Thursday, October 30, 2008

Microsoft's Geneva

I mentioned in my previous post about The Experts Conference that the most interesting sessions will be about identity as a service, identity in the cloud and software as a service. It's pretty clear from what's been going on down at the PDC that identity is being featured pretty darn heavily.

Let me draw your attention to Burton Group's Gerry Gebel and his post on this topic: Microsoft and the SAML protocol come together in Geneva which sums things up pretty well. Microsoft's support for SAML 2.0 is key and, in some ways, earth shattering. My hat is off to Kim because I am positive he helped drive Microsoft to this conclusion. I've always believed that interoperability is the first step to migration. You may never migrate, or you may take a long time before you migrate, but having interop gives you doors to go through that were previously locked.

Gerry asks the following:
The next step we’re waiting to hear about is entitlement management and policy enforcement. Today, that is still handled by the developer within the business application. Will Microsoft also externalize that function a la entitlement management tools?

I sure hope so. Oh, and if (when) they do, we will move from earth shattering to galaxy shattering. Whether you will use Microsoft Geneva or use the entitlement management tools they might (or might not) be building doesn't matter. What I do know is that when Microsoft enters a market they tend to put tremendous downward pressure on pricing. I don't know about you but I certainly don't want to pay hundreds of thousands of dollars for entitlement management tools or federated interoperability products. I absolutely want to see Microsoft jump into these pools! If you, Mr. Customer, are looking at any of these solutions you will also want to see Microsoft jump into these pools.


Wednesday, October 29, 2008

Simplify identity management for compliance and security

Interesting tidbit in CIO Magazine -
One of the common requirements of regulatory compliance is to reduce complexities and redundancies in the network so data can be better tracked and protected. A side benefit is that fewer complexities mean fewer opportunities for a security failure, especially in an organization where staffing and tech savvy are in short supply.

Simplify, integrate and consolidate - then manage.


Tuesday, October 28, 2008

Shouldn't Single Sign-on be Child's Play?

I'm co-presenting this webcast next week - on election day - with Kevin Remde from Microsoft. Please join us - after you vote, of course!

ABSTRACT: Authentication technologies such as Single Sign-On (SSO) can help security personnel face the challenges of managing and securing user identities and passwords while also providing control across multiple applications and platforms.

Check out this webcast and learn about:

  • Different SSO options that are currently available and tips for choosing the best tool for your company
  • Enterprise SSO benefits and when synchronization is most appropriate
  • When directory consolidation and integration with Active Directory are the best choices
See you next week and what an exciting week it will be!


Friday, October 24, 2008

The Experts Conference - early bird registration

TEC 2009 early bird registration expires in just eight days – and this is the lowest price you will pay for TEC this year. You can visit the web site - - for details on the themes, speakers, topics, and workshops featured in the TEC 2009 line up. Here are my favorite sessions that are currently on the agenda:

  • Welcome & Keynote by Microsoft: Stuart Kwan, Group Program Manager, Federated Identity and Security; Alex Weinert, Group Program Manager, ILM; Group Program Manager, Directory Services. Obviously, this session will provide the latest and greatest view into Microsoft's IAM strategy.

  • Federation Gateways - The Key to Supporting Platform-Specific Applications in Heterogeneous Environments: Nick Nikols, Novell. Lots of talk about cloud computing, software and identity as services so I'll be interested in Nick's view on this hot topic.

  • Implementing an Identity-Based Solution using Microsoft's Cloud Based Infrastructure: Danny Kim, Full Armor. Identity as a Service - enough said!

  • Notes from the Field: Deploying Secure SSO to the Internet and Back: Dave Jones, Cisco. I'm interested in this to see if there's a tie-in between what Dave is going to talk about and Cisco's Securent acquisition.

Those are my top picks for TEC 2009 and there are many more awesome sessions. Check them out and take advantage of the early bird registration.


Wednesday, October 15, 2008

NetPro integration roadmap announced

If you are interested in what the integration roadmap between NetPro and Quest is, you can find it right here. In summary:

Decisions on the product roadmap were made in the following key areas:

  • Active Directory: Quest will move forward with several NetPro products, providing superior auditing and reporting, efficiency, and availability.
  • Identity Management: Quest will expand its leadership position by continuing to develop key NetPro products for identity management and compliance.
  • Compliance: Quest will enhance its robust portfolio with key NetPro products to provide better visibility, auditing and alerting, and change prevention.
  • Exchange Server: Quest will integrate the best features from NetPro’s Exchange Server products and technologies into the existing Quest product line.
  • SharePoint: NetPro’s early SharePoint development efforts will be integrated into the development of upcoming Quest products that support SharePoint.

Product support for discontinued products will continue through the end of 2009. In cases where Quest has made the decision to end the sales and development of a product, customers on current maintenance contracts will receive the go-forward product at no additional license cost.


Monday, October 13, 2008

Does the TSA need an IDM system?

I'm over in Amsterdam meeting with customers and the story on the front page of USA Today caught my eye: "Report slams TSA failure to track security passes". In reading the story it was quite apparent that the TSA has an identity management problem. What are the interesting facts?
Investigators found numerous cases in which former employees retained their passes long after they had left the agency.

I wonder if this means that they just never returned the passes and they were inactive or if the passes they had would still work? I wonder if the connection has been made between the physical access system and the IDM system? (Does an IDM system even exist?)

In 73 cases, officers left TSA jobs, but offices that monitor airport security passes were not properly notified.

Obviously, no workflow or notification exists between the systems. Or maybe one does exist and it simply isn't being responded to in a timely fashion. Sometimes automation can only take you so far. (I've even seen cases where the workflow was being sent to an unmonitored or disabled mailbox.)

One security officer had an active pass to the airport's secure areas for 827 days after leaving the agency.

Ouch, more than two years? Proof positive that there either isn't an IDM system in place or that the TSA's implementation of an IDM system did not connect the physical and logical access systems together.

I was asked during a presentation last week how you justify an IDM implementation based on security. There's an answer above!
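The gap described above is detectable if someone actually compares the two systems. As an added example (not from the post, the TSA or any Quest product), this Python reconciliation joins a constructed HR termination feed against a constructed badge-system export and reports every pass still active after its holder left, plus passes whose holder HR has never heard of; the sample termination date is chosen so the report reproduces the 827-day gap from the story.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR feed: employee id -> termination date (None = still employed).
HR_FEED = {
    "E1001": None,
    "E1002": date(2006, 7, 9),    # 827 days before AS_OF, mirroring the story
    "E1003": date(2008, 9, 15),
    "E1004": date(2007, 3, 10),
}

# Constructed export from the physical access (badge) system.
BADGES = [
    {"badge": "B-1", "employee": "E1001", "active": True},   # current staff, fine
    {"badge": "B-2", "employee": "E1002", "active": True},   # orphaned pass
    {"badge": "B-3", "employee": "E1003", "active": False},  # properly revoked
    {"badge": "B-4", "employee": "E1004", "active": True},   # orphaned pass
    {"badge": "B-5", "employee": "E9999", "active": True},   # holder unknown to HR
]

AS_OF = date(2008, 10, 13)  # reconciliation date (constructed)


@dataclass
class Finding:
    badge: str
    employee: str
    days_active_after_leaving: Optional[int]  # None when HR has no record at all


def orphaned_badges(hr_feed, badges, as_of):
    """Return active badges whose holder is terminated or unknown to HR."""
    findings = []
    for b in badges:
        if not b["active"]:
            continue  # already revoked; nothing to report
        if b["employee"] not in hr_feed:
            findings.append(Finding(b["badge"], b["employee"], None))
            continue
        term = hr_feed[b["employee"]]
        if term is not None and term <= as_of:
            findings.append(Finding(b["badge"], b["employee"], (as_of - term).days))
    return findings


def worst_case_days(findings):
    """Longest time any orphaned pass has stayed active (unknown holders count as 0)."""
    return max((f.days_active_after_leaving or 0 for f in findings), default=0)


if __name__ == "__main__":
    for f in orphaned_badges(HR_FEED, BADGES, AS_OF):
        print(f)
```

Running this daily against the real feeds, rather than waiting for an auditor, is the workflow the post says was missing.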


Friday, October 10, 2008

New Defender5 case study - RSA switch

One of our customers - The Longaberger Company - has switched off of RSA's SecurID infrastructure on to Quest's Defender5. Why? Because of our integration with Active Directory and the Windows platform...
“With RSA SecurID®, our previous solution, we had to have a separate administrator manage the system. Since Defender integrated so nicely with Active Directory, our AD administrators now support two-factor authentication as part of their responsibilities. The added functionality that integrating with AD provided, coupled with the cost savings of Defender, enabled us to get a technically superior solution at a lower cost of ownership.”

It's much easier for a company to leverage their Windows helpdesk and Windows administrators than it is to spin up specialized staff and technically challenging synchronization between RSA's solution and Active Directory.

Just use Active Directory - it's no longer a specialized directory that few people know!


Tuesday, October 07, 2008

Matt's Litmus Test

Matt Flynn posted on a litmus test for metadirectory versus virtual directory a couple of days ago. He quoted Divya Sundaram of Motorola:
If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).
I might not be reading it correctly or maybe Matt's notes are slightly off but I always thought it was better to use a virtual directory for data that you don't own. A good example here would be HR data. The typical metadirectory or IT/IS project is not going to have read/write access to the HR system so there's no real need for a metadirectory, per se, as the metadirectory will never be writing back to the HR system. From my perspective if you "own" the data store then you can replicate or synchronize the data in it. If you don't own the data store then you can only pull (read) from it.

I completely agree with Matt that both virtual directories and metadirectories should be part of your overall toolbox. I look forward to the day we won't need to make this distinction anymore.

So I am not sure if we have a pure blue and pink litmus test for this yet...


Monday, October 06, 2008

IDM conference in Asia

A few weeks ago I saw some information on this conference, which is taking place in Singapore, and thought I'd pass it on:

Take advantage of this unrivaled networking opportunity that’s combined with 2 days of cutting-edge content delivered by industry leaders and specialists. With our finger on the pulse of the region’s Identity management industry, we are proud to once again witness the remarkable development of this dynamic market.

Interesting how we are starting to see more and more of the traditional physical access management vendors attending and sponsoring these events. Makes you wonder if there's a convergence happening between physical and logical access? (That was a rhetorical question!)


Sunday, October 05, 2008

Time-warped in Toronto

The reality tour took me to Ottawa, Montreal and Toronto last week. I was visiting with customers and partners like Avaleris and Itergy. On Friday, I had the opportunity to present to the "Federation of Security Professionals" in Toronto. The keynote speaker was Jim O'Donnell who is the CISO of the Royal Bank of Canada.


I was the second-to-last speaker of the day and as I sat through the presentations - all of which were excellent - I began to feel like I had entered a time-warp. Back in 1993, my career forked from the mainframe world of my first employer to a new employer who wanted my technical evaluation of something called Banyan VINES. Fast-forward to Toronto and suddenly I am hearing, throughout the day, terms I have not heard in over 15 years...
  • Daz-Dee (DASD) - Direct Access Storage Device - A mainframe disk drive.
  • Vee-Talk (VTOC) - Volume table of contents - The "directory" for the DASD.
  • Jez (JES) - Job Entry System for MVS.
  • Emm-Vee-Ess (MVS) - Multiple Virtual System - The operating system for IBM mainframes.
  • Rack-Eff (RACF) - Resource Access Control Facility. Security and access control system for IBM mainframes.
  • Kicks (CICS) - Customer Information Control System. General purpose monitor for terminal-oriented and inter-system transaction processing in z/OS.
All those terms being thrown around made me realize that the mainframe was still very much alive and well, and I was old - but the worst part of the day was walking down Yonge Street (the longest street in the world) in downtown Toronto that evening and realizing that Sam the Record Man was closed down. For 60 years it was the place for records and now it's boarded up. Yonge Street is beginning to look more and more like Trafalgar Square or Times Square as the years go by. I'm not sure if that is good or not.

This week (Oct 5-7) I will be speaking at Digital Identity World 2008 in Hamburg, Germany. Will I see you there?
