Mike's Musings on Identity Management

Quest Acquires Symlabs Virtual Directory - And what EVERYONE missed about this acquisition!

2011-06-15T13:27:00.012-04:00

Quest recently announced the acquisition of Symlabs, a virtual directory vendor. There are several things that are interesting about the acquisition and I will explore some of them in this blog.

First and foremost is what Quest says in their press release, as well as what they don't say. As they state in the press release, the major reason for the acquisition is to embed the technology into the existing products that Quest sells. In fact, they had already done this integration for their Defender application, allowing them to not extend the Active Directory schema by virtualizing this in the virtual directory. As many of you all know, a virtual directory can be used to solve a myriad of problems and this was just one of them. Of course this was not the only application that Quest has that will benefit from the virtual directory technology. Quest has a host of products and that is one of the reasons that this acquisition was so compelling for them, as it is not a one trick pony.

Something that is specifically not said in the press release is any mention of Quest selling the virtual directory independently. All accounts are that Quest will not be selling the product independently. This is not a real surprise either since selling a virtual directory solution is a pretty technical sale and not one suited too well for an organization like Quest.

Here is perhaps the most interesting thing about the acquisition that I believe EVERYONE has completely missed. It is no secret that Quest's Jackson Shaw was the primary influencer behind this acquisition. But now let's start with some history to see why this is so darn interesting (at least to me). Once upon a time (1999-to 2005) Jackson was a product manager for a fairly well known company called Microsoft. He was specifically in the Active Directory group. I even had the pleasure of working with him while working at a different Microsoft partner at the time, OpenNetwork.

Now we are getting to the interesting part. How did Jackson come to find himself at Microsoft? The same way that Kim Cameron (recently resigned from Microsoft) landed there. A little old company that they were a part of called ZOOMIT. Yes, the company that basically invented the metadirectory. Of course this product has gone through many name changes over the years at Microsoft but the core is still there. It was MMS, MIIS, ILM and now it is called FIM.

Jackson was a VP of sales at ZOOMIT, but as with many small companies that was just one hat he wore at the company. Suffice it to say that Jackson was very involved in the architecture and design of the worlds first metadirectory. I can tell you first hand that when you are involved in developing a product like this, you tend to be passionate about your product and technology. I know I sure am passionate when it comes to our Virtual Identity Server product and virtual directories in general.

So why is this history lesson so important? Well, let's take a look at what Jackson thinks now. A little more than 10 years later and one of the fathers of the metadirectory is quoted by Dave Kearns as saying "Let's be honest. The metadirectory is dead. Approaches that look like a metadirectory are dead".

Wow! That is a pretty big about face if you ask me! Insert your favorite analogy here... Such as the vegetarian who suddenly switches to meat only.

The point of this is not to debate whether the metadirectory is dead. In my opinion, the bigger point is how this demonstrates that Jackson kept an open mind to new technologies. It would have been really easy for him to keep "blinders" on and to attack all problems with the same answer (synchronization). Instead, Jackson has seen that there is more than just synchronization and that virtual directory technologies often complement a synch process. I know many great technical people who are of the opinion that synchronization is ALWAYS the answer.

Back in 2009, his blog had a pretty interesting quote as well.

"Are meta-directory and virtual directory products melding – blurring the lines between themselves? Yes, and it’s high time that they did.

Generally speaking, I think a customer can benefit from both of these technologies so why not use one product for that? Simple is always better. A virtual directory is the perfect veneer to stick on top of your directory infrastructure(s) because it allows you to swap underlying directory pieces in and out as your business changes."

I think he pretty much nailed it with this quote and I believe every customer that is using a virtual directory would whole heartily agree with his statement.

RSA hacked!

2011-03-23T14:40:00.004-04:00

This brings back memories of that Alanis Morrisette song “Ironic”. A security firm being hacked is akin to the fire department burning down. It’s simply something you wouldn’t expect to happen.

Now that it has, it is all about how big of a breach it was. As of today, that is not clear at all. The CEO’s open letter, was rather vague and didn’t give the details. I have seen a few blog entries from Mark Diodati that speculate as to what might have happened. It is an interesting read, but conjecture for the moment.

There are hundreds of the largest companies in the world using RSA’s SecurID product to provide two factor authentication into corporate networks. The ripple effect here could be huge. I know that many of Optimal IdM's customers utilize SecurID for their two factor authentication needs.

The question in my opinion is how will RSA handle this in the next few days/weeks? Will they handle this like the Tylenol scare of 1982 where Johnson & Johnson did by most accounts an excellent job of handling a recall, or will this be a ValueJet disaster? In my opinion, right now no news is bad news. RSA needs to hit this head on with what happened and what the level of risk/exposure is there for customers.

