Jackson's Identity Management & Active Directory Reality Tour Travelblog

SCIM, PEX and what the parrot saw

2012-01-11T22:26:00.000-08:00

I was talking with my older son the other day about renovations. He’s worked a lot on house renovations over the years and has a lot of experience dealing with the usual suspects: plumbing, flooring and drywall.

During the conversation I asked him about using PEX tubing for plumbing renovations. PEX is a fairly new innovation in the plumbing world and it seems like an interesting replacement for copper piping and all the cutting, bending and soldering fun that comes along with copper. Chris’ response was interesting: “I wouldn’t use it in a job until it’s been tried true and tested for 20 years.” A lively debate on old-school versus “cool” quickly ensued. Further discussions with plumbers found a camp of “Never used it” to “Prefer it”.

How does this relate to SCIM (Simple Cloud Identity Management)? Well, we now have this brand new piping called SCIM. But so far there are very few plumbers or contractors that are using it. The fact that we’ve got this cool new standard is, unfortunately, not going to mean that all the plumbers and contractors are just going to swap over from their tried-and-true (copper) standard to PEX (SCIM).

Don’t get me wrong. The guys at salesforce.com, Google and others have done an awesome job inventing this new tubing – and it was done in record time. Everyone involved in the invention of SCIM deserves credit. But, we need some plumbers and contractors to start using it in anger. The fact of the matter is until we get more plumbers and contractors using SCIM we are looking at a long uptake cycle unfortunately.

I still bear the scars from the “build it and they will come days” of X.400, X.500, OSI, token ring, Meridian LanStar, the Defense Message System (DMS) and my personal favorite: the back-of-a-cocktail-napkin (literally) LIPS standard. I’m hoping SCIM will not follow the same path but neither I nor the group involved in inventing SCIM can snatch success from the jaws of failure without that help.

Will Quest Software support SCIM? Absolutely – as soon as customers start demanding it and ISVs start building it into their products.

P.S. Please see Sean Deuby's excellent overview article in WindowsITPro on SCIM.

Like this post? Please +1 it or tweet it (below)!

Technorati Tags: SCIM,simple cloud identity management,identity management

Sudo video

2012-01-10T08:58:00.000-08:00

Last month I blogged about our release our Sudo plugins for sudo 1.8.1. There’s a short two minute video that Jason Fehrenbach recorded that highlights some of the key features of these plugins. Take a look at the video to get a quick overview of the reports that you can run that show the access and privileges a Unix user has per host, examples of the event log, accepted and rejected commands by user or host. There’s also an example of the keystroke playback of a successfully executed sudo command session. Good stuff!

Like this post? Please +1 it or tweet it (below)!

Technorati Tags: identity management,sudo,Quest Software,QSFT,privileged identity management

Access Request Portal in Quest One Identity Manager

2012-01-09T20:45:00.000-08:00

Late last year I highlighted a Quest One Identity Manager (Q1IM) video about “Self-Service Provisioning”. There’s also a video that highlights the Q1IM Access Request Portal that’s about three and half minutes long.

Barry Gerdsen highlights the Access Request Portal, the WYSIWYG editor for customizing the portal and gives an example of the various tables, charts and graphs that you can easily include in the portal. The portal can help you sift through your identity data to turn it into actionable information and knowledge.

If you have a few minutes take a look!

Like this post? Please +1 it or tweet it (below)!

Technorati Tags: identity management,Quest,QSFT,Quest One Identity Manager,Voelcker,self-service

Top 10 Common Passwords

2012-01-05T05:00:00.000-08:00

I was going to title this “Popular Passwords of 2011” but unfortunately I can’t find the original FBI article referred to in the January 4, 2012 article in the Los Angeles Times: “Some passwords are easy for hackers to crack”

According to the article the top ten most common passwords used are:

1. password
2. 123456
3. 12345678
4. qwerty
5. abc123
6. monkey
7. 1234567
8. letmein
9. trustno1
10. dragon

It would be interesting to do an audit of a company to see how many of their users have passwords in the top 10. I really wouldn’t have guessed “monkey” or “dragon” were a favorite but what do I know? I hope no one has a privileged user account out there protected with any of the top 10!

