Friday, February 26, 2010

Quest SaaS beta testers needed

Quest has launched its first two Software as a Service (SaaS) solutions in beta. These new solutions, called Quest OnDemand, securely provide Windows management services on a pay-as-you-go basis without requiring on-premises deployment or maintenance. Designed for 24x7 availability, Quest OnDemand solutions are built to protect your organization's confidential data while reducing the storage footprint on your network. Register to participate in the beta today at

Our OnDemand solutions are designed to remove many of the barriers that prevent mid-market organizations from adopting on-premises software. For example, OnDemand solutions require:

• No lengthy downloads
• No extensive setup and configuration
• No onsite hardware
• No need to maintain, monitor and patch the software

The two solutions are:

Recovery Manager OnDemand for Active Directory provides backup and object-level recovery of Active Directory data. It is designed to enable flexible, scheduled backups without manual intervention, facilitating quick and scalable recovery of Active Directory data.

InTrust OnDemand securely collects, stores, reports, and alerts on event data from Windows systems, helping organizations comply with external regulations, internal policies and security best practices.

We can certainly use the help testing these new services out so please register for the beta if you’re interested!

Thursday, February 25, 2010

Gerry Gebel to Join Axiomatics

Gerry Gebel, long-time Burton Group analyst (Burton Group was recently acquired by Gartner), is joining Axiomatics to ramp up the company’s US presence. To quote Gerry’s blog entry:
After nearly 10 years at Burton Group, I’ve decided to join Stockholm-based Axiomatics to lead their U.S. operations. Working at Burton was a wonderful experience that benefited me immensely personally and professionally. This has been an amazing time in the IdM industry, and hopefully we were able to instigate some positive changes along the way.
Joining Axiomatics gives me an opportunity to work on the supplier side of the industry – and be more actively engaged in helping enterprises solve problems! This job is going to pose lots of new challenges for me, but I look forward to all of it. Babak and Erik and their team in Stockholm have created a great authorization platform based on XACML, so you can expect to hear a lot about that from me in the future…
First, I want to congratulate Gerry. This will definitely be a challenge for him and one that I am sure he will both enjoy and be successful at. It's not easy taking a European company to the United States, but the best first step is to get someone from the US to run your US operation, and that step has now been accomplished. Congrats Axiomatics! In case you don’t know what Axiomatics does, it is in the XACML authorization business.
Axiomatics can help you with this transformation using entitlement management based on XACML. Our products and services support all aspects of access policy life cycle management. We are not just another access control company. As an active member of the OASIS XACML committee, Axiomatics is not only following the XACML standard but driving it forward to ensure customers stay ahead.

Entitlement Management based on Attribute-Based Access Control (ABAC) and the XACML standard offers a solution. Standardized authorization services will be base components in all future IT infrastructures. Axiomatics offers solutions for enterprise-wide, fine-grained and context-aware access control based on these new standards and helps customers with this shift towards a sustainable enterprise architecture.
I’m beginning to see more customers thinking about both externalized authentication (SAML) and authorization (XACML), but the industry is still nascent. Will Microsoft’s release of Geneva (the code name for AD FS 2.0 and Windows Identity Foundation, due 1H2010) raise the water level for everyone? Absolutely. The only problem I have with both SAML and XACML is that they generally require software products to be written to those standards. Legacy applications are still legacy applications using hard-coded, older authentication and authorization systems unless they are re-written to support the new systems, and many of these legacy applications will never be re-written.
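To show what "written to the standard" means in practice, here is an added Python example that is not Axiomatics' product or any real XACML engine. The same decision (may this user read this record?) is written twice: once with the role check hard-coded in the application, the legacy style described above, and once with the application handing subject, resource, action and environment attributes to a small policy decision point that evaluates ABAC rules with deny-overrides combining. The attribute names and the three rules are illustrative assumptions, and the policy is plain Python rather than XACML XML.

```python
"""Added example (not Axiomatics' code, not a XACML implementation): a
hard-coded authorization check next to an externalized ABAC decision.
Attribute names, roles and rules are illustrative assumptions."""


# Legacy style: the rule lives in application code. Changing who may read a
# record means a code change, a rebuild and a redeploy of the application.
def legacy_can_view_record(user_roles, record_department, user_department):
    if "auditor" in user_roles:
        return True
    return "clerk" in user_roles and record_department == user_department


# Externalized style: the application (the enforcement point) only gathers
# attributes and asks a policy decision point (PDP) for Permit/Deny.
class Rule:
    """A rule applies when both its target and its condition hold.
    target: coarse match (which action / which subjects); condition: finer test."""

    def __init__(self, effect, target, condition=lambda s, r, a, e: True):
        self.effect, self.target, self.condition = effect, target, condition

    def applies(self, s, r, a, e):
        return self.target(s, r, a, e) and self.condition(s, r, a, e)


class PolicyDecisionPoint:
    """Deny-overrides combining: any applicable Deny wins, otherwise any
    applicable Permit, otherwise NotApplicable (which the PEP treats as no)."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, subject, resource, action, environment):
        outcome = "NotApplicable"
        for rule in self.rules:
            if rule.applies(subject, resource, action, environment):
                if rule.effect == "Deny":
                    return "Deny"
                outcome = "Permit"
        return outcome


# Assumed policy. In a XACML deployment this would be XML managed outside
# the application; here it is Python so the example runs stand-alone.
POLICY = PolicyDecisionPoint([
    # Auditors may read any record, but only during business hours
    Rule("Permit",
         target=lambda s, r, a, e: a == "read" and "auditor" in s["roles"],
         condition=lambda s, r, a, e: 8 <= e["hour"] < 18),
    # Clerks may read records belonging to their own department
    Rule("Permit",
         target=lambda s, r, a, e: a == "read" and "clerk" in s["roles"],
         condition=lambda s, r, a, e: s["department"] == r["department"]),
    # Records under legal hold are never readable from outside the corporate network
    Rule("Deny",
         target=lambda s, r, a, e: r.get("legal_hold", False),
         condition=lambda s, r, a, e: not e["on_corp_network"]),
])


def externalized_can_view_record(subject, resource, environment, pdp=POLICY):
    """Policy enforcement point: only an explicit Permit grants access."""
    return pdp.decide(subject, resource, "read", environment) == "Permit"
```

The difference worth noticing is the third rule: the environment attributes (time of day, network location) and the legal-hold deny never appear in the application. With the legacy function, adding them means touching every application that embeds the check.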

Gerry’s got a tough row ahead of him. But, I know it’ll be a fun one! (Just like sailing in storm conditions can be fun if you know what you are doing!)

Good luck Gerry!

Wednesday, February 24, 2010

Cloud Privacy Heat Map

I came across this post by James Staten and Onica King over at Forrester just now and thought it was interesting enough to re-post. Be sure to check out the interactive heat map that they reference – this really gives you an easy way to see which governments to worry about from a snooping perspective, which governments have some data restrictions, pending legislation in the works or the like. Good information!
Geographic location plays a significant role in establishing data protection obligations in the cloud. And while many cloud services originated within the US, growing demand, global competition, and practical business models drive vendor proliferation of cloud services hosted across diverse geographic locations.


To help you grasp the varying scope of regulatory requirements at a high level, we’ve also created an interactive privacy heat map that denotes the degree of strictness — highlighting scope of protection, affected entities, ‘adequacy’ standards met, and heavily surveilled countries — across national data protection regulation.

Interactive Data Protection Heat Map

Remember, pay attention to where your data center will reside in the cloud. Country specific regulations governing privacy and data protection vary greatly, and can have an effect on data transfers, choice of security safeguards, and the rights of the data subjects.

Tuesday, February 23, 2010

TEC2010 - Exclusive Training and Networking Events for Quest Customers

ActiveRoles Server User Group Meeting – Wednesday, April 28 | 1:30 -4:30 pm
Please join us for an exclusive ActiveRoles Server User Group Meeting at TEC on Wednesday, April 28, from 1:30 to 4:30 pm at the JW Marriott Hotel Los Angeles at L.A. LIVE.

We’ll discuss how to best leverage ActiveRoles Server’s provisioning and day-to-day Active Directory management capabilities. We’ll cover deployment scenarios and, best of all, you’ll learn more about ActiveRoles Server from your peers, you’ll have direct access to Quest Product Management, Global Product Directors and Solutions Architects for one-on-one discussions, and we’ll have the rare opportunity to hear from you in person!

To attend this user group, please send an email to

ChangeAuditor User Group Meeting – Wednesday, April 28 | 1:30 – 4:30 pm
Do you own Quest ChangeAuditor? If so, please join us for our User Group Meeting at TEC on Wednesday, April 28, from 1:30 to 4:30 pm at the JW Marriott Hotel Los Angeles at L.A. Live.

We’ll provide an exclusive sneak peek at the new ChangeAuditor 5.0 (coming soon) and discuss the new capabilities and features that are being added as well as what’s in store down the road. Then, join in a discussion with your peers on how other organizations are leveraging ChangeAuditor to track, audit, report and alert on changes in their environment. Whether you use ChangeAuditor to monitor Active Directory, Exchange or your Windows file servers, you’re sure to get some relevant takeaways from this meeting.

To attend this user group, please send an email to

Monday, February 22, 2010

The Experts Conference 2010

More Directory & Identity MVPs and Hands-On Training Sessions than Any Conference in 2010
The Experts Conference (TEC) 2010 will have 28 sessions focused on Microsoft Directory & Identity technologies, led by some of the world’s leading gurus and MVPs. With a packed agenda, there will be several points throughout the three-day conference when every room will have an identity-focused session at the same time! Needless to say, I'm pretty excited about the amount of knowledge we'll have for all of our delegates and can't wait to get into these sessions myself. I've picked out some of the ones I know I'm not going to miss, but it was hard to narrow it all down. Folks can get a full list of sessions online at, but here are my picks so far:

  • Brian Puhl, an architect from Microsoft who worked on the AD team and has been working on MSIT's own identity projects, shares how the Microsoft IT IDM team has been leading through the adoption of Online Services (such as Exchange), integration with Live ID applications, and the mass migration of internal LOB applications to Windows Azure, while trying to maintain their sanity and security.
  • Dmitri Gavrilov, a senior developer from Microsoft and one of ADAM's original creators, will touch on rarely discussed areas of ADAM personality, such as user proxies, bindable objects, the minimalistic schema, password policies, and the life without GCs.
  • Einar Mykletum, Quest's own security guru, will dive into security concerns holding back cloud computing, concerns specific to Azure, what concerns are just perceptions and how to design for real security concerns. He'll also investigate whether we can gain security by applications for Windows Azure.
  • Kevin Kampman, senior analyst for Burton Group Identity and Privacy Strategies covering identity and role management, directory services, provisioning, and electronic commerce, will provide insight and recommendations enabling you to overcome the difficulties bridging the gap between technology and business value in identity and articulate the value of identity in today's dynamic environment.
  • Laura Hunter, a 15 year identity veteran and Microsoft Certified Master in Windows Server 2008 Active Directory, shares a collection of tips and tricks for troubleshooting Microsoft's federation technology and its underlying components gleaned from untold hours of PKI and AD FS experience in the field.
  • Danny Kim, CTO at FullArmor, a Microsoft MVP and recognized industry expert on Windows Group Policy, Active Directory, and PowerShell, will cover a cloud computing case study of an identity implementation using Microsoft's Windows Identity Foundation ("Geneva") that addresses both the consumer case in an emerging market and the corporate scenario in an on-premises cloud. It will show the simplified computing model for developing identity services that is claims-based, cloud-agnostic and Active Directory-integrated.
Make sure you spread the word to anyone who you know that's interested in identity. This should be a great set of sessions this year. TEC 2010 for Directory & Identity takes place April 25-28, in Los Angeles. Register today!

P.S. Yes, I'll be there too!  


Friday, February 19, 2010

Step-Across Authentication

Martin Kuppinger’s blog post on “Simplifying or over-simplifying authentication” got me thinking about what I am calling “step-across” authentication. Many vendors and bloggers have talked about “step-up” authentication. That’s authentication where in one case a userid and password might be acceptable but in another case you need stronger authentication, so you may have to “step up” to a smartcard or a one-time password. Martin spiked this thought into my brain with his point:
My point is: It is not about choosing the authentication mechanism but it is about choosing the best mix of few mechanisms, depending on your use cases. That requires an authentication (and authorization) strategy. That requires platforms for versatile authentication like the ones offered by vendors like ActivIdentity, Entrust, Oracle, and others. That requires a clear understanding of the risk and thus the security requirements of different use cases. Then it is about choosing the appropriate mechanism or a mix of them, to use step-up authentication if required and so on.
The appropriate mechanism or a mix of them. Quite right. Rather than step-up you may also want to step-across the authentication barrier and go out-of-band. Late last year I blogged about the right authentication for the right risk and this is not that different. In one instance a userid and password might be fine. In another you may want to step-up to a smartcard or a one-time password or maybe you want to step-out of the normal channel and send the user an SMS one-time password on their phone? Or how about an email that they need to respond to on their phone? Martin is right, strong authentication could be easier if we had more choices.
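To make the step-up versus step-across decision concrete, here is a small Python example I’ve added; it is not from Martin’s post and not code from any of the vendor platforms he names. It maps the assurance level a session has already reached and the level an operation demands to one of three outcomes: allow, step up in-channel, or step across to an out-of-band code. The assurance levels, the operations, the 120-second lifetime and the channel are illustrative assumptions. The out-of-band code is bound to a description of the transaction it authorizes, so a code obtained for one transfer cannot approve a different one.

```python
"""Added example (not from the original post or any vendor product): a
risk-tiered authentication decision plus a transaction-bound out-of-band code.
Levels, operations, lifetime and channel are illustrative assumptions."""
import hashlib
import hmac
import secrets
import time

# Assumed assurance levels, ordered: higher is stronger.
PASSWORD, OTP_IN_BAND, OUT_OF_BAND = 1, 2, 3

# Assumed policy: the level each operation requires.
REQUIRED_LEVEL = {
    "view_balance": PASSWORD,      # userid and password are fine
    "change_address": OTP_IN_BAND, # step up: smartcard or OTP token in-channel
    "wire_transfer": OUT_OF_BAND,  # step across: code delivered via SMS/e-mail
}


def decide(current_level, operation):
    """Return 'allow', 'step_up' or 'step_across' for this session and operation."""
    needed = REQUIRED_LEVEL[operation]
    if current_level >= needed:
        return "allow"
    if needed == OUT_OF_BAND:
        return "step_across"
    return "step_up"


class OutOfBandChallenge:
    """Issues short-lived, single-use codes bound to a transaction summary.

    The code is an HMAC over a random nonce, the transaction text and the
    expiry, truncated to six digits. Verification recomputes it from the
    transaction the user is actually about to perform, so a code phished
    for "pay 500 to ACME" does not verify for "pay 500 to MALLORY".
    """

    def __init__(self, server_key, ttl_seconds=120):
        self.key = server_key
        self.ttl = ttl_seconds
        self.pending = {}  # challenge id -> (nonce, transaction, expires_at)

    def _code(self, nonce, transaction, expires_at):
        msg = f"{nonce}|{transaction}|{expires_at}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, transaction, now=None):
        """Create a challenge; returns (challenge id, code).
        In a real deployment the code goes out of band together with the
        transaction text, e.g. "Code 123456 to pay 500 to ACME"."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        expires_at = int(now) + self.ttl
        cid = secrets.token_hex(8)
        self.pending[cid] = (nonce, transaction, expires_at)
        return cid, self._code(nonce, transaction, expires_at)

    def verify(self, cid, transaction, code, now=None):
        """True only for an unexpired, unused code bound to this transaction."""
        now = time.time() if now is None else now
        entry = self.pending.pop(cid, None)  # single use, even on failure
        if entry is None:
            return False
        nonce, bound_tx, expires_at = entry
        if now > expires_at or bound_tx != transaction:
            return False
        expected = self._code(nonce, transaction, expires_at)
        return hmac.compare_digest(expected, code)
```

The reason to bind the code to the transaction text, and to deliver that text alongside the code, is that an SMS or e-mail step-across only adds something if the user can see what they are approving; a bare six-digit code that a phishing page can relay in real time is just a second password.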

Thursday, February 18, 2010

Now the lawyers are involved!

Of course this blog post title caught my interest: The Legal Thicket of Federated Identity Management by Thomas Schmendinghoff of E-Commerce Times. I’ve said many times that the legal issues around federation – not technology – are what might derail this technology. Thomas gives a good overview of federation and some great use cases. However, it was Thomas’ mention that the American Bar Association has gotten involved that really caught my attention...
The ABA Legal Task Force has undertaken two key projects to address these challenges. The first is to identify the legal issues and risks that must be addressed in a federated identity management system. These legal risks can come from a variety of sources, including statutes and regulations, common law, applicable standards, contractual obligations, and self-imposed obligations. They vary depending on the jurisdictions involved, further complicating the operation of a cross-border identity management system -- but until they are fully known and understood, they cannot be addressed.

A second key project undertaken by the ABA Legal Task Force will be to consider what legal frameworks might work best for addressing and controlling these legal obligations and risks. This will involve identifying and evaluating structures for contractual relationships among the various roles in an identity system. It will also include analysis of various contractual approaches that define the rights and obligations of each role, recognize the requirements of applicable law, allocate the risks among the roles, and provide an appropriate enforcement mechanism.
Is this a good thing? Is it ever a good thing when the lawyers get involved? As long as I am not paying the bill I guess it's okay. Good luck guys!

Wednesday, February 17, 2010

Happy Birthday Active Directory!

Ten years ago today – February 17, 2000 – Windows 2000 was released and with it: Active Directory. Imagine going from not being wanted to being the most widely deployed directory ever. Imagine how no one’s career was dependent on it to how many are dependent on it today. Despite being “free” just imagine how much money Active Directory has made independent software companies around the world who build products for it. How many people are “employed” by Active Directory. Imagine an identity management project that doesn’t somehow involve Active Directory. It’s pretty amazing.

Happy Birthday Active Directory!

Tuesday, February 16, 2010

SPML – Not dead yet!

Lots of commentary over the last few weeks on SPML. Each of these is worth reading:
- Mark Diodati, Burton Group: SPML Is On Life Support
- Ingrid Melve, Feide: Provisioning, Will SPML emerge?
- Nishant Kaushik, Oracle: SPML Under The Spotlight Again?
- Jeff Bohren, Identity guru: Whither SPML or Wither SPML?

Mark Diodati kicked this all off with his post on SPML. Mark makes some pretty good points in his article.
None of the major provisioning vendors have developed an SPML v2-conformant product. Many of the vendors who have created commercial SPML connectors tell us that they must create specific SPML implementations for each of the major provisioning products. An SPML reference implementation does not exist, but would surely help.
Many of us in the industry waited around for the SPML v2 standard. It really was a V2 of the standard adding things like "modify" and "password" capabilities which actually made SPML useful. It's really unfortunate that many of the vendors haven’t adopted it. I dearly want to see SPML as the enabler of loosely-coupled identity architectures. Unfortunately, software vendors usually equate loosely-coupled with “easily replaceable” and the best way to prevent that is to either not support the standard or use custom capabilities that require a specific implementation like Mark refers to above.

My experience so far with SPML has been good. Quest Software supports SPML V2 in our ActiveRoles Server product. We have a number of customers who have used Sun’s Identity Manager to provision and manage Active Directory, Exchange and SharePoint via ARS and its SPML provider. When SPML works it really works and the benefit is quite clear to the customer.

Jeff challenges us all with his comment “Until the enterprise systems support a common interface of some kind, provisioning will still be as problematic as it was 10 years ago.” I couldn’t agree more. We’ve done it. Is our implementation perfect? No, it’s not but if you use it and feel we’ve missed something or need to add something I’d like to hear from you.
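Since the point above is about the "modify" and "password" capabilities that made SPML v2 useful, here is an added Python sketch of what the requestor/provider exchange looks like. It is not ActiveRoles Server’s SPML provider or Sun Identity Manager’s connector, just a toy: a requestor that builds an addRequest and a setPasswordRequest, and an in-memory provider that parses and answers them. The namespace URIs, element names and error codes follow my reading of the OASIS SPML 2.0 core and password-capability specifications and should be checked against the published schemas before you rely on them; the target ID, container DN and attribute names are made up.

```python
"""Added example (not Quest's or any vendor's SPML code): an SPML v2
requestor building add/setPassword requests and a toy provider answering
them. Namespaces and element names are my reading of the OASIS spec
(assumption: verify against the schemas); identifiers are illustrative."""
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"           # core namespace (assumed)
PASS = "urn:oasis:names:tc:SPML:2:0:password"  # password capability (assumed)
ET.register_namespace("spml", SPML)
ET.register_namespace("pass", PASS)


def build_add_request(target_id, container_id, attrs):
    """Requestor side: <addRequest> asking the provider to create an object."""
    req = ET.Element(f"{{{SPML}}}addRequest",
                     {"targetID": target_id, "returnData": "identifier"})
    ET.SubElement(req, f"{{{SPML}}}containerID", {"ID": container_id})
    data = ET.SubElement(req, f"{{{SPML}}}data")
    for name, value in attrs.items():
        # Payload is profile-specific (the DSML profile uses <dsml:attr>);
        # assumption here: one plain element per attribute.
        ET.SubElement(data, name).text = value
    return ET.tostring(req, encoding="unicode")


def build_set_password_request(pso_id, password):
    """Requestor side: password-capability <setPasswordRequest>."""
    req = ET.Element(f"{{{PASS}}}setPasswordRequest")
    ET.SubElement(req, f"{{{SPML}}}psoID", {"ID": pso_id})
    ET.SubElement(req, f"{{{PASS}}}password").text = password
    return ET.tostring(req, encoding="unicode")


class ToyProvider:
    """Provider side: an in-memory 'directory' keyed by PSO identifier."""

    def __init__(self):
        self.objects = {}
        self.passwords = {}

    def handle(self, xml_text):
        req = ET.fromstring(xml_text)
        if req.tag == f"{{{SPML}}}addRequest":
            return self._add(req)
        if req.tag == f"{{{PASS}}}setPasswordRequest":
            return self._set_password(req)
        resp = ET.Element(f"{{{SPML}}}response",
                          {"status": "failure", "error": "unsupportedOperation"})
        return ET.tostring(resp, encoding="unicode")

    def _add(self, req):
        container = req.find(f"{{{SPML}}}containerID").get("ID")
        attrs = {child.tag: child.text for child in req.find(f"{{{SPML}}}data")}
        pso_id = f"CN={attrs['cn']},{container}"  # assumed: DN-style identifiers
        if pso_id in self.objects:
            resp = ET.Element(f"{{{SPML}}}addResponse",
                              {"status": "failure", "error": "alreadyExists"})
        else:
            self.objects[pso_id] = attrs
            resp = ET.Element(f"{{{SPML}}}addResponse", {"status": "success"})
            pso = ET.SubElement(resp, f"{{{SPML}}}pso")
            ET.SubElement(pso, f"{{{SPML}}}psoID", {"ID": pso_id})
        return ET.tostring(resp, encoding="unicode")

    def _set_password(self, req):
        pso_id = req.find(f"{{{SPML}}}psoID").get("ID")
        if pso_id not in self.objects:
            resp = ET.Element(f"{{{PASS}}}setPasswordResponse",
                              {"status": "failure", "error": "noSuchIdentifier"})
        else:
            self.passwords[pso_id] = req.find(f"{{{PASS}}}password").text
            resp = ET.Element(f"{{{PASS}}}setPasswordResponse", {"status": "success"})
        return ET.tostring(resp, encoding="unicode")


def parse_response(xml_text):
    """Requestor side: pull status, error code and any returned PSO ID."""
    resp = ET.fromstring(xml_text)
    pso_id_el = resp.find(f".//{{{SPML}}}psoID")
    return {"status": resp.get("status"),
            "error": resp.get("error"),
            "psoID": pso_id_el.get("ID") if pso_id_el is not None else None}
```

Two things the toy makes visible: the provider, not the requestor, decides the PSO identifier and hands it back in the addResponse, and the password operation lives in a separate capability namespace, which is exactly the kind of thing a v1-only product has no way to express.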

Nishant states that perhaps Oracle is ready to take some leadership here: “I believe Oracle (led by folks like Prateek Mishra) will be looking to take some leadership in the evolution of the standard. Let’s see if we can turn things around.” I like what Nishant wrote and I liked his architectural view of how things could evolve. So my challenge to Nishant and Oracle is to show some leadership and just do it and do it right. Maybe if you do Microsoft and others might follow your lead? I’m hoping they will. There’s more to being a leader than just being in the upper-right of the magic quadrant!

Monday, February 15, 2010

John Fontana to Join Ping Identity!

For those that didn't see this tweet on Friday:
@JohnFontana: Leaving Network World next Friday after 11 good years to join Ping Identity and help define how to play in the social media world.
All I can say is “Wow!” and congrats to both John and all the folks over at Ping. This will definitely be a new challenge for John but one that he’s totally up for.

I remember those halcyon days at Microsoft when someone in PR – usually with their hair on fire – would run down the hall screaming about a story John just published – oh the memories!

Best of luck John! Even though you won’t be with Network World anymore I’ll still return your calls!


Shell’s Active Directory Contents Published

Some people say it is no big deal and some people are saying the opposite about the publication (leaking) of Shell’s entire Active Directory of 170,000 employees. As the author of the article on this states, it is a big deal (the “spelling” differences below are British English rather than what we Americans use):
Because leaked staff directories are not as safe as handing out business cards. The reason is: social engineering. Not some kind of Orwellian concept; it’s a well-known method for computer hackers to get into an organisation's network. Dumpster diving and dressing as a contract repairman are a couple of the more entertaining types of social engineering, but just knowing someone’s job title and phone number can create an easy guise for, say: impersonating a senior manager, calling the internal IT helpdesk, and demanding a password. Most companies have security procedures to guard against it; but there are plenty of tales of hackers getting a crucial piece of information with just a name, job title, and a persuasive phone manner.
Forget about the security and hacker issues with this leak. Imagine the telemarketing bonanza this will set off!

Tuesday, February 09, 2010

Do you provision database accounts?

Do you provision database accounts to Oracle, Microsoft or your favorite database product? How much more secure do you feel your identity and access management system makes you? Frankly, I think many customers end up thinking they are more secure than they should feel. The main reason I believe that is simply because I rarely run into a customer that is willing to state that they cover 100% of their systems from a provisioning and de-provisioning perspective. Usually, the two biggest culprit systems are Unix/Linux and databases. I’m pretty sure that the reason these two systems typically aren’t handled that well is because there are so many of them and that corporate IT just doesn’t fully know what systems or databases are out there and if you don’t know about them then you can’t manage them.

A case in point is this article by Ericka Chickowski over at DarkReading: Database Account-Provisioning Errors A Major Cause Of Breaches. This really highlights the need for better database account provisioning and the use of security information and event management (SIEM) software. This is a good read…

Monday, February 08, 2010

Microsoft case study on Quest’s SaaS solutions

We’ve been on the Microsoft Azure bandwagon since that parade started. Early last month Microsoft published a case study about our solution:
Quest Software wanted to enable its customers to share access with their partners and with Quest support staff, to manage user roles centrally, and to log in just once to use multiple Quest services. Using Windows Identity Foundation, Active Directory Federation Services 2.0, and Windows Azure, Quest can provide strong data security, centralized role management, and single sign on and direct access capabilities.
We have three Quest products that we have SaaS enabled so far. You can find them all at:

Recovery Manager OnDemand for Active Directory provides backup and object-level recovery of Active Directory data. It is designed to enable flexible, scheduled backups without manual intervention, facilitating quick and scalable recovery of Active Directory data.

InTrust OnDemand securely collects, stores, reports, and alerts on event data from Windows systems, helping organizations comply with external regulations, internal policies and security best practices.

Site Administrator Reports OnDemand for SharePoint provides free overview reports for an unlimited number of SharePoint sites. The information in these reports allows you to assess the scope of the site you’re reviewing, understand how it is being used, and determine site storage metrics.

Thursday, February 04, 2010

Apple’s iPad

Things have died down enough for another post on this topic by yours truly. Let me also point out a few really excellent posts on the iPad (both pro and con):

Doc Searls: “Up the creek without an iPaddle
Rod Simmons: “Why was the Apple iPad announcement BORING
Jason McC. Smith: “The Apple iPad, explained to geeks

My view is pretty simple: I’m buying Apple stock while selling both Microsoft and Amazon (if I had any Amazon stock that is). The iPad is going to be a big seller. Maybe not on day 1 but just like the iPod and iPhone the long-term result will be huge for Apple, Steve Jobs, consumers and Apple shareholders (like me). Consumers are key. I wouldn’t buy my father or mother a PC but I’ll buy them an iPad. Explain a netbook to them? You’re kidding, right? Apple will win the consumer over and that’s where the money is. Once Apple wins over the consumers they’ll simply chip away at Amazon and the netbook manufacturers.

I’m a Kindle user. I’d rather travel with a dual-capable device like the iPad (and my netbook) than with a Kindle (and my netbook). It will be interesting to see how Amazon reacts to this, but I have a feeling they are in deep trouble. All the water is draining out of the ocean, Amazon, because an Apple tsunami is coming. You’d better head to higher ground - quickly! Hint: if you aren’t working on a Kindle app for the iPad you’d better be! (Is Amazon already starting to play defense? Check out this blog post: "Coming to the Kindle: A flexible color touch screen.")

Netbooks are in trouble. If I had one device that I could use I'd choose the iPad. I probably won't be able to toss everything out in favor of an iPad when they start shipping, but I bet I might be able to in a few years. I loved reading Jason’s post (above) and this passage in particular:
Until now, the PC world has been differentiated by the cost of the hardware, which is a measure of the raw power possible. Pay more, get more power. But you have exactly the same experience on each machine, just slower or faster.
EXACTLY! My wife, father and mother don’t need a less expensive piece of hardware (a netbook). They need a better EXPERIENCE! I expect the iPad will deliver that experience. Money is going to be diverted from netbook purchases to iPad purchases. All the water is draining out of the ocean, netbooks, because an Apple tsunami is coming. You’d better head to higher ground - quickly!

Many of us in this business travel a lot. Let’s start keeping count of how many iPads we see on planes after they release. I have been tracking Kindles and I will bet $100 right now that within 2 quarters after the iPad release you will see more iPads on your plane than Kindles.

Oh, and if you happen to be in corporate IT you’ll be supporting the iPad soon. It’s really hard to say “No, we don’t support those” to your CEO when he walks in the office with one. (And, it’ll be worse if he walks in and you say: “What’s that?”)


Wednesday, February 03, 2010

I want my XDrive!

I caught Mary-Jo Foley’s post on this topic last week…
Microsoft is making available to testers a beta of Windows Azure Drive (formerly known as XDrive), which will allow them to create automatic backups of Windows applications that they may want to move to the Azure cloud.
I think this is a great thing for Microsoft to do. Basically, XDrive will enable Windows applications to be run against an Azure-based cloud “drive” that supports NTFS. Now wouldn’t that be nice to have your application work against your C: drive one day and then re-configure it the next to run against your XDrive? Voila, your data is in the cloud. This is certainly something that I would want as a configuration option for any new, green-field application – an out-of-the-box configuration option to use cloud storage.

Microsoft is clearly doing this to help migrations to the cloud and that’s awesome just in itself. As a consumer, I really want to point – for example – NTBackup at my XDrive.


Tuesday, February 02, 2010

Microsoft’s 'Cloud Computing Advancement Act'

I took the time on my flight to New York City to review Microsoft’s call for a “Cloud Computing Advancement Act”. Microsoft’s senior vice-president and general counsel Brad Smith spoke about this at the Brookings Institution last week. You can read Mr. Smith’s speech (PDF) by clicking on the link in the previous sentence. Smith focuses on a number of key areas in this speech: privacy, security and international sovereignty.

While Smith focuses on the U.S. Bill of Rights and the Fourth Amendment to the Constitution he pretty much summarizes my concerns with this statement:
…one obvious attribute of the cloud is that information typically is stored on a server computer that is controlled by a third party. This makes it all the more important for service providers to be thoughtful and clear in deciding and communicating what they will do with this information.
How true! I think many of us take for granted that the information we store in the cloud is private. I use a cloud-based backup service that provides an offline (from my PC) backup of all information on my laptop. I never read their privacy policy. Maybe it's time for me to do that but wouldn't it be nice if we knew that there was a minimal privacy baseline imposed by the government? Is it time for a set of "Miranda Rights" for our cloud-based data?

Monday, February 01, 2010

Five Years Ago...

Was my first day at Vintela after more than 5 years at Microsoft. A short 6 months later we were acquired by Quest.

Time flies!