Wednesday, June 15, 2011

Quest Acquires Symlabs Virtual Directory - And what EVERYONE missed about this acquisition!

Quest recently announced the acquisition of Symlabs, a virtual directory vendor. There are several things that are interesting about the acquisition and I will explore some of them in this blog.

First and foremost is what Quest says in their press release, as well as what they don't say. As they state in the press release, the major reason for the acquisition is to embed the technology into the existing products that Quest sells. In fact, they had already done this integration for their Defender application, allowing them to not extend the Active Directory schema by virtualizing this in the virtual directory. As many of you all know, a virtual directory can be used to solve a myriad of problems and this was just one of them. Of course this was not the only application that Quest has that will benefit from the virtual directory technology. Quest has a host of products and that is one of the reasons that this acquisition was so compelling for them, as it is not a one trick pony.

Something that is specifically not said in the press release is any mention of Quest selling the virtual directory independently. All accounts are that Quest will not be selling the product independently. This is not a real surprise either since selling a virtual directory solution is a pretty technical sale and not one suited too well for an organization like Quest.

Here is perhaps the most interesting thing about the acquisition that I believe EVERYONE has completely missed. It is no secret that Quest's Jackson Shaw was the primary influencer behind this acquisition. But now let's start with some history to see why this is so darn interesting (at least to me). Once upon a time (1999-to 2005) Jackson was a product manager for a fairly well known company called Microsoft. He was specifically in the Active Directory group. I even had the pleasure of working with him while working at a different Microsoft partner at the time, OpenNetwork.

Now we are getting to the interesting part. How did Jackson come to find himself at Microsoft? The same way that Kim Cameron (recently resigned from Microsoft) landed there. A little old company that they were a part of called ZOOMIT. Yes, the company that basically invented the metadirectory. Of course this product has gone through many name changes over the years at Microsoft but the core is still there. It was MMS, MIIS, ILM and now it is called FIM.

Jackson was a VP of sales at ZOOMIT, but as with many small companies that was just one hat he wore at the company. Suffice it to say that Jackson was very involved in the architecture and design of the worlds first metadirectory. I can tell you first hand that when you are involved in developing a product like this, you tend to be passionate about your product and technology. I know I sure am passionate when it comes to our Virtual Identity Server product and virtual directories in general.

So why is this history lesson so important? Well, let's take a look at what Jackson thinks now. A little more than 10 years later and one of the fathers of the metadirectory is quoted by Dave Kearns as saying "Let's be honest. The metadirectory is dead. Approaches that look like a metadirectory are dead".

Wow! That is a pretty big about face if you ask me!
Insert your favorite analogy here... Such as the vegetarian who suddenly switches to meat only.

The point of this is not to debate whether the metadirectory is dead. In my opinion, the bigger point is how this demonstrates that Jackson kept an open mind to new technologies. It would have been really easy for him to keep "blinders" on and to attack all problems with the same answer (synchronization). Instead, Jackson has seen that there is more than just synchronization and that virtual directory technologies often complement a synch process. I know many great technical people who are of the opinion that synchronization is ALWAYS the answer.

Back in 2009, his blog had a pretty interesting quote as well.

"Are meta-directory and virtual directory products melding – blurring the lines between themselves? Yes, and it’s high time that they did.

Generally speaking, I think a customer can benefit from both of these technologies so why not use one product for that? Simple is always better. A virtual directory is the perfect veneer to stick on top of your directory infrastructure(s) because it allows you to swap underlying directory pieces in and out as your business changes."

I think he pretty much nailed it with this quote and I believe every customer that is using a virtual directory would whole heartily agree with his statement.

Wednesday, March 23, 2011

RSA hacked!

This brings back memories of that Alanis Morrisette song “Ironic”. A security firm being hacked is akin to the fire department burning down. It’s simply something you wouldn’t expect to happen.

Now that it has, it is all about how big of a breach it was. As of today, that is not clear at all. The CEO’s open letter, was rather vague and didn’t give the details. I have seen a few blog entries from Mark Diodati that speculate as to what might have happened. It is an interesting read, but conjecture for the moment.

