Thursday, July 31, 2008

New Sybase Single Sign-on Technical Brief

As a follow-on to yesterday's post about SAP SSO I'd also like to bring your attention to the Sybase single sign-on technical brief that was also just published. The document provides guidance on the configuration of Sybase Adaptive Server Enterprise (ASE) to enable Active Directory (AD) authentication through Quest's software to achieve centralized authentication and transparent single sign-on for Sybase ASE accounts.

The software provides:
  • Native Active Directory authentication (Kerberos) for Sybase ASE
  • Access control and password management based on existing AD groups and security policy
  • Centralized deprovisioning/removal of access to Sybase
  • Simultaneous implementation of both centralized authentication and transparent single sign-on (SSO) for Sybase ASE accounts with corresponding Active Directory accounts
  • Increased user productivity and reduced TCO through transparent SSO and identity integration
I hope you find it useful.

Wednesday, July 30, 2008

New SAP Single Sign-on technical brief

We're increasing our SSO capabilities with SAP due to customer demand. We just published a short tech brief on our capabilities in case you're interested in better understanding Quest Software's capabilities.

Saturday, July 26, 2008

I just can't take it anymore

  • It's a power pig. Green? I know I'm seeing red! I used to get up to 8 hours on battery life with XP and now maybe 2 hours with Vista?
  • What's with the interface dimming and then going back to normal brightness? Is it telling me there's something going on with security? Whatever it is I don't like it and I don't understand why it is doing it.
  • As my dear old mother would say: "It's slower than molasses in January". Runs on 2Gb? How about walks on 2Gb!
I've backed up my machine - twice - and am about to reformat and go back to XP.

  • I'm so sick and tired of the inability of this thing to remember web site passwords because "I" don't have the cookies set correctly. This typically happens with all my Google properties - coincidence?
  • I'm so sick and tired of "The current web site is trying to open a site in your Trusted Sites list. Do you want to allow this?" dialog box. If I had a penny for each of these I'd be retired.
  • I'm so sick and tired of the general clumsiness.
I have no idea if I can get rid of IE but I've fallen in love with Firefox 3. "Do you wish to restore to your previous state?" - Are you kidding me? Restore to the previous state, with all my tabs intact? Can you love a piece of software?

About 18 months ago when I had another one of these liminal moments with Microsoft I sold half my Microsoft stock and bought Apple. That certainly wasn't a mistake because Apple has only gone up about 70% or so (I bought at $95) and Microsoft is the same or down today as it was then.

I'm getting ready to dump the rest of my Microsoft stock. Probably on their next up-tick - whenever that might be.

Dear Readers, this will be my last post from Vista.

Friday, July 25, 2008

July 25, 2008 - Links and Commentary

Privacy and the Red Pill
Have you ever forgotten a password? I have. This article basically blows away any security I thought I had around the typical Q&A password reset I get asked on-line or via an operator. Anyone can find out the last 4 digits of my social, where I was born, where I live/have lived, etc. etc. by paying a few bucks. Sure, they might not know my dog's name ("Monaco") or the first car I had ("Hmmm, did I answer 'Ford', 'LTD' or 'Ford LTD") but how hard is that to figure out? Especially if the threat might be coming from within my company...they could always ask at a moment of weakness while I'm at a drunken barn dance or the like...

Security is, ah, like hard, man
Twelve new ways to visualize network security. New metaphors for security including: "Security is like a stack of Swiss cheese", "Security is like golf" and "Security needs to think on its own". I thought this was a humor article but I think the participants are serious - if so, that's really scary.

DNS Hole Doesn't Go Unnoticed
I'm not a DNS expert but I've seen repeats of this: "Both Red Hat and Sun distribute the Berkeley Internet Name Domain technology". There are a number of critical pieces of software that all (or mostly) have a common root - DNS is an example. A fundamental design flaw found in the root could very well affect all of the descendants. I've seen this in X.500, X.400, LDAP and other technologies. Better check your DNS software! (Check out for a simple test to see if your DNS is vulnerable and "Fix DNS Now" for more details.)

