Monday, June 29, 2009

CLEAR is still unCLEAR

Mainstream press has started reporting on the CLEAR debacle that I mentioned in a previous post: Clear is dead. What about my retinal scans?

On Thursday, the House Committee on Homeland Security sent a letter to TSA Assistant Secretary Gale Rossides expressing concern about the handling of Clear members' personal data.
I guess the good news is there is a lot of visibility regarding what's happening to my data and the data of 250,000 of my closest friends...

Friday, June 26, 2009

Enterprise-Class SaaS Provisioning

I happened across this white paper - Enterprise-Class SaaS Provisioning - over at Conformity's website. The first paragraph of the executive summary caught my attention:

User provisioning provides the foundation for effective lifecycle management of user identity and access rights in complex IT environments. Historically, enterprises have addressed this critical need through a combination of business process and integration of premise-based applications with management tools. These tools have included local directory services, identity services and user provisioning and role management solutions. The recent rapid adoption of SaaS and cloud-based applications is now significantly straining the on-premise capabilities of existing IT models and approaches.
I think there are lots of executives and IT staff who are running around thinking that SaaS is the promised land. If you consider a SaaS application as "just another application" you will understand that your end-user identities still must be managed in that SaaS application. How are you going to provision, de-provision and update those identities? How are you going to manage the namespace of your corporate identities and the namespace of your SaaS application's identities? (Don't make me break out the Venn diagrams!)

We have a standard called "Service Provisioning Markup Language" (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I'll bet they do not! What do you do then? I've met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning - via some harebrained interface because the vendor doesn't support SPML - and it only adds to the organization's identity management complexity.
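To make the "two namespaces" problem concrete, here is an added example (mine, with constructed data; not code from the white paper or from Conformity) that reconciles a corporate directory against the user list pulled from a SaaS tenant and works out which provisioning actions are due. It assumes the SaaS login name is the corporate e-mail address, which is the join key between the two namespaces; the orphan bucket is the one that matters most from a security standpoint, because an enabled SaaS account with no owner in the directory is exactly the de-provisioning gap the paper is worried about.

```python
"""Reconcile a corporate directory against a SaaS tenant's user list.

Added example with constructed data; not code from the white paper or from
Conformity. Assumption: the SaaS login equals the corporate e-mail address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorpIdentity:
    employee_id: str
    email: str
    display_name: str
    active: bool          # False once HR has terminated the person


@dataclass(frozen=True)
class SaasAccount:
    login: str            # SaaS namespace key (assumed to equal the corp e-mail)
    display_name: str
    enabled: bool


def reconcile(corp, saas):
    """Return the provisioning actions that make the SaaS tenant mirror the
    directory: create (joiner), update (attribute drift or re-enable),
    disable (leaver still enabled) and orphan (SaaS account with no owner).
    """
    by_login = {a.login.lower(): a for a in saas}
    actions = {"create": [], "update": [], "disable": [], "orphan": []}
    seen = set()
    for ident in corp:
        key = ident.email.lower()
        seen.add(key)
        acct = by_login.get(key)
        if ident.active:
            if acct is None:
                actions["create"].append(key)
            elif not acct.enabled or acct.display_name != ident.display_name:
                actions["update"].append(key)
        elif acct is not None and acct.enabled:
            actions["disable"].append(key)
    # Enabled SaaS accounts that map to nobody in the directory are the classic
    # de-provisioning gap: someone left, or was created outside the process.
    for key, acct in by_login.items():
        if key not in seen and acct.enabled:
            actions["orphan"].append(key)
    return actions


# Constructed sample data.
CORP = [
    CorpIdentity("1001", "alice@example.com", "Alice Adams", True),
    CorpIdentity("1002", "bob@example.com", "Bob Brown", False),       # leaver
    CorpIdentity("1003", "carol@example.com", "Carol Cruz", True),     # joiner
    CorpIdentity("1004", "dave@example.com", "Dave Diaz-Smith", True), # renamed
]
SAAS = [
    SaasAccount("Alice@example.com", "Alice Adams", True),
    SaasAccount("bob@example.com", "Bob Brown", True),
    SaasAccount("dave@example.com", "Dave Diaz", True),
    SaasAccount("eve@example.com", "Eve Evans", True),    # nobody in the directory
    SaasAccount("frank@example.com", "Frank Fox", False), # already disabled
]


def sample_actions():
    """Reconcile the constructed sample and return the action lists."""
    return reconcile(CORP, SAAS)


if __name__ == "__main__":
    for action, logins in sample_actions().items():
        print(f"{action:8s} {', '.join(logins) or '-'}")
```

The join key is the weak point in practice: if the SaaS vendor keys on an opaque user id instead of e-mail, you need to store that mapping yourself, which is precisely the extra bookkeeping an SPML-speaking endpoint would spare you.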

Don't get me wrong. There's lots of promise with SaaS. Unfortunately, the road to the SaaS promised land passes through a few minefields on the way...

Thursday, June 25, 2009

Catalyst Conference Discounts and Free Passes

Are you thinking about going to this conference? If you are, let me help push you over the edge!

Here's how you can get free passes to the hospitality suites (only):

Go to: https://burtongroup.wingateweb.com/us09/portal/newreg.ww
Use code: queqp2cg

Or, discounted rates to attend the conference:

Go to: https://burtongroup.wingateweb.com/us09/portal/newreg.ww
Use code: queFriend

This really is the best technical identity management conference out there, so if you can only get to one then this is it!

Wednesday, June 24, 2009

Quest wins Active Directory Partner of the Year!

Yes, we did! Congrats to everyone at Quest! Here's what Microsoft posted on the Worldwide Partner Conference 2009 awards page:

Quest Software offers a suite of solutions that enables migration to Active Directory service from competing platforms, and delivers directory consolidation by extending Active Directory into heterogeneous IT environments. The suite also provides compliance by compiling an audit of system access events and secure dual-factor authentication through one-time password tokens, and creates a single sign-on solution using Active Directory. Quest implemented its solution, replacing a competing platform, to deliver dual-factor authentication of remote users at a lower cost and with zero impact to users. Seamless collaboration across Quest, Microsoft, and a key systems integrator partner enabled the Active Directory migration to be completed quickly and with no system downtime. Quest Software solutions have enhanced thousands of enterprise Active Directory environments, including Dell, Movado, Siemens, ADT, and Shell.

Finalist: Centrify, United States

Finalist: Likewise Software, United States

Update: More from Microsoft here.

Trusted Cloud Computing

In Infrastructure as a Service (IaaS) cloud services such as Amazon’s EC2, the provider hosts virtual machines (VMs) on behalf of its customers, who can do arbitrary computations. In these systems, anyone with privileged access to the host can read or manipulate a customer’s data. Consequently, customers cannot protect their VMs on their own.
I read two papers on this topic over the last few days and I invite you to take a look at them. If you are short of time, at least try to read "Towards Trusted Cloud Computing". This paper gives a good overview of how customers of cloud computing services "have no means of verifying the confidentiality and integrity of their data and computation". This paper helped me to understand some of the core security issues around cloud computing.

One of the references in this paper was to Terra - a trusted platform that enforces a closed-box execution environment. While Terra is an academic study, out of Stanford, it does lay the groundwork for a better architecture that could be used to secure and protect virtual machines. It's interesting follow-on reading if you're into a more academic discussion of the problem and their proposed solution. I love how they built "Trusted Quake" - yes, that Quake!

Ultimately, I don't know how many customers will care about security at this level of depth. My suspicion is customers will try to cover their bases via legal agreements rather than the computational security discussed in the two papers above. Either way, it is a good idea to get educated on these topics. Also, it is interesting to me that we still have a long way to go around trusted computing hardware (and software).

Monday, June 22, 2009

Clear is dead. What about my retinal scans?


I signed up to Clear about 18 months ago. Theoretically, I would get through airport security lanes faster. It involved a registration, fingerprinting and retinal scans. I pretty quickly realized that it was a waste of my money when the people in the "normal" security lines were getting through faster than me. In addition, why was their first question when I showed up to their line "Can I see your driver's license please?"

I let the card expire and for the last two months Clear has been hounding me multiple times a week to renew. Yesterday, I finally told them to stop sending me e-mails and this was their response (above). I guess I got my wish.

Now my question is: What happens to those digital fingerprints and retinal scans they took? Checking their privacy policy reveals this interesting tidbit:

...a copy of your biometric information (but not your name) is retained by the Transportation Security Clearinghouse to prevent fraudulent enrollments under alternate identities.

So, the TSA has my biometric information but not my name in order to prevent fraudulent enrollments under alternate identities? Hmmm, does that mean that the TSA has my biometric information but not my name but does have my social security number? Otherwise, how would they prevent fraudulent enrollments?

Generally speaking, I care about this. Specifically, for me, I don't, because I've been fingerprinted many, many times by the US government already. (No, I'm not a criminal - I'm an immigrant!)

How much biometric detritus is floating around about me out there? About you?

Follow-up: See Kevin Kampman's (Burton Group) post on this topic here.

Thursday, June 18, 2009

All Defender, all the time

Mr. Stuart Harrison has started to blog! As the product manager behind Defender you can imagine what he'll be discussing most of the time. Check out his latest post on our GrIDsure integration...

GrIDsure’s solution is based on its groundbreaking yet simple invention that allows users to authenticate themselves by remembering a minimum of a four block sequential pattern on a five by five grid. By integrating GrIDsure’s software-based solution, Quest will be able to offer its customers an enhanced level of scalable security at a very competitive price point, whilst enhancing the user experience.

Thursday, June 11, 2009

Don't get caught in your identity underwear!

Brian Green's experience with not-so-secret questions began when he logged on to his World of Warcraft account in March of this year and found all of his characters in their underwear. Someone had stolen the account and sold off all of his virtual equipment.
This article made me burst out laughing, but behind the humor of someone having all of their "virtual equipment" sold off there's a serious point to be made: secret questions used to secure password-reset functions can be woefully insecure.
In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study's participants could guess the correct answers to the participant's secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.
If it isn't obvious to all, you really must ensure that your secret answers are, in fact, secret, and secret means not easily guessed and not easily obtained through social engineering. I highly recommend that an out-of-band technique be used to send you your new password. For example, an SMS message with your temporary password to your mobile phone, or the use of a one-time password (OTP) as part of your Q&A response profile. Both of these rely on something you know and something you have - much harder for the hacker to defeat.

Don't rely on "shoe size" and "pet's name" or you'll end up being caught in your identity underwear, too.
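Here is an added example (my own, with constructed data; not code from the article or from any vendor product) of what the "something you know plus something you have" reset flow looks like when written down. The secret answer only unlocks step one; a short-lived, single-use code sent over an out-of-band channel (a caller-supplied `send_sms` function, which is an assumption) gates the actual password change, and a small attempt budget is what makes a six-digit code safe to use. The demo exercises the happy path alongside the failure modes a reviewer would check: wrong answer, wrong code, replayed code, expired code and lockout.

```python
"""Self-service password reset gated by a secret answer (something you know)
and an out-of-band one-time code (something you have).

Added example with constructed data; not code from the article or from any
vendor product. The SMS gateway is a caller-supplied callable (assumption).
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 100_000


def normalize(answer):
    # Case and spacing differences should not lock a legitimate user out.
    return " ".join(answer.lower().split())


def hash_secret(value, salt=None):
    """Salted PBKDF2 for stored secret answers and passwords."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    def __init__(self, users, send_sms, clock=time.time, code_ttl=300, max_attempts=3):
        self.users = users            # username -> record dict
        self.send_sms = send_sms      # callable(phone, code): the out-of-band channel
        self.clock = clock
        self.code_ttl = code_ttl
        self.max_attempts = max_attempts
        self.pending = {}             # username -> outstanding challenge

    def start(self, username, answer):
        """Step 1: check the secret answer; on success send a code out of band.
        Unknown user and wrong answer look identical to the caller."""
        user = self.users.get(username)
        if user is None:
            return False
        _, digest = hash_secret(normalize(answer), user["answer_salt"])
        if not hmac.compare_digest(digest, user["answer_hash"]):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        # A 6-digit code is protected by the attempt budget and the TTL, not by
        # the hash; hashing only keeps the plaintext out of the state store.
        self.pending[username] = {
            "code_hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.clock() + self.code_ttl,
            "attempts": 0,
        }
        self.send_sms(user["phone"], code)
        return True

    def finish(self, username, code, new_password):
        """Step 2: verify the single-use code within its TTL and attempt
        budget, then set the new password."""
        state = self.pending.get(username)
        if state is None:
            return False
        if self.clock() > state["expires"]:
            del self.pending[username]
            return False
        state["attempts"] += 1
        if state["attempts"] > self.max_attempts:
            del self.pending[username]
            return False
        offered = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(offered, state["code_hash"]):
            return False
        del self.pending[username]        # the code cannot be replayed
        salt, digest = hash_secret(new_password)
        self.users[username].update(password_salt=salt, password_hash=digest)
        return True


def make_user(answer, phone):
    salt, digest = hash_secret(normalize(answer))
    return {"answer_salt": salt, "answer_hash": digest, "phone": phone}


def demo():
    """Run the happy path and each failure mode; returns the outcomes."""
    sent = []                                              # captured "SMS" codes
    users = {"bgreen": make_user("Fluffy", "+15550100")}   # constructed user
    now = [1_000_000.0]                                    # controllable clock
    svc = ResetService(users, lambda phone, code: sent.append(code),
                       clock=lambda: now[0], code_ttl=300)
    out = {}
    out["wrong_answer"] = svc.start("bgreen", "Rex")
    out["right_answer"] = svc.start("bgreen", " fluffy ")
    out["wrong_code"] = svc.finish("bgreen", "wrong!", "n3w-P@ss")
    out["right_code"] = svc.finish("bgreen", sent[-1], "n3w-P@ss")
    out["replayed_code"] = svc.finish("bgreen", sent[-1], "n3w-P@ss")
    svc.start("bgreen", "Fluffy")
    now[0] += 301                                          # past the TTL
    out["expired_code"] = svc.finish("bgreen", sent[-1], "n3w-P@ss")
    svc.start("bgreen", "Fluffy")
    for _ in range(3):
        svc.finish("bgreen", "wrong!", "n3w-P@ss")
    out["after_lockout"] = svc.finish("bgreen", sent[-1], "n3w-P@ss")
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} {'reset' if ok else 'refused'}")
```

Note that the secret answer never reaches the SMS step on its own: a guessed "pet's name" only earns an attacker a code sent to a phone they do not hold, which is the whole point of the out-of-band channel.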

Thursday, June 04, 2009

Application Performance Monitoring

Last week I attended a conference here in Europe and a Gartner analyst by the name of Will Cappelli gave a talk on "Application Performance Monitoring: Technology Trends and Market Dynamics". Normally, it's not the kind of talk that I would sit through, but I decided to this time because I am not very familiar with this part of the market. I'm glad I did because Will gave me a perspective that I would never have seen myself:

  • Monitoring of applications has been done differently from monitoring of the infrastructure
  • Application-centric monitoring is where things are moving – how to make the application successful in its environment
  • From the business's perspective the value that IT delivers is embodied in the application portfolio - not the infrastructure. (How often do you say "Wow, the network is fast" versus "Why is PeopleSoft slow?")
  • This shift makes the IT operations management group even more important as time goes on
  • APM = Application Performance Monitoring
  • There is no Business Service Management without a matrix of APM
  • We are almost at the point that the application can dictate the underlying infrastructure that it needs to perform appropriately (e.g., re-configure a VM)
  • The boundary between application and infrastructure is going away
  • You won’t be able to distinguish between virtual and physical applications soon
  • You need holistic monitoring of your application stack – there is more than one way to do this; four perspectives:
  1. End-user experience monitoring (#1 thing to do – most fundamental task)
  2. Discovering and Modeling the Application
  3. Deep dive monitoring (middleware, database, network, off-the-shelf application stacks)
  4. Ebb and flow of transactions (hard work, embryonic)
How do you tie these four data streams together? With a Performance Management Database (PMDB).

The market is moving towards vendors who can provide all of these things (the four functionalities plus performance management). An integrated suite approach builds in the integration that would otherwise have to be done, at significant effort, across "best-of-breed" tools in order to weave the performance management information together.

This was an interesting session, especially the point that there is enough value in putting the four items together in a suite, coupled with a PMDB, to enable a "suite" vendor to succeed. Maybe this is why the identity management "suite" vendors have not succeeded? They haven't figured out the "PMDB" side of things that ties everything together and provides additional value.

Know what I mean?

Wednesday, May 20, 2009

Self-service password resets and strong authentication

Dmitry Kagansky is one of Quest's architects and works out of our UK office. He's recorded a demo of a few of our products that I thought might be of interest to you:

  • Self-service password reset with Quest Password Manager
  • Self-service registration of a Defender one-time password (OTP) token
  • Integration of Quest Password Manager with Defender to enable an end-user to reset their password using their Defender token
It's a great demo that not only shows specific individual product capabilities but also the advantages of the integration between these two Quest products.

Enjoy!

Tuesday, May 05, 2009

Martin's top 10 IAM trends for 2009...

Martin Kuppinger's "top 10 trends for 2009". Not sure if this was in reverse order or not, but you get the idea...

  • GRC as the business control layer of IAM
  • Growing maturity of Identity 2.0 approaches
  • Multi-purpose (smart)cards gain momentum
  • Context and versatility becoming reality - re: authorization
  • More IAM and GRC for the cloud. (Adoption of cloud services is held back by the immaturity of IAM and GRC for the cloud)
  • Portable identity information for social networks.
  • GRC going beyond IAM. (attestation, access controls)
  • First impacts of new electronic passports/ID cards. (Not in the US, eh?!)
  • Increasing service orientation in IAM and GRC.
  • Privacy is back - and there are more solutions.

European Identity Conference!


OK, just arrived at the EIC here in Munich that's put on by our friends at Kuppinger Cole. I ran into Joerg Resch at our booth so we had a few minutes to chat about the conference. He was very happy to report that registrations have exceeded their expectations. In fact, Joerg told me they had a great rush of last-minute registrations right up until 1AM last night!

That's great news for a great conference. I'm looking forward to seeing many old friends and meeting some new ones, too. If you are at the conference please drop by and say hello!

More posts over the next few days...


Wednesday, April 29, 2009

Quest Brings The Experts Conference to Europe

Registration has opened for The Experts Conference (TEC) Europe 2009. Formerly called the Directory Experts Conference (DEC), TEC Europe is an important international training event focused on advancing the skills of the most experienced users of Microsoft Identity and Access (IDA) and Microsoft Exchange Server technologies.

TEC Europe for Directory & Identity 2009 will provide advanced education on business-critical IDA technologies, including Active Directory, Forefront Lifecycle Manager (formerly Identity Lifecycle Manager), and Active Directory Federation Services (ADFS). Identity without Borders: Bringing the Identity Meta System into the Enterprise will serve as the theme and centerpiece for TEC Europe 2009 for Directory & Identity.

I personally am looking forward to this show - it's in Berlin!

Friday, April 24, 2009

Two-factor authentication, two promotions


We have a couple of promotions running at the moment for our Quest Defender product. The first one allows you to register for a token and once you receive it you can try it out on a web page that enters you to win an XBox360. The second promotion is for a "free Defender starter pack" which is 5 hardware tokens, 5 software tokens and a 10 user license valid for one year. Just head over to http://www.quest.com/defenderstartpack if you'd like to take advantage of that offer.

Monday, April 20, 2009

The Sun sets on Oracle

Sun Microsystems (NASDAQ: JAVA) and Oracle Corporation (NASDAQ: ORCL) announced today they have entered into a definitive agreement under which Oracle will acquire Sun common stock for $9.50 per share in cash. The transaction is valued at approximately $7.4 billion, or $5.6 billion net of Sun's cash and debt.
Talk about a dog's breakfast of identity management products now! I wonder how this will all work out for the customers? Oracle has been getting high marks from the analysts so will the Sun IDM suite go by the wayside? Or, will this only mean confusion for the next 18-36 months? Or both?!

Wednesday, April 15, 2009

Reality tour stopover in Paris


The reality tour is taking up temporary residence in the 1er arrondissement in Paris just down the street from the musée du Louvre. Just follow the arrow above to find me - after work of course - either at the "Brasserie de la Bourse" or across the street at "Le Café des Initiés" (with its "accès Wi-Fi gratuit et très performant est disponible en permanence" - yah baby!).

You can follow our personal adventure on my wife's blog over here. In the meantime, hopefully I can keep the baguette crumbs, cheese droppings and slopped wine from gumming up my keyboard.

Back to our regularly scheduled program next week...