There are hundreds of the largest companies in the world using RSA’s SecurID product to provide two factor authentication into corporate networks. The ripple effect here could be huge. I know that many of Optimal IdM's customers utilize SecurID for their two factor authentication needs.

The question in my opinion is how will RSA handle this in the next few days/weeks? Will they handle this like the Tylenol scare of 1982 where Johnson & Johnson did by most accounts an excellent job of handling a recall, or will this be a ValueJet disaster? In my opinion, right now no news is bad news. RSA needs to hit this head on with what happened and what the level of risk/exposure is there for customers.

SearchSecurity quotes sources that say they believe the hack is limited. Again, this is simply conjecture at the moment. Let the FUD begin from RSA's competitors...

Thursday, February 17, 2011

Quest Software and recent acquisitions

I noticed on Jackson Shaw’s blog that identity management is big over at Quest these days with recent acquisitions and more to come. Interesting. Let me take you down a path and then pose a question.

Back in 2004/2005 Oracle took an honest look at their identity management stack and realized that customers really did want a one stop shop (if it was possible). Sure it is a lofty goal to have every identity management tool, but they did look at their gaps of standard identity management tools such as Single Sign On and User Management (Oblix) , Provisioning/De-Provisioning (Thor), Virtual Directory (Octet String) and filled them via these acquisitions. There was a little overlap in the products, but actually very little.

Sure Oracle could have gone out an developed them from scratch, but that would have taken many physical years (and a ton of "man" years) to get to the features and functionality (and stability) of these products that already had a solid customer base and were good, mature products. Buying the technology (and the people who built it) and re-tooling it for their purposes was the path they chose. I know most of these products have now had “Oracalized” versions released with greater integrations between them.

So the question asked looking backwards is: Did Oracle make the right choice? Well I think the obvious answer is a resounding YES. I’ll give two reasons. One, look at the stock price from 2005 to now. Sure Oracle has made other acquisitions, etc. but overall they have performed very well and Wall Street has agreed. If I compare Oracle stock to say Microsoft’s over this period I believe it is a yes as well.

Two, look at market share specifically in identity management. Oracle leap frogged ahead of the competition and took a resounding lead. Analyst firms clearly put them out in front.

So now my question today is: Is Quest the new Oracle in identity management? And if they are, who are they going to take the business away from? Oracle, IBM, CA, Microsoft? Obviously we here at Optimal IdM partner heavily with Microsoft. Forefront Identity Manager (FIM) is selling well and we fill their virtual directory gap they have with our Virtual Identity Server (VIS) solution. While we aren’t Microsoft, our products are built with their technology and leverages & extends the existing investment that a customer has already made.

So what is Quest’s strategy on identity management and who do you think has the most business to lose?

BTW – I do believe that is truly a “lose” scenario. Sure, the identity management market gets bigger each year, but how much bigger? Not that much in a relative sense. Someone at a major un-named vendor told me once that they don’t have any way to track how much business they lose. When you look at it this way, it is really easy. It is simply the sum of revenues of your direct competitors. If a customer purchases Oracle's IdM solution over Microsoft's, well Microsoft lost that deal (even if they weren't aware of it).

Come on folks, it’s not like we are talking rocket science, or developing a virtual directory, which is trickier than you might think!

Saturday, February 12, 2011

Part 2 - Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

This is Part 2 of why I believe implementing Claims security for Marriott is a poor choice. I'll try and keep this relatively brief and point out 3 main reasons.

1. As I laid out in Part 1, basically Marriott giving discounts is a cost of doing business. The fact that they are giving it Microsoft or Quest is irrelevant. Implementing Federation and Claims does nothing to enhance their bottom line. Further, they would still have to maintain and support their existing User ID and Password authentication that they have today for all of the users companies that don't Federate with them. They wouldn't get 100% of all companies would they?

2 - A key mantra that we at Optimal IdM have preached is the following. "When solving a given problem, minimize (and avoid if at all possible) creating new problems." There are several ways that implementing Federation and Claims would introduce other issues.

Here is just one of them that came to mind. Here is the scenario to consider. Jackson is an employee of Quest and Quest implements Federation/Claims with Marriott. So as Jackson hits the Marriott website he is redirected to Quest to authenticate. He authenticates the local ADFS at Quest using his Quest's credentials and a claim is presented to Marriott. All is well in Jackson's scenario.

