like a sore thumb. Who could take them seriously? Now, with MaXware they'll be able to connect to many more systems, but will they be taken seriously?

I think SAP AG should stick to what they can do well and I don't think it's going to be this. Don't get me wrong - I'm happy that MaXware has been acquired and I am happy to see a new injection of excitement into identity management, roles, security and compliance since this serves to float everyone's boat higher. But, if SAP AG's vision is to own this problem space soup-to-nuts I think they'd better wake up and smell what the Rock is cookin'...

Monday, May 14, 2007

SAP acquires MaXware

The identity consolidation continues!! Here's the news. More comments later... (notice the SOA spin though)

SAP Extends Identity Management Capabilities in SAP NetWeaver with Acquisition of MaXware

SAP is Enhancing CIOs’ Ability to Centralize Identity Management and Increase Security Across Heterogeneous SOA Landscapes


Wednesday, May 09, 2007

BizTalk & ILM

You've probably heard that ILM - Identity Lifecycle Manager - is coming from Microsoft. ILM 2007 just released. ILM has connectors to a pile of systems like Lotus Notes, SAP, mainframes, LDAP directories, Novell, Oracle, etc.

On April 24, a new version of BizTalk was released. This release includes "identity services" which are defined as "authentication, access control and federated identity support; based on the WS-Trust specification". Of course, BizTalk also supports workflow services. Oh, and BizTalk has a pile of connectors to systems like SAP, mainframes, Oracle, JD Edwards, etc.

Two products, both similar and also dissimilar. Each has parts the other doesn't (e.g., MIIS does password synchronization while BizTalk does single sign-on). Both products are managed out of the same group at Microsoft.

What's the chance that they might be combined sometime in the future?? That might yield an interesting product: Legacy single sign-on, provisioning, password synchronization, password management, workflow services and connectors to a ton of systems. Interesting...


Sunday, May 06, 2007

Red Rock Canyon

Red Rock Canyon
Funny how many times I've been to Vegas and never knew there was anything to see that wasn't on the Strip.

This trip I managed to visit Red Rock Canyon just outside Vegas a couple of weekends ago. It was awesome. A perfect day for pictures of the amazing rock colors and formations. Click on the picture above if you'd like to see some of the pics I took...

Saturday, May 05, 2007

Never Give Up, Never Stop Trying: 7 Points To Success

We had a motivational speaker on the last day of Quest Software's Club 2006 trip. I didn't have any expectations that Rulon Gardner was going to rock my boat - but he did. After all, what was an Olympic wrestler going to teach me?

Well, I can tell you that Rulon certainly humbled me. Not only was he an amazing speaker but here's a guy that won a couple of medals at the Olympics, cheated death not once but twice and is now living his dream of teaching kids and giving back to society. He regularly turns down million dollar offers to wrestle on TV because his passion is teaching kids that they should never give up and never stop trying.

If you ever have the opportunity to see Rulon speak grab it. Next time you walk into Barnes and Noble or electronically stroll through pick up a copy of his book "Never Stop Pushing" and enjoy the ride.

What an amazing man. What an inspiration.

p.s. The image above is of me, Rulon and my wife Kathie getting the treatment from Rulon!


Friday, May 04, 2007

SAP certification - It's important

Our Vintela Authentication Services (VAS) product just received SAP Integration Certification.

Why is this important? It's important because if you are using a component that interoperates with SAP and it is not certified, then SAP will not support you if you call in with a problem.

As most of us know, SAP is typically the first system where someone is provisioned and it is the kickoff for many internal provisioning and identity management tasks for new hires, retirees, etc. You want to be using a component that is SAP Integration Certified. In fact, your company will probably demand it...


Thursday, May 03, 2007

What, there are already standards for this?

John Fontana writes about how the new proposed Microsoft, IBM identity protocol standard is spawning controversy.

A protocol developed by IBM and Microsoft for standardizing the sharing of user identities between companies was turned over to a standards body on Wednesday amid controversy that it overlaps with similar protocols already recognized as standards.

