Thursday, December 31, 2009

Happy New Year everyone!

As 2009 draws to it's end I want to wish everyone a very happy and successful 2010.

Thanks for your support, comments and continued readership!


Wednesday, December 30, 2009

PKI is too hard for even the US military!

I end up in debates about the use of smartcards (PKI) and one-time passwords (OTP) fairly frequently. Which one is “safer” or “better” and which one is easier to implement. I love PKI. I love the math around public-key cryptography. But what I hate about PKI is the implementation of a PKI. It is not easy. Have you ever set up a certificate authority (CA)? I tried once but I stopped when I noticed my hair had turned white. It is not for the faint of heart. Once mis-step can lead to having to re-do everything and imagine a re-do after you have already deployed certificates to your end-users! When I first got involved in the Defense Message System (DMS) and NATO ACP123 for secure message interoperability I felt I had entered the world of spy-versus-spy. This stuff is really complicated. That’s probably why it’s been “The year of PKI” for the last 20 years and why it might be “The year of PKI” for the next 20 if we can’t figure out how to un-complicate it.

Well, it seems that this stuff is pretty darn complicated for the US military, too. I was dumbfounded when I read in the Wall Street Journal that our “enemies” were able to watch the real-time video feeds from Predator aircraft. All they needed was a satellite dish and a program (“SkyGrabber”) that was put together in Russia that costs $30 or so. My first thought, aside from “You must be kidding!!!” was that the insurgents must have found some sort of vulnerability but it turns out they hadn’t. The military just wasn’t encrypting the video feeds and they even admitted to knowing about the problem since the Bosnia conflict in 1990s.

Monday, December 28, 2009

Jeremy Moskowitz’s comments on Privileged Account Management

My thanks to Jeremy for taking the time to comment on my earlier post on this topic. I thought it would be useful to highlight his comment below for all readers and to give my perspective on it:
Microsoft already owns a BeyondTrust-like solution gained in the acquisition of Winternals. 99% of the Winternals acquisition went out with MDOP. 1% did not. This product. The real question is, with the ownership of that technology AND the fact that they specifically passed up the Beyondtrust piece... WHY would Microsoft WILLINGLY decide NOT to get into that business. My feeling is that they need to maintain "plausible deny-ability" in security cases. In other words, there is no middle ground: there are Admin users and there are User users. The Winternals and BeyondTrust pieces allow you to dial up or down privilege rights. Microsoft clearly doesn't want to be in that business. So they aren't. (PS: No internal knowledge here.. just a hunch.) -Jeremy Moskowitz, Group Policy MVP
I wasn't aware of the fact that the acquisition of Winternals brought a lot of this technology to the table. I'm sure Jeremy or my old friend Darren Mar-Elia can comment on the penetration of Microsoft Desktop Optimization Pack (MDOP). My experience - and it's by no means definitive - was that not many customers were purchasing it. Or, at least not the majority of customers were purchasing it. In either case, I'd love to hear Jeremy's or Darren's comments on the uptake of MDOP.

Friday, December 25, 2009

Happy Holidays

Best wishes, happy holidays and Merry Christmas to everyone!

P.S. To Santa: I really like these flying wing things that these guys were piloting over the cliff at Huntington Beach yesterday...They just fly on the wind currents, no engine - very cool.

Thursday, December 24, 2009

Privileged Account Management’s Star to Rise in 2010?

Martin Kuppinger over at Kuppinger Cole+Partner just blogged about this topic: Will IBM change the way we do PAM (or PIM or PUM)? His post is worth reading in its entirety but I thought I’d comment on one particular portion of it:
An interesting question in this context is whether this will affect the overall PAM market. First of all, it confirms what I’ve described earlier in my blogs: There will be a convergence of PAM with provisioning and other IAM solutions. And with more vendors providing such integrations (some are providing some integration or are working on that), customers are likely to pick the “integrated PAM”. However, there is no doubt that at that point of time the PAM specialists in most cases have more feature-rich offerings, which might complement even these integrated PAM approaches or replace them in case that specific features are required. Thus, there will be a “stand-alone” PAM market for the foreseeable time. On the other hand I expect more acquisitions of PAM specialists to happen given that the larger vendors might want to speed-up the development of their integrated PAM offerings by acquiring a product and integrating it. Another point to mention: IBM’s approach shows that PAM is moving out of a niche towards a mainstream IAM market segment.
I completely agree that we are going to see a greater tie-in between provisioning and privileged account management systems. After all, isn't a privileged account a special type of account and isn't my provisioning application used for creating accounts? "QED" as my old math professor would say. I think the traditional stack vendors (IBM, CA, Sun, Novell, etc.) are going to have to address privileged account management within their platforms sooner than later. Regulators and compliance professionals are starting to wake-up to the fact that companies do not have a good handle on their privileged accounts, who has them, what they are doing with them and who has authorized them to have one. Just ask yourself who has an Active Directory domain administrator account in your organization, why they have one, who authorized them to have it and what they do when they use it? That’s not an easy question for most organizations to answer today. The same goes for “root” on your Unix or Linux systems. In fact, on Unix and Linux the question is even more difficult to answer.
Privileged account management as a subset of identity management is new. Provisioning has been around a long time and is somewhat “old news”. In 2010 I think we will see a lot more market turbulence around privileged account management and I agree with Martin’s prediction to expect more acquisitions.
Hmmm, did Microsoft make a mistake in their purchase of Desktop Standard in 2006 by allowing the BeyondTrust bit to escape? In retrospect, they would have been better to keep the PAM (BeyondTrust) portion – they need it like the other stack vendors!

Wednesday, December 23, 2009

The Right Authentication for the Right Risk

Last week I blogged about Gartner’s story on beating strong authentication. Today, I wanted to point out another Gartner article which I thought was useful and re-enforced what I said about choosing the right level of authentication (strong or otherwise) depending on the risk of the transaction. Gartner’s "Good Authentication Choices for Workforce Remote Access" by Ant Allan and John Girard was published on December 21, 2009. If you are a Gartner client you can look the article up by it's ID number: G00173177. You have to be a Gartner client to access the report.
...we recommended that, for each use case, an enterprise must consider at least the required minimum authentication strength (commensurate with the level of risk), ease of use and the maximum justifiable total cost of ownership (TCO).
I agree that authentication strength should be matched against risk but that's not the only factor that should be considered. We are talking to more and more customers who are willing to enhance their authentication strength because costs for some two-factor solutions are declining. The typical conclusion I see a customer reaching is that for less than what they paid to protect higher risk transactions they can now protect all access to their network. So rather than simply replace the higher-risk transactions with a cheaper - but as effective solution - companies are considering increasing the footprint of their strong authentication deployment to cover more users even if they are doing less risky things. So for the same or even less money they are increasing their overall security posture.
So while I agree with Gartner that risk plays into the authentication mechanism a company might use I would also recommend that a company look at overall cost. Why protect only high-risk transactions if you can extend strong authentication to all users in your company?

Tuesday, December 22, 2009

Santa's Identity Crisis

Dave Kearns (re-)posted a humorous slant on identity management from the perspective of Santa's many identities:
It's that time of year when it seems our biggest identity problem is "will I remember who and where I am if I have another round of egg nog?" But there's one guy who goes through a major identity crisis each year at this time.

Every year, from Dec. 6 through Jan. 6, someone visits many of the children of the world and brings them presents. If you think remembering all your user names is tough, think of the problem he has! In various places around the world he's known as:

Agios Vassilios
Black Peter
Bozic Bata
Christmas Bock
Ded Moroz
Dedek Mraz
Diado Coleda
Dun Che Lao Ren
Father Christmas
Father Frost
Fur Clad Nicholas
Gaghant Baba
Grandfather Frost
Hagios Nikolaos
Jolly Old Elf
Kaledu Senis
Karácsony Apó
Kriss Kringle
Mos Craciun
På norsk
Pai Natal
Papa Noel
Papai Noel
Pére Noel
Saint Nicholas
San Nicolás
Santa Claus
Santa Klausam
Santa Kurohsu
Shakhta Babah
Shengdan Laoren
Sing dan lo ian
Sint Nikolass
Sion Corn
Star Man
Svaty Mikulas
Swiety Mikolaj
Vovo Indo
Winter Holiday Old Man
Wise Man
Ziemmassve'tku veci'tis

That's almost 60 different usernames! And those are only the most popular ones. Now since he does have to travel around the world, he probably needs a passport in each name as well as a description and picture. This part is hard to explain, though, as the pictures I've seen show both a tall thin man as well as a short round one. It may be that we're dealing with multiple people rather than multiple personas. I understand that the U.S. Department of Homeland Security is investigating.
Dave, thanks for reminding us that identity spans more than just IT!

Technorati Tags:

Friday, December 18, 2009

Gartner on beating strong two-factor authentication

Gartner just released a document titled “Where Strong Authentication Fails and What You Can Do About It”. Various articles have been published reporting on Gartner’s findings including here, here and here. Most of Gartner’s comments and guidance revolve around protecting yourself from “man-in-the-browser” attacks. If you don’t know what an MitB attack is here’s a link to Wikipedia’s MitB definition – check it out. A good example of an MitB program is “Silentbanker” (click to link to Symantec’s description of it).

The author’s advice is:

Enterprises need to protect their users and accounts using a three-prong layered fraud prevention approach that uses stronger authentication, fraud detection and out-of-band transaction verification and signing for high risk transactions.

I completely agree with the advice but also want to point out that last phrase “high risk transactions”. I hope everyone recognizes that security is graduated. That means for high risk transactions that you are placing much more security around those types of transactions while for low risk or no risk transactions you are placing lower levels of security around them. After all, the best security against MitB attacks would be not to be connected to the Internet but that’s probably not what companies have in mind. Hopefully, consumers and are all running up-to-date anti-virus software that helps to prevent and eradicate these types of attacks and companies are doing the same for their employees.

So does this mean that strong two-factor authentication is of no value anymore? Not at all but we all should be re-evaluating our security posture based on risks and threats. The author emphasizes the use of out-of-band authentication due to growing MitB attacks. If your evaluation of this new risk versus your current security – two-factor or otherwise – leads you to believe you need to ratchet your security tighter then that’s good advice for you. Security should always be evaluated against risk. If you are never going to drive 200 MPH then why buy a car that can drive this fast? It’s the same concept for security.


Cool features in the latest Release of Quest Password Manager

My thanks to our Moscow development lab in getting out the latest release of Quest Password Manager (V4.6 which is available at our website here). I also want to thank our development lab in Horton (UK) for their help with this release because it marks another great area of product integration between a Quest product (Password Manager) and a former PassGo product (Defender). For those that have been following my blog for a while you'll remember that we acquired PassGo two years ago. Stuart Harrison who is the product manager for QPM has blogged about the release and features already so I won’t re-hash them all other than the specific product integration work that has happened with Quest Defender.

The integration with Quest Defender adds a twist to traditional password reset products like QPM. Most password reset products have the capability of storing a number of question and answer responses that an end-user must correctly enter in order to reset their password. By integrating with Quest Defender it is now possible for a company to protect the registration, or initial entry, of those answers by requiring an end-user to verify their identity via their Defender one-time-password. In addition, if Quest Defender is installed it is possible to totally bypass the question and answer procedure by simply having the end-user verify their identity via their Defender one-time-password and letting them reset their password. After all, Defender is proving a stronger authentication than simply being able to answer some questions.

We are not done with integration between these two products yet. I would like to see integration the other way so that a customer who has both products installed could use the QPM questions and answers as a means of verifying someone’s identity when they call the helpdesk to have their Defender pin-code reset. After all, the users have all registered this information already so why not leverage it within other products?


Monday, December 14, 2009

Ash's Healthcare Observations

Fellow blogger Ash Motiwala blogged about the Microsoft/Sentillion acquisition over the weekend. He has some great insights into the healthcare angle as to why this was important to Microsoft:
1. The healthcare IT market is pretty unique, and healthcare specific software tends to take precedence over the larger generic software providers. This has caused 100's (if not 1000's) of applications within a typical healthcare IT environment. Healthcare IT shops want to buy software from companies who understand them (with doctors in the exec board), and they'll pay top dollar for the special attention. For example, McKesson brought in over $100b in 2008 vs. Microsoft's $60b in all verticals.

