Monday, June 29, 2009

CLEAR is still unCLEAR

Mainstream press has started reporting on the CLEAR debacle that I mentioned in a previous post: Clear is dead. What about my retinal scans?
On Thursday, the House Committee on Homeland Security sent a letter to TSA Assistant Secretary Gale Rossides expressing concern about the handling of Clear members personal data.
I guess the good news is there is a lot of visibility regarding what's happening to my data and the data of 250,000 of my closest friends...

Technorati Tags:
, , , ,

Friday, June 26, 2009

Enterprise-Class SaaS Provisioning

I happened across this white paper - Enterprise-Class SaaS Provisioning - over at Conformity's website. The first paragraph of the executive summary caught my attention:
User provisioning provides the foundation for effective lifecycle management of user identity and access rights in complex IT environments. Historically, enterprises have addressed this critical need through a combination of business process and integration of premise-based applications with management tools. These tools have included local directory services, identity services and user provisioning and role management solutions. The recent rapid adoption of SaaS and cloud-based applications is now significantly straining the on-premise capabilities of existing IT models and approaches.
I think there are lots of executives and IT staff who are running around thinking that SaaS is the promised land. If you consider an SaaS application as "just another application" you will understand that your end-user identities still must be managed in that SaaS application. How are you going to provision, de-provision and update those identities? How are you going to manage the namespace of your corporate identities and the namespace of your SaaS application's identities? (Don't make me break out the Venn diagrams!)

We have a standard called "Services Provisioning Markup Language" (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I'll bet they do not! What do you do then? I've met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning - via some hairbrained interface because the vendor doesn't support SPML - and it only adds to the organization's identity management complexity.

Don't get me wrong. There's lots of promise with SaaS. Unfortunately, the road to the SaaS promised land passes through a few mine fields on the way...

Technorati Tags:
, , , ,

Thursday, June 25, 2009

Catalyst Conference Discounts and Free Passes

Are you thinking about going to this conference? If you are let me help push you over the edge!

Here's how you can get free passes to the hospitality suites (only) here:

Go to:
Use code: queqp2cg

Or, discounted rates to attend the conference here:

Go to:
Use code: queFriend

This really is the best technical identity management conference out there so if you can only get to one then this is it!

Technorati Tags:
, , ,

Wednesday, June 24, 2009

Quest wins Active Directory Partner of the Year!

Yes, we did! Congrats to everyone at Quest! Here's what Microsoft posted on the Worldwide Partner Conference 2009 awards page:
Quest Software offers a suite of solutions that enables migration to Active Directory service from competing platforms, and delivers directory consolidation by extending Active Directory into heterogeneous IT environments. The suite also provides compliance by compiling an audit of system access events and secure dual-factor authentication through one-time password tokens, and creates a single sign-on solution using Active Directory. Quest implemented its solution, replacing a competing platform, to deliver dual-factor authentication of remote users at a lower cost and with zero impact to users. Seamless collaboration across Quest, Microsoft, and a key systems integrator partner enabled the Active Directory migration to be completed quickly and with no system downtime. Quest Software solutions have enhanced thousands of enterprise Active Directory environments, including Dell, Movado, Siemens, ADT, and Shell.

Finalist: Centrify, United States

Finalist: Likewise Software, United States
Update: More from Microsoft here.

Technorati Tags:
, , , , ,

Trusted Cloud Computing

In Infrastructure as a Service (IaaS) cloud services such as Amazon’s EC2, the provider hosts virtual machines (VMs) on behalf of its customers, who can do arbitrary computations. In these systems, anyone with privileged access to the host can read or manipulate a customer’s data. Consequently, customers cannot protect their VMs on their own.
I read two papers on this topic over the last few days and I invite you to take a look at them. If you are short of time at least try to read "Towards Trusted Cloud Computing". This paper gives a good overview of how cloud computing services "have no means of verifying the confidentiality and integrity of their data and computation". This paper helped me to understand some of the core security issues around cloud computing.

One of the references in this paper was to Terra - a trusted platform that enforces a closed box execution environment. While Terra is an academic study, out of Stanford, it does lay the ground work for a better architecture that could be used to secure and protect virtual machines. It's interesting follow-on reading if you're into a more academic discussion of the problem and their proposed solution. I love how they built "Trusted Quake" - yes, that Quake!

Ultimately, I don't know how many customer will care or won't care about security to this level of depth. My suspicion is customers will try to cover their bases via legal agreements versus computational security as discussed in the two papers above. Either way, it is a good idea to get educated on these topics. Also, it is interesting to me that we still have a long way to go yet around trusted computing hardware (and software).

Technorati Tags:

Monday, June 22, 2009

Clear is dead. What about my retinal scans?

