Tuesday, November 27, 2007

Jackson's upcoming tour dates...

Once business planning is over (this week - yay!) I'll be heading to New York City and Salt Lake City during the first week of December and visiting with a multitude of customers. Second week I'm in Chicago doing the same! During my NYC visit I'll be presenting with Microsoft and Unisys at a breakfast for CIOs that looks like it will be well attended - I'm looking forward to that.

As usual, I'll post a summary of my significant learnings after the fact.

Technorati Tags:
, ,

Sunday, November 25, 2007

Thanksgiving in Leavenworth, WA

Leavenworth, WA

We spent a couple of nights in Leavenworth, WA over the Thanksgiving holiday. It's about 2.5 hours from Seattle on the east side of the Cascade Mountains. In fact, it is almost due east of where we live. Leavenworth is known as "Washington's Bavarian Village" and if you check out the pictures you'll see some examples of the Bavarian architecture. You'll also see another thing they are famous for: their Christmas lights. In fact, this year they are being honored by Good Morning America...

Good Morning America Comes to Leavenworth

Good Morning America is doing a new segment called "Good Morning America Lights Up The Holidays". They will be doing a live feed from Leavenworth to begin Good Morning America's show in New York.

The special will take place for 5 days ONLY. We were selected as one of the top 5 in the United States for the filming of our Christmas celebration.

The Good Morning America film crew arrived November 15 under bright blue skies to film Leavenworth preparing for the upcoming Lighting Ceremony. These shots will be used as teasers to entice viewers to watch the show and some of the clips will be used on the 29th with the live feed.

Good Morning America host Sam Champion will be here for the live feed to New York City on November 29th from 4-6AM as we light our town. They encourage everyone to be here at 4am. Hot beverages and roasted chestnuts will be available. Come join the party!

This is unbelievable coverage for us and we invite you to join in the fun. We will be roasting chestnuts and serving hot coffee. Since the feed is live to New York after the fun we can tune in to Good Morning America at 7am our time to watch the show.

Try and check it out, if you can - or, Tivo it!

Thursday, November 22, 2007

Happy Thanksgiving you turkeys!

Happy Thanksgiving to everyone. For those that haven't seen a picture of a wild turkey see below. They don't naturally have all white feathers!

It's a time for friends and family - enjoy!

Tuesday, November 20, 2007

PowerShell AD/v-card utility

Recently, I wanted to grab someone's contact details out of Active Directory, save them as a v-card and send the v-card to a friend. It's not so trivial to do that manually so I wondered how it might be done in PowerShell - and, I'll admit, how I could get someone else to build the utility for me - so I talked to our resident PowerShell guru Dmitry Sotnikov.

Dmitry quickly whipped up a script for me, ran it through his powerful quality control process ("Here, see if this works!) and I was off to the races. Dmitry blogged about the v-card tool and recently told me that there's been significant downloads of it. It was even picked up on both the MSDN PowerShell and Windows PowerShell blogs.

Check it out...

Our local identity management guru Jackson Shaw tasked me with giving him an easy way to export contact information from corporate address book so you can then send it to someone for their reference. The standard format for Outlook to import contact information is vCard, but the problem is that Outlook can export to vCard only personal contacts, but not GAL entries. Needless to say, PowerShell is the answer.

This is the command-line which solves the task:

Get-QADUser "Dmitry Sotnikov" Out-vCard

This will locate a user in your AD whose name is "Dmitry Sotnikov" (which probably means you work for Quest) and create a file "Dmitry Sotnikov.vcf" at the c:\ drive root.

If you want to export all members of a DL - this will work too:

Get-QADGroupMember DL.ProjectA Out-vCard

This will create a vCard for each DL member.

And because it only reads data from your Active Directory you don’t need any administrative privileges. This will work for any domain user.