Technorati Tags: identity management,privileged identity management,privileged account management,security

Quest in the ‘Challengers’ Quadrant for User Administration

2012-01-03T17:20:00.001-08:00

Quest Software has been positioned in the “Challengers” quadrant in Gartner Inc.’s 2011 Magic Quadrant for User Administration. We were recognized for “Completeness of Vision” and “Ability to Execute”.

We were rated much better than last year and, I believe, that’s partially in recognition of both the acquisitions we have made and the hard work of all the folks in sales, marketing and product management.

Yes, we still have a long way to go but we aren’t resting on our laurels. As you know, we acquired BiTKOO a few weeks ago and their technology and products are going to take us even further towards offering not only best-of-breed products but a simpler, easier to implement IAM suite – an IAM suite that incorporates leading-edge technologies like XACML-based authorization management integrated across our whole portfolio.

We’re all looking forward to 2012 and the challenges it will bring us! Happy New Year to everyone!

Technorati Tags: identity management,QSFT,Quest Software

Quest Acquires BitKoo and Dives Into Authorization

2011-12-19T07:18:00.001-08:00

Back in the mid-90’s Netscape’s release of their LDAP directory product heralded the beginning of many companies starting to centralize identity information and authentication. Over the last few years many companies have started to struggle with all of the applications they have – especially web-based apps – and how they could possibly externalize their authorization processes. There’s been an OASIS standard defined for authorization called XACML and a number of ISVs have built software that leverages XACML.

Quest has chosen to move forward with BitKoo as our “big bet” in the authorization market. We feel that BitKoo provides the best fit for our customers with their .NET-based architecture, their plugins for SharePoint and their overall capabilities and architecture. And, with all of our privileged account and other identity management products we have a natural fit for BitKoo's software.

I’m looking forward to working with the BitKoo team!

Technorati Tags: BitKoo,authorization,identity management

Quest Releases Privileged Account Management Plugins for Sudo

2011-12-15T06:46:00.000-08:00

Most every company out there that uses Unix or Linux is also using Sudo to manage delegation of root privileges. The only alternative for additional capabilities like centralized policy management or keystroke logging was an expensive privileged account management product - until today with the release of our plugins for Sudo.

Quest's Privilege Manager for Sudo plugins provide a central policy server that eliminates the need for box-by-box management of sudoers files, and offers visibility and relevant reports on Sudo policy and use, including access control; separation of duties; and policy tracking, versioning, and change history. Privilege Manager for Sudo enables users to continue to use Sudo as the enterprise-wide primary privileged account management solution for Unix/Linux systems. This results in no end user or administrator retraining requirements, fewer help desk calls and a faster time-to-value.

Joab Jackson at ComputerWorld interviewed me for an article he wrote on this which you can find here. The software is available now and Quest has included 10 licenses at no-cost if you want to try it out at your organization!

Self-service Provisioning with Quest One Identity Manager

2011-11-08T09:58:00.000-08:00

There’s a great 5 minute video that gives a nice overview of the self-service provisioning capability within Quest One Identity Manager. I’ve embedded it below or you can get to it here. There are a few key things worth highlighting about this demo that I think you’ll be interested in so watch for:

How Scott Harris – the approver of Candice Clark being provisioned – is given an indication that there are no separation of duty (SOD) conflicts apparent if Candice is provisioned. What is cool here is that this SOD check is built right into the approval request. This helps move compliance front-and-center to the business manager who is responsible for approving the request.
Scott can also easily see the history of the request. In a more complicated scenario Scott would be able to see who else was involved in the workflow request, who initiated the request and via the same interface Scott can also see the next decision steps for the workflow.

