Thursday, August 28, 2008

August 29, 2008 - Links and Commentary


Wi-Fi Warfare
Interesting article about how crooks stole 40 million credit card numbers through unsecured access points! How many companies check for rogue wireless access points? Anyone can plug one in.
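One concrete check for the "anyone can plug one in" problem is to compare what your wireless scanner actually sees against an inventory of the access points you sanction. The following is an added example, not code from the original post or from the article it links: the BSSID inventory, the SSIDs and the scan records are all constructed for illustration, and the one-record-per-line `bssid,ssid,channel,security` format is an assumed simplification of real scanner output.

```python
"""Added example: flag rogue and impersonating wireless access points from a scan.

All BSSIDs, SSIDs and scan records below are constructed for illustration and
are not taken from the original post. The record format is an assumption.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    bssid: str      # AP MAC address, lower-cased
    ssid: str
    channel: int
    security: str   # "OPEN", "WPA2-PSK", "WPA2-EAP", ... (upper-cased)


# Assumed inventory of sanctioned APs (hypothetical BSSIDs): BSSID -> (SSID, security)
AUTHORIZED = {
    "00:11:22:33:44:01": ("CORP", "WPA2-EAP"),
    "00:11:22:33:44:02": ("CORP", "WPA2-EAP"),
    "00:11:22:33:44:03": ("CORP-GUEST", "OPEN"),
}

# Constructed sample scan, not a real capture. Columns: bssid,ssid,channel,security
SAMPLE_SCAN = """\
# constructed sample, not a real capture
00:11:22:33:44:01,CORP,1,WPA2-EAP
00:11:22:33:44:02,CORP,6,WPA2-PSK
00:11:22:33:44:03,CORP-GUEST,11,OPEN
de:ad:be:ef:00:01,CORP,6,WPA2-EAP
de:ad:be:ef:00:02,linksys,11,OPEN
de:ad:be:ef:00:03,NeighborNet,1,WPA2-PSK
"""


def parse_scan(text):
    """Parse the assumed one-record-per-line scan format; '#' lines are comments."""
    entries = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].lstrip().startswith("#"):
            continue
        bssid, ssid, channel, security = (field.strip() for field in row)
        entries.append(ScanEntry(bssid.lower(), ssid, int(channel), security.upper()))
    return entries


def classify(entry, authorized=AUTHORIZED):
    """Return a verdict for one scanned AP against the sanctioned inventory."""
    corp_ssids = {ssid for ssid, _ in authorized.values()}
    known = authorized.get(entry.bssid)
    if known is not None:
        ssid, security = known
        if entry.ssid == ssid and entry.security == security:
            return "authorized"
        # Sanctioned BSSID advertising the wrong SSID or security: config drift,
        # or someone cloning one of our BSSIDs.
        return "drift"
    if entry.ssid in corp_ssids:
        # Our SSID from a radio we do not own: evil twin / credential-harvesting AP.
        return "evil-twin"
    if entry.security == "OPEN":
        # Unsanctioned open AP: the "someone plugged one in" case.
        return "rogue-open"
    # Unknown but encrypted: could be a neighbour or a rogue; needs a wired-side check.
    return "unknown"


def audit(scan_text, authorized=AUTHORIZED):
    """Group scanned BSSIDs by verdict, preserving scan order within each group."""
    findings = {}
    for entry in parse_scan(scan_text):
        findings.setdefault(classify(entry, authorized), []).append(entry.bssid)
    return findings


if __name__ == "__main__":
    for verdict, bssids in sorted(audit(SAMPLE_SCAN).items()):
        print(f"{verdict:11} {', '.join(bssids)}")
```

Two caveats worth keeping in mind: a radio scan only sees access points within range of the scanning station, so the "unknown" bucket still needs to be reconciled against the MAC tables on your wired switches to tell a neighbour from an AP plugged into a spare wall port; and 802.1X on the wired ports stops that spare port from being usable in the first place, which is a better control than finding the AP after the fact.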

University of Washington - An IT School To Watch
The University of Washington here in Seattle made this ComputerWorld list. Not only that, but they are also the least expensive of the schools listed.

Looking for a change? Quest has IDM related job openings:
At our Lindon, Utah office, which primarily focuses on our Vintela products, authentication, authorization and Java.

At our Somerset, UK office, which primarily focuses on our security products.

Upcoming events I'm attending or speaking at:
Digital ID World 2008, US
I'll be attending this conference being held September 8-10 in Anaheim, CA. I hope to sit in on some great sessions and meet up with various identity management cognoscenti. Will you be there?

Digital ID World 2008, Europe

Quest is sponsoring this event in Hamburg from Oct 7-8. I'll be speaking so I do hope to see you there!

Burton Group Catalyst Conference Europe, Prague
It's been a few years since I've attended a Catalyst Europe event - I think my last one was the 2004 event in Monaco. This one is in Prague from Oct 20-23! Quest is also sponsoring this one.

Gartner Identity and Access Management Summit
This is a (the?) key identity management event. It's being held in Orlando, Florida from November 10-12, 2008. Mickey Mouse will be there, will you?


Privileged account mismanagement

I'm sure I've mentioned a few times how I think that privileged account management is a key aspect of identity management that most IDM vendors simply do not address in any way, shape or form. We have posted a white paper titled: Resolving the Privilege Management Paradox that discusses this problem so I invite you to take a look if you're unfamiliar with this area.

City officials lost administrative control of the network's routers and switches for more than a week after an IT worker allegedly reset passwords and refused to reveal them prior to and after his arrest on July 13.

If you would like to read about how the City of San Francisco is suffering through this right now, there are a number of articles you may want to peruse.
This is a classic identity management problem.


Wednesday, August 27, 2008

Red Hat's push into identity management - part deux

It's time to follow up on my previous post on this topic. Again, I'll make reference to Steve Coplan's (The 451 Group) impact report "Red Hat identity management push takes shape", which was published on 24 July 2008, and Steve's analysis of the Red Hat Enterprise IPA (Identity, Policy, Audit) product.

Steve makes this statement:
...it's useful to consider that AD is certainly the most pervasive directory and certainly there is no rational reason to try and displace it as the directory for Windows systems.

Obviously, you'll get no argument from me about that statement. However, what struck me is the reference to AD and Windows in a discussion of Red Hat's identity management push. I suddenly realized the complete and total vacuum that Red Hat and all of the other Linux (and Unix) operating systems have: a set of network and identity services that would provide similar benefits to Active Directory, Group Policy and Windows services like distributed system and security logs. Red Hat's IPA is the first step towards filling this vacuum, and Red Hat has the advantage of seeing the mistakes that have been made and appears to be building something by starting with identity-based building blocks. Steve draws all this out very nicely in his paper.

I asked the question in my last post: Is this a strategic move for Red Hat or a tactical effort - as Steve paraphrases it - at "AD (Active Directory) containment"?

Answer: I think it is very strategic for Red Hat. I think AD containment is secondary but would be a benefit if the strategy is successful. In order for Red Hat to be successful they need to enable the management of Red Hat machines, identities and services in a distributed, replicated fashion. IPA v2 is the first step towards that goal. If Red Hat builds a foundation based on identity, externalizes authorization, incorporates roles and provides a centralized audit and log capability they will certainly have a leg up on achieving their goal. In the Web 2.0, Identity 2.0, whatever 2.0 world we are heading into there is a big need for "a distributed architecture that enables a policy-driven, dynamic model of managing how users interact with systems and data". That's where Red Hat is heading and it is very strategic. Without this, Red Hat will never break away from its traditional workloads in any significant way nor will it be significantly distinguishable from any of the other Linux or Unix systems that are out there today.

P.S. My thanks to Steve and The 451 Group for allowing me to quote from their report.


Friday, August 22, 2008

Quest receives another SAP certification!


On Monday (8/18) we successfully passed our SAP certification test for our Vintela Single Signon for NetWeaver product. This was a significant milestone for us. In addition to being our second SAP certification - the other one was for Vintela Authentication Services - we now can offer our customers a complete, client-less SSO solution for their SAP environments no matter how they access their SAP systems: SAPGui (the traditional thick, desktop-based client) and NetWeaver (the thin, browser-based client).

In my first post on this topic I stated why having an SAP certification was so important:
It's important because if you are using a component that interoperates with SAP and it is not certified then SAP will not support you if you call in with a problem.

I can't tell you how many customers actually take this certification to heart. No certification = no sale. Now we can move forward with a packaged solution for any SAP customer that ties their Active Directory identity and credential to SAP regardless of how they access SAP.


Friday, August 15, 2008

Red Hat's push into identity management

I just finished reading Steve Coplan's (The 451 Group) impact report "Red Hat identity management push takes shape", which was published on 24 July 2008 (Quest is a client of The 451 Group). It was a really interesting read and here are some of my thoughts and commentary...

I think that Steve is the first analyst who I've seen state that "identity consolidation" is a market.

Centralization is essentially the first step toward applying a uniform set of controls on all users and establishing the foundation for defining and enforcing identity management policies in an automated fashion.

For obvious reasons (i.e., Vintela) I clearly agree with this statement and with Steve's (and the market's) drivers for this: compliance, compliance and compliance. The bulk of Steve's report talks about Red Hat's recent release of their IPA (Identity, Policy, Audit) software (you thought I meant beer, right?). The more interesting parts of the report to me are the fact that Red Hat is coming out in the identity consolidation/management market and that this release coincided with Red Hat's acquisition of Identyx and their Penrose product:

Penrose is an open source identity integration platform which enables you to have a single, consolidated view of, and easy access to, all available attributes of an identity, regardless of location.

Sounds like a virtual directory, eh? In v2 of IPA the plan is to incorporate roles, consolidation of audit (log) information and incorporate machine identities for resource-based policy definitions. This practically sounds like a 10,000 foot description of Active Directory, Group Policy and the benefits of domain membership except it is Red Hat's IPA, Fedora Directory Server, Identyx and magic pixie dust (Kerberos) which is going to make it all happen. Interesting. Kudos to Red Hat.

Is this a strategic move for Red Hat or a tactical effort - as Steve paraphrases it - at "AD (Active Directory) containment"? My answer to this question in my next post.

P.S. My thanks to Steve and The 451 Group for allowing me to quote from their report.


Wednesday, August 13, 2008

Kim doesn't like SSO?

My inbox continues to fill with people asking me about this - or, more accurately, saying that Kim doesn't like single sign-on and what do I think of that?

Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”

I don't want to put words in Kim's mouth but I'm guessing - let me say that again: I'm guessing - he's talking about externally focused personal, or Internet-based single sign-on -versus- internally focused enterprise single sign-on (e.g., Kerberos). There's certainly a difference in my mind from the perspective of disclosure of personal, private information.

In addition, many companies, Quest included, protect their internal networks via two-factor authentication, IPSec encryption, 802.1X, Group Policy enforcement of screen locks, etc., as a means to prevent unauthorized access to data (or sites) from workstations or snooping on-the-wire.

Do I see a day where an enterprise single sign-on (ESSO) product would support InfoCards? Absolutely. The lines continue to blur between what you do at home versus what you do at work, which machine(s) you use at work versus at home and as part of that blur third-party ESSO vendors are going to have to support what customers demand whether it be Kerberos, InfoCards, SAML or even pixie dust (should I ever get that to work)...


Friday, August 08, 2008

August 8, 2008 - Links and Commentary


Sara Gates ex-Sun IDM VP surfaces at Agiliance
She's their VP, Marketing. Maybe I never saw the announcement but I was wondering where she had disappeared to. She sort of vaporized over at Sun - must be a story there, eh?

Our Jumbled Web Personas

Interesting article on a new Web venture called Pageonce which addresses: "...the sad truth that our online personas have become so complicated that now we need some kind of Web-based personal organizer to provide a single and hopefully safe place to keep all our log-in data."

Upcoming events I'm attending or speaking at:


Digital ID World 2008, US
I'll be attending this conference being held September 8-10 in Anaheim, CA. I hope to sit in on some great sessions and meet up with various identity management cognoscenti. Will you be there?

Digital ID World 2008, Europe

Quest is sponsoring this event in Hamburg from Oct 7-8. I'll be speaking so I do hope to see you there!

Burton Group Catalyst Conference Europe, Prague
It's been a few years since I've attended a Catalyst Europe event - I think my last one was the 2004 event in Monaco. This one is in Prague from Oct 20-23! Quest is also sponsoring this one.


If all companies disclosed data breaches...

If all companies disclosed data breaches of any kind I wonder how many of these types of letters I'd get? Care to guess?

I noticed that Nishant over at Oracle blogged about this and he cited Slashdot's article on the same. I actually own a Clear card - and I registered at the San Francisco airport location...

(Emphasis below is Clear's - not mine, but I sure hope it is true!)

Dear Jackson Shaw,

We take the protection of your privacy extremely seriously at Clear. That's why we announced on Tuesday that a laptop from our office at the San Francisco Airport containing a small part of some applicants' pre-enrollment information (but not Social Security numbers or credit card information) recently went missing. None of your information was in any way implicated. However, we were prepared to send those applicants and members who were affected the appropriate notice on Tuesday detailing that situation.

Before we could send out that notice, the laptop was recovered. And, we have determined from a preliminary investigation that no one logged into the computer from the time it went missing in the office until the time it was found. Therefore, no unauthorized person has obtained any personal information.

Again, none of your personal information was on the computer in any form, but we nonetheless wanted to give you details of the incident that could have affected others applying for Clear memberships because the incident involves Clear's privacy and security practices and policies.

We are sorry that this theft of a computer containing a limited amount of applicant information occurred, and we apologize for the concern that the publicity surrounding our public announcement might have caused. But in an abundance of caution, both we and the Transportation Security Administration treated this unaccounted-for laptop as a serious potential breach. We have learned from this incident, and we have suspended enrollment processes temporarily until all pre-enrollment information is encrypted for further protection. The personal information on the enrollment system was protected by two separate passwords, but Clear is in the process of completing a software fix - and other security enhancements - to encrypt the data, which is what we should have done all along, just the way we encrypt all of the other data submitted by applicants. Clear now expects that the fix will be in place within days. Meantime, all airport Clear lane operations continue as normal.

As you may know, our Privacy Policy states that we will notify you of any compromise of your personal information regardless of whether any state statute requires it. This letter is a good example of our policy: no law requires that we notify you of this incident because our investigation of the recovered laptop revealed no breach and because in any event none of your own information was affected. But we think it's good practice to err on the side of good communication with all Clear members, especially when, in this case, we did make a mistake by not making sure that limited portion of information was encrypted.

Please call us toll-free with any questions at (866) 848-2415. Again, we apologize for the confusion.

Sincerely,

Steven Brill
Clear CEO

P.S. A reminder: One of Clear's unique privacy features is that all members and applicants are given an identity theft protection warranty which provides that, in the unlikely event you become a victim of identity theft as a result of any unauthorized dissemination of your private information by - or theft from - Clear or its subcontractors, we will reimburse you for any otherwise unreimbursable monetary costs directly resulting from the identity theft. In addition, Clear will, at its own expense, offer you assistance in restoring the integrity of your financial or other accounts. So had there been any actual compromise of your personal information, you would have been additionally protected.



Thursday, August 07, 2008

SSO Summit Commentary


Unfortunately, the gods of travel did not smile on me as I traveled to this conference, so I arrived at the SSO Summit quite late. Throw in "altitude sickness" - Keystone is at 12,500 feet above sea level and I normally live at sea level - and my Day 1 was a wipeout. The end result was that I was there only for the Day 2 talks, but they started off with a bang:

Gunnar Peterson gave a great talk on Security Architecture. Not only did he really give some great visualizations to help state the problems and solutions that he envisioned but he also had a lot of great quotes like:
  • Identity Super Soaker: Spray accounts everywhere, provision accounts across the enterprise (As one method of enabling better audit but it isn't the real answer to the problem.)
  • Information Security people do not know that their careers are an oxymoron (As in information security is an oxymoron.)
You should check Gunnar's presentation out! In fact, all presentations have been posted by Ping - enjoy!

All of the presentations on Day 2 were awesome and I must say I especially liked the customer presentations and the fact there were a lot of customers presenting. To me, this makes it all worthwhile. I am going to single out Bob Brandt's (3M) presentation and highlight some of the interesting points I gleaned from his talk:

  • 95% of their end users manage a single password that exists in a single location (Active Directory) that works with 200+ internal web applications that include J2EE, ERP, CRM, Portals, Wikis and 3rd party apps. They've been so successful that their employees simply expect SSO now! Isn't this awesome?!
  • They specify SAML capabilities in their RFIs. They have 5 production SAML integrations.
  • They've never purchased an IDM suite or framework but have chosen best-of-breed solutions instead.
During the panel that Dave Kearns hosted, a question came up regarding how these guys handle failover and high availability with respect to their ESSO implementations. I loved this answer, which they all agreed with:

We use Active Directory to store our ESSO credentials and if we can't keep AD up I am not worried about SSO!

I also wanted to point out that it was great to meet up with some old colleagues and friends so shout-outs to:

Marc Boroditsky, CEO PassLogix
Barry Crist, CEO Likewise
Gerry Gebel, The Burton Group
Dave Kearns, Network World
Bob Brandt, 3M - Bob, thanks for the compliment during your keynote - it means a lot to me!
Omar Hussain, CEO Imprivata
Mike Neuenschwander, Mycroft (formerly of The Burton Group)

There's been some great coverage of the conference, so I'd certainly invite you to check out Dave Kearns', Andre Durand's, and Christopher Paidhrin's commentary on the conference.

p.s. I'll be back next year!


Tuesday, August 05, 2008

Planning in Park City


Just got back home from planning meetings we held up in Park City, Utah. As part of the meetings we had Gerry Gebel - Vice President and service director for Burton Group Identity and Privacy Strategies - come in and meet with our team. We had a great time talking about the identity management market, what challenges customers are having and how those challenges have been changing. It was great having Gerry join us to give us his views - thanks, Gerry!

We also had a team event out at the Olympic facility. It was awesome to watch the Australian Olympic Ski Team honing their skills. What was even better was seeing all the young kids who were at ski camps - really amazing. Click on the image below if you'd like to see a slideshow of the pictures I took.



Sunday, August 03, 2008

Where it all began...


I happened to be visiting customers in Toronto a few weeks back and on my way to the airport from downtown I was going to pass right by the old offices of Zoomit, so I swung in and grabbed a picture. Not much has changed, although the building looks better than when we were there.

Ah, the memories...

Zoomit Corporation
Suite 200, 20 Maud Street
Toronto, ON
M5V 2M5
Canada