Monday, December 19, 2011

Quest Acquires BitKoo and Dives Into Authorization

Back in the mid-90’s Netscape’s release of their LDAP directory product heralded the beginning of many companies starting to centralize identity information and authentication. Over the last few years many companies have started to struggle with all of the applications they have – especially web-based apps – and how they could possibly externalize their authorization processes. There’s been an OASIS standard defined for authorization called XACML and a number of ISVs have built software that leverages XACML.

Quest has chosen to move forward with BitKoo as our “big bet” in the authorization market. We feel that BitKoo provides the best fit for our customers with their .NET-based architecture, their plugins for SharePoint and their overall capabilities and architecture. And, with all of our privileged account and other identity management products we have a natural fit for BitKoo's software.

I’m looking forward to working with the BitKoo team!

Thursday, December 15, 2011

Quest Releases Privileged Account Management Plugins for Sudo

Nearly every company that uses Unix or Linux also uses Sudo to manage delegation of root privileges. Until today, the only way to get additional capabilities like centralized policy management or keystroke logging was an expensive privileged account management product; that changes with the release of our plugins for Sudo.

Quest's Privilege Manager for Sudo plugins provide a central policy server that eliminates the need for box-by-box management of sudoers files, and offers visibility and relevant reports on Sudo policy and use, including access control; separation of duties; and policy tracking, versioning, and change history. Privilege Manager for Sudo enables users to continue to use Sudo as the enterprise-wide primary privileged account management solution for Unix/Linux systems. This results in no end user or administrator retraining requirements, fewer help desk calls and a faster time-to-value.

Joab Jackson at ComputerWorld interviewed me for an article he wrote on this which you can find here. The software is available now and Quest has included 10 licenses at no-cost if you want to try it out at your organization!

Tuesday, November 08, 2011

Self-service Provisioning with Quest One Identity Manager

There’s a great 5 minute video that gives a nice overview of the self-service provisioning capability within Quest One Identity Manager. I’ve embedded it below or you can get to it here. There are a few key things worth highlighting about this demo that I think you’ll be interested in so watch for:
  • How Scott Harris – the approver of Candice Clark being provisioned – is given an indication that there are no separation of duty (SOD) conflicts apparent if Candice is provisioned. What is cool here is that this SOD check is built right into the approval request. This helps move compliance front-and-center to the business manager who is responsible for approving the request.
  • Scott can also easily see the history of the request. In a more complicated scenario Scott would be able to see who else was involved in the workflow request, who initiated the request and via the same interface Scott can also see the next decision steps for the workflow.
Rather than different interfaces for compliance and complex workflows it is possible for business managers to easily understand that they have provisioning requests waiting for them, why they got the request, if approving the request would violate any compliance rules and who else might be involved in approving the request.
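The SOD check described above, as an added example in Python that is not Quest One Identity Manager code: rule ids, entitlement names, the workflow steps and the requests are constructed for illustration. The point it shows is the one the demo makes: the approver sees only the conflicts this particular request would introduce, together with who initiated it, the request history and the remaining decision steps, and a conflicting request cannot simply be approved.

```python
"""Separation-of-duty (SOD) check evaluated inside an approval request.

Added example; this is not Quest One Identity Manager code. The rule ids,
entitlement names, workflow steps and requests are constructed.
"""
from dataclasses import dataclass, field

# Constructed SOD policy: each rule names two entitlements that a single
# identity must never hold at the same time.
SOD_RULES = {
    "SOD-001": ("ap-invoice-entry", "ap-payment-approval"),
    "SOD-002": ("vendor-master-edit", "ap-payment-approval"),
    "SOD-003": ("gl-journal-post", "gl-journal-approve"),
}


@dataclass
class AccessRequest:
    request_id: str
    requester: str            # who initiated the request
    subject: str              # identity being provisioned
    requested: frozenset      # entitlements asked for
    current: frozenset        # entitlements the subject already holds
    approvers: tuple          # remaining decision steps, in order
    history: list = field(default_factory=list)


def sod_violations(entitlements):
    """Ids of the SOD rules violated by one set of entitlements."""
    return sorted(rule_id for rule_id, (a, b) in SOD_RULES.items()
                  if a in entitlements and b in entitlements)


def prepare_for_approver(req):
    """What the approver sees: only the conflicts this request would introduce
    (a pre-existing conflict is a separate remediation), who initiated it,
    what has happened so far and which decision steps remain."""
    already = set(sod_violations(req.current))
    introduced = [r for r in sod_violations(req.current | req.requested)
                  if r not in already]
    return {
        "request_id": req.request_id,
        "subject": req.subject,
        "initiated_by": req.requester,
        "sod_conflicts": introduced,
        "approvable_without_exception": not introduced,
        "history": list(req.history),
        "next_steps": list(req.approvers),
    }


def decide(req, approver, approve, exception_reason=None):
    """Record an approver's decision. A request that introduces an SOD
    conflict cannot simply be approved; the approver must record an
    exception reason, which stays in the history for the auditor."""
    if approver not in req.approvers:
        raise PermissionError(f"{approver} is not a pending approver for {req.request_id}")
    view = prepare_for_approver(req)
    if approve and view["sod_conflicts"] and not exception_reason:
        req.history.append((approver, "blocked-sod", view["sod_conflicts"]))
        return "blocked-sod"
    outcome = "approved" if approve else "rejected"
    req.history.append((approver, outcome, exception_reason))
    req.approvers = tuple(a for a in req.approvers if a != approver)
    return outcome


if __name__ == "__main__":
    # Constructed request: Candice already enters invoices and asks for payment approval.
    req = AccessRequest("REQ-1002", "candice.clark", "candice.clark",
                        frozenset({"ap-payment-approval"}),
                        frozenset({"ap-invoice-entry"}), ("scott.harris", "cfo"))
    print(prepare_for_approver(req))
    print(decide(req, "scott.harris", True))
```

The history list is the audit trail: a blocked approval, an approval with an exception reason and a plain rejection all leave a record that the later approvers and the compliance reviewer can read through the same view.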

These types of capabilities really enable business owners in an organization to participate fully in their company’s identity and access governance initiatives.

Monday, October 24, 2011

Quest Authentication Services now IBM VIOS Certified

Quest Authentication Services (QAS) 4.0 was recently awarded IBM Virtual I/O Server (VIOS) certification.

“VIOS allows a single machine to run multiple operating system (OS) images at the same time, each isolated from the others. This logical partition (LPAR), controlled by the HMC or IVM, owns hardware adapters like SCSI disks, Fibre-Channel disks, Ethernet or CD/DVD optical devices but allows other LPARs to access them or a part of them. This allows the device to be shared. The LPAR with the resources is called the VIO Server and the other LPARs using it are called VIO Clients. For example, instead of each LPAR having a SCSI adapter and SCSI disk to boot from, they can share one disk on the VIO Server. This reduces costs by eliminating adapters, adapter slots and disks.”


Thursday, October 20, 2011

More on privileged account (mis-)management

Check out this story I read on InformationWeek: Are Your IT Pros Abusing Admin Passwords?

Just goes to show you that this is a problem that is nearly endemic due to the fact that we have far too many passwords to remember - and that includes privileged account passwords.
  • 42% report that IT staff freely share passwords and access to multiple business systems and applications.
  • 25% of survey respondents said that at least some of the superuser passwords that grant all-access rights to hardware, applications, or databases were less complex than the business' end-user password policies required.
  • 48% of survey respondents reported that privileged account passwords at their business had remained unchanged for at least 90 days.
It's only getting worse with more and more cloud applications and services being used. What's going on with your admin passwords for, for example? What are you going to do about Office365? Exactly.
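The three survey findings above are each something you can check in your own environment. The following is an added example, not part of the InformationWeek article or any Quest product: it audits a constructed inventory of privileged accounts for passwords older than 90 days, credentials shared across accounts, and accounts whose effective password policy is weaker than the end-user baseline. It assumes an export that carries each account's password-last-set date, an unsalted credential hash (an NT hash is identical for identical passwords, which is what makes the sharing check possible) and the minimum length the account's effective policy enforces; all values are constructed.

```python
"""Privileged-account password hygiene audit.

Added example, not from the survey or from a Quest product. The inventory,
the policy numbers and the hash values are constructed; a real run would read
them from an export of the directory, database and Unix accounts in scope.
"""
from collections import defaultdict
from datetime import date

MAX_PRIVILEGED_PASSWORD_AGE_DAYS = 90
END_USER_POLICY_MIN_LENGTH = 10      # constructed end-user policy baseline

# Constructed inventory. "hash" stands in for an unsalted credential hash
# (e.g. an NT hash); identical passwords therefore produce identical hashes.
PRIVILEGED_ACCOUNTS = [
    {"name": "CORP\\da-admin1", "hash": "h1", "pwd_last_set": date(2011, 9, 1),   "policy_min_length": 14},
    {"name": "CORP\\da-admin2", "hash": "h1", "pwd_last_set": date(2011, 9, 1),   "policy_min_length": 14},
    {"name": "CORP\\svc-backup", "hash": "h2", "pwd_last_set": date(2010, 12, 15), "policy_min_length": 14},
    {"name": "ora-sys-prod",    "hash": "h3", "pwd_last_set": date(2011, 10, 1),  "policy_min_length": 8},
    {"name": "root@db01",       "hash": "h1", "pwd_last_set": date(2011, 6, 1),   "policy_min_length": 14},
]


def audit(accounts, as_of, max_age_days=MAX_PRIVILEGED_PASSWORD_AGE_DAYS,
          end_user_min_length=END_USER_POLICY_MIN_LENGTH):
    """Return the accounts matching each of the three survey conditions."""
    stale = []                    # (name, age in days) for passwords past max age
    weaker_policy = []            # privileged accounts held to a weaker policy than end users
    by_hash = defaultdict(list)   # hash -> accounts using the same secret
    for acct in accounts:
        age = (as_of - acct["pwd_last_set"]).days
        if age >= max_age_days:
            stale.append((acct["name"], age))
        if acct["policy_min_length"] < end_user_min_length:
            weaker_policy.append(acct["name"])
        by_hash[acct["hash"]].append(acct["name"])
    # Same hash on two or more accounts means the secret is shared between them.
    shared = sorted(names for names in by_hash.values() if len(names) > 1)
    return {"stale": stale, "shared_credentials": shared, "weaker_policy": weaker_policy}


def summary(findings, total):
    """Percentages in the same shape as the survey numbers."""
    affected = {acct for group in findings["shared_credentials"] for acct in group}
    return {
        "pct_stale": round(100 * len(findings["stale"]) / total),
        "pct_shared": round(100 * len(affected) / total),
        "pct_weaker_policy": round(100 * len(findings["weaker_policy"]) / total),
    }


if __name__ == "__main__":
    result = audit(PRIVILEGED_ACCOUNTS, as_of=date(2011, 10, 20))
    print(result)
    print(summary(result, len(PRIVILEGED_ACCOUNTS)))
```

Where salted hashes are all you have, the sharing check has to be replaced by something else (for example, a vault that rejects a new secret already stored for another account); the staleness and policy checks work on any export that carries the last-set date and the effective policy.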

Wednesday, October 19, 2011

Privileged Identity Management (PIM) Market to Grow 24% Through 2014

I came across this report yesterday. Not surprising to see the following statement highlighted:
One of the key factors contributing to market growth is the growing compliance requirements.
Hopefully, we have all come to realize that the reason for many software acquisitions in this area - identity and access management - are to help companies meet compliance requirements. And, that most of the components of an IAM suite enable a customer to better comply with these regulations.

Update: Martin Kuppinger sent me an email and made a couple of good points that I felt were worth highlighting:

  1. 24% CAGR growth is too low. I agree! The issues around privileged account/identity management are only growing. We've seen some great examples recently of how poor controls around privileged accounts have led to some IT disasters. And, as the report highlights, compliance regulations aren't getting any easier.
  2. It's easier to be compliant when PxM (Privileged whatever Management) becomes tightly integrated with Provisioning and Access Governance, unlike today, where we frequently see things done separately for "normal" and privileged accounts, users, and identities. This is very true. It isn't really possible to consider PxM outside of provisioning and access governance any more. The days of just managing "root" on your Unix boxes are long gone. In fact, I wonder how companies are going to handle their Office365 administrative account? How they handle their privileged accounts? PxM needs to include the cloud too!

Tuesday, October 04, 2011

Achieving PCI DSS Compliance with Quest One Solutions for Privileged Access

We just published this whitepaper. It’s pretty hard to over-emphasize how the management, control and audit of shared and privileged account passwords are mandatory in meeting PCI requirements.

Like all regulatory requirements, there is no single product or policy/procedure that can assure compliance! PCI compliance requires that your enterprise deploy many security technologies, and have specific policies and procedures in place.

This white paper focuses on the unique issues and solutions associated with both privileged password management and remote vendor access in meeting PCI compliance requirements. Many of the requirements highlighted cannot be resolved or adequately addressed by existing enterprise security technologies such as firewalls, VPN and IDS solutions. Existing legacy policies and procedures are also unable to meet many of the requirements standards presented under PCI.

Friday, September 23, 2011

Microsoft, BHOLD and what the parrot saw

Microsoft has acquired certain assets of BHOLD, a leading provider of identity and access governance functionality. BHOLD will continue as an independent entity. The terms of the deal will not be disclosed. Roadmap and licensing will be announced later.
Both Ian Glazer (Gartner) and Martin Kuppinger (Kuppinger Cole) blogged about the acquisition today. I’m the parrot and here’s what I saw after reading the announcement:
  1. It was an acquisition of “certain assets” of BHOLD. So basically the IP (software) got bought leaving behind debts and various other obligations.
  2. The “certain assets” apparently didn’t include the customers: “Current BHOLD customers’ support experience for their current products will remain the responsibility of BHOLD.”
  3. As Ian Glazer says: “Voelker was acquired by Quest. BHOLD is now Microsoft. This leaves Omada standing alone.” The guys at Omada have big egos so I hope this is a wake up call for them. I think your FIM-software days might be numbered.
  4. Ian further says: “This is a sensible deal for Microsoft. Forefront Identity Manager lacks IAG capabilities and an acquisition strategy makes perfect sense.” I agree. It is a sensible deal. But Ian asks the excellent question of how and when the BHOLD goo will show up in FIM. Integrated? Stand-alone? No one knows at the moment but we’ll probably hear something from Microsoft on this topic soon.
  5. Ian also said: “Catch that last bit? Authorization management. BHOLD had some interesting ways of behaving like a PDP for SharePoint.” I actually think this bit might be more important to FIM’s long-term cloud management aspirations. Again, we’ll probably hear something from Microsoft on this topic soon.
So net-net this was a good deal for Microsoft. And what does the parrot see as the top 3 things Microsoft needs to do now that they have acquired “certain assets”? Execute, execute, execute.

Thursday, September 22, 2011

How to ensure Active Directory availability

We’ve released a white paper on this topic that you can find here (registration required) or here.
Today’s IT organizations refer to Active Directory as the “heart of their infrastructure.” Active Directory sits at the center of a Windows-based environment, and without it, the entire network can become useless. Because Active Directory is the key to the authentication and authorization functions that grant users access to nearly every resource they use throughout the day, an impaired Active Directory can cause performance, security, and availability problems throughout the network.

To manage Active Directory successfully, you’ll need tools to monitor its health and detect impending problems, as well as tools that can help correct those problems and even help you recover from a failure.

This paper explores some of the key capabilities you need to maintain a healthy Active Directory infrastructure, and examines techniques and technologies that can help recover from a failure, mistake or other problem condition.
I'll put a plug in for Spotlight on Active Directory. This is an awesome tool. In fact, if I was an AD admin or concerned with AD operations at all I'd have Spotlight on Active Directory at hand or, at a bare minimum, bookmark the link to download it in case I ever needed it. The fact of the matter is we offer a fully functional 30-day evaluation license. So, if you ever find yourself in a bad situation you should download it and get some free diagnostics. It might just save your butt.

Thursday, September 15, 2011

Escalation Engineer – Identity Management in the UK

If anyone out there is interested in a position at Quest in beautiful Somerset here’s a link to the job here. Feel free to e-mail me if you’d like to get more info or an introduction.
We are looking for an extremely bright individual with a solid background in IT to join our highly skilled, customer-focused team of escalation engineers for our first-class Identity Management solutions. Escalation engineers provide expert technical support for advanced issues, and act as a critical link between Quest Support and the engineering teams. If you have systems administration or technical support experience in either a Windows Active Directory or Unix/Linux environment, and can demonstrate a passion for problem-solving, then we want to talk to you.

We are always looking ahead at cutting edge technologies, so this is a fantastic opportunity to get your career off to a great start or simply to keep you ahead of the curve working for one of the top companies in the industry. Through Quest Software’s award-winning solutions, our customers can get more from their IT investments; we attract and hire only the best to deliver our commitments to our customers.

This role is based in Somerset, UK at one of Quest’s global Research and Development sites.


Monday, September 12, 2011

FISMA Security Guide for Quest Password Manager

We just released guidance on the security features of Quest Password Manager. It reviews access control, customer data protection, secure network communication, and more. There is also an appendix that describes how Password Manager’s security features meet the NIST-recommended security standards as detailed in the Federal Information Security Management Act (FISMA).

You can download a copy from here (registration required) or here.

Friday, September 09, 2011

ActiveRoles Server European User Group 2011

16:00 – 19:00 Sunday, 16 October
InterContinental Frankfurt

We’re pleased to introduce this ActiveRoles Server user group meeting to “The Experts Conference”. This meeting will bring together users for an interactive discussion around best practices and roadmap plans. Join the ActiveRoles Server product, development and program manager team as we discuss best practices for ActiveRoles Server’s AD Windows Security, delegation and day-to-day Active Directory management. We’ll cover integration scenarios, group management, and more. Join us for an information-packed session!

For more information and to register, please email:

Monday, August 22, 2011

IT staff member wipes out company’s servers–after he was terminated!

I read this InfoWorld article this morning and figured I’d pass it on. It’s yet another story where a terminated IT staff member subsequently does something bad.
Logging in from a Smyrna, Georgia, McDonald's restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company's computer infrastructure earlier this year.
Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty Tuesday to computer intrusion charges in connection with the attack on Feb. 3, 2011. He wiped out 15 VMware host systems that were running email, order tracking, financial, and other services for the Florham Park, New Jersey, company.

Using vSphere, he deleted 88 company servers from the VMware host systems, one by one.
I sure hope Shionogi had an effective backup policy in place. Aside from that, I wonder how long it will take for IT to understand the importance of de-provisioning an employee and better access control around privileged account management?

A few weeks ago I overheard someone saying that identity management was passé. I don’t think so! This is a great example of how far we still have to go…

Friday, August 12, 2011

Why wouldn’t you federate to Office 365?

I don’t get it. Obviously I have blinders on. Apparently there are companies that prefer password synchronization – or nothing – between their corporate Active Directory and Office 365. Why?

Is it because setting up ADFS requires corporate IT’s involvement? Is it because ADFS is perceived to be too difficult? Do they feel they are exposing their Active Directory on the internet so there’s a security risk? I’m not getting clear answers when I try to dig into this. I’m having trouble understanding why a company wouldn’t want to enable single sign-on. Do they not understand the benefits of single sign-on from the perspective of reducing password confusion, reducing helpdesk calls, etc.?

Have any of you run into this? What’s your experience?

Monday, August 08, 2011

What is the killer app for federation?

What is the killer app for federation?
A killer application has been used to refer to any computer program that is so necessary or desirable that it proves the core value of some larger technology...A killer app can substantially increase sales of the platform on which it runs.
I don’t know the answer to this question unfortunately but I am seeking an answer. I do believe that federation is a means to an end but it is itself not the end. In other words, the benefits of federation are not sufficient to make federation itself a killer app. Is federated single sign-on (FSSO) an important benefit of federation? Of course it is. But is FSSO enough of a benefit that companies are flocking to get federation deployed? Nope. Is federation driving people to use Google, Office 365 or Nope. Again, FSSO is a nice benefit but many companies use Google or without federation enabled.

Why did companies deploy Active Directory? Why is Active Directory deployed at nearly 100% of companies? Well, it’s not because Active Directory makes managing your users easier or because it provides single sign-on. Sure, those are awesome benefits for the company but those benefits generally accrue to the IT staff – not the business, not the company. What drove the uptake of Active Directory was a simple killer app called e-mail: Microsoft Exchange. The business benefit for an enterprise e-mail system drove companies to Exchange and Exchange requires Active Directory. Exchange was the killer app that drove deployment of Active Directory.

So the IQ test question becomes: Active Directory is to Exchange as Federation is to X?

What is X?

Thursday, June 30, 2011

Top 10 Secrets for Managing NTFS File Permissions

Randy Franklin Smith will be holding this technical webinar on managing NTFS file permissions on July 21…

Title: Top 10 Secrets for Managing NTFS File Permissions
Date: Thursday, July 21, 2011 11:00:00 AM EDT

Keeping files secure on file servers – and really any other type of server – is critical especially with the kinds of advanced persistent threats we’re up against today.  But managing file permissions is laborious and error prone and done poorly or irregularly leads to significant access control risks.  Factors that make file access control difficult include:
  1. Conflicts between share and NTFS permissions, especially when multiple shares exist on a given branch
  2. Difficulty of finding folders with inherited permissions or blocked inheritance
  3. The sheer number of files
  4. Loss of continuity with the admin who set everything up
  5. Lack of knowledge about the files, the type of information they hold and who should really be the owner
  6. Difficulty in finding all the files a given user or group has access to
  7. Confusion over how permission inheritance works
On top of that, Windows Server 2008 has new features such as Access Based Enumeration and User Account Control that can cause confusing situations when it comes to how permissions are applied as well.
In this webinar I will update you on how NTFS permissions work today and I will tackle the challenges listed above. In particular, I’ll demonstrate several free tools that will help easily list all shared folders and their share permissions, analyze a given folder hierarchy and find all explicitly defined permissions, and analyze an entire server to find all objects a given user or group has access to.

I’ll also provide other proven tips on managing file permissions including how to backup permissions and compare a folder hierarchy’s current permissions to a previous snapshot to detect what’s changed.

Then I think you will benefit from learning briefly about how Quest Access Manager fills in the remaining gaps with some very advanced and imaginative techniques. For instance, Sudha Iyer, Quest product manager, will demonstrate how Access Manager helps you figure out who should be the business owner of file server folders by analyzing the activity on the folder’s files. You’ll also see how Access Manager provides an enterprise-wide view of a user’s or group’s entitlements and helps you implement business-owner-approved access control.
Please join me for this very technical, real training for free (TM) webinar. Click here to register
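Three of the tasks the webinar description names (find explicitly defined permissions, find every object a given user or group has access to, and compare a folder hierarchy's current permissions to a previous snapshot) can be done over an exported permission snapshot. The following is an added example in Python, not one of the free tools from the webinar and not Quest Access Manager code. The snapshot shape, the paths and the identities are constructed; a real snapshot would come from exporting each folder's DACL (for instance with icacls or Get-Acl) into the same shape. It models allow ACEs only; deny entries and share permissions are not represented.

```python
"""NTFS permission snapshot analysis: explicit ACEs, blocked inheritance,
access held by a principal, and change detection between two snapshots.

Added example; not from the webinar's tools or from Quest Access Manager.
Snapshot shape (constructed):
    path -> {"protected": bool, "aces": {(identity, rights, inherited), ...}}
"protected" means inheritance from the parent folder is blocked.
"""
from copy import deepcopy

BASELINE = {
    r"D:\Shares\Finance": {
        "protected": False,
        "aces": {("CORP\\Finance", "Modify", False),
                 ("CORP\\Domain Admins", "FullControl", False)},
    },
    r"D:\Shares\Finance\Payroll": {
        "protected": True,            # inheritance blocked, own ACL
        "aces": {("CORP\\Payroll", "Modify", False),
                 ("CORP\\Domain Admins", "FullControl", False)},
    },
    r"D:\Shares\Finance\Reports": {
        "protected": False,           # everything inherited from Finance
        "aces": {("CORP\\Finance", "Modify", True),
                 ("CORP\\Domain Admins", "FullControl", True)},
    },
}

# Later snapshot: an individual user was given explicit Full Control on Reports.
CURRENT = deepcopy(BASELINE)
CURRENT[r"D:\Shares\Finance\Reports"]["aces"].add(("CORP\\jsmith", "FullControl", False))


def explicit_aces(snapshot):
    """Folders carrying explicitly defined (non-inherited) ACEs."""
    return {path: sorted((i, r) for i, r, inherited in folder["aces"] if not inherited)
            for path, folder in snapshot.items()
            if any(not inherited for _, _, inherited in folder["aces"])}


def blocked_inheritance(snapshot):
    """Folders where inheritance from the parent is blocked."""
    return sorted(path for path, folder in snapshot.items() if folder["protected"])


def accessible_to(snapshot, principal, groups=()):
    """Every folder where the principal, or a group it belongs to, holds an ACE.
    Group membership is supplied by the caller (e.g. from a token or AD lookup)."""
    names = {principal, *groups}
    return {path: sorted(r for i, r, _ in folder["aces"] if i in names)
            for path, folder in snapshot.items()
            if any(i in names for i, _, _ in folder["aces"])}


def diff_snapshots(old, new):
    """ACEs added or removed per folder, plus folders whose inheritance flag changed."""
    empty = {"protected": False, "aces": set()}
    added, removed, inheritance_changed = {}, {}, []
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path, empty), new.get(path, empty)
        if n["aces"] - o["aces"]:
            added[path] = sorted(n["aces"] - o["aces"])
        if o["aces"] - n["aces"]:
            removed[path] = sorted(o["aces"] - n["aces"])
        if o["protected"] != n["protected"]:
            inheritance_changed.append(path)
    return {"added": added, "removed": removed, "inheritance_changed": inheritance_changed}


if __name__ == "__main__":
    print("explicit:", explicit_aces(CURRENT))
    print("blocked inheritance:", blocked_inheritance(CURRENT))
    print("jsmith can reach:", accessible_to(CURRENT, "CORP\\jsmith", groups={"CORP\\Finance"}))
    print("changes since baseline:", diff_snapshots(BASELINE, CURRENT))
```

Running the diff against a stored baseline on a schedule is the detection half of item 1 and the "what's changed" tip above: the new explicit ACE for a single user on a folder that previously only inherited is exactly the kind of quiet drift that a periodic comparison surfaces.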

Friday, June 24, 2011

Controlling & Managing Super User Access

This “Primer on Privileged Account Management” was written by Kris Zupan who was one of the founders of eDMZ and is now Chief Architect here at Quest Software.
Effectively managing privileged accounts (sometimes called super user accounts) is becoming more and more critical as security and compliance emerge as the driving force behind most IT initiatives. Unfortunately, native tools and manual practices for privileged account management are proving to be inadequate for today’s complex heterogeneous enterprise.

This white paper explores the risks associated with privileged accounts, and explains how Quest’s solutions mitigate those risks by enabling granular access control and accountability while preserving necessary access and ease of use. This paper is intended for CIOs, IT directors and managers, security and compliance officers and administrators in enterprises of all sizes, especially those who have not established firm control over all of their organization’s privileged user accounts.
You can download a copy of this primer from the Quest website here.

Tuesday, June 21, 2011

Find out who and what applications are hogging your Active Directory resources

Do you ever feel like your Active Directory is slow to authenticate or that your domain controllers are working harder than they really should be? Do you feel like users or applications are not being efficient in their use of your AD domain controllers? Quest ChangeAuditor can help you prove it. ChangeAuditor for LDAP tracks queries to your Active Directory environment, and then translates raw data into meaningful intelligent data to keep your infrastructure efficient and it also provides detailed analysis. It analyzes all LDAP queries against your domain controllers to tell you in simple terms of “Who, What, When, Where and originating Workstation," saving you the time you once spent digging for more details.

A couple of examples to illustrate how and when you can use ChangeAuditor for LDAP to get answers to the questions about your Active Directory:

1. Improve in-house and COTS use of Active Directory:
A logistics company noticed that over time their AD logon process slowed down to the point where it was a problem for users. Other than buying new hardware or re-architecting their AD, they wanted to know if there were applications or users that were taking up more resources than are reasonable for day-to-day business use. Using CA for LDAP they were able to identify some internal applications that were querying AD for a large number of objects over and over. They were able to refine the queries to gather only the attributes they required, on an as-needed basis, and the resource utilization was brought back in line, improving their overall user AD responsiveness without any hardware or AD design changes.

2. Don’t migrate before you know who is using your AD and how:
During a migration, an internal application was hard-coded to attach to a specific domain controller, but the users and administrators didn’t realize this until the domain controller was shut down. This broke a critical application. If they had known ahead of time that there was an application that was hard-coded, they would have updated the application before the migration, rather than having to restore an old domain controller and maintain two directories until the application was updated.

How does it look? Here’s an example screen shot:


You can immediately see the container the application is querying, the scope of the query, the number of results, how many times (occurrences) the query has been made in the last few minutes – and the actual query they are making. All information you can use to see who’s using your directory resources.

Save yourself the headache of finding out the hard way that someone or something is not being a good “directory citizen” or abusing their access to Active Directory. Querying over and over, scoping queries that retrieve way too much information, or even hard-coded queries that go against specific domain controllers – all of which can be problematic to your directory. You can even see if someone is NOT using secure and signed queries. Quest ChangeAuditor for LDAP provides you with a proactive solution to problems you may not know you’re already having.

Monday, June 20, 2011

Controlling Privileged Account Access

Tomorrow (Tuesday, 6/21) at 1PM eastern we are presenting a webcast on this topic…

Access through privileged accounts is one of the most troublesome security and compliance challenges. Manually controlling administrative access is tedious and error prone and leads to a lack of accountability, auditing and, at times, administrators having more access than necessary.

Join Quest Software for this informative webcast where we will walk you through the issues of common privileged account scenarios such as:
  • Controlling remote vendor access
  • Enabling developer access to production
  • Managing the issuance and approval of credentials
  • Facilitating separation of duties
  • Providing limited rights for daily administrative tasks
  • Managing a Sudo environment
You will also see how Quest One Privileged Account Management solutions help you control access. They make it easy through granular delegation and policy-based control of administrative accounts as well as tightly controlled and audited issuance of full administrative credentials.

Register for the webcast today

Monday, June 06, 2011

Quest acquires Symlabs for their virtual directory and federation technology

Today, Quest Software announced the acquisition of Symlabs, a privately held solutions provider that specializes in virtual directories and federation solutions. The addition of Symlabs’ virtual directory software will enable Quest products to easily consolidate identity data that is stored in a distributed environment, whether it be stored in directories or databases. Symlabs also brings additional federated identity capabilities that will broaden our federated single sign-on solutions and capabilities.

Quest has been an OEM customer of the Symlabs virtual directory product for some time now. It was actually this exercise that started me to think about how customers – including Quest – weren’t really deploying a virtual directory (VDS) for the sake of having a virtual directory. Customers are deploying a VDS to solve very particular problems like easing the integration of identity data and systems into an existing identity management project or allowing directory-enabled applications to be kept in place despite the fact that the underlying directory was being re-architected or migrated.

So one of our goals will be to incorporate Symlabs’ VDS technology into a number of existing Quest products to make it easier to solve some of these problems. Our existing migration products have successfully helped thousands of customers migrate from one platform to another, but one of the problems that keeps coming up is: How do I migrate my directory-enabled applications? Most customers turned to a virtual directory for help. That’s why we feel that including a virtual directory capability as part of our migration products will prove useful to our customers. The same goes for our identity and access management product Quest One Identity Manager. We already provide a wealth of connectors for our customers to integrate their systems with Q1IM. Why not expand their capabilities and benefits by including a virtual directory as part of our identity and access management product?

I think Quest is uniquely positioned to leverage virtual directory technology into a host of products that the traditional virtual directory companies just don’t have today, like migration products. We'll also leverage Symlabs’ federation product by incorporating it into our existing federation and WebSSO products, giving them broader reach and extended capabilities.

Exciting times!

Friday, May 27, 2011

Looking for a Pre-Sales Solutions Architect - Identity Management

We’re looking for a pre-sales solutions architect for identity management. Here’s some background on the opening and if you’re interested in applying click here.

Job Summary:
As a member of the Presales team, you will play a key role as a technical liaison for Senior Sales Representatives and clients. The position can be based anywhere in the Western US. However, it requires 70% travel to client locations.

Essential Responsibilities:
• Architect, design and implement Identity Management solutions for Quest customers 
• You will be presenting and demonstrating Quest’s Identity Management Solutions at customer sites, performing white board presentations, architecture overviews, product walkthroughs and proof of concepts
• To successfully execute procurement activities: RFP responses, trial execution, installation and tuning
• Represent Quest Software’s Identity Management Group at relevant trade shows and user groups  

Minimum Qualifications:
• At least 3 years of building and implementing Identity Management Solutions within heterogeneous environments
• Strong Active Directory and Enterprise Directory Services knowledge 
• Experience with a competing product (SUN, Oracle, CA or IBM)   
• EDUCATION B.A./B.S. in CS/CIS/MIS/Business or related field equivalent
• Available to travel 2 - 4 days/week

Preferred Qualifications:
• Experienced in User Provisioning and management, Help Desk, User Self Service and password management, Multiple Directory Integration or Synchronization, Account workflow and management, Single Sign On and system integration to consolidate user accounts/identities
• Strong communication skills both orally and verbally

Monday, May 16, 2011

Nick Nikols joins Quest Software!

On December 20, 2006 I blogged about Nick returning to Novell after a stint at The Burton Group. Well, Nick has now joined Quest Software. I’ve re-posted what I said about Nick back in ‘06 because there’s not much more I can say other than I am very excited that Nick has joined us and I’m personally looking forward to his influence on Quest’s identity and access management strategy.
I’ve known Nick for a long time now. I first met Nick while I was at Zoomit back in the late 90’s. Nick is one of a number of stellar directory smart (directory enabled?!) people in the world. We released Zoomit VIA – the world’s first commercial metadirectory product – in 1998. By the time Microsoft acquired us in June, 1999 Nick had single handedly architected and then convinced folks at Novell to build what was then called DirXML and is now called Novell Identity Manager. I remember when DirXML was released and how amazed I was at Nick’s approach of using XML as the foundation to help solve the metadirectory problem. It was truly bleeding edge back then but now is totally hip because of its XML roots.

Nick, along with a number of other great Novell folks – like Brad Anderson, Greg Macris, Samm diStasio, Ed Anderson – left Novell during the reign of Jack Messman. Nick joined The Burton Group where he served as an analyst in their identity management practice for a number of years. Over that time I worked with Nick both when I was at Microsoft and at Quest. We talked a number of times about the possibility of returning to Novell but it always seemed to be a non-starter with Nick (and everyone else!) that he’d want to go back while Jack was at the helm. Well, Jack left, Nick got a call and the rest is history. Nick is now VP, Product Management at Novell and I wish him the best of luck.

I’ve always been a big believer in Novell’s strategy, vision and products. If there is a company that really and truly “gets” directory it is Novell. Novell’s identity management products currently generate about $100M in revenue annually. The other players in this business do not break out their IDM revenue but I am willing to bet everyone trails this number by a lot. A couple of reasons for their success are the fact that they do have a good product, an integrated product stack and they have been successful penetrating the SMB (small & medium business) market.
Welcome aboard Nick!!!

Friday, May 13, 2011

Three Steps to Simplified & Intelligent Data Governance

We are hosting a webcast on this topic on Thursday, May 26 at 11 a.m. ET/8 a.m. PT:

You need to track access to critical data across your enterprise for security and compliance. Unfortunately, there is no easy way to natively gather information on data ownership and usage.

Join us for a free one-hour webcast as we discuss three steps you can take to achieve better data governance:

1. Discover your data—to find out who is accessing what data
2. Identify data owners—to remove IT from the role of “gatekeeper”
3. Establish consistency—to properly apply permissions and manage servers in groups

You’ll also see how Quest’s newly released Access Manager 2.0 simplifies these steps to identify and assign the appropriate data custodians, as well as centrally manage access to data, files and shares so that users access only the resources they need—no more and no less.

Register for webcast today!

Wednesday, May 04, 2011

Attachmate lays off Mono employees

Read this blog post earlier today and thought I’d pass it on:
Attachmate is moving swiftly to re-organize the Novell business it acquired for $2.2 billion. Today Attachmate laid off an unknown number of U.S. based Novell developers that were working on the open source Mono project.

Mono is the Novell led effort to provide an open source implementation of the Microsoft .NET framework on Linux.

"We have re-established Nuremburg as the headquarters of our SUSE business unit and the prioritization and resourcing of certain development efforts - including Mono - will now be determined by the business unit leaders there," said Jeff Hawn, Chairman and CEO of The Attachmate Group in a statement sent to "This change led to the release of some US based employees today. As previously stated, all technology roadmaps remain intact with resources being added to those in a manner commensurate with customer demand."

I've been following Mono since Miguel de Icaza started the project back in 2004. Yes, I know, there are lots of people that don't like Mono and its Microsoft styled technology. I also know a lot of people (including me) that rely on it as a way to run .NET on Linux.

I don't know what is happening to Miguel (yet). I know that without his leadership this project would not be where it is today. The U.S. based developers in the Novell project are the ones that I have interfaced with over the last 7 years. They are a skilled group and it's a real shame that Attachmate is letting them go.

That said, talent like that will likely be picked up by a rival - or maybe even Microsoft. The patent related issues have long made Mono a technology that some vendors (like Red Hat) have avoided.

It is my personal hope that the developers are taken care of financially by Attachmate and that they find new employment soon.

As for the Mono project, I hope that Attachmate has a plan to keep this project growing. Despite its shortcomings, it is an essential part of the Linux ecosystem, providing a critical bridge between .NET and Linux.

Wednesday, April 27, 2011

Quest Granted Another Patent

We were just notified that we were awarded yet another patent for our work on translating legacy authentication requests into Kerberos requests. This is a key and important area: it allows us to take, for example, LDAP requests and authentications and return Kerberos tickets to implement single sign-on. It’s patent #7,904,949, “Apparatus, systems and methods to provide authentication services to a legacy application”. Congrats to John Bowers and Matt Peterson, our illustrious inventors. The patented work shows up in Quest Authentication Services and further demonstrates the innovative work that has been put into our products.

Tuesday, April 26, 2011

How to Implement a Two-Factor Authentication Solution -- or Replace Your Current One

Are you considering implementing or replacing your current two-factor authentication solution? Not all solutions are the same.
In this live webcast, “Secure, Affordable Two-Factor Authentication,” you’ll learn about Quest Defender, an affordable, open-standards solution for two-factor authentication. You’ll see how Defender can:
  • Leverage the redundancy, security and scalability of your existing Active Directory investment – so you won’t need to invest in expensive, proprietary solutions or learn a new console
  • Coexist with other two-factor implementations for ZeroIMPACT migrations
  • Offer perpetual soft and hard tokens that never expire
  • Include all agents, RADIUS servers and user self-registration for both hard and soft tokens
You can register here for the webcast which takes place on Wednesday, May 4th at 11AM eastern time.


Tuesday, March 22, 2011

BAA replaces their legacy OTP solution with Quest Defender

Good case study just published about BAA’s replacement of their legacy OTP solution in favor of Quest Defender. BAA is one of the world’s leading transport companies, owning six airports in the UK, including the largest, London Heathrow. One of Defender’s main advantages is being able to co-exist with other systems so a customer can do an “as they please” migration – no forklift required. Defender’s ability to co-exist with BAA’s previous solution also ensured that continuity of service was maintained during the roll-out.
“BAA will save money because Defender tokens last at least 67 percent longer than our previous solution, and last for the life of the battery rather than having a defined life of three years,” said Fiona Hayward, IT Programme Manager. “We can renew users’ tokens when they expire, as a help desk business-as-usual process, instead of issuing 7,500 tokens in one go and incurring the costs associated with running such a project.”
Thanks to BAA for participating in our case study. I always appreciate customers who are willing to talk publicly about our products and their success.

Friday, March 18, 2011

RSA Hacked! Were they using 2-factor authentication themselves?

This has really made headlines. It’s also resulted in a number of e-mails from Quest customers happy they chose Quest Defender over RSA SecurID!

Hacker Spies Hit Security Firm RSA

Top security firm RSA Security revealed on Thursday that it’s been the victim of an “extremely sophisticated” hack.
The company said in a note posted on its website that the intruders succeeded in stealing information related to the company’s SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

“While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” RSA wrote on its blog, “this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.”

As of 2009, RSA counted 40 million customers carrying SecurID hardware tokens, and another 250 million using software. Its customers include government agencies.

RSA CEO Art Coviello wrote in the blog post that the company was “confident that no other … products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.”

The company also provided the information in a document filed with the Securities and Exchange Commission on Thursday, which includes a list of recommendations for customers who might be affected. See below for a list of the recommendations.

A company spokesman would not provide any details about when the hack occurred, how long it lasted or when the company had discovered it.
If you read what RSA’s Chairman said in his note he doesn’t detail if the hackers bypassed RSA’s security or how they bypassed it. I wonder if they (RSA) were using their own SecurID product to protect access to their internal networks? Gee, that’d be embarrassing if they were. Heck, it’s even more embarrassing if they weren’t! I wonder if we’ll ever be told?

Of course, if you’d prefer an alternative, there’s always Quest Defender.

Friday, March 04, 2011

Gartner on UNIX Security and the New sudo

This is the title of Mark Diodati’s (Gartner/Burton) latest blog post on Unix security and sudo. I wanted to highlight a few things from his concluding paragraph:
It’s a smart move for Quest, and it is good for enterprises that leverage sudo. It opens up sales opportunities for Quest and other UNIX security vendors (e.g., Novell, CA, Centrify, Cyber-Ark, BeyondTrust [previously Symark], and Fox Technologies) to sell into sudo-centric environments. Quest obviously gets “first mover” advantage. Enterprises will acquire practical centralized policy management without changing the user’s experience. When the time is right, the enterprise can leverage the UNIX security product for its other capabilities.
  1. “Enterprises will acquire practical centralized policy management without changing the user’s experience.” This is really important. Sudo 1.8 is completely backwards compatible with previous versions of sudo. Preserving the user’s experience was job #1.
  2. Like I said in my last post, I wonder how quickly “other” UNIX security vendors will jump on board the sudo 1.8 plugin architecture. That would certainly validate our efforts wouldn’t it? (And our leadership and vision if I may be so bold to say that)
  3. “It’s a smart move for Quest”. Yes, we agree. Let’s not forget that it’s also a smart move for UNIX/Linux customers to begin looking, and we hope eventually using, the sudo 1.8 plugin architecture.
These architecture changes in sudo 1.8 really set up sudo “for the task for large scale UNIX security deployments”.

What is the killer feature in Sudo 1.8?

Here's a link to an interview that Todd Miller did while he was at SCALE. I like Todd's response to this question:

What would you say is the killer feature of this new release?

Todd Miller:  The "killer feature" in sudo 1.8 is dynamically loaded modules.  This makes it possible for third parties to write sudo plugins that implement custom security policies and logging of command input and output.  There are a number of root access control packages out there, both Open Source and commercial.  The plugin support makes it possible for users accustomed to using sudo to continue using it even if they want/need to use different security policy for root access.  All that is required is a plugin that can assess the security policy and determine whether the user is allowed to run the command.

Personally, I am going to be very interested to see how long it takes companies and Quest competitors to jump on this band wagon and offer plugins...

Wednesday, March 02, 2011

Sudo 1.8 Brings Pluggable Policies to Root Access Control

This is the title of an article by Joe Brockmeier that just appeared in ServerWatch. Joe “gets” what Todd Miller is trying to achieve with the 1.8 version of sudo:
We're all familiar with the venerable utility Sudo, but its feature set hasn't kept up with what many companies want for root access control. Specifically, Sudo has lacked support for policy plugins and advanced logging features. There have been a number of proprietary tools that either replace or enhance Sudo for root access control (RAC). But who wants to have to buy an add-on if you can get the features you need as part of the native toolset that comes with your *nix?
There are many, many, many companies that leverage sudo in their day-to-day operations. Most of these companies – certainly the ones that have more than 10 or 20 *nix servers to maintain – struggle with consistent management of their sudo policy files and how to do effective logging. That’s exactly why Todd has implemented “pluggability” in sudo 1.8. I can’t help but agree with Joe with respect to one of his other observations:
Previously, those features (policy management and session logging) were the domain of proprietary RAC (root access control) tools. And Sudo 1.8 doesn't mean that companies have no opportunity to offer services on top of Sudo, but it does mean that they don't need to replace it entirely -- and shops have the option of writing their own plugin or using open source plugins. During his talk, Miller said several open source plugins are in development. No doubt quite a few open source plugins will be contributed that fit the needs of many companies, and if not you could turn to vendors like Quest, which offer add-ons for Active Directory and other proprietary features.
Joe plans on writing more about how to take advantage of these plugins. I’m looking forward to it!


Monday, February 28, 2011

Extending Unix Command Control with Sudo 1.8–slides and software release

Slides from Todd Miller’s presentation at SCALE 9X on “Extending Unix Command Control with Sudo 1.8” have been posted to the sudo website. In addition, sudo 1.8, the latest release of sudo, which adds support for dynamically loaded policy and I/O logging modules, was released yesterday and is available on the sudo website now. My estimate is that we had about 100 people that came to Todd’s talk and Matt Peterson’s demo. Not only was the session very interactive with lots of questions from the audience but there was also quite a lot of appreciation for Quest’s sponsorship of the project and this effort.

Here's Todd Miller presenting sudo 1.8 at SCALE yesterday...


Saturday, February 26, 2011

Can't attend SCALE? Watch sessions streamed live!

In case you can't get to SCALE in Los Angeles this weekend you can watch the keynotes and sessions via live streaming. Details below...
Saturday’s SCALE 9X kicks off with Leigh Honeywell’s keynote on ‘Hackerspaces and Free Software’ at 10 a.m. in the La Jolla room, for those of you at the show. The keynote will be streamed live. To watch the keynote, visit

The other sessions on Saturday will be streamed live by ConferenceByWire, a video-conferencing and video content distribution solution that brings live and on-demand conferences and conventions directly to one's computer.

Non-keynote sessions will be streamed at


Thursday, February 24, 2011

Quest Software Continues Contribution to Open Source Community Through Sponsorship of the Sudo Project

We just issued this press release, which further reiterates our capabilities and plans around sudo:

ALISO VIEJO, Calif., Feb. 24, 2011
  • Quest Software, Inc. (Nasdaq: QSFT) has taken another step to expand its contribution to the open source community around identity and access management with sponsorship of the Sudo project.
  • The open source Sudo project will release version 1.8 of Sudo, which allows a system administrator to delegate authority and give certain users (or groups of users) the ability to run some (or all) commands as root or another user. The newest version includes a new pluggable framework that makes it possible to add extended functionality simply by loading a module. As an open source project, the API is available for anyone who wants to develop new modules that can plug into Sudo.
  • Quest will offer a free community edition and two commercial editions of Quest One Privilege Manager for Sudo, adding further capabilities in identity and access management through the Quest One Identity Solution.
  • Quest One Privilege Manager for Sudo Community Edition targets Unix administrators who want an easier way to manage sudoers, the default Sudo policy file. Using the community edition, Unix administrators will be able to have all their Sudo clients retrieve a policy from a central policy server, eliminating the need to maintain and distribute a master copy of sudoers to each client. The community edition includes a new module that plugs into Sudo 1.8 and a central policy server.
  • The commercial editions will include additional features to help Unix, Linux and Mac administrators extend and enhance their Sudo environment.
  • Quest One Privilege Manager for Sudo provides enhanced centralized sudoers management. It is a module that is pluggable into Sudo 1.8 to secure the corporate Sudo experience. It provides role-based access control and separation of duty features for centrally managing Sudo policy. It increases productivity by providing tools to run pre-installation readiness reports and remotely deploy Sudo plug-ins. It also simplifies auditing by providing a Sudo access control report to see which users have been granted which elevated privileges via Sudo.
  • Quest One Privilege Manager for Sudo Keystroke Logging enables administrators to easily add central keystroke logging and reporting to Sudo. It is also a pluggable module for Sudo 1.8, and delivers a simple way to enable, gather, store, and play back keystroke log sessions for Sudo.
  • Included with the commercial offering is the Quest One Management Console for Unix, which provides centralized management and reporting of local Unix/Linux users and groups, and now acts as the management console for the Quest One Sudo plug-ins.

Todd Miller, maintainer of the open source Sudo project and Software Developer at Quest Software
“Sudo has come a long way over the past 15 years, and is now available on most Unix and Linux systems. As a result, I often receive requests to add new functionality, not all of which are suitable for inclusion directly in Sudo itself. By adding a modular framework to Sudo, it is now possible for third parties to extend Sudo's functionality via pluggable modules. These modules can be configured to load at run time so that, for example, Sudo can use an external policy server. I am excited to see how the open source community extends Sudo by building new modules as Quest has done.”

Jackson Shaw, Sr. Director of Product Management, Quest Software
“Quest greatly values the work of the open source community, and our commitment is demonstrated by our support of the Sudo project, as well as development of the plug-ins to support the new architecture. By sponsoring the Sudo project, Quest is enabling project maintainers to move Sudo a major step forward, while expanding Sudo’s relevance in the larger identity and access market. Most importantly, this ensures that Sudo will always remain a true open source solution.”
  • Sudo version 1.8 will be available for free on Feb. 27. Both source code and pre-compiled binaries can be downloaded from the main Sudo website:
  • Quest Privilege Manager for Sudo Community Edition is expected to be available Q2. It will be available for download at no charge. Quest Privilege Manager for Sudo Commercial Editions is also expected to be available in Q2. It will have two options available, with North American pricing beginning at $59 a module per server. A beta program is currently being conducted. Contact Jason Fehrenbach to join the beta program.
  • Learn more about the new version of Sudo and Quest Plug-ins from Todd Miller and Quest Software Identity and Access Management architect Matt Peterson at Southern California Linux Expo (SCALE) in Los Angeles, Sunday, Feb. 27, at 1:30 p.m. PST, in the Carmel room.
Talk To Us Directly:
We can arrange a quick phone conversation with our experts, or on-site interviews at SCALE, Feb. 25-27 – just ask! Or stop by booth 11 at the show.
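Todd Miller’s description (in the SCALE interview quoted earlier on this page) of a plugin that “can assess the security policy and determine whether the user is allowed to run the command”, and the press release’s community edition in which Sudo 1.8 clients retrieve their policy from a central policy server, both come down to one decision function. The C program below is an added example, not code from the sudo project or from Quest’s plug-ins: it models that decision against a constructed in-memory rule table (standing in for what a central policy server would hand the plugin) and formats the kind of record a logging plugin would keep. It does not use sudo’s real plugin header; an actual Sudo 1.8 policy plugin exports a `policy_plugin` structure whose `check_policy` callback sudo invokes with the command’s argv, and it would replace the table walk with a query to the policy server. All users, groups, hosts and rules here are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* One sudoers-style entry, as a constructed policy server might deliver it. */
struct rule {
    const char *who;      /* user name, or "%group" */
    const char *host;     /* host name, or "ALL" */
    const char *runas;    /* target user, or "ALL" */
    const char *command;  /* absolute path, or "ALL" */
    const char *args;     /* NULL = any arguments, "" = none, else exact match */
    bool allow;           /* false models a negated ("!") entry */
};

/* Constructed policy standing in for what a central policy server would hand
 * the plugin; not a real sudoers file. Later entries override earlier ones. */
static const struct rule policy[] = {
    { "alice",   "ALL",   "root", "/usr/bin/systemctl", NULL,            true  },
    { "%ops",    "web01", "root", "/usr/sbin/service",  NULL,            true  },
    { "%ops",    "ALL",   "root", "/usr/bin/systemctl", "restart nginx", true  },
    { "%ops",    "ALL",   "ALL",  "/bin/sh",            NULL,            false },
    { "%admins", "ALL",   "ALL",  "ALL",                NULL,            true  },
};

/* What sudo knows about the invocation when it asks the plugin to decide. */
struct request {
    const char *user;
    const char *const *groups;  /* NULL-terminated list of the user's groups */
    const char *host;
    const char *runas;          /* requested target user (sudo -u) */
    const char *command;        /* argv[0] resolved to an absolute path */
    const char *args;           /* remaining argv joined by spaces, "" if none */
};

static bool wild_eq(const char *pattern, const char *value)
{
    return strcmp(pattern, "ALL") == 0 || strcmp(pattern, value) == 0;
}

static bool who_matches(const char *who, const struct request *q)
{
    if (who[0] != '%')
        return strcmp(who, q->user) == 0;
    for (const char *const *g = q->groups; g != NULL && *g != NULL; g++)
        if (strcmp(who + 1, *g) == 0)
            return true;
    return false;
}

/* The decision a policy plugin returns: 1 = run the command, 0 = refuse.
 * Default deny; of the entries that match, the last one wins (sudoers rule). */
int check_policy(const struct request *q)
{
    /* Match the resolved absolute path only; matching on the basename would let any same-named binary satisfy the rule. */
    if (q->command == NULL || q->command[0] != '/')
        return 0;
    int verdict = 0;
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++) {
        const struct rule *r = &policy[i];
        if (who_matches(r->who, q) && wild_eq(r->host, q->host) &&
            wild_eq(r->runas, q->runas) && wild_eq(r->command, q->command) &&
            (r->args == NULL || strcmp(r->args, q->args) == 0))
            verdict = r->allow ? 1 : 0;
    }
    return verdict;
}

int decide(const char *user, const char *const *groups, const char *host,
           const char *runas, const char *command, const char *args)
{
    struct request q = { user, groups, host, runas, command, args };
    return check_policy(&q);
}

/* The record a logging plugin would keep, modelled on sudo's "user : ... ; USER=... ; COMMAND=..." syslog line. */
int audit_line(const struct request *q, int verdict, char *buf, size_t n)
{
    return snprintf(buf, n, "%s : HOST=%s ; USER=%s ; COMMAND=%s%s%s ; %s",
                    q->user, q->host, q->runas, q->command,
                    q->args[0] ? " " : "", q->args, verdict ? "ALLOWED" : "DENIED");
}

/* Constructed group memberships for the sample users. */
const char *const no_groups[]  = { NULL };
const char *const ops_only[]   = { "ops", NULL };
const char *const ops_admins[] = { "ops", "admins", NULL };

/* Evaluate one sample request and return its audit line (static buffer). */
const char *sample_audit(void)
{
    static char buf[256];
    struct request q = { "carol", ops_admins, "web01", "root", "/bin/sh", "" };
    audit_line(&q, check_policy(&q), buf, sizeof buf);
    return buf;
}

int main(void)
{
    puts(sample_audit());
    printf("bob /bin/sh on web01 -> %d\n", decide("bob", ops_only, "web01", "root", "/bin/sh", ""));
    return 0;
}
```

Two details are worth noting for anyone writing a real plugin: the decision is default-deny, so a rule table that fails to load yields no access rather than unrestricted access, and the command is matched on its resolved absolute path and, where a rule says so, on its exact arguments, which is where central policy management buys consistency that per-host sudoers files tend to lose.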
