Wednesday, January 28, 2009

Would you replace your domain controllers with Samba?

Samba gets closer and closer to being able to act as an Active Directory domain controller. Would you use an open-source alternative? Here's the thread that sparked this post:

"Enterprise networks now have an alternative choice to Microsoft Active Directory (AD) servers, with the open source Samba project aiming for feature parity with the forthcoming release of version 4, according to Canberra-based Samba developer Andrew Bartlett. Speaking at this year's linux.conf.au Linux and open source conference in Hobart, Bartlett said Samba 4 is aiming to be a replacement for AD by providing a free software implementation of Microsoft's custom protocols. Because AD is 'far more than LDAP and Kerberos,' Bartlett said, Samba 4 is not only about developing with Microsoft's customization of those protocols, it is also about moving the project beyond just providing an NT 4 compatible domain manager."

I guess the potential gotcha here is the fact that "AD is far more than LDAP and Kerberos". That's certainly true.

Q: Could Samba 4 replace an AD domain controller?
A: Possibly, probably.

Q: Would an enterprise use Samba 4 exclusively without deploying a Microsoft-based AD domain controller?
A: I'm doubtful they'd want to take the risk. After all, AD pretty much "just runs". Imagine the business impact of the Samba 4 DCs blowing up and the pressure to "get them fixed". Yikes.

Q: Would an enterprise want to deploy an all Samba 4 DC-based enterprise?
A: I guess that depends on what Microsoft would say if you called in with a problem. What would they answer? Call Samba? (Where did I put that number...?)

Q: Would third-party AD-vendors support Samba 4 DCs with their tools?
A: Wow, that's a good question. Would Quest? I guess it depends if lots of customers started asking we'd be forced to. If not...

Q: Would small businesses use a Samba 4 DC-only environment?
A: Makes more sense in an SMB environment.

Microsoft has built a lot of value around Active Directory - like Exchange. Any company wanting to drop it entirely would need to be very careful and really evaluate their overall use of Microsoft products. I can see some edge cases where it might make sense but, in general, I don't see why you would. (OK, sure, SMB is not really an edge case but what SMB doesn't also want to run Exchange?)

Technorati Tags:
, , , ,

Tuesday, January 27, 2009

Managing the Mac with Group Policy and Preference Manifests

A few weeks ago I posted about how we are doing more and more work with Apple's Mac OS X. This is a follow-on post to that one...

Quest Authentication Services (QAS) version 3.5 includes new support for managing Mac OS X systems and applications through Microsoft's Group Policy. One unique aspect of this functionality is the ability to manage Mac applications using preference manifest files. Preference manifest files provide a standard way to expose application settings to centralized management systems like Workgroup Manager. Apple provides preference manifest files for all of the Mac's configurable system settings. Apple encourages 3rd party software developers - like Quest - to provide preference manifest files with their applications.

QAS leverages this infrastructure to allow you to manage Mac-specific settings centrally in Microsoft Group Policy. Using the Microsoft Group Policy Management Console editor, you can configure Mac application settings which are applied using the Group Policy framework built-in to QAS. The graphic below shows all of the preference manifest policies that ship with QAS by default.


Each policy is configurable according to the settings described in the preference manifest file. For example, the preference manifest for Screen Saver exposes the six settings shown in the next graphic below. In this example, Screen Saver has been configured to require a password. When this GPO is applied to a Mac system running QAS, the configuration will be propagated to the Managed Client application which will reconfigure Screen Saver to prompt for a password.

QAS uses the information in the preference manifest to produce an appropriate user interface to configure each setting. Additional preference manifest files can be loaded into the Group Policy Management Editor at runtime allowing you to customize the set of policies.

Some applications, such as Microsoft Office for Mac, do not provide preference manifest files. However, since preference manifest files follow a simple XML format it is easy to create or customize them. As an example of custom preference manifest files, QAS comes with a set of preference manifests for managing Microsoft Office. Some of the settings for Microsoft Word which can be configured with QAS are shown below.



Using custom preference manifests, you can manage an unlimited number of applications and settings on the Mac. Support for preference manifest files is a unique feature of QAS demonstrating the commitment to standards-based interoperability that has always been at the core of Quest Authentication Services.

We've had awesome customer interest in the way that we're supporting Apple's preference manifest files due to the flexibility it enables. It seems like we've struck a chord. If you're interested in more information about preference manifest files can be found on Apple's developer website here.

Technorati Tags:
, , , , ,

Monday, January 26, 2009

Entrust, wake up and smell the coffee!

Quest sells a two-factor authentication product called Defender. Entrust also sells two-factor authentication products. Defender supports OATH complaint tokens so our customers can purchase tokens from us or any vendor who supplies OATH compliant tokens. Entrust supports OATH compliant tokens too, but they don't want customers using Entrust tokens with anything other than Entrust software...

You are expressly prohibited from using and agree not to use Entrust Tokens with any other manufacturer's verification or identification software even if the Entrust Tokens may interoperate with such other manufacturer's verification or identification software.

What's even better is how Entrust touts their support of OATH!

...the Entrust IdentityGuard Mini Token OE supports the OATH algorithm for broad, open-standard compatibility.

Wow. Forget about standards. Forget about interoperability. Long live vendor (Entrust) lock-in. Yes, that's exactly what I told the prospect who was looking at Defender and Entrust. We're open. Entrust only wants to appear open.

Get with the program guys.

Technorati Tags:
, , , , , ,

Wednesday, January 07, 2009

Apple's Rising Mac OS X Tide

Apple Inc.'s Mac OS X posted a record gain that brought it close to a 10 percent share for the first time...

