Tuesday, December 23, 2008

What does "enterprise" really mean?

I recently received an email from a vendor titled "Why Single Sign-on Isn't the Answer" - Here's the text of the email...
Dear Jackson - Our press release below discusses three reasons "Why Single Sign-On Isn't the Answer."

1.) Expensive, time-consuming implementation.
2.) Single point of attack.
3.) Issues with partner sites.

RoboForm Enterprise increases corporate security and improves your end users' work flow and productivity, all while decreasing overall IT costs.

Find out why RoboForm Enterprise is "Better than SSO."

I'd be happy to answer any questions about customization, deployment, or pricing. We are here to help.

Of course, I had a question. Where do they store all of the single sign-on information? The answer: In a secure "wallet" stored on the user's hard drive. So the real question in my mind is whether or not this product is really an "enterprise" product if it doesn't support a directory? Or, is it just a product that a bunch of users can use in an enterprise?

In my opinion, it's not an enterprise product unless it supports a directory. What do you think?

Technorati Tags:
,

Monday, December 22, 2008

Mixed Windows/Linux shops have their hands full...

That's the title of one of the cover stories that ran on Oct. 27/08 in NetWorkWorld by John Fontana. One of the primary reasons that companies have their hands full here is because of:

The sprawl of management consoles, the proliferation of data they provide and the rising use of virtualization are adding challenges to corporations looking to more effectively manage mixed Linux, Windows and cloud environments.

It's nice to see that Quest Software's own "Management Xtensions for System Center" get mentioned as the solution that Johns Hopkins University is using to support their non-Microsoft infrastructure. He's also using our compliance solutions so he can report on both Windows and non-Windows platforms.

As the article mentions, the industry has been working on platform independence since 1998. More than 10 years later and third-party tools are still required to glue together these different systems. I'm sure there will still be a requirement for these types of tools for a long time to come...

Technorati Tags: ,

Saturday, December 20, 2008

What would it take? How about support for the standard?

James McGovern asks a great question over at his blog about getting some support for SPML in Active Directory or Active Directory Application Mode (ADAM, aka AD LDS).
What would it take for MS to provide code that simply takes a SPML request on one side and on the other performs the appropriate operations against either/or Active Directory and/or ADAM...

Well the answer is simple: Microsoft would have to support SPML, which it doesn't.

Sorry, what did you say? Use MMS/MIIS/ILM/ILM"2"? Oh, well then MMS/MIIS/ILM/ILM"2" would have to support SPML. Nothing at Microsoft supports SPML.

The stock answer from across the snowy street will be "Hey, that's what WS-Provisioning is for." So let's take a look at the WS-Provisioning support for Active Directory, Active Directory Application Mode (ADAM, aka AD LDS) and MMS/MIIS/ILM/ILM"2": Hmmm, same answer as before. Seems nothing supports WS-Provisioning either.

Personally, I love SPML. We support SPML 2.0 in our ActiveRoles Server (ARS) and, in fact, many of our customers use it in conjunction with Sun's identity products.

Well James, guess you're out of luck buddy. Sorry.

Technorati Tags:
, , , , , , , ,

Wednesday, December 03, 2008

If you aren't adding value...


I'm in Frankfurt, Germany attending Gartner's Strategy and Technology conference. This is the first time I have attended this type of show. As you know, I typically hang out at the identity management related shows. This show as been very interesting for me because the discussions have been less product-centric and much more strategic oriented.

There are a number of topics that I am going to blog about regarding what I've seen at this show and the customers I have talked about but I wanted to focus this post on value. When I say value I don't mean the value that infrastructure software or hardware might be delivering to your company but the value that YOU yourself are delivering to your company.

In case you haven't noticed, we as an industry and as a global economy have hit a dip in the road. I don't think we know if what we've hit is a dip, a hole, a canyon or a chasm. Either way, many companies have decided to scale back their spending or are actually laying off staff. A long time ago I learned that during turbulent times the best thing to do is put your head down, do your work, show the value you are adding and continue to deliver on your commitments. In other words, continue to deliver value to your company, your peers and your managers.

Today, delivering value really means showing how you are helping to reduce costs and improve operational efficiency. This is also known as: Doing more with less. So is the role within your company to improve IT operational efficiency or helping to reduce IT costs? If so, put your head down, do your work and show your value.

If you are not involved in helping your company to reduce costs and improve operational efficiency then I think you need to put your head down and start making some telephone calls. Companies are focusing on costs right now. If you are focused on helping to reduce costs then great. If you are focused on "rocket science" projects then you may be at risk. What are some of the specific "rocket science" areas that are at risk? Compliance, security "policy", cloud computing, software/security/identity as a service, risk analyst or advisor are areas that I'd not want to be in at the moment. I've met a number of people who are now re-tooling their business cards from one of these soft and squishy titles to something hard like firewall expert or intrusion detection expert.

