Friday, March 28, 2008

Our first Defender case study

We just published our first Defender case study: "ScriptLogic Makes the Logical Choice for Two-factor Authentication". Defender is the two-factor authentication product that we got as part of the PassGo acquisition. I think it is an awesome product (people internally at Quest are probably tired of hearing me say this!) and with our first quarter coming to a close I am sure we are going to exceed our targets for Defender.

While I enjoy competition, and especially winning deals that our competitors fight hard over, there is a special joy to every competitive deal we win with Defender: nearly every customer I have talked to tells me that because Defender is less expensive they are able to purchase more and thus expand and strengthen their company's security posture. The customer had 500 of someone else's tokens and now they can afford to purchase 1,500 or 2,500 tokens. Really awesome. That's exactly what happened at ScriptLogic.

Check out the case study.


Wednesday, March 26, 2008

New Orleans Product Management Meeting

Last week the Quest Active Directory and identity and access management teams spent three beautiful days in New Orleans. I was particularly happy to visit New Orleans since I had not been there since Katrina, and I was happy to have Quest meet there and, in our own way, support the local economy.

We had a couple of days of training followed by a day of team meetings. Our guest of honor on day three was Earl Perkins from Gartner. Earl came in to talk to us about his views on the identity management market. I think we challenged Earl in a number of areas and had some great "back and forth" with him. I know our team appreciated having Earl come by and talk with us. Earl, we really appreciated having you spend time with us - thank you, sir!

We spent the rest of the day talking about authorization, web single sign-on, common engineering practices and demoing some of the integration that has been accomplished between the Quest and recently acquired PassGo products.

One of my colleagues visited the gallery of his favorite artist and further contributed to the local economy by purchasing one of his original works! The stars aligned because the artist hadn't titled the piece yet so Shawn requested that he call it "Shawn's Place". Congrats on your first acquisition, Shawn!

Lots of cool stuff happening around the product lines. I wish we could get stuff out faster!


Monday, March 24, 2008

Critical bugs bite MIT Kerberos

Just happened to catch this article today. Here are the important bits:

Multiple critical vulnerabilities have been discovered in version five of the widely-used Kerberos authentication protocol. The most serious of the bugs create a means to either compromise or crash vulnerable systems.

Exploits are yet to surface and patches are available. All releases of MIT Kerberos 5 up to and including krb5-1.6.3 are affected.

An overview of the bugs by security clearing house Secunia can be found here. A summary of the products affected - along with responses from vendors - has been published by US CERT here and here.

What's the key take-away? Numerous companies ship MIT Kerberos with their product(s), like Centrify (here, here and here), and, in fact, may even customize it. I wonder how companies affected by these published vulnerabilities handle the following:

  • Patching their own customized versions of MIT Kerberos to work around these and other bugs (for all versions of their software!)?

  • Notifying their install base to update to the patched, more secure release?

  • Guaranteeing timely releases for critical security issues, bugs and vulnerabilities?

Who provides your Kerberos implementation? Is it up to date? Is it affected by these recent security alerts? How do you know? This is one of the reasons why Quest Software has a published guarantee that all critical security bugs will be patched within 10 business days.


Friday, March 21, 2008

Microsoft and standards - again

I've commented numerous times (here, here and here) on Microsoft's support (or lack thereof) of standards. In one other previous post I commented on the founding of the Kerberos Consortium and the important fact that Microsoft was not a founding member. In fact, I stated:

Microsoft put Kerberos on the map my friends

I'm happy to state that Microsoft is now a member of the consortium and holds a seat on the executive advisory board.

Well done!

p.s. Conspiracy theorists please take note: Google is also a member of the consortium and also holds a seat on the executive advisory board. They were a founding member. I'm sure that had nothing to do with Microsoft finally jumping on.


Wednesday, March 19, 2008

Shouldn't Single Sign-on Be Child's Play?

I'm doing a webcast next week on this topic.

We’ve all heard of single sign-on, and probably been frustrated by the limitations of “traditional” single sign-on offerings. Quest Software and DLT can help you navigate the SSO minefield and actually achieve your goals without implementing expensive, cumbersome, and limited alternatives.

  • SSO for all users and all applications based on their existing Active Directory account

  • Consolidation of non-Windows system directories into Active Directory

  • Web-based single sign-on for Java applications and remote users

If you are interested, sign up here.


Friday, March 14, 2008

Integrating, extending and securing

By leveraging standards (industry or otherwise) we have been able to benefit in a number of ways:
  • Faster time to market

  • Better and easier cross-product integration

  • Less development work on our end

Some of the standards we have leveraged with our products are well known including Kerberos and LDAP - especially with respect to Windows and Active Directory. So despite all the carping about Microsoft and standards I believe that Quest Software is a shining example of how we have leveraged these standards - for many years - to build products that fully interoperate with Microsoft and are significant revenue generators for Quest.

So where did this help specifically? One area was our integration of smart cards and PKI with our Unix, Linux and Java products. We leverage Microsoft's Kerberos and LDAP in our client software, so adding support for smart cards, while a challenge, was made much easier by the fact that the underlying protocol for this integration was Kerberos. This is the same mechanism we are using to add strong authentication support to Mac OS X.

Another "industry" standard we now support is RSA SecurID tokens. Quest Software acquired PassGo Technologies and one of their products - Defender5 - allowed us to jump into the other side of two-factor authentication: one-time passwords (OTP). In that light, we now support RSA tokens with our Unix and Linux products.

Another industry standard is OATH, the Initiative for Open Authentication: a collaborative effort of IT industry leaders aimed at providing a reference architecture for universal strong authentication across all users and all devices over all networks. By supporting OATH we are able to support a broad range of OTP products within our Defender product. We are also members of OATH.
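What "supporting OATH" buys a server is that every compliant token, whoever made it, produces codes from the same published algorithm. As an added illustration (not Quest or Defender code), here is OATH's HOTP algorithm from RFC 4226 together with the server-side check a validator needs: a look-ahead window so a token that was pressed without logging in can resync, and a stored counter that only moves forward so a captured code cannot be replayed. The secret is the RFC's own test key; the walkthrough values are constructed.

```python
# Added example (not Quest/Defender code): OATH HOTP per RFC 4226, plus the
# counter-based validation a server performs. Uses only the standard library.
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, next_counter: int, submitted: str,
                window: int = 10) -> Optional[int]:
    """Validate a submitted code against the server's stored counter.

    Tries next_counter .. next_counter+window-1 so a token that drifted ahead
    can resync, and never accepts a counter below next_counter, which is what
    blocks replay of an already-used code. Returns the new next_counter on
    success, None on failure. The comparison is constant-time.
    """
    for c in range(next_counter, next_counter + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed walkthrough: token button pressed three times before the
    # first login, so the token is at counter 2 while the server expects 0.
    state = 0
    state = verify_hotp(TEST_SECRET, state, hotp(TEST_SECRET, 2))
    print("resync accepted, server now expects counter", state)   # 3
    print("replay of the same code accepted?",
          verify_hotp(TEST_SECRET, state, hotp(TEST_SECRET, 2)))  # None
```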

I am all behind standards. I am all behind better support for standards - including pushing Microsoft to do more. And, I'm really thankful for what Microsoft has done so far.


Monday, March 10, 2008

Microsoft, XACML, SQL and Sharepoint

Over at James McGovern's blog - I couldn't agree more!

Microsoft's directory team forced to reconsider ignored standards - Would I love to see Microsoft embrace XACML? Absolutely! Reality though says that XACML is not part of the directory service. XACML does have a play in being incorporated directly into enterprise applications. I would love to see Microsoft build XACML support into SQL Server by replacing grant/revoke semantics as well as putting into Sharepoint. Of course, for Microsoft to get it right, requires them to hire an authorization czar like Kim Cameron is for identity.


Is the metadirectory dead?

Dave Kearns commented on my previous post where I stated that the metadirectory was dead. For those who were at Gartner's Identity and Access Management Summit you might remember Neil McDonald's session "Everything You Know About Identity Management Is Wrong."

The thing that struck me about Neil's session was the amount of support he received from the audience when he dove into questions regarding how satisfied audience members were with the cost of their IDAM systems, amount of consulting related to it, etc. Clearly, customers feel they are being "hosed". This is not an unfamiliar refrain - I hear it frequently when I am on the road meeting with customers.

Neil also introduced the concept of "Identity as a service" to the audience. At the Directory Experts Conference, John Fontana wrote "Is Microsoft’s directory, identity management a service of the future?" What I am stating is quite simple: I believe a big-bang around identity is coming and it will primarily be centered around web services. I hope the resultant bright star that evolves from this will simplify identity for both web and enterprise-based identity infrastructure.

Active Directory, other directories and metadirectory "engines" will hopefully become dial tone on the network and won't be something that has to be managed - at least not to the level it has to be today.

We are still working with provisioning technologies that were built in the 1990s. These technologies haven't changed much. With services-to-license ratios still in the 5:1 to 10:1 range we clearly haven't been successful from a software perspective.

A big bang is due, a big bang is needed.


Friday, March 07, 2008

Radio broadcast on our survey

I posted earlier this week on "National Security Trumping Personal Privacy". The press release regarding the results was widely picked up. If you are interested, there's a great interview of Paul Garver discussing the results on Federal News Radio. Paul is our Vice-President, Public Sector and is not only a great guy but also smokes the same cigars as I do (Partagas Black Label "Maximo").

Check it out if you're interested in the survey results. I understand we will be posting the full results shortly. I'll give you a link to the data as soon as I get it.


Thursday, March 06, 2008

Identity breach at First Tech. Again!!

Every one of our bills is paid by our First Tech Visa card - except for our local and federal taxes. Does First Tech - or any other provider - understand the cost to me to change all of our billing from one credit card to another? This is truly ridiculous.

How many times will First Tech re-issue cards and at what expense before they figure out they need to do something different? What is the cost of this to the industry and humanity as a whole?

Oh, yah, and First Tech is the bank that Microsoft recommends to new employees. Maybe they have some other recommendations for First Tech - like CardSpace (or Credentica?).


Wednesday, March 05, 2008

May the force be with you?

Let me state that this is great. I'm glad to see Microsoft is re-examining its support of standards. Check out John Fontana's coverage of this here and here.

Here's Joe Long's quote...

Joe Long, general manager of the connected identity and directory at Microsoft, said during a panel discussion at NetPro's Directory Experts Conference that Microsoft was being forced to re-examine if it would support SAML, the Service Provisioning Markup Language (SPML) and the Extensible Access Control Markup Language (XACML).

"Microsoft has introduced an interoperability promise and we are trying to understand the ramifications of that," Long said. "Hopefully we can make a commitment one way or the other in the next few months."

I guess I'm disappointed it occurs late in the game. I really felt that the acquisition of Zoomit and their metadirectory product in 1999 would be the start of an interoperability wave but it appears it might be the EU that's forcing the issue.

Better late than never, eh?


Tuesday, March 04, 2008

You won't have me to kick around anymore!

No, not me. Hewlett-Packard!

I heard about a month ago that HP was going to bow out of the IDM business. I didn't want to post anything because I felt it would compromise the person that told me. But, now that it has made the news:

Check out Burton Group's blog entry on this very topic...

Burton Group has been contacted by HP customers who report that HP is no longer going to seek new customers for its Identity Center product. We have contacted HP and the company confirms that HP Software has decided to focus its investment in identity management products exclusively on existing customers and not on pursuing additional customers or market share. HP is in the process of reaching out to each customer regarding the change.

Seriously - you thought HP was a contender in this space???!!! No, no, Nanette. Thanks for playing. Mission failure.

My friend Ian Yip also discusses HP over at his blog...

They've never really been in the Enterprise Identity Management game.

Let's be honest. The meta-directory is dead. Approaches that look like a meta-directory are dead. We talk about Identity 2.0 in the context of Web services and the evolution of digital identity but our infrastructure, enterprise identity "stuff" is decrepit and falling apart. I have visions of identity leprosy with this bit and that bit simply falling off because it was never built with Web services in mind.

I started in this area in 1993 and some of the same architectures are still out there.

There is going to be a big bang in this area. HP getting sucked into the black hole is just a step towards that...

p.s. I wonder if you can still buy "LDSU" from HP? That was Compaq's holdover from the early 1990's. Wouldn't that be funny if you could. Now there's some leprosy...


Monday, March 03, 2008

National Security Trumps Personal Privacy

Today we announced the results of our Identity Management Government Survey of federal, state, local and municipal government IT professionals conducted by Pursuant, a Washington, D.C.-based public opinion research firm. They surveyed nearly 500 customers so it's a pretty good sample.

Key findings include:

  • 51% say the heterogeneous (mixed-application) environment is “very challenging” or “somewhat challenging” for their organization or agency’s identity management system.

  • According to a majority (53%) of respondents, national security should be the priority, even if Americans’ personal privacy is negatively impacted.

  • Respondents cited lack of funding as the main obstacle that would most impact their organization or agency’s ability to reach their identity management objectives (31%). During the next five years, many (45%) think the amount budgeted for identity management projects and services will increase; very few (5%) think it will decrease.

  • However, half of respondents (50%) believe Congress should provide more funding to agencies to develop and implement identity management systems; a nearly equal number (49%) believe it should require greater planning and collaboration among federal agencies and state and local governments.

  • More city, county and municipal government IT professionals are likely to be “very concerned” (59%) about compromised critical public infrastructure than federal (45%) or state (38%) government IT professionals.

  • Over one-half of government IT professionals (56%) have either personally seen or heard about someone violating their organization or agency’s security protocols.

The majority of folks surveyed believe national security trumps privacy, but I guess with the current administration why is this surprising?! Also, the fact that over half have seen or heard about security violations is interesting.

What does everyone think about the privacy part of this?