Friday, July 18, 2008

July 18, 2008 - Links and Commentary

Microsoft fills in identity puzzle
Awesome news about the Identity Metasystem and all the work that's going into claims-based identity and identity as a service over at Microsoft. Read the last paragraph of John Fontana's story: "Microsoft announced prices for its hosted Microsoft Online Services earlier this week, but did not have any details on claims-based support for those cloud services." This speaks volumes in itself and bothers me to no end. Why can't Microsoft announce something that includes internal adoption? Yes, I would like some steak with that sizzling plate you just delivered!!

Former HP VP charged with stealing IBM trade secrets
Apparently this genius is charged with allegedly emailing confidential IBM information to two senior HP vice presidents - with non-descript subject lines like "For Your Eyes Only". This is a clear example of the Peter Principle in action!

VMware's CEO switch targeted at Microsoft, analysts say
More on Paul Maritz as the new VMWare CEO. "VMware is a single-product company trying to compete with a giant in their backyard, because the operating system environment is Microsoft's bread and butter." You figure? Where have we seen this before? "Maritz probably can be expected to lower VMWare's product prices..." Now, there's a surprise, too.

Wednesday, July 16, 2008

I'll be at the SSO Summit next week

I'll be at the SSO Summit next week on Thursday and Friday. On the assumption that we'll have wireless I'll try to blog about impressions etc. I'm hosting a BOF on "Enterprise Single Sign On" and some of the smarter folks from Quest will be demoing our products at our table top. Please drop by and say "Hi" if you're going to be there.

The first question I want to answer is: Should Quest attend next year? This event was created by Ping Identity so it'll be interesting to figure out the ratio of Ping sales/marketing event versus SSO industry event. It does look like there are some good customer presentations on the agenda from: General Motors, Commonwealth of Pennsylvania, Wyeth and 3M...

More next week!

Tuesday, July 15, 2008

James' unanswered questions...

James McGovern has some unanswered questions on the debate around directories that I thought I'd at least try to answer...

If pretty much every Fortune 500 enterprise (acknowledging that Sun is the standout oddball) has Active Directory, why should any of them consider yet another product? Why shouldn't they simply wait for Microsoft to include virtualization support in Active Directory? Please no responses that are "tactical" in nature nor attacking Microsoft because they never get it right the first time.

I agree. Why should they? It's obvious - at least to me and I am pretty sure a lot of other folks out there - that identity management has evolved beyond directory synchronization and metadirectory to include the concept of virtual directories and all of what that means. Is there ever an ideal product? Sure, for a period in time. But times change. If Microsoft isn't thinking about how to solve this problem I would be surprised - oh, and let's not forget that a possible solution is to do nothing.

Are the current provisioning products somehow deficient when it comes to modern identity as they tend to focus solely on central sources of data while user-centric approaches require more in the way of self-provisioning?

Yes, absolutely.

When should virtual directory technology be a standalone product vs when should the capability be just another component in another product? For example, shouldn't an XACML Policy Engine or a Security Token Service just be able to read a variety of data sources without necessarily creating another layer/hop from a networking perspective?

Yes, absolutely. I think the industry will move away from a technology solution to a product solution over time. Given the "buzz" about this I am sure we will see this happen in the near-term. I certainly do not want to sell a virtual directory "product" but I do see how adding that capability to various Quest products would solve some very interesting business problems that our customers have.

The ideal situation says that a software company should be able to write a directory-enabled application without requiring virtual directories but reality is a little different. Wouldn't the thought leaders in this space without resorting to tactical responses agree that instead of pushing products/tools in this space we have to help others understand the <> so that this problem goes away? Even products by companies with really smart individuals such as EMC still get this wrong. Does Oracle have any thoughts on helping people avoid virtual directory by writing better directory-enabled applications or is it better to bury one's head in the sand, ignore the problem of others and simply respond with point solutions?

James, you are right. Software companies need to do a better job when they write directory-enabled applications but it is a long road. The average application developer still needs to do a better job managing identity, authentication and authorization. We still have a long way to go unfortunately.

