Thursday, January 31, 2008

My first haiku

My first haiku...

Kerberos is hound
Active Directory makes
Logon gets better

Yah, sorry, kind of lame but it conforms (3 lines, 1st and 3rd lines have 5 syllables, second line has 7) and it is all about conforming to the standard...

Wednesday, January 30, 2008

Federation - it's not getting better

I like this post...
Federation is about trust

A conversation today set me thinking (yet again) about why things are not getting better. Once again, I must ask why is it that the identity management situation does not seem to be improving much? In particular, surprisingly little seems to be happening in federated identity. Not because the standards needed to do it don't exist, or exist but don't work, but because they don't overcome the trust barrier. Why should a company trust another company's credentials? Or, at least, why should a company trust another company's credentials unless they both belong to a "gang"?

Don't get me wrong, I do want federation to be super, wildly successful but in the software business what's worse than taking a dependency on someone else's product? Trusting them to deliver on time.

Federation is very similar but, as David Birch intimates, the trust just ain't there.

p.s. If I read a single "2008 is the year of federation" prediction I'll be happy to act as that person's kaishakunin on New Year's Day 2009.

Tuesday, January 29, 2008

The SUN does not shine as bright as it used to!

Check this out - freakin' hilarious! From the PingID blog:

On January 24th, Sun threw down the gauntlet by releasing this video. I guess our new Auto-Connect™ feature got their attention. Yea, Auto-Connect IS good marketing, but it's also real, you can download it and see for yourself.

Now, to be honest, we didn't really know we were in an epic battle with Sun (we need to see them in competitive deals for this to be true), but we can't very well be the leader without a challenger, and we won't be challenged without a response.

So, in the spirit of having a bit of fun with Sun and ourselves, we prepared our response.

Monday, January 28, 2008

A $7.2B password mistake?

In case you haven’t heard, Société Générale was the target of a fraud perpetrated by an employee. That fraud, so far, has amounted to $7.2B – yes, that’s a “b” for billion. You can read up about it here, here, and the European Central Bank’s call for additional controls here.

The news broke on Thursday afternoon. So what does this $7.2B fraud have to do with passwords? Well, it appears, a lot. Here’s what was reported in the Wall Street Journal:

“…Mr. Kerviel (the fraudster) used the computer log-in and passwords of colleagues both in the trading unit and the technology section” to help cover his tracks.

I translate this to mean the following:

  • SocGen did not have a password or security policies that enforced frequent changes or other related safeguards (password length, reuse, etc.)

  • SocGen did not use two-factor authentication; otherwise Kerviel would not have been able to use a colleague's log-in and password

  • SocGen did not audit their logons effectively

  • SocGen did not audit logons against building access (i.e., logged on inside the building but already keyed out of the building)
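The last two points are detections, not just policies. As an added illustration (not from the original post, and not SocGen's actual controls), this script correlates a constructed day of badge-reader events with workstation logons: it flags logons for accounts whose owner is badged out or never badged in, and it flags one account appearing on two workstations within a short window, which is what shared passwords tend to look like in the logs. All users, hosts and times are made up.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the page): one day of badge-reader events
# and interactive workstation logons for a single office.
BADGE_EVENTS = [
    ("alice", "2008-01-24T08:55", "in"),
    ("alice", "2008-01-24T12:10", "out"),
    ("bob", "2008-01-24T09:02", "in"),
]
LOGON_EVENTS = [
    ("alice", "2008-01-24T09:10", "WS-101"),  # normal: badged in
    ("alice", "2008-01-24T13:30", "WS-245"),  # suspicious: badged out at 12:10
    ("bob", "2008-01-24T09:20", "WS-102"),    # normal
    ("bob", "2008-01-24T09:35", "WS-410"),    # suspicious: second workstation in 15 min
    ("carol", "2008-01-24T10:00", "WS-300"),  # suspicious: never badged in
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def badge_state_at(user, when, badge_events):
    """Most recent badge direction ('in'/'out') for `user` at or before `when`, else None."""
    state, latest = None, None
    for u, t, direction in badge_events:
        t = _ts(t)
        if u == user and t <= when and (latest is None or t > latest):
            state, latest = direction, t
    return state

def logons_without_presence(logon_events, badge_events):
    """Flag logons where the account owner is not physically badged into the building."""
    findings = []
    for user, t, host in logon_events:
        state = badge_state_at(user, _ts(t), badge_events)
        if state != "in":
            reason = "badged out" if state == "out" else "no badge-in on record"
            findings.append((user, host, t, reason))
    return findings

def concurrent_hosts(logon_events, window=timedelta(minutes=30)):
    """Flag one account appearing on two different workstations within `window`."""
    events = sorted(((u, _ts(t), h) for u, t, h in logon_events), key=lambda e: e[:2])
    findings = []
    for (u1, t1, h1), (u2, t2, h2) in zip(events, events[1:]):
        if u1 == u2 and h1 != h2 and t2 - t1 <= window:
            findings.append((u1, h1, h2, t2.strftime("%H:%M")))
    return findings
```

Run `logons_without_presence(LOGON_EVENTS, BADGE_EVENTS)` and `concurrent_hosts(LOGON_EVENTS)` against the constructed events; in a real deployment the same joins would run over the badge system's export and the domain controllers' logon audit records.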

The next time you talk about ROI to a potential customer also ask them about the cost of doing nothing. Might they be the next Société Générale?

Tuesday, January 22, 2008

On Active Directory's Schema

I read an interesting comment today by Tyson Kopczynski over at Network World. A couple of highlights and my opinions:

Schema changes can actually be reversed, after all AD is based on LDAP. However, Microsoft prevents schema changes from being reversed.

Yes, how true and how silly. There are some architectural decisions that were made by some (now) Microsoft millionaires that never made sense to me. This is one of the biggies.

One of our clients recently ran into a problem attempting to test the OCS schema update (yes, notice I used the word test). While performing the test, in a lab environment, the update failed with a conflicting LinkID error. After researching the issue, we found that another previous schema update (from a well known software vendor whose name I shall not mention) used a LinkID that was reserved for Microsoft (or maybe it was the other way around, we are still looking into this). In other words, I would even scrutinize schema updates that come from well known sources, this includes Microsoft.

Definitely a best practice - test your schema update even if it is from Microsoft before updating your production forest.

I've seen so many customers out there run into schema problems. Worse, you still find many customers out there that are just simply afraid to extend their schema. Either way, test your schema, read Microsoft's guidance on the topic and consider a product like "Recovery Manager for Active Directory Forest Edition" which can protect you from that potential career-limiting mistake.

Tuesday, January 15, 2008

EXIT light is well lit at Microsoft!

Wow, lots of executive departures at Microsoft. Pretty soon I'll know no one:
  • Rob Short, corporate vice president on the Windows Core Technology team
  • Bruce Jaffe, the company's acquisitions chief
  • Charles Fitzgerald, general manager of platform strategy
  • Jeff Raikes, president of the Microsoft Business Division

There has certainly been a groundswell at Microsoft to bring in new, fresh, young talent. That's been going on for some time now in the lower-mid level ranks. With BillG going I wonder if this is now starting at the top. I worked a bit with Rob and Charles while I was at MS - both very sharp and talented guys.

Well, sometimes change is good!

The Wizard of IdM - Don Bowen

My old friend and one of the original Zoomit VIA customers while he was at Caterpillar is Don Bowen. Don owns "The Wizard of IdM" blog and has been a regular blogger except for recently.

I found out today that he just came out of a successful surgery to remove a benign brain tumor. What good news. Speedy recovery, Don!

Monday, January 07, 2008

PassGo Defender gets SC Magazine Best Buy!

SC Magazine just published a great review of the PassGo Defender two-factor authentication product and awarded it "best buy". PassGo was compared to a bunch of different products including: ActivIdentity, Aladdin, Encentuate, Vasco, TriCipher and a few others.

Defender 5 deploys strong two-factor authentication controlled within Windows Active Directory to ensure that only authenticated users have access to protected resources. The Defender 5 also boasts administration for multiple token types, including hardware, software and Mobile SMS.

Congrats, guys!

Sunday, January 06, 2008


I'm over in the UK visiting the folks from PassGo. I arrived yesterday and a few of us took a run out to Stonehenge. Check my pics out - pretty darn cool.

Friday, January 04, 2008

2008 Security Trends

I read Jon Oltsik's article on this topic over at CNet. In a couple of places he is attributing some of the trends to Windows (Server) 2008. For example:

Public key encryption: This one will trickle in on the back of federal government initiatives, PKI-ready applications, and PKI-friendly Windows 2008. To ease PKI complexity, look for service provider offerings as well from firms like Chosen Security, RSA Security, and Verisign.

I'm not sure where he gets the idea that WS2008 is any more PKI friendly than previous versions. If you really want to do anything significant/enterprise-ready you'll need to purchase "Identity Lifecycle Manager" which includes "Certificate Lifecycle Manager" the former Alacris product. Why this simply isn't included in the OS or isn't free escapes me.

Federated identity: This, too, rides the Windows 2008 wave but I'm also hearing about service providers and large financial service vendors that have built "ready to federate" Web-based applications for their partners. Like PKI, federated identity has been overpromised in the past so don't expect it to garner major headlines. Nevertheless, federated identity will experience good growth under the radar all year. Aside from Microsoft, expect IBM, Oracle, and Sun to benefit as well.

Again, I am not sure how WS2008 makes federation any easier. I talked with a customer yesterday who made the strategic decision to go the Active Directory Federation Service (ADFS) route for federation and has since abandoned the project. Why? Too difficult to configure and maintain. As far as I know, this problem has not been solved in WS2008.

Personally, I want to see both PKI and Federation take off but there are still technical issues let alone the usual 8th-layer of the stack problems (politics, lawyers, etc.).

Thursday, January 03, 2008

Not the way I'd want to start 2008

Our backyard neighbor's house caught fire last night. Certainly not the way I'd want to start 2008 off. Our local TV station published the pictures ("Bellevue House Engulfed In Flames") I took after I got over the shock of seeing a 50-foot column of fire shooting from the back of their house. (You can also see the pictures on my Picasa site.)

This is the second house in our area that has caught fire over the last few years. Interestingly enough both occurred during the Christmas/New Year time frame...

Wednesday, January 02, 2008

Welcome PassGo!

We closed the acquisition of PassGo today and I'd personally like to welcome the team to Quest Software! I'm really looking forward to 2008 and the addition of Unix Privilege Manager, SafeKeeping, Defender and all the other PassGo products to the fold.

Quest is going to make a significant investment in sales and marketing around these products so get ready, strap in and prepare for lift-off.

I'll see many of you next week when I am over in the UK!

Happy New Year everyone!!
