Thursday, January 31, 2008
Kerberos is hound
Active Directory makes
Logon gets better
Yah, sorry, kind of lame but it conforms (3 lines, 1st and 3rd lines have 5 syllables, second line has 7) and it is all about conforming to the standard...
Wednesday, January 30, 2008
Federation is about trust
A conversation today set me thinking (yet again) about why things are not getting better. Once again, I must ask why the identity management situation does not seem to be improving much. In particular, surprisingly little seems to be happening in federated identity. Not because the standards needed to do it don't exist, or exist but don't work, but because they don't overcome the trust barrier. Why should a company trust another company's credentials? Or, at least, why should a company trust another company's credentials unless they both belong to a "gang"?
Don't get me wrong, I do want federation to be super, wildly successful but in the software business what's worse than taking a dependency on someone else's product? Trusting them to deliver on time.
Federation is very similar but as David Birch intimates, the trust just ain't there.
p.s. If I read a single "2008 is the year of federation" prediction I'll be happy to act as that person's kaishakunin on New Year's Day 2009.
identity management, federation
Tuesday, January 29, 2008
On January 24th, Sun threw down the gauntlet by releasing this video. I guess our new Auto-Connect™ feature got their attention. Yea, Auto-Connect IS good marketing, but it's also real, you can download it and see for yourself.
Now, to be honest, we didn't really know we were in an epic battle with Sun (we need to see them in competitive deals for this to be true), but we can't very well be the leader without a challenger, and we won't be challenged without a response.
So, in the spirit of having a bit of fun with Sun and ourselves, we prepared our response.
identity management, federation, PING, Sun
Monday, January 28, 2008
The news broke on Thursday afternoon. So what does this $7.2B fraud have to do with passwords? Well, it appears, a lot. Here’s what was reported in the Wall Street Journal:
“…Mr. Kerviel (the fraudster) used the computer log-in and passwords of colleagues both in the trading unit and the technology section” to help cover his tracks.
I translate this to mean the following:
- SocGen did not have password or security policies that enforced frequent changes or other related safeguards (password length, reuse, etc.)
- SocGen did not use two-factor authentication; otherwise Kerviel would not have been able to use a colleague's log-in and password
- SocGen did not audit their logons effectively
- SocGen did not audit logons against building access (i.e., logged on inside the building but already keyed out of the building)
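The last two points are the kind of audit that can actually be automated: join the logon records against the badge system and look for accounts that are active while their owner has keyed out, or that are on two consoles at once. The script below is an added example (not from the original post, and not Société Générale's or anyone's real data); the badge and logon records are constructed inline, and the column layout, account names and workstation names are assumptions.

```python
"""Correlate Windows logon records with building badge records.

Added example with constructed data. Flags (a) interactive logons by
accounts whose owner has badged out of the building and not badged back
in, and (b) accounts holding console sessions on two workstations within
a short window, both of which the post's audit points would have caught.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed badge records: (timestamp, user, direction)
BADGE_EVENTS = [
    ("2008-01-18 08:02", "trader1", "in"),
    ("2008-01-18 08:10", "colleague1", "in"),
    ("2008-01-18 17:45", "colleague1", "out"),   # colleague leaves for the day
    ("2008-01-18 21:30", "trader1", "out"),
]

# Constructed Windows logon records: (timestamp, user, workstation, logon type)
# Logon type 2 is an interactive console logon in the Windows security log.
LOGON_EVENTS = [
    ("2008-01-18 08:05", "trader1", "TRD-WS-12", 2),
    ("2008-01-18 08:12", "colleague1", "TRD-WS-07", 2),
    ("2008-01-18 19:20", "colleague1", "TRD-WS-07", 2),   # owner already badged out
    ("2008-01-18 19:25", "colleague1", "TECH-WS-03", 2),  # second console, same account
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def presence_at(badge_events, user, when):
    """True if the user's most recent badge event at or before `when` was an 'in'."""
    state = None
    for ts, who, direction in sorted(badge_events, key=lambda e: parse(e[0])):
        if who == user and parse(ts) <= when:
            state = direction
    return state == "in"


def logons_while_badged_out(logon_events, badge_events):
    """Console logons for accounts whose owner is not in the building."""
    findings = []
    for ts, user, host, ltype in logon_events:
        if ltype == 2 and not presence_at(badge_events, user, parse(ts)):
            findings.append((user, host, ts))
    return findings


def concurrent_console_logons(logon_events, window=timedelta(hours=1)):
    """One account with console logons on two different hosts within `window`."""
    by_user = defaultdict(list)
    for ts, user, host, ltype in logon_events:
        if ltype == 2:
            by_user[user].append((parse(ts), host))
    findings = []
    for user, sessions in by_user.items():
        sessions.sort()
        for (t1, h1), (t2, h2) in zip(sessions, sessions[1:]):
            if h1 != h2 and t2 - t1 <= window:
                findings.append((user, h1, h2))
    return findings


if __name__ == "__main__":
    for f in logons_while_badged_out(LOGON_EVENTS, BADGE_EVENTS):
        print("logon while badged out:", f)
    for f in concurrent_console_logons(LOGON_EVENTS):
        print("concurrent console sessions:", f)
```

On real data the badge feed and the security log come from different systems with different clocks, so allow for clock skew and for badge readers that miss an "out" (tailgating); the check is a prompt for an analyst, not proof of misuse on its own.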
The next time you talk about ROI to a potential customer also ask them about the cost of doing nothing. Might they be the next Société Générale?
identity management, passwords
Tuesday, January 22, 2008
Schema changes can actually be reversed; after all, AD is based on LDAP. However, Microsoft prevents schema changes from being reversed.
Yes, how true and how silly. There are some architectural decisions that were made by some (now) Microsoft millionaires that never made sense to me. This is one of the biggies.
I've seen so many customers out there run into schema problems. Worse, you still find many customers out there that are simply afraid to extend their schema. Either way, test your schema, read Microsoft's guidance on the topic and consider a product like "Recovery Manager for Active Directory Forest Edition" which can protect you from that potential career-limiting mistake.
...one of our clients recently ran into a problem attempting to test the OCS schema update (yes, notice I used the word test). While performing the test, in a lab environment, the update failed with a conflicting LinkID error. After researching the issue, we found that another previous schema update (from a well known software vendor whose name I shall not mention) used a LinkID that was reserved for Microsoft (or maybe it was the other way around, we are still looking into this). In other words, I would even scrutinize schema updates that come from well known sources, this includes Microsoft.
Definitely a best practice - test your schema update even if it is from Microsoft before updating your production forest.
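One cheap pre-flight check before you even touch the lab forest is to compare the linkID values in the proposed update against an LDIF export of the schema you already have, which is exactly the collision described above. The script below is an added example, not from the original post and not Quest's or Microsoft's tooling; both LDIF fragments are constructed (the member/memberOf linkIDs 2 and 3 are the real ones, the vendor and example attributes and their linkIDs are made up), and the pairing rule it checks is the documented one: forward links carry an even linkID and the matching back link is forward + 1.

```python
"""Pre-flight check for an AD schema extension: flag linkID collisions.

Added example with constructed LDIF. Parses the current forest schema export
and the proposed update, then reports any linkID in the update that is
already taken, declared twice, or is an odd (back link) value with no
forward link to pair with.
"""

# Constructed export of the existing schema (simplified; real exports carry many more attributes).
EXISTING_SCHEMA = """\
dn: CN=Member,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: member
linkID: 2

dn: CN=Is-Member-Of-DL,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: memberOf
linkID: 3

dn: CN=vendor-Assigned-Group,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: vendorAssignedGroup
linkID: 11000
"""

# Constructed update: one attribute reuses linkID 11000, one is an orphan back link.
UPDATE_LDIF = """\
dn: CN=example-Owner,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: exampleOwner
linkID: 11000

dn: CN=example-Owner-BL,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: exampleOwnerBL
linkID: 11001

dn: CN=example-Orphan-BL,CN=Schema,CN=Configuration,DC=lab,DC=local
objectClass: attributeSchema
lDAPDisplayName: exampleOrphanBL
linkID: 11005
"""


def parse_ldif(text):
    """Return a list of {attr: [values]} dicts, one per LDIF entry.
    Handles comment lines and folded continuation lines; base64 (::) values are kept undecoded."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:    # folded continuation of previous value
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):                # "attr:: base64" form
            value = value[1:]
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def link_ids(entries):
    """Map linkID -> list of DNs of the attributeSchema objects that declare it."""
    ids = {}
    for e in entries:
        for v in e.get("linkid", []):
            ids.setdefault(int(v), []).append(e["dn"][0])
    return ids


def find_link_id_conflicts(existing_ldif, update_ldif):
    """List (linkID, reason) pairs that should stop the update before it reaches a forest."""
    existing = link_ids(parse_ldif(existing_ldif))
    proposed = link_ids(parse_ldif(update_ldif))
    conflicts = []
    for lid, dns in proposed.items():
        if lid in existing:
            conflicts.append((lid, "already used by " + existing[lid][0]))
        if len(dns) > 1:
            conflicts.append((lid, "declared twice in update"))
        # Back links are odd and must pair with the even forward link just below them.
        if lid % 2 == 1 and (lid - 1) not in proposed and (lid - 1) not in existing:
            conflicts.append((lid, "back link without forward link"))
    return conflicts


if __name__ == "__main__":
    for lid, reason in find_link_id_conflicts(EXISTING_SCHEMA, UPDATE_LDIF):
        print(f"linkID {lid}: {reason}")
```

Run it against a full `ldifde` export of the Schema partition rather than a hand-picked subset, since the collision the post describes came from a third-party extension nobody remembered was there; a clean report is a reason to proceed to the lab forest, not a reason to skip it.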
Microsoft, Active Directory, Quest Software
Tuesday, January 15, 2008
- Rob Short, corporate vice president on the Windows Core Technology team
- Bruce Jaffe, the company's acquisitions chief
- Charles Fitzgerald, general manager of platform strategy
- Jeff Raikes, president of the Microsoft Business Division
There has certainly been a groundswell at Microsoft to bring in new, fresh, young talent. That's been going on for some time now in the lower-mid level ranks. With BillG going I wonder if this is now starting at the top. I worked a bit with Rob and Charles while I was at MS - both very sharp and talented guys.
Well, sometimes change is good!
Monday, January 07, 2008
Defender 5 deploys strong two-factor authentication controlled within Windows Active Directory to ensure that only authenticated users have access to protected resources. Defender 5 also boasts administration for multiple token types, including hardware, software and mobile SMS.
Quest Software, PassGo, Defender, Active Directory, identity management
Sunday, January 06, 2008
Friday, January 04, 2008
Public key encryption: This one will trickle in on the back of federal government initiatives, PKI-ready applications, and PKI-friendly Windows 2008. To ease PKI complexity, look for service provider offerings as well from firms like Chosen Security, RSA Security, and Verisign.
I'm not sure where he gets the idea that WS2008 is any more PKI friendly than previous versions. If you really want to do anything significant/enterprise-ready you'll need to purchase "Identity Lifecycle Manager" which includes "Certificate Lifecycle Manager" the former Alacris product. Why this simply isn't included in the OS or isn't free escapes me.
Federated identity: This, too, rides the Windows 2008 wave but I'm also hearing about service providers and large financial service vendors that have built "ready to federate" Web-based applications for their partners. Like PKI, federated identity has been overpromised in the past so don't expect it to garner major headlines. Nevertheless, federated identity will experience good growth under the radar all year. Aside from Microsoft, expect IBM, Oracle, and Sun to benefit as well.
Again, I am not sure how WS2008 makes federation any easier. I talked with a customer yesterday who made the strategic decision to go the Active Directory Federation Service (ADFS) route for federation and has since abandoned the project. Why? Too difficult to configure and maintain. As far as I know, this problem has not been solved in WS2008.
Personally, I want to see both PKI and federation take off, but there are still technical issues, let alone the usual 8th-layer-of-the-stack problems (politics, lawyers, etc.).
Active Directory Federation Services, federation, PKI, Microsoft, Active Directory
Thursday, January 03, 2008
Wednesday, January 02, 2008
Quest is going to make a significant investment in sales and marketing around these products so get ready, strap in and prepare for lift-off.
I'll see many of you next week when I am over in the UK!
Happy New Year everyone!!
Quest Software, identity management, PassGo