2. Until about the mid 2000's, Microsoft's healthcare strategy was pretty bad. They might disagree with me, but anecdotal evidence suggests that they were trying to sell generic technology (like BizTalk, SharePoint, etc.) with a healthcare twist. In my opinion, that approach caused them to lag in healthcare, and was a major cause of complaint for Microsoft's healthcare account reps that I had dealt with in the past.

3. In 2005, Microsoft hired Peter Neupert as VP of their Health Solutions Group. Prior to that, Peter was the CEO of, and co-chair'd the healthcare IT committee for the President's IT Advisory Committee. In 2006, Microsoft acquired Azyxxi, a healthcare app that pulls and displays patient info from disparate sources, and competes with the Cerners and McKessons of the world. Good move. (They also brought over a doc with the acquisition to lead the software team!) They followed that up with the acquisition of Hospital 2000 by GCS, then Rosetta Biosoftware and the launching of HealthVault. At HIMMS 2008 in Orlando, Microsoft renamed their healthcare line 'Amalga'.

4. In line with their seemingly new strategy of going more vertical, this past June - Microsoft signed a licensing agreement with Sentillion to supply Sentillion's SSO and Context Management technology as part of Amalga. A few days ago, Microsoft announced its plan to acquire Sentillion.

The one thing I will add is I do know that the healthcare vertical in Microsoft is an important one. They have their own dedicated teams and there is clearly a lot of room for revenue growth for Microsoft - which is exactly why they purchased Sentillion. Ash's commentary certainly helps me understand Microsoft's actions better.

Technorati Tags:
, , , , ,

Thursday, December 10, 2009

Further reflection on the Sentillion acquisition brings more questions

Earlier today I blogged about Microsoft's acquisition of Sentillion. After letting this percolate in my mind for a while I thought I'd share some of the questions that have come up for me about this acquisition:
  • If you carefully read the press release you will see that there's a quote from Sentillion's CEO and a quote from Peter Neupert, corporate vice president, Microsoft Health Solutions Group. Why no quote from anyone on the Forefront Identity Management (FIM) team? My conclusion - possibly wrong: This acquisition was driven by the Health Solutions Group - not the FIM team.
  • Single sign-on (enterprise, web or federated) is a key identity management concept. Question: Will any of Sentillion's products or technology be integrated into the FIM stack? Microsoft owns Sentillion now. It would make sense to do this. However, if Sentillion will be exclusively run by the Health Solutions Group this could lead to a split identity management strategy at Microsoft and that would not be good. Imagine having to speak to the FIM sales guys about FIM and the healthcare sales guys about Sentillion/ESSO.
  • The Sentillion product line includes a product called "ProVision" which is focused on user provisioning. Question: What happens to that? Can Microsoft afford two user provisioning solutions? Even if one is for healthcare only? Will FIM replace ProVision? Will Microsoft keep any of Sentillion's IDM stack at all other than the healthcare-specific "context switching" stuff?
  • Why did Microsoft acquire Sentillion versus leveraging FIM? I can guess at a whole bunch of reasons why this didn't happen: Time to market of a FIM-based solution for the healthcare people; FIM being a more general purpose solution versus Sentillion's healthcare focus; or the healthcare people simply focusing on their market and Sentillion being a market leader was the obvious play.
I'm guessing that this was not an identity management acquisition but a healthcare acquisition meant to strength Microsoft's position in the healthcare market. That would lead me to believe that none of the Sentillion solution ends up in FIM. In either case, time will tell.
    Technorati Tags:
    , , , , ,

    Microsoft expands into enterprise single sign-on

    Microsoft announced this morning that they are acquiring Sentillion:
    Sentillion has successfully combined patented technology with a deep understanding of the healthcare industry to deliver the most comprehensive set of solutions for single sign-on, clinical workstations, advanced authentication, identity management and desktop virtualization.
    While the emphasis on the acquisition is healthcare focused I'm sure that Microsoft will want to roll some or all of the Sentillion technology into their FIM/identity management product line eventually.

    Technorati Tags:
    , , , , ,

    Wednesday, December 09, 2009

    Password Security for Boneheads

    That's the title of an interesting article I just read over at InfoWorld. The author points out that many web sites are just not secure with respect to how they store or require passwords:
    More disturbing is the way password recovery works on some of these sites. At least half the time, when I get the (unencrypted) recovery e-mail, my password is right there in the message, in plain text. That means the site is storing all those passwords in plain text in a database -- one that's being backed up somewhere and is probably readable by a significant number of admins and possibly anyone who happens to snag a backup tape. It's a catastrophe waiting to happen.
    I agree - and I am sure most of you do also - that this is catastrophes waiting to happen and many have already happened! The problem is so much is now tied to our identities that it is nearly impossible to protect ourselves effectively. I once asked a lady in front of me at the grocery store why she wrote a check rather than use a debit/credit card to pay for her purchases and she responded with "I've never had my identity stolen via a check". Good point lady.

    Technorati Tags:

    Friday, December 04, 2009

    Saving (AD) Forests

    A successful Active Directory forest recovery relies primarily on planning and documentation, so if you don’t have those in place now—jump on it.

    Don Jones, a Microsoft MVP has written a white paper for Quest that provides real-world customer examples of forest failures and why you should be prepared for this sort of a disaster. It's definitely worth reading just to understand the magnitude of a forest recovery.

    Technorati Tags:

    Wednesday, December 02, 2009

    Windows Access Rights Explained

    Fellow blogger Matt Flynn has published a white paper titled “Expert Insight on Windows Access Rights” which I managed to read yesterday. Matt gives a great overview of Windows  Access Rights, how they are granted and, most importantly, how they are evaluated by the operating system. If you feel your knowledge of Windows Access Rights is a bit weak or you need a refresher on this topic I’d suggest reading Matt’s paper. It’s only 8 pages long but Matt packs a lot of great information in those pages…

    If you think you know who has access to files by looking at the security tab, you’re dead wrong. Access to Windows file system resources is controlled via a complex web of interwoven components. And in most cases, users manage permissions on their own files and folders making centralized access management extremely difficult to achieve and audit of access rights near impossible without help. In this paper, we break down the elements that combine to control access to files on shared Windows network resources.

    As Matt says, the Windows file system is complicated!