To make this work you need to:

Install PowerShell and AD cmdlets.
Copy/paste the following function into PowerShell command-line shell before running the commands or add it to your profile (My Documents/WindowsPowerShell/profile.ps1):
function Out-vCard {
$input ForEach-Object {

$filename = "c:\" + $_.Name + ".vcf"
Remove-Item $filename -ErrorAction SilentlyContinue
add-content -path $filename "BEGIN:VCARD"
add-content -path $filename "VERSION:2.1"
add-content -path $filename ("N:" + $_.LastName + ";" + $_.FirstName)
add-content -path $filename ("FN:" + $_.Name)
add-content -path $filename ("ORG:" + $_.Company)
add-content -path $filename ("TITLE:" + $_.Title)
add-content -path $filename ("TEL;WORK;VOICE:" + $_.PhoneNumber)
add-content -path $filename ("TEL;HOME;VOICE:" + $_.HomePhone)
add-content -path $filename ("TEL;CELL;VOICE:" + $_.MobilePhone)
add-content -path $filename ("TEL;WORK;FAX:" + $_.Fax)
add-content -path $filename ("ADR;WORK;PREF:" + ";;" + $_.StreetAddress + ";" + $_.PostalCode + " " + $_.City + ";" + $_.co + ";;" + $_.Country)
add-content -path $filename ("URL;WORK:" + $_.WebPage)
add-content -path $filename ("EMAIL;PREF;INTERNET:" + $_.Email)
add-content -path $filename "END:VCARD"

Note that the script is something I put together in 15 minutes to help Jackson, so it still needs a few improvements when I have time:

Need to add an optional parameter for the output folder.
Need to actually look at vCard spec to make sure all attributes translate right.
Need to look whether I need to check whether attributes are present. Does vCard format permit empty values or should their keys be in that case omitted?
Anyways, this seems to solve the task for now, I hope I have a few hours later to make it perfect. Feel free to do so yourself if you are interested.

Technorati Tags:
, , ,

Monday, November 19, 2007


James McGovern had a comment on my re-cap of Ant Allan's session on privileged user management:

I wonder if Jackson Shaw will acknowledge that the real reason identity management vendors aren't solving for this problem is that they believe that this should be a separate and distinct product and their customers are too stupid to know better.

I'm not sure if that's the reason or not, James. I had a long discussion after the session with Ant Allan and I asked him why he thought more identity management vendors were not involved in this corner of the identity business. After all, none of the usual suspects have products in this area: Sun, Microsoft, Novell. His answer was quick and short: There's not enough services revenue required for these products.

I'm not sure how true that is but I will report back to you on that. Quest Software has OEMed PassGo's privilege management products so once we have some more experience with them I'd be happy to share further.

Technorati Tags:
, , ,

Friday, November 16, 2007

What a blague!

I'm sitting in the LAX airport - what a hole - waiting for my flight to Seattle so I'm doing e-mail, of course. I happened to come across this and said to myself "What a joke!". For some reason my brain burped and the French word (or is it a Quebecois word?) for joke popped out: blague

So here's the blague...

The OASIS IDtrust Member Section, http://www.oasis-idtrust.org/ , is pleased to co-sponsor the 7th Symposium on Identity and Trust on the Internet (IDtrust) 2008 – formerly known as the PKI R&D Workshop. The event will occur on 4-6 March 2008 at the NIST facility in Gaithersburg, Maryland.

What cracked me up was the "formerly known as the PKI R&D Workshop". So my question to myself was: Is this just simply a PKI R&D Workshop warmed over to attract more people to it or is it really about Identity and Trust on the Internet? I agree with the rename from a marketing perspective. Imagine Kentuck Fried Chicken being marketed as "Hot, Dead Chicken" - they might want a rename, too.

I thought 2007 was the year of PKI so why rename the workshop? (Some old timers will get this blague, I hope)

Have a good weekend everyone. I'm glad you're not sitting here at LAX with me.

Technorati Tags:

Getting to the problems of the root: Effective and efficient management of superuser privileges and shared account management

So, it's day 3 of the Gartner IAM conference and my first session is the above being hosted by Gartner's Ant Allan. I've blogged before that many (most, all) of the IAM vendors have either forgotten or avoided how to control superuser privileges.

Apparently, Apple has done a good job in Mac OS X handling the superuser and privilege management problems. I'll have to take a look at it.