Rather than different interfaces for compliance and complex workflows it is possible for business managers to easily understand that they have provisioning requests waiting for them, why they got the request, if approving the request would violate any compliance rules and who else might be involved in approving the request.

These types of capabilities really enable business owners in an organization to participate fully in their company’s identity and access governance initiatives.

Technorati Tags: identity management,Quest Software,QSFT,access governance,access management,data governance

Quest Authentication Services now IBM VIOS Certified

2011-10-24T09:17:00.000-07:00

Quest Authentication Services (QAS) 4.0 was recently awarded IBM Virtual I/O Server (VIOS) certification.

“VIOS allows a single machine to run multiple operating system (OS) images at the same time but each is isolated from the others. This logical partition (LPAR) controlled by the HMC or IVM that owns hardware adapters like SCSI disks, Fibre-Channel disks, Ethernet or CD/DVD optical devices but allows other LPARs to access them or a part of them. This allows the device to be shared. The LPAR with the resources is called the VIO Server and the other LPARs using it are called VIO Clients. For example, instead of each LPAR having a SCSI adapter and SCSI disk to boot from they can shared one disk on the VIO Server. This reduces costs but eliminating adapters, adapter slots and disks.”

Like a post? Please +1 it below. Thanks!

More on privileged account (mis-)management

2011-10-20T20:53:00.000-07:00

Check out this story I read on InformationWeek: Are Your IT Pros Abusing Admin Passwords?

Just goes to show you that this is a problem that is nearly endemic due to the fact that we have far too many passwords to remember - and that includes privileged account passwords.

42% report that IT staff freely share passwords and access to multiple business systems and applications.
25% of survey respondents said that at least some of the superuser passwords that grant all-access rights to hardware, applications, or databases were less complex than the business' end-user password policies required.
48% of survey respondents reported that privileged account passwords at their business had remained unchanged for at least 90 days.

It's only getting worse with more and more cloud applications and services being used. What's going on with your admin passwords for salesforce.com, for example? What are you going to do about Office365? Exactly.

Privileged Identity Management (PIM) Market to Grow 24% Through 2014

2011-10-19T07:39:00.000-07:00

I came across this report yesterday. Not surprising to see the following statement highlighted:

One of the key factors contributing to market growth is the growing compliance requirements.

Hopefully, we have all come to realize that the reason for many software acquisitions in this area - identity and access management - are to help companies meet compliance requirements. And, that most of the components of an IAM suite enable a customer to better comply with these regulations.

Update: Martin Kuppinger sent me an email and made a couple of good points that I felt were worth highlighting:

24% CAGR growth is too low. I agree! The issues around privileged account/identity management are only growing. We've seen some great examples recently of how poor controls around privileged accounts have led to some IT disasters. And, as the report highlights, compliance regulations aren't getting any easier.
It's easier to be compliant when PxM (Privileged whatever Management) becomes tightly integrated with Provisioning and Access Governance, unlike today, where we frequently see things done separately for "normal" and privileged accounts, users, and identities. This is very true. It isn't really possible to consider PxM outside of provisioning and access governance any more. The days of just managing "root" on your Unix boxes are long gone. In fact, I wonder how companies are going to handle their Office365 administrative account? How they handle their Salesforce.com privileged accounts? PxM needs to include the cloud too!

Technorati Tags: privileged identity management,identity management,QSFT,Quest Software

Achieving PCI DSS Compliance with Quest One Solutions for Privileged Access

2011-10-04T10:08:00.000-07:00

We just published this whitepaper. It’s pretty hard to over-emphasize how the management, control and audit of both shared/privileged account passwords is mandatory in meeting PCI requirements.

Like all regulatory requirements, there is no single product or policy/procedure that can assure compliance! PCI compliance requires that your enterprise deploy many security technologies, and have specific policies and procedures in place.