    Monday, November 30, 2009

    NGAD update from Mary-Jo

    If you don't follow Mary-Jo Foley's "All about Microsoft" blog you should. Mary-Jo has been writing about Microsoft for many years now. Her latest post is "Microsoft updates its enterprise ABC (Active Directory, BizTalk and Communications Server) roadmaps" and here's what she has to say about Active Directory:
    Microsoft is readying a number of Active Directory add-ons that company officials are counting on to provide a backbone for the three-screens-and-a-cloud vision that Microsoft execs love to tout. The company is working on what it calls Next Generation Active Directory (NGAD), which is a federation service more than it is a whole new version of Active Directory. The goal is to enable users to “federate across all our directories — the phone, the PC and the cloud,” said Identity Architect Kim Cameron. Microsoft took a first step toward enabling NGAD (which so far, has no public due date) by releasing to interested parties in mid-November a downloadable schema application programming interface (API), system.identity. In the nearer term, Microsoft is planning to deliver the near-final Release Candidate (RC) test build of Active Directory Federation Services 2.0 before the end of this year and deliver the final version within the first quarter of 2010, Cameron said. ADFS 2.0 is one component of Microsoft’s “Geneva” identity platform. Microsoft released to manufacturing its Geneva framework piece (now known as Windows Identity Foundation) a week-plus ago.
    There are still lots of questions about NGAD out there. Hopefully, over the next few months we'll get some answers...

    Technorati Tags:
    , , , ,

    Thursday, November 19, 2009

    Not much has changed on the directory front - until now!

    Dave Kearns over at Network World just published a story stating that "Not much has changed on the directory front". When I first read the headline I knew I wanted to agree - and blog my views on his comments. However, just as I was getting ready to write this a significant change event on the directory front happened. John Fontana - also of Network World - reported from the Microsoft PDC that "Microsoft touts groundbreaking 'clip-on' for Active Directory". So let's discuss Dave's story first:

    "Not much has changed on the directory front"
    As I said, I couldn't agree more. In 1996, if my memory is correct, Netscape released their LDAP-based directory server. It effectively killed the X.500 directory and also resulted in the ultimate demise of X.400 for messaging. Over the next few years we saw the launch of the meta-directory by Zoomit and then, in 2000, the launch of Active Directory by Microsoft. Aside from virtual directories gaining more momentum I would say that since Active Directory there have been no major advances on the directory front. Netscape started things off but Microsoft crossed the finish line and now has the most deployed LDAP-based directory in the world.

    I agree with Dave that nothing much has really changed - until now...

    "Microsoft touts groundbreaking 'clip-on' for Active Directory"
    Kim Cameron at Microsoft discussed Next Generation Active Directory (NGAD) at the Professional Developers Conference this week. NGAD has been described as "a modular add-on that is built on a database and designed to add querying capabilities and performance never before possible in a directory". Hopefully, the term "clip-on" is not equivalent to "clippie"!
    NGAD, however, is not a replacement for Active Directory but a "clip-on" that provides developers a single programming API for building access controls into applications that can run either internally, on devices or on Microsoft's Azure cloud operating system. Users will not have to alter their existing directories but will have to option to replicate data to NGAD instances. NGAD stores directory data in an SQL-based database and utilizes its table structure and query capabilities to express claims about users such as "I am over 21" or "Henry is my manager." To ensure security, each claim is signed by an issuing source, such as a company, and the signatures stay with the claim no matter where it is stored.

    "You can answer questions in your directory that are currently impossible to even ask," says Kim Cameron, identity architect at Microsoft. "You can find out who had access to a file last September." He says NGAD is a reshaping of the programming model for Active Directory.

    In addition, the directory design means multitudes of new cloud or other applications won't be hammering the central Active Directory architecture with lookup requests and administrators don't have to perform often tricky updates to directory schema to support those new applications.
    Of course, extrapolating features, functionality and benefits at this point is difficult but you can see how NGAD could change our views of auditing, compliance, security and (NGAD)directory-enabled programming including cloud-based identity and identity as a service. I'm also betting that NGAD will be a significant enabler of the externalization of a distributed authorization infrastructure just as Active Diretory has been an enabler of a distributed authentication infrastructure.

    I believe NGAD has the potential to be a big change or even an inflection point for the industry and customers. I'm sure we'll be seeing much more discussion about NGAD.

    Technorati Tags:
    , , , ,

    Monday, November 09, 2009

    Gartner: Directories and Virtual Directories: Foundations of Your IAM Infrastructure

    Andrew Walls definition of today’s directory proliferation problem is quite appropriate: “I am Legion and we are many!”

    Andrew talked about how virtual directories are “in fashion” these days. Interesting that when Andrew presented which vendors have a virtual directory that he put up Microsoft and IBM with question marks after them. His caution: Don’t assume that either of these vendors have these capabilities despite having info on their web site that they do. Andrew’s belief is that IBM and Microsoft don’t want their customers to look to another vendor to solve the virtual directory problem. I’m not sure about anyone else but I never believed either of these vendors had a virtual directory.

    Andrew characterized meta-directory as storing data rather than fetching data like a virtual directory – and called them fundamentally the same. I disagree with this simple of a characterization but I certainly agree with Andrew’s statement that rapid deployment of a virtual directory is possible whereas in most cases you are not going to rapidly deploy a meta-directory.

    Are meta-directory and virtual directory products melding – blurring the lines between themselves? Yes, and it’s high time that they did. Generally speaking, I think a customer can benefit from both of these technologies so why not use one product for that? Simple is always better. A virtual directory is the perfect veneer to stick on top of your directory infrastructure(s) because it allows you to swap underlying directory pieces in and out as your business changes.

    And, I agree with Andrew’s comment that adding a virtual or meta-directory can hide the complexity of your infrastructure – it doesn’t fix it.

    Gartner and The Death of IAM

    Gartner IAM Conference

    Earl Perkins kicked off the Gartner IAM summit with this talk: The Death of IAM and the Loss of Identity Innocence – A Review of Program Maturity, Service-Driven Change and New-Era Threats. Catchy title, eh?! It was certainly penned this way to draw attention to what Earl called an “inflection point” that is now happening in the IAM market.

