Thursday, October 19, 2006

Got a sec for IPSec?

I've been doing a lot of thinking about IPSec recently. It's one of those "features" built into Windows servers that many people don't know much about and what they do know generally falls into the bucket of "it's hard".

Has anyone out there been thinking about using IPSec? Or, maybe you are using IPSec? If so, I'd like to understand what for. Is it for server isolation? Is it for domain isolation? Is it for Active Directory domain controller isolation? If you are using it are you also using it for data integrity? In other words, are you using it to encrypt your network traffic?

Microsoft has a lot of good documents and information about IPSec that can be found here and here. Microsoft characterizes the benefits of IPSec as follows:
  • Additional security. A logical isolation defense layer provides additional security for all managed computers on the network.
  • Tighter control of who can access specific information. By using this solution, computers do not automatically gain access to all network resources simply by connecting to the network.
  • Lower cost. This solution is typically far less expensive to implement than a physical isolation solution.
  • An increase in the number of managed computers. If an organization's information is available only to managed computers, all devices will have to become managed systems to provide access to their users.
  • Improved levels of protection against malware attacks. The isolation solution significantly restricts the ability of an untrusted computer to access trusted resources. For this reason, a malware attack from an untrusted computer will fail because the connection will not be allowed, even if the attacker obtains a valid user name and password.
  • A mechanism to encrypt network data. Logical isolation makes it possible to require encryption of all network traffic among selected computers.
  • Rapid emergency isolation. This solution provides a mechanism to quickly and efficiently isolate specific resources inside your network in the event of an attack.
  • Improved auditing. This solution provides a way to log and audit network access by managed resources.
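To make the server-isolation and domain-isolation cases above concrete, here is an added example (not code from the original post, and not Microsoft's own sample) of the two connection security rules an administrator would create, plus the checks that show whether traffic is actually being protected. It assumes the NetSecurity PowerShell module that ships with Windows 8 / Windows Server 2012 and later (the post predates those cmdlets), an elevated session on a domain-joined host, and rule names chosen for this example.

```powershell
# Added example: domain isolation and server isolation with Windows IPsec.
# Assumes the NetSecurity module (Windows 8 / Server 2012+) and an elevated
# PowerShell session; rule and set names are chosen for this example.

# Phase 1 (main mode) authentication: computer identity via Kerberos, so
# only domain-joined (managed) machines can negotiate a security association.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1   = New-NetIPsecPhase1AuthSet -DisplayName "Isolation - Machine Kerberos" `
                                      -Proposal $proposal

# Domain isolation: REQUIRE authentication inbound, so an unmanaged computer
# cannot open a connection even with a valid user name and password; only
# REQUEST it outbound, so managed hosts can still reach printers and other
# devices that do not speak IPsec. Authentication only, no encryption.
New-NetIPsecRule -DisplayName "Domain Isolation" `
                 -Profile Domain `
                 -Mode Transport `
                 -InboundSecurity Require `
                 -OutboundSecurity Request `
                 -Phase1AuthSet $phase1.Name

# Server isolation for a sensitive server: require authentication in both
# directions and require ESP encryption of the payload as well, which is the
# "mechanism to encrypt network data" benefit in the list above.
New-NetIPsecRule -DisplayName "Server Isolation - Encrypt" `
                 -Profile Domain `
                 -Mode Transport `
                 -InboundSecurity Require `
                 -OutboundSecurity Require `
                 -RequireEncryption $true `
                 -Phase1AuthSet $phase1.Name

# Verification: the security associations actually negotiated are the ground
# truth. No main-mode SA with a peer means that peer is not authenticated;
# no quick-mode SA means its traffic is not being protected.
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA

# Auditing: turn on the IPsec negotiation subcategories so successes and
# failures land in the Security event log for review.
auditpol /set /subcategory:"IPsec Main Mode"  /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
```

The Require/Request asymmetry is the usual rollout choice: it blocks unmanaged machines from reaching managed ones while letting managed machines keep talking to devices that cannot do IPsec. Roll out with `-OutboundSecurity Request` and `-InboundSecurity Request` first, confirm from the SA listings and audit events that every expected peer negotiates, and only then switch inbound to `Require`.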

Sounds great, right? If so, how come more people aren't using it? Let me know what you think.




Wednesday, October 18, 2006

Halifax - Old, New, Hip!

Arrived in Halifax on Monday evening (Oct 16) for my very first visit. Aside from the connection of living in Seattle - another port city - my mother's family is all from Newfoundland and I spent four years in the early '70s growing up in Chatham, New Brunswick so the salt in my blood seemed excited as I exited the airport and breathed in the salt air.

The Quest office here in Halifax overlooks the harbor and has a truly incredible view. I'd love to spend a couple of weeks here in the summer! We cut out of the office a bit early to head out to Peggy's Cove which is a very famous tourist hot spot here. It's also where the memorial to Swissair Flight 111 is located. Click the picture below if you want to check out the pictures I took while we were there.

Halifax is an old town by North American standards. It was founded in 1749 by Edward Cornwallis and has been an important port city in Canada, North America and the World. So, I was wondering why - as I was walking around on the waterfront - the buildings weren't old. If you've ever been to an old port city like Quebec City, Boston or Lower Manhattan you can see old buildings that are 200-300 years old. Well, a quick Google and I found out why: On December 6, 1917 two ships collided in Halifax harbour, one carrying about 2,600 tons of various explosives. After the collision the ship caught on fire, drifted into town and eventually exploded. More than 1,900 people were killed and much of downtown Halifax was destroyed. An evaluation of the explosion's force puts it at 2.9 kt. Hence, most of the buildings located on the harbour front and downtown aren't even 100 years old yet!

An interesting side note for Beantown friends: Boston responded with so much aid and compassion that to this day the City of Halifax sends the City of Boston a Christmas tree that is put up at Prudential Center. Maybe you've seen it?

I went to dinner on Tuesday night at Salty's which - of course - overlooks the harbour (no, I'm not spelling "harbor" incorrectly, that's how it's spelt up here in the Great White North!). Then, wandered over to the Halifax Casino and played Texas Hold'em to the wee hours.

The reason for my visit was to meet up with the R&D folks here in our office to get a preview of some of the new products that are coming out and make some decisions on packaging and pricing. I was pretty amazed at what we are working on in the areas of group policy, compliance and security. Next year we are going to release some awesome new products. Watch out for them! I'll probably blog more about them as we get closer to RTM - no need to give our competitors any advance notice, eh?! Oh, and kudos to the team here - they're doing a great job and definitely passionate about their work.

I'm off to Ottawa tomorrow morning to meet with folks in our offices there. Same story: review progress on product development, R&D and talk to the sales and marketing folks that are located there...

More soon.


Monday, October 16, 2006

Those lucky trout!

Spent the past weekend in Montana. It's so incredibly gorgeous. Two views of the Coeur d'Alene River included below. All I can say is those trout are very, very lucky... I have to believe this is the equivalent of a penthouse condo in New York City with a view of Central Park for trout.

Off on another whirlwind part of the reality tour: Halifax, Ottawa, New York City and closing out this leg in San Jose. I'm going to do my best to try to meet up with McGraw-Hill while I am in NYC - they were quoted in my earlier post titled "The Truth about Federated Identity Management".

Enjoy the pics...

[Two photos, captioned "From Montana"]

Friday, October 13, 2006

At least Ping is taking off

Happy to see that Ping got some more funding. They're head-first in the federated identity space that I mentioned in yesterday's blog entry. The eco-system is growing but is it fast enough?

DENVER, CO – Oct. 11, 2006—Ping Identity Corporation, a provider of Internet-scale identity technology for enabling secure business collaboration, having just completed a record quarter in sales and new customer wins, today announced the completion of a $13 million Series C financing. Appian Ventures of Denver, Colorado led the round, with full participation from existing investors Draper Fisher Jurvetson, General Catalyst Partners, Fidelity Ventures, SAP Ventures and I-Vent.

Thursday, October 12, 2006

Ray, I never knew you but thanks...

Ray Noorda passed away a couple of days ago. I never met him but I sure knew of him and many friends of mine worked with Ray in the beginning days of Novell. I've had a number of momentous intersections where his influence affected me...

#1 - I started a new job in 1989 at IDRC and my first task was to evaluate LAN technology from Novell, 3COM and Banyan and make a recommendation on what we should buy - we went with Banyan VINES - but that's when I first really started to get into what Novell was about. To this day Novell still gets directories and how a directory can be an enabling force. More so than any other vendor out there.

#2 - When I was with Zoomit in the mid-'90s we ported our Banyan VINES products over to Novell's UnixWare, sold three copies of our fledgling precursor to our metadirectory product and promptly had the rug pulled out from under us when Novell sold off UnixWare. It was Craig Burton - a Ray Noorda disciple - who told us in 1997 that we had to build our metadirectory product (Zoomit VIA) on Microsoft. Of course, that ended up leading Microsoft to acquire us in 1999. Kim Cameron, my old friend and our VP, Technology at Zoomit, is still an architect at Microsoft running the identity show and working hard on InfoCard/CardSpace.

#3 - When I left Microsoft in February 2005 I joined a small company based in Utah called Vintela. They were backed by Canopy Ventures which Mr. Noorda founded. Vintela was acquired by Quest Software in July 2005.

Even though I never met Mr. Noorda my life has been influenced by him.

Thanks, Ray.


The Truth About Federated Identity Management

"It doesn't matter if you have a telephone. It only matters if someone you want to call has a telephone."

Sarah Scalet wrote a great article in CSO Online about federated identity management that you can find here. She talks about why Aramark implemented federation and why it hasn't really gone anywhere past their initial internal implementation. She makes some great points - I especially like her comment about "history being littered with supposedly revolutionary communications methods that sputtered and failed from too few adopters".

There are still lots of problems and issues that folks need to think about before they kick one of these projects off. Sarah's article goes into a lot of these issues including the competitive standards that are out there (SAML and WS-Federation), security paranoia and the hunt for the Holy Grail of computing: single sign-on.

The story's not all doom and gloom since she also has written in some great overviews of what Aramark, Boeing, Fifth Third Bank, McGraw-Hill and others are doing. But, the moral of the story is to make sure you understand what you are getting into and the business benefits (and risks) of federated identity management.

The question I have is where are the early adopter programs for federation from IBM, Microsoft and the other players? Where are the compelling scenarios and their solutions that would get us excited to jump on the band wagon? Who is helping to get the pump primed? Where's the eco-system?!

I get the distinct feeling that B-2-B federation is going to be limited to very specific scenarios (i.e., manufacturers and their suppliers) where the big buyer calls the shots...


Speaking of reality...

I got back last night from a press tour. I was with Steve Dickson who is the VP of the Windows Management division at Quest and who I report to. I kept joking with him that it was great to be "friends of Steve" so I could share in the limo rides to and fro. When I'm on my own I get schlepped around in cabs like everyone else.

Spent Tuesday in Denver where the weather was worse than Seattle and snow was threatened in the forecast. Have you ever been anywhere in the world on the first day that it snows after spring, summer and fall have finally slipped away? Well fortunately that didn't happen on Tuesday because if it did pandemonium would have ensued with all the folks who forget that 4-wheel drive doesn't make you invincible. Anyway, I digress. Tuesday was great. Started the day off meeting my old friend John Fontana at a great coffee shop called "The Garage". He and I go back to my days at Microsoft and he is one of the few reporters out there who is technical enough to get it. John wrote a nice article about what we're up to. If you're interested you can find it here. From there, we drove up to visit with Penton Media in Loveland, CO. Penton publishes Windows IT Pro Magazine, SQL Server Magazine and a host of other great mags. I met with Karen Forster and her fine team of folks. Great crew, great visit, great lunch and a bunch of great story ideas I need to follow up with Karen on. Then it was off to the airport to fly to San Francisco.

Wednesday in San Francisco was beautiful. No snow showers in the forecast fortunately. First meeting was with Neil McAllister from InfoWorld. I'd never met Neil before but he's clearly a sharp guy and covering cool stuff around Open Source, Linux and infrastructure. We were then whisked over - by limo, of course - to Coupa Cafe in Palo Alto to meet another old friend, Dave Kearns who writes the Identity Management newsletter for Network World. Great coffee, free wireless and more Macs than I have ever seen in one spot at Coupa Cafe. Said bye to Dave and we were off to the airport homeward bound for Seattle...

Come on in, the water's fine!

OK, OK. After almost two years of procrastinating I'm blogging. Are we having fun yet?!

I expect I'll make the usual spelling, HTML, legal, moral and whatever other mistakes everyone makes in the blogosphere so mea maxima culpa in advance. Oh ya, I promise I'll try to post fairly frequently in case anyone is actually reading my drivel. Speaking of drivel, what am I going to be blogging about anyway? Well, as the title states this will be pretty much about identity management, Active Directory and my travels around the world meeting with customers, partners and companies who are actually doing it.

I'm hoping to bring to you a bit of the reality of what's going on out there in these two important areas. I work for Quest Software and get the opportunity to travel the globe on their nickel to do this so why not expand my trip reports to include you too?

If you actually stumble across this please say "hi" so I know I'm not alone out here...