Not much has changed on the directory front - until now!

Dave Kearns over at Network World just published a story stating that "Not much has changed on the directory front". When I first read the headline I knew I wanted to agree - and blog my views on his comments. However, just as I was getting ready to write this a significant change event on the directory front happened. John Fontana - also of Network World - reported from the Microsoft PDC that "Microsoft touts groundbreaking 'clip-on' for Active Directory". So let's discuss Dave's story first:

"Not much has changed on the directory front"
As I said, I couldn't agree more. In 1996, if my memory is correct, Netscape released their LDAP-based directory server. It effectively killed the X.500 directory and also resulted in the ultimate demise of X.400 for messaging. Over the next few years we saw the launch of the meta-directory by Zoomit and then, in 2000, the launch of Active Directory by Microsoft. Aside from virtual directories gaining more momentum I would say that since Active Directory there have been no major advances on the directory front. Netscape started things off but Microsoft crossed the finish line and now has the most deployed LDAP-based directory in the world.

I agree with Dave that nothing much has really changed - until now...

"Microsoft touts groundbreaking 'clip-on' for Active Directory"
Kim Cameron at Microsoft discussed Next Generation Active Directory (NGAD) at the Professional Developers Conference this week. NGAD has been described as "a modular add-on that is built on a database and designed to add querying capabilities and performance never before possible in a directory". Hopefully, the term "clip-on" is not equivalent to "clippie"!

NGAD, however, is not a replacement for Active Directory but a "clip-on" that provides developers a single programming API for building access controls into applications that can run either internally, on devices or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories but will have to option to replicate data to NGAD instances. NGAD stores directory data in an SQL-based database and utilizes its table structure and query capabilities to express claims about users such as "I am over 21" or "Henry is my manager." To ensure security, each claim is signed by an issuing source, such as a company, and the signatures stay with the claim no matter where it is stored.

"You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

In addition, the directory design means multitudes of new cloud or other applications won't be hammering the central Active Directory architecture with lookup requests and administrators don't have to perform often tricky updates to directory schema to support those new applications.

Of course, extrapolating features, functionality and benefits at this point is difficult but you can see how NGAD could change our views of auditing, compliance, security and (NGAD)directory-enabled programming including cloud-based identity and identity as a service. I'm also betting that NGAD will be a significant enabler of the externalization of a distributed authorization infrastructure just as Active Diretory has been an enabler of a distributed authentication infrastructure.

I believe NGAD has the potential to be a big change or even an inflection point for the industry and customers. I'm sure we'll be seeing much more discussion about NGAD.

Technorati Tags:
Microsoft, MSFT, Active Directory, NGAD, next generation active directory

Gartner: Directories and Virtual Directories: Foundations of Your IAM Infrastructure

Andrew Walls definition of today’s directory proliferation problem is quite appropriate: “I am Legion and we are many!”

Andrew talked about how virtual directories are “in fashion” these days. Interesting that when Andrew presented which vendors have a virtual directory that he put up Microsoft and IBM with question marks after them. His caution: Don’t assume that either of these vendors have these capabilities despite having info on their web site that they do. Andrew’s belief is that IBM and Microsoft don’t want their customers to look to another vendor to solve the virtual directory problem. I’m not sure about anyone else but I never believed either of these vendors had a virtual directory.

Andrew characterized meta-directory as storing data rather than fetching data like a virtual directory – and called them fundamentally the same. I disagree with this simple of a characterization but I certainly agree with Andrew’s statement that rapid deployment of a virtual directory is possible whereas in most cases you are not going to rapidly deploy a meta-directory.

Are meta-directory and virtual directory products melding – blurring the lines between themselves? Yes, and it’s high time that they did. Generally speaking, I think a customer can benefit from both of these technologies so why not use one product for that? Simple is always better. A virtual directory is the perfect veneer to stick on top of your directory infrastructure(s) because it allows you to swap underlying directory pieces in and out as your business changes.

And, I agree with Andrew’s comment that adding a virtual or meta-directory can hide the complexity of your infrastructure – it doesn’t fix it.

Technorati Tags: Gartner,identity management,Active Directory,virtual directories,meta-directories,#GartnerIAM

Gartner and The Death of IAM

Earl Perkins kicked off the Gartner IAM summit with this talk: The Death of IAM and the Loss of Identity Innocence – A Review of Program Maturity, Service-Driven Change and New-Era Threats. Catchy title, eh?! It was certainly penned this way to draw attention to what Earl called an “inflection point” that is now happening in the IAM market.

