Thursday, December 31, 2009

Happy New Year everyone!

As 2009 draws to its end I want to wish everyone a very happy and successful 2010.

Thanks for your support, comments and continued readership!


Wednesday, December 30, 2009

PKI is too hard for even the US military!

I end up in debates about the use of smartcards (PKI) and one-time passwords (OTP) fairly frequently: which one is “safer” or “better” and which one is easier to implement. I love PKI. I love the math around public-key cryptography. But what I hate about PKI is the implementation of a PKI. It is not easy. Have you ever set up a certificate authority (CA)? I tried once but I stopped when I noticed my hair had turned white. It is not for the faint of heart. One mis-step can lead to having to re-do everything, and imagine a re-do after you have already deployed certificates to your end-users! When I first got involved in the Defense Message System (DMS) and NATO ACP123 for secure message interoperability I felt I had entered the world of spy-versus-spy. This stuff is really complicated. That’s probably why it’s been “The year of PKI” for the last 20 years and why it might be “The year of PKI” for the next 20 if we can’t figure out how to un-complicate it.

Well, it seems that this stuff is pretty darn complicated for the US military, too. I was dumbfounded when I read in the Wall Street Journal that our “enemies” were able to watch the real-time video feeds from Predator aircraft. All they needed was a satellite dish and a program (“SkyGrabber”) that was put together in Russia and costs $30 or so. My first thought, aside from “You must be kidding!!!”, was that the insurgents must have found some sort of vulnerability, but it turns out they hadn’t. The military just wasn’t encrypting the video feeds, and they even admitted to knowing about the problem since the Bosnia conflict in the 1990s.

Monday, December 28, 2009

Jeremy Moskowitz’s comments on Privileged Account Management

My thanks to Jeremy for taking the time to comment on my earlier post on this topic. I thought it would be useful to highlight his comment below for all readers and to give my perspective on it:
Microsoft already owns a BeyondTrust-like solution gained in the acquisition of Winternals. 99% of the Winternals acquisition went out with MDOP. 1% did not. This product. The real question is, with the ownership of that technology AND the fact that they specifically passed up the Beyondtrust piece... WHY would Microsoft WILLINGLY decide NOT to get into that business. My feeling is that they need to maintain "plausible deny-ability" in security cases. In other words, there is no middle ground: there are Admin users and there are User users. The Winternals and BeyondTrust pieces allow you to dial up or down privilege rights. Microsoft clearly doesn't want to be in that business. So they aren't. (PS: No internal knowledge here.. just a hunch.) -Jeremy Moskowitz, Group Policy MVP
I wasn't aware of the fact that the acquisition of Winternals brought a lot of this technology to the table. I'm sure Jeremy or my old friend Darren Mar-Elia can comment on the penetration of Microsoft Desktop Optimization Pack (MDOP). My experience - and it's by no means definitive - was that not many customers were purchasing it. Or, at least not the majority of customers were purchasing it. In either case, I'd love to hear Jeremy's or Darren's comments on the uptake of MDOP.

Friday, December 25, 2009

Happy Holidays

Best wishes, happy holidays and Merry Christmas to everyone!

P.S. To Santa: I really like these flying wing things that these guys were piloting over the cliff at Huntington Beach yesterday...They just fly on the wind currents, no engine - very cool.

Thursday, December 24, 2009

Privileged Account Management’s Star to Rise in 2010?

Martin Kuppinger over at Kuppinger Cole+Partner just blogged about this topic: Will IBM change the way we do PAM (or PIM or PUM)? His post is worth reading in its entirety but I thought I’d comment on one particular portion of it:
An interesting question in this context is whether this will affect the overall PAM market. First of all, it confirms what I’ve described earlier in my blogs: There will be a convergence of PAM with provisioning and other IAM solutions. And with more vendors providing such integrations (some are providing some integration or are working on that), customers are likely to pick the “integrated PAM”. However, there is no doubt that at that point of time the PAM specialists in most cases have more feature-rich offerings, which might complement even these integrated PAM approaches or replace them in case that specific features are required. Thus, there will be a “stand-alone” PAM market for the foreseeable time. On the other hand I expect more acquisitions of PAM specialists to happen given that the larger vendors might want to speed-up the development of their integrated PAM offerings by acquiring a product and integrating it. Another point to mention: IBM’s approach shows that PAM is moving out of a niche towards a mainstream IAM market segment.
I completely agree that we are going to see a greater tie-in between provisioning and privileged account management systems. After all, isn't a privileged account a special type of account and isn't my provisioning application used for creating accounts? "QED" as my old math professor would say. I think the traditional stack vendors (IBM, CA, Sun, Novell, etc.) are going to have to address privileged account management within their platforms sooner than later. Regulators and compliance professionals are starting to wake-up to the fact that companies do not have a good handle on their privileged accounts, who has them, what they are doing with them and who has authorized them to have one. Just ask yourself who has an Active Directory domain administrator account in your organization, why they have one, who authorized them to have it and what they do when they use it? That’s not an easy question for most organizations to answer today. The same goes for “root” on your Unix or Linux systems. In fact, on Unix and Linux the question is even more difficult to answer.
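The Unix/Linux side of the question above (“who has root, and why?”) is answerable from three files, and the answer is usually broader than the `root` entry alone: extra uid 0 accounts, admin groups, and sudoers entries that grant `ALL`. The script below is an added example written for this post, not code from Quest or any product mentioned here; it audits constructed copies of `/etc/passwd`, `/etc/group` and `/etc/sudoers` (all sample data, not from a real host) and ignores sudoers aliases and `#include` directives, which a production audit would also have to resolve.

```python
import re
from collections import defaultdict

# Constructed sample files (not from any real host) standing in for
# /etc/passwd, /etc/group and /etc/sudoers on a Linux box.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backup admin:/root:/bin/sh
svc_build:x:1002:1002:CI build:/var/lib/build:/bin/bash
"""

GROUP = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:
users:x:100:alice,bob,svc_build
"""

SUDOERS = """\
# constructed sudoers (User_Alias/Cmnd_Alias and #include are not handled)
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
svc_build ALL=(ALL) NOPASSWD: ALL
bob ALL=/usr/bin/systemctl restart nginx
"""


def parse_passwd(text):
    """Return {user: (uid, primary_gid)}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            users[name] = (int(uid), int(gid))
    return users


def parse_group(text):
    """Return {group: (gid, set(explicit_members))}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def group_members(group, users, groups):
    """Explicit members plus users whose primary gid is this group."""
    if group not in groups:
        return set()
    gid, explicit = groups[group]
    return explicit | {u for u, (_uid, pgid) in users.items() if pgid == gid}


def find_privileged_accounts(passwd_text, group_text, sudoers_text):
    """Map each account to the reasons it can act as root: uid 0, or a sudoers
    entry (direct or via %group) noting whether it grants ALL or a narrow command list."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    reasons = defaultdict(list)

    for name, (uid, _gid) in users.items():
        if uid == 0:
            reasons[name].append("uid 0")

    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        # form: user_or_%group  host=(runas) [TAG:] command list
        m = re.match(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$", line)
        if not m:
            continue
        who, _host, _runas, cmds = m.groups()
        cmds = re.sub(r"^(?:\w+:\s*)+", "", cmds).strip()  # drop NOPASSWD: etc.
        scope = "sudo ALL" if cmds == "ALL" else f"sudo limited: {cmds}"
        if "NOPASSWD" in line:
            scope += " (NOPASSWD)"
        is_group = who.startswith("%")
        targets = group_members(who[1:], users, groups) if is_group else {who}
        for t in targets:
            if t in users:
                reasons[t].append(scope + (f" via {who}" if is_group else ""))
    return dict(reasons)


def root_equivalent(reasons):
    """Accounts that are effectively root, as opposed to scoped sudo delegations."""
    return sorted(u for u, rs in reasons.items()
                  if any(r.startswith(("uid 0", "sudo ALL")) for r in rs))


if __name__ == "__main__":
    found = find_privileged_accounts(PASSWD, GROUP, SUDOERS)
    for user, why in sorted(found.items()):
        print(f"{user:10s} {'; '.join(why)}")
    print("root-equivalent:", root_equivalent(found))
```

On the sample data this flags a second uid 0 account (`toor`), a group-granted `ALL` (`alice` via `%wheel`) and a passwordless `ALL` for a service account, while keeping `bob`'s single-command delegation in a separate, less alarming bucket. The “who authorized it and what do they do with it” half of the question still needs a record outside these files, which is exactly the gap PAM tooling is meant to fill.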
Privileged account management as a subset of identity management is new. Provisioning has been around a long time and is somewhat “old news”. In 2010 I think we will see a lot more market turbulence around privileged account management and I agree with Martin’s prediction to expect more acquisitions.
Hmmm, did Microsoft make a mistake in their purchase of Desktop Standard in 2006 by allowing the BeyondTrust bit to escape? In retrospect, they would have been better to keep the PAM (BeyondTrust) portion – they need it like the other stack vendors!

Wednesday, December 23, 2009

The Right Authentication for the Right Risk

Last week I blogged about Gartner’s story on beating strong authentication. Today, I wanted to point out another Gartner article which I thought was useful and reinforced what I said about choosing the right level of authentication (strong or otherwise) depending on the risk of the transaction. Gartner’s "Good Authentication Choices for Workforce Remote Access" by Ant Allan and John Girard was published on December 21, 2009. If you are a Gartner client you can look the article up by its ID number: G00173177. You have to be a Gartner client to access the report.
...we recommended that, for each use case, an enterprise must consider at least the required minimum authentication strength (commensurate with the level of risk), ease of use and the maximum justifiable total cost of ownership (TCO).
I agree that authentication strength should be matched against risk but that's not the only factor that should be considered. We are talking to more and more customers who are willing to enhance their authentication strength because costs for some two-factor solutions are declining. The typical conclusion I see a customer reaching is that for less than what they paid to protect higher risk transactions they can now protect all access to their network. So rather than simply replace the higher-risk transactions with a cheaper - but as effective solution - companies are considering increasing the footprint of their strong authentication deployment to cover more users even if they are doing less risky things. So for the same or even less money they are increasing their overall security posture.
So while I agree with Gartner that risk plays into the authentication mechanism a company might use I would also recommend that a company look at overall cost. Why protect only high-risk transactions if you can extend strong authentication to all users in your company?

Tuesday, December 22, 2009

Santa's Identity Crisis

Dave Kearns (re-)posted a humorous slant on identity management from the perspective of Santa's many identities:
It's that time of year when it seems our biggest identity problem is "will I remember who and where I am if I have another round of egg nog?" But there's one guy who goes through a major identity crisis each year at this time.

Every year, from Dec. 6 through Jan. 6, someone visits many of the children of the world and brings them presents. If you think remembering all your user names is tough, think of the problem he has! In various places around the world he's known as:

Agios Vassilios
Black Peter
Bozic Bata
Christmas Bock
Ded Moroz
Dedek Mraz
Diado Coleda
Dun Che Lao Ren
Father Christmas
Father Frost
Fur Clad Nicholas
Gaghant Baba
Grandfather Frost
Hagios Nikolaos
Jolly Old Elf
Kaledu Senis
Karácsony Apó
Kriss Kringle
Mos Craciun
På norsk
Pai Natal
Papa Noel
Papai Noel
Pére Noel
Saint Nicholas
San Nicolás
Santa Claus
Santa Klausam
Santa Kurohsu
Shakhta Babah
Shengdan Laoren
Sing dan lo ian
Sint Nikolass
Sion Corn
Star Man
Svaty Mikulas
Swiety Mikolaj
Vovo Indo
Winter Holiday Old Man
Wise Man
Ziemmassve'tku veci'tis

That's almost 60 different usernames! And those are only the most popular ones. Now since he does have to travel around the world, he probably needs a passport in each name as well as a description and picture. This part is hard to explain, though, as the pictures I've seen show both a tall thin man as well as a short round one. It may be that we're dealing with multiple people rather than multiple personas. I understand that the U.S. Department of Homeland Security is investigating.
Dave, thanks for reminding us that identity spans more than just IT!


Friday, December 18, 2009

Gartner on beating strong two-factor authentication

Gartner just released a document titled “Where Strong Authentication Fails and What You Can Do About It”. Various articles have been published reporting on Gartner’s findings including here, here and here. Most of Gartner’s comments and guidance revolve around protecting yourself from “man-in-the-browser” attacks. If you don’t know what an MitB attack is here’s a link to Wikipedia’s MitB definition – check it out. A good example of an MitB program is “Silentbanker” (click to link to Symantec’s description of it).

The author’s advice is:

Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transactions.

I completely agree with the advice but also want to point out that last phrase, “high risk transactions”. I hope everyone recognizes that security is graduated. That means that for high risk transactions you place much more security around them, while for low risk or no risk transactions you place lower levels of security around them. After all, the best security against MitB attacks would be not to be connected to the Internet, but that’s probably not what companies have in mind. Hopefully, consumers are all running up-to-date anti-virus software that helps to prevent and eradicate these types of attacks, and companies are doing the same for their employees.

So does this mean that strong two-factor authentication is of no value anymore? Not at all but we all should be re-evaluating our security posture based on risks and threats. The author emphasizes the use of out-of-band authentication due to growing MitB attacks. If your evaluation of this new risk versus your current security – two-factor or otherwise – leads you to believe you need to ratchet your security tighter then that’s good advice for you. Security should always be evaluated against risk. If you are never going to drive 200 MPH then why buy a car that can drive this fast? It’s the same concept for security.


Cool features in the latest Release of Quest Password Manager

My thanks to our Moscow development lab in getting out the latest release of Quest Password Manager (V4.6 which is available at our website here). I also want to thank our development lab in Horton (UK) for their help with this release because it marks another great area of product integration between a Quest product (Password Manager) and a former PassGo product (Defender). For those that have been following my blog for a while you'll remember that we acquired PassGo two years ago. Stuart Harrison who is the product manager for QPM has blogged about the release and features already so I won’t re-hash them all other than the specific product integration work that has happened with Quest Defender.

The integration with Quest Defender adds a twist to traditional password reset products like QPM. Most password reset products have the capability of storing a number of question and answer responses that an end-user must correctly enter in order to reset their password. By integrating with Quest Defender it is now possible for a company to protect the registration, or initial entry, of those answers by requiring an end-user to verify their identity via their Defender one-time password. In addition, if Quest Defender is installed it is possible to totally bypass the question and answer procedure by simply having the end-user verify their identity via their Defender one-time password and letting them reset their password. After all, Defender is providing stronger authentication than simply being able to answer some questions.

We are not done with integration between these two products yet. I would like to see integration the other way so that a customer who has both products installed could use the QPM questions and answers as a means of verifying someone’s identity when they call the helpdesk to have their Defender pin-code reset. After all, the users have all registered this information already so why not leverage it within other products?
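The two integration points described above, OTP-protected registration of the answers and OTP bypass of the questions, are simple to model. The code below is an added example written for this post; it is not QPM or Defender code and does not reflect their internals. It assumes a standard RFC 6238 TOTP token in place of Defender (the `ResetService`, the `otp_secrets`/`answers` stores and the `_hash_answer` helper are hypothetical names), stores registered answers salted and hashed rather than in the clear, and compares codes and hashes in constant time.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step)


def verify_otp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift."""
    return any(hmac.compare_digest(hotp(secret, now // step + d), code)
               for d in range(-window, window + 1))


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Normalise case/whitespace so honest users are not rejected, then hash
    # like a password so a database leak does not hand out the answers.
    norm = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)


class ResetService:
    """Self-service password reset, gated by an OTP token where one is enrolled."""

    def __init__(self):
        self.otp_secrets = {}   # user -> token seed, or None if no token enrolled
        self.answers = {}       # user -> {question: (salt, hash)}
        self.passwords = {}     # user -> current password (stand-in for the directory)

    def enroll_user(self, user, password, otp_secret=None):
        self.passwords[user] = password
        self.otp_secrets[user] = otp_secret

    def _otp_ok(self, user, code, now):
        secret = self.otp_secrets.get(user)
        return secret is not None and code is not None and verify_otp(secret, code, now)

    def register_answers(self, user, qa, otp_code=None, now=0):
        """Store Q&A answers. A user who has a token must prove it at registration,
        otherwise anyone at an unlocked desk could plant their own answers."""
        if self.otp_secrets.get(user) is not None and not self._otp_ok(user, otp_code, now):
            return False
        self.answers[user] = {}
        for question, answer in qa.items():
            salt = os.urandom(16)
            self.answers[user][question] = (salt, _hash_answer(answer, salt))
        return True

    def _answers_ok(self, user, given):
        stored = self.answers.get(user, {})
        if not stored or set(given) != set(stored):
            return False
        return all(hmac.compare_digest(_hash_answer(given[q], salt), h)
                   for q, (salt, h) in stored.items())

    def reset_password(self, user, new_password, otp_code=None, given_answers=None, now=0):
        """A valid OTP is stronger evidence than Q&A, so it bypasses the questions;
        without one, every registered answer must match."""
        if self._otp_ok(user, otp_code, now) or (given_answers and self._answers_ok(user, given_answers)):
            self.passwords[user] = new_password
            return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"   # the RFC 4226/6238 test-vector secret
    svc = ResetService()
    svc.enroll_user("alice", "old-password", seed)
    print("register without OTP:", svc.register_answers("alice", {"pet": "Rex"}, "000000", now=59))
    print("register with OTP:   ", svc.register_answers("alice", {"pet": "Rex"}, totp(seed, 59), now=59))
    print("reset via OTP:       ", svc.reset_password("alice", "new", otp_code=totp(seed, 59), now=59))
```

Users without a token (the `otp_secret=None` case) fall back to the traditional flow, which is the page's "if Quest Defender is installed" condition; the reverse integration wished for above would simply expose `_answers_ok` to the helpdesk's PIN-reset path.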


Monday, December 14, 2009

Ash's Healthcare Observations

Fellow blogger Ash Motiwala blogged about the Microsoft/Sentillion acquisition over the weekend. He has some great insights into the healthcare angle as to why this was important to Microsoft:
1. The healthcare IT market is pretty unique, and healthcare specific software tends to take precedence over the larger generic software providers. This has caused 100's (if not 1000's) of applications within a typical healthcare IT environment. Healthcare IT shops want to buy software from companies who understand them (with doctors in the exec board), and they'll pay top dollar for the special attention. For example, McKesson brought in over $100b in 2008 vs. Microsoft's $60b in all verticals.

2. Until about the mid 2000's, Microsoft's healthcare strategy was pretty bad. They might disagree with me, but anecdotal evidence suggests that they were trying to sell generic technology (like BizTalk, SharePoint, etc.) with a healthcare twist. In my opinion, that approach caused them to lag in healthcare, and was a major cause of complaint for Microsoft's healthcare account reps that I had dealt with in the past.

3. In 2005, Microsoft hired Peter Neupert as VP of their Health Solutions Group. Prior to that, Peter was the CEO of, and co-chair'd the healthcare IT committee for the President's IT Advisory Committee. In 2006, Microsoft acquired Azyxxi, a healthcare app that pulls and displays patient info from disparate sources, and competes with the Cerners and McKessons of the world. Good move. (They also brought over a doc with the acquisition to lead the software team!) They followed that up with the acquisition of Hospital 2000 by GCS, then Rosetta Biosoftware and the launching of HealthVault. At HIMMS 2008 in Orlando, Microsoft renamed their healthcare line 'Amalga'.

4. In line with their seemingly new strategy of going more vertical, this past June - Microsoft signed a licensing agreement with Sentillion to supply Sentillion's SSO and Context Management technology as part of Amalga. A few days ago, Microsoft announced its plan to acquire Sentillion.

The one thing I will add is I do know that the healthcare vertical in Microsoft is an important one. They have their own dedicated teams and there is clearly a lot of room for revenue growth for Microsoft - which is exactly why they purchased Sentillion. Ash's commentary certainly helps me understand Microsoft's actions better.


Thursday, December 10, 2009

Further reflection on the Sentillion acquisition brings more questions

Earlier today I blogged about Microsoft's acquisition of Sentillion. After letting this percolate in my mind for a while I thought I'd share some of the questions that have come up for me about this acquisition:
  • If you carefully read the press release you will see that there's a quote from Sentillion's CEO and a quote from Peter Neupert, corporate vice president, Microsoft Health Solutions Group. Why no quote from anyone on the Forefront Identity Management (FIM) team? My conclusion - possibly wrong: This acquisition was driven by the Health Solutions Group - not the FIM team.
  • Single sign-on (enterprise, web or federated) is a key identity management concept. Question: Will any of Sentillion's products or technology be integrated into the FIM stack? Microsoft owns Sentillion now. It would make sense to do this. However, if Sentillion will be exclusively run by the Health Solutions Group this could lead to a split identity management strategy at Microsoft and that would not be good. Imagine having to speak to the FIM sales guys about FIM and the healthcare sales guys about Sentillion/ESSO.
  • The Sentillion product line includes a product called "ProVision" which is focused on user provisioning. Question: What happens to that? Can Microsoft afford two user provisioning solutions? Even if one is for healthcare only? Will FIM replace ProVision? Will Microsoft keep any of Sentillion's IDM stack at all other than the healthcare-specific "context switching" stuff?
  • Why did Microsoft acquire Sentillion versus leveraging FIM? I can guess at a whole bunch of reasons why this didn't happen: Time to market of a FIM-based solution for the healthcare people; FIM being a more general purpose solution versus Sentillion's healthcare focus; or the healthcare people simply focusing on their market and Sentillion being a market leader was the obvious play.
I'm guessing that this was not an identity management acquisition but a healthcare acquisition meant to strengthen Microsoft's position in the healthcare market. That would lead me to believe that none of the Sentillion solution ends up in FIM. In either case, time will tell.

Microsoft expands into enterprise single sign-on

Microsoft announced this morning that they are acquiring Sentillion:
Sentillion has successfully combined patented technology with a deep understanding of the healthcare industry to deliver the most comprehensive set of solutions for single sign-on, clinical workstations, advanced authentication, identity management and desktop virtualization.
While the emphasis on the acquisition is healthcare focused I'm sure that Microsoft will want to roll some or all of the Sentillion technology into their FIM/identity management product line eventually.


Wednesday, December 09, 2009

Password Security for Boneheads

That's the title of an interesting article I just read over at InfoWorld. The author points out that many web sites are just not secure with respect to how they store or require passwords:
More disturbing is the way password recovery works on some of these sites. At least half the time, when I get the (unencrypted) recovery e-mail, my password is right there in the message, in plain text. That means the site is storing all those passwords in plain text in a database -- one that's being backed up somewhere and is probably readable by a significant number of admins and possibly anyone who happens to snag a backup tape. It's a catastrophe waiting to happen.
I agree - and I am sure most of you do also - that these are catastrophes waiting to happen, and many have already happened! The problem is that so much is now tied to our identities that it is nearly impossible to protect ourselves effectively. I once asked a lady in front of me at the grocery store why she wrote a check rather than use a debit/credit card to pay for her purchases and she responded with "I've never had my identity stolen via a check". Good point, lady.
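A site that can mail you your password has, by construction, stored it recoverably. The added example below (written for this post, not taken from the InfoWorld article or any real site) places the pattern the article complains about next to the fix: the hardened store keeps only a salted PBKDF2 digest, so there is nothing to put in an e-mail, and recovery instead proves mailbox control with a random, single-use, short-lived token after which the user chooses a new password. `PlaintextStore`, `HashedStore`, `TOKEN_TTL` and the `example.invalid` link are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

ITERATIONS = 200_000       # PBKDF2 work factor; tune upward as hardware allows
TOKEN_TTL = 15 * 60        # recovery links die after 15 minutes


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); only these are stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PlaintextStore:
    """The pattern the article describes: the password itself sits in the
    database, so recovery can (and does) just mail it back."""

    def __init__(self):
        self.db = {}

    def create(self, user, password):
        self.db[user] = password

    def recovery_email(self, user):
        return f"Your password is: {self.db[user]}"


class HashedStore:
    """Stores salt+digest only; recovery proves control of the mailbox with a
    single-use token and lets the user set a fresh password."""

    def __init__(self):
        self.db = {}       # user -> (salt, digest)
        self.tokens = {}   # token -> (user, expires_at)

    def create(self, user, password):
        self.db[user] = hash_password(password)

    def login(self, user, password) -> bool:
        rec = self.db.get(user)
        return rec is not None and verify_password(password, *rec)

    def start_recovery(self, user, now) -> Optional[str]:
        """Issue a recovery token. Returns None for unknown users; the caller
        should still send an identical generic reply so account names don't leak."""
        if user not in self.db:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (user, now + TOKEN_TTL)
        return token

    def recovery_email(self, token) -> str:
        # The token is the only secret in the message; no password appears.
        return f"To reset your password, visit https://example.invalid/reset?t={token}"

    def complete_recovery(self, token, new_password, now) -> bool:
        entry = self.tokens.pop(token, None)      # pop: a token works exactly once
        if entry is None:
            return False
        user, expires_at = entry
        if now > expires_at:
            return False
        self.db[user] = hash_password(new_password)
        return True


if __name__ == "__main__":
    bad = PlaintextStore()
    bad.create("alice", "hunter2")
    print("plaintext site mails:", bad.recovery_email("alice"))
    good = HashedStore()
    good.create("alice", "hunter2")
    tok = good.start_recovery("alice", now=1000)
    print("hashed site mails:   ", good.recovery_email(tok))
    print("reset ok:", good.complete_recovery(tok, "correct horse battery", now=1200))
    print("token reused:", good.complete_recovery(tok, "again", now=1300))
```

The two classes have the same surface so the difference is purely what sits in `db`: a backup tape of `HashedStore.db` yields salts and digests that still have to be brute-forced per user, while `PlaintextStore.db` is the catastrophe the article describes.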


Friday, December 04, 2009

Saving (AD) Forests

A successful Active Directory forest recovery relies primarily on planning and documentation, so if you don’t have those in place now—jump on it.

Don Jones, a Microsoft MVP, has written a white paper for Quest that provides real-world customer examples of forest failures and why you should be prepared for this sort of a disaster. It's definitely worth reading just to understand the magnitude of a forest recovery.


Wednesday, December 02, 2009

Windows Access Rights Explained

Fellow blogger Matt Flynn has published a white paper titled “Expert Insight on Windows Access Rights” which I managed to read yesterday. Matt gives a great overview of Windows Access Rights, how they are granted and, most importantly, how they are evaluated by the operating system. If you feel your knowledge of Windows Access Rights is a bit weak or you need a refresher on this topic I’d suggest reading Matt’s paper. It’s only 8 pages long but Matt packs a lot of great information in those pages…

If you think you know who has access to files by looking at the security tab, you’re dead wrong. Access to Windows file system resources is controlled via a complex web of interwoven components. And in most cases, users manage permissions on their own files and folders making centralized access management extremely difficult to achieve and audit of access rights near impossible without help. In this paper, we break down the elements that combine to control access to files on shared Windows network resources.

As Matt says, the Windows file system is complicated!
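Why the security tab misleads comes down to how the DACL is evaluated: ACEs are walked in order, group memberships in the token count as much as the user's own entry, an explicit deny placed first in canonical order beats an inherited allow, and on a network share the NTFS result is intersected with the share permissions. The simulator below is an added example written for this post, not Matt's paper's code or Windows' own; it uses four generic rights in place of the real access mask and ignores owner-implicit rights, privileges and SACLs, but the ACE walk, the canonical ordering and the share intersection follow the documented Windows rules. The user, group and right names are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed stand-ins for the Windows file access mask bits.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass
class Ace:
    sid: str            # user or group the entry applies to (names here, SIDs in Windows)
    mask: int           # rights this entry allows or denies
    allow: bool         # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    inherited: bool = False


def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Windows keeps DACLs in canonical order: explicit denies, explicit allows,
    inherited denies, inherited allows. The security tab always writes them this way."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(dacl: Optional[List[Ace]], token_sids: Set[str], requested: int,
                 canonicalize: bool = True) -> bool:
    """Simplified AccessCheck. A NULL DACL grants everyone; an empty DACL grants
    nobody. Otherwise ACEs are walked in order: an allow ACE for one of the
    token's SIDs satisfies the bits it grants, a deny ACE that covers any
    still-unsatisfied requested bit fails the check, and the walk stops as soon
    as every requested bit is satisfied."""
    if dacl is None:
        return True
    remaining = requested
    for ace in (canonical_order(dacl) if canonicalize else dacl):
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False
        if remaining == 0:
            return True
    return remaining == 0


def maximum_allowed(dacl: Optional[List[Ace]], token_sids: Set[str]) -> int:
    """What 'Effective Permissions' computes: the largest mask the token can get.
    Bits already denied cannot be allowed later; bits already allowed cannot be denied later."""
    if dacl is None:
        return FULL
    granted = denied = 0
    for ace in canonical_order(dacl):
        if ace.sid not in token_sids:
            continue
        if ace.allow:
            granted |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~granted
    return granted


def effective_over_share(ntfs_dacl, share_dacl, token_sids: Set[str]) -> int:
    """Over the network both the share ACL and the NTFS ACL apply; the user
    gets only the rights present in both."""
    return maximum_allowed(ntfs_dacl, token_sids) & maximum_allowed(share_dacl, token_sids)


def describe(mask: int) -> str:
    names = [(READ, "READ"), (WRITE, "WRITE"), (EXECUTE, "EXECUTE"), (DELETE, "DELETE")]
    return "|".join(n for bit, n in names if mask & bit) or "NONE"


# Constructed scenario: the security tab shows "Staff: Full control" on the file,
# but alice is also a Contractor, and the folder carries an explicit deny.
ALICE = {"alice", "Staff", "Contractors", "Everyone"}
FILE_DACL = [
    Ace("Staff", FULL, allow=True, inherited=True),
    Ace("Everyone", READ, allow=True, inherited=True),
    Ace("Contractors", WRITE, allow=False),            # explicit deny
]
SHARE_DACL = [Ace("Staff", READ | WRITE, allow=True)]

if __name__ == "__main__":
    print("local effective:  ", describe(maximum_allowed(FILE_DACL, ALICE)))
    print("via share:        ", describe(effective_over_share(FILE_DACL, SHARE_DACL, ALICE)))
    print("can write locally:", access_check(FILE_DACL, ALICE, WRITE))
```

Run as-is, alice (who looks like "Full control" on the tab) can read, execute and delete locally and can only read across the share. Setting `canonicalize=False` on a DACL with an allow placed before a matching deny shows the other reason the tab misleads: non-canonical ACLs written by tools rather than the GUI are evaluated in the order they were written.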