Now let's suppose Jackson gets fired from Quest (don't see that happening but go with me here). Hmmm... When this grand Federation thing was underway, Jackson would have ultimately authenticated using his Quest credentials, right? So how in the world is Jackson going to authenticate and "prove" his identity to Marriott now? In a 100% pure Federation model you would have no way of authenticating. Sorry Jackson you just lost all of your Marriott points!!! Will the real Jackson Shaw please stand up?

In my view, when it comes to you authenticating to Marriott it has a lot more to do with your "personal" identity and not your corporate affiliation. Of course one answer to that would be to use one of the public identity providers and not the individual companies, but then you are once again relying on Jackson to keep his profile up to date with his current company.

3. In the end, the biggest reason is this. Federation is fundamentally a Single Sign On solution. Don't try and make it more than what it is. It is a great answer for on-premise to the cloud, but not this scenario. Marriott does not have a SSO issue.

I believe the biggest reason for the confusion on scenarios such as this is that Claims ties authentication with authorization. That can make it very difficult to manage effectively in a decentralized fashion. Managing on-premise as well as cloud security is relatively in it's infancy and everyone is just now learning the limitations and issues.

The team at Optimal IdM has been hard at work on our cloud solutions, working closely with key customers and partners. In fact, we will be announcing soon some of the new solutions we have developed to help organizations manage claims authorization. From what we are seeing, it looks like this will fundamentally change the way organizations manage cloud security. More on that subject when it is ready for public consumption.

Wednesday, February 9, 2011

Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

I am back on the blogging bandwagon. Did that headline get your attention? I thought it might. So, what was the impetus for the headline? Well, it is in response to my colleague Jackson Shaw’s blog entry indicating that Marriott is losing millions by not supporting claims. Matt Flynn then chimed in and said that $$$ = motivation and perhaps that would spurn them on to support claims.

Well, I have a different spin on this and I’ll attack this in a two part blog. Part 1 is here and outlines why Marriott (in my opinion) is not losing millions by not supporting claims. First of all, I want to say that I like the claims model and it works in many situations. In fact, Optimal IdM will soon announce some very interesting news around our further integration with the claims model, but that is a topic for another day.

Now on to my theory. As with politics, two things are important to remember. One, follow the money. Two, the devil is in the details (Yes, you should read bills prior to passing them). Let’s look at Marriott’s business model. They sell hotel rooms. There are a finite number of rooms in a given hotel. There are fixed costs of the hotel (taxes, wages for staff, etc.). Whether Jackson stayed at this hotel that night or not is not going to change this hotels fixed costs. There are, however, variable costs. For a typical hotel like a Marriott Courtyard it costs about $20-30 to cover the costs of housekeeping, soap, coffee in room etc. That is “basically” the cost of goods sold. Therefore, selling any room over the variable cost makes good business sense as it is profitable. The only question is how much of a profit.

The fact that Jackson used to work for Microsoft and they are giving him a $10 discount is moot. Why? Because if they set up this grand federation scenario where they would now Federate with Quest (his current employer), they would likely have to give that same $10 to Quest. There is NO net revenue gain. Only if they could guarantee that they would not have to give the discount would it make sense to spend the bucks to re-do what they already have in place. And then you would have to (or really should do) a cost benefit analysis and a payback scenario. Plus, in part 2 I will outline the gotchas that this would add.

I almost always check the check box to get the AAA discount, but very rarely am I asked to prove it with my card at hotels. The fact of the matter is these discounts are factored into their business. Marriott would far rather have $10 less from me or Jackson then to have us go to Hilton or some other chain.

One other thing to think about. Those discounts go out the door when the hotel is at maximum capacity. At that point, everyone including road warriors with the highest status pay the rack rate. It really is simply a matter of supply vs. demand. Sorry Jackson I agree with you on many things, but this is not one that I can agree with. This is one thing that claims will not solve!

Stay tuned for Part 2 of all of the reasons I believe Federation/Claims is a poor choice for this scenario. I am sure I will use this as an example of when someone should not Federate in my speaking session at Quest’s The Experts Conference. My topic is When to Synchronize, When to Virtualize and When to Federate – Which is the Right Solution and When?