Why are vendors building kernel-intrusive products to manage these privileged users? It seems crazy to me. If you are the vendor - why not simply fix the darn problem to begin with?! Making a tool kernel intrusive means you are reliant on the vendor to update the tool when the OS is updated otherwise you can't upgrade your systems. Additionally, and worse(!), who the heck wants a kernel intrusive tool anyway? That's a freakin' recipe for disaster ladies and gentlemen - "Please wait while I swap out parts of your operating system for these specialized components that will protect you better." - Ya, right - don't let the door hit you in the rear while you leave...

Who are the key vendors in this space (according to Ant)?

On Unix/Linux: fortefi, PassGo, OSM, S4 and Symark (Quest has OEM'ed the PassGo product)
On Windows: dotNet factory, NetIQ, Quest (hooray!)
z/OS: IBM, Vanguard, Powertech, betasystems
Superuser (i.e., kernel intrusive) tools: CA, foxt, IBM
Network level: eDMZ, Xceedium

Fisher and M-Tech both come from the provisioning world and have pushed into the "superuser privilege management" space. Not surprising.

Interesting that nothing was mentioned for managing database admin passwords and those type of privileged accounts. Ant does not think that the major IAM vendors are not going to be embracing these types of scenarios - which is stupid.

Ant's recommendations...
  • Minimize the number of users with full superuser privileges - This one is obvious
  • Eliminate shared passwords for shared accounts - Indeed
  • Eliminate hard-coded passwords for service accounts - Yes, please! Hearing that someone had one hard-coded for 18 years made my stomach turn.
  • Look for tools from your preferred IAM vendors - Don't hold your breath.

OK, that's it from me here at the Gartner conference. I'm heading back home to Seattle - from sun and fun to wet and wild!

Have a great weekend everyone!

Technorati Tags:

Thursday, November 15, 2007

Microsoft's Identity Vison and Strategy

Microsoft presented their vision and strategy today here at Gartner. They managed to bring up a customer (NewEgg.com) to talk about what they've done with Microsoft's Identity Lifecycle Manager product. Always good to have a customer talk about their experience! (see notes at the bottom of this post)

I thought it was funny that the presenter mentioned that too many people didn't know about Microsoft's fine certificate (X.509) server that is built into the server platform. I agree, it is a great solution and people don't know about it. With all the push around security you'd think they might trumpet this a bit more.

I blogged about this in the past but again noticed that they don't mention BizTalk server in their architecture slides even though BizTalk has an enterprise single sign-on service built into it along with other identity-based services. I'm more surprised that BizTalk is not mentioned because both BizTalk and the other IDM-related technologies all come under the same vice-president at Microsoft (Robert Wahbe).

They're still saying that ILM "2" and ADFS "2" will be released in 2H08. ILM "3" was mentioned for the first time (at least to me) as being released 18 months after ILM "2" and it will be focused around integration of all the components into a single offering - so I guess that's sometime around 2010 or 2011?

One happy thing was that I didn't see any of the slides I had authored while I was at Microsoft being used in this presentation!

NewEgg presentation

NewEgg's drivers were regulatory compliance, management of user entitlements and secure access to the network. They user Active Directory as their core identity repository so going with Microsoft certainly made sense especially when you add in the fact that their collaboraton platform is Exchange 2003. Interesting that NewEgg is using Remedy for their workflow and trouble tickets. They integrated with Remedy over web services. They deployed the system in 180 hours - so less than two months - that's really awesome especially when you consider that they needed to integrate SAP and they had no common attributes across the various systems.

As a next step NewEgg did mention that they might use CardSpace for external authentication to their e-commerce site!

Technorati Tags:
, , , ,

Identity as Application Infrastructure: Evolution or Revolution?

It's the second day of Gartner's conference and I'm sitting in this talk being given by Earl Perkins and Neil MacDonald. Neil focused on the vision of the service-oriented enterprise and how abstraction and de-coupling of identity services (provisioning, authorization, "security") is the way that we introduce fluidity to the enterprise. Of course, identity is at the center of this fluidity - or, to put this another way, enabling fluidity depends on driving application-enabled identity services. Folks need to check out the "Services Modeling Language" draft standard that helps to abstract this.