Earl’s commentary centered around IAM – especially the “A” access part – accountability as the new phase of IAM. Gartner has clients who approach them daily who are now talking about replacing their first generation IAM systems – as Earl calls it, a “disaster summit” or a “do-over” conversation. In the area of governance (GRC) we are in the same place where we were with provisioning 5 years ago which means we are early and still have a long way to go in this area.

Earl see these trends in the “IAM Age of Accountability”:

- Externalization + decentralization = “The out is now in”

- Finding or identifying who is in charge

- “Scale” is becoming off the scale

- Delivery methods increase

- Expanding business process management

I think we have all seen much of the above. Much of this is being driven by the effects of compliance pressures on companies along with the drive to save money through the use of the “cloud”. It’s only going to get worse as federation begins to take off.

Earl also talked about the death of the IAM suite and birth of the IAM partnership. Not the actual, real death of the IAM suite but the importance of partnering with your IAM vendor and picking the right vendor that you can work with over time. While Earl didn’t say this nor do I think he meant that the magic quadrant is “dead” but I do wonder about customers who make IAM choices simply by looking at the MQ. Partnership cannot be measured by the Gartner MQ in my opinion.

Earl concluded by discussion how you map an IAM program into an information security program – taking you to serious business enablement, security effectiveness and security efficiency – where I expect we all want to end up.

I like how Earl characterized this as an “inflection point”. It’s a better term than saying IAM 2.0 or “next generation”. The fact of the matter is that market pressures (“requirements”) are causing the slope to change of companies needs in this area and by definition that is an inflection point. I do think that many of the early IAM products and suites are struggling with this inflection point whereas some of the newer vendors in these areas are able to cope with or build directly to this inflection point.

Interesting times for sure. For all of us – vendors and users.

Technorati Tags: Gartner,identity management

Windows Identity Foundation release candidate now available

The Windows Identity Foundation (WIF) is now available as a release candidate per the Forefront Team Blog posting here.

Look for more information about "WIF" coming out of Microsoft's Professional Developer Conference, the week of Nov 16.

We are sending a number of our smart people to the PDC to check out WIF. This release will definitely mark the beginning of true market adoption of web-services based identity. (What we have seen so far has mostly been science experiments and very specific industry segment adoption)

Technorati Tags:
identity management, Windows Identity Foundation, WIF

See you at Gartner's Identity Conference?

Gartner's Identity and Access Management conference starts this coming Monday in San Diego. Will you be there? I'll be there and Quest Software will also have a number of our IAM experts present along with a booth in the exposition area.

We'd love to see you so please drop by our speaking slots or come by our booth. I fully expect this to be an eventful conference - as usual!

Technorati Tags:
Gartner, identity managment, Quest Software, QSFT

Security = smoke detectors?

We're always reading about fires and deaths that could have been prevented by smoke detectors. We are also always reading about security breaches that could have been prevented by having the proper software or policies in place.

I was reminded about this in "Better Security For Not Quite All" which appeared in ComputerWorld on November 2, 2009. The article isn't about a huge security breach but does discuss the difficulties and findings of just trying to enforce "screen locking" at the company in question:

We found that more than 70% of our approximately 6,000 users had disabled both the password requirement and the screen saver.

Clearly, these 6,000 users feel that their own convenience is more important than the company's security posture. This is, however, not too surprising is it? What was a bit more interesting were the results of the author's survey related to what other companies were doing:

When I proposed the change in our lockout policy to the CIO, he asked me to determine what other companies in our industry are doing. I have a pretty decent network of peers in this industry, so I asked them whether they enforce a screen lock -- and if so, what the timeout value is, and if not, what their policy regarding screen locks is. I was surprised by the results: Only one of the 20 companies in my survey enforces the screen lock. That wasn't the response I had anticipated, and it certainly wasn't what I wanted to report to the CIO. In the end, though, he agreed with me that this is one area where it's worth bucking the industry norm.

One in twenty? That's only 5%! I congratulate the author and his company for their choice to turn on the screen lock. I can only imagine that so many other firms haven't bothered to turn on such a basic security feature. It's cheaper than a smoke detector: If you're running Active Directory all you have to do is use Group Policy to turn this capability on.

