Monday, December 28, 2009

Jeremy Moskowitz’s comments on Privileged Account Management

My thanks to Jeremy for taking the time to comment on my earlier post on this topic. I thought it would be useful to highlight his comment below for all readers and to give my perspective on it:
Microsoft already owns a BeyondTrust-like solution gained in the acquisition of Winternals. 99% of the Winternals acquisition went out with MDOP. 1% did not. This product. The real question is, with the ownership of that technology AND the fact that they specifically passed up the BeyondTrust piece... WHY would Microsoft WILLINGLY decide NOT to get into that business. My feeling is that they need to maintain "plausible deny-ability" in security cases. In other words, there is no middle ground: there are Admin users and there are User users. The Winternals and BeyondTrust pieces allow you to dial up or down privilege rights. Microsoft clearly doesn't want to be in that business. So they aren't. (PS: No internal knowledge here... just a hunch.) -Jeremy Moskowitz, Group Policy MVP
I wasn't aware that the acquisition of Winternals brought a lot of this technology to the table. I'm sure Jeremy or my old friend Darren Mar-Elia can comment on the penetration of the Microsoft Desktop Optimization Pack (MDOP). My experience - and it's by no means definitive - was that not many customers were purchasing it. Or, at least, the majority of customers were not purchasing it. In either case, I'd love to hear Jeremy's or Darren's comments on the uptake of MDOP.

Now, on to Jeremy’s comment: “WHY would Microsoft WILLINGLY decide NOT to get into that business. My feeling is that they need to maintain ‘plausible deny-ability’ in security cases.” I believe – and I, too, have no internal knowledge here – that Microsoft simply didn’t know what they had and that there was a breakdown of communication internally. Here’s how I think it went down:
  • The acquisition was driven by the Windows Enterprise Management division (WEMD), because that’s who was quoted in the press release.
  • In 2006, the year of the acquisition, WEMD had no interest in anything outside of Group Policy, System Center and Operations Manager. “Securing” administrative accounts was not a Group Policy issue, whereas backup and operation of Group Policy was; that is why they kept the Desktop Standard Group Policy management software but jettisoned the security piece. (Which still makes me wonder, because the executive quoted in the press release – Praerit Garg – worked in the Windows security group before moving to WEMD.)
  • The Desktop Standard acquisition was never shopped around to other divisions. In other words, WEMD never told the Windows Server or Identity Management teams about the acquisition and the BeyondTrust technology. Or they did tell them, but in 2006 those teams had no idea what the BeyondTrust technology was because they didn’t yet understand the problem completely.
  • When Zoomit was acquired by Microsoft, we had an innovative directory-enabled single sign-on product that Microsoft never looked at and simply threw out. They were only interested in the meta-directory technology. So my personal experience is that the acquirer can be short-sighted about some of the assets it ends up acquiring. Did this happen with the BeyondTrust technology?
  • Or was the BeyondTrust technology simply not ready for prime time back in 2006?
I guess we’ll probably never know what really happened. Jeremy might be right. Jackson might be right. Or there might very well be another reason. In either case, it is fun to play armchair quarterback.

gpoguy said...

Hey Jackson-
I can't really comment on MS' motivation around the BeyondTrust stuff. With respect to MDOP, customers don't really buy it. They get it if they have "Software Assurance" or whatever it's called now. Frankly, I wish customers could buy it, since there's a lot of useful technology in MDOP that would be nice to make available to everyone. As such, I think there is good uptake of MDOP today amongst enterprise customers who are licensed for SA, especially around stuff like App-V and AGPM.

With respect to PAM, I agree with you about the tie-in to IAM. I think there are several challenges around that. One, I view that there is a difference between the problem of PAM on desktops and servers. I don't think that BeyondTrust's product today solves the server PAM problem. Second, the process of provisioning users day-to-day is often disconnected from PAM, because PAM so often depends upon "local" decisions. So, I think it's a process and technology gap today.

Anyway, my $.02. I think there are some important problems to solve out there, but it's not a one-size-fits-all solution.

Darren Mar-Elia