Earl spent some time talking about how roles-based access control is the linchpin for process security models and how there's an impedance mismatch in a lot of cases between roles in HR, groups in your directory (role proxies) and general inconsistency. RBAC is critical to this evolution but, as they say, the devil is in the details here. I personally am not sold that we have solved this problem from a business perspective yet. However, there are no problems - only opportunities, right?!

I see how we are moving from the "metadirectory" approach to identity to the "proxy"-based approach to SOA for delivering the security and identity characteristics and functions that the applications require. So will we have the same types of problems we have experienced except now at the SOA level? Vendor A provisions well to Oracle but lousy to Active Directory?

I do believe this will be the future. However, I remember that in 1996 Netscape's LDAP Directory server started to take off and customers started demanding integration in order to externalize authentication. Here we are nearly 12 years later and we still have lots of problems here. What Earl and Neil are talking about is a much bigger change - where will we be in 2019 twelve years from now? Will we be further ahead than where we are today with externalizing authentication? By then I won't care because I'll be on a beach somewhere with an umbrella-decorated cocktail in my hand - retired.

I'm not making light of what Earl and Neil are saying. They are sharp guys and I do agree that we need to get there but inertia can be a very, very, very powerful force.

Do you think that virtualization might be the force that can overcome the inertia? Maybe, maybe.

What do you think?

Technorati Tags:

Wednesday, November 14, 2007

Everything You Know About Identity Management Is Wrong

Gartner's Neil MacDonald spoke on this topic. I have to say the title absolutely intrigued me so I had to be here. How could you not like a presentation where the speaker mentions Banyan VINES during his intro?!

Neil believes we are nearing a revolutionary change in identity management.

"Too many IAM vendors, too much complexity, too many products and you are paying too much." -- here here!!!

Put identity and security administration in the business units - not in the high priced security professionals hands. If we can't achieve that then we have failed.

Key trends according to Neil: (Neil in italics - my comments not)

  1. Security-service oriented applications will require security-as-a-service, including identity services. Clearly what Cisco is thinking isn't it?
  2. Identity Becomes Application Infrastructure (aka authorization or entitlement application). As I have stated before, this is the next "battleground".
  3. Business Process Management Services as a new starting point for application development.
  4. ERP as a new center for identity-centric application serices. Clearly what SAP was thinking with their MaxWare acquisition. ERP is the starting point isn't it?
  5. Context delivery architecture. What you need is what you get services - and it needs to be federated.
  6. Grid computing and virtualization. Traditional security approaches tied to physical characteristics will fail and externalized policy management (security, identity) are absolute requirements.
  7. The Rise of identity-aware applications and sites. As I mentioned in a previous post it is these type of applications (e.g., SharePoint) that will drive federation and federated identity. Have you looked at OpenSocial yet? You need to (so do I)!
  8. The impending collision of consumer and enterprise identities. Who hasn't seen this one coming?
  9. Convergence in multiple dimensions: Of IAM point products, into platforms, into services, of mature security infrastructure into operations.
What mistakes are organizations doing wrong and how should they be done differently?
  • Thinking of IAM as a collection of products or projects. It's not, it's a set of inter-related processes. We're moving from IAM suites of products to suites of IAM services.
  • Overlooking the synergy between middleware and IAM. Neil pointed out how Microsoft has moved to one workflow platform and set of connectors based on BizTalk in order to reduce cost and complexity. Now if MIIS/ILM was also using those same connectors and vice-versa wouldn't that be nice? I loved this point on this slide: "Don't assume legacy IAM vendors are best positioned for the future application- and process-centric requirements of identity infrastructure." I agree - some of those legacy guys are going to die off.
  • "I've implemented RBAC...I'm done" - Neil says the root cause of this problem isn't too many roles, it's a lack of governance and automation (creation and destruction). Role management needs to be a part of provisioning solutions.
  • Requiring application programmers to code to LDAP. - Externalizing authentication and authorization is a pre-requisite for applications. Neil believes there are viable commercial solutions (e.g., Layer7, BitKoo) available today to make this happen.
  • Thinking HR is the trigger for all things user provisioning-related. Yes, HR for hires and fires but what about role changes? Does that have to to HR in order to make something happen?
  • Information security administers all security, including user/role assignments. Business units must assume the risk, not IT. How true!
  • Limiting the scope of identity projects to just people. Any resource may require identity services. How do we do this in a virtualized environment?
  • Treating user provisioning as a strategic technology. Indeed. We need identity-aware applications: Kerberos, SAML, WS-* etc.
  • Paying too much. No kidding! Why are identity vendors charging 3-4X the software cost to install and deploy?! Use Microsoft to pressure the other vendors!
  • I've deployed UP, WAM, SSO...I'm done. Again, no kidding! It all starts again my friends, it all starts again. Interesting how Neil has modified Gartner's operational efficiency grid: Basic, Centralized, Standardized, Rationalized, Virtualized, Service-Based, Policy-Based (fyi - moving left to right is better and Gartner's grid stopped at Rationalized before)

