Sunday, January 31, 2010

Toyota Translated

After the incredible response to my post translating Sun’s IDM roadmap after the Oracle acquisition, I thought I’d follow up with a translation of Toyota’s full-page ad in today’s Seattle Times. I suspect this ad was placed in many other newspapers, so perhaps you saw it too?

“A temporary pause. To put you first.”

Was I the only one who read this and immediately thought:

“Then we’ll return to taking your safety second and your money first.”
“Then we’ll get back to profits first and safety second.”

I can think of a bunch of lines I would have used before the “pause” line like…

“We made a mistake. We’re fixing it. We’re sorry.”

Come on Toyota. You can do better.


Friday, January 29, 2010

Enhancing Security with Attestation – and Accountability

My colleague Bob Bobel recently had a question and answer session with James Powell over at the Enterprise Systems Journal. I’ve cut-and-pasted one question and answer below. The whole article is worth reading.

One thing the article doesn’t touch on is how important executive sponsorship and oversight are to attestation. Attestation is useless unless the metrics around it are tracked and clearly visible within the business. I might faithfully review my attestation reports every quarter, but it doesn’t really help if other business owners in the organization don’t. Attestation for attestation’s sake is bound to fail, but attestation as a job, business or company performance indicator has a much greater chance of success.

A great example is Quest’s own corporate policies and how we are each required to attest to the fact that we have read the policies on an annual basis. If you don’t, your manager and our CEO know you haven’t and they let you know you haven’t. Attestation goes hand-in-hand with accountability.
Q: How does attestation help sustain compliance through access accountability?
A: Good attestation software will enable IT to answer an auditor's questions about why access decisions were made to the data owner who made the decisions. By allowing IT to refer the auditor to the accountable person the burden of compliance is placed on the data owner where it should be. Good attestation software will also provide a historical report showing where the data owner granted/revoked access as well as when they completed attestation reviews.

Over time, access will change and periodic attestation reviews are usually conducted. These reviews should be completed quarterly or yearly. This ensures the business treats security and compliance as ongoing requirements rather than one-time events resulting in better security and sustained compliance.
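To make the two points above concrete (the auditor’s "who decided, why, and when was it last reviewed?" question, and attestation as a per-owner performance indicator), here is an added example of the record-keeping an attestation ledger needs. It is illustration written for this page, not Quest or ActiveRoles code; the users, shares, owners, dates and the 90-day review period are all constructed and hypothetical.

```python
"""Attestation ledger: answer an auditor's "who approved this access, why,
and when was it last reviewed?" and roll the answer up into a per-owner KPI.
Added illustration, not Quest code; every record below is constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Grant:
    principal: str   # who holds the access
    resource: str    # what they can reach
    owner: str       # data owner accountable for the decision
    granted: date
    reason: str      # business justification recorded when access was granted


@dataclass(frozen=True)
class Review:
    owner: str       # who attested (should be the grant's owner)
    principal: str
    resource: str
    reviewed: date
    decision: str    # "keep" or "revoke"


def last_review(grant, reviews):
    """Most recent attestation of this grant by its accountable owner, or None."""
    key = (grant.owner, grant.principal, grant.resource)
    matching = [r for r in reviews if (r.owner, r.principal, r.resource) == key]
    return max(matching, key=lambda r: r.reviewed) if matching else None


def grant_status(grant, reviews, as_of, period_days=90):
    """The auditor's answer for one grant: accountable owner, justification,
    last review date, and whether the periodic review is overdue.
    The review clock starts at the last attestation, or at the grant date if
    the owner has never attested it."""
    rev = last_review(grant, reviews)
    active = not (rev and rev.decision == "revoke")
    baseline = rev.reviewed if rev else grant.granted
    overdue = active and (as_of - baseline).days > period_days
    return {
        "principal": grant.principal,
        "resource": grant.resource,
        "owner": grant.owner,
        "reason": grant.reason,
        "last_reviewed": rev.reviewed if rev else None,
        "active": active,
        "overdue": overdue,
    }


def owner_scorecard(grants, reviews, as_of, period_days=90):
    """Per-owner KPI: active grants, grants overdue for attestation, and the
    ratio. This is the number executive oversight should be looking at."""
    card = defaultdict(lambda: {"active": 0, "overdue": 0})
    for g in grants:
        s = grant_status(g, reviews, as_of, period_days)
        if not s["active"]:
            continue
        card[g.owner]["active"] += 1
        card[g.owner]["overdue"] += int(s["overdue"])
    for c in card.values():
        c["overdue_ratio"] = round(c["overdue"] / c["active"], 2)
    return dict(card)


# Constructed sample data: hypothetical users, shares, owners and dates.
GRANTS = [
    Grant("alice", r"\\fs1\Finance", "carol", date(2009, 3, 1), "FP&A analyst"),
    Grant("bob",   r"\\fs1\Finance", "carol", date(2009, 9, 15), "Temporary audit support"),
    Grant("dave",  r"\\fs1\HR",      "erin",  date(2008, 6, 1), "HR generalist"),
    Grant("frank", r"\\fs1\HR",      "erin",  date(2009, 12, 1), "Payroll contractor"),
]
REVIEWS = [
    Review("carol", "alice", r"\\fs1\Finance", date(2009, 12, 20), "keep"),
    Review("carol", "bob",   r"\\fs1\Finance", date(2009, 12, 20), "revoke"),
    Review("erin",  "dave",  r"\\fs1\HR",      date(2009, 6, 30),  "keep"),
]
AS_OF = date(2010, 1, 29)

if __name__ == "__main__":
    for g in GRANTS:
        print(grant_status(g, REVIEWS, AS_OF))
    print(owner_scorecard(GRANTS, REVIEWS, AS_OF))
```

Two design points worth noting. Revoked grants drop out of the scorecard rather than counting as "reviewed", so an owner cannot improve their ratio by attesting and then ignoring the result; and a grant that has never been attested is measured from its grant date, so new access cannot hide from the first review cycle. Run with the sample data, erin shows one of two grants overdue (dave’s HR access, last attested in June 2009) while carol is current, which is exactly the kind of per-owner visibility the post argues for.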

Thursday, January 28, 2010

Sun IDM is dead

Sometimes I think I’ve been in this business too long, or that perhaps where I got my marketing & PR training (Microsoft) leads me to view things differently – maybe even incorrectly. I read Nishant Kaushik’s post today on the Sun acquisition by Oracle, which you can read here. Here’s what I read in Nishant’s post (below), each statement followed by “=” and my translation. I’m not trying to offend Nishant by any means. I just read these things “differently”.

Oracle Identity Management Suite continues as the strategic family of products, but Oracle will continue to invest in and share technology between Sun and Oracle products = We (Oracle) won. We (Oracle) are the strategic choice. In order not to cause panic we’re going to say that we’re going to continue to invest in the Sun product line. If you were an employee your new title would be “Director, Special Projects”.

Both Oracle Internet Directory (OID) and Sun Directory Server will be supported, with common LDAP administration through our DS Management tools. Oracle will continue to maintain OpenDS. = The maintenance stream on the Sun Directory Server is too huge to disrupt. We’ll integrate the management but we aren’t going to sell the Sun Directory Server anymore. We will continue to bill current customers.

Sun Role Manager will become Oracle Identity Analytics, the strategic identity analytics tool = This is really a good product. We’re going to keep it. It doesn’t overlap any of our other goo. Plus, we really had to give at least one consolation prize to the community (e.g., customers, analysts) and this is it.

Oracle Identity Manager, Oracle Access Manager, Oracle Virtual Directory, Oracle Entitlements Server and Oracle Identity Federation continue as Oracle’s strategic products for their respective areas, with technology incorporated from Sun = All the Sun products that overlap are dead.

Oracle will invest in Sun Identity Manager and integrate it with Oracle Identity Manager = Sun Identity Manager is dead. If there’s any good stuff in it we’ll stick it in OIM.

Oracle will also invest in Sun OpenSSO and integrate it with OAM = This is a good product but Oracle is here to make money – this won’t continue to be free.

In a year or two we’ll all have to re-group and see what really happened. Time will tell.

Wednesday, January 27, 2010

Virtual less secure than physical?

Robert Grapes over at Cloakware wrote an interesting article that caught my attention with this claim:
Analysts predict that in the rush to reap the benefits of deploying virtual systems and applications, more than 60 percent of virtual machines deployed will be less secure than their physical counterparts.
I wonder if some people think that simply running a virtual machine on a physical box that is protected appropriately means that all the virtual machines are equally protected? If only that were true. Robert’s work centers on privileged identity management, or how to manage privileged identities (i.e., Unix’s root or Active Directory’s domain administrators) in a sea of unprivileged identities. In this article Robert gives great perspective on this important aspect of identity management in a virtualized environment. He also raises a good question about security systems needing to scale as readily as the virtual environment they protect – a great point.

If you get a moment read his article.

Tuesday, January 26, 2010

Group Policy Preferences Overview

I happened across Darren Mar-Elia’s white paper on this topic the other day. It’s a great introduction to Group Policy Preferences (GPP). From the GPP white paper’s overview:
The Group Policy Preferences (GPP) feature was first made available at the release of Windows Server 2008. GPP is a technology that Microsoft acquired when they purchased DesktopStandard and was referred to as PolicyMaker. Essentially, GPP is a set of client-side extensions and a management interface that adds to the policy capabilities that were previously available from Windows. The name “Preferences” underscores the fact that all of these new policy capabilities added by GPP are just that—preferences rather than policies that cannot be undone by an end-user. That being said, they do allow for a wide variety of additional configuration capability through Group Policy that previously had required complex logon scripts to automate.
What I like about GPP is that it helps eliminate logon scripts and includes what is described as "item-level targeting", which lets you set very granular filters on individual preference items within a Group Policy object. This gives you finer control to target preferences at, for example, particular laptops. Group Policy and Group Policy Preferences are two of the most important things that distinguish Active Directory from being just another directory service. If you're not familiar with GPP, please read Darren's white paper. I'm hoping he updates it to include any changes in Windows 7 and Windows Server 2008 R2 that we all should know about.

Sunday, January 24, 2010

Achieve Access Accountability with ActiveRoles Server 6.5

This is the title of an upcoming webcast on Wednesday of this week. A bit more context:
Manually managing access to applications and data resources can be time-consuming and error-prone. Learn how ActiveRoles Server uses automation to help you control access to sensitive data and applications during a live demo. During this eye-opening presentation you will see how ActiveRoles Server reduces provisioning time, provides push-button data reporting and ensures that users get exactly the access they need to do their jobs – nothing more, nothing less.
Interested in attending? Follow this link: Live Webcast: Achieve Access Accountability with ActiveRoles Server 6.5

Friday, January 22, 2010

Even my dentist is driven by regulatory compliance

I endured my annual checkup at the dentist yesterday. The first thing they did was take new X-rays of my teeth while proudly stating they had switched from regular film to digital film for the X-rays. I asked why and the young lady recited the following features to me:
  • Digital X-rays need about two-thirds less power than regular film (I thought this feature was a good benefit for me!)
  • The images are more detailed
  • The software that comes with the digital imaging system can help the dentist better diagnose problems
I thought these were all good reasons, but I was still really interested in why the dentist spent the money to do this. After all, I was getting great treatment with regular film X-rays last year. Why did the dentist spend the money to go digital? She said “You’d better ask him”, just as he appeared, so I did. “Doc, why did you spend this money in this economic climate when I suspect that no one wants to spend money?” His response was that he didn’t want to spend the money at all, but new Washington State laws governing the use of X-ray machines and how X-rays are developed meant he had to upgrade his equipment for an obsolete (film) technology anyway. The cost of that upgrade was about a third of the cost of switching to digital, so he decided to switch to digital.

I thought maybe the dentist was rolling in money and just wanted to upgrade but that wasn’t the case. He didn’t want to spend his money but he had to for regulatory compliance. The features above just came as part of the deal. In fact, he would have spent the money even if he didn’t get the features above.

So the moral of the story to me is that regulatory compliance drives even my dentist – not just IT – to spend money. From a marketing perspective, having good features like those listed above wouldn’t have been enough to get the dentist to spend his money but by connecting these features to regulatory compliance the manufacturer got their sale and I got the benefit of less radiation.

Thursday, January 21, 2010

Active Directory Scalability

For those doubting Thomases who question Active Directory’s near-infinite scalability, there’s a white paper you can read on this topic. Ever wondered what the maximum number of objects that can be stored in AD is? Read the white paper to find out that the answer is about 2.15 billion objects (that’s 2^31 minus 255, by the way). Or that the maximum number of SIDs is 2^30, or about 1 billion. There’s a lot of good information in this paper on the maximum number of group memberships for security principals, the maximum number of Group Policy objects applied, etc. You get what I mean.

So if you need this type of data or run into someone who still is doubtful of Active Directory’s incredible powers point them to this white paper.


Wednesday, January 20, 2010

Shared password mistake affects 1.2 million people!

Wow, how could a financial firm make this mistake? A shared password being “passed around” for up to 10 years? Read the story here.
A Concord, New Hampshire, financial services company is sending data breach notification letters to customers after discovering that shared passwords, set up to simplify administrative functions nearly 10 years ago, could have exposed the private data of 1.2 million customers. Lincoln National began notifying customers of the problem last week, according to a letter (pdf) posted to the New Hampshire Department of Justice's Web site. According to the letter, the company learned of the issue on Aug. 17, after a federal regulator was tipped off by an unnamed source. The Financial Industry Regulatory Authority was given a username and password combination that let anyone access Lincoln's portfolio information system.
It goes to show you that basic computer access reporting, automated password policies and expirations, provisioning and de-provisioning, and strong authentication cannot be taken for granted at any company – including Lincoln National.

Now, imagine that shared password being used to access a federated application and the damage that might have done. You shouldn’t wonder why some companies are so concerned about their own internal security and trust of their identities let alone how a trusted identity could be used in a federated setting. As long as IT is seen as a “cost” or a “burden” these types of things are going to continue to happen.

I sure hope that some IT guy at Lincoln National said: “If only you would have bought – insert software name here – so we could have prevented this!”

Tuesday, January 19, 2010

Microsoft loses their Dick

Dick Hardt has left Microsoft. He joined Microsoft in early December 2008, having been the CEO of Sxip Identity. Dick joined Microsoft shortly after another identity guru – Stefan Brands – came over with Microsoft’s acquisition of Montreal-based Credentica. Funny tidbit: Dick and Stefan joined fellow Canadian Kim Cameron to work on identity at Microsoft. Were the Canadians taking over?
I was taken aback yesterday when I saw the announcement – by Dick – that he had left Microsoft after one year.
Yesterday was my last day at Microsoft. I worked there a year. When I reflect on 2009, I think of it as the Year of Darkness. I only wrote a couple blog posts. I was inactive in the OpenID community. I did not talk to press or analysts. I gave no public presentations.
I have to say I wasn't shocked. Dick had made significant waves in the community before he joined Microsoft. His “infamous” Identity 2.0 presentation is nearly legendary. If you haven’t seen it you must watch it. I can only imagine how difficult it was for someone who spent lots of time talking to customers, the public, press and analysts to spending no time doing this. I also know how difficult it is to go from a very small company to a company of what, 85,000 employees?

So I’m willing to bet we see more Dick in 2010.

Friday, January 15, 2010

Quest’s One-time Password Solution wins awards!

SC Magazine has awarded us 5 stars for our one-time password solution (Quest Defender) and has also made Defender an "SC Recommended product". This is a great achievement for Quest, especially since SC Magazine cites some of the key things we added to Defender over the last 18 months to make it more attractive to customers, such as:
  • Full-featured token integration (hard tokens, soft tokens, SMS and Grid)
  • Allowing users with expired Microsoft Active Directory passwords to reset them after a one-time password (OTP) authentication
Of course, tripling the revenues of this product in 2009 was a pretty strong endorsement of both what we are doing with the product and the fact that companies are looking for strong alternatives to the industry leader. We have lots more in store for Defender in 2010 and 2011.

Thursday, January 14, 2010

Is Azure priced too high?

A colleague at the office mentioned that over the holidays he helped build a custom application for a small business in his town, and they made a startling discovery about Azure versus Google pricing. I tracked down a blog post by Danny Tuppeny where this is discussed in more detail:
As a .NET developer, I was quite excited to hear about Windows Azure. It sounded like a less painful version of Amazon's EC2, supporting .NET (less painful in terms of server management!). When I saw the pricing, it didn't look too bad either. That was, until I realized that their "compute hour" referred to an hour of your app running, not an hour of actual CPU time. Wow. This changes things. To keep a single web role running, you're looking at $0.12/hour = $2.88/day = $20.16/week = $86.40/month. Anyone that's bought hosting for a small site/app recently will know that this is not particularly cheap!
I also tracked down the Azure pricing at Microsoft's web site and it pretty much confirms the above. You can find Google’s pricing here if you’d like to compare.
Compute time, measured in service hours: Windows Azure compute hours are charged only for when your application is deployed. When developing and testing your application, developers will want to remove the compute instances that are not being used to minimize compute hour billing. Partial compute hours are billed as full hours.
Google charges per CPU hour rather than per clock hour. As we probably all know, most applications use very little CPU. Sure, a database or analytics product will consume plenty, but most middle-of-the-road applications don’t, especially ones used by smaller businesses. In a lot of ways I agree with my colleague and the blogger cited above that Microsoft’s pricing is out of whack. Should the pricing be competitive? Yes, absolutely. The final point I want to make is based on this quote from Danny:
...and while all programmers will have a preferred language/framework (I'm no exception), many can be swayed by a cool framework or hosting.
If I were Microsoft this is what I’d be worried about: A developer like Mr. Tuppeny who is totally comfortable in .NET who has been converted by this pricing to working in Python with the Google App Engine. Microsoft knows how much “owning” the developer means to their business and this isn’t a great indicator in my opinion. I really do not think that the Azure pricing is geared towards smaller businesses and that’s a problem.

Wednesday, January 13, 2010

Looking for a new challenge?

A partner of ours has asked me to help them find someone for an identity management position that they have open. Further information is below and if you're interested please send me an e-mail and I'll get you hooked up with them.

Title:   Sales Engineer & Delivery Manager (hybrid role)
Industry:  Professional Services
Vertical:  Security, Identity and Access Management
Location / Territory:  Tri-State (NY, CT, PA, NJ)

Sales Engineer/DM primary responsibilities for the role:
Professional Services business development, technical sales lead and delivery oversight in the tri-state region. Candidate will work closely with the VP of Sales to further develop the Logic Trends footprint, working closely with a distributed team of specialists (technology and project), and will be partnered with a dedicated sales person in mid-2010. Must be a self-starter; existing client relationships are a plus. Tri-state quota of approximately $3 million in billed business (multiple customers already exist in the region). Candidate will be required to interface with prospects and clients on a technical, business, and project delivery level.

Experience / Skills:
  • BA/BS Degree in Business Administration, Computer Science, Engineering, Accounting or Information Systems
  • Strong oral and written communications skills
  • Project Management certification a plus
  • IAM Technical sales experience and knowledge (AM, IdM, Recert., SSO, DLM, DRM, etc)… including solution demonstration
  • Professional Services delivery experience (i.e. delivery manager)
  • Strong potential for growth and acceptance of additional responsibilities
  • Ability to take a broad view of his/her position and take initiative to communicate, interact and cooperate with others
  • Demonstrated ability to write proposals and to participate in presentations
  • Open to travel requirements
  • Ability to work as a member of a team and independently
  • Familiarity with IdM offering and messages of key vendors: Microsoft, Oracle, Sun, CA, Courion, etc.
  • Prior Big 4 or leading system integrator experience
  • Base Salary...  TBD
  • OTE, total compensation... TBD
  • 401k... matching up to 5%
  • Health, Dental, etc
  • Paid Time Off

Tuesday, January 12, 2010

Security in the Swamp

I just read a great article published by MIT called “Security in the Ether”. You really should read it, too. This five-page article has a lot of great information in it. As for the “what’s in this for me” reason to read it, I was immediately captivated by this comment:
When thousands of different clients use the same hardware at large scale, which is the key to the efficiency that cloud computing provides, any breakdowns or hacks could prove devastating to many.
This means security is key. One breach and instead of a company being affected you have the potential for multiple companies to be affected. I remember a marketing focus group I did about federation a few years ago and one CIO said to me: “Are you kidding? I can’t trust my own end-users and their passwords when they access my systems let alone a federated system.” The cloud is simply going to magnify these problems – security or otherwise.

Monday, January 11, 2010

Common Criteria = Common Crock

The Common Criteria certification is a crock, in my opinion. Same goes for FIPS and many other software certifications. I completely agree with Bruce Schneier's comment that "no one really understands what a certification means". (You can follow the original post and the ensuing debate here.)

These certifications are extremely costly. The ones I have been involved in end up exceeding $100,000 and the certification is valid only for that particular version. In this day and age most software companies are releasing new software versions every 6-8 months. I can't afford to re-certify for every major and minor release.

One of the benefits to software companies was that government agencies were supposedly required to only purchase Common Criteria or FIPS certified products. Guess what? They don't. They get around those requirements pretty easily with all kinds of excuses. So, why should a software company bother?

Sunday, January 10, 2010

Hello, Steve Riley!

Awesome to see the preeminent Steve Riley, ex-Microsoft security guru, over at Amazon working in the Amazon Web Services evangelism team.

Definitely a blog I will follow for Steve's insights into Federation, AWS, ADFS, etc. You should too!

In reference to: Amazon Web Services Blog: Hello, world!


Friday, January 08, 2010

The (Craig) Burton Group

I owe a debt of gratitude to Craig Burton who founded The Burton Group. I really should say "we" owe a debt of gratitude to Craig because if it wasn't for Craig I'm not sure we'd be where we are today. The "we" is my old company Zoomit and all of my colleagues there, including Kim Cameron. I think I could even say the "we" is identity today because it's pretty hard to imagine being where we are today without Kim's contributions. (Kim is the chief architect of identity at Microsoft)

When we first developed Zoomit VIA - the world's first metadirectory product - Craig was especially influential, but there was one decision he made for us that changed our direction forever. We first developed Zoomit VIA on Novell's UnixWare platform back in the late 1990s. However, not long after we finished development, Novell sold off their UnixWare platform. We had sold Zoomit VIA to three customers before Novell made their announcement. While we were considering which Unix platform to move Zoomit VIA to next, Craig simply stated: "The future is Windows. You need to move to the Microsoft platform." This was no easy decision back in 1998. And, as they say, "the rest is history". Thanks for that one, Craig.

So in many ways I agree with Craig's recent blog post. I'll be sorry to see The (Craig) Burton Group disappear. Craig, lots of people owe you thanks for your vision and efforts!


Wednesday, January 06, 2010

The rising claims tide

Felix Gaehtgens over at Kuppinger Cole blogged about a new webinar series he is hosting on claims. Claims technology is rising in importance as more and more developers and companies start to externalize - or liberate - authentication and authorization from their applications. If you aren't familiar with claims then I would suggest checking out Felix's webinar series.

I briefly laughed while I was reading Felix's description of the first webinar in his series - kicking off on January 14th - which is about Sun's OpenSSO platform. One of the topic areas mentioned is "OpenSSO's proprietary SDK". It was funny to see "open" and "proprietary" in the same sentence.

Despite the laugh, Felix does make a great point. We do need standardization in this area. As Felix states: "Of course I have a side agenda here as well. What I am hoping is that in the end this will promote interoperability – we’re sure that there are some similarities in APIs and services, and hope that vendors will standardise – as users learn more about about these, they’ll put vendors under pressure to standardise their APIs and services."

I completely agree with Felix but I suspect we may see a claims "metadirectory" before we get claims standardized. Some people are going to use "OpenSSO's proprietary SDK" and some people are going to use Microsoft's Geneva and some people are going to use... You get what I mean, right?
In reference to: Webinar series on Claims | Felix Gaehtgens

Tuesday, January 05, 2010

Burton Group acquired by Gartner Inc. for $56M!

Just saw the emails flying around about this and thought I'd get a quick post out about it. Amazing news really. I’ve worked with Jamie Lewis, Dan Blum, Gary Rowe and many of the other Burton team since my days at Zoomit. I have always considered Burton to be the best technical analyst firm and Gartner to be the preeminent analyst firm out there. I think this is a dynamite combination.
Congrats to the Burton team and congrats to my friends at Gartner who are really starting off 2010 with a bang! Here’s the email from Jamie Lewis that I received…
Burton Group Acquired by Gartner, Inc.
A Message from Jamie Lewis, CEO, Burton Group
As we kick off 2010, I’m thrilled to announce that Burton Group has been acquired by Gartner, Inc., the world’s leading information technology research and advisory firm. Given the importance of this news, I want to make sure that all of our clients understand how this acquisition affects them and the services we provide.

The answer is simple: It won’t. 

Gartner acquired us precisely because of what our clients already know to be true: The practical, technically in-depth advice we provide to frontline IT professionals is very different from the strategic services Gartner provides to CIOs and IT leaders. Together, we will offer a complete world-class solution to every level and functional expert within the IT organization.

The majority of our clients currently use Gartner services as well as ours because they see our offerings as highly complementary and best-in-class for the IT roles and functions we both support. Consequently, Gartner will continue to offer IT1 and other Burton Group research services as separate products. 

Gartner will retain almost all our employees, including 100 percent of our research and consulting staff, so clients will continue to receive the same great value they expect from our company. Gartner also intends to continue our simple, enterprise-wide licensing model that our clients have asked us not to change. Finally, Gartner will increase its investment in our products and services, allowing us to expand our coverage scope to areas many of our clients have asked us to support. 

In short, this acquisition will enable us to provide the best, most complete set of IT research and advisory services available. We are excited to be a part of the leading research and advisory firm in our market, and look forward to bringing the benefits of our acquisition to you, our valued clients. 

On behalf of everyone at Burton Group, thank you for your continuing support. I look forward to updating you on our progress over the coming months. As always, feel free to contact me directly or any of us at Burton Group if you have any concerns or comments at +1.800.824.9924 (USA) or +1.801.304.8174 (international or direct dial).

There's also a blog post by Gerry Gebel here and a letter from the CEO of Gartner regarding the acquisition here. According to The Wall Street Journal, Burton was acquired for $56M in cash.

Does Cloud = Claims?

Laura Hunter (Microsoft), Pam Dingle (Ping) and Patrick Harding (Ping) have been talking about synchronizing passwords to the cloud. Laura’s post, "Syncing Passwords to the Cloud: Sign of the Apocalypse?" was kicked off by Patrick’s “Grounding Enterprise Passwords” and Pam’s “Kick Me for Cloud” posts. As Patrick states:
We are hoping that we can convince everyone that pushing Enterprise passwords into the cloud is a bad idea and in our opinion is certainly not a security ‘best practice’

Monday, January 04, 2010

Speaking of PKI, again!

I’ve been meaning to re-post Dmitry’s blog article on a "New enterprise PKI management console."
Certificate management used to be tough. There was not a single tool to manage all aspects of it, and administrators had to launch all of certsrv.msc, certtmpl.msc, certutil.exe, ocsp.msc, pkiview.msc, and so on. We had no bulk operations, had to manage each certificate authority (CA) in a separate MMC snap-in, and so on.
That is now all a thing of the past with the new PowerGUI/PowerShell-based certificate management admin console created by PowerShell MVP Vadims Podāns (here’s an English translation of his blog) and shared for free here. Here’s a very quick summary of some of the features his tool has:
Certificate Authorities management:
CRL Distribution Points (CDP)
Authority Information Access (AIA) settings
Review CRLs
Publish new CRLs
Change CRL publishing periods including overlap settings
Revoked Certificates
Issued Certificates
Pending requests
Failed requests
Issued certificate templates
Revoke/unrevoke certificates
Issue or deny pending requests for certificates
Add/remove certificate templates to issue
Change CRL/CRT/OCSP URL priorities