Companies are going to focus on cost savings more and more as this "dip" in the road continues. "Rocket science" projects are being canceled or, at best, being delayed. From what I am seeing over here in Europe my advice would be to ensure that you, in your role today, are helping to deliver hard savings, economies and improved operational efficiency to your company.

Are you adding value?

Technorati Tags:
, ,

Tuesday, December 02, 2008

Help Don out by answering a short survey

Don Jones - one of the most well-known PowerShell trainers, speakers, evangelists and community members is running a survey on his ConcentratedTech site. They have a bunch of $100-$500 certificates to give away, but more importantly this should help them optimize their site for better user experience.

So if you have a few minutes, here’s the survey link.

Technorati Tags:

Thursday, November 20, 2008

Welcome Joel Oleson - prominent SharePoint blogger!

I am thrilled to see that Quest has hired prominent SharePoint blogger, trainer, evangelist and architect Joel Oleson as a senior product manager in our SharePoint group. Joel will be working closely with Quest's SharePoint team to help set product direction and strategy for our SharePoint products, while continuing his evangelism and blogging efforts.

Seems like Joel also spent some time aboard the "good ship lollipop" where he was a senior technical product manager for IT professionals around SharePoint. He designed the first Microsoft global deployment of SharePoint, as well as the extranet and hosted SharePoint deployments at Microsoft.

Joel’s well-read blog, www.sharepointjoel.com is one of the top SharePoint IT blogs and I'll definitely add his blog to my reading list.

You all know the issues and problems related to distributed ("federated") access to SharePoint sites as it relates to identity management. I'm going to be leaning on Joel for his expertise to help me better understand SharePoint. I'm glad to see he's joined us!

Welcome, Joel!

Technorati Tags:
, , , ,

Wednesday, November 12, 2008

What are you waiting for? Cybertheft is getting bolder!

I’m flying back from the Gartner IAM Summit and reading a story in today’s USA Today titled “Cyberthieves mine for corporate data nuggets” and I can’t believe how bold cyberthieves are getting. Here’s the jist of the story…

  • Cyberthief observes an employee entering their userid and password while they are at an airport, coffee house, hotel lobby or at a conference.
  • Cyberthief logs onto the employee’s company network and finds an internal web server that they can compromise. In the USA Story they added a link to an internal employee website that discussed a charity.
  • Unsuspecting employees clicked on the link which took them outside their internal network and downloaded a program that basically dumped their My Documents folder over the Internet and into the hands of the cyberthieves.
Over 300 PCs fell to this attack which means 300 My Documents folders were dumped. Amazing.

Some questions for all of us and a few comments:
  • Many companies are still employing a hard-outside, soft-in-the-middle approach to security. Once a firewall is bypassed the cyberthief has unfettered access. That’s why security professionals push for “defense in depth”. Clearly, in the case above network monitoring tools could have seen the unusual jump in connections and data traffic and perhaps started shutting down ports or the internet connection. Are you taking a defense-in-depth approach to your network security?
  • Look at you’re My Documents folder right now. Anything in there that you wouldn’t want a competitor to see? Yes? Is it encrypted? If not, why not? How are you going to protect yourself against this type of attack? (As I write this I am busy encrypting a lot of files!)
  • How strong is your front door? Are you still only requiring a username and password to access your network remotely? If you are using some sort of two-factor authentication like a smart card or one-time password token then you are ahead of the curve. If you are not, then you are protecting your network with the equivalent of a screen door. I’d bet that 95% of cybertheft could be prevented if companies deployed two-factor authentication.
I’ve had many people ask how they can justify security projects. I go to the dentist twice a year because I’ve had a root canal and I don’t want to go through that pain again – ever. So I pay for this as a preventative measure. Your equivalent to a root canal – as a company – is being featured in USA Today or the Wall Street Journal.

Don’t just think about it. Do something before it is too late.

Technorati Tags:
, , , ,

Gartner's IAM Summit 2008 - Day 2

Here's my summary observations of the most interesting sessions I sat in on Day 2 of the Gartner IAM Summit...

The Future Panel: User Centric Identity



Awesome panel that Gregg Kreizman from Gartner moderated. Kim Cameron (Microsoft), Dave Nikolesjin (CIO, Province of British Columbia), Dale Olds (Novell) and Frank Villavicencio (Citigroup) were the panelists. It was interesting that the CEO of JanRain was listed as a panelist in the agenda but didn't show. That was too bad since hearing his viewpoint regarding the likes of InfoCard would have been interesting.

The most interesting points to come up in this panel were that claims could be used for authorization (Kim), PKI is being stretched and will not be elastic enough for use as claims or roles transport packages (Frank), and how if the lawyers get involved in this business we're cooked (Dave). It was great to hear Kim discuss how much Microsoft was trying to break down internal barriers to enable InfoCard use across their enterprise. Also, Dale's comment about how far we have managed to come in two years was bang on - the industry has moved forward around identity but we sure have a long way to go yet.