SearchSecurity quotes sources that say they believe the hack is limited. Again, this is simply conjecture at the moment. Let the FUD begin from RSA's competitors...

Quest Software and recent acquisitions

2011-02-17T19:02:00.002-05:00

I noticed on Jackson Shaw’s blog that identity management is big over at Quest these days with recent acquisitions and more to come. Interesting. Let me take you down a path and then pose a question.

Back in 2004/2005 Oracle took an honest look at their identity management stack and realized that customers really did want a one stop shop (if it was possible). Sure it is a lofty goal to have every identity management tool, but they did look at their gaps of standard identity management tools such as Single Sign On and User Management (Oblix) , Provisioning/De-Provisioning (Thor), Virtual Directory (Octet String) and filled them via these acquisitions. There was a little overlap in the products, but actually very little.

Sure Oracle could have gone out an developed them from scratch, but that would have taken many physical years (and a ton of "man" years) to get to the features and functionality (and stability) of these products that already had a solid customer base and were good, mature products. Buying the technology (and the people who built it) and re-tooling it for their purposes was the path they chose. I know most of these products have now had “Oracalized” versions released with greater integrations between them.

So the question asked looking backwards is: Did Oracle make the right choice? Well I think the obvious answer is a resounding YES. I’ll give two reasons. One, look at the stock price from 2005 to now. Sure Oracle has made other acquisitions, etc. but overall they have performed very well and Wall Street has agreed. If I compare Oracle stock to say Microsoft’s over this period I believe it is a yes as well.

Two, look at market share specifically in identity management. Oracle leap frogged ahead of the competition and took a resounding lead. Analyst firms clearly put them out in front.

So now my question today is: Is Quest the new Oracle in identity management? And if they are, who are they going to take the business away from? Oracle, IBM, CA, Microsoft? Obviously we here at Optimal IdM partner heavily with Microsoft. Forefront Identity Manager (FIM) is selling well and we fill their virtual directory gap they have with our Virtual Identity Server (VIS) solution. While we aren’t Microsoft, our products are built with their technology and leverages & extends the existing investment that a customer has already made.

So what is Quest’s strategy on identity management and who do you think has the most business to lose?

BTW – I do believe that is truly a “lose” scenario. Sure, the identity management market gets bigger each year, but how much bigger? Not that much in a relative sense. Someone at a major un-named vendor told me once that they don’t have any way to track how much business they lose. When you look at it this way, it is really easy. It is simply the sum of revenues of your direct competitors. If a customer purchases Oracle's IdM solution over Microsoft's, well Microsoft lost that deal (even if they weren't aware of it).

Come on folks, it’s not like we are talking rocket science, or developing a virtual directory, which is trickier than you might think!

Part 2 - Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

2011-02-12T10:49:00.006-05:00

This is Part 2 of why I believe implementing Claims security for Marriott is a poor choice. I'll try and keep this relatively brief and point out 3 main reasons.

1. As I laid out in Part 1, basically Marriott giving discounts is a cost of doing business. The fact that they are giving it Microsoft or Quest is irrelevant. Implementing Federation and Claims does nothing to enhance their bottom line. Further, they would still have to maintain and support their existing User ID and Password authentication that they have today for all of the users companies that don't Federate with them. They wouldn't get 100% of all companies would they?

2 - A key mantra that we at Optimal IdM have preached is the following. "When solving a given problem, minimize (and avoid if at all possible) creating new problems." There are several ways that implementing Federation and Claims would introduce other issues.

Here is just one of them that came to mind. Here is the scenario to consider. Jackson is an employee of Quest and Quest implements Federation/Claims with Marriott. So as Jackson hits the Marriott website he is redirected to Quest to authenticate. He authenticates the local ADFS at Quest using his Quest's credentials and a claim is presented to Marriott. All is well in Jackson's scenario.

Now let's suppose Jackson gets fired from Quest (don't see that happening but go with me here). Hmmm... When this grand Federation thing was underway, Jackson would have ultimately authenticated using his Quest credentials, right? So how in the world is Jackson going to authenticate and "prove" his identity to Marriott now? In a 100% pure Federation model you would have no way of authenticating. Sorry Jackson you just lost all of your Marriott points!!! Will the real Jackson Shaw please stand up?

In my view, when it comes to you authenticating to Marriott it has a lot more to do with your "personal" identity and not your corporate affiliation. Of course one answer to that would be to use one of the public identity providers and not the individual companies, but then you are once again relying on Jackson to keep his profile up to date with his current company.