I absolutely agree with the issue raised that some critics are concerned with WS-Federation’s dependency on protocols such as WS-Transfer that are not yet standards. I find it a bit difficult to want to build products that are not built on standards. Usually, it works the other way... LDAP V3 builds on LDAP V2 which builds on LDAP - all of which have already been approved as standards...


New products for Active Directory and Exchange

We released a couple of new products last week. One that helps to recover AD forests in case of a complete corruption or to roll back a schema change. The other is for auditing non-owner access to Exchange mailboxes. Both pretty cool tools. Some information below...

Quest Strengthens Exchange, Active Directory Tools
Published: May 2, 2007
by Alex Woodie

Checking somebody else's e-mail is a fairly common occurrence. But what happens when the administrative assistant, for example, begins deleting or forwarding sensitive e-mail? Windows server tools maker Quest Software unveiled a new plug-in for its InTrust security and compliance tool last week that tracks and audits all Exchange mailbox activity. The Southern California company also updated Recovery Manager for Active Directory.

Quest's InTrust helps IT administrators by collecting, storing, reporting, and alerting administrators about activities occurring across their servers, databases, firewalls, and Web servers. With the new Plug-in for Exchange, managers can record all "unusual owner and non-owner access activity," including which e-mails are read, deleted, and copied, and by whom. It can also track changes made to Exchange configurations and permissions. Quest says it's the first product that can provide such capabilities.

"Business-critical information is sent via e-mail every day, and when misdirected, that information could potentially harm an organization," says Jackson Shaw, senior director of product management for Quest Software. "We can now help customers prevent this type of problem, and also help them meet compliance requirements."

Quest InTrust Plug-in for Exchange 1.0 is available now. Pricing starts at $20 per mailbox. This price also includes the Quest InTrust Plug-in for Active Directory, which is required to use this product.

Quest also unveiled a new release of Recovery Manager for Active Directory, a backup and recovery tool designed to speed the process of recovering damaged Active Directory objects due to application or human error.

With Recovery Manager version 7.6, Quest now provides automated restoration of an entire Active Directory forest to a point in time before the corruption occurred, which the company says should greatly simplify the disaster recovery process.

Shaw says Quest is the first disaster recovery software vendor to offer support for forest-wide recovery. "Our customers need to ensure the availability of their Active Directory 24 by seven," he says.

Even Microsoft applauded the development in Recovery Manager 7.6. John G. Chirapurath, director of identity and access product management at the software giant, says the addition of forest-wide recovery makes Recovery Manager "stronger than ever."

Pricing for Recovery Manager for Active Directory starts at $10 per managed user.


Tuesday, May 01, 2007

Identity and Access Management is Critical to Operations and Security

Aberdeen Group has just published a research study on identity management that you might find interesting.

“Identity and access management limits access to an organization’s resources to just those with legitimate access. The fact of the matter is that without it, organizations are at risk. The larger the organization, the more resources are in need of protection, the greater the stakes,” said Carol Baroudi, senior research director, security, at Aberdeen. “Unless mitigated by automation, the greater the complexity, the longer it takes to grant and revoke access. Decreasing time to legitimate access translates to a gain in productivity. Decreasing time to denying unauthorized access translates to narrowing a window of vulnerability.”

Quest Software co-sponsored the research - after the fact - but as part of our deal you get free access to Aberdeen's report. Just click on the link above to access it. What I liked about this study is how Aberdeen compared "best in class" companies to "industry average" and "laggards" with respect to their implementation of identity and access management. Here's a tidbit:

  • Provisioning - Best in class: Provision/de-provision in less than 4 hours! Industry average: 3 days or less. Laggards: 4 days or more.

As someone who spends money on market research this was the very first study that I (co-)sponsored after the report was written. Quest didn't get to participate in the research definition, methodology or surveys but I liked the results enough to sponsor it.

I hope you find it useful. I did!