Oracle's session on Services Oriented Security



Amit Vasuja did a good job outlining some of the problems in this space and how Oracle is addressing them. He pointed out a great hole that we have in the authorization space: "Need for open standard authorization API based on XACML". I couldn't agree more. Oh, yes, and with bindings to all the popular languages out there including Ruby, Perl, .NET and, of course, Java.

Trust in a Heterogeneous World

Jim Hosmer, Principal Architect at Lockheed-Martin gave this presentation right after mine and it was awesome. What I liked the most about Jim's presentation was how he discussed the two approaches to dealing with heterogeneity in an organization: manage or integrate. Manage is easier but yields less benefits whereas integration is harder but yields the most benefits. Lockheed-Martin chose to integrate. Jim outlined the technical challenges they had, the solutions they picked and how they are integrating over 140,000 users and thousands of systems to enable trust in their widely dispersed company. Oh, and it is all based on Active Directory! If you'd like a copy of Jim's slides drop me an e-mail.

From Gartner IAM Summit 2008


Next stop on the reality tour: Gartner Strategie & Technologie Konferenz 2008 in Frankfurt, Germany from Dec 2-3. See you there!

Technorati Tags:
, , , , , , , ,

Tuesday, November 11, 2008

Who is the talk of the town at Gartner's IAM Summit 2 - Part Deux

Yesterday, I mentioned which exhibitors were the talk of the showfloor. Today, I wanted to mention who was the talk of showfloor because they weren't here:
  1. Novell
  2. Microsoft
Now, in defense of both they have some awesome speakers here in Dale Olds (Novell) and Kim Cameron (Microsoft). That said, with all the recent announcements out of Novell (w/Aveksa) and Microsoft (ILM2, Geneva, Azure) I was hoping to see more of a presence...

No one mentioned not having Google here but we already know they don't understand identity.


Technorati Tags:
, , , ,

Monday, November 10, 2008

Who is the talk of the town at Gartner's IAM Summit 2008?

Top three vendors people seem to be buzzing about...
  1. Symplified
  2. Aveksa
  3. SailPoint
I don't necessarily mean that people are writing checks at their booths but that either folks are asking me what I think or know of them, or I am overhearing discussion about them amongst the attendees...

I think all three of them fit - more or less - into what Earl Perkins was talking about earlier: identity management as a business enabler.

Technorati Tags:
, , , ,

Gartner's IAM Summit 2008 - Day 1

Here I am at the gorgeous Gaylord Palms Resort and Convention Center in sunny Orlando, FL attending Gartner's IAM Summit 2008. This is Gartner's third summit and looks to be well attended from what I saw at the keynotes this morning. As usual, I am working my Canon camera and if you click on the pictures below you can see what and who I've been capturing.



I'm hoping for an exciting session like the one Gartner's Neil MacDonald gave last year titled: "Everything You Know About Identity Management Is Wrong". That was awesome.

Earl Perkins followed Ray Wagner's welcoming comments to the attendees. Earl spent a lot of his time talking about how IAM is maturing and needs to continue to grow up. His session was titled "IAM: Enabling Governance and Risk Management in an Age of Business Challenges". I agree that IAM is growing up but, as Earl stated, it's still a teenager and there's a lot more maturity needed before we really see IAM enabling the business and not just enabling IT. In Earl's words: IAM as a transformational technology. I couldn't agree more. I think we've just barely scratched the surface of IAM as a truly transformational technology. Yes, we've definitely made lots of progress with IAM as an IT enabler but not as a business or transformational technology.

I think this is one of the biggest challenges facing software vendors today. Building that bridge between IT enabling software to business enabling technology. This is a big obstacle to overcome because most of the people who create software come from a computing or IT operational background rather than a business operational background. Sure, many of us in computing have taken business courses but do we actually understand risk management, compliance and audit?

We need - as vendors - to help our customers move from automating infrastructure procedures to enabling business processes. We've started down that path with things like self-service password management, workflow automation, role management and mining (etc.), but we do have a long way to go still.

Earl loves to use quotes in his slides to mix things up. Here's a couple of the most notable ones from his presentation today:

  • We can dispense with the pleasantries, Commander. I am here to get you back on schedule. - Darth Vader.
  • Sooner or later all thinking and planning has to degenerate into work. - Peter Drucker
I'll post more as the conference evolves!

p.s. Mark your calendars now: Gartner's IAM Summit 2009 will be Nov 9-11 in San Diego, CA

Technorati Tags:
, , , ,

Tuesday, November 04, 2008

Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

That's the title of a U.S. Government Accounting Office report on this topic. Here's the major finding (emphasis is mine):
From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB’s encryption requirements for mobile devices, specifically portable media. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification.


