Wednesday, June 30, 2010

Sorry your token expired sir. Just open your wallet, this won’t hurt much!

Token that expires on 07/31/10
A friend of mine was ranting and raving about his soon-to-expire one-time password (OTP) token. He uses it for on-line banking and if it expires he can’t access his accounts. He is in the process of figuring out how to get another shipped to him before this one stops working. When I talk to customers about Quest Defender one of the things that I highlight is that we do not sell tokens that expire on a pre-determined date – like my friend’s, which stops working on 07/31/10. In fact, many of the OATH-compliant tokens that we resell or recommend to customers have a user-replaceable battery so you could easily use the same token for many years.

I thought I’d include a picture of the token in question as I wanted to show you the expiry date printed on the back of it. Personally, I have a hard time accepting a product that will basically stop working on a pre-determined date. Yes, I know many companies have bought into this, but that was because it was the only game in town. Customers are waking up to this poor business practice and are getting tired of having money siphoned from their wallets on a pre-determined date every few years...

Monday, June 28, 2010

Great ADFS video and InfoWorld reading

I saw a reference to this video elsewhere and wanted to let you know about it. The video shows Matt Steele, a program manager at Microsoft who works on ADFS V2. Matt gives a clear explanation of how you “project” your Active Directory identity to an outside-the-firewall application; where and why you might want to purchase a cheap, trusted SSL certificate; high availability of ADFS; how a federation “broker” would eliminate the need for 1:1 relationships with every federated application that you might want to connect to; and how authorization policies and decisions are made within an ADFS environment.

If you’d like an excellent introduction to ADFS V2 check out Matt’s video – it’s well worth it. Here’s the synopsis of the video:
Matt Steele walks us through, on a whiteboard, all of the steps required to federate your identity to Windows Azure using ADFS 2.0 for single sign-on. This video is a great way to learn how ADFS works and to help you get started to deploy this scenario before you dig into deeper whitepapers. We will help you answer questions like:
  • What kind of SSL certificate should we get and when to get it?
  • Should we open up the firewall to the ADFS server or just manually copy over the certificates to establish the initial trust relationship?
  • Should we use an ADFS broker or not?
Once you’ve watched Matt’s video you might want to read this article that recently appeared in InfoWorld: Does ADFS 2.0 deliver on its single sign-on promise?

Tuesday, June 22, 2010

First impressions of Gartner’s Security and Risk Management Summit

I mentioned last week that I’m attending Gartner’s Security and Risk Management Summit here in Washington, DC. I didn’t have any expectations about the conference since I’ve never attended this one before. Quest isn’t participating in the conference so for me it’s just an opportunity to attend some sessions and meet people. Based on the sessions that I have sat through so far, the vendor exhibits and who is attending this conference I will be back for sure. Here’s why:
  1. There’s an interesting intersection between Security, Risk and Identity Management. This conference seems to capture that. I typically attend identity management conferences and while they are great conferences there usually are not very many sessions that cross over to risk, security or compliance. All of these topics are inter-related and none of them should be thought of in isolation of the others.
  2. The Gartner speakers – including analysts from the Burton Group now – are really smart people. They talk to lots of customers. I like to learn from their experiences of talking to so many customers. It’s like getting 100 customer visits condensed into an hour-long session. Invaluable for product managers like myself.
  3. The session topics have been very interesting. I like the fact that the last slide of each session is a concrete action plan. What you should do immediately, in 90 days, etc. I’ll be blogging about some of the individual sessions over the next two weeks.
  4. The attendees come from a wide cross-section of industry. Because this conference is in Washington, DC I half-expected that the majority of attendees would be government folks. I was definitely wrong on that. Here’s a smattering of names of companies that I’ve seen walking around: Visa, Aetna, Bank of America, Canada Revenue Agency, Fidelity, Lockheed Martin, Nike, NY Life, TD Bank, Goodyear and Tyco. Of course there are lots of government (federal, state and local) along with education folks too. It’s a good mix of customers. There are probably 1,500 attendees at this show.
  5. Sponsors of the show get dedicated time to showcase their solution. This dedicated time does not conflict with other sessions. This means that if you are interested in a particular sponsor’s solution you don’t have to toss a coin between it and a Gartner session. I’m sure the sponsors appreciate that.
Over the next couple of weeks I’ll blog about sessions or topics that I found particularly insightful.

Example of a recommended action plan.

Friday, June 18, 2010

Anyone going to Gartner’s Security and Risk Summit in DC next week?

I’m actually attending this conference next week as a real attendee – not as an exhibitor. So I am really looking forward to 3 days of sessions on security. I read Neil MacDonald’s (Gartner) blog entry on the conference and was pretty pleased to see that he highlighted exactly the topics I am most interested in – and he’s presenting them:
1) Securely deploying virtualization and virtualization of security continues to be a major research area of mine and I’ll be presenting the latest research in this space, including securing “private clouds”. The session title is “Securing the Next-Generation Virtualized Data Center” and it is scheduled for Wednesday afternoon at 2:45.

2) Windows 7 is on most people’s minds, so I’ve put together an entire session that will look at the pros, cons and recommendations for each of the Windows 7 security capabilities. Some, like DirectAccess, are quite interesting so you’ll want to be sure to attend this session if you are planning on starting your Windows 7 rollout in 2010. The session title is “Planning and Deploying the Security Features of Windows 7” and it is scheduled for Tuesday morning at 9:15.

3) I’m also working with one of my colleagues, Debra Logan, on a session on SharePoint security and governance (actually expanding into other types of collaboration and social media as well). I presented on securing SharePoint last year and many of you asked us to provide more insight on governance for SharePoint so we’ve put together a workshop on this topic. This interactive workshop is titled “SharePoint, Social Software and Security” and it is scheduled for Tuesday afternoon at 2:45.

If you’re going to be at the conference please give me a shout – it would be great to meet up! Jackson(dot)Shaw(at)Quest(dot)com – how’s that for security?!

Is Cisco’s Securent Acquisition Dead?

Nearly three years ago Cisco acquired Securent for approximately $100 million. Over the last month or so I have heard from different people that Cisco has canned the Securent technology and associated project. Things have been noticeably quiet on all fronts since the acquisition and I know that many of the original Securent team have moved on from Cisco. If you recall, Securent was an XACML-based policy platform.
Securent's scalable, distributed policy platform allows enterprises to administer, enforce, and audit access to data, communications, and applications in heterogeneous IT application environments. 
I don’t know if it is true or not, but where there’s smoke… Anyone else heard anything?

Thursday, June 17, 2010

Would you be a “Good Witch of the North” or a “Wicked Witch of the East” Security Officer?

I skim any story I see about the iPad these days. A story last month – “iPad Intro Brings a Nasty Surprise” – caught my eye. The anonymous security officer spied a problem in his office:
A couple of weeks ago, I noticed that a lot of people were using Apple iPads in our conference rooms. We haven't bought any iPads. I wanted to know whether they were being used on our internal network. Oh, yes, the users assured me; it was no problem. Well, I thought, it should be a problem; it should be impossible, in fact.
To remedy this situation, I needed to find out why it was so easy for users to attach personal devices to our network and how that came to pass. I started digging.

I can't vouch for the integrity of any device that a user brings in. In many cases, these are machines that an employee's kids have used to play games, chat on Facebook and download who knows what. Since they aren't corporate resources, we have no control over what software, antivirus protection or security patches are installed. And then there are legal issues to consider, since we can't control a personal asset.
To me this is totally a story like the Little Dutch Boy who saved Holland by sticking his finger in the leaking dike. This security officer has stuck his finger in the leaking dike. The problem is that rather than actually stopping the leak he’s enabled the water to come over the top of the dike. You cannot stop the iPad wave sir. Sure, you can play Wicked Witch of the East and fly around on a broomstick with your monkeys in tow trying to banish every iPad you see. As a reader of the article, I would have much preferred to learn how the security officer solved the problem in a positive way. What guidelines would have been appropriate to allow iPads on his network? That would have been much more informative to me.

Wednesday, June 16, 2010

Quest satisfies Seneca Foods’ appetite for SAP single sign-on

We just published a case study on Seneca Foods’ use of our SAP single sign-on (SSO) solution. In a nutshell, here’s the problem that Seneca Foods was faced with:
Seneca Foods runs its core applications, including its SAP applications, on about 60 Unix servers running IBM AIX. More than 500 employees must access the SAP applications from their Windows desktops, and many need to access as many as four or five different SAP applications. Each user had to log in to each SAP application separately, requiring them to keep track of multiple passwords or attempt to keep them in synch manually. Naturally, passwords were often forgotten, leading to lost productivity and a significant number of calls to the help desk for password resets. And because Seneca Foods has 25 manufacturing facilities throughout the United States, spread across all four time zones, requests for assistance could come at virtually any hour of the day or evening. This required help desk staff to be on call beyond the normal work day.

To make matters worse, as part of its commitment to IT security, Seneca Foods decided to implement current security standards that would increase password complexity. Now, not only were users going to have to use multiple passwords, they would also be more difficult to remember. IT staff recognized that the new security standards would result in more calls to the help desk for password resets than the current staff could handle, and also lead to increased frustration and loss of productivity on the part of employees unable to access the applications they needed.

For this reason, Seneca Foods decided to look for a single sign-on solution that would enable staff to use a single password for access to all of their SAP applications. Since each employee would have only one password to remember, the company could mandate more complex passwords. The organization also wanted the single sign-on solution to be easy to use and as transparent as possible.
I have always believed that identity management projects that have an effect on the everyday user – like this one at Seneca Foods – are the most successful and easiest to justify. Seneca Foods is not only increasing employee productivity and security but also reducing help desk costs.

If you'd like more information on Quest's SAP SSO solution please visit

Tuesday, June 15, 2010

Are you “burgers up”?

I’ve been meaning to write this story up for a while now since it’s a story both about my son Jake and about the importance of metrics in product management or any job for that matter. When I worked at Microsoft I learned a lot about metrics. As a product manager my life revolved around metrics:
  • How much is Active Directory used by your customers Jackson?
  • Is Active Directory fully deployed Jackson?
  • Which segments (small, medium, large) of companies have deployed Active Directory and to what extent?
  • What percentage of our customers are still using Novell eDirectory?
All of these metrics were state or discrete metrics – they captured a moment in time. Then we had metrics related to every marketing spend. If I wanted to spend money to help raise awareness of how great Active Directory was, or to help migrate customers from Novell’s eDirectory to Active Directory, I needed to walk into a meeting with my current metric, how much the spend was and how much the spend would change the metric. I wasn’t allowed to spend a dollar unless I knew my current metrics and how the spend was going to affect that metric. How does this relate to my son Jake? Well…

My son Jake – he’s 18 - has been happily working in Southern California for In-n-Out Burger. Anyone who has ever tasted an In-n-Out burger knows how good they are and why they are so popular. A couple of months ago I was out to dinner with Jake after he had just finished some additional training with In-n-Out. While talking about the training I asked Jake how his store was doing generally. I expected him to say something like “Real good Dad” or “We’re really busy Dad”. Instead, he responded “We’re the #3 store in the area Dad and #26 nationally!”. Wow. Wow not just because this sounded great but also wow that he was aware of that. I decided to ask a few more questions:

Me: Do you track how many burgers you sell each day?
Jake: Yes. Today we were 243 “burgers up”.
Me: What does that mean?
Jake: It means we sold 243 more burgers today than we did on this day last year.

I was pretty surprised to find out how well versed in metrics Jake was (and still is). I think this is a testimony to In-n-Out Burger because having your workers understand the metrics that the store – and other stores – are being goaled on helps them to all work harder. After all, no one wants to be “burgers down”.

No matter what we do in our jobs it is pretty important to know your metrics, how to measure any money spent to affect those metrics and what your overall goals are and how you will measure them. We all want to be “burgers up” with our salaries. The same goes for our efforts in our job. You need metrics to help achieve your goals.

Monday, June 14, 2010

Changing passwords a waste of time?

While I’m waiting for Bell Canada’s DSL internet service to be installed I’ve had some time to catch up on my reading. I was glancing through CIO Magazine and came across this short tidbit: “Study: Changing Passwords a Waste of Time” by Cormac Herley over at Microsoft Research. He says that changing passwords is basically a waste of time.
“A lot of advice makes sense only if we think user time has no value,” Herley explained. His back-of-the-envelope calculations suggest that if strict password requirements cost workers a minute of their time each day, that adds up to about $16 billion worth of lost time annually. Security recommendations, he reasons, should prevent at least that much in losses to be worth implementing.

For example, many U.S. banks reimburse customers who’ve been the victims of phishing attacks, but such payouts cost the entire industry only about $60 million a year. Herley estimates that if 10 percent of Wells Fargo’s customers need a customer service rep to help them reset a password, at $10 a reset, that costs the company $48 million – far more than its share of the industry total.

The answer, he says, is basing cost estimates on actual victimization rates, rather than worst-case-scenario projections, and prioritization accordingly.
I have a couple of comments about Herley’s study. The first one is that I can’t blame him for picking Wells Fargo as an example. I believe that somewhere I have read a case study that they actually implemented a solution to reduce the number of password resets they were doing, so they probably aren’t the best example, but how would he know? Also, most companies nowadays have implemented some sort of self-service password reset solution, so I am again not so sure about his theory. Anyway, while sitting here I figured I’d do the math on this problem:
  • $48 million/year at $10/reset = 4.8 million password resets per year
  • 4.8 million password resets/365 = 13,150 password resets per day
  • 13,150 password resets per day/1440 = 9 password resets per minute (let’s round up to 10 resets per minute)
  • Assume 3 shifts of 10 workers at a generous $50K/worker = $1,500,000
$1.5M is a long way from $48M. Even if you feel my numbers are low, I don’t think they’re off by a factor of 30 or so. Anyway, the moral of the story is two-fold:
  1. Check your math – both ways to make sure things make sense.
  2. It may be cheaper not to put locks on your doors because you have insurance but is it really worth the hassle of having to spend so much time with the insurance people, the police and who knows who else every time you have something stolen from you?
I’ll stick to a strong policy regarding passwords thank you very much.

Friday, June 11, 2010

Unix Server Sales Down

Interesting story in ComputerWorld about Unix server sales being down substantially in the first quarter of 2010. Probably no big surprise due to the economy and the Sun/Oracle situation.

An IDC report, released last month, tallied worldwide Unix revenue of $2.3 billion -- about 22% of total spending on servers -- during the first quarter of this year. The Unix share of server revenue was down 10.5 percentage points from the same quarter a year earlier.

The story didn't detail where that server revenue went. Did it go to purchase Linux servers or Windows servers? My bet is most of it went to Linux.


Thursday, June 10, 2010

Homeland Security gets dinged on their Active Directory security

The Inspector General of Homeland Security just published their findings regarding the security of Active Directory at DHS - “Stronger Security Controls Needed on Active Directory Systems.” You don’t often get to read documents like this especially those that are related to Active Directory so I thought I’d call it out. Below are two paragraphs from the executive summary that more or less tell you exactly what the Inspector General’s concerns were:
Systems within the headquarters’ enterprise Active Directory domain are not fully compliant with the department’s security guidelines, and no mechanism is in place to ensure their level of security. These systems were added to the headquarters domain, from trusted components, before their security configurations were validated. Allowing systems with existing security vulnerabilities into the headquarters domain puts department data at risk of unauthorized access, removal, or destruction.

Also, the department does not have a policy to verify the quality of security configuration on component systems that connect to headquarters. Interconnection security agreements are present for each connection between headquarters and components to secure shared services; however, neither the agreements nor other policy define specific security controls required for connecting systems. Stronger management and technical controls are needed on trusted systems to protect data provided by the department’s enterprise-wide applications.
Some of the specific issues called out include:
  • A default privileged account enabled on a Windows server
  • Missing security patches
  • Local password policy not set to DHS standards
  • A protocol in use that is specifically identified in DHS policy as vulnerable
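The four findings above are the kind of thing a per-host configuration audit can catch before a system joins a trusted domain. The script below is an added example, not from the DHS report or from Quest; it assumes a local administrator PowerShell session on Windows 10 / Server 2016 or later (for Get-LocalUser and Get-SmbServerConfiguration), and because the report does not name the vulnerable protocol, SMBv1 stands in for it. The 14-character minimum and 60-day patch window are illustrative thresholds, not DHS values.

```powershell
# Added example: audit one Windows host for the four classes of finding above.
# Assumptions: local admin session, Windows 10 / Server 2016+; SMBv1 is an
# illustrative stand-in for "a protocol identified in policy as vulnerable";
# thresholds below are illustrative, not the department's standards.

$findings = @()

# 1. Default accounts still enabled. Match on the RID rather than the name so a
#    renamed built-in account is still caught: 500 = Administrator, 501 = Guest.
Get-LocalUser |
    Where-Object { $_.Enabled -and $_.SID.Value -match '-(500|501)$' } |
    ForEach-Object { $findings += "Default account enabled: $($_.Name) ($($_.SID.Value))" }

# 2. Patch currency: flag the host if its newest installed update is older than the window.
$patchWindowDays = 60
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$patchWindowDays)) {
    $findings += "No update installed in the last $patchWindowDays days (latest: $($lastPatch.InstalledOn))"
}

# 3. Local password policy versus the standard. 'net accounts' prints the
#    effective local policy; parse the minimum-length line from its output.
$minLenRequired = 14
$minLenLine = (net accounts) | Select-String 'Minimum password length'
if ($minLenLine) {
    $minLen = [int](("$minLenLine" -split ':')[-1].Trim())
    if ($minLen -lt $minLenRequired) {
        $findings += "Minimum password length is $minLen; standard requires $minLenRequired"
    }
} else {
    $findings += "Could not read the local password policy"
}

# 4. A protocol the policy calls vulnerable (SMBv1 used here as the stand-in).
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is enabled"
}

# Report: one line per finding, prefixed with the host name for collection.
if ($findings.Count -eq 0) {
    "No findings on $env:COMPUTERNAME"
} else {
    $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" }
}
```

Run it on a candidate system before it is joined to the headquarters domain; a non-empty findings list is the gate the report says was missing.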
I don’t want to second guess how difficult a job any enterprise has with respect to enforcing security policy especially an enterprise the size of Homeland Security. I wonder how much, if at all, Microsoft’s Network Access Protection would help? In this report “federation” is mentioned a few times. I’m not sure if the authors really mean federation in the ADFS sense or some other sense but if it is in the ADFS sense you have to wonder how you enforce security policy on federated users. How do you do that?

This report illustrates how difficult it is to enforce a consistent security policy. Yes, there are built-in tools like Group Policy and commercial tools that would help DHS enforce security policy. Yes, you can have written policies. However, at the end of the day, reports like this help to define areas to focus on.

Read the report. Do you have any of the problems that were highlighted? How are you remediating them, or are you?

Wednesday, June 09, 2010

To the Google privacy core – Is it rotten?

Kim Cameron has been blogging about Google’s Wi-Fi tracking. If you care about your own privacy on the internet you need to read his posts on this topic. The current one, “The core of the matter at hand” nicely illustrates exactly how your privacy is possibly (probably?) being violated without you even knowing it. I read Kim’s post and immediately decided to turn off Google’s Latitude service on my phone but, as Kim illustrates, it probably won’t make any difference. I’m sure Google knows where I am regardless of having Latitude turned on or off.

I took a few minutes to check out Google’s privacy policy around Latitude and found out this much:
If you choose to 'Hide your location', you can hide from your Latitude friends all at once, so they won't be able to see your location. If you hide in Latitude, we don't store your location.
I’m not worried about hiding in Latitude. I wish I could hide from Google!

Just before I published this post I came across an interesting article in Wired that goes into the legality of what Google did by collecting all this Wi-Fi information: "Former Prosecutor: Google Wi-Fi Snafu ‘Likely’ Illegal". I hate the fact that it is only "likely" illegal and that the crimes are only misdemeanors. The article is a good read if you have the time.

Tuesday, June 08, 2010

Consolidation in the privileged account management space?

As you know, I’m at TechEd 2010 here in New Orleans. If you’ve followed any of my Facebook posts I won’t bore you with how hot it is here – and it’s not really even the height of summer yet. My glasses fog up whenever I step outdoors. Last night I was at the reception in the exhibit hall and I spent a few minutes talking with the folks at Avecto – thanks for your time guys! An Avecto press release caught my eye about these guys and it got me to thinking. Here’s the digest:
  • Avecto Announce Strategic Partnership with Cyber-Ark Software: “…joint customers benefit from the industry’s most comprehensive solution for securing, managing and tracking all privileged and administrative activities across an organization’s entire infrastructure, from Windows desktops and laptops, to servers, databases, hypervisors, network devices and any other system within the organization.”
What is interesting here is the fact that Cyber-Ark – who I acknowledge as the leader in this space – is partnering with Avecto. First, I think it’s cool whenever vendors get together to try to work together. Second, what I find especially interesting is the fact that there’s a market for this partnership. Clearly, Avecto has something that Cyber-Ark doesn’t and vice-versa. Further, the market is obviously asking for a combined solution which, I believe, led to this partnership. Is this the first sign of consolidation in the privileged account management space? I think so. And, as I have said before, I think we’ll be seeing more of this in 2010.

Monday, June 07, 2010

Heading to TechEd and other conferences this summer…

Yes, it’s conference season. It’s been conference season. Today, I’m sitting in the airport waiting to head to New Orleans to attend Microsoft TechEd 2010. Will you be there? Drop by the Quest booth or shoot me an e-mail. It would be great to hook up! Here are some of the other conferences I’ll be attending over the next two months:
Perhaps I’ll see you at one of these conferences!