    Earl’s commentary centered around IAM – especially the “A” access part – accountability as the new phase of IAM. Gartner has clients who approach them daily who are now talking about replacing their first generation IAM systems – as Earl calls it, a “disaster summit” or a “do-over” conversation. In the area of governance (GRC) we are in the same place where we were with provisioning 5 years ago which means we are early and still have a long way to go in this area.

    Earl see these trends in the “IAM Age of Accountability”:

    - Externalization + decentralization = “The out is now in”

    - Finding or identifying who is in charge

    - “Scale” is becoming off the scale

    - Delivery methods increase

    - Expanding business process management

    I think we have all seen much of the above. Much of this is being driven by the effects of compliance pressures on companies along with the drive to save money through the use of the “cloud”. It’s only going to get worse as federation begins to take off.

    Earl also talked about the death of the IAM suite and birth of the IAM partnership. Not the actual, real death of the IAM suite but the importance of partnering with your IAM vendor and picking the right vendor that you can work with over time. While Earl didn’t say this nor do I think he meant that the magic quadrant is “dead” but I do wonder about customers who make IAM choices simply by looking at the MQ. Partnership cannot be measured by the Gartner MQ in my opinion.

    Earl concluded by discussion how you map an IAM program into an information security program – taking you to serious business enablement, security effectiveness and security efficiency – where I expect we all want to end up.

    I like how Earl characterized this as an “inflection point”. It’s a better term than saying IAM 2.0 or “next generation”. The fact of the matter is that market pressures (“requirements”) are causing the slope to change of companies needs in this area and by definition that is an inflection point. I do think that many of the early IAM products and suites are struggling with this inflection point whereas some of the newer vendors in these areas are able to cope with or build directly to this inflection point.

    Interesting times for sure. For all of us – vendors and users.

    Technorati Tags: ,

    Sunday, November 08, 2009

    Windows Identity Foundation release candidate now available

    The Windows Identity Foundation (WIF) is now available as a release candidate per the Forefront Team Blog posting here.
    Look for more information about "WIF" coming out of Microsoft's Professional Developer Conference, the week of Nov 16.
    We are sending a number of our smart people to the PDC to check out WIF. This release will definitely mark the beginning of true market adoption of web-services based identity. (What we have seen so far has mostly been science experiments and very specific industry segment adoption)

    Technorati Tags:
    , ,

    Friday, November 06, 2009

    See you at Gartner's Identity Conference?

    Gartner's Identity and Access Management conference starts this coming Monday in San Diego. Will you be there? I'll be there and Quest Software will also have a number of our IAM experts present along with a booth in the exposition area.

    We'd love to see you so please drop by our speaking slots or come by our booth. I fully expect this to be an eventful conference - as usual!

    Technorati Tags:
    , , ,

    Tuesday, November 03, 2009

    Security = smoke detectors?

    We're always reading about fires and deaths that could have been prevented by smoke detectors. We are also always reading about security breaches that could have been prevented by having the proper software or policies in place.

    I was reminded about this in "Better Security For Not Quite All" which appeared in ComputerWorld on November 2, 2009. The article isn't about a huge security breach but does discuss the difficulties and findings of just trying to enforce "screen locking" at the company in question:
    We found that more than 70% of our approximately 6,000 users had disabled both the password requirement and the screen saver.
    Clearly, these 6,000 users feel that their own convenience is more important than the company's security posture. This is, however, not too surprising is it? What was a bit more interesting were the results of the author's survey related to what other companies were doing:
    When I proposed the change in our lockout policy to the CIO, he asked me to determine what other companies in our industry are doing. I have a pretty decent network of peers in this industry, so I asked them whether they enforce a screen lock -- and if so, what the timeout value is, and if not, what their policy regarding screen locks is. I was surprised by the results: Only one of the 20 companies in my survey enforces the screen lock. That wasn't the response I had anticipated, and it certainly wasn't what I wanted to report to the CIO. In the end, though, he agreed with me that this is one area where it's worth bucking the industry norm.
    One in twenty? That's only 5%! I congratulate the author and his company for their choice to turn on the screen lock. I can only imagine that so many other firms haven't bothered to turn on such a basic security feature. It's cheaper than a smoke detector: If you're running Active Directory all you have to do is use Group Policy to turn this capability on.

    Do you have a smoke detector installed? Is the battery still good? Have you tested it recently?

    Technorati Tags:
    , , ,

    Sunday, November 01, 2009

    Goodbye, Don

    I first met Don Bowen when I was at Zoomit and we did an on-site presentation to him and his team. We flew from Ottawa and Toronto through a blizzard that shut down Chicago as we got the last plane out to Peoria, Illinois. It turned out we were the only vendor to make it through to Peoria and we won Caterpillar's business.

    Don was a product manager's dream customer. Always had good ideas and new ways to use a product. He also stretched a product in ways it was never designed, pushed his vendors to do the right thing and was always ready to talk to you about life or technology - day or night. Whatever identity management conference I went to I would usually run into Don with his wife Eileen - especially at The Burton Group conferences.

    Don had only one speed - full speed ahead - and that's how he attacked his brain cancer right to the end.

    I'll miss you Don.

    P.S. If you can, please help out Don's family via The Bowen Family Trust.

    Technorati Tags:

    Friday, October 30, 2009

    Reality tour visit to Vancouver

    I'm speaking at the Vancouver Technology User Group next week on "Shouldn't Single Sign-on Be Child's Play?". Quest Software is sponsoring the food. Welcome time is 6pm and we'll kick things off at 6:30pm. If you're interested in attending please click here for the registration link.

    I hope to see you there!

    Technorati Tags:
    , , ,

    Tuesday, October 27, 2009

    Serious provisioning mistake costs $471,000!

    I read this in the morning paper today and thought you'd appreciate how serious of a provisioning mistake this was. Would you class this as an identity management issue? I certainly would. I'd also class it as a compliance issue. Great examples of how identity management and compliance are so interlinked. I wonder if Avaya already has an IDM product? If so, it shows you the hole that still exists in the checks and balances side of IDM and compliance.
    A New Jersey company paid a man nearly half a million dollars before realizing he wasn't working.

    Anthony Armatys was hired by telecommunications giant Avaya in 2002 for more than $100,000 a year. He changed his mind and didn't take the job, but the payroll department apparently never got the memo, according to the Star-Ledger.