This doesn't make me feel very good. A personal yet related note from my privacy dealings today:

  • My son is having a crown repaired at a new dentist down here in Torrance, California.
  • Dentist wants to verify his (my) insurance so he asks for my social security number. I refuse to give it.
  • Dentist calls my insurance provider and then asks me my zip code which I do provide.
  • Dentist appears and claims that everything is good with the insurance.
Of course, my immediate question was "If all they needed was my zip code then why didn't they simply ask for it instead of my social security number? After all, it's five digits versus nine!" Frankly, I could care less if the dentist's records were compromised with my zip code. I do care if he has my social security number and they are compromised.

The moral of the stories above is we need some attitude adjustment in both the government and commercial sectors regarding privacy. I adjust my attitude pretty quickly when it comes to my continued employment so it is a good motivator. We need to do more of this around protecting private information.


Technorati Tags:
, ,

Thursday, October 30, 2008

Microsoft's Geneva

I mentioned in my previous post about The Experts Conference that the most interesting sessions will be about identity as a service, identity in the cloud and software as a service. It's pretty clear from what's been going on down at the PDC that identity is being featured pretty darn heavily.

Let me draw your attention to Burton Group's Gerry Gebel and his post on this topic: Microsoft and the SAML protocol come together in Geneva which sums things up pretty well. Microsoft's support for SAML 2.0 is key and, in some ways, earth shattering. My hat is off to Kim because I am positive he help drive Microsoft to this conclusion. I've always believed that interoperability is the first step to migration. You may never migrate, or you may take a long time before you migrate but having interop gives you doors to go through that were previously locked.

Gerry asks the following:
The next step we’re waiting to hear about is entitlement management and policy enforcement. Today, that is still handled by the developer within the business application. Will Microsoft also externalize that function a la entitlement management tools?

I sure hope so. Oh, and if (when) they do, we will move from earth shattering to galaxy shattering. Whether you will use Microsoft Geneva or use the entitlement management tools they might (or might not be) building doesn't matter. What I do know is that when Microsoft enters a market they tend to put tremendous downward pressure on pricing. I don't know about you but I certainly don't want to pay hundreds of thousands of dollars for entitlement management tools or federated interoperability products. I absolutely want to see Microsoft jump into these pools! If you, Mr. Customer, are looking at any of these solution you will also want to see Microsoft jump into these pools.

Technorati Tags:
, , , , , , ,

Wednesday, October 29, 2008

Simplify identity management for compliance and security

Interesting tidbit in CIO Magazine -
One of the common requirements of regulatory compliance is to reduce complexities and redundancies in the network so data can be better tracked and protected. A side benefit is that fewer complexities means few opportunities for a security failure, especially in an organization where staffing and tech savvy is in short supply.

Simplify, integrate and consolidate - then manage.

Technorati Tags:
, ,

Tuesday, October 28, 2008

Shouldn't Single Sign-on be Child's Play?


I'm co-presenting this webcast next week - on election day - with Kevin Remde from Microsoft. Please join us - after you vote, of course!

ABSTRACT: Authentication technologies such as Single Sign-On (SSO) can help security personnel face the challenges of managing and securing user identities and passwords while also providing control across multiple applications and platforms.

Check out this webcast and learn about:

  • Different SSO options that are currently available and tips for choosing the best tool for your company
  • Enterprise SSO benefits and when synchronization is most appropriate
  • When directory consolidation and integration with Active Directory are the best choices
See you next week and what an exciting week it will be!

Technorati Tags:
, , , , , , ,

Friday, October 24, 2008

The Experts Conference - early bird registration

TEC 2009 early bird registration expires in just eight days – and this is the lowest price you will pay for TEC this year. You can visit the web site - http://www.tec2009.com - for details on the themes, speakers, topics, and workshops featured in the TEC 2009 line up. Here are my favorite sessions that are currently on the agenda:

  • Welcome & Keynote by Microsoft: Stuart Kwan, Group Program Manager, Federated Identity and Security; Alex Weinert, Group Program Manager, ILM; Group Program Manager, Directory Services. Obviously, this session will provide the latest and greatest view into Microsoft's IAM strategy.

  • Federation Gateways - The Key to Supporting Platform-Specific Applications in Heterogeneous Environments: Nick Nikols, Novell. Lots of talk about cloud computing, software and identity as services so I'll be interested in Nick's view on this hot topic.

  • Implementing an Identity-Based Solution using Microsoft's Cloud Based Infrastructure: Danny Kim, Full Armor. Identity as a Service - enough said!

  • Notes from the Field: Deploying Secure SSO to the Internet and Back: Dave Jones, Cisco. I'm interested in this to see if there's a tie-in between what Dave is going to talk about and Cisco's Securent acquisition.

Those are my top picks for TEC 2009 and there are many more awesome sessions. Check them out and take advantage of the early bird registration.

Technorati Tags:
, , , , , , , ,

Wednesday, October 15, 2008

NetPro integration roadmap announced

If you are interested in what the integration roadmap between NetPro and Quest is you an find it right here. In summary:

Decisions on the product roadmap were made in the following key areas:

· Active Directory: Quest will move forward with several NetPro products, providing superior auditing and reporting, efficiency, and availability.