This white paper focuses on the unique issues and solutions associated with both privileged password management and remote vendor access in meeting PCI compliance requirements. Many of the requirements highlighted cannot be resolved or adequately addressed by existing enterprise security technologies such as firewalls, VPN and IDS solutions. Existing legacy policies and procedures are also unable to meet many of the requirements standards presented under PCI.

Technorati Tags: PCI,Quest Software,QSFT,EDMZ,identity management,compliance

Microsoft, BHOLD and what the parrot saw

2011-09-23T22:29:00.000-07:00

Microsoft has acquired certain assets of BHOLD, a leading provider of identity and access governance functionality. BHOLD will continue as an independent entity. The terms of the deal will not be disclosed. Roadmap and licensing will be announced later.

Both Ian Glazer (Gartner) and Martin Kuppinger (Kuppinger Cole) blogged about the acquisition today. I’m the parrot and here’s what I saw after reading the announcement:

It was an acquisition of “certain assets” of BHOLD. So basically the IP (software) got bought leaving behind debts and various other obligations.
The “certain assets” apparently didn’t include the customers: “Current BHOLD customers’ support experience for their current products will remain the responsibility of BHOLD.”
As Ian Glazer says: “Voelker was acquired by Quest. BHOLD is now Microsoft. This leaves Omada standing alone.” The guys at Omada have big egos so I hope this is a wake up call for them. I think you’re FIM-software days might be numbered.
Ian further says: “This is a sensible deal for Microsoft. Forefront Identity Manager lacks IAG capabilities and an acquisition strategy makes perfect sense.” I agree. It is a sensible deal. But Ian asks the excellent question of how and when the BHOLD goo will show up in FIM. Integrated? Stand-alone? No one knows at the moment but we’ll probably hear something from Microsoft on this topic soon.
Ian also said: “Catch that last bit? Authorization management. BHOLD had some interesting ways of behaving like a PDP for SharePoint.” I actually think this bit might be more important to FIM’s long-term cloud management aspirations. Again, we’ll probably hear something from Microsoft on this topic soon.

So net-net this was a good deal for Microsoft. And what does the parrot see as the top 3 things Microsoft needs to do now that they have acquired “certain assets”?? Execute, execute, execute.

Technorati Tags: identity management,Microsoft,BHOLD

How to ensure Active Directory availability

2011-09-22T13:17:00.000-07:00

We’ve released a white paper on this topic that you can find here (registration required) or here.

Today’s IT organizations refer to Active Directory as the ―heart of their infrastructure. Active Directory sits at the center of a Windows-based environment, and without it, the entire network can become useless. Because Active Directory is the key to the authentication and authorization functions that grant users access to nearly every resource they use throughout the day, an impaired Active Directory can cause performance, security, and availability problems throughout the network.

To manage Active Directory successfully, you’ll need tools to monitor its health and detect impending problems, as well as tools that can help correct those problems and even help you recover from a failure.

This paper explores some of the key capabilities you need to maintain a healthy Active Directory infrastructure, and examines techniques and technologies that can help recover from a failure, mistake or other problem condition.

I'll put a plug in for Spotlight on Active Directory. This is an awesome tool. In fact, if I was an AD admin or concerned with AD operations at all I'd have Spotlight on Active Directory at-hand or - at a bare minimum - bookmark the link to download it if I ever needed it: http://www.quest.com/spotlight-on-active-directory-pack/. The fact of the matter is we offer a fully functional 30-day evaluation license. So, if you ever find yourself in a bad situation you should download it and get some free diagnostics. It might just save your butt.

Technorati Tags: Quest Software,QSFT,Active Directory,Spotlight on Active Directory

Escalation Engineer – Identity Management in the UK

2011-09-15T01:18:00.000-07:00

If anyone out there is interested in a position at Quest in beautiful Somerset here’s a link to the job here. Feel free to e-mail me if you’d like to get more info or an introduction.