3. In the end, the biggest reason is this. Federation is fundamentally a Single Sign On solution. Don't try and make it more than what it is. It is a great answer for on-premise to the cloud, but not this scenario. Marriott does not have a SSO issue.

I believe the biggest reason for the confusion on scenarios such as this is that Claims ties authentication with authorization. That can make it very difficult to manage effectively in a decentralized fashion. Managing on-premise as well as cloud security is relatively in it's infancy and everyone is just now learning the limitations and issues.

The team at Optimal IdM has been hard at work on our cloud solutions, working closely with key customers and partners. In fact, we will be announcing soon some of the new solutions we have developed to help organizations manage claims authorization. From what we are seeing, it looks like this will fundamentally change the way organizations manage cloud security. More on that subject when it is ready for public consumption.

Optimal IdM’s Virtual Identity Server has saved customers over 1 Trillion Dollars to date!!!!

2011-02-09T11:34:00.008-05:00

I am back on the blogging bandwagon. Did that headline get your attention? I thought it might. So, what was the impetus for the headline? Well, it is in response to my colleague Jackson Shaw’s blog entry indicating that Marriott is losing millions by not supporting claims. Matt Flynn then chimed in and said that $$$ = motivation and perhaps that would spurn them on to support claims.

Well, I have a different spin on this and I’ll attack this in a two part blog. Part 1 is here and outlines why Marriott (in my opinion) is not losing millions by not supporting claims. First of all, I want to say that I like the claims model and it works in many situations. In fact, Optimal IdM will soon announce some very interesting news around our further integration with the claims model, but that is a topic for another day.

Now on to my theory. As with politics, two things are important to remember. One, follow the money. Two, the devil is in the details (Yes, you should read bills prior to passing them). Let’s look at Marriott’s business model. They sell hotel rooms. There are a finite number of rooms in a given hotel. There are fixed costs of the hotel (taxes, wages for staff, etc.). Whether Jackson stayed at this hotel that night or not is not going to change this hotels fixed costs. There are, however, variable costs. For a typical hotel like a Marriott Courtyard it costs about $20-30 to cover the costs of housekeeping, soap, coffee in room etc. That is “basically” the cost of goods sold. Therefore, selling any room over the variable cost makes good business sense as it is profitable. The only question is how much of a profit.

The fact that Jackson used to work for Microsoft and they are giving him a $10 discount is moot. Why? Because if they set up this grand federation scenario where they would now Federate with Quest (his current employer), they would likely have to give that same $10 to Quest. There is NO net revenue gain. Only if they could guarantee that they would not have to give the discount would it make sense to spend the bucks to re-do what they already have in place. And then you would have to (or really should do) a cost benefit analysis and a payback scenario. Plus, in part 2 I will outline the gotchas that this would add.

I almost always check the check box to get the AAA discount, but very rarely am I asked to prove it with my card at hotels. The fact of the matter is these discounts are factored into their business. Marriott would far rather have $10 less from me or Jackson then to have us go to Hilton or some other chain.

One other thing to think about. Those discounts go out the door when the hotel is at maximum capacity. At that point, everyone including road warriors with the highest status pay the rack rate. It really is simply a matter of supply vs. demand. Sorry Jackson I agree with you on many things, but this is not one that I can agree with. This is one thing that claims will not solve!

Stay tuned for Part 2 of all of the reasons I believe Federation/Claims is a poor choice for this scenario. I am sure I will use this as an example of when someone should not Federate in my speaking session at Quest’s The Experts Conference. My topic is When to Synchronize, When to Virtualize and When to Federate – Which is the Right Solution and When?

When to Synchronize, Virtualize and Federate data in the Enterprise

2010-04-14T09:35:00.005-04:00

So I am getting back on to the blogging bandwagon... Why?

A primary reason is that in any given day I seem to get asked similar questions by partners, prospects and partners. Of course getting asked the same question isn't necessarily a bad thing, but it does indicate that these folks (and I am sure others) don't know the answer. I am sure there are a whole other group of people who have the same question but never ask the question.

So I hope to cover from time to time some of the "FAQ's" on not only our product the Virtual Identity Server http://www.optimalidm.com/vis/, but also virtual directory questions and how they relate to other areas of identity management.

Along those lines today, I am posting this blog entry to highlight a new white paper available on our website today. The title is "When to Synchronize, Virtualize and Federate data in the Enterprise" and can be on our website here: http://www.optimalidm.com/products/VIS/Downloads.aspx. It is basically a summary of a session I did a few years ago at The Directory Experts Conference (now The Experts Conference http://www.theexpertsconference.com/). Optimal IdM is a Gold Sponsor this year, so please do stop by and see us at the show April 25th to the 28th in Los Angeles.