· Identity Management: Quest will expand its leadership position by continuing to develop key NetPro products for identity management and compliance.

· Compliance: Quest will enhance its robust portfolio with key NetPro products to provide better visibility, auditing and alerting, and change prevention.

· Exchange Server: Quest will integrate the best features from NetPro’s Exchange Server products and technologies into the existing Quest product line.

· SharePoint: NetPro’s early SharePoint development efforts will be integrated into the development of upcoming Quest products that support SharePoint.

Product support for discontinued products will continue through the end of 2009. In cases where Quest has made the decision to end the sales and development of a product, customers on current maintenance contracts will receive the go-forward product at no additional license cost.


Technorati Tags:
, ,

Monday, October 13, 2008

Does the TSA need an IDM system?

I'm over in Amsterdam meeting with customers and the story on the front page of USA Today caught my eye: "Report slams TSA failure to track security passes". In reading the story it was quite apparent that the TSA has an identity management problem. What are the interesting facts?
Investigators found numerous cases in which former employees retained their passes long after they had left the agency.

I wonder if this means that they just never returned the passes and they were inactive or if the passes they had would still work? I wonder if the connection has been made between the physical access system and the IDM system? (Does an IDM system even exist?)

In 73 cases, officers left TSA jobs, but offices that monitor airport security passes were not properly notified.

No workflow or notification exists between systems obviously. Or, maybe one does exist and it simply isn't being responded to in a timely fashion. Sometimes, automation can only take you so far. (I've even seen cases where the workflow was being sent to an unmonitored or disabled mailbox.)

One security officer had an active pass to the airport's secure areas for 827 days after leaving the agency.

Ouch, more than two years? Proof positive that there either isn't an IDM system in place or that the TSA's implementation of an IDM system did not connect the physical and logical access systems together.

I was asked during a presentation last week how you justify an IDM implementation based on security. There's an answer above!

Technorati Tags:
, ,

Friday, October 10, 2008

New Defender5 case study - RSA switch

One of our customers - The Longaberger Company - has switched off of RSA's SecurID infrastructure on to Quest's Defender5. Why? Because of our integration with Active Directory and the Windows platform...
“With RSA SecurID®, our previous solution, we had to have a separate administrator manage the system. Since Defender integrated so nicely with Active Directory our AD administrators now support two-factor authentication as part of the responsibilities. The added functionality that integrating with AD provided, coupled with the cost savings of Defender enabled us to get a technically superior solution at a lower cost of ownership.”

It's much easier for a company to leverage their Windows helpdesk and Windows administrators than it is to spin up specialized staff and technically challenging synchronization between RSA's solution and Active Directory.

Just use Active Directory - it's no longer a specialized directory that few people know!

Technorati Tags:
, , , , , ,

Tuesday, October 07, 2008

Matt's Litmus Test

Matt Flynn posted on a litmus test for metadirectory versus virtual directory a couple of days ago. He quoted Divya Sundaram of Motorola:
If you front-end data (or a data store) that you don't own (or don't have control of), then you need to replicate/sync data (instead of virtualizing the view).
I might not be reading it correctly or maybe Matt's notes are slightly off but I always thought it was better to use a virtual directory for data that you don't own. A good example here would be HR data. The typical metadirectory or IT/IS project is not going to have read/write access to the HR system so there's no real need for a metadirectory, per se, as the metadirectory will never be writing back to the HR system. From my perspective if you "own" the data store then you can replicate or synchronize the data in it. If you don't own the data store then you can only pull (read) from it.

I completely agree with Matt that both virtual directories and metadirectories should be part of your overall toolbox. I look forward to the day we won't need to make this distinction anymore.

So I am not sure if we have a pure blue and pink litmus test for this yet...

Technorati Tags:

Monday, October 06, 2008

IDM conference in Asia

I saw some information on this conference that's taking place in Singapore a few weeks ago and thought I'd pass it on:

Take advantage of this unrivaled networking opportunity that’s combined with 2 days of cutting-edge content delivered by industry leaders and specialists. With our finger on the pulse of the region’s Identity management industry, we are proud to once again witness the remarkable development of this dynamic market.

Interesting how we are starting to see more and more of the traditional physical access management vendors attending and sponsoring these events. Makes you wonder if there's a convergence happening between physical and logical access? (That was a rhetorical question!)

Technorati Tags:

Sunday, October 05, 2008

Time-warped in Toronto

The reality tour took me to Ottawa, Montreal and Toronto last week. I was visiting with customers and partners like Avaleris and Itergy. On Friday, I had the opportunity to present to the "Federation of Security Professionals" in Toronto. The keynote speaker was Jim O'Donnell who is the CISO of the Royal Bank of Canada.