What the heck? When did that happen? I knew that Apple's share was increasing but this InfoWorld fact took me by surprise. That certainly explains why more and more companies that I've been meeting with are asking about integrating their now officially supported Mac OS X machines into their Windows environments.

Then I was reading ComputerWorld's "Juicy Predictions for '09" and caught this one, too:

Apple will be a big winner in 2009 with products such as the iPhone and the Mac. With Exchange integration built into the iPhone and promised for the Snow Leopard release of OS X, Apple is poised to make some strong business inroads. -- Michael Gartenberg, Computerworld columnist and vice president of mobile strategy at Jupitermedia Corp.

The Mac has truly swung from being the office joke to becoming a serious part of many corporations infrastructure. Even when the Mac is not officially supported it tends to be officially tolerated. It was amazing at Quest how quickly we adopted support for the iPhone once our company president started using one - in addition to his MacBook.

Quest Software pioneered the integration of Unix and Linux systems with Active Directory and were also the first to extend Group Policy's benefits and capabilities to these platforms. For a number of years we have supported Mac OS X but in the last few months we have really beefed up our support in, what I consider are, ground breaking ways.

The basic concepts of what we do for Mac OS X are spelt out in this new white paper: Managing Macs in a Windows World

Over the next couple of weeks I'm going to give you a deeper dive into the investments we've been making to support this more present platform. Stay tuned!

Tuesday, January 06, 2009

SaaS Realities

There an intersting article on software as a service (SaaS) in the latest issue of ComputerWorld that you should check out. It's interesting to me because one of the virtual panelists (Daniel Wakeman, CIO of Educational Testing Service) stated that it was a "huge shortcoming" that SaaS vendors do not embrace federated identity management standards allowing centralized identification and validation of users via a single sign-on process. In particular, this comment stuck out:
We have to manage the identities of our employees at multiple SaaS providers. We can't say that this employee has terminated and automatically shut him off from all the systems he has access to.
Wakeman has hit the nail on the head. SaaS will only complicate security, audit and compliance if it doesn't effectively address identity management. As he points out, supporting federated identity management would go a long way to addressing those issues...

N.B. The online article, for whatever reason, totally omits the question that lead to this quote: "Is security an issue?". This is the second question in the print edition that appears on page 21 of the January 1, 2009 "Forecast 2009" issue of ComputerWorld.

Technorati Tags:
, ,

Thursday, January 01, 2009

2009 Predictions and Prognostications

Happy 2009 one and all!

I'm not going to make predictions on specific technologies or sub-markets within identity management for 2009. I know that many of my colleagues in the blogosphere will be making those predictions so I thought I'd blog about how the downturn in the economy is going to affect identity management at a more macro level instead. So here goes...

Do More With Less (employees, consultants, temporary staff)

Layoffs abound. Predictions are that for 2009 we will see even more. The one thing that I do know is that companies turn to technology to automate even more when staffing gets tight or when layoffs happen. The proverbial "do more with less" term will be bandied about until things turn around.

What does that mean for identity management? Well, in my mind it comes down to operational efficiency. How can you continue to effectively perform all of the tasks that your group has been asked to do with less people? Well, first thing you do is prioritize your tasks and stop doing the lowest priority set of tasks. Second thing you do is look at the rest of your tasks and see how you can automate them. So my first prediction is we will see an uptick in identity management software revenues for products that specifically help to automate tasks (e.g., provision) or help cope with reduced staffing levels (e.g., self-service).

Expect to see consultants get the axe too. Those are easy bottom-line savings for many executives to make. Tough times for consultants unless they are working on projects that have a very clear trajectory to reducing costs or increasing revenues. I've been in the room when the exec asks the question: "Choose between employee layoffs or cutting consultants." I've never seen managers jump up to volunteer their own staff first.

Tough Times for Venture Capital-backed Firms

Ugh. I'd hate to be at the helm of a VC funded company right now. Why? Generally speaking, the VC guys only invest in a company because they see a way to exit with more money. Most VCs hope for at least a 10X exit strategy. Invest $50 million and exit with $500 million. Not bad for a few years work. Problem is in this economy the multiple (10X) that a VC can expect gets compressed downwards. Companies that are acquiring are smart and they say "Well, your revenues are down, and we simply aren't going to pay you 10X. We'll pay you 2X." Or, if there are no buyers out there and the company needs more VC funding the VC will either say "Forget it, we've already put too much in" or they'll say "Sure, but rather than increasing our stake by 10% for that extra $5 million we will increase our stake by 40% for that extra $5 million."

The net effect is that VC funded companies are going to see a lot of pressure for results (i.e., revenue, new customers) in 2009 in order to get an exit or to get more funding. IPO? Forget about it. There's a double whammy to be aware of, too: Many VCs - especially in the IDM arena - count on the financial vertical as their early adopters. Well, in case you've been living under a rock, those guys are in trouble and that will mean less sales or reduced revenues coming from that vertical. So my prediction is that we'll see more VC backed companies disappear, get desperate or get discouraged in 2009.

Remember when things get tough - as is happening right now - start looking for a seat in the lifeboat now. And remember that there are never enough seats in the lifeboat...

Here's some of the 2009 predictions and 2008 reviews that I've noted:

Dmitry's PowerBlog - Happy New Year

Ian Yip's Security and Identity Thought Stream - Wrapping up 2008

Jeff Bohren's - Seasons of Change

Mary-Jo Foley's - What will - and won't - Microsoft do in 2009?

Photojojo's - 120 of 2008's Most Amazing News Photos

Sahaa's - 2009-2010: Predictions about Identity and Privacy Management

Technorati Tags: