Thursday, November 20, 2008

Welcome Joel Oleson - prominent SharePoint blogger!

I am thrilled to see that Quest has hired prominent SharePoint blogger, trainer, evangelist and architect Joel Oleson as a senior product manager in our SharePoint group. Joel will be working closely with Quest's SharePoint team to help set product direction and strategy for our SharePoint products, while continuing his evangelism and blogging efforts.

Seems like Joel also spent some time aboard the "good ship lollipop" where he was a senior technical product manager for IT professionals around SharePoint. He designed the first Microsoft global deployment of SharePoint, as well as the extranet and hosted SharePoint deployments at Microsoft.

Joel’s well-read blog is one of the top SharePoint IT blogs and I'll definitely add it to my reading list.

You all know the issues and problems related to distributed ("federated") access to SharePoint sites as it relates to identity management. I'm going to be leaning on Joel for his expertise to help me better understand SharePoint. I'm glad to see he's joined us!

Welcome, Joel!


Wednesday, November 12, 2008

What are you waiting for? Cybertheft is getting bolder!

I’m flying back from the Gartner IAM Summit and reading a story in today’s USA Today titled “Cyberthieves mine for corporate data nuggets” and I can’t believe how bold cyberthieves are getting. Here’s the gist of the story…

  • Cyberthief observes an employee entering their userid and password while they are at an airport, coffee house, hotel lobby or at a conference.
  • Cyberthief logs onto the employee’s company network and finds an internal web server that they can compromise. In the USA Today story they added a link to an internal employee website that discussed a charity.
  • Unsuspecting employees clicked on the link which took them outside their internal network and downloaded a program that basically dumped their My Documents folder over the Internet and into the hands of the cyberthieves.
Over 300 PCs fell to this attack which means 300 My Documents folders were dumped. Amazing.

Some questions for all of us and a few comments:
  • Many companies are still employing a hard-outside, soft-in-the-middle approach to security. Once a firewall is bypassed the cyberthief has unfettered access. That’s why security professionals push for “defense in depth”. Clearly, in the case above network monitoring tools could have seen the unusual jump in connections and data traffic and perhaps started shutting down ports or the internet connection. Are you taking a defense-in-depth approach to your network security?
  • Look at your My Documents folder right now. Anything in there that you wouldn’t want a competitor to see? Yes? Is it encrypted? If not, why not? How are you going to protect yourself against this type of attack? (As I write this I am busy encrypting a lot of files!)
  • How strong is your front door? Are you still only requiring a username and password to access your network remotely? If you are using some sort of two-factor authentication like a smart card or one-time password token then you are ahead of the curve. If you are not, then you are protecting your network with the equivalent of a screen door. I’d bet that 95% of cybertheft could be prevented if companies deployed two-factor authentication.
I’ve had many people ask how they can justify security projects. I go to the dentist twice a year because I’ve had a root canal and I don’t want to go through that pain again – ever. So I pay for this as a preventative measure. Your equivalent to a root canal – as a company – is being featured in USA Today or the Wall Street Journal.

Don’t just think about it. Do something before it is too late.
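
As an added illustration of the network-monitoring point in the defense-in-depth bullet above, here is a small detector that looks for the traffic pattern the story describes: many internal hosts suddenly pushing large uploads to the same outside address within a few minutes. This is my own example, not code from the USA Today story or from any product; the log format, thresholds and sample records are constructed assumptions.

```python
"""Flag a sudden fan-out of large outbound transfers from many internal hosts
to one external destination (the "300 My Documents folders dumped" pattern).

Added example. The four-column log format, the window and threshold values,
and the sample records below are all assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound-connection records:
#   timestamp  source-host  destination-ip  bytes-sent
# The first four lines are ordinary browsing; the remaining lines show six
# workstations uploading tens of megabytes each to one outside address.
SAMPLE_LOG = """\
2008-11-12T09:00:01 ws-101 203.0.113.10 4200
2008-11-12T09:00:05 ws-102 198.51.100.7 1800
2008-11-12T09:01:10 ws-103 203.0.113.10 5100
2008-11-12T09:02:30 ws-101 198.51.100.7 900
2008-11-12T09:15:00 ws-101 192.0.2.44 52000000
2008-11-12T09:15:04 ws-102 192.0.2.44 48000000
2008-11-12T09:15:09 ws-103 192.0.2.44 61000000
2008-11-12T09:15:12 ws-104 192.0.2.44 39000000
2008-11-12T09:15:20 ws-105 192.0.2.44 57000000
2008-11-12T09:16:01 ws-106 192.0.2.44 44000000
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes) tuples.

    Malformed lines are skipped rather than aborting the whole run, so one
    bad record cannot blind the detector to everything after it.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            records.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return records


def find_exfil_fanout(records, window_minutes=5, min_hosts=5,
                      min_bytes_per_host=10_000_000):
    """Return one alert per (destination, time window) in which at least
    min_hosts distinct internal hosts each sent >= min_bytes_per_host.

    Small transfers are ignored up front; the signal is the combination of
    volume per host and the number of hosts converging on one destination.
    """
    buckets = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for ts, src, dst, nbytes in records:
        if nbytes < min_bytes_per_host:
            continue
        # Align the timestamp to the start of its window (e.g. 09:16 -> 09:15).
        window_start = ts.replace(
            minute=(ts.minute // window_minutes) * window_minutes,
            second=0, microsecond=0)
        bucket = buckets[(dst, window_start)]
        bucket["hosts"].add(src)
        bucket["bytes"] += nbytes

    alerts = []
    for (dst, window_start), bucket in sorted(buckets.items(),
                                              key=lambda kv: kv[0][1]):
        if len(bucket["hosts"]) >= min_hosts:
            alerts.append({
                "dst": dst,
                "window_start": window_start.isoformat(),
                "hosts": sorted(bucket["hosts"]),
                "bytes": bucket["bytes"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_fanout(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['window_start']}: {len(alert['hosts'])} hosts sent "
              f"{alert['bytes']} bytes to {alert['dst']}: {alert['hosts']}")
```

On the constructed sample this raises a single alert for 192.0.2.44 in the 09:15 window, with six hosts and roughly 300 MB in total; the earlier browsing records never reach the per-host byte threshold and so never count toward the fan-out. In a real deployment the thresholds would be set from an observed baseline and the alert would feed whatever response the bullet above describes (rate-limiting or cutting the outbound link while someone investigates).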


Gartner's IAM Summit 2008 - Day 2

Here are my summary observations of the most interesting sessions I sat in on Day 2 of the Gartner IAM Summit...

The Future Panel: User Centric Identity

Awesome panel that Gregg Kreizman from Gartner moderated. Kim Cameron (Microsoft), Dave Nikolejsin (CIO, Province of British Columbia), Dale Olds (Novell) and Frank Villavicencio (Citigroup) were the panelists. It was interesting that the CEO of JanRain was listed as a panelist in the agenda but didn't show. That was too bad since hearing his viewpoint regarding the likes of InfoCard would have been interesting.

The most interesting points to come up in this panel were that claims could be used for authorization (Kim), PKI is being stretched and will not be elastic enough for use as claims or roles transport packages (Frank), and how if the lawyers get involved in this business we're cooked (Dave). It was great to hear Kim discuss how much Microsoft was trying to break down internal barriers to enable InfoCard use across their enterprise. Also, Dale's comment about how far we have managed to come in two years was bang on - the industry has moved forward around identity but we sure have a long way to go yet.

Oracle's session on Services Oriented Security

Amit Jasuja did a good job outlining some of the problems in this space and how Oracle is addressing them. He pointed out a great hole that we have in the authorization space: "Need for open standard authorization API based on XACML". I couldn't agree more. Oh, yes, and with bindings to all the popular languages out there including Ruby, Perl, .NET and, of course, Java.

Trust in a Heterogeneous World

Jim Hosmer, Principal Architect at Lockheed-Martin, gave this presentation right after mine and it was awesome. What I liked the most about Jim's presentation was how he discussed the two approaches to dealing with heterogeneity in an organization: manage or integrate. Managing is easier but yields fewer benefits, whereas integrating is harder but yields the most benefits. Lockheed-Martin chose to integrate. Jim outlined the technical challenges they had, the solutions they picked and how they are integrating over 140,000 users and thousands of systems to enable trust in their widely dispersed company. Oh, and it is all based on Active Directory! If you'd like a copy of Jim's slides drop me an e-mail.


Next stop on the reality tour: Gartner Strategie & Technologie Konferenz 2008 in Frankfurt, Germany from Dec 2-3. See you there!


Tuesday, November 11, 2008

Who is the talk of the town at Gartner's IAM Summit 2008 - Part Deux

Yesterday, I mentioned which exhibitors were the talk of the show floor. Today, I wanted to mention who was the talk of the show floor because they weren't here:
  1. Novell
  2. Microsoft
Now, in defense of both they have some awesome speakers here in Dale Olds (Novell) and Kim Cameron (Microsoft). That said, with all the recent announcements out of Novell (w/Aveksa) and Microsoft (ILM2, Geneva, Azure) I was hoping to see more of a presence...

No one mentioned not having Google here but we already know they don't understand identity.


Monday, November 10, 2008

Who is the talk of the town at Gartner's IAM Summit 2008?

Top three vendors people seem to be buzzing about...
  1. Symplified
  2. Aveksa
  3. SailPoint
I don't necessarily mean that people are writing checks at their booths but that either folks are asking me what I think or know of them, or I am overhearing discussion about them amongst the attendees...

I think all three of them fit - more or less - into what Earl Perkins was talking about earlier: identity management as a business enabler.


Gartner's IAM Summit 2008 - Day 1

Here I am at the gorgeous Gaylord Palms Resort and Convention Center in sunny Orlando, FL attending Gartner's IAM Summit 2008. This is Gartner's third summit and looks to be well attended from what I saw at the keynotes this morning. As usual, I am working my Canon camera and if you click on the pictures below you can see what and who I've been capturing.

I'm hoping for an exciting session like the one Gartner's Neil MacDonald gave last year titled: "Everything You Know About Identity Management Is Wrong". That was awesome.

Earl Perkins followed Ray Wagner's welcoming comments to the attendees. Earl spent a lot of his time talking about how IAM is maturing and needs to continue to grow up. His session was titled "IAM: Enabling Governance and Risk Management in an Age of Business Challenges". I agree that IAM is growing up but, as Earl stated, it's still a teenager and there's a lot more maturity needed before we really see IAM enabling the business and not just enabling IT. In Earl's words: IAM as a transformational technology. I couldn't agree more. I think we've just barely scratched the surface of IAM as a truly transformational technology. Yes, we've definitely made lots of progress with IAM as an IT enabler but not as a business or transformational technology.

I think this is one of the biggest challenges facing software vendors today: building the bridge from IT-enabling software to business-enabling technology. This is a big obstacle to overcome because most of the people who create software come from a computing or IT operational background rather than a business operational background. Sure, many of us in computing have taken business courses, but do we actually understand risk management, compliance and audit?

We need - as vendors - to help our customers move from automating infrastructure procedures to enabling business processes. We've started down that path with things like self-service password management, workflow automation, role management and mining (etc.), but we do have a long way to go still.

Earl loves to use quotes in his slides to mix things up. Here are a couple of the most notable ones from his presentation today:

  • We can dispense with the pleasantries, Commander. I am here to get you back on schedule. - Darth Vader.
  • Sooner or later all thinking and planning has to degenerate into work. - Peter Drucker
I'll post more as the conference evolves!

p.s. Mark your calendars now: Gartner's IAM Summit 2009 will be Nov 9-11 in San Diego, CA


Tuesday, November 04, 2008

Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

That's the title of a U.S. Government Accounting Office report on this topic. Here's the major finding (emphasis is mine):
From July through September 2007, the major agencies collectively reported that they had not yet installed encryption technology to protect sensitive information on about 70 percent of their laptop computers and handheld devices. Additionally, agencies reported uncertainty regarding the applicability of OMB’s encryption requirements for mobile devices, specifically portable media. While all agencies have initiated efforts to deploy encryption technologies, none had documented comprehensive plans to guide encryption implementation activities such as installing and configuring appropriate technologies in accordance with federal guidelines, developing and documenting policies and procedures for managing encryption technologies, and training users. As a result federal information may remain at increased risk of unauthorized disclosure, loss, and modification.

This doesn't make me feel very good. A personal yet related note from my privacy dealings today:

  • My son is having a crown repaired at a new dentist down here in Torrance, California.
  • Dentist wants to verify his (my) insurance so he asks for my social security number. I refuse to give it.
  • Dentist calls my insurance provider and then asks me my zip code which I do provide.
  • Dentist appears and claims that everything is good with the insurance.
Of course, my immediate question was "If all they needed was my zip code then why didn't they simply ask for it instead of my social security number? After all, it's five digits versus nine!" Frankly, I could care less if the dentist's records were compromised with my zip code. I do care if he has my social security number and they are compromised.

The moral of the stories above is we need some attitude adjustment in both the government and commercial sectors regarding privacy. I adjust my attitude pretty quickly when it comes to my continued employment so it is a good motivator. We need to do more of this around protecting private information.