From Toronto

I was the second last speaker of the day and as I sat through the presentations - all of which were excellent - I began to feel like I had entered a time-warp. Back in 1993, my career forked from the mainframe world of my first employer to a new employer who wanted my technical evaluation of something called Banyan VINES. Fast-forward to Toronto and suddenly I am hearing, throughout the day, terms I have not heard in over 15 years...
  • Daz-Dee (DASD) - Direct Access Storage Device - A mainframe disk drive.
  • Vee-Talk (VTOC) - Volume table of contents - The "directory" for the DASD.
  • Jez (JES) - Job Entry System for MVS.
  • Emm-Vee-Ess (MVS) - Multiple Virtual System - The operating system for IBM mainframes.
  • Rack-Eff (RACF) -Resource Access Control Facility. Security and access control system for IBM mainframes.
  • Kicks (CICS) - Customer Information Control System. General purpose monitor for terminal-oriented and inter-system transaction processing in z/OS.
All those terms being thrown around made me realize that the mainframe was still very much alive and well, and I was old - but the worse part of the day was walking down Yonge Street (the longest street in the world) in downtown Toronto that evening and realizing that Sam the Record Man was closed down. For 60 years it was the place for records and now it's boarded up. Yonge Street is beginning to look more and more like Trafalgar Square or Times Square as the years go by. I'm not sure if that is good or not.

This week (Oct 5-7) I will be speaking at Digital Identity World 2008 in Hamburg, Germany. Will I see you there?


Technorati Tags:
, , , ,

Tuesday, September 23, 2008

Oslo, Microsoft not Oslo, Norway

I've been to Oslo, Norway - and it's wonderful - but Oslo, Microsoft is definitely a place to get more familiar with. The front cover of the Sept 8/08 E-Week featured Microsoft's Oslo. Oslo is all about making it easier for developers to develop distributed applications which in today's parlance means Web-based and services oriented. I think the article was also interesting in describing how Microsoft's BizTalk Server is going to play a significant role "in the cloud".

There are other articles about the origins of Oslo and the "D" language that was (is?) being developed at Microsoft to support developing Oslo content. I'd recommend taking the time to read the articles. A significant part of the Microsoft Professional Developer Conference (PDC) is going to be dedicated to Oslo including a delivery of the first Community Technology Preview (CTP) for Oslo.

If you check the agenda for the PDC you'll see there are 26 sessions on "cloud services" in addition to 5 sessions on Oslo specifically compared to 14 on SQL Server, 8 on identity and only 5 on "Windows 7". Hmmm, I wonder where Microsoft is focusing?!

Technorati Tags:
, , ,

Monday, September 22, 2008

Netpro and Quest - Now the real work begins!


I mentioned in a post last week that a bunch of people from both Quest and NetPro were locked in a room in Aliso Viejo figuring out our go forward plans for both sets of products. I think we made awesome progress last week in at least determining which were the best products wherever there was overlap. Now the technical guys are going to figure out the finer details of what, if any, engineering work needs to take place to ensure there is no loss of functionality based on the preliminary discussions. We are pretty much still on target for announcing our roadmap plans on Oct 15.

Dave Kearns over at Network Computing recaped the acquisition in his story "Two Classy Organizations are Now One". He asks an interesting question:

What happens to NetPro's TurboCharge after its meger with Quest?

As usual, Dave poses a good question. We definitely discussed TurboCharge so I think it is safe to assume that we'll disclose our plans regarding it on Oct 15, too. I will go out on a limb and tell everyone that I went ahead and made the (easy) decision that we would continue with NetPro's MissionControl for Microsoft ILM product. MissionControl proactively troubleshoots and diagnoses issues with ILM servers, management agents, and connected databases along with providing auditing and reporting on critical configuration changes as they occur.

My compliments to everyone involved last week. We shared a lot of laughter during the meetings. Everyone is excited!

Technorati Tags:
, , , , , , , , , ,

Thursday, September 18, 2008

Adobe expands their SSO efforts

Today, we announced an expanded OEM agreement with Adobe Systems Incorporated to help organizations simplify their identity and access management needs. The agreement provides single sign-on to Adobe LiveCycle products in Java environments with Active Directory. Basically, with this capability, organizations can strengthen authentication and authorization for electronic forms, process management and document security.

The last sentence of the quote from Jonathan Herbach at Adobe really sums up Quest's strategy nicely:
Our customers need to know that they have more secure and compliant access to the documents we help them manage, and they want this access without the need to manage multiple identities and access roles across their heterogeneous environments," said Jonathan Herbach, product manager for LiveCycle Rights Management at Adobe. "With Quest's single sign-on technology included in the LiveCycle suite, we can offer our customers increased security without implementing more infrastructure."

Without implementing more infrastructure - aka, yet another directory service.

Technorati Tags:
, , , , ,

Tuesday, September 16, 2008

NetPro & Quest - Getting down to brass tacks

Friday we acquired NetPro. Monday we're all in a hotel meeting room trying to figure out our move forward plan. That's Mark Armstrong (NetPro's CTO) giving us a detailed review of NetControl which is the framework for NetPro's common console and tasks like workflow and approvals. Awesome stuff! Mark was joined by Rod Simmons (NetPro's Director of Product Management) and Heather Dunn (NetPro's Director of Product Marketing).