    For nearly five years, Avaya paid Armatys and he gladly accepted, spending most of the money on everyday items. The rest went straight into a retirement account. Armatys got caught when he tried to make an early withdrawal from that account.

    He pleaded guilty to second-degree theft and has to pay the $470,995 back to Avaya. Armatys, 35, faces up to six years in prison when he's sentenced in January -- time enough to think about his next dream job.

    Technorati Tags:
    , , ,

    Thursday, October 22, 2009

    Quest and Microsoft Executive Summit on Identity Management

    I'm pleased to tell you about the Quest and Microsoft executive summit being held Thursday, November 19, 2009 at the Microsoft Executive Briefing Center across the street from me here in Redmond, Washington.

    Our experts will offer guidance for gaining greater efficiency and security from your current infrastructure, using best practices and real-life examples. We'll be discussing:
    • Common challenges and organizational impact of simplifying your access, single sign-on and identity management
    • Available solutions and services that can make your transition a success as well as facilitate a secure environment
    • How to comply with regulations and mitigate risks by automating and managing access to sensitive systems and data
    • Benefits of the Microsoft platforms for identity and access management
    We have a number of awesome Microsoft speakers including Shanen Boettcher and Conrad Bayer who will be presenting, too. If you are interested in attending this event or would like more information please visit

    Technorati Tags:
    , , , ,

    Wednesday, October 21, 2009

    Single Sign-on: Separating Fact from Fiction

    Quest Software is hosting a virtual trade show and the session I am doing is called "Single Sign-on: Separating Fact from Fiction". It has been recorded so if you're interested in seeing it all you have to do is click here.

    Technorati Tags:
    , , , ,

    Tuesday, October 13, 2009

    ADAC & Windows Server 2008 R2

    My colleague and fellow blogger, Bob Bobel, has posted about a shortcoming in the latest and greatest from Microsoft related to Microsoft Exchange integration - actually, the lack thereof. Here's a link to his post and a quote:
    One glaring regression is the lack of integration with Microsoft Exchange. The former Active Directory Users and Computers UI had extensions that would expose the critical attributes necessary to perform recipient management. This was handy for many people and its absence is already being mentioned. I would guess that eventually the Microsoft Exchange team will provide this, but so far it has been a no-show.
    Good to know this up-front so you're not too surprised by this fact.

    Monday, October 05, 2009

    Is there money in federation?

    In my last post, "Microsoft on the verge", I talked about a number of things including "Geneva" or Windows Identity Foundation. One of the things that interests me about Microsoft's federation strategy is the inclusion of the foundation within Windows Server itself.

    Why is this significant? Mainly because it means that federated scenarios are included in the server license so if a customer wants to federate with another organization all they have to do is set up the agreements and go from there without being concerned about additional licensing costs. As you can see from the Liberty Alliance test matrix Microsoft went through a battery of test to get their SAML 2.0 certification.

    What does this all mean for Microsoft's customers? Well, it means that there may no longer be a need to purchase an actual federation solution from a 3rd party ISV. Or, as time goes on, I suspect that the inclusion of federation in the Windows platform will put significant pricing pressure on ISVs that sell federation products. ISVs will not be able to make a lot of money on pure federation solutions. However, I do believe that there are still three areas where ISVs will be able to add significant value over what Microsoft is delivering:

    1. Auditing: I do not believe that Microsoft will be delivering a comprehensive audit capability around their federation components. As you can well imagine the need to audit federation or single sign-on "events" will be pretty important from a security and compliance perspective.

    2. Management: By management I mean operational management of your federated relationships. How easy will setting up a federated partnership be? How easy will it be to monitor your on-going partnerships? How about troubleshooting those linkages?

    3. Strong authentication: I haven't seen much discussed about enabling strong authentication of federated transactions. What if I want to use a smartcard or a one-time password (OTP) to protect my transactions?

    Don't forget the basics that we have all come to rely on - or are asked to deliver by our company's management: Audit, compliance and security. They are all required - still.

    Technorati Tags:
    , , , , , , ,

    Saturday, October 03, 2009

    Microsoft on the verge?

    My Google news net caught this article for me today - Microsoft wary as security, identity integration plan lags - by John Fontana that's definitely worth a read.
    Microsoft is on the verge of finally providing some pieces of software to back up its ambitious plan to integrate its security and identity technologies, but the company admits it is moving slower than it had anticipated.
    Progress towards this goal, as many of us have already blogged, has been slow. One glimmer of movement in the right direction was last year's merger of the security and identity teams. I also think that the upcoming "Geneva" - now Windows Identity Foundation - will be pivotal for Microsoft and the industry.

    In John Fontana's article there's an interesting quote from Bob Muglia I'd like to highlight:
    We (Microsoft) don't see ourselves as providing the only solution that an enterprise customer needs for security...
    I think most customers would agree with this. In fact, Bob really needed to add "and identity" to that statement. Nearly every customer I meet with has multiple identity management products deployed. In fact, at one customer I recently met with they had three different self-service password reset solutions deployed. Many of the customers I meet with have also deployed Microsoft's identity lifecycle product too (MMS, MIIS or ILM). When I quiz them on what scenarios they are solving with the Microsoft product the most typical response is "GAL sync" yet the company has also deployed a non-Microsoft identity product or framework for the enterprise.

    In talking with these teams I have found that in many cases the "Windows", "Active Directory" or "Microsoft" team at an enterprise holds enough power or influence to dictate what is used in their own environment but not enough power or influence at the corporate level to dictate what is used for identity management.

    Bob Muglia states that he doesn't see Microsoft providing the only solution that an enterprise customer needs for security. I don't see Microsoft providing the only solution that an enterprise customer needs for identity either.

    Technorati Tags:
    , , , , ,

    Tuesday, September 22, 2009

    Ten Risks of PKI

    This is an old article but it is a good article co-authored by Bruce Schneier. For those that don't know Bruce he is a well respected and acclaimed cryptographer. As Bruce says in the first few paragraphs about the sales guys who sell PKI:
    “If you only buy X,” the sales pitch goes, “then you will be secure.”
    But reality is never that simple, and that is especially true with PKI.
    Many times we have customers who are considering going with certificates or smart cards rather than one-time passwords (OTP) as their means of two-factor authentication. Bruce does a great job of throwing light on some of the PKI/smart card "myths". Especially true is that for any security system there are people involved:
    Security is a chain; it’s only as strong as the weakest link. The security of any CA-based system is based on many links and they’re not all cryptographic. People are involved.
    So if you are interested in strong authentication take a look at this article. It's worth your time.

