Monday, December 17, 2012

Samba 4.0 released - The First Free Software Active Directory Compatible Server is now available! …So what?

I’ve just read two articles over at ZDNet about the Samba 4.0 release:

Samba 4 released, brings Free alternative to Active Directory

Samba 4 is now slated for release on November 27

…and my reaction was literally: So what?

Samba has been around for years and they’ve been integrating with Windows from the beginning. So now they’ve just announced that they’ve landed on the moon, but all of our eyes are pretty much focused on Mars at the moment. It’s truly an amazing engineering feat ladies and gentlemen.

What do I mean? Well, having an Active Directory plug-compatible, non-Windows server might have been interesting 5-7 years ago but today it’s not. I’m not sure if anyone’s heard but many companies are extending to the cloud and that includes to Office 365. Samba 4’s “free alternative to Active Directory” is way too late to the party.

And, while I am on free I can just imagine the laughter coming from Microsoft’s support centers when some customer calls in with a problem they have with Samba 4’s Active Directory behavior. You get what you pay for ladies and gentlemen.

Oh, a small business might be interested in it? You’re kidding, right? A small business would be far more interested in using Office 365 or using Google than having the expertise to stand up a Samba 4 server.

Who cares?

Tuesday, August 21, 2012

Is seven USC’s lucky number or will they crap out?

USC just had their sixth data breach since 2006 according to this report. This one exposed confidential information of 34,000 people in the College of Education.

No evidence has been found that the hackers have accessed or used any information on the server, but USC has sent notifications to everyone in the database to place fraud alerts on their credit files, school officials said.

One would have thought that after perhaps the second or third breach at USC they’d figure out they needed some serious help and serious introspection. Will there be a seventh? If there’s a seventh and heads don’t roll you can be assured that someone came up lucky.

There’s not enough detail to even guess at what the security issue or problem may have been. During the same month there was another security breach related to credit card data at USC cafeterias and dining halls. I’m not sure why both weren’t reported at the same time since they both happened the same month.

This kind of reminds me of all the scams that people fall for and they’d say that they’d get calls from all kinds of scammers after they fell for one or two scams. I wonder if USC has become a target of Internet scammers because they aren’t doing enough to secure their systems and now appear like an easy target?

Let’s hope there isn’t a seventh report in the making. Remember, seven is only lucky on your first roll in craps – every other roll and a seven craps you out…

Monday, August 20, 2012

Quest One & Data Governance

Today we released Quest One Identity Manager – Data Governance Edition. I’m particularly excited about this release because it is built on Quest One Identity Manager and is based on a very scalable and capable identity infrastructure.

By being based on Q1IM we get to leverage all of the capabilities of our underlying identity management platform like data synchronization, provisioning, workflow, segregation of duties, reporting and, most importantly, a common user interface for users of either product.

Some of the other key features include:

  • Restricted Access – Define access policies for your organization to ensure that sensitive unstructured data is only accessible to approved users. Quest One locks down sensitive data such as files, folders and shares across NTFS, NAS devices and SharePoint.
  • Data Owner Assignment – Determine and assign the appropriate owner of data for all future access requests by evaluating usage patterns and read and write access.
  • Simplified Auditing – Identify user access to enterprise resources such as files, folders and shares across NTFS, NAS devices and SharePoint to provide key information during audit preparations. 
  • Automated Access Requests – Use built-in workflows to automatically direct access requests from the request portal to the appropriate data owner. Approved requests are automatically and correctly fulfilled, with no burden on IT.
  • Access Verification – Ensure that only approved users have access to specific resources, including those who have left the organization or department or whose roles have changed. Quest One enables you to monitor user and resource activity, and configure and schedule a recertification process for data owners to verify and attest to employee access.
  • Personalized Dashboard – View trends, historic and current data access activity, and attestation status on a personalized dashboard with reports that can be used to prove compliance to auditors.

More information about Quest One Identity Manager – Data Governance Edition can be found here.

Wednesday, August 15, 2012

The Answer to Verification and Authentication?

I tweeted a very interesting article by Dan Raywood titled “A question of verification and authentication.” It’s a good article and I certainly recommend reading it. There’s a comment in the article from Richard Law, CEO of GB Group that reminded me of something. His firm’s verification technology is used as a third-party solution to verify users by retailers, banks and gambling websites.

The system it built in 2004 verifies 13 million people a year and its vision is to verify anyone anywhere in the world at any time and to be a true enabler of online business.

Law said that if an instance were to arise where GB Group became the trusted issuer, it would have to convince everyone to give them their data and it would issue a token that would be verifiable to them.

For some reason my memory bank spit out that what we might need has already been predicted in the movie “The Forbin Project.” A supercomputer that controls our identity data and can positively verify us. But, I’m positive that would never come to happen. Would it?

Law’s technology would take 536 years to verify the world’s population at 13M per year. It just goes to show you that we have a Colossus of a project on our hands and we haven’t really even started to or tried to verify identities that are outside of the developed world.

This problem will never go away. Just because we have fire insurance doesn’t mean there will never be a fire. The same goes for identity verification. We have to accept the fact that no matter how much insurance we put around identity we’ll never prevent 100% of identity theft or misuse of identity.

In the United States most banks still issue credit cards without chips. Why don’t they move to a more verifiable, more secure platform for transactions? The cost of doing nothing hasn’t exceeded the cost of the fraudulent transactions. Who needs fire insurance if you have enough money to re-build and you don’t care about the damage you incur due to the fire?

Monday, August 13, 2012

Cloud complications sinking security?

Any solution that claims security, but moves identities and credentials off premise is a security risk.

A wise statement from SecureAuth co-founder Garret Grajek in his blog commentary on the Mat Honan affair. It rang a bell with me based on some research I’ve been doing since last year on this topic:

Why aren’t customers deploying federation for access to cloud services that support federation?

Answers:

  1. Federation is complicated and we don’t have the expertise (or want to get the expertise) to manage it.
  2. We want “one throat to choke” if there’s a problem. “I don’t want to call the cloud provider to have him tell me it is Microsoft’s ADFS and call Microsoft to have them tell me it is the cloud provider or some other piece of my infrastructure.”
  3. Password synchronization is something we already do and are comfortable with. (A variation of #1)

I think Garret’s blog post gives a good overview of why #3 above is an issue. I’ll say it can be especially concerning if it is your Active Directory password that is being synced to multiple cloud properties.

Another bit of good advice:

An enterprise needs to retain the “keys to the kingdom” by (1) Retaining the identities (2) Conducting the authentication (3) Federating the identity and (4) Logging the Access for secure cloud usage.

Couldn’t agree more about giving away the keys to the kingdom! And I know many companies are behind here – especially when it comes to logging & auditing.

Wednesday, August 01, 2012

Will third time be the charm for DropBox?

So it’s the second time that DropBox has been hacked. Lots of coverage about the hack which came to my attention here. I hope everyone remembers the previous hack from last year.

Now DropBox is adding two-factor authentication after the horse has bolted from the barn – twice. Will there be a third hack?

After last year's embarrassing data breaches, Dropbox promised to implement additional safeguards "to prevent this from happening again." Whoops, it just happened again.

DropBox is an excellent product. I use it. I really like it for probably the same reasons you guys do but I continue to be amazed that cloud-based apps don’t come out of the box with two-factor as an included – preferably for free – feature. I mean even supporting something like Symantec’s VIP token would be a plus and not hard to add. (I know, we’ve added it to our Webthority product)

This simply reinforces two things:

  1. Despite all of the surveys that say people are concerned about cloud security the vendors (aka YOU the product managers at these companies) aren’t listening.
  2. Simplicity, coolness and ease-of-use will continue to trump security. (i.e., People like me who know better are using the product without enhanced security)

Oh, I wonder if the users who were hacked have mentioned to their employers that perhaps some of their data was compromised? Yah, right.

The company also said that one of those stolen passwords was used to access a Dropbox employee’s account, which contained a project document with user email addresses.

Where’s my cloud compliance solution…? Is it possible to prevent this from happening again? What’ll happen if (when?) this happens a third time to DropBox? Does your company have a written policy about the use of cloud-based file sharing solutions? What is the air speed velocity of an unladen swallow? (This last question is to see if: a) you have read this all the way thru; b) you know Monty Python; and, c) you get the fact that cloud security is verging on being a great Monty Python skit)

Tuesday, July 31, 2012

Compliance In The Cloud Era–New Pressures

Interesting article in Information Week going over the results where they surveyed 422 business technology professionals about compliance. Not surprising one of the top technologies identified to aid in compliance was identity management.

[Image: survey graphic from the Information Week article on cloud use and compliance]

The image above – from the article – is interesting. A whole 6% of businesses will use the cloud regardless of compliance concerns. The other 94% of the businesses – according to the graphic – either won’t put data in the cloud that is subject to compliance or need to assure themselves that they’d remain compliant. I hate to be glass “half-empty” but one could read that as 94% of respondents won’t risk the cloud for data subject to compliance.

With all of the hype around privileged account management it is interesting to see that there are nearly no vendors that support PAM for cloud service providers. Also, the same goes for both discovery of data in the cloud that might be subject to compliance regulations (e.g. an Excel spreadsheet with social security numbers in an Office 365 document) and data loss protection (DLP) solutions.

So either a lot of companies (i.e., more than 6% noted in the graphic) are just doing it or they are leveraging private clouds. But, if they are leveraging private clouds they still have issues managing privileged accounts and discovery/DLP.

Yes, the cloud is generating new pressures.

Monday, July 16, 2012

Yahoo’s Unbelievable Lapse

Well, the title in this article says it all and if you’re like me you probably still can’t believe it.

The error that led to the breach of nearly half a million user passwords from Yahoo was so basic, that the security expert who first spotted it didn’t  believe it. “When I first looked at it, I thought it was fake because there’s no way Yahoo would store 450,000 passwords in the clear”

That being said, I’ll remind everyone that Google had a similar faux pas in 2008. For a quick refresher on that incident check out my blog entry from then: http://jacksonshaw.blogspot.com/2008/09/google-age-and-single-sign-on.html. And, as quoted then:

As an industry we shouldn’t be making the kinds of mistakes we made 15 or 20 years ago.

Well, it seems we’re still making those kind of mistakes. What Yahoo allowed to happen is not only unbelievable but unconscionable. There’s a good article on creating strong passwords but does having a strong password really matter if the password is stored in clear-text on a back-end server somewhere? If some of this doesn’t push us to better use and better integrate two-factor authentication into our lives I am not sure what will.
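To make the point concrete, here is an added example (my own illustration, not code from the post or from Yahoo) contrasting a cleartext password table with a salted, iterated PBKDF2-HMAC-SHA256 store, using only the Python standard library. The users and passwords are constructed sample data; with the cleartext design a database dump hands over every password as-is, however strong, while with the hashed design the same dump yields only salts and digests that must be cracked one user at a time.

```python
import hashlib
import hmac
import os

# --- Design 1: cleartext storage, the pattern the Yahoo breach exposed ---
# The stored table *is* the secret: anyone who dumps it has every password.
def cleartext_store(users):
    """users: dict of username -> password. Returns the table exactly as stored."""
    return dict(users)

def cleartext_verify(store, username, password):
    return store.get(username) == password

# --- Design 2: salted, iterated hash (PBKDF2-HMAC-SHA256) ---
ITERATIONS = 100_000   # work factor; raise as hardware gets faster

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)   # per-user random salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())

def verify_password(record, password):
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:          # malformed record: treat as a failed login
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)

def hashed_store(users):
    return {name: hash_password(pw) for name, pw in users.items()}

def hashed_verify(store, username, password):
    record = store.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not reveal
        # which usernames exist.
        hash_password(password, salt=b"\x00" * 16)
        return False
    return verify_password(record, password)

# Constructed sample data (not real accounts)
SAMPLE_USERS = {"alice": "correct horse battery staple", "bob": "hunter2"}

def demo():
    """Compare what a dump of each store reveals, and that the hashed store still works."""
    clear = cleartext_store(SAMPLE_USERS)
    hashed = hashed_store(SAMPLE_USERS)
    leaked_clear = list(clear.values())     # what an attacker gets from design 1
    leaked_hashed = list(hashed.values())   # what an attacker gets from design 2
    return {
        "cleartext_dump_reveals_passwords": "hunter2" in leaked_clear,
        "hashed_dump_reveals_passwords": any("hunter2" in r for r in leaked_hashed),
        "hashed_verify_ok": hashed_verify(hashed, "bob", "hunter2"),
        "hashed_verify_wrong": hashed_verify(hashed, "bob", "Hunter2"),
        # same password, two users: different salts give different records
        "same_password_distinct_records": hash_password("x") != hash_password("x"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```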

In the meantime, I’ll go and change my Yahoo password…


Tuesday, July 03, 2012

There’s a lot of 10 year Active Directory anniversaries happening

I spend a lot of time talking to customers. I wish I could spend more because you really do get a view into their world, their problems and their priorities. My uber-goal is to try to amalgamate those customer visits and see trends that provide me insight into the overall market.

One trend that I have started to see is the number of customers that have been telling me that their Active Directory design and architecture is more than 10 years old and they’ve decided it’s time for an overhaul.

Do you remember what we were all first told by Microsoft about Active Directory security architecture? Here it is: “A domain is the security boundary in AD.” Then, we were told: “Ooops, a domain isn’t the security boundary in AD. A forest is the security boundary.” So what ended up happening is a lot of companies – especially banks and multi-nationals – architected and deployed their Active Directory with multiple forests. Now the “ooops” has come back to haunt them.

Many companies have found that managing multiple forests is a pain in the butt. What’s worse is that with the advent of the cloud and things like federation and Office 365 there are scenarios where having multiple forests really, really complicates things. So many customers are working at reducing the number of forests in their environment and also reducing the number of domains while they are at it. In fact, I met one multi-forest, multi-national bank that simply decided to start over from scratch: They set up a brand new single forest and are migrating over to it. (Aside: that same customer already had 5, yes 5, IAM platforms in use. Amazing!)

Is it time for your 100,000 mile/10 year engine overhaul? If so, we have a great tool to help you called Quest Migration Manager for Active Directory. It has 10 years of experience helping customers through these exact scenarios.

The Sad World of Passwords: Is X.500 the answer?

Martin Kuppinger commented on both John and my posts on this topic. Martin, as usual, added some pretty good meat to the discussion. There’s a couple of points I wanted to emphasize that I thought were particularly important:

  • We also know that user acceptance is key to success

This is possibly the #1 issue to security in general. It has to be easy for the user. Ever forget your car keys somewhere? Have to go downstairs to get your wallet so you can get your credit card number to complete an order on a machine upstairs? That type of inconvenience is difficult to overcome around security. I am not convinced that NFC is the panacea here either. I’m sure it’ll be awesome if you happen to have your NFC device at-hand, charged and ready to go.

  • Trust frameworks will be dealing with the complexity of having many IdPs

Hmmm, communication between multiple IdPs? Maybe we’ll need to have a master IdP in each country responsible for “chaining” these transactions to lower-level IdPs and communicating between country-level IdPs? Might we need referrals between these IdPs? What about caching? Shades of X.500!

Yes, I remember how successful X.500 was: At the Interop conference in Atlanta in 1995 an attendee came up to me at the Zoomit booth and said: “How do you speed up things 500 times?” That’s when I knew it was time to move on.

Yes, this will be complicated…

Monday, July 02, 2012

Vulnerability in SCEP? Watch out mobile devices!

Mark Diodati over at Gartner just blogged about a vulnerability in the Simple Certificate Exchange Protocol.

This vulnerability—when combined with two additional pieces of information—enables an attacker to impersonate another user when enrolling for an X.509 certificate.

This is pretty significant because many portals are using SCEP to enroll mobile devices. A certificate is downloaded to the mobile device (usually) after the end-user has authenticated for the first time with the device to the corporate portal. This enables the corporate portal and sometimes Active Directory to start managing the device. It’s a big deal for Bring Your Own Device (BYOD) and it is a big deal around security generally even if you aren’t concerned about BYOD.

Many organizations rely upon certificates for mobile access to the internal network, email, SharePoint, virtual desktops, web applications—you name it. The attacker can impersonate an authorized user and gain unauthorized access to these applications.

This is just another reason why step-up or adaptive authentication is an important aspect of security. Same goes for adaptive authorization once you’re in.

We can no longer rely on a one-time challenge for entry thru the castle walls. We must build in multiple layers of security that force different methods of authentication at different times while you are in the castle. You want to access the treasure room? Who are you again?

It won’t be enough “to perform better user proofing prior to certificate issuance” as Mark says. That will help but we are all going to need to get used to more “Halt! Who goes there?” challenges even after we get thru the castle door.

Counting Quest Defender Tokens

A customer wrote a PowerShell script to perform this task. I’ve cut and pasted the PoSh script from his original post below in case you’re interested…

Thank you Mr. Torr!


#------------------------------------------------------------------------
# Author: Darin Torr
# Contact: darin@colorado2cambodia.com
#
# This script connects to the Quest Defender Reporting Console, then parses the XML
# to extract token license counts and e-mails the results
#
# Current Version: v1.1
# Version History
#
# 5/06/2012 - v1   - Initial Revision.
# 5/06/2012 - v1.1 - Added html and xml file cleanup on report server
#------------------------------------------------------------------------

# // Uncomment this once (as the account that will run the script) to create the
# // encrypted password file read further down
#$secureString = Read-Host -AsSecureString
#ConvertFrom-SecureString $secureString | Out-File C:\encrypted.txt
#$secure = Get-Content C:\encrypted.txt | ConvertTo-SecureString

# // Clean up any old xml and html files left over from previous report runs
$reporthtml = "C:\Program Files (x86)\Quest Software\Defender\Defender Report Console\downloads\html\*.html"
$reportxml  = "C:\Program Files (x86)\Quest Software\Defender\Defender Report Console\downloads\*.xml"
if (Test-Path $reporthtml)
{
    Remove-Item $reporthtml
}
if (Test-Path $reportxml)
{
    Remove-Item $reportxml
}

# // Change to reflect your server name
$url = "http://server/cgi-bin/d5dsslicensereport.exe?mode=0&xsl=d5licensereport.xsl"
# // Create the request
[Net.HttpWebRequest] $req = [Net.WebRequest]::Create($url)
$req.Method = "GET"
$req.Timeout = 600000 # = 10 minutes

# // Set if you need a username/password to access the resource.
# // ConvertFrom-SecureString without -Key uses DPAPI, so the file can only be
# // decrypted by the same user on the same machine that created it.
$secure = Get-Content C:\encrypted.txt | ConvertTo-SecureString
$UserName = "domain\username"
# // HttpWebRequest.Credentials expects a NetworkCredential, not a PSCredential
$cred = New-Object System.Management.Automation.PSCredential($UserName, $secure)
$req.Credentials = $cred.GetNetworkCredential()

# // Read the report XML from the page
[Net.HttpWebResponse] $result = $req.GetResponse()
[IO.Stream] $stream = $result.GetResponseStream()
[IO.StreamReader] $reader = New-Object IO.StreamReader($stream)
[string] $output = $reader.ReadToEnd()
$reader.Close()
$stream.Close()
$result.Close()
[xml]$defxml = $output
# // -Fragment gives just the <table>, so it can be embedded in the mail body below
$final = $defxml.defender_license.desktop_license | Select-Object Type,Assigned,Allocation | ConvertTo-Html -Fragment

function SendMail
{
    # Mail variables - change to suit your environment
    $EmailFrom = "who@ever.com"
    $EmailSubject = "Daily Defender Token Count"
    $smtpServer = "relay"
    $SendTo = "you@yours.com"
    $date = (Get-Date -Format "MM-dd-yyyy")

    $mailmessage = New-Object System.Net.Mail.MailMessage

    ############## MAIL BODY #############
    # Update body with any text and variables you want
    ######################################

    $body = @"
<html><body lang="EN-US" link="blue" vlink="purple">
<div style="font-size:10.0pt;font-family:tahoma,sans-serif;color:#595959">
<p><b>Defender Token count as of $date</b></p>
<div style="font-size:10.0pt;font-family:tahoma,sans-serif;color:black">
$final
</div>
</div>
</body></html>
"@

    # Mail info
    $mailmessage.From = $EmailFrom
    $mailmessage.To.Add($SendTo)
    $mailmessage.Subject = $EmailSubject
    $mailmessage.Body = $body
    $mailmessage.IsBodyHtml = $true
    $SMTPClient = New-Object Net.Mail.SmtpClient($smtpServer, 25)
    $SMTPClient.Send($mailmessage)
}
SendMail

Tuesday, June 26, 2012

The Sad World of Passwords

Some commentary on John Fontana’s recent article on this topic. First, I wanted to give John some credit for saying (below) that the basic structure is to have a trusted identity provider but, as he states, there is still a single point of failure argument.

The very basic structure is to have a trusted identity provider (IdP) that vouches for you when other sites -known as relying parties - go looking for your authentication credentials. Nearly every site gets out of the password game - LinkedIn, eHarmony, Last.fm, etc. etc. and the number of IdPs shrinks to four or five major sites.

Yes, there is a single point of failure argument, but liability contracts are the incentives IdPs have to protect your data. Protecting your identity will be their core competency as opposed to holiday cheese balls and wrapping paper.

An interesting analogy of this was my drive into Seattle today. It’s June 26 and it’s 56F and raining. What a crappy day for summer. But, as I was crossing the 520 bridge, there was a mature bald eagle sitting on a light pole just above the road. What a sight to behold. Unfortunately, I think we are going to be in 56F and raining weather (passwords) for a while with the occasional bald eagle (IdP) seen in-use to brighten our day.

Secondly, I wanted to state that passwords aren’t dead. Until every IdP is SUPER EASY to install and operate passwords and password synchronization will live long into the future. And yes, there will ALWAYS be the potential for a single point of failure. How do you protect against that? Redundancy and protecting the keys to your kingdom with two-factor authentication (like Quest Defender).

And finally, let’s not forget that in order to use an IdP in this brave new world your application must be written to support (federated) claims. No re-write required for password synchronization or to continue to use in-app passwords.

I agree with John that it is time to change the movie but few seem to be ready to pay another admission charge. At least not at the moment.

Wednesday, June 20, 2012

Compliance and Office365

My fascination with compliance issues and Office365 is not abating. A few months ago I blogged about a data breach at the State of Utah. I was doing a bit more research about this breach and the fact that Utah’s Governor fired the State’s CIO over the breach, and it got me thinking more specifically about Office365: Is there a capability to enforce “at-rest” encryption of data stored in Office 365?

As far as I can tell from all the documents I’ve read there is no “at-rest” encryption of data except potentially within e-mail. I did download Microsoft’s “Security in Office 365” whitepaper and didn’t find anything that really addressed at-rest encryption but the whitepaper was written in June, 2011 so perhaps things have changed since then. Apparently you can copy RMS/IRM protected files to Office365 but that seems rather hackish and not subject to a general policy like “everything in Office 365 must be encrypted.”

So in a situation like what happened in Utah there’d be no difference if the data was stored in Office365.

More on this topic later – like maybe a punch list of what a customer might want for compliance.

Monday, June 18, 2012

Half our audit findings are identity related!

Last week I met with a big bank in Manhattan. We spent a morning talking about privileged account management, identity and access management and what the bank was trying to achieve.

One of the most interesting data points they raised was that they have approximately 1,600 audit findings that they are working on. The most interesting point was that of the 1,600 approximately half of them were directly related to identity. The bank employs over 200 people who are responsible for cleaning up these audit findings so one could assume that there are 100 people or so working on the identity side of the audit issues. Another interesting tidbit was that this was pretty much in reactive mode related to the findings. They were trying to fix the findings but figuring out WHY something happened was extremely complex in their environment. Furthermore, after figuring out the why they then had to implement processes to ensure the problem was prevented in the future. Needless to say they are having some pretty difficult times coping with the problem.

Now obviously a large bank can’t be compared to what everyone else might experience but it does speak volumes about how much compliance is driving people crazy – and driving firms to spend big bucks to fix it. Imagine the cost of having 200 people doing nothing other than fixing compliance issues.

Also, not that I want to get into the fray with Nishant Kaushik and Kim Cameron on governance but I have to say, as Kim titles his blog entry: Governance is key. But, as Kim states:

they (identity and access management products) continued to require extensive manual intervention by security experts to coax ”compliant” behaviors out of them

I am going to be a more-than-just-interested party sitting at the sidelines watching how this develops. Office 365 is a great use case. It’s new and it’s not like Kim (and therefore Microsoft) don’t know the issues that companies like the bank I visited are facing.

How Microsoft solves this problem for Office 365 is going to be very, very, very interesting indeed.

Friday, June 15, 2012

Re-using Defender tokens

[Image: photo of the customer’s sign]

Great example of a customer that is re-using their Defender tokens. One of our guys stumbled across this sign while visiting them in their Manhattan offices. We don’t know if the customer is recycling their BlackBerry’s or…

I just returned from a few days in Manhattan and have a couple of additional posts I want to get out about my visit.

1. The high cost of compliance.

2. Re-engineering 10-year old Active Directory architectures.

Stay tuned.

Wednesday, May 09, 2012

Trust, but verify!

There was an interesting article related to cyber attacks targeting natural gas pipelines. I think the interesting aspect of the story is how the basis for the attack is e-mails that look like they come from co-workers and may very well include relevant personal details.

Analysis shows that the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the emails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.

Some attackers have become so sophisticated in their efforts that they research known employees on Internet social sites and then craft an e-mail that appears to come from someone who is known to the intended target.

Spear-phishing attacks are efforts to get employees to click on e-mail attachments.

Generally speaking I sure hope that people aren’t blindly opening attachments just because an e-mail appears to come from someone they know. Everyone does realize that it is possible to fake an e-mail’s from address, right?

In my previous post I mentioned the data breach that occurred in Utah based on a weak password that was used. Both of these events highlight the need for a privileged account management product like Quest One Privileged Password Manager. It’s not enough to simply rely on an e-mail looking like it comes from a friend or co-worker. You need multiple levels of protection in your organization to protect your critical data and systems.


Tuesday, April 10, 2012

Utah Breach Shows Vulnerability of Health Records - NYTimes.com

The same week that I am reading about the NSA building a big facility in Utah there's a data breach in Utah...

"Eastern European hackers have stolen personal records for 780,000 people in the breach of a computer server in Utah...Hackers were able to breach the servers by exploiting a technician’s weak password."

And this is definitely a hack that could have been avoided if the proper procedures were followed for configuration of their server according to the article. Personally, I'd go further and take the reliance off of manual procedures and eliminate weak passwords through the use of a privileged account management product like Quest One Privileged Password Manager. Why bother leaving this to manual procedures that may be "forgotten" as happened in this case?

Privileged Password Manager ensures that when administrators require elevated access, that access is granted according to established policy, with appropriate approvals, that all actions are fully audited and tracked and that the password is changed immediately upon its return. It’s a secure, compliant and efficient solution to the age-old “keys to the kingdom” problem. Privileged Password Manager is deployed on a secure, hardened appliance.

Friday, March 09, 2012

IETF explores new working group on identity management in the cloud - Computerworld

Great article on the SCIM (simple cloud identity management) specification that you should read. The key paragraph to note is:

"Momentum for SCIM is going to be key," Land says. "We've got Google, Webex, VMware all saying that they've got it ready to go. You'll see a lot more of the smaller vendors, the middleware guys, build products with SCIM. Towards the end of 2012, we should start seeing implementations of SCIM within the enterprise."

I talked about this in my previous post on the topic “SCIM, PEX and what the parrot saw”. Momentum is exactly what I am hoping to see in 2012. Which companies will adopt it and release support for SCIM in their product? Salesforce.com? Google? Webex? VMware? Any of those 4 would be great. All of those four would be awesome! Customers will ask us to support those platforms for sure. But it is pretty doubtful customers will ask us to support Ping Identity, Courion, UnboundID or SailPoint.

I’m not a complete Doubting Thomas on this topic (sorry, it is Lent after all) – just a pragmatist.


Wednesday, March 07, 2012

Answers to Common Privileged Account Management Challenges

We have a webcast coming up on this topic and I’d like to invite you to join us for it. There are two times for the webinar: March 14 and March 16 so hopefully one of them fits your schedule. A few more details…

Access through privileged accounts is one of the most troublesome security and compliance challenges. Manually controlling administrative access is tedious and error-prone and leads to a lack of accountability and auditing and, at times, to administrators having more access than necessary.

Join Quest Software for this informative webcast where we will walk you through the issues of common privileged account scenarios such as:
  • Controlling remote vendor access
  • Enabling developer access to production
  • Managing the issuance and approval of credentials
  • Facilitating separation of duties
  • Providing limited rights for daily administrative tasks 
  • Managing a Sudo environment

You will also see a quick demo on how Quest One Privileged Account Management solutions help you control access through granular delegation and policy-based control of administrative accounts and tightly controlled and audited issuance of full administrative credentials.

Registration date and time information:

Wednesday, March 14, 2012 3:00 PM EST

Friday, March 16, 2012 3:00 PM EST


Friday, February 10, 2012

Looking for a federation expert!

I'm looking at adding a new member to our band of merry product managers here at Quest. Someone who will have a strong focus on federation and especially on authorization. With the acquisition of BiTKOO they will be driving the product strategy for our authorization solution both externally for our customers and internally for use by other Quest products. Throw in a dash of XACML, strong authentication and simmer with SAML and ADFS - then bake.

Interested? Take a look at the job description and feel free to submit your resume.


Help me get the word out and +1 or tweet this post (below)!

Saturday, February 04, 2012

Multifactor Authentication for Dummies

We just released Multifactor Authentication For Dummies®, Quest Software Edition, a “for Dummies” book which gives a good overview of what multifactor authentication is, the challenges it helps to solve and how the Quest Defender product fits into solving customers’ problems in this area.

You can download your copy of this book here. I hope you find it useful.

Wednesday, January 11, 2012

SCIM, PEX and what the parrot saw

I was talking with my older son the other day about renovations. He’s worked a lot on house renovations over the years and has a lot of experience dealing with the usual suspects: plumbing, flooring and drywall.

During the conversation I asked him about using PEX tubing for plumbing renovations. PEX is a fairly new innovation in the plumbing world and it seems like an interesting replacement for copper piping and all the cutting, bending and soldering fun that comes along with copper. Chris’ response was interesting: “I wouldn’t use it in a job until it’s been tried, true and tested for 20 years.” A lively debate on old-school versus “cool” quickly ensued. Further discussions with plumbers found camps ranging from “Never used it” to “Prefer it”.

How does this relate to SCIM (Simple Cloud Identity Management)? Well, we now have this brand new piping called SCIM. But so far there are very few plumbers or contractors that are using it. The fact that we’ve got this cool new standard is, unfortunately, not going to mean that all the plumbers and contractors are just going to swap over from their tried-and-true (copper) standard to PEX (SCIM).

Don’t get me wrong. The guys at salesforce.com, Google and others have done an awesome job inventing this new tubing – and it was done in record time. Everyone involved in the invention of SCIM deserves credit. But, we need some plumbers and contractors to start using it in anger. The fact of the matter is until we get more plumbers and contractors using SCIM we are looking at a long uptake cycle unfortunately.

I still bear the scars from the “build it and they will come days” of X.400, X.500, OSI, token ring, Meridian LanStar, the Defense Message System (DMS) and my personal favorite: the back-of-a-cocktail-napkin (literally) LIPS standard. I’m hoping SCIM will not follow the same path but neither I nor the group involved in inventing SCIM can snatch success from the jaws of failure without that help.

Will Quest Software support SCIM? Absolutely – as soon as customers start demanding it and ISVs start building it into their products.

P.S. Please see Sean Deuby's excellent overview article in WindowsITPro on SCIM.


Tuesday, January 10, 2012

Sudo video

Last month I blogged about the release of our Sudo plugins for sudo 1.8.1. There’s a short two-minute video that Jason Fehrenbach recorded that highlights some of the key features of these plugins. Take a look at the video for a quick overview of the reports you can run that show the access and privileges a Unix user has per host, along with examples of the event log and of accepted and rejected commands by user or host. There’s also an example of the keystroke playback of a successfully executed sudo command session. Good stuff!


Monday, January 09, 2012

Access Request Portal in Quest One Identity Manager

Late last year I highlighted a Quest One Identity Manager (Q1IM) video about “Self-Service Provisioning”. There’s also a video that highlights the Q1IM Access Request Portal that’s about three and a half minutes long.

Barry Gerdsen highlights the Access Request Portal, the WYSIWYG editor for customizing the portal and gives an example of the various tables, charts and graphs that you can easily include in the portal. The portal can help you sift through your identity data to turn it into actionable information and knowledge.

If you have a few minutes take a look!



Thursday, January 05, 2012

Top 10 Common Passwords

I was going to title this “Popular Passwords of 2011” but unfortunately I can’t find the original FBI article referred to in the January 4, 2012 article in the Los Angeles Times: “Some passwords are easy for hackers to crack”.

According to the article the top ten most common passwords used are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

It would be interesting to do an audit of a company to see how many of their users have passwords in the top 10. I really wouldn’t have guessed “monkey” or “dragon” were favorites, but what do I know? I hope no one has a privileged user account out there protected with any of the top 10!
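The audit the post muses about, as an added example (not from the post or from Quest): a policy check that rejects the quoted top-10 words and their trivial variants at password-set time, plus the same list run against a handful of constructed salted-hash records. The record format and the sample users are assumptions for the demo.

```python
import hashlib
import re

# The top-10 list quoted in the post (from the LA Times article).
TOP_10 = ["password", "123456", "12345678", "qwerty", "abc123",
          "monkey", "1234567", "letmein", "trustno1", "dragon"]

# Character substitutions that add no real strength ("P@ssw0rd" is still "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def variants(pw: str) -> set:
    """Derive the trivial variants of a password (case, trailing year or
    digits, punctuation, leet-speak) so 'P@ssw0rd2012' reduces to 'password'."""
    forms = {pw.lower()}
    forms |= {re.sub(r"(19|20)\d{2}$|\d{1,2}$", "", f) for f in forms}  # trailing year / digits
    forms |= {re.sub(r"[^a-z0-9]", "", f) for f in forms}                # punctuation
    forms |= {f.translate(LEET) for f in forms}                          # undo leet-speak
    return forms - {""}


def is_blocked(pw: str, blocklist=TOP_10) -> bool:
    """Policy check at password-set time: reject the password if it, or a
    trivial variant of it, is on the common-password list."""
    return bool(variants(pw) & {b.lower() for b in blocklist})


def _record(user: str, salt: str, pw: str):
    """Constructed sample credential store entry: (user, salt, sha256(salt+pw)).
    A real store would use bcrypt/PBKDF2; the audit logic is the same."""
    return (user, salt, hashlib.sha256((salt + pw).encode()).hexdigest())


SAMPLE_RECORDS = [  # constructed demo data, not from the post
    _record("alice", "s1", "correct horse battery staple"),
    _record("bob", "s2", "monkey"),
    _record("root", "s3", "trustno1"),
]


def audit_hashes(records, blocklist=TOP_10) -> list:
    """Audit stored credentials: return the users whose stored hash matches one
    of the blocklisted words hashed with that user's salt."""
    flagged = []
    for user, salt, digest in records:
        hashes = {hashlib.sha256((salt + w).encode()).hexdigest() for w in blocklist}
        if digest in hashes:
            flagged.append(user)
    return flagged
```

Running `audit_hashes(SAMPLE_RECORDS)` flags `bob` and `root`; note the privileged `root` account is exactly the case the post hopes never exists.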

Tuesday, January 03, 2012

Quest in the ‘Challengers’ Quadrant for User Administration

Quest Software has been positioned in the “Challengers” quadrant in Gartner Inc.’s 2011 Magic Quadrant for User Administration. We were recognized for “Completeness of Vision” and “Ability to Execute”.

We were rated much better than last year and, I believe, that’s partially in recognition of both the acquisitions we have made and the hard work of all the folks in sales, marketing and product management.

Yes, we still have a long way to go but we aren’t resting on our laurels. As you know, we acquired BiTKOO a few weeks ago and their technology and products are going to take us even further towards offering not only best-of-breed products but a simpler, easier to implement IAM suite – an IAM suite that incorporates leading-edge technologies like XACML-based authorization management integrated across our whole portfolio.

We’re all looking forward to 2012 and the challenges it will bring us! Happy New Year to everyone!