What our marching orders? Ensure that none of our joint customers are disadvantaged by the acquisition or our product plans moving forward.

Gil Kirkpatrick and Christine McDermott will be joining the fun on Wednesday for the rest of the week. Hopefully the oxygen in the room holds out.

Wish us luck!




Technorati Tags:
, , , , ,

Monday, September 15, 2008

Google, age and single sign-on

Kim Cameron and I were talking this weekend and he mentioned he was about to post regarding Google's recent single sign-on and SAML "faux pas". Kim does a fine job of pointing out the problem and providing references to the relevant material. However, there are a few lines that I thought were interesting and made me think a bit about Google from a different angle:

But the surprising fact is that the errors made are incredibly basic - you don’t need an automated protocol verification system to know which way the wind blows. The industry has known about exactly these problems for a long time now. Yet people keep making the same mistakes.

(snip)

But let’s face it. As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago. There must be better processes in place. I hope we’ll get to the point where we are all using vetted software frameworks so this kind of do-it-yourself brain surgery doesn’t happen.

I've heard from a number of people who have either joined Google, been acquired by Google or interviewed at Google that they seem to place particular reverence on young, hip, styling, hot, recent graduates from name brand schools. Of course, this makes me think that they may not revere the more mature, industry (and customer) schooled professional who has been around the block more than once. Could Google's predilection for those who have just emerged from the fountain of youth have contributed to this SSO "disaster"? Obviously, I don't know if it is a contributing factor or not but I do wonder.

But, if Google is looking for someone more mature, who has been described as beautiful by many, is gregarious and outgoing, then look no farther and click here.

Technorati Tags:
, , , ,

Friday, September 12, 2008

Quest acquires NetPro Computing

Yes, we did. Today. A pretty amazing event if you ask me. See the press release here.

When I was at Microsoft I got the opportunity to work closely with Kevin Hickey, Gil Kirkpatrick, Christine McDermott and many others from NetPro. I'm looking forward to working with them as fellow Questies now. Welcome aboard, guys!

Maybe I'll finally get to speak at "The Experts Conference"? Yah, I know, but even I have to have a dream, a goal, something to aspire to...



Technorati Tags:
, , , , ,

Friday, September 05, 2008

September 5, 2008 - Links and Commentary

I'll be at DIDW 2008 next week!
Blogging live, of course. I hope I see you there!

Fire and Motion Strategy
I love this article - a simple and succinct strategy.

How Microsoft IT Manages its Active Directory Schema
A webcast and detailed document on how Microsoft does this.

The Laws of Identity - Pamela Style
Pam did a great job on a "less internerdy version of the Laws of Identity".

Looking for a change? Quest has IDM related job openings:
At our Lindon, Utah office which primarily focuses on our Vintela products, authentication, authorization and Java. Click here.

At our Somerset, UK office which primarily focuses on our security products. Click here.

Upcoming events I'm attending or speaking at:
Digital ID World 2008, US
I'll be attending this conference being held September 8-10 in Anaheim, CA. I hope to sit in on some great sessions and meet up with various identity management cognoscenti. Will you be there?

Digital ID World 2008, Europe

Quest is sponsoring this event in Hamburg from Oct 7-8. I'll be speaking so I do hope to see you there!

Burton Group Catalyst Conference Europe, Prague
It's been a few years since I've attended a Catalyst Europe event - I think my last one was the 2004 event in Monaco. This one is in Prague from Oct 20-23! Quest is also sponsoring this one.

Gartner Identity and Access Management Summit
This is a (the?) key identity management event. It's being held in Orlando, Florida from November 10-12, 2008. Mickey Mouse will be there, will you?

Technorati Tags:
, ,

Thursday, September 04, 2008

Death of passwords? Not quite yet!

On Valentine's Day 2006 Bill Gates talked about the need to move away from passwords:

"I don't pretend that we are going to move away from passwords overnight, but over three or four years, for corporate systems, this change can and should happen,"

So we are about 2.5 years after that speech by Bill and 52% of enterprises still only require passwords to access critical data. That's one of the many data points that came up in a recent Aberdeen study that we underwrote regarding strong authentication. Some of the other interesting statistics include:

Other key findings of the Aberdeen benchmark study include:
  • 88% of enterprise users have multiple work-related passwords, averaging between five and six
  • 64% of organizations do not even require users to change their passwords
  • 45% of organizations allow standard dictionary terms (like “password”)
  • 29% of organizations have no requirements for password length
I wish I had a comparable study from a few years ago so I could answer questions like: Have we improved our security related to password and strong authentication and how?

Do you think we have improved much since Bill's RSA keynote speech? I'm not feeling all warm, cozy and secure...