Do you have a smoke detector installed? Is the battery still good? Have you tested it recently?

Technorati Tags:
security, identity management, QSFT, Quest Software

Goodbye, Don

I first met Don Bowen when I was at Zoomit and we did an on-site presentation to him and his team. We flew from Ottawa and Toronto through a blizzard that shut down Chicago as we got the last plane out to Peoria, Illinois. It turned out we were the only vendor to make it through to Peoria and we won Caterpillar's business.

Don was a product manager's dream customer. Always had good ideas and new ways to use a product. He also stretched a product in ways it was never designed, pushed his vendors to do the right thing and was always ready to talk to you about life or technology - day or night. Whatever identity management conference I went to I would usually run into Don with his wife Eileen - especially at The Burton Group conferences.

Don had only one speed - full speed ahead - and that's how he attacked his brain cancer right to the end.

I'll miss you Don.

P.S. If you can, please help out Don's family via The Bowen Family Trust.

Technorati Tags:
Don Bowen, Bowen Family Trust

Reality tour visit to Vancouver

I'm speaking at the Vancouver Technology User Group next week on "Shouldn't Single Sign-on Be Child's Play?". Quest Software is sponsoring the food. Welcome time is 6pm and we'll kick things off at 6:30pm. If you're interested in attending please click here for the registration link.

I hope to see you there!

Technorati Tags:
Quest Software, QSFT, identity management, single sign-on

Serious provisioning mistake costs $471,000!

I read this in the morning paper today and thought you'd appreciate how serious of a provisioning mistake this was. Would you class this as an identity management issue? I certainly would. I'd also class it as a compliance issue. Great examples of how identity management and compliance are so interlinked. I wonder if Avaya already has an IDM product? If so, it shows you the hole that still exists in the checks and balances side of IDM and compliance.

A New Jersey company paid a man nearly half a million dollars before realizing he wasn't working.

Anthony Armatys was hired by telecommunications giant Avaya in 2002 for more than $100,000 a year. He changed his mind and didn't take the job, but the payroll department apparently never got the memo, according to the Star-Ledger.

For nearly five years, Avaya paid Armatys and he gladly accepted, spending most of the money on everyday items. The rest went straight into a retirement account. Armatys got caught when he tried to make an early withdrawal from that account.

He pleaded guilty to second-degree theft and has to pay the $470,995 back to Avaya. Armatys, 35, faces up to six years in prison when he's sentenced in January -- time enough to think about his next dream job.

Technorati Tags:
identity management, provisioning, compiance, security

Quest and Microsoft Executive Summit on Identity Management

I'm pleased to tell you about the Quest and Microsoft executive summit being held Thursday, November 19, 2009 at the Microsoft Executive Briefing Center across the street from me here in Redmond, Washington.

Our experts will offer guidance for gaining greater efficiency and security from your current infrastructure, using best practices and real-life examples. We'll be discussing:

• Common challenges and organizational impact of simplifying your access, single sign-on and identity management
• Available solutions and services that can make your transition a success as well as facilitate a secure environment
• How to comply with regulations and mitigate risks by automating and managing access to sensitive systems and data
• Benefits of the Microsoft platforms for identity and access management
  

We have a number of awesome Microsoft speakers including Shanen Boettcher and Conrad Bayer who will be presenting, too. If you are interested in attending this event or would like more information please visit http://www.quest.com/IDAExecutiveSummit/

Technorati Tags:
identity management, Microsoft, MSFT, QSFT, Quest Software

Single Sign-on: Separating Fact from Fiction

Quest Software is hosting a virtual trade show and the session I am doing is called "Single Sign-on: Separating Fact from Fiction". It has been recorded so if you're interested in seeing it all you have to do is click here.


Technorati Tags:
Quest Software, QSFT, single sign-on, identity management, Kerberos

ADAC & Windows Server 2008 R2

My colleague and fellow blogger, Bob Bobel, has posted about a shortcoming in the latest and greatest from Microsoft related to Microsoft Exchange integration - actually, the lack thereof. Here's a link to his post and a quote:

One glaring regression is the lack of integration with Microsoft Exchange. The former Active Directory Users and Computers UI had extensions that would expose the critical attributes necessary to perform recipient management. This was handy for many people and its absence is already being mentioned. I would guess that eventually the Microsoft Exchange team will provide this, but so far it has been a no-show.

Good to know this up-front so you're not too surprised by this fact.