I signed up to Clear about 18 months ago. Theoretically, I would get through airport security lanes faster. It involved a registration, fingerprinting and retinal scans. I pretty quickly realized that it was a waste of my money when the people in the "normal" security lines were getting through faster than me. In addition, why was their first question when I showed up to their line "Can I see your drivers license please?"

I let the card expire and for the last two months Clear has been hounding me multiple times a week to renew. Yesterday, I finally told them to stop sending me e-mails and this was their response (above). I guess I got my wish.

Now my question is: What happens to those digital fingerprints and retinal scans they took? Checking their privacy policy reveals this interesting tidbit:
...a copy of your biometric information (but not your name) is retained by the Transportation Security Clearinghouse to prevent fraudulent enrollments under alternate identities.

So, the TSA has my biometric information but not my name in order to prevent fraudulent enrollments under alternate identities? Hmmm, does that mean that the TSA has my biometric information but not my name but does have my social security number? Otherwise, how would they prevent fraudulent enrollments?

Generally speaking I care about this. Specifically, for me, I don't because I've been fingerprinted many, many times by the US government already. (No, I'm not a criminal - I'm an immigrant!)

How much biometric detritus is floating around about me out there? About you?

Follow-up: See Kevin Kampman's (Burton Group) post on this topic here.

Technorati Tags:
, , , ,

Thursday, June 18, 2009

All Defender, all the time

Mr. Stuart Harrison has started to blog! As the product manager behind Defender you can imagine what he'll be discussing most of the time. Check out his latest post on our GrIDsure integration...
GrIDsure’s solution is based on its groundbreaking yet simple invention that allows users to authenticate themselves by remembering a minimum of a four block sequential pattern on a five by five grid. By integrating GrIDsure’s software-based solution, Quest will be able to offer its customers an enhanced level of scalable security at a very competitive price point, whilst enhancing the user experience.

Technorati Tags:
, , , , ,

Thursday, June 11, 2009

Don't get caught in your identity underwear!

Brian Green's experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.
This article made me burst out laughing but behind the humor of someone have all of their "virtual equipment" being sold off there's a serious point to be made: Secret questions used to secure password-reset functions can be woefully insecure.
In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.
If it isn't obvious to all you really must ensure that your secret answers are, in fact, secret and secret means not easily guessed or easily subjected to social engineering attacks. I highly recommend that an out-of-band technique be used to send you your new password. For example, an SMS message with your temporary password to your mobile phone or the use of a one-time password (OTP) as part of your Q&A response profile. Both of these rely on something you know and something you have - much harder for the hacker to defeat.

Don't rely on "shoe size" and "pet's name" or you'll end up being caught in your identity underwear, too.

Technorati Tags:
, ,

Thursday, June 04, 2009

Application Performance Monitoring

Last week I attended a conference here in Europe and a Gartner analyst by the name of Will Cappelli gave a talk on “Application Performance Monitoring: Technology Trends and Market Dynamics”. Normally, it's not the kind of talk that I would sit through but I decided to this time because I am not very familiar with this part of the market. I'm glad I did because Will gave me a perspective that I would have never seen myself:
  • Monitoring applications have been performed differently than monitoring the infrastructure
  • Application-centric monitoring is where things are moving – how to make the application successful in its environment
  • From the businesses perspective the value that IT delivers is embodied in the application portfolio - not the infrastructure. (How often do you say "Wow, the network is fast" versus "Why is PeopleSoft slow?"
  • This shift makes the IT operations management group even more important as time goes on
  • APM = Application Performance Monitoring
  • There is no Business Service Management without a matrix of APM
  • We are almost at the point that the application can dictate the underlying infrastructure that it needs to perform appropriately (e.g., re-configure a VM)
  • The boundary between application and infrastructure is going away
  • You won’t be able to distinguish between virtual and physical applications soon
  • You need holistic monitoring of your application stack – there is more than one way to this: 4 perspectives:
  1. End-user experience monitoring (#1 thing to do – most fundamental task)
  2. Discovering and Modeling the Application
  3. Deep dive monitoring (middleware, database, network, off-the-shelf application stacks)
  4. Ebb and flow of transactions (hard work, embryonic)
How do you tie these 4 data streams together? With a Performance Management Database (PMDB).

The market is moving towards vendors who can provide all of these things (the 4 functionalities + performance management). An integrated, suite approach provides the built-in integration that must be provided via significant integration across “best-of-breed” tools in order to weave together the performance management information together.

This was an interesting session. Especially how there is enough value of putting the 4 items together in a suite coupled with a PMDB to enable a "suite" vendor to succeed. Maybe this is why the identity management "suite" vendors have not succeeded? They haven't figured out the "PMDB" side of things that ties everything together and provides additional added value.

Know what I mean?