    Technorati Tags:
    , , , ,

    Monday, September 21, 2009

    Quest and SAP Single Sign-on

    Someone pointed out a blog post on SAP Single Sign-on using Quest Authentication Services to me a few weeks ago and I thought I would share it with you. The author of the blog post - Joshua Fletcher - is a Senior Business Intelligence Consultant working in Perth, Australia primarily with SAP BusinessObjects software.

    Joshua pointed his readers to a very detailed SAP technical note on how to set up SAP SSO with Quest Authentication Services here (you'll need an SAP support account to login). He also issued a small plea to SAP to better document the overall procedure:
    If any SAP BusinessObjects staff read this post, it would be fantastic if all this knowledge that is being captured in the SAP Support Portal could be filtered and pushed back into the standard documentation, as this sorely lacks the detail required to implement Vintela SSO.
    Joshua, I passed on your blog post and your request to SAP's senior identity management staff last week when I was at their headquarters in Walldorf, Germany. Hopefully, they'll follow-up!

    Technorati Tags:
    , , , , , , ,

    Thursday, August 27, 2009

    Synchronizing Exchange identities and more

    Microsoft has a product to support synchronization of identities between Exchange environments. That product is the "Identity Integration Feature Pack for Microsoft Windows Server Active Directory with Service Pack 2 (SP2)". For those you who do not know what the IIFP is here's a snippet that gives you an overview:
    Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® with Service Pack 2 (SP2) manages identities and coordinates user details across Microsoft Active Directory, Active Directory Application Mode (ADAM), Microsoft Exchange 2000 Server, and Exchange Server 2003 implementations. Using Identity Integration Feature Pack, you can combine identity information for a given user or resource into a single, logical view. Identity Integration Feature Pack also automates the provisioning of new and updated identity data, eliminating time-consuming, repetitive administration and the need to manually add, delete, or update identity information, groups, and user accounts.
    Sounds good, right? In fact, it does sound good - or maybe I should say it used to sound good. Read the description above a few times and you might notice three key things that are missing:
    1. What about support of Windows Server 2008?
    2. What about support for Exchange 2007? Exchange 2010?
    3. This is all about identities. What about synchronizing calendars "into a single, logical view"?
    The first two key items are getting to be show stoppers for most organizations. The last item is, in my humble opinion, very important - it's the "and more" in my post title. I've heard from many customers that they'd one tool to synchronize contacts and free/busy information - not half a tool.

    All of this came to mind when I was trying to better understand why interest in Quest's Collaboration Services product seems to be rapidly increasing. The product has been around for a long time but over the last 8-12 months it's really been taking off.

    I think I figured out that the answer is in the questions above.

    Technorati Tags:
    , , , , , ,

    Monday, August 24, 2009

    Privileged Identity Management

    I read an interesting article on this topic recently and how it relates to databases. The article is a good read and I want to highlight some points that should apply to everyone working in IDM and particularly around PIM:
    1. Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review
    2. It is both feasible and reasonable for senior executives to personally review this information and record that they have done so
    3. Anyone can expect this kind of review may be taking place in any major organization handling high-risk data, although it is not as universal as it should be

    Think about point #1 above and ask yourself if you would have a short list for your CIO/CISO to review at your company. I agree that the list should be extremely short and it should be reviewed by your management chain on a regular basis. As the author states, these reviews are not as universal as they should be. How about at your company?

    Technorati Tags:
    , , ,

    Tuesday, August 18, 2009

    SPML - The Lingua Franca of Provisioning

    If you missed this webcast you can still view it here:

    If you have any interest in SPML here's an opportunity for education:

    Webcast: SPML -- Exploiting the New Lingua Franca of Provisioning Identity and Access Management
    Thursday, August 20 at 11:00 a.m. EDT

    During this informative webcast, Randy Franklin Smith will explain how Service Provisioning Markup Language (SPML) can help you easily integrate self-service portals, provisioning systems and target applications in your heterogeneous environment. You will learn where to find support for SPML in a Microsoft-centric network now and in the future, as well as see a live demonstration of SPML in action.

    Register here.

    Technorati Tags:
    , , ,

    Wednesday, August 12, 2009

    Cloud Insecurity

    Interesting article about Clive Peeters - an Australian company - and how they have been left reeling by $20m sting by their payroll manager.
    ...she admitted to using a loophole in the company's internet banking with National Australia Bank to steal from the company.
    What this reminded me of was a customer focus group about federation that I did while I was at Microsoft. I'm not sure if this is the exact words that the CIO of a company used during the meeting but it is close enough:
    Why would I want to use federation in my business when I can't even trust my own staff not to write down their passwords and leave them stuck to their monitors or to even log off their workstations at night?
    While the article I reference isn't exactly related to cloud computing it does highlight the fact that we still have a long way to go with respect to security. Here's another article that seems appropriate to the discussion: Why cloud security is only as strong as your weakest password (and what you can do about it)

    Technorati Tags:
    , ,

    Monday, August 10, 2009

    Quest Authentication Services User Group Meeting

    If you haven't already received a personal invitation from me I wanted to let you know that we are going to hold a user group meeting for Quest Authentication Services (QAS) right after The Experts Conference (TEC) conference in Berlin. The letter we sent out is below but the most important thing is the fact that we are going to be previewing our QAS 4.0 product at this session. This is going to be an amazing release of QAS so if you have any interest in what's coming this is your opportunity!

    If you are interested in attending - especially if you are one of our European customers - please send an e-mail message to Todd Peterson (below). Seats are starting to fill so please don't hesitate.
    Please join us for an exclusive Quest Authentication Services (formerly Vintela Authentication Services – VAS) User Group Meeting at TEC Europe on Wednesday, 16 September, from 13:30 to 16:30 at the Hilton Berlin. If you’re already attending TEC, please join us at the user group, if you aren’t attending TEC I would like to invite you to attend all or some of the conference while in Berlin, please let me know if I can arrange complimentary registration. While TEC is all about intense Microsoft technology training, we want to help you leverage your time and travel to TEC by bringing you together with your peers to share best practices and futures guidance on Authentication Services as an added benefit!