Is there money in federation?

In my last post, "Microsoft on the verge", I talked about a number of things including "Geneva" or Windows Identity Foundation. One of the things that interests me about Microsoft's federation strategy is the inclusion of the foundation within Windows Server itself.

Why is this significant? Mainly because it means that federated scenarios are included in the server license so if a customer wants to federate with another organization all they have to do is set up the agreements and go from there without being concerned about additional licensing costs. As you can see from the Liberty Alliance test matrix Microsoft went through a battery of test to get their SAML 2.0 certification.

What does this all mean for Microsoft's customers? Well, it means that there may no longer be a need to purchase an actual federation solution from a 3rd party ISV. Or, as time goes on, I suspect that the inclusion of federation in the Windows platform will put significant pricing pressure on ISVs that sell federation products. ISVs will not be able to make a lot of money on pure federation solutions. However, I do believe that there are still three areas where ISVs will be able to add significant value over what Microsoft is delivering:

1. Auditing: I do not believe that Microsoft will be delivering a comprehensive audit capability around their federation components. As you can well imagine the need to audit federation or single sign-on "events" will be pretty important from a security and compliance perspective.

2. Management: By management I mean operational management of your federated relationships. How easy will setting up a federated partnership be? How easy will it be to monitor your on-going partnerships? How about troubleshooting those linkages?

3. Strong authentication: I haven't seen much discussed about enabling strong authentication of federated transactions. What if I want to use a smartcard or a one-time password (OTP) to protect my transactions?

Don't forget the basics that we have all come to rely on - or are asked to deliver by our company's management: Audit, compliance and security. They are all required - still.

Technorati Tags:
identity management, ADFS, SAML, strong authentication, security, Microsoft, MSFT, cloud computing

Microsoft on the verge?

My Google news net caught this article for me today - Microsoft wary as security, identity integration plan lags - by John Fontana that's definitely worth a read.

Microsoft is on the verge of finally providing some pieces of software to back up its ambitious plan to integrate its security and identity technologies, but the company admits it is moving slower than it had anticipated.

Progress towards this goal, as many of us have already blogged, has been slow. One glimmer of movement in the right direction was last year's merger of the security and identity teams. I also think that the upcoming "Geneva" - now Windows Identity Foundation - will be pivotal for Microsoft and the industry.

In John Fontana's article there's an interesting quote from Bob Muglia I'd like to highlight:

We (Microsoft) don't see ourselves as providing the only solution that an enterprise customer needs for security...

I think most customers would agree with this. In fact, Bob really needed to add "and identity" to that statement. Nearly every customer I meet with has multiple identity management products deployed. In fact, at one customer I recently met with they had three different self-service password reset solutions deployed. Many of the customers I meet with have also deployed Microsoft's identity lifecycle product too (MMS, MIIS or ILM). When I quiz them on what scenarios they are solving with the Microsoft product the most typical response is "GAL sync" yet the company has also deployed a non-Microsoft identity product or framework for the enterprise.

In talking with these teams I have found that in many cases the "Windows", "Active Directory" or "Microsoft" team at an enterprise holds enough power or influence to dictate what is used in their own environment but not enough power or influence at the corporate level to dictate what is used for identity management.

Bob Muglia states that he doesn't see Microsoft providing the only solution that an enterprise customer needs for security. I don't see Microsoft providing the only solution that an enterprise customer needs for identity either.

Technorati Tags:
identity management, Geneva, ForeFront, Microsoft, MSFT, Windows Identity Foundation

Ten Risks of PKI

This is an old article but it is a good article co-authored by Bruce Schneier. For those that don't know Bruce he is a well respected and acclaimed cryptographer. As Bruce says in the first few paragraphs about the sales guys who sell PKI:

“If you only buy X,” the sales pitch goes, “then you will be secure.”
But reality is never that simple, and that is especially true with PKI.

Many times we have customers who are considering going with certificates or smart cards rather than one-time passwords (OTP) as their means of two-factor authentication. Bruce does a great job of throwing light on some of the PKI/smart card "myths". Especially true is that for any security system there are people involved:

Security is a chain; it’s only as strong as the weakest link. The security of any CA-based system is based on many links and they’re not all cryptographic. People are involved.

So if you are interested in strong authentication take a look at this article. It's worth your time.

Technorati Tags:
security, two-factor authentication, QSFT, Quest Software, PKI