CARML may be an answer, but how come no one other than Oracle even understands the problem? You will note that none of the industry analysts including Redmonk, Burton Group, Gartner or other firms have even published one sentence on the value proposition of CARML in an enterprise setting? Have you heard of Mike Jones, Curt Devlin, Pat Patterson or other folks from Microsoft, Sun, CA, IBM and so on talk about it?

What's CARML? Can someone explain it to me? Certainly, until Gartner says it's important I won't be thinking about it... ;)

Monday, July 14, 2008

VD and AD

Nishant blogged ("To AD or not to AD") about virtual directories, Active Directory and applications supporting Active Directory. In discussing applications supporting Active Directory Nishant said:
This is one of the main reasons why there is an on-going effort to see if Oracle Virtual Directory can be made an embedded component (as opposed to its own server), something that is part of the middleware stack, so that it can act as a "directory connector" service in the application environment, freeing up applications from having to code against the idiosyncrasies of the individual directories.

OK, I understand the approach. What about freeing us - I'm using the royal "us", of course - from the idiosyncrasies of the individual authentication methods? The individual authorization methods? The individual protocol methods? This is not a dig on Nishant but a more general statement that solving one piece of the puzzle still leaves the rest of the puzzle in front of you.

Who wants to get to the last piece of the puzzle only to find they are missing one or more pieces?!

Nishant goes on to further state:

"...a lot of people are looking to support AD without getting locked into AD, and that is driving demand for both OVD and other alternatives"
Hmmm, sounds like a rose by any other name to me. People are looking to support AD without getting locked into AD but they are willing to get locked into Oracle or insert-your-favorite-vendor's-name-here?

And, finally, what's the big deal about being "locked into AD"? Have people forgotten that AD *is* an LDAP directory? You get "locked into AD" when you use it for desktop authentication otherwise it's just an LDAP directory with its own set of idiosyncrasies just like any other LDAP directory.

Friday, July 11, 2008

July 11, 2008 - Links and Commentary

Pussy likes pizza
I guess I did start a storm with my post where I stated that the metadirectory was dead. I always enjoy Ian Yip's view of things!

Directory versus Virtual Directory
Jeff is bang on!!! This is not about meta-directory versus virtual directory. This is about directory versus virtual directory! Also, as I have pointed out in the past: Keep an eye on ApacheDS (and Alex) - these guys are going places.

Identity Management as a Service
From the founders of Securant comes Symplified - very interesting, but can they do it? I love their home page and graphic: "The Identity Revolution is On Demand"

Ex-Microsoft exec Maritz is new VMware CEO

When I saw this I said "wow". Maritz was still at Microsoft when I joined in 1999 and he was definitely a sharp guy. At the time he was a Senior Vice-President and ran the server division - if memory serves me. It'll be interesting to see what he brings to VMWare! Mary Jo Foley discusses this further in her blog post: "Look who's running VMWare now"

Go Green!
Want to be green? Save power? Reduce your carbon footprint? Install this - much easier than virtualizing!

Thursday, July 10, 2008

Affordable Two-Factor Authentication Made Easy

As the push for stronger security, greater efficiency in user access, and easier compliance has increased, two-factor authentication has rapidly become the most effective approach to achieving these goals. But to get two-factor authentication, you might think your options are limited to expensive, proprietary solutions that are difficult to deploy. That's just not true.

Watch Stuart Harrison, product manager for Defender discuss:

  • How your organization compares to industry authentication best practices
  • Cost-effective two-factor solutions that are built on Active Directory
  • Strategies for simplified two-factor authentication rollouts
  • How to perform a ZeroIMPACT™ two-factor migration
This is an hour long webcast moderated by Tech Republic. You can find the webcast here. There's some research that Aberdeen Group produced that Stuart discusses in detail regarding industry best practices - well worth checking out.

Wednesday, July 09, 2008

Resolving the Privilege Management Paradox

Following on from yesterday's post about the latest release of our SafeKeeping product I'd like to mention that we have posted a new white paper titled: Resolving the Privilege Management Paradox.

In this white paper, Enterprise Management Associates (EMA) examines three solutions from Quest Software to solve the challenges of securing privileged account access and enforcing strong authentication. In this paper, you will learn how to:
  • Control access to the most powerful accounts in your environment
  • Secure passwords to your administrative accounts
  • Ensure secure access with two-factor authentication
  • Close the security gaps in high-privilege access control and secure your enterprise.

