Friday, December 28, 2007

With PassGo we're #10...

IDC's "Worldwide Identity and Access Management 2007-2011 Forecast and 2006 Vendor Shares" has Quest Software listed as #15 in their table on revenue by vendor (report #207609) - just barely ahead of Microsoft.

IDC has PassGo listed as #24. The PassGo acquisition is set to close on January 1st, but if you add up Quest's and PassGo's revenue we jump from #15 to #10. That puts Quest Software solidly ahead of Microsoft and Sun.

My personal stretch goal is to get in the top 5 (software vendors) within the next 5 years...

Monday, December 24, 2007

Happy Holidays Everyone!

I just wanted to take a moment to wish everyone a Merry Christmas, Happy Holidays and all the very, very, very best for 2008.

If you haven't already "Elf'ed yourself" give it a whirl! Hurry, elfing ends on January 2, 2008!

p.s. Here's ours -

Tuesday, December 18, 2007

The perils of broken de-provisioning processes...

Interesting ComputerWorld story (Dec 17 issue) on page 36 - "Backing Up on Autoforward". Basically, the story is about an executive who left the company and for two months her e-mail continued to be autoforwarded to her - after joining a competitor!

The author identified the problem pretty directly:

We have a couple of problems. The first is that our employee termination process is broken. Ideally, we would have an identity management tool tied into our various enterprise systems. When an employee left the company, all access to our infrastructure and applications would be quickly removed. Unfortunately, we have neither the budgetary nor the human resources to do that.

I'd say that's a problem! I wonder if they have budget now?
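Even without an identity management tool, the gap in that story can be caught by reconciling the HR termination list against live accounts and forwarding rules. The sketch below is an added example, not from the ComputerWorld story or this blog; the data, field names and domains are constructed assumptions.

```python
from datetime import date

# Constructed sample data; field names and domains are assumptions.
TERMINATIONS = {"jdoe": date(2007, 10, 15), "asmith": date(2007, 12, 1)}  # HR feed
ACCOUNTS = [  # export from the mail/directory system
    {"user": "jdoe", "enabled": True, "forward_to": "jdoe@competitor.example"},
    {"user": "asmith", "enabled": False, "forward_to": None},
    {"user": "bwong", "enabled": True, "forward_to": "bwong@corp.example"},
    {"user": "klee", "enabled": True, "forward_to": "klee@webmail.example"},
]
INTERNAL_DOMAINS = {"corp.example"}
TODAY = date(2007, 12, 17)


def is_external(address, internal_domains):
    """True when a forwarding target lies outside the company's mail domains."""
    if not address or "@" not in address:
        return False
    domain = address.rsplit("@", 1)[1].strip().lower()
    return not any(domain == d or domain.endswith("." + d) for d in internal_domains)


def audit(accounts, terminations, internal_domains, today):
    """Reconcile HR terminations against live accounts and forwarding rules."""
    findings = []
    for acct in accounts:
        left = terminations.get(acct["user"])
        terminated = left is not None and left <= today
        forward = acct.get("forward_to")
        issues = []
        if terminated and acct.get("enabled"):
            issues.append("account still enabled after termination")
        if terminated and forward:
            issues.append("autoforward still active after termination")
        if is_external(forward, internal_domains):
            issues.append("mail forwarded outside the company: " + forward)
        if issues:
            days = (today - left).days if terminated else 0
            findings.append({"user": acct["user"], "days_exposed": days, "issues": issues})
    # Longest-running exposure first.
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


if __name__ == "__main__":
    for finding in audit(ACCOUNTS, TERMINATIONS, INTERNAL_DOMAINS, TODAY):
        print(finding)
```

Run on a schedule, a report like this surfaces the departed user with an active forward, and also current employees forwarding mail outside the company, who deserve a review before they leave.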

Monday, December 17, 2007

University of Manitoba buries their mainframe

Funny YouTube video of the burial of the University of Manitoba's mainframe. I love the part where someone places a DASD spindle in front of the box - brings back old memories. That spindle probably represents a few megabytes at best.

Oh those heady days...

Google's identity problems

This will not be pretty.

I read an interesting blog post about Google "Profiles" this weekend. Here's the nut of the problem:

In the early days of Google Apps the only way to sign up was by linking to an existing Google Account, in the format of If you have one of those accounts, there is no way to tell Google that you are now This means that Google Apps think of your original @gmail and new, @domain identities as two different ones. You can directly access (via URL) your own Calendar, Docs, Groups ..etc. all under your own domain, however, programs that need to access those apps only find the other version, attached to your account. A simple example is trying to save an event from, Zvents, or any other services: there’s no way to use them with your own domain.

Even the Google Groups is messed up: when I am logged in as, Groups that I am a member of won’t recognize me. I actually have to have duplicate identities created in Google Groups: one to be able to send email (my own domain) and one to be able to access Group’s other features via the browser (@gmail format).

I'm not positive about this but I wonder if a federation-based solution using something like Microsoft's CardSpace on the front-end would help. That said, the bigger issue is the Google "namespace" on the back-end. I wonder if their directory supports aliasing? I think the ability for an end-user to have multiple aliases might solve the problem - user provisioned, of course. I'm sure Google isn't using Active Directory as their back-end server. Good thing because it doesn't support the concept of aliases. If Google wants to enable federation for their customers they have to solve this problem.

Of course, there is another alternative: Don't solve the problem. Hopefully, this option is not on the table.

Friday, December 14, 2007

European version of the Japanese "tube" hotel

A friend of mine pointed out the new "Yotel", which seems to be a slightly bigger version of the Japanese tube hotels. So if you are ever over in Gatwick, Heathrow or soon Schiphol (Amsterdam) you can try one out. I certainly will.

Everything you would expect from a luxury hotel in a small space. Located uniquely inside the airport terminal buildings at London Heathrow’s Terminal 4 and London Gatwick’s South Terminal. Just moments walk from check in, arrivals and minutes from the other terminals. YOTEL opens at Schiphol Airport, Amsterdam in early 2008.

Tuesday, December 11, 2007

No pooh-pooh anymore

Last year I commented that Dave Kearns pooh-poohed the Gartner Identity and Access Management conference. This year, Dave attended the show and revised his view in a positive way!

Quest Software attended again this year and signed up for next year. So we voted with our check book. It's a great conference!!

Monday, December 10, 2007

Speaking of authorization...

James McGovern asked in a recent post: "In the same way that Kim Cameron is running around Microsoft rallying for the need to rationalize identity, I wonder who his peer is for doing something similar with authorization?" I actually wonder, too. Is it (or should it be) my buddy Don Schmidt over at Microsoft? I don't know, but it is about time for an authorization czar over there.

While I was thinking about this I stumbled across a post and a video that shows how to create and add roles to Microsoft's Systems Center Operations Manager 2007. As I watched the video I was pleasantly surprised to see that they really did use Active Directory users to "fill" the roles that they demoed. A nice step forward but are they open to enhancing that capability?

What you have enabled in SCOM 2007 is the ability to define a static role and a static set of users who fit that role. Who is maintaining the role and the users? Well, the SCOM 2007 administrator is. Every time a new user needs to be added to a role or a new role is required that admin has to do the work. You've basically shuffled the work from the help desk or Active Directory administrator to the SCOM 2007 administrator - that's just a shell game with no real productivity gain.

I'd recommend that you virtualize the user side of this equation. Specifically, most users in Active Directory have a series of attributes attached to their object such as title, manager, office location, phone number, etc. A role should be definable as a set of attributes and required values, so that membership can be checked dynamically at the time of use to see whether a user is authorized for that function. An example might be that you'd like everyone who has the title "SQL Administrator" to be able to manage and operate the monitoring of the SQL servers. This is easier than every new SQL Administrator having to email you to be added to the role manually. And, when they get promoted to "Product Manager" they automagically get dropped from that role - again, without the need for an email to you, Mr. SCOM2007 Administrator.

This way you enable the directory to do the work for you. I call that improving efficiency - yours.
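Here is the idea as a small sketch: role membership is computed from a user's current directory attributes at the moment of the check instead of being stored as a list. This is an added example, not SCOM 2007 or Active Directory code; the directory entries, attribute names and role definitions are constructed assumptions.

```python
"""Attribute-driven role check evaluated at use time (constructed data)."""

# Constructed stand-in for directory entries; attribute names are assumptions.
DIRECTORY = {
    "alice": {"title": "SQL Administrator", "office": "Seattle", "enabled": True},
    "bob":   {"title": "Product Manager",   "office": "Seattle", "enabled": True},
    "carol": {"title": "sql administrator", "office": "Chicago", "enabled": False},
    "dave":  {"office": "Chicago", "enabled": True},  # no title attribute set
}

# A role is a set of attribute rules; every rule must match (logical AND).
ROLES = {
    "SQL Monitoring Operator": {"title": {"SQL Administrator"}},
    "Empty Role": {},  # misconfigured: no rules at all
}


def _norm(value):
    """Case-insensitive comparison key; None for missing or non-string values."""
    return value.strip().casefold() if isinstance(value, str) else None


def is_authorized(directory, roles, user_id, role_name):
    """Decide from the user's current attributes; deny on anything missing."""
    user = directory.get(user_id)
    rules = roles.get(role_name)
    if not user or not user.get("enabled") or not rules:
        return False  # unknown user, disabled account, or rule-less role
    for attr, accepted in rules.items():
        value = _norm(user.get(attr))
        if value is None or value not in {_norm(v) for v in accepted}:
            return False
    return True


def members(directory, roles, role_name):
    """Current role membership, computed rather than stored."""
    return sorted(u for u in directory if is_authorized(directory, roles, u, role_name))


def demo():
    """Membership before and after alice is promoted to Product Manager."""
    role = "SQL Monitoring Operator"
    before = members(DIRECTORY, ROLES, role)
    promoted = {**DIRECTORY, "alice": {**DIRECTORY["alice"], "title": "Product Manager"}}
    return before, members(promoted, ROLES, role)


if __name__ == "__main__":
    print(demo())
```

The check fails closed: a disabled account, a missing title, or a role with no rules never grants access, so a misconfigured role cannot silently match everyone.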

It bothers me that at Microsoft this stuff isn't leaking through faster into everyday design and architecture...

Saturday, December 08, 2007

New York City and Food Poisoning

As I mentioned previously I visited New York City last week to meet with customers and partners. I'll post about those meetings next week but thought I'd post about my first experience with food poisoning. Why? The ensuing dialog - after the fact - with some of our local sales execs:

Sales dude: "Let's go down to the cafe and get some pizza."

Jackson (in a stage whisper): "Yah, they'll give you food poisoning like they gave me. It's included in the price."

Sales dudes all board the down elevator with me: "What happened?"

Jackson: "I ordered a peppered turkey sandwich with mayo and spent the night feeling like I was going to die."

Sales dude: "You ordered an already prepared sandwich out of the case or you had them make one in front of you?"

Jackson: "One from the case."

Sales dudes (all laughing): "Of course you got food poisoning! You don't get an already prepared sandwich from a New York City deli, you get one freshly made in front of your eyes. Where are you from anyway?"

Jackson (sheepishly): "Seattle"

Sales dude: "Oh, from the country, eh? First trip to the City? Welcome to New York."

Sales dude (as elevator door opens) to other sales dudes: "So it's to the cafe then for their freshly made pizza. Jackson, you up for a slice?" (insert sales dudes laughter here)

Friday, December 07, 2007

Federation? Oh, you mean Star Trek!

Had to laugh at this one. I know that we all - including me - have the tendency to start breathing our own exhaust. This posting by Ping Identity brought back to mind a humorous comment that took place in a focus group market study I did on federation a few years back...

We asked the participants to write out a definition to a series of directory-related terms. We actually ran the focus groups in 3 cities (Chicago, New York and LA) and had 3 focus groups in each city (2 for enterprise-size companies and 1 for small/medium businesses). We filmed and taped the sessions which were professionally moderated. The participants did not know that Microsoft was "behind the glass".

When I presented the findings back in Redmond I did out-takes from the videos to highlight the unusual or interesting. The piece that drew the greatest laugh was when an attendee put up their hand to ask for clarification on what we meant by the term "federation". His question:

"Do you mean like Star Trek?"

Have we progressed much further than that in the last 3-4 years? I'm not sure. I think the average IT director/administrator/manager, CxO, and CISO probably would ask the same question today.

What do you think? Scotty, will we ever get this bucket to warp speed?

It's the Directory, Stupid

I've caught up on e-mail - now I'm catching up on my Google Reader and the 677 unread blog items in it. One of the first items I saw caught my eye immediately - "It's the Directory, Stupid", an e-Week article which I saw over at my friend Don Bowen's blog: Wizard of IdM.

Here's the gist of Jason Brooks' article:

Until Red Hat, Novell, or another party focuses around open-source directory services, Linux will be stuck playing catch-up with Windows 2000.

Well, how can I disagree with that? Especially since I was part of the Windows 2000 - and most specifically - the Active Directory launch team! However, it is a pretty sad commentary when basically you are saying that Active Directory is the thought leader. Yes, it is the market leader - absolutely and without a doubt. However, like any product Active Directory has its own set of warts that Microsoft hasn't cleaned up nor are they showing any particular leadership towards Active Directory V2. (Please! Don't get me started on schema modifications!!)

All that said, I'd recommend Jason - and others - take a look at what's going on over at Apache's Directory Project - I find it pretty intriguing. Lots of potential...

ApacheDS is an embeddable directory server entirely written in Java, which has been certified LDAPv3 compatible by the Open Group. Besides LDAP it supports Kerberos 5 and the Change Password Protocol. It has been designed to introduce triggers, stored procedures, queues and views to the world of LDAP which has lacked these rich constructs.

I love how they have bowed to incorporating two-factor authentication into the directory via their "Triple Sec" product along with an Eclipse-based directory studio. What better way to move to a services-oriented architecture than with a well thought out, Java-based directory service?

Are you a Quest employee visiting New York City?

Take my advice and do what I did - stay in our corporate apartment in Hoboken, NJ. I know, that was my first reaction: Hoboken? Why the heck would I want to stay there??!!
  • It has an amazing view of the Manhattan skyline both by day and, especially, at night.
  • It's on the Hudson River. Any more "on" and you'd be in it.
  • It's "free", 3 bedroom, kitchen, TV, wi-fi, phone, multiple bathrooms and a balcony overlooking the river and the skyline.
  • Grocery, liquor and drug store within a 2 minute walk.
  • It's a $7 ferry ride from the foot of the apartment to Pier79 in Manhattan (39th Ave) or to the World Trade Center ferry terminal. Easy subway or cab from there. Free bus service from the ferry, too.
  • Washington Street in Hoboken is a block away and it has lots of great restaurants and pizza places.
  • Frank Sinatra was born in Hoboken - if it was good enough for him...

Also, I was shocked when our corporate travel folks booked me in the Sheraton Suites in Weehawken, NJ at ~$450/night. Manhattan hotels were +++$650/night! Even on an expense account I cannot stomach paying this much for a hotel room.

Interested in checking it out? Shoot me an e-mail, I'll hook you up!

PassGo, Forrester, New York City & food poisoning

So much news and so little time to write but a deluge is coming...

- Quest to acquire PassGo

I am SUPER EXCITED about this acquisition!

- Forrester shows Quest Software as leader in their Active Directory Management Solutions wave

Nice proof point of the innovation and fine work that our product management team has been doing over the last few years.

- Lots of notes from my meetings in New York City including my bout with food poisoning (redacted version).

More shortly!

Saturday, December 01, 2007

Would you help me? My PC is...

I'm sure we've all heard this. Yesterday, I spent about 2.5 hours at a friend's house working on her PC problem. She's a semi-pro photographer and makes a decent living from taking pictures of the kids in the local schools and selling the shots to the parents.

The situation for her was that she had some kind of a trojan that kept telling her that her machine was infected, slow or hijacked and then it would bring up a web browser that pointed to a site to download some software to solve the problem. I'm sure there's no connection between the trojan and the site/software that is brought up in the browser. Some interesting reminders came out of the house call:

  1. People, if you don't have an AV (anti-virus) program installed you are nuts. Get with the program. There are two types of computer users: Those that have been affected by a virus/trojan/malware and those that are about to be.
  2. Are you doing backups? If not why not?
  3. Are you checking that your backups actually work? Try restoring a file sometime and see what happens.

Oh, and a rant for Norton's product: I told my friend to drive over to Circuit City, grab Norton, install it and she'd be okay. I was wrong. COME ON YOU GUYS! Don't sit there telling me that the "hijack" has been taken care of and then have it pop right back up again. Idiots.

Raves for Microsoft. I went to their web site where they offered me a virus scan. They found the problem and eliminated it - for FREE. Stick that in your pipe and smoke it Mr. Thompson (CEO, Symantec) - looks like Microsoft one-upped you in your own back yard.

December is announced with snow in Seattle

Technically, this is a picture taken in Bellevue, WA which is east of Seattle and closer to the mountains. However, it is very uncommon for us to get snow. That said, it was very nice to wake up to this scene.

I wonder if this winter we will see much more snow?