Friday, September 21, 2012

Follow-up post to "A Virtual Directory is not just for 'legacy' applications"

I have a short follow-up to my post titled "A Virtual Directory is not just for 'legacy' applications".

I am sure some folks will read that post and still think that virtual directories are only about LDAP applications. On top of that, they will probably tell themselves that Federation solves the problem of abstracting the application from the directory.

To the latter point: yes, Federation does provide a level of abstraction, but there are other factors to consider. The Federation server (whatever it is) still needs to authenticate the user somewhere. In the case of Microsoft's AD FS server, it can only authenticate to Active Directory.

If you use Optimal IdM's Virtual Identity Server for Federation Services, however, you can have an AD FS infrastructure that authenticates users ANYWHERE. Our Federation component is an Identity Provider (IP) that leverages our Virtual Identity Server (VIS) virtual directory to authenticate users in whatever data store they reside in. It doesn't matter whether they are in another directory such as Sun or eDirectory, or even in databases.

Have multiple Active Directory forests? Yep, with our solution that is a snap too: no need for a pile of AD FS servers, trusts, etc. Think about it this way: with a virtual directory, any application, whether it is SharePoint, CRM or AD FS, no longer needs to worry about multiple forests, or about where users are stored for that matter. That is a compelling statement when you think about it.

A virtual directory also makes it very easy to source identity data (claims, in the Microsoft world) from ANY data source. AD FS can only source claims from AD or SQL. By plugging our solution in with AD FS, AD FS no longer needs to worry about pulling the data from disparate data sources. The same rings true for a host of other applications.

Thursday, September 20, 2012

A Virtual Directory is not just for "legacy" applications

Recently I was talking to someone who is working on "future technologies". In that conversation I got the impression that they believe virtual directories are used only for "legacy" applications. Keep in mind what "legacy apps" means to folks building infrastructures for the "future": to them, a legacy app is an application running in the enterprise right now, not an ancient application from years ago.

In my opinion, trying to pigeonhole a virtual directory as legacy is flat out wrong. Sure, companies use a virtual directory to solve some very classic problems that applications struggle with (such as multiple forests), but that is only part of the reason they deploy one. It isn't just about their currently deployed applications, but about their future applications too.

For example, some of the largest Fortune 500 companies in the world are architecting our virtual directory as a key component of the architecture they are building for the future. They see the virtual directory as a vital element, absolutely necessary to meet their objectives both known and unknown. It is the unknown that kills you in the future.

Think about this for a moment. When Microsoft first released Active Directory, they told everyone to have an empty root forest, right? Oops! Later they changed their minds and said no, you don't need that. How many enterprises still have that "old" architecture? How many have multiple forests? Why?

The answer is simple: it is very hard to change. Without a virtual directory, applications are tightly coupled to the data store, which is a bad thing in any IT architecture. We don't let application developers code directly against the database tables, do we? No. We give them a stored procedure or a view. With a buffer or "black box" that the applications use, we can change out the infrastructure without impacting the applications.

Our enterprise customers see this and use the virtual directory as their buffer layer or black box. This lets them architect for the future, now. They are using this virtual layer as the buffer for both on-premise and cloud. And we at Optimal IdM don't stop at LDAP support either. For example, with our integration with Microsoft's Graph API we can translate LDAP calls into RESTful web service calls.
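To make the "buffer layer" concrete, here is an added example in Python (written for this page; it is not Optimal IdM's code and does not model how VIS is built) of the pattern described here and in the multi-forest point of the follow-up post above: the application resolves a user through one interface, a routing layer decides which backing store answers based on the UPN's domain suffix, attribute names are normalized across stores, and lookups for realms the layer does not know about fail closed. The forest names, domain suffixes, user records and SQL column names are all constructed for the example.

```python
"""Virtual-directory facade: one lookup interface in front of several identity stores.

Constructed example; the forests, domain suffixes, user records and SQL column
names below are made up, and nothing here models any vendor's product.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Protocol


@dataclass(frozen=True)
class Identity:
    """The normalized view every application sees, whatever store the user came from."""
    upn: str
    display_name: str
    mail: str
    source: str  # which backing store answered; useful for audit logging


class Backend(Protocol):
    def find_by_upn(self, upn: str) -> Optional[Identity]: ...


class ForestBackend:
    """Stands in for one Active Directory forest exposing AD-style attribute names."""

    def __init__(self, name: str, entries: Iterable[Dict[str, str]]):
        self.name = name
        self._by_upn = {e["userPrincipalName"].lower(): e for e in entries}

    def find_by_upn(self, upn: str) -> Optional[Identity]:
        e = self._by_upn.get(upn.lower())
        if e is None:
            return None
        return Identity(e["userPrincipalName"], e["displayName"], e["mail"], self.name)


class SqlTableBackend:
    """Stands in for a user table whose columns do not match AD's attribute names."""

    def __init__(self, name: str, rows: Iterable[Dict[str, str]]):
        self.name = name
        self._by_login = {r["login"].lower(): r for r in rows}

    def find_by_upn(self, upn: str) -> Optional[Identity]:
        r = self._by_login.get(upn.lower())
        if r is None:
            return None
        # The column-to-attribute mapping lives here once, not in every application.
        return Identity(r["login"], r["full_name"], r["email"], self.name)


class VirtualDirectory:
    """Routes a lookup to the store responsible for the UPN's domain suffix."""

    def __init__(self) -> None:
        self._routes: Dict[str, Backend] = {}

    def register(self, domain_suffix: str, backend: Backend) -> None:
        self._routes[domain_suffix.lower()] = backend

    def find_by_upn(self, upn: str) -> Optional[Identity]:
        if upn.count("@") != 1:
            return None  # reject malformed names instead of guessing a realm
        _, domain = upn.rsplit("@", 1)
        backend = self._routes.get(domain.lower())
        if backend is None:
            return None  # fail closed: an unknown realm is never "found"
        return backend.find_by_upn(upn)


def build_demo_directory() -> VirtualDirectory:
    """Two forests plus a database behind one interface, with constructed sample users."""
    vd = VirtualDirectory()
    vd.register("corp.example", ForestBackend("forest-corp", [
        {"userPrincipalName": "alice@corp.example", "displayName": "Alice Ng", "mail": "alice@corp.example"},
    ]))
    vd.register("sub.example", ForestBackend("forest-sub", [
        {"userPrincipalName": "bob@sub.example", "displayName": "Bob Rao", "mail": "bob@sub.example"},
    ]))
    vd.register("partners.example", SqlTableBackend("sql-partners", [
        {"login": "carol@partners.example", "full_name": "Carol Diaz", "email": "cdiaz@partners.example"},
    ]))
    return vd


if __name__ == "__main__":
    vd = build_demo_directory()
    for upn in ("alice@corp.example", "carol@partners.example", "nobody@unknown.example"):
        print(upn, "->", vd.find_by_upn(upn))
```

Swapping a forest for a database, or merging two forests into one, is a change to `build_demo_directory` alone; the application keeps calling `find_by_upn` and keeps receiving the same `Identity` shape, which is the decoupling the post argues for.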

Nobody can predict the future. However, when it comes to computer architectures, I do know that we will need to make changes in the future. A virtual directory lets organizations make those changes more easily and without impacting applications. The cost savings are enormous and very quantifiable.

So while our customers are deploying the virtual directory on an enterprise scale into the present environment, the key point is that they are doing this to enable flexibility in the future environment too.

That is a key concept that is lost on this person...

Tuesday, September 18, 2012

Cloud Adoption - The 80/20 rule...

Over the years I have worked for several small companies. These companies were in the 100-150 person range.  Back then (late 90's/early 2000's) the "cloud" wasn't really there with the exception of These companies that I worked for all had an on-premise Active Directory with some sort of email system such as Exchange and collaboration portals to share documents, etc.  Each of them typically employed 2 to 3 full time IT folks to keep it all moving. 

In today's world, a 100-person company can easily find ALL of its services in the cloud, without requiring any on-premise infrastructure or servers. This is the "low hanging fruit" for Microsoft. These companies are small and can easily log in to a cloud portal application, create their users and passwords, and get to the cloud. These are the easy ones.

Now let's move on up the chain to the medium and large enterprises. These companies likely have an on-premise environment (i.e. Active Directory), and as the organization grows in size, its complexity grows: more and more user repositories, multiple platforms, etc. Moving these organizations to the cloud is more complicated and difficult.

Here is the rub and the 80/20

While you may be able to grab "80%" of the companies in the world under the non-complicated low hanging fruit scenario, this only represents "20%" of the total user population.  While there are fewer of the medium to large customers, they have more users and thus a greater total population. That wouldn't matter if cloud services were sold on a flat server/company fee, but most cloud offerings sell per user/per month. 

Here is some quick math, shown in the spreadsheet below. In the example I averaged the "small" company at 100 users: a mix of some companies with 5 or 20 people and some with 200 or 300. As you can see, for Microsoft's middle-of-the-road Office 365 plan that equates to $168 million in annual revenue in my scenario of landing 10,000 of these companies.

Now let's look at my second example.  In this scenario, I assume that only 2,000 companies sign up for the cloud offering.  However, these 2,000 companies have on average 30,000 users (some higher/some lower).   In this scenario, using the same middle of the road Office 365 plan would result in annual revenue of 10 billion dollars...

Which would you rather have?  80% of the small companies or 20% of the large companies?  Obviously these aren't hard and fast numbers, but the 80/20 model is the base premise here.

Now it is probably pretty easy to see why my company, Optimal IdM, developed our Virtual Identity Server for Office 365 solution. This solution eliminates many of the most common deployment barriers for Office 365. In a nutshell, we make complex environments easier to manage and cloud adoption a snap! We charge a percentage of what Microsoft charges for Office 365, but as you can see, each new customer (they are typically large) represents substantial recurring revenue.

It is sort of like target markets in general. You would far rather have a product whose target market is anyone in the world than one geared toward a specific age, gender, etc. In terms of cloud, I would far rather have a smaller number of customers that represent the bulk of the user base.

By not supporting multiple AD forests in Office 365, or other data stores for that matter, Microsoft went after the low hanging fruit: the easy, non-complicated customers. That's where partners such as us come into play. We fill the gap and make adopting Office 365 fast and easy. We can take a customer to the cloud in a matter of days, regardless of the number of data repositories they have and without changing or touching their existing infrastructure. It is the easy, no-risk way to go to Office 365.

Saturday, July 21, 2012

Half a million clear text passwords hacked on Yahoo

Recently it was reported that Yahoo had almost half a million passwords hacked. That is bad enough, but what is worse is that the hack exposed clear text passwords! Really??? To quote tennis great John McEnroe: "You can't be serious!"

I understand that the code came from a company they acquired, but that doesn't matter at all to me and is simply no excuse. To me, that only strengthens the case for shorting the stock (not to mention 5 CEOs in 5 years)... They clearly didn't do any technical due diligence. While a full-blown review of the code they were buying might have been overkill, you sure would think they would have found that the passwords were being stored in clear text...

Unfortunately, password hacks seem to have been a theme lately (e.g. LinkedIn, eHarmony). LinkedIn got a lot of grief for not salting their password hashes. Apparently these developers aren't even advanced enough to know how to hash a password, let alone salt it.
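Since the post contrasts clear text, unsalted hashes and salted hashes, here is an added Python example (written for this page, not code from the post or from any of the companies named) showing the unsalted fast hash that makes a leaked table cheap to crack beside a per-user salted, iterated derivation with constant-time verification. The `pbkdf2_sha256$iterations$salt$hash` record format and the iteration count are conventions chosen for this snippet, not any site's real scheme.

```python
"""Password storage: an unsalted fast hash beside a salted, iterated KDF.

Added example. The record layout 'pbkdf2_sha256$iterations$salt_hex$hash_hex'
is a constructed convention for this snippet, not a real site's scheme.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # deliberately slow; raise it as hardware gets faster
SALT_BYTES = 16


def unsalted_sha1(password: str) -> str:
    """The weak practice: identical passwords give identical hashes, so one
    precomputed table cracks every account that shares a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a per-user record: random salt plus a slow, iterated hash."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, count_text, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        count = int(count_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # a malformed record never verifies
    if count < 1 or len(salt) < 8 or len(expected) != 32:
        return False  # refuse records weakened below the policy floor
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, count)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy, so it can be
    re-derived transparently at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    # Two users choosing the same password: the weak store leaks that fact, the salted one does not.
    print(unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))   # True
    a, b = make_record("hunter2"), make_record("hunter2")
    print(a == b, verify("hunter2", a), verify("hunter3", a))     # False True False
```

The salt defeats precomputed tables and hides which users share a password; the iteration count makes each guess expensive; `hmac.compare_digest` avoids leaking how many bytes of a guess matched through timing. Storing the parameters inside the record is what lets `needs_rehash` upgrade old entries without a flag day.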

A whole host of questions pop into my mind after reading this.  Here are a few.

  • Do you know what your cloud vendor is doing?  
  • Are they storing your password hashed? 
  • Is your sensitive data (e.g. credit card numbers) stored encrypted? 
  • Do they have off-site backups that are encrypted?  
  • Are their employees screened? 

Link to posting on CNN Yahoo

Tuesday, July 3, 2012

Microsoft's 6.2 Billion Dollar Writedown

Yikes! Microsoft reported yesterday that it took a 6.2 BILLION dollar charge, almost entirely related to the acquisition of aQuantive. They acquired aQuantive back in 2007 for 6.3 billion dollars, and at the time it was their largest acquisition. Since then they purchased Skype for 8.5 billion dollars, making that their largest acquisition to date.

For those not familiar with a charge/write-down such as this, allow me to explain. They basically said that they have NOTHING left from the acquisition. Nothing. Zilch. They basically burned 6.2 billion dollars, almost all of it due to the acquisition of aQuantive.

Wow! That isn't just a small, minor mistake. That is a major goof if you ask me. Lots of folks clearly missed the mark. The moral of the story for me is to take what a given vendor says to you with a grain of salt. When they lay out their vision and tell you "x is going to be the standard", know that it might not take. The public and industry at large might not adopt the technology or product. Lots of companies (not just Microsoft) are talking about cloud, SaaS, private clouds, etc. Is there widespread adoption? These companies are spending millions or billions on what they see in the future, not what is here today. What if they are wrong?

Microsoft clearly thought they were going to get something from this acquisition and valued it to the tune of 6.3 billion dollars. To have just a few years go by and say they got nothing from it is staggering (to me). It also looks to me like they tried to bury the news in a slow week around the 4th of July.

This also makes me look back at the Skype acquisition. I never blogged on that one, but I sure had plenty of thoughts on it. It didn't make sense to me when it happened and it doesn't make sense to me now. In fact, a debacle like this makes me second-guess Skype even more. Microsoft largely had all of the basic technology. Sure, Skype had the apps for phones (primarily iPhone and Android) and a substantial user base, but keep in mind the company also had a loss of 7 million dollars when it was acquired. Hmmm... Almost sounds like the fury back in the dot-com bust days: lots of hype over business models that hadn't yet shown they could turn a profit.

Microsoft does some pretty cool things, but they do make blunders.  I believe recent history here will repeat itself and in a few years Microsoft will find out that the Skype acquisition was not worth 8.5 billion dollars. 

A link to the press release can be found here

Wednesday, June 27, 2012

Internet Explorer is dead. Is Active Directory next?

I saw a post on a colleague's blog the other day that Chrome just surpassed Internet Explorer as the world's most popular browser. On the one hand it surprised me, and on the other hand it didn't. Not only has Chrome gained ground, but so has Firefox. The King is dead. Long live the King.

So my question is the following.  With all of the emphasis on the "cloud directory", is Active Directory on-premise going to suffer the same fate?

It may not be as far-fetched as some of you think... Let's look back at a few things in history. Take Novell's dominance in the LDAP directory space in the 80's and 90's. Few would have predicted that Microsoft would release Active Directory and nearly squash Novell in just a very few short years. Novell was the most widely deployed directory, and tons of small, medium and large businesses ran Novell eDirectory and NetWare. I was one of those folks who deployed and supported eDirectory and NetWare, having been a CNE (long since dropped from my resume).

Active Directory (even in its first version) was a very good directory/network operating system (NOS).  My belief, however, is that the demise of eDirectory had more to do with the fact that Novell rested on its laurels too long.  They did not continue to innovate and add significant features to eDirectory. 

So the question still looms: is Active Directory next? There have been very few enhancements to Active Directory in the last few years. Server 2012 does have some nice new capabilities, but not what I would consider significant. So will competition wake Microsoft up, or will there be a new King of directories/network operating systems (NOS) in this decade? While many have called for the death of the LDAP directory, I personally don't see it going away anytime soon (on-premise at least).

Still think I am way off base? Let's talk about Apple. Apple was nearly kaput. Stick a fork in them. They were done. Microsoft (for fear of the big Monopoly word) made an investment in them and bailed them out. What happened next, we now know, was nothing but pure genius. Apple is not a very large hardware or software maker. Nope. They are simply the richest company in the world with respect to market capitalization. Who would have made that prediction back then? I know I certainly wouldn't have!

So what does this mean to me? Well, my team over at Optimal IdM is hard at work on a lot of very cool things that we believe will truly innovate the industry. A key mantra of ours is interoperability. We listen to our customers very closely. We learn from them and work with them to build the solutions they need, rather than building something in a vacuum and trying to sell that to them.

Stay tuned for more exciting information from us on how we are revolutionizing how organizations manage their infrastructures. 

Who knows maybe Optimal IdM will be the new king of directories/NOS?

Friday, June 22, 2012

Microsoft Graph API for Windows Azure Active Directory

Shortly before Tech Ed, Microsoft announced their new Graph API for accessing the Windows Azure Active Directory (WAAD). The Windows Azure Active Directory is sometimes referred to as the cloud directory since it is used by Office 365.

The Graph API is a set of RESTful web services that allows you to access the entire identity system that is running in Microsoft's cloud. Optimal IdM has been working with Microsoft under NDA to integrate with, and provide feedback on the API.

Microsoft's Ed Wu did the official unveiling at his Tech Ed session, and this is where I also provided a live demonstration of our integration with the Graph API. It should be noted that the API is in preview mode, which is Microsoft speak for public beta. It is also not quite complete, as it currently supports read-only operations. Update capability will be coming shortly, with the final release likely coming in a few months.

As Ed points out in the session, the hope and plan is that all integrations with the cloud directory are performed via this API. The API is particularly interesting because it is a full-fidelity interface that gives anyone (customers/vendors) an alternative way to provision/de-provision to the cloud other than using their DirSync tool. DirSync is their Forefront Identity Manager (FIM) product in a locked-down configuration. They did have PowerShell cmdlets, but those did not offer all of the functions needed to truly provision/de-provision properly.

For us over here at Optimal IdM, we are particularly keen on leveraging this API for our Office 365 solution. Our VIS for Office 365 solution not only adds features and capabilities to Office 365, such as Denial of Service (DoS) detection and prevention, but also completely eliminates barriers that would otherwise have prevented customers from going to Office 365. A few good examples are multi-forest customers, or customers with a mix of user repositories. Leveraging our virtual directory, the synchronization components as well as the Federation components do not have to deal with any of the "ick". As soon as the full API is available, our VIS for Office 365 solution will use the API to manage all of the data in the cloud, without the need for DirSync.

In the demo, I showed how we created a new adapter for VIS that uses the new API. So while new applications can leverage the new RESTful API, we can allow any standard LDAP application to read/write to the cloud directory. That is pretty cool for all of those legacy applications! Keep in mind that this is not just Office 365 but also Azure as a whole. So if you are writing a new app, check out and use the API, but if you want to hook up your existing LDAP application (whatever it may be), then leverage our VIS solution.
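The adapter idea in this post, as an added Python example written for this page (it is not Optimal IdM's adapter and does not call the real Graph API): a subset of RFC 4515 LDAP filters (equality, AND, OR, NOT) is parsed into a tree, LDAP attribute names are mapped to the JSON property names of a hypothetical REST directory, `(objectClass=user)` selects the collection rather than being sent as a property, and the tree is rendered into a query-string filter; the reverse mapping turns a JSON document back into LDAP-style attributes for the legacy application. The property names, the `/users` path and the `filter=` syntax are assumptions made for the example.

```python
"""LDAP-to-REST translation for a directory adapter.

Added example with a constructed REST shape: the '/users' collection, the
'filter=' parameter and the property names are assumptions, not a real API.
"""
from typing import Dict, List, Tuple, Union
from urllib.parse import urlencode

Node = Union[Tuple[str, str, str], Tuple[str, list]]  # ("=", attr, value) or (op, children)

# LDAP attribute names an application expects -> REST property names (assumed mapping).
LDAP_TO_REST: Dict[str, str] = {
    "userPrincipalName": "userPrincipalName",
    "mail": "mail",
    "displayName": "displayName",
    "givenName": "givenName",
    "sn": "surname",
}
REST_TO_LDAP = {v: k for k, v in LDAP_TO_REST.items()}


def parse_filter(text: str) -> Node:
    """Parse the equality/AND/OR/NOT subset of RFC 4515; reject anything else."""
    try:
        pos, node = _parse(text, 0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def _parse(s: str, i: int) -> Tuple[int, Node]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            i, kid = _parse(s, i)
            kids.append(kid)
        if s[i] != ")" or not kids:
            raise ValueError("bad compound filter")
        return i + 1, (op, kids)
    if s[i] == "!":
        i, kid = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("bad negation")
        return i + 1, ("!", [kid])
    eq = s.index("=", i)          # raises ValueError when no '=' follows
    close = s.index(")", eq)
    attr, value = s[i:eq], s[eq + 1:close]
    if not attr or any(c in value for c in "*()\\"):
        raise ValueError("only plain equality matches are supported")
    return close + 1, ("=", attr, value)


def to_rest_filter(node: Node) -> str:
    """Render a parsed filter in the hypothetical REST directory's filter syntax."""
    if node[0] == "=":
        _, attr, value = node
        prop = LDAP_TO_REST.get(attr)
        if prop is None:
            raise ValueError(f"attribute not exposed by the REST directory: {attr}")
        literal = value.replace("'", "''")  # escape the quote delimiter, never interpolate raw
        return f"{prop} eq '{literal}'"
    if node[0] in ("&", "|"):
        joiner = " and " if node[0] == "&" else " or "
        return "(" + joiner.join(to_rest_filter(k) for k in node[1]) + ")"
    return "not " + to_rest_filter(node[1][0])


def ldap_search_to_request(filter_text: str) -> Dict[str, str]:
    """Translate an LDAP user search into a REST request; '(objectClass=user)' picks
    the /users collection and is dropped from the filter."""
    node = parse_filter(filter_text)
    kids = node[1] if node[0] == "&" else [node]
    remaining = [k for k in kids if k != ("=", "objectClass", "user")]
    if not remaining:
        return {"path": "/users", "filter": ""}
    node = remaining[0] if len(remaining) == 1 else ("&", remaining)
    return {"path": "/users", "filter": to_rest_filter(node)}


def build_url(base: str, request: Dict[str, str]) -> str:
    """Assemble the final URL with the filter percent-encoded as a query parameter."""
    url = base.rstrip("/") + request["path"]
    return url + ("?" + urlencode({"filter": request["filter"]}) if request["filter"] else "")


def to_ldap_entry(doc: Dict[str, str]) -> Dict[str, List[str]]:
    """Map a REST user document back to LDAP-style multi-valued attributes."""
    entry = {REST_TO_LDAP[k]: [v] for k, v in doc.items() if k in REST_TO_LDAP}
    entry["objectClass"] = ["user"]
    return entry
```

Unsupported constructs (substring matches, unknown attributes, truncated or trailing input) raise rather than being silently dropped, so the legacy application gets an error instead of a quietly different result set; the quote escaping in `to_rest_filter` is what keeps a filter value supplied by the application from rewriting the query sent to the REST side.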

In case you missed it at TechEd, check out the video here on Channel 9

For any of you Microsoft folks, we are presenting this at the upcoming Microsoft internal event TechReady, so find the session and come see for yourself.