Monday, February 28, 2011

Extending Unix Command Control with Sudo 1.8–slides and software release

Slides from Todd Miller’s presentation at SCALE 9X on “Extending Unix Command Control with Sudo 1.8” have been posted to the sudo website. In addition, sudo 1.8, the latest release of sudo, which adds support for dynamically-loaded policy and I/O logging modules, was released yesterday and is available on the sudo website now. My estimate is that we had about 100 people that came to Todd’s talk and Matt Peterson’s demo. Not only was the session very interactive, with lots of questions from the audience, but there was also quite a lot of appreciation for Quest’s sponsorship of the project and this effort.

Here's Todd Miller presenting sudo 1.8 at SCALE yesterday...


Saturday, February 26, 2011

Can't attend SCALE? Watch sessions streamed live!

In case you can't get to SCALE in Los Angeles this weekend you can watch the keynotes and sessions via live streaming. Details below...
Saturday’s SCALE 9X kicks off with Leigh Honeywell’s keynote on ‘Hackerspaces and Free Software’ at 10 a.m. in the La Jolla room, for those of you at the show. The keynote will be streamed live. To watch the keynote, visit

The other sessions on Saturday will be streamed live by ConferenceByWire, a video-conferencing and video content distribution solution that brings live and on-demand conferences and conventions directly to one's computer.

Non-keynote sessions will be streamed at


Thursday, February 24, 2011

Quest Software Continues Contribution to Open Source Community Through Sponsorship of the Sudo Project

We just issued this press release, which further reiterates our capabilities and plans around sudo.

ALISO VIEJO, Calif., Feb. 24, 2011
  • Quest Software, Inc. (Nasdaq: QSFT) has taken another step to expand its contribution to the open source community around identity and access management with sponsorship of the Sudo project.
  • The open source Sudo project will release version 1.8 of Sudo, which allows a system administrator to delegate authority and give certain users (or groups of users) the ability to run some (or all) commands as root or another user. The newest version includes a new pluggable framework that makes it possible to add extended functionality simply by loading a module. As an open source project, the API is available for anyone who wants to develop new modules that can plug into Sudo.
  • Quest will offer a free community edition and two commercial editions of Quest One Privilege Manager for Sudo, adding further capabilities in identity and access management through the Quest One Identity Solution.
  • Quest One Privilege Manager for Sudo Community Edition targets Unix administrators who want an easier way to manage sudoers, the default Sudo policy file. Using the community edition, Unix administrators will be able to have all their Sudo clients retrieve a policy from a central policy server, eliminating the need to maintain and distribute a master copy of sudoers to each client. The community edition includes a new module that plugs into Sudo 1.8 and a central policy server.
  • The commercial editions will include additional features to help Unix, Linux and Mac administrators extend and enhance their Sudo environment. 
  • Quest One Privilege Manager for Sudo provides enhanced centralized sudoers management. It is a module that is pluggable into Sudo 1.8 to secure the corporate Sudo experience.  It provides role-based access control and separation of duty features for centrally managing Sudo policy.  It increases productivity by providing tools to run pre-installation readiness reports and remotely deploy Sudo plug-ins.  It also simplifies auditing by providing a Sudo access control report to see which users have been granted which elevated privileges via Sudo.
  • Quest One Privilege Manager for Sudo Keystroke Logging enables administrators to easily add central keystroke logging and reporting to Sudo. It is also a pluggable module for Sudo 1.8, and delivers a simple way to enable, gather, store, and play back keystroke log sessions for Sudo.
  • Included with the commercial offering is the Quest One Management Console for Unix, which provides centralized management and reporting of local Unix/Linux users and groups, and now acts as the management console for the Quest One Sudo plug-ins.

Todd Miller, maintainer of open source Sudo project and Software Developer at Quest Software
“Sudo has come a long way over the past 15 years, and is now available on most Unix and Linux systems. As a result, I often receive requests to add new functionality, not all of which are suitable for inclusion directly in Sudo itself. By adding a modular framework to Sudo, it is now possible for third parties to extend Sudo's functionality via pluggable modules. These modules can be configured to load at run time so that, for example, Sudo can use an external policy server. I am excited to see how the open source community extends Sudo by building new modules as Quest has done.”

Jackson Shaw, Sr. Director of Product Management, Quest Software
“Quest greatly values the work of the open source community, and our commitment is demonstrated by our support of the Sudo project, as well as development of the plug-ins to support the new architecture. By sponsoring the Sudo project, Quest is enabling project maintainers to move Sudo a major step forward, while expanding Sudo’s relevance in the larger identity and access market. Most importantly, this ensures that Sudo will always remain a true open source solution.”
  • Sudo version 1.8 will be available for free on Feb. 27. Both source code and pre-compiled binaries can be downloaded from the main Sudo website:
  • Quest Privilege Manager for Sudo Community Edition is expected to be available Q2. It will be available for download at no charge. Quest Privilege Manager for Sudo Commercial Editions is also expected to be available in Q2. It will have two options available, with North American pricing beginning at $59 a module per server. A beta program is currently being conducted. Contact Jason Fehrenbach to join the beta program.
  • Learn more about the new version of Sudo and Quest Plug-ins from Todd Miller and Quest Software Identity and Access Management architect Matt Peterson at Southern California Linux Expo (SCALE) in Los Angeles, Sunday, Feb. 27, at 1:30 p.m. PST, in the Carmel room.
Talk To Us Directly:
We can arrange a quick phone conversation with our experts, or on-site interviews at SCALE Feb. 25-27– just ask! Or stop by booth 11 at the show.


Extending Unix Command Control with Sudo 1.8

At the Southern California Linux Exposition (SCALE) conference this Sunday, Quest Software will be participating in this presentation with Todd Miller who is the Sudo open-source project maintainer. Here’s a copy of the abstract:
Sudo is used by millions of Linux/Unix users to delegate access to users to run Unix commands as root or another privileged user. Come listen to the Sudo Project Maintainer, Todd Miller, talk about the relevance of Sudo in environments seeking to adhere to modern access control requirements. Todd will introduce the next major release of Sudo, and highlight important new “pluggability” features that allow developers to add policy check and keystroke logging functionality to Sudo 1.8. Also, learn from a real-world case study where developers from Quest Software have written Sudo 1.8 Plugins to allow Sudo 1.8 users to access important management and auditing functionality from a free version of their commercial product.
I really believe that the work that Todd has done to implement the capability to plug 3rd party extensions into sudo is going to significantly change the way privilege management is handled on the Unix and Linux systems that support sudo. Finally customers will be able to manage their sudo policy files more easily and extend sudo to support important security enhancements like keystroke logging and enhanced auditing.

Matt Peterson from Quest Software will be on-hand - and co-presenting - to discuss how Quest Software has developed Sudo 1.8 plugins that provide new Unix Command Control functionality for enterprise Unix/Linux users. If you are attending SCALE and have an interest in sudo please come to this session.

Tuesday, February 22, 2011

Southern California Linux Exposition–We’ll be there!

Please come and see Quest Software at the Southern California Linux Exposition (SCALE) from February 25-27, 2011. I’ll be attending the show and my money is on me being the oldest guy there – or at least with the whitest hair. If you’re in the Los Angeles area at the time please drop by and see us. It’s the best conference bargain in the world at $70 for a full pass!
The premier Open Source conference in the U.S., now in its 9th year, will have content for everyone! If you're looking to learn, you can choose talks from the developer's track, the new sysadmin track, the beginner track, or the general interest track.

Monday, February 21, 2011

RSA is over, e-DMZ Security joins Quest


The 20th RSA Conference is over. Once again it was 5 whirl-wind days of press and analyst briefings, customer dinners and meetings, business development and trying to take in as many of the delights of San Francisco as possible. We had a great turnout for our cocktail reception and excellent booth traffic. Note to self: We need a banner or something of the like so people can find us easier in the sea of booths.

There were a number of companies that debuted last year at RSA and were absent this year – a definite case of here today, gone tomorrow. The Novell booth was scaled back to a 10x20 – same size as Quest. A few new companies that had some interesting stuff:

- Digital Persona: They have built a delivery vehicle for SaaS applications in the cloud. A centrally-managed console that enables a company to deliver a wide variety of cloud-hosted applications to a client computer. They were showing this off in conjunction with HP and delivering centralized management, access recovery, two-factor authentication, enterprise single sign-on, full-disk encryption and secure communications to HP computers and servers. There’s lots of potential for this – especially in the SMB (small-medium business) space.

- PasswordBank: This Spanish company has an innovative way to do enterprise single sign-on to on-premise and off-premise (cloud) applications.

I did a quick interview along with Kris Zupan of e-DMZ Security while we were at the RSA Conference in San Francisco last week. You can see it below. Don’t be surprised with how excited I am about this acquisition. I have to say it was fun ribbing my friend Rik Weeks over at Cyber-Ark about the acquisition. Rik, the offer is still on the table if you guys would like to resell the e-DMZ suite...

Monday, February 14, 2011

Quest Software Acquires e-DMZ Security to Strengthen Privileged Identity Management Solutions

Today, we announced the acquisition of e-DMZ Security. A fitting way to kick off the RSA show in San Francisco. The acquisition of e-DMZ Security represents our belief in both the privileged identity market and how important it is becoming for companies to get control of their privileged users.

With the acquisition of e-DMZ Security we are expanding our capabilities in this important market and in the identity management market overall. I have firmly believed that identity management encompasses the management of privileged identities. This acquisition further strengthens Quest’s ability to provide a broad range of products for a customer’s needs in this area by being able to provide a defense-in-depth approach to securing access to computing resources whether they are Windows machines, network devices, application access or root access control to a Unix or Linux server. Quest now can offer both network and host-based controlled access to privileged accounts. Host-based control via our ability to manage sudo policies across Unix/Linux servers and traditional root access control and network-based controlled access via the e-DMZ product line.

This really gives us a “soup-to-nuts” set of capabilities in this up and coming market. Both e-DMZ and Quest will have booths at the RSA show that starts today so please drop by and see us. Happy Valentines Day!


Tuesday, February 08, 2011

Quest invests in SecureAuth!

In a previous post I talked about our strategic investment in Symplified. Here I am again talking about another strategic investment we just made in SecureAuth, an Irvine-based company in California. I really like what SecureAuth is doing with their products. Not only have they developed a great product that enables SSO (single sign-on) to web and cloud properties via SAML but they’ve also solved a big security problem while doing so. The SecureAuth Identity Enforcement Program (IEP) works with X.509 v3 certificates to prevent existing and new identity attacks by authenticating both the user and the server being accessed.

Why did I underline the word both? The fact of the matter is that SecureAuth’s IEP authenticates both sides of the conversation: the end-user and the server the end-user is communicating with. What does this mean? It means that the SecureAuth IEP can prevent someone from pretending to be the server that the end-user is supposed to be talking to – also known as a “man-in-the-middle” attack. The SecureAuth IEP effectively prevents man-in-the-middle and phishing attacks.

Instead of forcing organizations to implement APIs or modify applications, SecureAuth leverages the SecureAuth IEP hosted web services that include telephony and SMS one-time-registration password options and certificate servers so an organization doesn’t have to purchase and deploy additional infrastructure components. Unlike traditional approaches to 2-Factor authentication, SecureAuth has created a unique set of high-availability certificate authorities behind a protected set of web services that can securely create and distribute X.509 v3 credentials without requiring an organization to invest more in their infrastructure. This approach enables an organization to scale 2-Factor authentication for any application or number of users.

Not only does SecureAuth solve the cloud-based SSO problem to applications like, Google, Postini, Microsoft SharePoint but it also enables a seamless level of security and encryption above and beyond what many other solutions offer today. To me, it is a winning combination!

Here’s some more information on SecureAuth:

Quest Software Makes Strategic Investment in SecureAuth Corporation

SecureAuth Closes Record Year in 2010 - Provider of Identity Enforcement for the Cloud and On-Premise Applications Grows Sales by 300 Percent, Secures Financing for Expansion, and Adds Marque Customers and Partners

P.S. And a warm shout-out to Garrett Grajek (CTO, his blog here), Tom Stewart, Craig Lund, Stephen Moore and Jeff Lo - the guys behind the curtain at SecureAuth!

Tuesday, February 01, 2011

Marriott’s lack of claims-based authorization costs them millions!

True story. I travel a lot. Typically, I stay in Marriotts or Hiltons. Last year, I stayed in Marriotts for more than 65 room nights. I joined their “rewards” program many, many years ago and I’ve noticed that every time I checked out my Marriott invoice would show me as Jackson Shaw, Microsoft Corporation. Well, as of February 1, 2005 I was gone from Microsoft. I never really considered this an issue and I frankly wasn’t ready to spend the time figuring out why it said this or how to get it changed because I simply didn’t care. I didn’t care because it didn’t affect me – until a recent trip.

I checked in very late to a hotel that my GPS couldn’t find in Sticksville somewhere. The person checking me in was also the person who was guiding me to the hotel on my mobile phone so they were happy to see that I finally arrived. As part of his welcome he mentioned: “And, it’s noted here on your file to reduce your nightly rate by $10/night because you work for Microsoft.” I was too tired and a bit too stunned to argue with him. I began to wonder how this little screw-up (Marriott mistakenly believing I was still a Microsoft employee) could be solved by an effective identity management strategy.

That’s when I realized that this is no simple identity management problem. Let’s take a look at the problem, the potential solutions and the possible ramifications.

Fact: There’s an attribute – let’s call it “company” – that is present in Marriott’s frequent stayer program. In my case, that attribute has been set to “Microsoft Corporation”.

Issue: That attribute is being used to calculate discounts to the booked room night cost. In this specific case it was giving me $10 off/night.

Result: For this particular stay (3 nights), Marriott missed out on $30 of additional revenue. No other Marriott staff ever called out a discount to me before but let’s assume I did get $10 off/night in 2009 at all Marriotts. For 65 room nights that cost Marriott $650. Just a bit of basic math and you could probably say there are 50,000 other people out there that might be getting $10 off/night and if each of them stayed on average 2 nights a year with Marriott that’s $1M right there. It’s pretty easy to imagine that there are lots of companies that get discounts, and lots of employees who move from a discounted rate employer to a non-discounted rate employer. I’d say the problem might be even significantly bigger because this is a business traveler issue and most business travelers stay in hotels more than 2 nights a year.

With all this in mind, what solution could we put in place to save Marriott millions of dollars in unnecessary room night discounts?

Solution #1: Traditional IAM solution – Every company that gets a room discount for their employees submits a list of all eligible employees on a regular basis.

Strength: Easy to implement on both sides of the fence. Simple text file exchange via e-mail or FTP. Current IAM solutions should be able to handle this simple scenario. No requirement – that I can see – to change Marriott’s application.

Weakness: Marriott may have to do this for hundreds or even thousands of companies. It may not be a scalable solution. It would not be a “real-time” solution – there would be a finite lag in knowing when someone is no longer entitled to a discount. There’s the inherent data loss issue if files are lost or the FTP site is compromised.

Solution #2: Claims-based IAM solution – Every company that gets a room discount for their employees would have to set up an “authorization” domain so that anyone checking in/out can have their “claim” for a room discount evaluated.

Strength: Provides real-time claim evaluation.

Weakness: Not all IAM solutions support claims-based authorization. This would most likely require a change to Marriott’s application. Microsoft (and all partner companies) would have to set up and expose a service to validate the evaluation context of the claim that someone was entitled to a discount. Is it reasonable to expect that every partner would have the capacity to implement claims-based authorization to support Marriott discounts?
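
The difference between the stored attribute and Solution #2, sketched as an added example (not from the original post, and not any hotel's or vendor's code): the profile's `company` value keeps granting the discount, while a short-lived signed claim from the employer stops working once it expires or is no longer issued. The issuer name, guest ID, function names and shared HMAC key are assumptions for illustration; a real federation would use asymmetric signatures such as SAML or JWT.

```python
import hashlib
import hmac
import json

# Assumption: each partner employer shares an HMAC key with the hotel chain.
# All names and values below are constructed for this example.
PARTNER_KEYS = {"example-employer": b"constructed-demo-key"}
DISCOUNT_PER_NIGHT = {"example-employer": 10}  # dollars, the post's $10/night


def issue_claim(issuer, subject, employed, ttl, now, key):
    """Employer side: sign a short-lived statement about one person."""
    body = json.dumps({"iss": issuer, "sub": subject,
                       "employed": employed, "exp": now + ttl}, sort_keys=True)
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def discount_from_profile(profile):
    """Stored-attribute model: trust whatever 'company' the profile holds."""
    return DISCOUNT_PER_NIGHT.get(profile.get("company"), 0)


def discount_from_claim(token, guest_id, now):
    """Claims model: discount only for a fresh claim the employer signed."""
    if not isinstance(token, str) or "." not in token:
        return 0
    body, sig = token.rsplit(".", 1)
    try:
        claim = json.loads(body)
    except ValueError:
        return 0
    if not isinstance(claim, dict) or not isinstance(claim.get("iss"), str):
        return 0
    key = PARTNER_KEYS.get(claim["iss"])
    if key is None:
        return 0  # unknown issuer: no trust relationship, no discount
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return 0  # altered or forged claim
    if claim.get("sub") != guest_id or claim.get("exp", 0) <= now:
        return 0  # claim is for someone else, or has expired
    if claim.get("employed") is not True:
        return 0
    return DISCOUNT_PER_NIGHT.get(claim["iss"], 0)


if __name__ == "__main__":
    key = PARTNER_KEYS["example-employer"]
    stale_profile = {"guest_id": "guest-001", "company": "example-employer"}
    old = issue_claim("example-employer", "guest-001", True, 300, 1000, key)
    print("profile attribute, years later:", discount_from_profile(stale_profile))
    print("claim while still valid:", discount_from_claim(old, "guest-001", 1100))
    print("same claim after expiry:", discount_from_claim(old, "guest-001", 5000))
```
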

I've said many times that I only play an award-winning solutions architect on TV. I don't see an "easy" solution here for Marriott. Do you? Or is the "easy" solution just "business as usual"? If you were the CIO of Marriott Hotels what would you do?