Technorati Tags:
, , , , , , , ,

Tuesday, September 02, 2008

User-centric or Identity-centric or both?


Dave Kearns penned an article on the difference between user-centric and enterprise-centric identity. He right-brained a post by Kim discussing user-centric identity and a recent post by mine talking about identity consolidation and came up with this:
Enterprise-centric identity management is really all about tying together all the activities and attributes of a single entity into a readily accessible (and reportable and auditable) form. User-centric identity is about keeping various parts of your online life totally separated so that they aren’t accessible and no report can be drawn.

Kim is our identity crusader. Me? I work for the Ministry of Information...

P.S. I think the answer is that we need both.

Technorati Tags:
, ,

Thursday, August 28, 2008

August 29, 2008 - Links and Commentary


Wi-Fi Warfare
Interesting article about how crooks stole 40 million credit card numbers through unsecured access points! How many companies check for rogue wireless access points? Anyone can plug one in.

University of Washington - An IT School To Watch
The University of Washington here in Seattle made this ComputerWorld list. Not only that, but they are also the least expensive of the schools listed.

Looking for a change? Quest has IDM related job openings:
At our Lindon, Utah office which primarily focuses on our Vintela products, authentication, authorization and Java. Click here.

At our Somerset, UK office which primarily focuses on our security products. Click here.

Upcoming events I'm attending or speaking at:
Digital ID World 2008, US
I'll be attending this conference being held September 8-10 in Anaheim, CA. I hope to sit in on some great sessions and meet up with various identity management cognoscenti. Will you be there?

Digital ID World 2008, Europe

Quest is sponsoring this event in Hamburg from Oct 7-8. I'll be speaking so I do hope to see you there!

Burton Group Catalyst Conference Europe, Prague
It's been a few years since I've attended a Catalyst Europe event - I think my last one was the 2004 event in Monaco. This one is in Prague from Oct 20-23! Quest is also sponsoring this one.

Gartner Identity and Access Management Summit
This is a (the?) key identity management event. It's being held in Orlando, Florida from November 10-12, 2008. Mickey Mouse will be there, will you?

Technorati Tags:
, ,

Privileged account mismanagement

I'm sure I've mentioned a few times how I think that privileged account management is a key aspect of identity management that most IDM vendors simply do not address in any way, shape or form. We have posted a white paper titled: Resolving the Privilege Management Paradox that discusses this problem so I invite you to take a look if you're unfamiliar with this area.

City officials lost administrative control of the network's routers and switches for more than a week after an IT worker allegedly reset passwords and refused to reveal them prior to and after his arrest on July 13.

If you would like to read about how the City of San Francisco is suffering through this right now here are some articles you may want to peruse:
This is a classic identity management problem.

Technorati Tags:
, , ,

Wednesday, August 27, 2008

Red Hat's push into identity management - part deux

It's time to following up on my previous post on this topic. Again, I'll make reference to Steve Coplan's (The 451 Group) impact report on "Red Hat identity management push takes shape" which was published on 24 July 2008 and Steve's analysis of Red Hat Enterprise IPA (Identity, Policy, Audit) product.

Steve makes this statement:
...it's useful to consider that AD is certainly the most pervasive directory and certainly there is no rational reason to try and displace it as the directory for Windows systems.

Obviously, you'll get no argument from me about that statement. However, what struck me is the inference to AD and Windows in a discussion of Red Hat's identity management push. I suddenly realized the complete and total vacuum that Red Hat and all of the other Linux (and Unix) operating systems have: a set of network and identity services that would provide similar benefits as Active Directory, Group Policy and Windows services like distributed system and security logs. Red Hat's IPA is the first step towards filling this vacuum and Red Hat has the advantage of seeing the mistakes that have been made and appear to be building something by starting with identity-based building blocks. Steve draws all this out very nicely in his paper.

I asked the question in my last post: Is this a strategic move for Red Hat or a tactical effort - as Steve paraphrases it - at "AD (Active Directory) containment"?

Answer: I think it is very strategic for Red Hat. I think AD containment is secondary but would be a benefit if the strategy is successful. In order for Red Hat to be successful they need to enable the management of Red Hat machines, identities and services in a distributed, replicated fashion. IPA v2 is the first step towards that goal. If Red Hat builds a foundation based on identity, externalizes authorization, incorporates roles and provides a centralized audit and log capability they will certainly have a leg up on achieving their goal. In the Web 2.0, Identity 2.0, whatever 2.0 world we are heading into there is a big need for "a distributed architecture that enables a policy-driven, dynamic model of managing how users interact with systems and data". That's where Red Hat is heading and it is very strategic. Without this, Red Hat will never break away from its traditional workloads in any significant way nor will it be significantly distinguishable from any of the other Linux or Unix systems that are out there today.

P.S. My thanks to Steve and The 451 Group for allowing me to quote from their report.

Technorati Tags:
, , , , , , , , ,