To reduce cost and complexity you should: leverage convergence and not be afraid to change vendors; look for "proxy" capabilities and set a long term goal that developers don't write security code.

All in all this was a great presentation. Lots of clapping whenever Neil mentioned how costly something was!

Technorati Tags:

The Internet is like a bad-news petri dish

Keynote - Gartner's Toby Bell on "Reputation: The Next Revolution"

I loved his comments on "reputational persistence". Negative or incorrect information may last forever. This is so true. Are you competitors using this against you? Toby's most illuminating comment...

"The Internet is like a bad-news petri dish! Reputation is useless in an anonymous world."

Some cool websites mentioned during Toby's talk:

Do you know what Google thinks of you or your company? Check it out at http://www.googlism.com/.

What's your reputational management strategy? Do you have a policy against allowing your employees to place co-worker

Check out http://www.touchgraph.com/ to see how you or your company relates to others and how its reputation is built and http://reputica.com/.

Technorati Tags:

Gartner Identity Access Management Summit 2007

I'm at the Hyatt Regency Century Plaza, Los Angeles for the next three days attending Gartner's big identity shindig. Ray Wagner (pictured) just kicked off the conference.

I'll post tidbits and highlights over the next few days...

Technorati Tags:

Wednesday, November 07, 2007

Quest helping federal federation initiatives

If you carefully read this Quest press release you'll see the word federation used. I just wanted to point it out to you because you probably either didn't read the press release or if you did you may have missed that word entirely (I did).

Lockheed-Martin is enabling federation of a B-2-B application that is built on SAP. They be using a number of our Vintela products to enable the scenario. It's pretty cool stuff - maybe someday they'll let us publish a case study about it. Of course, it's all Active Directory integrated...

The contract will support a Lockheed Martin identity convergence initiative and serve as guidelines towards working with federated identity infrastructures as the U.S. defense contracting community collaborates on identity management in future Department of Defense initiatives. - Emphasis is mine.

I also liked the fact it was a $2.3M sale but that's another story, eh?!

Tuesday, November 06, 2007

Leopard eats Active Directory

I've commented a couple of times about vendors and how they need to beef up their Active Directory integration (if they even integrate to start with). Now the opposite happens: Apple's Active Directory integration has blown up in their latest OS X incarnation - Leopard.

I heard about this yesterday when I was at the Vintela offices in Lindon, Utah (yes, downstairs from the evil Canopy Group and across the street from the eviler than yesterday SCO Group).

Here are some details...

Leopard Problems: Active Directort integration - First, Active Directory integration is broken. It centers mostly around authentication issues. If the Mac was joined to the domain before it was upgraded, it can’t log on after. Directory Utility returns a “Server can not be contacted” error. If the machine was not joined to the domain, it fails while trying to with an “unknown error” in step 3 of the bind process.

The other issue is in Safari through a Microsoft ISA 2006 proxy server. When going to an SSL website, Safari crashes after it tries to authenticate. Firefox still works.

Avoid an Active Directory 10.5 upgrade issue - If your Mac is bound to Active Directory (AD), make sure you unbind it before upgrading. Also make sure you have a local admin account (that was not created via AD) beforehand. I had a tough time with a Mac here -- the only account on the machine was created through authenticating via AD. In case this happens to someone else, and they find this, here's a fix:

Start up in single user mode (power on while holding Command-S) and enable the root account by giving it a password (by typing passwd and entering a password). Then reboot and log in as root. Once you've logged in (it was very slow for me), go into Directory Utility (/Applications » Utilities) and you will see the AD entry listed there.