    At this User Group meeting, we’ll discuss how you and other companies are leveraging Authentication Services to solve many of the problems with non-Windows identity and access management including: Access control, NIS migration, single sign-on, compliance, Group Policy, and directory consolidation. We’ll also give you an exclusive, early look at the exciting new capabilities available in Authentication Services 4.0

    Immediately following the user group, we will have a cocktail reception as well! To accept this invitation, simply respond with a favorable reply in Outlook and look for more details next week! (email to todd.peterson(at)

    We look forward to meeting you all in person at the user group.

    Technorati Tags:
    , , , , , ,

    Friday, August 07, 2009

    Webcast on Active Directory’s Delegation of Control and Auditing

    Quest is sponsoring one of Randy Franklin Smith's "real training for free" webcasts on this topic on August 13th. If you have a any interest in Active Directory delegation or auditing this will definitely be worthwhile. Here are some more details:
    The depth and breadth of information that must be accurately published in Active Directory spans the organization from Human Resources to the Telecommunications department. On top of that you have to manage access control based on decisions from data owners and managers.

    Trying to coordinate updates from all of these individuals and departments is a nightmare. Moreover skilled administrator time is wasted carrying out what basically amounts to clerical work.

    The best solution is self-service administration and access control (more on that below) but AD can't quite pull that off. Thankfully however Active Directory does support delegation of control and provides an excellent audit log. With these 2 features you can spread out responsibility for updating various aspects of user and group information to the people and departments actually responsible for it without losing control.

    AD’s delegation of control feature allows you to granularly delegate the ability to update specific fields on users and groups to any other user or group in AD. For instance you can grant the Telecommunications department the authority to update office, mobile and pager telephone numbers while giving Human Resources access to update home phone and address. Delegation also provides ways to streamline access control management and group membership.

    Lest you worry about losing control, the events generated by Active Directory are the best designed out of all the events in the Windows security log, so you always have a complete audit trail of who did what and when. In this real training for free webinar I will show you how to streamline maintenance of user, groups and access by using:

    * AD advanced permissions
    * The security log
    * Custom MMCs

    Randy's webcasts are always packed with great information so if you have any interest in this topic please check it out!

    Active Directory's Recycle Bin

    I happened across this article last night while flying back from Boston - "Criticisms and kudos for the Active Directory Recycle Bin". As you probably know, Microsoft introduces the concept of a recycle bin for Active Directory in Windows Server 2008 R2. Allow me to give you the executive summary of the article along with a few of my own tidbits:
    • All domain controllers have to be running Windows Server 2008 R2
    • The Recycle Bin has to be enabled to work. Don't delete something, enable the Recycle Bin and then expect to restore the item. (Why not enable the Recycle Bin by default - just like my Windows7 desktop does?)
    • There's no GUI to help in the restore process. You have to use PowerShell or LDP.
    • The Recycle Bin does not backup Group Policy Objects (GPO). This is a glaring hole.
    • The Recycle Bin only supports restoring deletions - not changes that are made to objects.
    Take a look at our PowerGUI tool to wrap your PowerShell scripts into - I'd rather PowerShell/PowerGUI than LDP any day of the week! It might make it easier and more repeatable to wrap PowerGUI around your recovery scripts.

    Don't forget you can always take a look at a 3rd party recover tool like Quest's Recover Manager for Active Directory.

    The Active Directory Recycle Bin is a welcome addition to Windows Server overall but like any insurance policy you need to read the fine print and plan accordingly. Last thing you want to be doing is trying to learn PowerShell to restore some executive's user object...

    Technorati Tags:
    , , , ,

    Tuesday, August 04, 2009

    Form factors for strong authentication

    Following on Stuart Harrison's post on Quest's new SlimToken I wanted to mention how we keep hearing from customers that they want tokens that are easier to carry and less likely to be forgotten or lost by end-users. With our Defender product we've spent a lot of time working on soft-tokens that run on your mobile phone. We are also about to introduce a new form factor - basically a credit card - that simply fits in your wallet with all your other cards.

    In the picture above you can see the one-time password ("717370") in the upper right hand corner. I triggered getting the number by pushing the "Press Here" space on the lower right hand side of the card. The SlimToken has an expected lifetime of 3-4 years and is fully OATH compliant so you can use it with Defender or any other vendor who supports OATH.

    Technorati Tags:
    , , , , ,

    Tuesday, July 28, 2009

    Microsoft's Recession Pitch - Part Deux

    Hmmm, not sure if the pitch worked or not: Microsoft sales, profits plummet
    Microsoft today reported revenue of $13.1 billion for its fiscal fourth quarter, a 17 percent decline, and earnings per share of 34 cents -- missing, by two cents, the consensus of Wall Street analysts polled in advance by Thomson Reuters.
    However, it is interesting to note that the Server & Tools Division posted only a 6 percent decline compared to the company's 17 percent decline. Maybe the story prevented a steeper revenue decline for Server & Tools? Maybe.

    Technorati Tags:
    , ,

    Wednesday, July 22, 2009

    Microsoft's Recession Pitch

    Interesting article in yesterday's The Seattle Times titled "Microsoft refines recession pitch". It kind of details how Microsoft basically changed their pitch to customers to be very specific around saving money.
    "It's been the most successful campaign and initiatives we've ever launched in Microsoft in immediately getting and resonating with customers," Turner said.

    "What customer isn't going to give you an appointment if you've got 13, 14, 15 things to help them derive business value and show them the ability to save money?"
    The last line of the quote above is one that I have direct experience with. I could ask this question: "Would you have time to discuss product X with our team and how your company could benefit from its use?" versus "Would you be interested in learning how we can help your company save xx% with our product X?"

    Guess which one question gets you in the door almost 100% of the time?

    Ladies and gentleman, software is about saving money through automation, operational efficiency, etc. You need to be able to show that value. In this climate, the customers I have been dealing with are telling me if I can't show concrete ROI within 12 months I might as well not pitch the story!

    Technorati Tags:
    , ,