Comparing these technologies and figuring out when to use which is still one of the most frequently asked questions that I see. This white paper doesn't dive into all of the details, but does give you the highlights. If you are interested in diving into this in more detail, then you will want to attend one of our upcoming Webinars that we are doing on this topic. Check out our website http://www.optimalidm.com/ or drop me a note if you are interested.

BTW - I should point out that any decent sized enterprise likely needs to leverage ALL of these technologies. I am not the only one saying this, but more on that later.

To cache or not to cache?

2009-02-17T09:20:00.024-05:00

Well it is time to dive right in to this blogging thing with a topic that always seems to come up with virtual directories and that is the subject of caching. It always seems to be a lively debate/discussion, so here are a few of my thoughts on two of the most common questions.

Question 1: Do you need to cache data with a virtual directory?

Being a consultant for many years, I have to give it my stock answer (and the right one IMHO) and that is "it depends". As with any application or system you are designing, the requirements and the environment should dictate the design. For example, some of our clients use the Virtual Identity Server for SharePoint edition of our virtual directory to quickly and easily stand up a SharePoint instance that can authenticate people from an External Active Directory forest and an Internal Active Directory Forest. For this type of cross-forest authentication deployment, there is probably not a need to cache this persistently or in memory.

Question 2: If needed, does this cache NEED to be persisted?

I know of one virtual directory vendor that is adamant that cache MUST be persisted. Yes there are times when a cache should be persisted, but saying that the cache always needs to be persisted just doesn't make sense to me. Perhaps they need to persist cache to overcome performance problems in their core engine and can't run sufficiently without it.

Yes, I believe a virtual directory should support both memory and persistent caching, but more importantly it should be architected correctly within the product and not be a hack add-on just to have a check mark on the features list. Keeping track of what each vendor supports can get confusing and sometimes it is misstated.

Mark Wilcox for example, posted in his blog that "OVD does provide a Cache plug-in that is granular - you can apply it globally or per adapter. It also doesn't require any other data-store (or software license, neither of which our competition can currently claim)."

While our Virtual Identity Server (VIS) virtual directory is focused on the more Microsoft centric shops, we are a virtual directory and therefore I suppose a competitor to OVD. With that said, the statement is not true. VIS does not require a separate data-store or software license to use caching. In fact, VIS doesn't require the installation of a custom plug-in to support caching. It is built right into the core engine and is a simple point and click configuration change in the GUI. VIS supports caching not only globally and per connection, but optionally down to which object classes you want to cache.

I think Matt Flynn sums it up well when he closes his post on the subject with, "My opinion is that it's a nice feature to have in the tool bag when needed, but it's not always needed."

Greetings

2009-02-08T13:51:00.014-05:00

Greetings everyone. My name is Mike Brengs and I am a Managing Partner at Optimal IdM, a software and consulting company based in the greater Tampa Bay Florida area that specializes in identity management. We are also the developers of the Virtual Identity Server, which is a Microsoft .NET LDAP Virtual Directory.

This is the first of what hopefully will be many blogs that I post. Why am I blogging? Good question and I am glad that your reading. The old tree falling in a forest quandary comes to mind... One of the reasons I am writing is because I am the "resident IdM evangelist" at Optimal IdM and along with that job I spend part of my time doing workshops, speaking engagements, etc. This extra role suits me well because for those of you who know me, know that I do tend to speak my mind.

Of course speaking publicly on a subject matter where I have some expertise is one thing. Going on the record and posting your thoughts and beliefs for everyone to read is quite another. This must be how politicians feel, where words can be taken out of context and scrutinized. Hopefully I won't make to many goofs and if I do can find some syrup for my waffling. Almost daily I will see a blog posting, read a newspaper article, or talk to a customer or analyst and think to myself; "If I had a blog, that sure would be a good post..." So in the end, I believe I have some thoughts and comments that a few of you out on the Internet might want to hear and find valuable.

One of the main areas that I will focus on is LDAP Virtual Directories (our Virtual Identity Server product is an LDAP Virtual Directory). As I talk to people, I find that many people are either not familiar with or have the wrong understanding of what an LDAP Virtual Directory is or how this can be applied to solving real problems for organizations. I am always amazed when I talk to our customers at the unique ways they are using the technology and in the end I hope you will too.

So I hope you will enjoy reading my blog and find it useful and informative. If you don't like my blog, then please send me your name, Social Security number, date of birth, Mother's Maiden Name and your Bank Routing Information. I will issue a refund of your monies paid immediately.