For me it showed as connected, but was not getting the proper info. Unbind it, and as soon as it's done, you should see an immediate improvement. I was not able to log into my old account; I had to create a new (local) one, and then transfer the old home folder to my new one. I think I added that hint before, but here it is again, in case I didn't:

Create new user newuseraccount. In Terminal, do:
$ sudo -s (enter password)
$ cd /Users
$ rm -rf newuseraccount
$ mv olduseraccount newuseraccount
$ chown -R newuseraccount:staff newuseraccount

I guess Apple's QA team didn't include any cases for testing their Active Diretory integration?

Technorati Tags:
, , ,

Saturday, November 03, 2007

Identity Management and Photography

Ian Glazer asks a couple of really interesting questions about identity management and photography in his recent post titled "Identity Management and Photography". Like the best questions they are hard to answer because they are "core" - at least core to me. This post is just to say that I believe there is some sort of link, Ian.

There are a bunch of people in the greater identity management world who would consider themselves amateur photographers. I wonder if there is commonality of photography and IdM that practitioners of both find compelling.

Anyone else want to sound off?

p.s. My photos usually end up here: http://picasaweb.google.com/jackson.shaw

Technorati Tags:

Friday, November 02, 2007

Google's GrandCentral Service

OK, kinda weird post, eh? This is GrandCentral from Google. You can use the "Call Me" button to literally call me...Enter your name and the phone number you are at and GrandCentral will call you and then connect you to me!

Cool stuff as it will call all my lines (home, business, mobile) simultaneously and route the call wherever I pick up. Neat.

Thursday, November 01, 2007

Cisco to acquire Securent

OK, looks like the first move in consolidation in the authorization marketplace has happened...not bad: $100M! (Analysis and commentary by Phil Schacter at Burton Group can be found here.)

Congrats to the folks at Securent!

Cisco Announces Definitive Agreement to Acquire Securent

Cisco® today announced an agreement to acquire Securent, Inc., a leading provider of policy management software for enterprises. Securent's scalable, distributed policy platform allows enterprises to administer, enforce, and audit access to data, communications, and applications in heterogeneous IT application environments. Securent is privately held and based in Mountain View, Calif.

Securent's software will enable Cisco customers to protect and secure valuable application data regardless of vendor, platform, or operating system while still allowing ubiquitous access to the content workers and their collaborative communities need to be productive. By delivering policy from the network, Cisco will simplify entitlement decisions for all communications, collaboration and other third party applications.

Technorati Tags:
, , ,

Is federation stillborn?

I was party to a short, but interesting internal e-mail debate yesterday about federation. One view was that it was never going to amount to much due to politics and complexity. The other view was that it is starting to take off in certain scenarios and could potentially grow much bigger albeit the socio-political and complexity ramifications still loom.

I figured the debate was more or less over after a few e-mails but then I happened to read John Fontana's Network World article titled Microsoft switching SharePoint to claims-based authentication. So I'll switch the debate from internal e-mail to my blog and state that it will be scenarios that applications like SharePoint enable that will propel federation forward. Second, to see that Microsoft is opening up such a critical piece of their collaboration platform to federation and non-Active Directory authentication is both amazing and awesome.

I learned a lot about making products and technologies "viral" while I was at Microsoft. Bundling SharePoint services with the server operating system did just that - it introduced SharePoint to tens of thousands of companies and, at the same time, enabled those pesky administrators to build SharePoint sites with no IT oversight. Result? Hundreds of SharePoint sites at most companies before IT even knew how to spell SharePoint. Now Microsoft is going to enable SharePoint to be downloaded without having to purchase a server. The result will be that nearly everyone will become infected. (Need some free software to determine how many SharePoint sites you have? Click here.)

Add federation to the mix and the result is a federated, collaboration solution that nearly anyone will be able to "stand up". Yes, it may be complicated to set up but the admins can figure that out and while the various IT committees and internal standards groups are meeting in conference rooms with poor air circulation and no windows a whole new class of federated SharePoint sites will be springing up from the earth...

Technorati Tags:
, , , , , , ,