Tuesday, November 23, 2010

Attachmate/NetIQ’s acquisition of Novell

I just had to comment on Earl Perkins (Gartner) blog entry on this topic:

In the midst of all of this of course is the identity and access management impact. I see challenges for Quest Software ahead, since they often go head-to-head with Attachmate-NetIQ for Microsoft centric administration customers. I see some relief for the “Big Three” in IAM now, CA, IBM Tivoli, and Oracle, now that a spoiler in many ways may be out for a bit during the ‘absorption’ phase of acquisition. I see advantages for smaller and more nimble players such as Courion, as well as obvious beneficiaries like Microsoft. What will be interesting to see in the days ahead is the impact this has on Novell partners: Verizon in cloud security, VMWare in virtualization, SAP in IAM, and Deloitte in IAM consulting and system integration. One would expect Attachmate not to shoot the goose that lays golden eggs, but you never know.
First, I take this as a great compliment. A few short months ago Quest Software would never have been mentioned from the perspective of “identity and access management”. That shows how far we have come with respect to IAM especially in light of the acquisition of Voelcker Informatik and their ActiveEntry product. Second, in a perfect world, I would be more concerned about this but fortunately (or not) this is not a perfect world…

1. NetIQ has virtually disappeared from our radar. Sure, the acquisition of Novell could change that but will it?

2. When we do run into NetIQ it is almost 100% because the customer has decided to migrate off of their product versus being in a competitive situation.

3. There will be 12-36 months of “spinning” while Attachmate/NetIQ/Novell gets their respective acts together.

4. The smart people at Novell have been and are currently looking for seats in the life boats and those life boats do not have “S.S. NetIQ” stenciled across them. In fact, we’re already interviewing lots of top quality sales and product management talent from Novell.

So, to Earl, the “Big Three” and everyone else: Game on! (Yes, and to quote Earl again: “And buckle your seatbelts.”)

Monday, November 22, 2010

What IP has Microsoft purchased from Novell/Attachmate?

Just checked Microsoft's press releases and nothing there (yet) about this $450M purchase!

Novell also announced it has entered into a definitive agreement for the concurrent sale of certain intellectual property assets to CPTN Holdings LLC, a consortium of technology companies organized by Microsoft Corporation, for $450 million in cash, which cash payment is reflected in the merger consideration to be paid by Attachmate Corporation.

Mary-Jo Foley doesn't know what this is either?


Novell acquired by Attachmate!


Novell, Inc. (NASDAQ: NOVL), the leader in intelligent workload management, today announced that it has entered into a definitive merger agreement under which Attachmate Corporation would acquire Novell for $6.10 per share in cash in a transaction valued at approximately $2.2 billion. Attachmate Corporation is owned by an investment group led by Francisco Partners, Golden Gate Capital and Thoma Bravo. Novell also announced it has entered into a definitive agreement for the concurrent sale of certain intellectual property assets to CPTN Holdings LLC, a consortium of technology companies organized by Microsoft Corporation, for $450 million in cash, which cash payment is reflected in the merger consideration to be paid by Attachmate Corporation.

The $6.10 per share consideration represents a premium of 28% to Novell's closing share price on March 2, 2010, the last trading day prior to the public disclosure of Elliott Associates, L.P.'s proposal to acquire all of the outstanding shares of Novell for $5.75 per share and a 9% premium to Novell's closing stock price on November 19, 2010.

"After a thorough review of a broad range of alternatives to enhance stockholder value, our Board of Directors concluded that the best available alternative was the combination of a merger with Attachmate Corporation and a sale of certain intellectual property assets to the consortium," said Ron Hovsepian, president and CEO of Novell. "We are pleased that these transactions appropriately recognize the value of Novell's relationships, technology and solutions, while providing our stockholders with an attractive cash premium for their investment."

Mr. Hovsepian continued, "We also believe the transaction with Attachmate Corporation will deliver important benefits to Novell's customers, partners and employees by providing opportunities for building on Novell's brands, innovation and market leadership."