If you're interested in this up-and-coming area of compliance and identity management please check out the paper. Not only is SafeKeeping discussed but so is Privilege Manager for Unix and Quest Defender - they all fit into the overall story.

Tuesday, July 08, 2008

Privileged Account Management - New release of our SafeKeeping product

One of the most exciting products we picked up as part of our acquisition of PassGo was their SafeKeeping product. Basically, the elevator pitch on SafeKeeping is:

Quest SafeKeeping delivers a powerful solution for the management of shared administrative account credentials. When an administrator needs the administrative credential, SafeKeeping ensures security and manageability by providing a secure, automated mechanism for the request, authorization, release, and change of these administrative account logins.

At the end of this week we will release version 5.1 of SafeKeeping. The significant enhancements include:

  • Extended target platform support, via a choice of either SSH or Synchronization Agents for communication with SafeKeeping
  • Enhanced Group administration
  • Enhanced System Status page
  • Enhanced Pending Requests page
  • Enhanced User Authentication, providing support for two-factor authentication
  • Enhanced timezone management
  • Enhanced network configuration
  • New Password Policies
  • New Email Templates
  • New System Log
I think the most important enhancement is that we have more than tripled SafeKeeping's platform support, which now includes Windows Server 2008. My hat is off to Alex Binotto, the product manager for SafeKeeping, and the whole team in our Ilminster (UK) office. You guys all rock.

p.s. To Udi and Richard at Cyber-ark: We're getting closer guys!

Monday, July 07, 2008

Accounting - obstacle to SaaS adoption?

My buddy Billy Bosworth has a short post on this topic worth reading. Something that software designers and product managers probably don't think about:
Tony Bain has written a nice succinct post from someplace we don't hear from often: the real world. ;-) It is a quick and interesting read on a few obstacles to SaaS adoption. This one is VERY true, yet often overlooked. (note: CAPEX = Capital Expense; OPEX = Operational Expense)

CAPEX vs OPEX. The primary issue we encounter when positioning SaaS is that an organisation's budgeting process hadn't planned for a SaaS offering. Many customers get a CAPEX budget approved in advance, then evaluate tools, and on making their selection they need to spend the budgeted CAPEX. An OPEX-based SaaS offering may be a good fit for them, but the requirement to go back and redo budgeting is so undesirable that almost always in this situation the customer will elect the CAPEX option.

It’s not like it’s tough to overcome technically, but it will require a shift in budgeting philosophy.

Thursday, July 03, 2008

Metadirectory or Virtual Directory?

Jeff Bohren discusses that both of these technologies are just tools and you should use the most appropriate tool for your particular scenario. I couldn't agree more.

In the "old days" (i.e. 1995) we had spirited discussions about whether the metadirectory should be "real-time" look-up based or whether it should "cache" data. Caching won out simply because - in those days - we couldn't make assumptions on things like network bandwidth and the like. Today, however, most companies are running fat pipes internally and externally. In fact, most people are running fat pipes - mine is 15M down and 5M up at my house.

My question is why is there still a differentiation between the technologies? It would seem to me that a better solution would offer us the best of both worlds. The ability to do real-time look-ups, virtual attributes, data manipulation *and* also offers the metadirectory "store and forward" approach.

So when Matt Flynn says that metadirectories aren't dead they are just aging - he is totally right. It's time to consolidate these technologies.

Wednesday, July 02, 2008

Gone fishin...

I'm fishing up here in Sitka, Alaska. You can see the photos of king salmon, eagles and whales I've been grabbing by clicking on the photo above. This is my second fishing trip up here via Angling Unlimited, who take exceptionally good care of us while we are their guests. I'll be returning to Seattle with more than 100 lbs of king salmon, halibut and black cod!

Aside #1 - The US got a great bargain when they bought Alaska from Russia!

Aside #2 - In a small town like Sitka I did not expect to eat one of the best meals I've ever had. If you are ever up here please check out Ludvig's - you won't be sorry - especially if you order the Cioppino.