Friday, July 30, 2010

CA takes cloud to new levels of fluffiness!

This caught my eye today: CA announced that they are executing on their cloud strategy with IAM to and from the cloud. So I decided to look through their press release and associated white papers and was both underwhelmed and amazed with the new height of cloud fluffiness that has been achieved. I would like to award their public relations team and external PR agency medals and trophies on the great, fluffy job they did. Was it done because you had to announce something at the Catalyst conference?
Today’s announcement includes the availability of new CA Identity Manager capabilities that extend identity management to cloud applications; it highlights how a customer has leveraged the CA SiteMinder portfolio to control access to its SaaS applications; and it features how CA Technologies is providing IAM as a service from the cloud.
What are these new capabilities, I asked? I started trolling around the website and looking at various documents, searching on the word “cloud”. What I came up with was that CA supports provisioning connectors to Salesforce.com. You can watch a demo of this incredible fluffiness here: http://www.ca.com/media/datacenter-of-the-future/secure1.swf

So, CA can provision to Salesforce.com. Congratulations guys! Job well done!! Is there any value add above provisioning and de-provisioning? Something that would actually be more than just adding or deleting users? Anything? Anything?

With a flashback to the famous “Bueller? Bueller? Bueller?” scene in Ferris Bueller’s Day Off I recorded this…


Thursday, July 29, 2010

Simplifying Unix User Management and Lifecycle

You can tell when I get super busy with my day job as my blog posts slow down. In fact, I’ve been so busy and traveling so much that I had to miss the Cloud Identity Summit last week – which I really wanted to attend – and I skipped The Burton Group Catalyst conference this week. However, I did get a picture of our Catalyst hospitality suite sent to me. It was Sinatra themed – check it out:


Earlier this week Quest announced the release of Quest Unix Identity Manager. This is a new product for us, and congratulations to the team that worked on QIMU. They really did a tremendous job. QIMU is a Java-based application that works from any browser and enables a Unix administrator to discover Unix servers and manage the user (/etc/passwd) and group (/etc/group) files on all the discovered machines. The best part is that QIMU is free. You can download it from http://www.freeunixiam.com or any of the popular shareware or freeware sites on the internet. QIMU is also the new administration console for Quest Authentication Services 4.0. The only difference is that with QAS 4.0 additional screens and functions are enabled.

So whether you use QIMU just for Unix user lifecycle management – for free – or to help manage your Active Directory integrated users via QAS 4.0 I hope you find QIMU useful.

Let me know what you think of QIMU!

Thursday, July 22, 2010

What are good security questions for resetting your password?

I picked up on this website from commentary on another blog and thought I would pass it on. I have had customers ask me this same question on numerous occasions when they are employing some sort of a self-service password reset product like Quest Password Manager, for example. The site is appropriately named: Good Security Questions. I like their approach to the problem of what a good security question is:
Thus, security questions have both benefits and liabilities. Poor questions create security breaches and confusion and cost money in support calls. Good security questions can be useful in the current environment, but are not common.
However, there really are NO GOOD security questions; only fair or bad questions. "Good" gives the impression that these questions are acceptable and protect the user. The reality is, security questions present an opportunity for breach and even the best security questions are not good enough to screen out all attacks. There is a trade-off; self-service vs. security risks.
So what is a good security question? Here’s their definition:
Good security questions have four common characteristics. The answer to a good security question:
  1. cannot be easily guessed or researched (safe),
  2. doesn't change over time (stable),
  3. is memorable,
  4. is definitive or simple.
An example of a good versus a not so good question would be “What was the name of the school you attended for Grade 6” versus “What was your high school name.” In this case, it’s a bit harder to research what school you attended in Grade 6 versus your high school which can easily be found on Facebook, Classmates.com or a number of other places.

This is an informative web site that can help you to determine what self-service password reset questions are the best for your organization. If you have or are planning on implementing a self-service password reset product I strongly recommend spending some time on the Good Security Questions website. It’s well worth it.

Tuesday, July 20, 2010

Choosing the Right Strong Authentication Option for Your Scenario


This webcast is happening today so if you can attend...

Webcast: Finding the Right Strong Authentication Option for Your Scenario
Date: Tuesday, July 20 11:00 a.m. EDT / 8:00 a.m. PDT

Strong authentication doesn't have to be very expensive, difficult to implement and hard to sell to users. That's because there's been an explosion in imaginative and exciting options, as well as convergence on important interoperability standards.

In this informative live webcast, Randy Franklin Smith will describe the wide variety of strong authentication options available today, and provide you with a detailed approach to help you zero in on the best choice for your organization.

Register today

Monday, July 19, 2010

Authentication crack could affect millions

A friend of mine brought this article to my attention a few days ago…
Researchers Nate Lawson and Taylor Nelson say they've discovered a basic security flaw that affects dozens of open-source software libraries -- including those used by software that implements the OAuth and OpenID standards -- that are used to check passwords and user names when people log into websites. OAuth and OpenID authentication are accepted by popular Web sites such as Twitter and Digg.
The researchers are going to disclose their results at the upcoming Black Hat conference in Las Vegas. Since both OAuth and OpenID are in use by major providers, and potentially by cloud services, it will be interesting to see how much of a stir their work causes.

Friday, July 16, 2010

IAM exam results so far: 9%


I just finished a customer tour in Calgary, Canada. I met three customers a day for three days. All significant customers. Of those 9 customers here’s what they were using for identity management in their environment:
  • Sun’s Identity Manager: 6 customers
  • Novell DirXML: 2 customers
  • Novell Identity Manager: 1 customer
The customers who were using Novell DirXML were looking to migrate to something else. Yes, they were using Novell DirXML – not Novell Identity Manager. The customer who was running Novell Identity Manager was quite happy with it and planned to continue to use it. The DirXML customers were migrating because they were migrating from Novell anyway. All the customers who were using Sun’s identity manager were unhappy and either had thrown out Sun or were in the process of finding an alternative. None of the Sun customers was looking at Oracle.

What were the common threads across these 8 customers?
  • We never progressed further than the proof-of-concept. We didn’t POC our whole environment and when we tried to expand the POC scope into production we failed. We never saw the ROI we were promised.
  • Every time we needed a change to the product we had to pay far too much.
  • Everything required too much care and feeding to ensure the product was working.
  • We needed specialized talent to keep it running.
  • The consultants treated Active Directory as if it was only an LDAP directory. They did not understand Active Directory.
  • Every time we need to change the structure of Active Directory we had to pay to re-code all of the scripts that were written.
  • I was paying more in maintenance and re-programming the product than the cost of hiring a few people to do it manually. So I hired some staff and threw the product out.
This was a great illustration to me of how far our little industry segment needs to improve. None of these customers were trying to do anything fancy. They had fancy plans originally, but they were failing on basic provisioning or password management and were never able to progress further. It also further reinforced my view that there’s a great opportunity for a solution that doesn’t require a couple of busloads of consultants to get it (and keep it) running. A solution that delivers immediate value. A solution that customers are happy to have. A solution that is my dream…

Thursday, July 15, 2010

I have nothing to show after spending $7M and they’ve asked for $20M more…

Let that sink in for a second. This is what a customer said to me regarding their failed IDM initiative. You can imagine the look on my face when he said that. No, it’s not the first time I’ve heard an IDM horror story of that magnitude. I’ve heard of a few bigger ones. But just the same, it’s incredible. The customer didn’t want to go into a lot of details about what happened but here are a few things he shared with me. He reports to the CIO so while quite senior he’s not real technical:
  • I fired all of their consultants when I realized I knew more about Active Directory than they did. I asked him if that was because the consultants were 3rd party partner consultants or if they were from the IDM company. He said “from the IDM company”. To me, this was incredible. These guys still do not know that Active Directory isn’t just an LDAP directory? That it’s more than data – it’s Exchange, it’s SharePoint, it’s OCS, etc?
  • When they acquired a company they migrated the people and data from the merged company’s Active Directory forest into their Active Directory forest. When they did that they restructured Active Directory and the IDM product stopped working. Everything was hard-coded to the previous structure of Active Directory. That was a several million dollar “re-do” right there.
  • The product was “free”. So it was attractive to management. It was also picked by looking at the Gartner magic quadrant. If it is in the top-right hand quadrant it had to be good, right? I guess it wasn’t the “magic” he was expecting.
We could all arm-chair quarterback this deal. Why doesn’t he kick them all out now and start over? Why did he let it go on this long? Who knows?

All I can say is it has always been my goal to get to a point where customers do not have to spend millions upon millions of dollars to implement an identity and access management solution. This is something many of us at Quest Software have been working on for a long time now. The acquisition of ActiveEntry from Voelcker is one of the steps forward in that strategy. I want customers to remember Quest as that company that helped them realize their identity and access management vision without costing them their careers.


Monday, July 12, 2010

Quest Software acquires Voelcker Informatik AG, a leading identity management company based in Germany


I’m really pleased to pass on this news to everyone! We’ve been working very closely with Eckhard Völcker and his team in Germany for quite some time now and I’m really proud to announce that he and his team have agreed to join up with Quest and to help further our foray into the identity and access management market.

Voelcker’s ActiveEntry product simplifies identity management and compliance for large organizations through its comprehensive solutions, which include:
  • Identity Management
  • IT Compliance Automation
  • IT Service Delivery
The fact that ActiveEntry is more than a provisioning or identity management product is one of the key attractions to this solution from my perspective. Another key attribute to ActiveEntry that I like is the fact that it is such a dynamic and easy-to-use product compared to many of the other frameworks that are available today. It has been German-engineered to be easy to integrate with and already supports integrated modules like its "IT Shopping Cart". This is extremely important to Quest. We already have a robust identity and access management portfolio of products and being able to integrate those products into the ActiveEntry platform will be very important and a key work item for us moving forward.

This is an exciting time! We'll be disclosing our road map plans and more details on product integration and direction later next month. As things progress I'll continue to blog what I can so stay tuned.

Once again, I'd like to welcome all the people at Voelcker Informatik to the Quest family!

Friday, July 09, 2010

Quest Authentication Services 4.0 – Auditing, Alerting and Change Tracking

I mentioned in my previous post that one of the new capabilities in QAS 4.0 is auditing, alerting and change tracking. I thought I would give you some further information on this benefit. The best part is that auditing, alerting and change tracking is included with QAS 4.0 at no additional charge.


Q) Why would someone care about auditing, alerting, and change tracking in an AD bridge solution?
A) When organizations make the key decision to integrate Unix with Active Directory they expand the scope and strategic importance of Active Directory. As a result it is critical to provide visibility into the Unix-centric data, which is now managed by AD. Authentication Services 4.0 addresses this challenge by delivering the ability to audit, alert, and show detailed change history of this Unix-centric information being managed by Active Directory.
Without these capabilities AD bridge administrators are either blind to any changes made to Unix-centric information managed by Active Directory or are forced to implement/purchase a 3rd party solution, if one even exists.

Q) How does Authentication Services’ audit capabilities compare to other solutions?
A) This is a unique and critical differentiator for Quest. There are several competitive vendors in the AD bridge space but no vendor except Quest can offer these benefits as an integrated and included component of its AD bridge solution.

Q) How much does the audit capabilities of Authentication Services 4.0 cost?
A) There is no additional cost for audit, alerting, and change tracking. It is considered a new feature of Authentication Services 4.0 and is available to new customers, and to existing customers that upgrade to the 4.0 product, as part of their existing relationship with Quest.

Q) How does Authentication Services 4.0 handle the licensing for alerting, audit, and change tracking?
A) Quest Authentication Services 4.0 includes a special license key for Quest ChangeAuditor 5.0. When this license key is added to ChangeAuditor it unlocks a number of unique, Authentication Services-specific events.

Q) How does integration with ChangeAuditor work – technically?
A) Change Auditor 5.0 has been enhanced to support dozens of new events related to Authentication Services and Unix-centric information stored in Active Directory. When the provided license key is added these Authentication Services-specific events are unlocked and made available in the Change Auditor console.

Q) What are some sample use-cases for the ChangeAuditor functionality?
A1) Imagine that an organization is using Active Directory Group Policy to manage Unix systems and specifically has a policy that permits a Unix system administrator to access every Unix machine. If someone edits this Group Policy and, for example, grants additional users this access, Authentication Services can now provide immediate visibility into these changes. An alert can be generated; organizations can audit who made the change, when, and from where; and a detailed history of what the policy was before and after the change can be provided.
A2) For any number of compliance initiatives assume an organization needs to be able to prove it has control over its Unix-centric data in Active Directory. With this new functionality an organization can now alert, audit, and show change history for events such as Unix systems being joined to AD, AD users or groups being ‘Unix enabled’, or even changes to NIS data stored in Active Directory.


Thursday, July 08, 2010

Quest Authentication Services 4.0 – The leading Active Directory bridge product

We just released Quest Authentication Services 4.0. We’ve been shipping QAS since 2003 and this major release is a significant milestone with respect to the new capabilities we’ve engineered into the product. What are some of these new capabilities?
  • Detailed Auditing and Alerting: Consolidating Unix data into Active Directory is just part of the picture. Authentication Services 4.0 solves the challenge of how to audit, report and alert on who makes changes to critical Unix data that is now stored in Active Directory. Version 4.0 includes award winning functionality to deliver full visibility and change alerting into who made changes, to what, when, where, and even why.
  • Web-based Administrative Console: Effective management is essential when integrating Unix with Active Directory. The new web-based administration console dramatically simplifies deployment, expands management to local Unix users and groups, provides granular reports on key data and attributes, and streamlines the overall management of the Active Directory Bridge product from any web browser.
  • One-time Password Authentication: Easily add another layer of security in situations that require it, for example when deploying Unix systems to tightly controlled network environments (e.g., a DMZ). With new functionality included in Authentication Services 4.0, Active Directory users can be required to authenticate to Unix systems with a One Time Password. Everything that is required for an out-of-the-box solution comes with 4.0, including hardware and software tokens, PAM modules, Group Policy management capabilities and end-user licenses.
  • Freeware Administrative Console: The administrative console is available free-of-charge to any organization wishing to take advantage of its local Unix user and group management capabilities.
  • Advanced Management: Support for the flexible scripting of PowerShell, additional ADUC integration, and automated configuration tools.
  • Group Policy: Group Policy functionality expands to include macro support, which enables a single GPO to be re-used across multiple Unix systems. In addition Mac OS X Group Policy support keeps pace with the latest OS from Apple (OSX 10.6 Snow Leopard).
  • Privileged Account Management: Authentication Services 4.0 includes optimized integration with Quest Privilege Manager for Unix. Solve Unix security initiatives that need to control which users can access which system and what elevated rights they have. For example use Active Directory group memberships and Group Policy for streamlined management tasks.
We’ve talked with hundreds of customers, partners and analysts over the last twelve months and much of their input is included in this release. We’ve got a lot more to come over the rest of 2010 – stay tuned!

Tuesday, July 06, 2010

Why is there a man in my browser?

If you are not familiar with “man-in-the-browser” attacks you should read this article.
Malware integrating itself into a victim's Web browser is nothing new. Increasingly however, these man-in-the-browser attacks are being used to successfully bypass authentication mechanisms used by online banking sites, according to a security researcher.
If you think a one-time password (OTP) token protects you from MITB attacks you are wrong. Smartcards – in many cases but not all – can protect against MITB attacks. If you are in corporate security you cannot ignore this either. This is not just about on-line banking! A MITB attack can be used to try to fool privileged users in your corporation into giving up passwords, or even into downloading files to the administrator's workstation that would give the man in your browser access to privileged passwords.

Use a privileged account management product – like Quest’s Privilege Manager for Unix or ScriptLogic’s Privilege Authority and wash that man out of your browser.


Sunday, July 04, 2010

Happy 4th of July

Updated: Is Apple the new Ministry of Information?


I continue to read the amazing posts over at Kim Cameron's blog on privacy related to Apple and their use of your "non-personal" information. I cannot help but think how farcical it all is and how Apple is beginning to remind me of the Ministry of Information in Terry Gilliam's movie Brazil.

The question I have is who will be our Sam Lowry?

Update: Kim has a follow-up post on an article by Todd Bishop posted on TechFlash - "Microsoft identity guru questions Apple, Google on mobile privacy".




Thursday, July 01, 2010

Protecting Active Directory administrative accounts

Another good article in InfoWorld -“How many enterprise admins is too many?” – that is well worth the read. I’ve been doing a lot of reading and talking to customers over the last 6 months or so on the topic of privileged account management and there’s a lot to be worried about in this area. In this article the author gives some good advice on protecting your Windows admin accounts:
  • Enterprise admins should not be logged on for surfing the Web, picking up email, or any other task that doesn't require enterprise admin abilities
  • All admin user accounts should have long passwords, 15 characters or more – or, even better, they should be protected by smartcards
  • Use dedicated admin workstations for domain or enterprise admins
  • Use third-party software that helps companies manage elevated accounts
With phishing attacks constantly on the rise it’s a good idea to review what you’re doing with your privileged accounts. The attackers on the outside are getting to be more of a risk than internal attacks. You need to be well locked down for both.
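As an added example (my own script, not from the InfoWorld article or any Quest product), here is a PowerShell audit that turns the advice above into a checklist you can run against your own domain: it counts the members of the highest-privilege groups, including nested membership, and flags admin accounts without smartcard logon, with stale or non-expiring passwords, or with a mailbox (a heuristic I am assuming indicates the account is also used for day-to-day email). It assumes the RSAT ActiveDirectory module on a domain-joined machine; the 90-day threshold is an assumed review value, not an AD default.

```powershell
# Added example, not from the article or Quest: audit privileged AD group membership
# against the advice above. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

# Nested membership counts: a user in a group that is itself a member of
# Enterprise Admins is still an enterprise admin, so expand recursively.
$privGroups = @('Enterprise Admins', 'Domain Admins', 'Schema Admins', 'Administrators')
$maxPasswordAgeDays = 90   # assumed review threshold, not an AD default

$findings = foreach ($group in $privGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties `
                 SmartcardLogonRequired, PasswordLastSet, PasswordNeverExpires, `
                 mail, LastLogonDate

        $issues = @()
        # Advice: protect admin accounts with smartcards. Password length cannot be
        # read back from AD, so smartcard enforcement is the checkable proxy here.
        if (-not $u.SmartcardLogonRequired) { $issues += 'NoSmartcard' }

        # A password that never rotates is a long-lived target for phishing reuse.
        if ($u.PasswordNeverExpires) { $issues += 'PasswordNeverExpires' }
        elseif ($u.PasswordLastSet -and
                ((Get-Date) - $u.PasswordLastSet).Days -gt $maxPasswordAgeDays) {
            $issues += 'StalePassword'
        }

        # Heuristic (assumption): an admin account with a mailbox is probably also
        # used for email and web browsing, which the article advises against.
        if ($u.mail) { $issues += 'HasMailbox' }

        # Disabled accounts left in privileged groups are clutter that hides real admins.
        if (-not $u.Enabled) { $issues += 'DisabledButStillMember' }

        [pscustomobject]@{
            Group          = $group
            SamAccountName = $u.SamAccountName
            LastLogon      = $u.LastLogonDate
            Issues         = ($issues -join ',')
        }
    }
}

# Headcount per group: the "how many is too many" question.
$findings | Group-Object Group | ForEach-Object {
    '{0}: {1} direct or nested user members' -f $_.Name, $_.Count
}

# Accounts that contradict at least one piece of the advice.
$findings | Where-Object { $_.Issues } | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

Dedicated admin workstations cannot be verified from AD attributes alone; correlate the LastLogon column with logon events from your domain controllers to see where these accounts actually sign in.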