"We are very excited about this transaction as it greatly complements our existing portfolio," said Jeff Hawn, chairman and CEO of Attachmate Corporation. "Novell has an established record of innovation, impressive technology and brand assets, and a leading ecosystem of partnerships and talented employees. The addition of Novell to our Attachmate and NetIQ businesses will enhance the spectrum of solutions we can offer to customers. We fully support Novell's commitment to its customers and we look forward to continuing to invest for the benefit of Novell's customers and partners."

Attachmate Corporation plans to operate Novell as two business units: Novell and SUSE; and will join them with its other holdings, Attachmate and NetIQ.

Friday, November 19, 2010

The Great Cyberheist–Would proper identity management have helped?

This an excellent New York Times article on how the FBI cracked the biggest ring of hackers who  trafficked in databases of stolen card accounts and devices like magnetic strip-encoders and card-embossers. If you are interested in how this is done or if you have ever had your ATM or credit card re-issued by your bank for security reasons then you may want to read this article. As I read it there were a few places that I thought an effective IAM/IDM strategy would have helped. 

Within 10 minutes we were on their computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators.

Wow, clearly a privileged account management problem that could have been solved via software, smartcard use for administrators or better control of group memberships. 

Scott cracked the Marshalls WiFi network, and he and James started navigating the system: they co-opted log-ins and passwords

Last login date; more effective provisioning and de-provisioning may have helped prevent this. Of course, if Marshalls would have bothered to implement 802.1X security rather than having “open” wireless access points this may never have happened to begin with. 

He was also tired of war driving. He wanted a new challenge. He found one in a promising technique called SQL injection.

I’m not a SQL expert but these guys accessed SQL databases to get their information. Whether they did this with privileged accounts or not is unknown but clearly a file/database security monitoring tool or potentially something that managed privileged accounts (SQL or domain accounts) may have prevented this type of access or at least alerted people to the access issues.

And one last pointer from the article: Beware of people sitting in cars, with laptops and giant antennas!

    Wednesday, November 17, 2010

    Gartner: New Directions in Federation

    by Bob Blakley. I’m live blogging from the Gartner IAM Summit in San Diego.

    What are the demand drivers for federation?
    • Externalization: The users have left the building and so have the applications!
    • Economic pressures: Emphasis on cost reduction/containment. If you don’t specialize in an activity: outsource it, offshore it, or buy it as a service
    • Globalization and externalization: Enterprises interact with everyone: partners, customers, value chain, governments, higher education, joint ventures, etc. Applications, data, and users are everywhere.
    No application is “safe” from SaaS. CRM, IAM, HR, Contractor Management, Payroll, Travel and expense reporting & processing, web conferencing, productivity applications, 10Q preparation and filing.

    I think if I was starting a new business today I’d look to a goal of 100% of my infrastructure and business tools as SaaS apps.

    There’s a growing supply of federations:
    • Shibboleth deployments in 25 national federations representing 1,500 apps and 15M users
    • Exostar has doubled its customer base to 66,000 orgs
    The ecology is robust and growing.

    Protocol wars are over. SAML 2.0 is preferred by enterprises. OpenID and OAuth continue to attract interest, but mostly for low-assurance uses. Information cards also have interesting use cases. The focus is on solving business problems and using right protocols for the business scenario.

    The business model for federation as a hosted-model still needs to be shaken out.

    An IdP service needs to handle: registration, ID proofing, authentication and federation.  Still some holes like SPML missing from this.

    I highly recommend this paper by Bob: "A Relationship Layer for the Web". It's a free download.

    What are some of the challenges around federation?
    • SAML is not ubiquitous
      • Many apps are not federation ready
      • A hybrid SSO capability will be needed
      • Federated provisioning is in a much worse state than SSO
    • Point to point federations are not scalable for large environments. How do you scale to 100s or 1000s of partners?
    • Compliance: Who audits what?!
    Expanding federation’s scope:
    • Federation focuses on authentication today
      • But real federations require much more than authentication
      • Federation capability needs to be broader and deeper
    Federation trends in 2010:
    - Demand is strong.
    - Cloud is driving
    - Market is responding with innovative solutions
    - Many unresolved issues remain: Uptake of federation protocols; SPML

    Overall this was a great session. But, as Bob pointed out while a lot of progress has been made there’s also a very long road yet to be travelled for federation to really become ubiquitous.

    Technorati Tags: ,,,,,

    Monday, November 15, 2010

    Gartner: Delivering IAM to Enterprise Customers and Partners

    by Avivah Litan, Gartner – Live blogging from Gartner’s IAM conference in San Diego

    What are some of the challenges and threats with managing external user identities? Well, the biggest problem is there is no high assurance information about external users in many countries. In the developed world we have passports and third-party data – like credit reports and history – but what about the lesser developed world? The fact of the matter is there are more and more effective threats against user security with new Web 2.0 attacks. As Avivah says, “just about everything can be broken”.

    With respect to knowledge-based authentication (What school did you attend, what’s your mother’s name, who is your bank, etc etc) Avivah presented a case study of 100 of these sessions at a bank and only 49 passed. Of that, only 44 were legitimate – 5 were fraudsters! So despite all the efforts around knowledge-based authentication there was a 5% failure rate that let the fraudsters in. Scary stuff! “More fraudsters are more successfully answering those ‘secret’ questions!” Avivah also talked about the recent malware attacks on OTP credentials by using a man-in-the-browser attack. I blogged about this back in July here.

    Medical fraudsters have bilked Medicare for hundreds of millions of dollars over the last year. All by faking doctors registrations, creating fake clinics and buying stolen healthcare ID numbers. With all of that they were able to pull of this fraud. Again, a great example of tying identity and access management into business intelligence.

    The best identification method is “browser mining” according to Avivah. This is a new technology that requires a log-in and catalogs dozens of variables. However, a lot of tools that work with “fixed” machines like PCs doesn’t work in the mobile world – and we’re moving faster and faster to a mobile world aren’t we? Part of the way to solve this is to use location information but that means giving up some of our own privacy. As long as my bank is willing to refund any fraudulent activity I don’t really care enough to give up any privacy. It’ll be interesting to see how this all plays out.

    Trust, but verify!

    Technorati Tags: ,,,,,

    Gartner: Identity and Access Intelligence

    by Earl Perkins, Gartner

    - IT has been too busy keeping the IAM fires burning, or putting them out to really add value to the business. We have all the potential sources for this intelligence. We are sitting on a gold mine of intelligence.

    - Unless you (IT) can provide actionable intelligence for business decision making, go home.

    - IAI is part of a broader spectrum of enterprise security intelligence. So you have to know your place.

    - Who benefits from the convergence of IAI and BI (business intelligence) is the customers.

    - IAI’s core responsibility to the business is accountability of access to critical resources and the transparency to see it.

    - We can justify IAM through intelligence. You can justify your presence and your relevance via identity and access intelligence.

    - Gartner’s strategic planning assumption: “Through 2013, notable IAM project failures will cause 50% of all companies to shift IAM efforts to intelligence, not administration.”

    - Current IAM projects are difficult to justify as efficiency efforts alone. I totally agree with this!

    - Cloud computing security concerns increase the value of log and repository information.

    - Privacy concerns will hinder aggressive use of IAI

    - We’ve moved from what I used to call triple-A (administration, authentication and authorization) to IAAA: Intelligence, administration, authentication and authorization.

    - Someone needs to have a global understanding of all the data, schemas and key repositories being collected in the business and through IAM. SAP has done a lot of work here according to Earl.

    - Adjacent IAI influences and influencers include SIEM, GRC, IT GRC, BPM, NAC, BI, DLP – enough acronyms yet?!

    - IAI can bring the who view to SIEM, for example. This is something ArcSight (HP) did.

    - IAI is about helping to say what will happen. Not what happened and more than why did it happen.

    This session was a great follow-on from this morning’s keynote by Bill Hossmann. Earl took it a double-click deeper though. It’s really important to be looking at the identity and access management systems in the light of the business versus just the IT group. Will this be more difficult? Absolutely. Throw in cloud data and you can see how deep this water can get. This is definitely graduate school for IAM!!! And, as Earl stated, this is a 5-10 year vision. It is not going to be accomplished overnight.

    (click on the pictures below to get the full view)

    Technorati Tags: ,,,,,

    Gartner: Transforming IAM–The New Business Intelligence Connection

    by Bill Hostmann, Gartner. Live blogging from Gartner’s IAM conference in San Diego

    Bill’s keynote followed the conference kick-off by Earl Perkins and Ray Wagner. As Earl and Ray mentioned this is the 5th Gartner IAM show and it is getting better year after year.

    - BI initiatives in organizations are at the top of business investment these days.

    - BI helps to increase the level of business impact that the (IAM) information has.

    - City of Richmond, VA: Made groundbreaking decisions by including social networking as part of the crime analysis. They had bad assumptions like Christmas being the day of least criminal activity. Turns out it was really Superbowl Sunday.

    - Moving  IAM from traditional operational efficiency to strategic business transformation and from lowering TCO to higher business agility and scale are key things to really up-level IAM with CIOs and other senior staff at your company. How many business value discussions have you had around IAM where you can show or demonstrate how you will increase the organization’s revenue? This is extremely important.

    - You have to align the deciders, the thinkers and the engineers around any of these BI initiatives to maximize IT and business value.

    - You start with key performance indicators (KPI) and take a solution architecture approach to maximize business value.
    - “Actual business impact” is what you are driving for. Much more impactful than “actual IT impact”, eh?!

    - Only about 10% of companies have a BI architect, unfortunately. Companies should consider a BI competency center as part of program management.

    I do believe that BI has the capability to transform the value of IAM in the future and to truly make it relevant to the business. It’s going to be a bit of tough road both for the vendors and for the IT folks. Crossing the chasm from IT value to business value using BI as the bridge is going to take new skills all around…

    (click on the pictures below to get the full view)



    Friday, November 12, 2010

    Gartner Identity & Access Management Summit 2010 - See you there?

    Quest Software will be attending, exhibiting and speaking at the Gartner IAM Summit in San Diego next week (Nov 15-17). I'll be there along with many of my fellow IAM colleagues.

    A few of the sessions I am especially interested in:

    • The Future of Information Security is Context- and Identity-aware (Neil MacDonald)
    • Transforming IAM: The New Business Intelligence Connection (Bill Hostmann)
    • Economics of Identity Management (Bob Blakeley)
    • IAM Intelligence and Analytics (Earl Perkins and Mark Nicolett)
    • Identity Assurance (Bob Blakeley)
    • Managing Identity in the Cloud (Gregg Kreizman)

    I hope to see you at a session or at our hospitality booth!

    Technorati Tags: ,,,,,,,,,

    Friday, November 05, 2010

    Q&A: IAM and the Unix/Linux Organization

    There’s an article in Enterprise Systems with this title that I wanted to draw your attention to. The author, James Powell, spent some time talking to me about this topic and you can find my answers to his questions in his article. Basically, the article discusses how Unix/Linux systems needn't be islands of identity; the challenges and options for addressing authentication, provisioning, and security and we take a closer look at Active Directory bridge products.

    Some of the questions we discussed include:
    • What are some of the unique challenges Unix/Linux organizations face with identity and management (IAM)?
    • What are the options to address those challenges?
    • Can you explain the idea behind Active Directory bridge products? What are the benefits and drawbacks of such products?
    • What makes these AD bridge solutions different from the native tools available through OS providers and open source options?
    • With such a fundamental shift in IAM strategy with an AD bridge solution, what are some of the things organizations should look out for?
    • How is this different from more “traditional” solutions (such as a metadirectory and synchronization)?
    • Can you give some examples of where and how AD bridge technologies are used in the real world?
    • What does Quest offer for Unix/Linux IAM?
    So if you’re interested in any of these questions I’d invite you to take a closer look at James’ article.

