Tuesday, December 14, 2010

FedEx’s impressive IAM ROI

FedEx spent $277,000 on an IAM project and saved $500,000 in real costs along with $1.2M in soft costs. This article in CIO Magazine describes how FedEx integrated its security badge management system into its IAM system for both better security and compliance. Clearly, FedEx not only had some clear goals in mind (improve security and regulatory compliance, cut costs and improve operational efficiency) but also had a very clear picture of the ROI potential of the project and what its criteria for success were. I especially appreciated the fact that FedEx quantified both the hard savings ($500K) and the soft savings ($1.2M) associated with eliminating 23,000 annual hours of administrative work related to managing the badging system.

One important factoid was how FedEx decreased the time to get a badge to a new hire from three weeks to near real-time. I’m willing to bet that FedEx employs some contractors, so that’s probably something that could figure into the overall ROI calculation as well. What percentage of those contractors (who you are paying by the hour) would have been affected by a three-week wait for a badge? Multiply that out and I’m willing to bet that FedEx may have saved even more.

This is a good example of some of the upfront work that needs to be done to help measure the impact of an IAM project before you spend the money to do it. The only bit remaining is to re-examine all of the numbers a year after-the-fact to see if, in fact, those savings actually materialized.


-- updated/fixed the article link.

Tuesday, November 23, 2010

Attachmate/NetIQ’s acquisition of Novell

I just had to comment on Earl Perkins’ (Gartner) blog entry on this topic:

In the midst of all of this of course is the identity and access management impact. I see challenges for Quest Software ahead, since they often go head-to-head with Attachmate-NetIQ for Microsoft centric administration customers. I see some relief for the “Big Three” in IAM now, CA, IBM Tivoli, and Oracle, now that a spoiler in many ways may be out for a bit during the ‘absorption’ phase of acquisition. I see advantages for smaller and more nimble players such as Courion, as well as obvious beneficiaries like Microsoft. What will be interesting to see in the days ahead is the impact this has on Novell partners: Verizon in cloud security, VMWare in virtualization, SAP in IAM, and Deloitte in IAM consulting and system integration. One would expect Attachmate not to shoot the goose that lays golden eggs, but you never know.
First, I take this as a great compliment. A few short months ago Quest Software would never have been mentioned from the perspective of “identity and access management”. That shows how far we have come with respect to IAM especially in light of the acquisition of Voelcker Informatik and their ActiveEntry product. Second, in a perfect world, I would be more concerned about this but fortunately (or not) this is not a perfect world…

1. NetIQ has virtually disappeared from our radar. Sure, the acquisition of Novell could change that but will it?

2. When we do run into NetIQ it is almost 100% because the customer has decided to migrate off of their product versus being in a competitive situation.

3. There will be 12-36 months of “spinning” while Attachmate/NetIQ/Novell gets their respective acts together.

4. The smart people at Novell have been and are currently looking for seats in the life boats and those life boats do not have “S.S. NetIQ” stenciled across them. In fact, we’re already interviewing lots of top quality sales and product management talent from Novell.

So, to Earl, the “Big Three” and everyone else: Game on! (Yes, and to quote Earl again: “And buckle your seatbelts.”)

Monday, November 22, 2010

What IP has Microsoft purchased from Novell/Attachmate?

Just checked Microsoft's press releases and nothing there (yet) about this $450M purchase!

Novell also announced it has entered into a definitive agreement for the concurrent sale of certain intellectual property assets to CPTN Holdings LLC, a consortium of technology companies organized by Microsoft Corporation, for $450 million in cash, which cash payment is reflected in the merger consideration to be paid by Attachmate Corporation.

Mary-Jo Foley doesn't know what this is either?


Novell acquired by Attachmate!


Novell, Inc. (NASDAQ: NOVL), the leader in intelligent workload management, today announced that it has entered into a definitive merger agreement under which Attachmate Corporation would acquire Novell for $6.10 per share in cash in a transaction valued at approximately $2.2 billion. Attachmate Corporation is owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Bravo. Novell also announced it has entered into a definitive agreement for the concurrent sale of certain intellectual property assets to CPTN Holdings LLC, a consortium of technology companies organized by Microsoft Corporation, for $450 million in cash, which cash payment is reflected in the merger consideration to be paid by Attachmate Corporation.

The $6.10 per share consideration represents a premium of 28% to Novell's closing share price on March 2, 2010, the last trading day prior to the public disclosure of Elliott Associates, L.P.'s proposal to acquire all of the outstanding shares of Novell for $5.75 per share and a 9% premium to Novell's closing stock price on November 19, 2010.

"After a thorough review of a broad range of alternatives to enhance stockholder value, our Board of Directors concluded that the best available alternative was the combination of a merger with Attachmate Corporation and a sale of certain intellectual property assets to the consortium," said Ron Hovsepian, president and CEO of Novell. "We are pleased that these transactions appropriately recognize the value of Novell's relationships, technology and solutions, while providing our stockholders with an attractive cash premium for their investment."

Mr. Hovsepian continued, "We also believe the transaction with Attachmate Corporation will deliver important benefits to Novell's customers, partners and employees by providing opportunities for building on Novell's brands, innovation and market leadership."

"We are very excited about this transaction as it greatly complements our existing portfolio," said Jeff Hawn, chairman and CEO of Attachmate Corporation. "Novell has an established record of innovation, impressive technology and brand assets, and a leading ecosystem of partnerships and talented employees. The addition of Novell to our Attachmate and NetIQ businesses will enhance the spectrum of solutions we can offer to customers. We fully support Novell's commitment to its customers and we look forward to continuing to invest for the benefit of Novell's customers and partners."

Attachmate Corporation plans to operate Novell as two business units: Novell and SUSE; and will join them with its other holdings, Attachmate and NetIQ.

Friday, November 19, 2010

The Great Cyberheist–Would proper identity management have helped?

This is an excellent New York Times article on how the FBI cracked the biggest ring of hackers who trafficked in databases of stolen card accounts and in devices like magnetic stripe encoders and card embossers. If you are interested in how this is done, or if you have ever had your ATM or credit card re-issued by your bank for security reasons, then you may want to read this article. As I read it there were a few places where I thought an effective IAM/IDM strategy would have helped.

Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators.

Wow, clearly a privileged account management problem. Going from a foothold on one machine to domain administrator means the elevated accounts and group memberships were not being controlled. That could have been addressed with privileged account management software, smartcard authentication for administrators, or simply better control of who is a member of the privileged groups.

Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords

Note the co-opted log-ins and passwords: stale accounts (check the last login date) are exactly what more effective provisioning and de-provisioning would have removed before anyone could borrow them. Of course, had Marshalls bothered to implement 802.1X authentication on the wireless network rather than relying on access points that could be cracked (or worse, left “open”), this may never have happened to begin with.
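As an added illustration (my own example, not from the article or from any vendor product), here is the kind of audit an IAM system would run over a directory export to catch both problems above: enabled accounts that HR says are gone or that nobody has logged into for months, and privileged-group members who are not on the approved list or are not required to use a smartcard. The account records, group names and the 90-day threshold are constructed for the example.

```python
from datetime import datetime

# Constructed directory snapshot for this example (not data from the article).
# Each record mimics the attributes an AD export or IAM repository would hold.
ACCOUNTS = [
    {"sam": "jsmith", "enabled": True, "last_logon": "2010-11-18",
     "groups": ["Domain Users"], "smartcard_required": False, "hr_status": "active"},
    {"sam": "contractor7", "enabled": True, "last_logon": "2010-06-02",
     "groups": ["Domain Users"], "smartcard_required": False, "hr_status": "terminated"},
    {"sam": "svc_pos", "enabled": True, "last_logon": "2010-01-15",
     "groups": ["Domain Users", "Domain Admins"], "smartcard_required": False, "hr_status": "service"},
    {"sam": "adm_kim", "enabled": True, "last_logon": "2010-11-19",
     "groups": ["Domain Admins"], "smartcard_required": True, "hr_status": "active"},
    {"sam": "olduser", "enabled": False, "last_logon": "2009-12-01",
     "groups": ["Domain Users"], "smartcard_required": False, "hr_status": "terminated"},
]

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
APPROVED_ADMINS = {"adm_kim"}   # the list the privileged-account process maintains


def audit(accounts, as_of, dormant_days=90,
          privileged_groups=PRIVILEGED_GROUPS, approved_admins=APPROVED_ADMINS):
    """Return {account: [finding, ...]} for every enabled account that breaks a
    de-provisioning or privileged-access rule. `as_of` is a YYYY-MM-DD string.
    Disabled accounts are skipped: de-provisioning already did its job there."""
    as_of_date = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        problems = []
        last = datetime.strptime(acct["last_logon"], "%Y-%m-%d")
        idle_days = (as_of_date - last).days
        # De-provisioning gap: HR says gone, the directory says still enabled.
        if acct["hr_status"] == "terminated":
            problems.append("terminated-but-enabled")
        # Stale credential: nobody has used it in a long time, so nobody
        # would notice if an attacker started using it.
        if idle_days > dormant_days:
            problems.append(f"dormant-{idle_days}d")
        # Privileged group control: membership must be approved, and admins
        # must authenticate with a smartcard rather than a reusable password.
        if privileged_groups.intersection(acct["groups"]):
            if acct["sam"] not in approved_admins:
                problems.append("unapproved-privileged-member")
            if not acct["smartcard_required"]:
                problems.append("privileged-without-smartcard")
        if problems:
            findings[acct["sam"]] = problems
    return findings


if __name__ == "__main__":
    for sam, problems in audit(ACCOUNTS, "2010-11-19").items():
        print(f"{sam}: {', '.join(problems)}")
```

Run as of 2010-11-19 it flags the terminated contractor whose account is still enabled and the service account that sits in Domain Admins without approval, without a smartcard, and without a logon in ten months: exactly the kind of account that turns a workstation foothold into domain administrator.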

He was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection.

I’m not a SQL expert, but these guys used SQL injection to pull data out of back-end databases through the web applications in front of them. The important point is that SQL injection doesn’t require the attacker to have an account at all: the application’s own database credentials do the work, so whatever privileges that application account holds are what the attacker gets. Whether they ended up with privileged accounts or not is unknown, but parameterized queries in the application, a least-privilege database account, and a file/database activity monitoring tool or a privileged account management product (for SQL or domain accounts) might have prevented this type of access, or at least alerted someone to it.
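Since the article doesn’t show what a SQL injection actually looks like, here is an added example (mine, not from the article) using Python’s built-in sqlite3 module against a constructed table of fake card records. The vulnerable function pastes user input into the SQL text; the safe one uses a parameterized query. Table and column names, the fake card numbers and the payloads are all made up for the example.

```python
import sqlite3


# Constructed sample database for this example: a table of card records like
# the ones the article describes being stolen. All values are fake.
def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY, customer TEXT, pan TEXT)")
    conn.executemany(
        "INSERT INTO cards (customer, pan) VALUES (?, ?)",
        [("alice", "4111111111111111"),
         ("bob", "5500000000000004"),
         ("carol", "340000000000009")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, customer):
    """The flaw: the caller's input is pasted into the SQL text, so a value
    containing a quote rewrites the query the database actually sees."""
    sql = "SELECT customer, pan FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, customer):
    """The fix: a parameterized query. The driver passes the value separately
    from the SQL text, so the same payload is compared literally and matches
    no row instead of changing the query."""
    sql = "SELECT customer, pan FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology and
# dumps every row; the second uses UNION to read the schema catalogue, which
# is how an attacker finds the tables worth stealing in the first place.
TAUTOLOGY = "x' OR '1'='1"
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    """Run both lookups with both payloads and return the rows each gives back."""
    conn = build_sample_db()
    return {
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_schema": lookup_vulnerable(conn, SCHEMA_DUMP),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_normal": lookup_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Run it and the vulnerable lookup hands back every card for the tautology payload and the table definition for the UNION payload, while the parameterized lookup returns nothing for either. Note that neither version needed a privileged account: whatever the application’s database user can read, the injection can read, which is why that account should be granted only what the application needs.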

And one last pointer from the article: Beware of people sitting in cars, with laptops and giant antennas!

    Wednesday, November 17, 2010

    Gartner: New Directions in Federation

    by Bob Blakley. I’m live blogging from the Gartner IAM Summit in San Diego.

    What are the demand drivers for federation?
    • Externalization: The users have left the building and so have the applications!
    • Economic pressures: Emphasis on cost reduction/containment. If you don’t specialize in an activity: outsource it, offshore it, or buy it as a service
    • Globalization and externalization: Enterprises interact with everyone: partners, customers, value chain, governments, higher education, joint ventures, etc. Applications, data, and users are everywhere.
    No application is “safe” from SaaS. CRM, IAM, HR, Contractor Management, Payroll, Travel and expense reporting & processing, web conferencing, productivity applications, 10Q preparation and filing.

    I think if I was starting a new business today I’d look to a goal of 100% of my infrastructure and business tools as SaaS apps.

    There’s a growing supply of federations:
    • Shibboleth deployments in 25 national federations representing 1,500 apps and 15M users
    • Exostar has doubled its customer base to 66,000 orgs
    The ecology is robust and growing.

    Protocol wars are over. SAML 2.0 is preferred by enterprises. OpenID and OAuth continue to attract interest, but mostly for low-assurance uses. Information cards also have interesting use cases. The focus is on solving business problems and using right protocols for the business scenario.

    The business model for federation as a hosted-model still needs to be shaken out.

    An IdP service needs to handle registration, ID proofing, authentication and federation. There are still some holes, such as provisioning (SPML), that this doesn’t cover.

    I highly recommend this paper by Bob: "A Relationship Layer for the Web". It's a free download.

    What are some of the challenges around federation?
    • SAML is not ubiquitous
      • Many apps are not federation ready
      • A hybrid SSO capability will be needed
      • Federated provisioning is in a much worse state than SSO
    • Point to point federations are not scalable for large environments. How do you scale to 100s or 1000s of partners?
    • Compliance: Who audits what?!
    Expanding federation’s scope:
    • Federation focuses on authentication today
      • But real federations require much more than authentication
      • Federation capability needs to be broader and deeper
    Federation trends in 2010:
    - Demand is strong.
    - Cloud is driving
    - Market is responding with innovative solutions
    - Many unresolved issues remain: Uptake of federation protocols; SPML

    Overall this was a great session. But, as Bob pointed out while a lot of progress has been made there’s also a very long road yet to be travelled for federation to really become ubiquitous.


    Monday, November 15, 2010

    Gartner: Delivering IAM to Enterprise Customers and Partners

    by Avivah Litan, Gartner – Live blogging from Gartner’s IAM conference in San Diego

    What are some of the challenges and threats with managing external user identities? Well, the biggest problem is there is no high assurance information about external users in many countries. In the developed world we have passports and third-party data – like credit reports and history – but what about the lesser developed world? The fact of the matter is there are more and more effective threats against user security with new Web 2.0 attacks. As Avivah says, “just about everything can be broken”.

    With respect to knowledge-based authentication (What school did you attend? What’s your mother’s name? Who is your bank? etc.), Avivah presented a case study of 100 of these sessions at a bank: only 49 passed, and of those 49 only 44 were legitimate; the other 5 were fraudsters! So despite all the efforts around knowledge-based authentication, 5 of the 100 sessions (roughly 10% of the ones that passed) let a fraudster in. Scary stuff! “More fraudsters are more successfully answering those ‘secret’ questions!” Avivah also talked about the recent malware attacks on OTP credentials using a man-in-the-browser attack. I blogged about this back in July here.

    Medical fraudsters have bilked Medicare for hundreds of millions of dollars over the last year, all by faking doctor registrations, creating fake clinics and buying stolen healthcare ID numbers. With all of that they were able to pull off this fraud. Again, a great example of why identity and access management needs to be tied into business intelligence.

    The best identification method is “browser mining”, according to Avivah. This is a new technology that requires a log-in and catalogs dozens of variables about the browser and device. However, a lot of the tools that work with “fixed” machines like PCs don’t work in the mobile world, and we’re moving faster and faster to a mobile world, aren’t we? Part of the way to solve this is to use location information, but that means giving up some of our own privacy. As long as my bank is willing to refund any fraudulent activity I don’t really care enough to give up any privacy. It’ll be interesting to see how this all plays out.
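To make “catalogs dozens of variables” concrete, here is an added example (my own, not Avivah’s or any vendor’s implementation) of how a device fingerprint recorded for an enrolled PC can be compared against the attributes seen at login, tolerating the drift a browser update causes while forcing step-up authentication, or a denial, when too much has changed. The attribute names, weights, thresholds and the enrolled profile are assumptions chosen for the example.

```python
# Weights for the attributes a "browser mining" profile would catalogue.
# Constructed for this example; real products use dozens of signals.
WEIGHTS = {
    "user_agent": 2.0,
    "platform": 1.5,
    "screen": 1.0,
    "timezone": 1.5,
    "language": 1.0,
    "plugins_hash": 1.5,
    "fonts_hash": 2.0,
}

ALLOW_THRESHOLD = 0.90    # looks like the enrolled device: password alone is fine
STEPUP_THRESHOLD = 0.60   # some drift: ask for a second factor before proceeding

# Constructed enrolled profile for a customer's usual PC (all values fake).
ENROLLED = {
    "user_agent": "Firefox/3.6.12",
    "platform": "Win32",
    "screen": "1680x1050",
    "timezone": "-300",
    "language": "en-US",
    "plugins_hash": "a1b2c3",
    "fonts_hash": "d4e5f6",
}


def ua_similarity(stored, observed):
    """A browser update changes only the version, so treat the same family
    with a different version as a partial match instead of a mismatch."""
    if stored == observed:
        return 1.0
    if stored.split("/")[0] == observed.split("/")[0]:
        return 0.7
    return 0.0


def fingerprint_score(stored, observed, weights=WEIGHTS):
    """Weighted share of catalogued attributes that still match the profile.
    Attributes missing on either side are ignored rather than counted against
    the user, which is what makes the same scoring usable on mobile browsers
    that expose fewer signals."""
    total = sum(weights.values())
    matched = 0.0
    for attr, weight in weights.items():
        if attr not in stored or attr not in observed:
            continue
        if attr == "user_agent":
            matched += weight * ua_similarity(stored[attr], observed[attr])
        elif stored[attr] == observed[attr]:
            matched += weight
    return matched / total


def decide(score):
    """Map the score onto the three outcomes a login flow needs."""
    if score >= ALLOW_THRESHOLD:
        return "allow"
    if score >= STEPUP_THRESHOLD:
        return "step-up"
    return "deny"


def evaluate(observed, enrolled=ENROLLED):
    """Score the attributes seen at login against the enrolled profile."""
    score = fingerprint_score(enrolled, observed)
    return score, decide(score)


if __name__ == "__main__":
    bumped = dict(ENROLLED, user_agent="Firefox/3.6.13")
    moved = dict(ENROLLED, timezone="+180", platform="Linux i686", fonts_hash="ffffff")
    for label, obs in (("same device", ENROLLED), ("browser update", bumped), ("new device", moved)):
        print(label, evaluate(obs))
```

A browser update alone still scores above the allow threshold; a different time zone, platform and font set together drop it below the deny line, which is the point at which the “location information” Avivah mentioned would be the next signal to consult.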

    Trust, but verify!


    Gartner: Identity and Access Intelligence

    by Earl Perkins, Gartner

    - IT has been too busy keeping the IAM fires burning, or putting them out to really add value to the business. We have all the potential sources for this intelligence. We are sitting on a gold mine of intelligence.

    - Unless you (IT) can provide actionable intelligence for business decision making, go home.

    - IAI is part of a broader spectrum of enterprise security intelligence. So you have to know your place.

    - Those who benefit from the convergence of IAI and BI (business intelligence) are the customers.

    - IAI’s core responsibility to the business is accountability of access to critical resources and the transparency to see it.

    - We can justify IAM through intelligence. You can justify your presence and your relevance via identity and access intelligence.

    - Gartner’s strategic planning assumption: “Through 2013, notable IAM project failures will cause 50% of all companies to shift IAM efforts to intelligence, not administration.”

    - Current IAM projects are difficult to justify as efficiency efforts alone. I totally agree with this!

    - Cloud computing security concerns increase the value of log and repository information.

    - Privacy concerns will hinder aggressive use of IAI

    - We’ve moved from what I used to call triple-A (administration, authentication and authorization) to IAAA: Intelligence, administration, authentication and authorization.

    - Someone needs to have a global understanding of all the data, schemas and key repositories being collected in the business and through IAM. SAP has done a lot of work here according to Earl.

    - Adjacent IAI influences and influencers include SIEM, GRC, IT GRC, BPM, NAC, BI, DLP – enough acronyms yet?!

    - IAI can bring the “who” view to SIEM, for example. This is something ArcSight (HP) did.

    - IAI is about helping to say what will happen. Not what happened and more than why did it happen.
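As an added example of that “who” view (mine, not ArcSight’s or Gartner’s), the code below enriches constructed key=value logon events with the identity data an IAM repository would hold and raises the alerts that only make sense once you know who is behind the account: activity by a terminated user, an account with no identity behind it, and a successful logon to an asset owned by a different department. The log format, field names, users, hosts and asset ownership are all constructed for the example.

```python
import re

# Constructed authentication events in a simple key=value syslog style
# (made up for this example; no real log source or product format is implied).
LOG_LINES = [
    "2010-11-15T09:12:03 host=fin-db01 user=pfinance action=logon result=success src=10.1.4.22",
    "2010-11-15T09:14:41 host=fin-db01 user=jsmith action=logon result=success src=10.1.7.90",
    "2010-11-15T09:20:17 host=fileserver01 user=contractor7 action=logon result=success src=10.1.9.5",
    "2010-11-15T09:21:02 host=hr-app user=backdoor1 action=logon result=failure src=10.1.9.5",
    "2010-11-15T09:21:30 host=hr-app user=backdoor1 action=logon result=success src=10.1.9.5",
]

# Constructed identity repository: what the IAM system knows about each user.
IDENTITY = {
    "pfinance":    {"status": "active",     "department": "Finance",   "manager": "cfo"},
    "jsmith":      {"status": "active",     "department": "Marketing", "manager": "cmo"},
    "contractor7": {"status": "terminated", "department": "IT",        "manager": "itmgr"},
}

# Which department owns each asset; None means shared infrastructure.
ASSET_OWNER = {"fin-db01": "Finance", "hr-app": "HR", "fileserver01": None}

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Turn one log line into a dict of fields, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def enrich(event, identity=IDENTITY, asset_owner=ASSET_OWNER):
    """Attach the 'who' context to a raw event and derive identity-aware alerts.
    The raw log answers 'which account'; the identity data answers whether that
    account should exist and whether its owner belongs on that asset."""
    who = identity.get(event["user"])
    enriched = dict(event)
    enriched["identity_status"] = who["status"] if who else "unknown"
    enriched["department"] = who["department"] if who else None
    enriched["manager"] = who["manager"] if who else None
    alerts = []
    if who is None:
        alerts.append("orphan-account")            # account with no identity behind it
    elif who["status"] == "terminated":
        alerts.append("terminated-user-activity")  # de-provisioning missed this one
    owner = asset_owner.get(event["host"])
    if (event["result"] == "success" and owner
            and (who is None or who["department"] != owner)):
        alerts.append("cross-department-access")
    enriched["alerts"] = alerts
    return enriched


def alerts_by_user(lines, identity=IDENTITY, asset_owner=ASSET_OWNER):
    """Summarize a batch of log lines as user -> sorted distinct alert names."""
    summary = {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        for alert in enrich(event, identity, asset_owner)["alerts"]:
            summary.setdefault(event["user"], set()).add(alert)
    return {user: sorted(alerts) for user, alerts in summary.items()}


if __name__ == "__main__":
    for user, alerts in alerts_by_user(LOG_LINES).items():
        print(user, alerts)
```

Without the identity join, the five lines above are five successful or failed logons and nothing more; with it, three of them become findings the SIEM can route to a person, which is the “actionable intelligence” Earl is talking about.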

    This session was a great follow-on from this morning’s keynote by Bill Hostmann. Earl took it a double-click deeper though. It’s really important to be looking at the identity and access management systems in the light of the business versus just the IT group. Will this be more difficult? Absolutely. Throw in cloud data and you can see how deep this water can get. This is definitely graduate school for IAM!!! And, as Earl stated, this is a 5-10 year vision. It is not going to be accomplished overnight.



    Gartner: Transforming IAM–The New Business Intelligence Connection

    by Bill Hostmann, Gartner. Live blogging from Gartner’s IAM conference in San Diego

    Bill’s keynote followed the conference kick-off by Earl Perkins and Ray Wagner. As Earl and Ray mentioned this is the 5th Gartner IAM show and it is getting better year after year.

    - BI initiatives in organizations are at the top of business investment these days.

    - BI helps to increase the level of business impact that the (IAM) information has.

    - City of Richmond, VA: Made groundbreaking decisions by including social networking as part of the crime analysis. They had bad assumptions like Christmas being the day of least criminal activity. Turns out it was really Superbowl Sunday.

    - Moving IAM from traditional operational efficiency to strategic business transformation, and from lowering TCO to higher business agility and scale, are the key things to really up-level IAM with CIOs and other senior staff at your company. How many business value discussions have you had around IAM where you could show or demonstrate how you will increase the organization’s revenue? This is extremely important.

    - You have to align the deciders, the thinkers and the engineers around any of these BI initiatives to maximize IT and business value.

    - You start with key performance indicators (KPI) and take a solution architecture approach to maximize business value.
    - “Actual business impact” is what you are driving for. Much more impactful than “actual IT impact”, eh?!

    - Only about 10% of companies have a BI architect, unfortunately. Companies should consider a BI competency center as part of program management.

    I do believe that BI has the capability to transform the value of IAM in the future and to truly make it relevant to the business. It’s going to be a bit of tough road both for the vendors and for the IT folks. Crossing the chasm from IT value to business value using BI as the bridge is going to take new skills all around…




    Friday, November 12, 2010

    Gartner Identity & Access Management Summit 2010 - See you there?

    Quest Software will be attending, exhibiting and speaking at the Gartner IAM Summit in San Diego next week (Nov 15-17). I'll be there along with many of my fellow IAM colleagues.

    A few of the sessions I am especially interested in:

    • The Future of Information Security is Context- and Identity-aware (Neil MacDonald)
    • Transforming IAM: The New Business Intelligence Connection (Bill Hostmann)
    • Economics of Identity Management (Bob Blakley)
    • IAM Intelligence and Analytics (Earl Perkins and Mark Nicolett)
    • Identity Assurance (Bob Blakley)
    • Managing Identity in the Cloud (Gregg Kreizman)

    I hope to see you at a session or at our hospitality booth!


    Friday, November 05, 2010

    Q&A: IAM and the Unix/Linux Organization

    There’s an article in Enterprise Systems with this title that I wanted to draw your attention to. The author, James Powell, spent some time talking to me about this topic and you can find my answers to his questions in his article. Basically, the article discusses how Unix/Linux systems needn’t be islands of identity, the challenges and options for addressing authentication, provisioning and security, and takes a closer look at Active Directory bridge products.

    Some of the questions we discussed include:
    • What are some of the unique challenges Unix/Linux organizations face with identity and access management (IAM)?
    • What are the options to address those challenges?
    • Can you explain the idea behind Active Directory bridge products? What are the benefits and drawbacks of such products?
    • What makes these AD bridge solutions different from the native tools available through OS providers and open source options?
    • With such a fundamental shift in IAM strategy with an AD bridge solution, what are some of the things organizations should look out for?
    • How is this different from more “traditional” solutions (such as a metadirectory and synchronization)?
    • Can you give some examples of where and how AD bridge technologies are used in the real world?
    • What does Quest offer for Unix/Linux IAM?
    So if you’re interested in any of these questions I’d invite you to take a closer look at James’ article.

    Tuesday, November 02, 2010

    Quest Authentication Services wins 2010 Redmond Magazine Readers Choice Award

    In the “Best Interoperability Product” category we were awarded Preferred Product status. We were also the only Active Directory (AD) bridge product to make the list at all. You can read all about it at their website.
    What I do like about Redmond Magazine and the readers choice award is it really is the readers choice:
    Redmond sent its Readers Choice survey to 40,000 subscribers of the magazine, each of whom could only fill out the survey once. Vendors are not allowed to vote. This year, we're again awarding "ISV Winner" status to non-Microsoft, independent vendor entries that didn't win their categories outright but managed to beat everybody else but Microsoft.
    This is one more proof point that Quest Authentication Services 4.0 is hitting the mark with new, leading features like:

    Detailed Auditing and Alerting: Consolidating Unix data into Active Directory is just part of the picture. Authentication Services 4.0 solves the challenge of how to audit, report and alert on who makes changes to critical Unix data that is now stored in Active Directory. Version 4.0 includes award winning functionality to deliver full visibility and change alerting into who made changes, to what, when, where, and even why.

    Web-based Administrative Console: Effective management is essential when integrating Unix with Active Directory. The new web-based administration console dramatically simplifies deployment, expands management to local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of the Active Directory Bridge product.

    One-time Password Authentication: Easily add another layer of security in situations that require it, for example when deploying Unix systems into tightly controlled network environments (e.g., a DMZ). With new functionality included in Authentication Services 4.0, Active Directory users can be required to authenticate to Unix systems with a one-time password. Everything required for an out-of-the-box solution comes with 4.0, including hardware and software tokens, PAM modules, Group Policy management capabilities and end-user licenses.

    Freeware Administrative Console: The administrative console is available free-of-charge to any organization wishing to take advantage of its local Unix user and group management capabilities.

    Advanced Management: Support for the flexible scripting of PowerShell, additional ADUC integration, and automated configuration tools.

    Group Policy: Patented Group Policy functionality expands to include macro support, which enables a single GPO to be re-used across multiple Unix systems. In addition Mac OS X Group Policy support keeps pace with the latest OS from Apple (OSX 10.6 Snow Leopard).

    Privileged Account Management: Authentication Services 4.0 includes optimized integration with Quest Privilege Manager for Unix. Solve Unix security initiatives that need to control which users can access which system and what elevated rights they have. For example use Active Directory group memberships and Group Policy for streamlined management tasks.

    Wait until you see what we have coming in 2011 – more awesomeness is on the way!

    Monday, November 01, 2010

    Microsoft to add Java support to Azure

    I caught this post over at Mary-Jo Foley’s “All about Microsoft” blog. This doesn’t surprise me. In fact, it would surprise me more if they decided they wouldn’t support Java in Azure. They already support a bunch of other non-.NET languages, so why not Java? Might there be identity data that needs to be accessed from Java? Might there be identities to authenticate or authorize from Java? The really interesting part for me is whether, if they start supporting Java in Azure, they will do that in other areas too, like federation, for example. Microsoft needs to be as open as it can be, and this is one small step in that direction, but there are a lot of other steps still to be taken.
    Microsoft has been touting for a while the ability for developers to use a variety of tools, like Java, PHP, Ruby and Eclipse, when developing applications for Windows Azure. But the company is going to step up its Java support for Azure in the coming weeks and months, elevating Java to a “first-class citizen” in the Microsoft cloud realm.
    The reasons Microsoft is interested in doing this aren’t hard to figure. There are lots of Java developers out there whom Microsoft would be excluding from its potential cloud customer base if it didn’t support anything beyond .Net. And Microsoft cloud competitors like VMware, Amazon and Google all have built Java support into their respective platforms.

    Saturday, October 30, 2010

    Choosing the right authentication method

    There’s lots of talk about whether smartcards are better than one-time passwords (OTP), or is OTP easier than smartcards to implement, or is a soft-token as secure as a hard-token? I came across this article
    “Proof Of Identity: How To Choose Multifactor Authentication” which had a pretty good run down on the various options, how secure each option was and how easy or hard it was to maintain those authentication methods. The article is below but there’s also a link to a white paper on the topic (requires registration) which you might find useful to read. As you can imagine, the answer to the question of which authentication method is best is “it depends”. Let me tell you how I would choose:

    Ask yourself this question: Do you trust your employees? Do you run new hires through employment verification? If the answer is a basic yes then in my opinion you don’t need fancy (e.g., iris scans) or real heavy-duty strong authentication. You can get by with SMS tokens or OTP-based soft-tokens that run on your smartphone. If the answer is no, then you are more likely a government department or your firm is somehow working in a sensitive area (defense, government-related, power plant, etc.) and you are not allowed to trust your employees. In that case, go for the gusto, use a smartcard or fancy biometrics.
    To control access to your Web-based applications, you need to identify and authenticate anyone wishing to use them -- that is, verify they are who they say they are. But how do you choose the right method of authentication? There's the rub.
    Why do you need to implement strong or two-factor authentication for your Web applications? First, lawmakers have pushed security to the top of the agenda, and strong authentication is part of that agenda. Laws such as Sarbanes-Oxley and requirements such as PCI DSS mean single-factor authentication is no longer adequate for protecting access to high-value or personally identifiable information and providing reliable audit trails.
    Second, any organization that sees customer trust as a business priority needs to provide secure authentication, and the password approach doesn't do that. Many organizations, though, are wary of implementing strong authentication due to its perceived cost. However, managing passwords can be expensive, too. They provide too low a level of trust to be considered a viable option where assets of any value are involved.
    And the situation's getting worse. The growing use of number-crunching power of modern graphics cards to carry out brute-force attacks will soon make it trivial for hackers to crack strong passwords. Adding a second-factor credential to the authentication process provides additional security as well as a higher level of trust between a user and an application. Let's look at some of the options for authenticating users to Web applications.
    The technologies for implementing strong Web authentication are:
    • Soft or hard digital certificates
    • One-time passwords (OTP)
    • Challenge-response
    • Authentication-as-a-service (AaaS)
    Management is going to want a solution that's effective, flexible, and scalable, and can be implemented with minimum disruption and cost. Your customers, on the other hand, will want a solution that not only offers increased security but is easy to use.
    There are three key factors to consider when choosing the right solution: time, risk and cost. If you know what your users will bear in terms of time to log on, and if you can weigh the risks associated with each method against its costs, you will find the solution that fits best for your applications.
    For a detailed discussion of how to evaluate these factors and how they stack up against the various alternatives in Web authentication, download the full report.
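Since soft-token OTP is the option I’d point most organizations at, here is an added example (mine, not from the article or the white paper) of what a server actually does to verify one: the HOTP algorithm from RFC 4226, TOTP from RFC 6238 built on top of it, and the two verification routines with the look-ahead window, clock-skew allowance and replay rejection a real deployment needs. The seed value is the one the RFCs use for their published test vectors; the window sizes are assumptions for the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically
    truncated to a 31-bit integer, then reduced to the requested digit count."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret, code, server_counter, look_ahead=5):
    """Counter-based (event) token check. Accepts codes within a look-ahead
    window, since the user may have pressed the button a few times without
    logging in, and returns the next counter to store. A code at or below the
    stored counter is a replay and is rejected because the search never looks
    backwards. compare_digest avoids leaking the match through timing."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret, code, unix_time, last_accepted_step=-1, step=30, skew=1):
    """Time-based token check allowing +/- `skew` steps of clock drift.
    Returns the matched time step (to be stored as last_accepted_step) or
    None. Steps at or before the last accepted one are refused, so a code
    captured by a man-in-the-browser cannot be replayed inside its window."""
    base = unix_time // step
    for delta in range(-skew, skew + 1):
        candidate = base + delta
        if candidate <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    seed = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector seed
    print("HOTP counters 0..2:", [hotp(seed, c) for c in range(3)])
    print("TOTP for now:", totp(seed, int(time.time())))
```

Two things the code makes visible that the article only hints at: the server, not the token, decides how much counter drift or clock skew to forgive, and once a code is accepted the stored counter or time step must move forward, otherwise the “one-time” in one-time password is only a promise.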

    Saturday, October 23, 2010

    Integrating Unix and Linux Systems with Quest’s IAM Platform - Voelcker ActiveEntry

    It’s been nearly a month since my last blog post. Things have been very busy and hectic to say the least, but I figured it was time to get back to posting so here goes...

    One of the things that many people on the IAM team here at Quest have been working on is integrating various aspects of the current Quest IAM portfolio with our latest acquisition – Voelcker ActiveEntry. In my last post I talked about the integration of Microsoft’s Forefront Identity Manager (FIM) product with ActiveEntry.

    In the screen shot below you can see that we have made more progress and have integrated Unix/Linux systems and identities into ActiveEntry. Fortunately, the design of ActiveEntry and of our Unix/Linux identity products allows us to easily integrate these capabilities into the ActiveEntry platform. A very valid question anyone might ask is whether this is simply showing the features of one product in another. The answer is definitely “no”; in fact it is much more.

    By leveraging ActiveEntry’s capabilities and the web services interfaces in our Unix/Linux products, it’s fairly easy for us to enable the integration and, more importantly, to provide some real value-add. Let me give you just a few examples of that value-add:
    • Independent but integrated: Based on your role, use the interface you prefer. A Unix/Linux administrator may prefer the straightforward web interface that’s built into Quest Identity Manager for Unix (a free download, by the way) while an end-user or business manager might prefer the more business/task oriented interface of ActiveEntry (below).
    • Enable end-user self-service: The integration with ActiveEntry enables Unix/Linux servers to be made available in the “Shop” interface so an end-user can request access to a particular Unix/Linux server by its individual server name or perhaps by the business application that is being hosted on that machine.
    • Approvals through integrated workflow: Once someone has shopped for a Unix/Linux server or business application, a workflow request can be sent to the appropriate approval manager or administrator. Or perhaps you’d like all requests to be automatically approved? Depending on your compliance requirements, you have the power to make that choice.
    • Enhanced compliance: By tying the approval process into ActiveEntry’s compliance capabilities you can do things like run reports to determine who requested access to a Unix/Linux server, who approved the access, etc.
    • Separation of Duties: Integrating Quest’s Unix/Linux identity products into ActiveEntry enables the system to have an all-up view of the many identities across your enterprise, including other systems like HR, your Active Directory account information, group memberships, etc. All of this information can be used by ActiveEntry to perform separation of duties (SoD) checks when someone requests access to a Unix/Linux server. You can prevent the administrator of a Unix/Linux server from being the same person who approves access, for example. Or you could check to ensure that members of a particular group in Active Directory (e.g., contractors) cannot request a Unix/Linux account without additional approvals.
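    As an added illustration of the two SoD rules just described (this is example code, not ActiveEntry's, and every identity, group and host name in it is constructed), here is how such a check can be expressed: the approver must not administer the host being requested, and members of a restricted AD group such as Contractors get routed for a second approval. The self-approval check is an obvious extension not mentioned in the post.

```python
"""Separation-of-duties checks for Unix/Linux access requests.

Added example modelling the two SoD rules described in the post plus a
self-approval check. Not ActiveEntry code; all identities below are
constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Identity:
    name: str
    ad_groups: frozenset  # Active Directory group memberships
    admin_of: frozenset   # Unix/Linux hosts this person administers


@dataclass
class AccessRequest:
    requester: str
    approver: str
    host: str


@dataclass
class Decision:
    allowed: bool
    extra_approval_required: bool = False
    reasons: list = field(default_factory=list)


# Constructed policy: groups whose members need a second approval.
RESTRICTED_GROUPS = frozenset({"Contractors"})

# Constructed identity directory standing in for HR + AD + Unix data.
DIRECTORY = {
    "alice": Identity("alice", frozenset({"Engineering"}), frozenset({"db01"})),
    "bob": Identity("bob", frozenset({"Contractors"}), frozenset()),
    "carol": Identity("carol", frozenset({"Managers"}), frozenset()),
}


def sod_check(req, directory=DIRECTORY):
    """Evaluate an access request against the SoD rules and return a Decision."""
    requester = directory[req.requester]
    approver = directory[req.approver]
    decision = Decision(allowed=True)

    # Rule 1: whoever administers the host must not approve access to it.
    if req.host in approver.admin_of:
        decision.allowed = False
        decision.reasons.append(
            f"{approver.name} administers {req.host} and cannot approve access to it")

    # Self-approval is the trivial form of the same violation.
    if req.requester == req.approver:
        decision.allowed = False
        decision.reasons.append("requester and approver are the same person")

    # Rule 2: restricted group members (e.g. contractors) need an additional approval.
    restricted = requester.ad_groups & RESTRICTED_GROUPS
    if restricted:
        decision.extra_approval_required = True
        decision.reasons.append(
            f"{requester.name} is in {sorted(restricted)}; second approval required")
    return decision


if __name__ == "__main__":
    for req in (AccessRequest("bob", "alice", "db01"),
                AccessRequest("bob", "carol", "db01"),
                AccessRequest("alice", "carol", "web01")):
        print(req, "->", sod_check(req))
```

    In a real deployment the directory lookup would be fed from the HR, AD and Unix sources the post lists; the decision logic stays the same.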
    This example of how we are integrating Quest Identity Manager for Unix with ActiveEntry is just one of many product integrations that are underway right now. I will definitely showcase more of these examples so you can get the feel of how we’re leveraging the capabilities of ActiveEntry.


    Wednesday, September 29, 2010

    Voelcker ActiveEntry continues to impress me!


    I’m sitting here in the Quest Chicago offices with a bunch of our identity specialists getting some advanced training on ActiveEntry. I continue to be impressed by this product. This is a screen shot of the out-of-the-box dashboard, showing a pie chart of the external and internal employees this manager is managing along with a traffic light that signifies whether any of his employees are locked out. The dashboard can be customized simply by enabling or disabling the various reports that are available to you. Some of the default reports that can be included in the dashboard are:
    • Accounts without requests
    • Blocked employees with enabled accounts
    • Employees by status
    • New rule violations by department
    • Pending requests by department
    • Rule violations by department
    • Top 10 entitlements with members by department
    • Top 10 roles with members by department
     All of this is available at installation. No programming. No consulting. No effort. No sweat.

    Thursday, September 23, 2010

    IAM horror stories from Atlanta – times three!


    “We’ve hardly exploited the product – but we paid full price!”

    This is what a customer told me here in Atlanta today. I had spent the morning talking with them about their identity management initiatives. Does anyone out there believe that a company has only one identity management product, suite or vendor? I hope not. I rarely meet a customer that has only one. This customer already had two and was talking to us about our capabilities. They had both XXXXXXX and XXXXXX. I’m happy to add Quest because I will make sure that they are H-A-P-P-Y with our solution.

    I finish my meeting and head to my hotel room to interview a sales director for our identity management team and my mobile phone rings: “Dude, when are you back in Seattle? I have a customer who has XXXXXX Identity Manager. They’ve spent a ton of money and don’t want to spend any more. Will you talk with them?”

    After I get off the candidate interview my mobile rings again. It’s a different sales rep: “I just talked with XXX and they have XXXXXX Identity Manager. They’ve spent $3M and have been asked to spend another $3M. They want to talk to us!”

    So, I don’t know if it’s because we bought Voelcker that customers are falling out of trees or what but in one day we had three opportunities pop up! What a day. Oh, and of the three opportunities two were to displace XXXXXX Identity Manager and the other was to displace another Gartner Magic Quadrant “Leader”.

    What are my take-aways?

    1. Many customers have more than one identity management product, suite or vendor in the house already.
    2. Customers are not happy with what they have.
    3. IAM is important enough that, despite rampant failures, customers still want to solve the problem even if it means selecting another vendor and spending more money.
    4. Being in the leadership quadrant has absolutely nothing to do with how successful you, as a customer, will be.

    Exciting times for an upstart IAM vendor like Quest Software eh?!


    Friday, September 17, 2010

    Even governments give “sales” discounts!

    This was an interesting read in itself, but I had to laugh at the comment that the UK government gave RBS a 30% discount on the fine it was going to impose because RBS did not challenge the findings!

    Bank fined $9.7m over poor IT governance

    RBS' IT systems could have let fraud go unmonitored.

    UK financial services regulator the Financial Services Authority [FSA] has fined the Royal Bank of Scotland (RBS) £5.6 million (A$9.7 million) for implementing shoddy IT systems which left it in breach of the country’s money laundering laws.

    The bank had implemented its treasury IT system in 2006, which was meant to screen incoming and outgoing cross-border payments. According to the FSA, RBS neglected to check the accuracy of the systems since its implementation. “After the initial set up, the results produced by the screening filters were not routinely reviewed or monitored by RBSG to ensure that they were appropriate. This meant that over time the ‘fuzzy matching’ parameters initially set by RBSG became significantly less effective at identifying potential matches,” the authority said in its decision notice this week.

    For two years the bank failed to screen a single incoming payment from a foreign source. It also missed the bulk of outgoing payments by its customers, except those destined for the US. “RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA. Under UK laws financial institutions are meant to match customer transactions to the government’s treasury list, known as Her Majesty’s Treasury. The Treasury’s Asset Freezing Unit (AFU) maintains a list of people identified by the United Nations, the European Union and the UK. If the financial institution identifies a transaction that may correlate to a person on that list, it must stall the payment until it determines whether it is an exact match. If it is the bank should alert the AFU.

    The FSA said it could have fined RBS $13.8 million, but offered RBS a 30 percent discount for not challenging its decision.
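    The failure the FSA describes is a screening filter whose fuzzy-matching parameters were never reviewed after go-live. The following added example (not from the FSA notice, RBS or any vendor) shows the shape of such a filter and the kind of review metric that would have exposed the drift: a similarity threshold decides which beneficiary names are held for review, and a hit-rate figure tracked over time shows when a parameter change has quietly made the filter stop catching near-matches. The watch list and payments are constructed, and difflib's ratio is a stand-in for whatever matching algorithm the bank's system actually used.

```python
"""Payment name-screening with a tunable fuzzy-match threshold.

Added example: demonstrates why screening-filter output must be reviewed.
The watch list and payment beneficiaries are constructed sample data; the
difflib similarity ratio stands in for a production matching algorithm.
"""
from difflib import SequenceMatcher

# Constructed watch list standing in for the Asset Freezing Unit list.
WATCH_LIST = ["Ivan Petrov", "Global Trade Holdings", "Maria Alvarez"]

# Constructed batch of outgoing payment beneficiaries for a review run.
PAYMENTS = ["Ivan Petrov", "I. Petrov", "Maria Alvares",
            "Acme Widgets Inc", "Global Trade Holding"]


def normalise(name):
    """Lower-case, drop punctuation and collapse whitespace so that
    spelling noise alone does not defeat the comparison."""
    cleaned = "".join(ch for ch in name.lower() if ch.isalnum() or ch.isspace())
    return " ".join(cleaned.split())


def similarity(a, b):
    """Similarity in [0, 1] between two names after normalisation."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()


def screen_payment(beneficiary, watch_list=WATCH_LIST, threshold=0.85):
    """Return (watch_name, score) pairs at or above the threshold, best first.
    Any hit means the payment must be held until an analyst confirms or
    clears the match; an empty list means the payment is released."""
    hits = [(entry, round(similarity(beneficiary, entry), 2))
            for entry in watch_list
            if similarity(beneficiary, entry) >= threshold]
    return sorted(hits, key=lambda h: -h[1])


def hit_rate(payments, threshold):
    """Fraction of a batch the filter would hold at a given threshold.
    Tracking this per review period is the monitoring the FSA found missing:
    a sudden fall after a parameter change means near-matches such as
    'I. Petrov' are now being released unseen."""
    held = sum(1 for p in payments if screen_payment(p, threshold=threshold))
    return held / len(payments)


if __name__ == "__main__":
    for t in (0.80, 0.85, 0.95):
        print(f"threshold {t}: hit rate {hit_rate(PAYMENTS, t):.2f}")
    print("I. Petrov @0.85:", screen_payment("I. Petrov", threshold=0.85))
    print("I. Petrov @0.80:", screen_payment("I. Petrov", threshold=0.80))
```

    Raising the threshold from 0.80 to 0.85 is enough for the abbreviated "I. Petrov" to slip through while the exact and near-exact names still hit, which is exactly the kind of quiet loss of effectiveness a periodic review of hit rates and sampled releases is meant to catch.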

    Monday, September 13, 2010

    HP buys Arcsight

    Just read this in the Wall Street Journal:
    Hewlett-Packard Co. (HPQ) agreed to buy security-software maker ArcSight Inc. (ARST) for about $1.5 billion, continuing the company's spending spree that began after Chief Executive Mark Hurd resigned last month.
    I wonder if, as the article implies, this leads to additional consolidation within the security market. I did like what ArcSight was trying to achieve around identity with their SIEM capabilities by integrating identity management into the SIEM equation:
    ArcSight IdentityView is a specialized solution module, built on the ArcSight SIEM Platform, designed to enhance the value of IAM technologies. It combines the broad activity collection and correlation of SIEM with the user and role management of IAM. As a result, organizations realize the value of their IAM investment more quickly, get a complete picture of user activity, and can pass compliance audits with confidence.
    It will be interesting to see both if HP can be successful with their integration of ArcSight and if they manage to value (and keep) the IAM part of this technology.

    Friday, September 10, 2010

    Exclusive Training and Networking Events for Quest Customers in Europe

    If you are a Quest customer, we’re pleased to introduce two user group meetings, offered Wednesday afternoon immediately following the close of The Experts Conference in Germany. The user group meetings, highlighting ActiveRoles Server and ChangeAuditor, will bring together users for an interactive discussion around best practices and roadmap plans. We hope you’ll join us!

    ActiveRoles Server User Group Meeting – Wednesday, 6 October | 13:30 – 16:30
    To Register, Please Email: Allison.Main@quest.com
    Please join us for an exclusive ActiveRoles Server User Group Meeting at The Experts Conference (TEC) Europe 2010 on Wednesday, 6 October from 13:30 to 16:30 at the InterContinental Dusseldorf. We’ll discuss best practices for ActiveRoles Server’s provisioning and day-to-day Active Directory management. We’ll cover deployment scenarios, product roadmap and a live product demonstration of our upcoming 6.7 release. Best of all, we’ll have the rare opportunity to hear from you in person!

    ChangeAuditor User Group Meeting – Wednesday, 6 October | 13:30 – 16:30
    To Register, Please Email:

    Do you own Quest ChangeAuditor? If so, please join us for our User Group Meeting at The Experts Conference (TEC) Europe 2010 on Wednesday, 6 October, from 13:30 to 16:30 at the InterContinental Dusseldorf.

    We will demonstrate what is new in ChangeAuditor 5.0 and the recently-released ChangeAuditor 5.1 and preview new capabilities and features that are being added to version 5.5 and beyond. We will also discuss key integration points between ChangeAuditor and InTrust. Then, join in a discussion with your peers on how other organizations are leveraging ChangeAuditor to track, audit, report and alert on changes in their environment.  Whether you use ChangeAuditor to monitor Active Directory, Exchange or your Windows file servers, you are sure to get some relevant take-aways from this meeting.

    Thursday, September 09, 2010

    Controlling the Risk of Active Directory Domain Admins

    Quest is sponsoring a live webcast with industry expert Randy Franklin Smith on controlling the risk created within organizations when system administrators have absolute power over Active Directory.  If you would like to attend the webcast, click on the below link.

    Live Webcast - Absolute Power: Controlling the Risk of Domain Admins
    September 21, 2010, 11:00 a.m. ET

    Systems with all-powerful administrators are at risk for unintended changes and malicious acts.  During this one hour "Real Training for Free™" event, Randy Franklin Smith will show you how to use Active Directory’s built-in delegation of control feature to get the majority of people out of the Domain Admins group and grant administrators only the granular authority they actually need.  You’ll also learn to use the security log to monitor any changes, as well as how to quickly restore privileges in case of an emergency.

    Then Quest will demonstrate their innovative solution that makes it easy to manage least privilege using self-service and automation.

    Register for the webcast


    Wednesday, September 08, 2010

    Quest Authentication Services – Upcoming Lunch and Learns in Denver and Omaha

    We’re going to have some smart guys leading a lunch and learn on the latest release of Quest Authentication Services in Denver and Omaha in a couple of weeks. If you are in the area and have the opportunity to join us we’d love to meet you. Here are the details:

    Lunch Discussion:  Improve Security, Compliance and Productivity with Quest’s AD Bridge Solutions
    When: Tuesday, September 21 from 11:45 a.m. to 2:00 p.m.
    Where:  McCormick & Schmick's Seafood Restaurant – Denver, CO (DTC)

    Lunch Discussion:  Improve Security, Compliance and Productivity with Quest’s AD Bridge Solutions
    When: Wednesday, September 22 from 11:45 a.m. to 2:00 p.m.
    Where:  Fleming’s Steakhouse – Omaha, NE
    Consolidating identities into AD reduces the complexity and costs of identity management while improving security, compliance, and productivity. At this luncheon we will discuss best practices for evaluating AD bridge solutions, and explain how Quest‘s solutions can meet the unique needs of every organization.  Key discussion topics include:
    • Short-term Unix, Linux, Mac password challenges
    • Long-term password compliance
    • A safe and controlled path to eliminating NIS
    • Two-factor authentication solutions
    • Unix root delegation and auditing
    • Access control of Unix information housed in AD
    Don’t miss this opportunity to meet Quest experts and ask them your toughest identity and access management questions, as well as share tips and best practices with other local business leaders.

    Saturday, August 28, 2010

    Location services pose huge security risks

    Interesting article in USA Today regarding this topic. What interested me about the article was the two real-life stories it included:
    Sylvia was dining out with a friend. The restaurant manager interrupted her dinner to tell her she had a phone call. It was from a complete stranger who tracked her online. He had described her to the manager.
    Louise was at a bar with colleagues. A stranger began talking to her. He knew a lot about her personal interests. Then, he pulled out his phone and showed her a photo. It was a picture of Louise that he found online.
    Both of these stories are true. And they're very unnerving. There is also a common thread. The women were tracked by something known as "geotagging."
    Kim Cameron and others have been blogging about the privacy of location information – especially in light of the revelations about the Google Street View service. This article brings down to earth exactly what the abuse of this information can lead to.


    Monday, August 09, 2010

    Is IAM relevant to the Business?

    This is a really important question. And by business I mean your business, your employer. Or is IAM simply something that makes the IT administrator’s and auditors' lives easier? This question will be addressed at this fall’s Gartner Identity & Access Management Summit 2010, November 15 – 17, in San Diego. I’ve cut and pasted a couple of questions and answers from Ray Wagner’s discussion on key trends in IAM – emphasis is mine. I’m willing to bet many organizations are still at the lowest level of maturity. You may have automated some processes, but are you relevant to the business?

    Q: The theme of this year’s conference—Transforming IAM: The New Business Intelligence Connection—is something of a departure. Why?
    RW: Maturity is beginning to happen for many organizations. Now it’s time to talk about the next step. Once you have a set of well-documented processes and a mature infrastructure in place, you can begin to look at ways to utilize that infrastructure to generate more value for the organization. IAM and business intelligence are closely linked. What can an organization do with the output of its IAM systems? The reporting and intelligence that go along with providing access and control to individuals can be extremely useful in making business decisions.
    We’ll also cover the foundations of IAM, technologies, current trends and the IAM marketplace at the conference, because there’s still a long way to go for most organizations to attain maturity. We’ll look at how to create the IAM program, including governance, project management, architecture and technologies, and do workshops to assess where you are in the maturity cycle. But we’ll also take a close look at what a modern and mature IAM infrastructure can bring to the business beyond the obvious.

    Q: What changes need to be made to start leveraging IAM for business intelligence?
    RW: Organizations don’t need to make big changes, given that they are cognizant of the IAM maturity cycle and their place in it. They need to reach a medium to high level of maturity. At that point, you can start using IAM to drive business intelligence, and that’s where things get interesting. However, maturity is something all organizations need to work on. At the lowest level, you may not have an identity team and your processes may still be completely ad hoc. If so, you’ll benefit from formalizing your IAM processes and then looking at ways to streamline them, in particular at technologies that will give you more insight into your IAM operations and what they mean for the business. Only at that point can you get the benefits we’re talking about with BI.
    Not everyone is ready to start doing BI with IAM today. However, there’s no question that a mature IAM program can contribute to BI and business initiatives in a positive way. It’s time to start thinking about it and getting ready for it.

    Friday, August 06, 2010

    Tax collector accessed private files for gain

    This story, from the Vancouver Sun, goes to show you that we don't do enough to protect our computer files and systems. Just because you have authenticated to a computer doesn't mean you are authorized to poke around the file system. In this particular case, it's clear that the Canadian federal agency - the equivalent of the IRS - doesn't have proper software controls in place otherwise they would have caught this thief earlier.

    What's even more worrisome to me is that the thief's name hasn't been released nor has a criminal investigation been kicked off.

    Tax collector accessed private files for gain

    Tuesday, August 03, 2010

    Quest Software Introduces the Next Generation of Active Directory Bridge Technology

    We officially announced the 4.0 release of Quest Authentication Services today:

    Quest Software, Inc. (Nasdaq: QSFT) introduces the next generation of Active Directory Bridge Technology with the newest version of Quest Authentication Services. This patented technology allows Unix, Linux, and Mac systems to act as full citizens within Active Directory by enabling administrators to extend the authentication, authorization and administration infrastructure of Active Directory to the rest of the enterprise.
    New benefits of Quest Authentication Services include:

    Auditing and Alerting
    • Enables administrators to audit, report and alert on users who make changes to critical Unix data stored in Active Directory
    • Gives full visibility and change alerting into who made changes, to what, when, where, and even why
    One-time Password Authentication
    • Provides an additional layer of out-of-the-box security requiring Active Directory users to use a one-time password to authenticate to any and all Quest Authentication Services-supported Unix systems
    • Integrations include two-factor group policy support, and hardware and software tokens
    Web Console
    • Ties identity related tasks together for a centralized point of identity management for Unix that can be run from any Unix, Linux, Windows, or Mac platform, and any of the most common browsers
    • Provides administrators with simplified deployments, expands management to local Unix users and groups, and offers granular reports on key data and attributes with easy-to-use access over many of the deeper functions only available through Authentication Services
    Advanced Group Policy Management
    • Provides macro support, which enables a single GPO to be re-used across multiple Unix systems
    • Offers additional Mac OS X Group Policy support
    Enhanced Privileged Account Management
    • Provides control over security initiatives to determine which users can access which system, and what elevated rights they have in Unix systems
    If you're interested in taking a look at QAS 4.0 you can download your trial version here:


    Monday, August 02, 2010

    Deploying QAS remotely – no more sneaker net!


    One of the things that QAS customers will appreciate in the new Quest Identity Manager for Unix console is that QIMU can be used to deploy the QAS agent on a *nix box remotely. No more need to script, visit or otherwise figure out how to deploy the agent. In addition to remotely installing the agent, you also have the ability to check the Active Directory readiness of the targeted machine. This really simplifies the installation of the agent by double-checking all of the settings on that remote host to ensure that QAS can be successfully deployed and started.

    I’ve already heard from a number of customers who have used QIMU to deploy, test and put QAS into production all without technical help from a consultant!

    Friday, July 30, 2010

    CA takes cloud to new levels of fluffiness!

    This caught my eye today: CA announced that they are executing on their cloud strategy with IAM to and from the cloud. So I decided to look through their press release and associated white papers and was both underwhelmed and amazed with the new height of cloud fluffiness that has been achieved. I would like to award their public relations team and external PR agency medals and trophies on the great, fluffy job they did. Was it done because you had to announce something at the Catalyst conference?
    Today’s announcement includes the availability of new CA Identity Manager capabilities that extend identity management to cloud applications; it highlights how a customer has leveraged the CA SiteMinder portfolio to control access to its SaaS applications; and it features how CA Technologies is providing IAM as a service from the cloud.
    What are these new capabilities, I asked? I started trolling around the website and looking at various documents, searching on the word “cloud”. What I came up with was that CA supports provisioning connectors to Salesforce.com. You can watch a demo of this incredible fluffiness here: http://www.ca.com/media/datacenter-of-the-future/secure1.swf

    So, CA can provision to Salesforce.com. Congratulations guys! Job well done!! Is there any value add above provisioning and de-provisioning? Something that would actually be more than just adding or deleting users? Anything? Anything?

    With a flashback to the famous “Bueller? Bueller? Bueller?” scene in Ferris Bueller’s Day Off I recorded this…

    Thursday, July 29, 2010

    Simplifying Unix User Management and Lifecycle

    You can tell when I get super busy with my day job as my blog posts slow down. In fact, I’ve been so busy and traveling so much that I had to miss the Cloud Identity Summit last week – which I really wanted to attend – and I skipped The Burton Group Catalyst conference this week. However, I did get a picture of our Catalyst hospitality suite sent to me. It was Sinatra themed – check it out:

    Earlier this week Quest announced the release of Quest Unix Identity Manager. This is a new product for us and congratulations to the team that worked on QIMU. They really did a tremendous job. QIMU is a Java-based application that works from any browser and enables a Unix administrator to discover Unix servers and manage the user (/etc/passwd) and group (/etc/group) files on all the discovered machines. The best part is that QIMU is free. You can download it from http://www.freeunixiam.com or any of the popular shareware or freeware sites that are available on the internet. QIMU is also the new administration console for Quest Authentication Services 4.0. The only difference is with QAS 4.0 there are additional screens or functions that are enabled.
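    Since the post describes QIMU as a manager of the /etc/passwd and /etc/group files, here is an added example (not QIMU's code) of what a tool that reads those files has to parse, and the basic sanity checks an administrator wants run before trusting them: extra UID 0 accounts, empty password fields, duplicate UIDs and group members that do not exist. The file contents below are constructed and do not come from any real host.

```python
"""Parser and sanity checks for /etc/passwd and /etc/group.

Added example, not QIMU code. Field layouts follow passwd(5) and group(5);
the sample file contents are constructed.
"""
from collections import Counter

# Constructed sample /etc/passwd (seven colon-separated fields per line).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
svc:!:1002:1002:service account:/var/svc:/bin/false
carol::1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed sample /etc/group (four colon-separated fields per line).
GROUP = """\
root:x:0:
wheel:x:10:alice,toor
users:x:100:alice,bob,carol
deploy:x:1005:bob,dave
"""


def _records(text, nfields, label):
    """Yield split lines with exactly nfields fields, skipping blanks/comments."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"{label} line {lineno}: expected {nfields} fields, got {len(fields)}")
        yield fields


def parse_passwd(text):
    """Return one dict per passwd entry: name, password, uid, gid, gecos, home, shell."""
    return [{"name": n, "password": pw, "uid": int(uid), "gid": int(gid),
             "gecos": gecos, "home": home, "shell": shell}
            for n, pw, uid, gid, gecos, home, shell in _records(text, 7, "passwd")]


def parse_group(text):
    """Return one dict per group entry: name, password, gid, members (list)."""
    return [{"name": n, "password": pw, "gid": int(gid),
             "members": [m for m in members.split(",") if m]}
            for n, pw, gid, members in _records(text, 4, "group")]


def audit(passwd_text, group_text):
    """Return a sorted list of findings an administrator should review."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    known = {u["name"] for u in users}
    findings = []
    for u in users:
        # Any UID 0 account is root under another name.
        if u["uid"] == 0 and u["name"] != "root":
            findings.append(f"uid 0 account other than root: {u['name']}")
        # An empty password field permits login with no password at all.
        if u["password"] == "":
            findings.append(f"empty password field: {u['name']}")
    # Two names on one UID are indistinguishable to the kernel and to audit logs.
    for uid, count in Counter(u["uid"] for u in users).items():
        if count > 1:
            findings.append(f"uid {uid} shared by {count} accounts")
    # Members that no longer exist in passwd are stale or mistyped entries.
    for g in groups:
        for m in g["members"]:
            if m not in known:
                findings.append(f"group {g['name']} lists unknown member {m}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(PASSWD, GROUP):
        print(finding)
```

    To run it against a live host, read the two files into the strings instead of using the constructed samples; on systems with shadow passwords the password field in /etc/passwd will normally be "x", so the empty-field check is the one that matters there.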

    So whether you use QIMU just for Unix user lifecycle management – for free – or to help manage your Active Directory integrated users via QAS 4.0 I hope you find QIMU useful.

    Let me know what you think of QIMU!

    Thursday, July 22, 2010

    What are good security questions for resetting your password?

    I picked up on this website from commentary on another blog and thought I would pass it on. I have had customers ask me this same question on numerous occasions when they are employing some sort of a self-service password reset product like Quest Password Manager, for example. The site is appropriately named: Good Security Questions. I like their approach to the problem of what a good security question is:
    Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
    However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
    So what is a good security question? Here’s their definition:
    Good security questions have four common characteristics. The answer to a good security question:
    1. cannot be easily guessed or researched (safe),
    2. doesn't change over time (stable),
    3. is memorable,
    4. is definitive or simple.
    An example of a good versus a not so good question would be “What was the name of the school you attended for Grade 6” versus “What was your high school name.” In this case, it’s a bit harder to research what school you attended in Grade 6 versus your high school which can easily be found on Facebook, Classmates.com or a number of other places.

    This is an informative web site that can help you to determine what self-service password reset questions are the best for your organization. If you have or are planning on implementing a self-service password reset product I strongly recommend spending some time on the Good Security Questions website. It’s well worth it.

    Tuesday, July 20, 2010

    Choosing the Right Strong Authentication Option for Your Scenario

    This webcast is happening today so if you can attend...

    Webcast: Finding the Right Strong Authentication Option for Your Scenario
    Date:  Tuesday, July 20 11:00 a.m. EDT / 8:00 a.m. PDT

    Strong authentication doesn't have to be very expensive, difficult to implement and hard to sell to users. That's because there's been an explosion in imaginative and exciting options, as well as convergence on important interoperability standards.

    In this informative live webcast, Randy Franklin Smith will describe the wide variety of strong authentication options available today, and provide you with a detailed approach to help you zero in on the best choice for your organization.

    Register today

    Monday, July 19, 2010

    Authentication crack could affect millions

    A friend of mine brought this article to my attention a few days ago…
    Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries -- including those used by software that implements the OAuth and OpenID standards -- that are used to check passwords and user names when people log into websites. OAuth and OpenID authentication are accepted by popular Web sites such as Twitter and Digg.
    The researchers are going to disclose their results at the upcoming Black Hat conference in Las Vegas. Since both OAuth and OpenID are in use by major providers and potentially by cloud services, it will be interesting to see how much of a stir their work causes.
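    The excerpt does not say what the flaw is; the Black Hat 2010 talk by Lawson and Nelson concerned timing side channels in code that compared an HMAC signature or token byte by byte and returned at the first mismatch. The added example below (my own, not the researchers' or any library's code) puts that early-exit pattern next to the constant-time comparison Python provides, and counts comparisons so the leak can be seen without a stopwatch. The key and message are constructed.

```python
"""Early-exit versus constant-time comparison of an HMAC signature.

Added example. The early-exit loop is the pattern behind the timing flaw
Lawson and Nelson reported; hmac.compare_digest is the fix. Key and
message are constructed sample values.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"
MESSAGE = b"GET /resource?user=alice"


def sign(key, message):
    """Hex HMAC-SHA256 over the request, as both client and server compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_early_exit(expected, provided):
    """The flawed pattern: stops at the first differing character, so the
    elapsed time grows with the length of the correct prefix."""
    if len(expected) != len(provided):
        return False
    for a, b in zip(expected, provided):
        if a != b:
            return False
    return True


def count_compared(expected, provided):
    """How many characters the early-exit loop inspects before returning.
    This is the quantity an observer sees indirectly as response time;
    for a correct signature it is the full length."""
    if len(expected) != len(provided):
        return 0
    n = 0
    for a, b in zip(expected, provided):
        n += 1
        if a != b:
            break
    return n


def verify_constant_time(expected, provided):
    """Hardened form: compare_digest inspects every character regardless of
    where a mismatch occurs, so timing does not depend on the prefix."""
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    sig = sign(KEY, MESSAGE)
    bad = ("0" if sig[0] != "0" else "1") + sig[1:]
    print("genuine:", verify_early_exit(sig, sig), verify_constant_time(sig, sig),
          "chars inspected by early-exit:", count_compared(sig, sig))
    print("forged: ", verify_early_exit(sig, bad), verify_constant_time(sig, bad),
          "chars inspected by early-exit:", count_compared(sig, bad))
```

    Both verifiers return the same booleans; the difference is that the early-exit version does an amount of work that reveals how close a candidate was, which is what a verifier of secrets must never do.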

    Friday, July 16, 2010

    IAM exam results so far: 9%

    I just finished a customer tour in Calgary, Canada. I met three customers a day for three days. All significant customers. Of those 9 customers here’s what they were using for identity management in their environment:
    • Sun’s Identity Manager: 6 customers
    • Novell DirXML: 2 customers
    • Novell Identity Manager: 1 customer
    The customers who were using Novell DirXML were looking to migrate to something else. Yes, they were using Novell DirXML – not Novell Identity Manager. The customer who was running Novell Identity Manager was quite happy with it and planned to continue to use it. The DirXML customers were migrating because they were migrating from Novell anyway. All the customers who were using Sun’s identity manager were unhappy and either had thrown out Sun or were in the process of finding an alternative. None of the Sun customers was looking at Oracle.

    What were the common threads across these 8 customers?
    • We never progressed further than the proof-of-concept. We didn’t POC our whole environment and when we tried to expand the POC scope into production we failed. We never saw the ROI we were promised.
    • Every time we needed a change to the product we had to pay far too much.
    • Everything required too much care and feeding to ensure the product was working.
    • We needed specialized talent to keep it running.
    • The consultants treated Active Directory as if it was only an LDAP directory. They did not understand Active Directory.
    • Every time we need to change the structure of Active Directory we had to pay to re-code all of the scripts that were written.
    • I was paying more in maintenance and re-programming the product than the cost of hiring a few people to do it manually. So I hired some staff and threw the product out.
     This was a great illustration to me of how far our little industry segment needs to improve. None of these customers were trying to do anything fancy. They had fancy plans originally but they were failing on basic provisioning or password management and were never able to progress further. It also further reinforced my view that there’s a great opportunity for a solution that doesn’t require a couple of busloads of consultants to get it (and keep it) running. A solution that delivers immediate value. A solution that customers are happy to have. A solution that is my dream…