    Tuesday, November 02, 2010

    Quest Authentication Services wins 2010 Redmond Magazine Readers Choice Award

    In the “Best Interoperability Product” category we were awarded Preferred Product status. We were also the only Active Directory (AD) bridge product to make the list at all. You can read all about it at their website.
    What I do like about Redmond Magazine and the readers choice award is it really is the readers choice:
    Redmond sent its Readers Choice survey to 40,000 subscribers of the magazine, each of whom could only fill out the survey once. Vendors are not allowed to vote. This year, we're again awarding "ISV Winner" status to non-Microsoft, independent vendor entries that didn't win their categories outright but managed to beat everybody else but Microsoft.
    This is one more proof point that Quest Authentication Services 4.0 is hitting the mark with new, leading features like:

    Detailed Auditing and Alerting: Consolidating Unix data into Active Directory is just part of the picture. Authentication Services 4.0 solves the challenge of how to audit, report and alert on who makes changes to critical Unix data that is now stored in Active Directory. Version 4.0 includes award winning functionality to deliver full visibility and change alerting into who made changes, to what, when, where, and even why.

    Web-based Administrative Console: Effective management is essential when integrating Unix with Active Directory. The new web-based administration console dramatically simplifies deployment, expands management to local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of the Active Directory Bridge product.

    One-time Password Authentication: Easily add another layer of security in situations that require it. For example when deploying Unix systems to tightly controlled network environments (E.G. a DMZ). With new functionality included in Authentication Services 4.0, Active Directory users can be required to authenticate with a One Time Password to Unix systems. Everything that is required for an out-of-the-box solution comes with 4.0 including hardware and Software tokens, PAM modules, Group Policy management capabilities and end-user licenses.

    Freeware Administrative Console: The administrative console is available free-of-charge to any organization wishing to take advantage of its local Unix user and group management capabilities.

    Advanced Management: Support for the flexible scripting of PowerShell, additional ADUC integration, and automated configuration tools.

    Group Policy: Patented Group Policy functionality expands to include macro support, which enables a single GPO to be re-used across multiple Unix systems. In addition Mac OS X Group Policy support keeps pace with the latest OS from Apple (OSX 10.6 Snow Leopard).

    Privileged Account Management: Authentication Services 4.0 includes optimized integration with Quest Privilege Manager for Unix. Solve Unix security initiatives that need to control which users can access which system and what elevated rights they have. For example use Active Directory group memberships and Group Policy for streamlined management tasks.

    Wait until you see what we have coming in 2011 – more awesomeness is on the way!

    Monday, November 01, 2010

    Microsoft to add Java support to Azure

    I caught this post over at Mary-Jo Foley’s “All about Microsoft” blog. This doesn't surprise me. In fact, it would surprise me more if they decided they wouldn’t support Java in Azure. They already support a bunch of other non-.NET languages so why not Java? Might there be identity data that needs to be accessed from Java? Might their be identities to authenticate or authorize from Java? The real interesting part for me is if they start supporting Java in Azure will they do that in other areas, too? Like federation, for example. Microsoft needs to be as open as they can be and this is one small step in that direction but there’s a lot of other steps still to be taken.
    This Microsoft has been touting for a while the ability for developers to use a variety of tools, like Java, PHP, Ruby and Eclipse, when developing applications for Windows Azure. But the company is going to step up its Java support for Azure in the coming weeks and months, elevating Java to a “first-class citizen” in the Microsoft cloud realm.
    The reasons Microsoft is interested in doing this aren’t hard to figure. There are lots of Java developers out there whom Microsoft would be excluding from its potential cloud customer base if it didn’t support anything beyond .Net. And Microsoft cloud competitors like VMware, Amazon and Google all have built Java support into their respective platforms.