We are looking for an extremely bright individual with a solid background in IT to join our highly skilled, customer-focused team of escalation engineers for our first-class Identity Management solutions. Escalation engineers provide expert technical support for advanced issues, and act as a critical link between Quest Support and the engineering teams. If you have systems administration or technical support experience in either a Windows Active Directory or Unix/Linux environment, and can demonstrate a passion for problem-solving, then we want to talk to you.
We are always looking ahead at cutting edge technologies, so this is a fantastic opportunity to get your career off to a great start or simply to keep you ahead of the curve working for one of the top companies in the industry. Through Quest Software’s award-winning solutions, our customers can get more from their IT investments; we attract and hire only the best to deliver our commitments to our customers.
This role is based in Somerset, UK at one of Quest’s global Research and Development sites.

Technorati Tags: QSFT,Quest Software

FISMA Security Guide for Quest Password Manager

2011-09-12T08:49:00.000-07:00

We just released guidance on the security features of Quest Password Manager. It reviews access control, customer data protection, secure network communication, and more. There is also an appendix that describes how Password Manager’s security features meet the NIST-recommended security standards as detailed in the Federal Information Security Management Act (FISMA).

You can download a copy from here (registration required) or here.

Technorati Tags: QSFT,Quest Software,Quest Password Manager,security,identity management,FISMA

ActiveRoles Server European User Group 2011

2011-09-09T09:53:00.000-07:00

16:00 – 19:00 Sunday, 16 October
InterContinental Frankfurt

http://www.theexpertsconference.com/europe/2011/general-information/quest-user-groups/

We’re pleased to introduce this ActiveRoles Server user group meeting to “The Experts Conference”. This meeting will bring together users for an interactive discussion around best practices and roadmap plans. Join the ActiveRoles Server product, development and program manager team as we discuss best practices for ActiveRoles Server’s AD Windows Security, delegation and day-to-day Active Directory management. We’ll cover integration scenarios, group management, and more. Join us for an information-packed session!

For more information and to register, please email: Allison.Main@quest.com

Technorati Tags: QSFT,Quest Software,ActiveRoles,ARS,TEC,The Experts Conference

IT staff member wipes out company’s servers–after he was terminated!

2011-08-22T09:06:00.000-07:00

I read this InfoWorld article this morning and figured I’d pass it on. It’s yet another story where a terminated IT staff member subsequently does something bad.

Logging in from a Smyrna, Georgia, McDonald's restaurant, a former employee of a U.S. pharmaceutical company was able to wipe out most of the company's computer infrastructure earlier this year.
Jason Cornish, 37, formerly an IT staffer at the U.S. subsidiary of Japanese drug-maker Shionogi, pleaded guilty Tuesday to computer intrusion charges in connection with the attack on Feb. 3, 2011. He wiped out 15 VMware host systems that were running email, order tracking, financial, and other services for the Florham Park, New Jersey, company.
…

Using vSphere, he deleted 88 company servers from the VMware host systems, one by one.

I sure hope Shionogi had an effective backup policy in place. Aside from that, I wonder how long it will take for IT to understand the importance of de-provisioning an employee and better access control around privileged account management?

A few weeks ago I overhead someone saying that identity management was passé. I don’t think so! This is a great example of how far we still have to go…

Technorati Tags: identity management,privileged account management

Why wouldn’t you federate to Office 365?

2011-08-12T09:46:00.000-07:00

I don’t get it. Obviously I have blinders on. Apparently there are companies that prefer password synchronization – or nothing – between their corporate Active Directory and Office 365. Why?

Is it because setting up ADFS requires corporate ITs involvement? Is it because ADFS is perceived to be too difficult? Do they feel they are exposing their Active Directory on the internet so there’s a security risk? I’m not getting clear answers when I try to dig into this. I’m having trouble understanding why a company wouldn’t want to enable single sign-on. Do they not understand the benefits of single sign-on from the perspective of reducing password confusion, reducing helpdesk calls, etc?

Have any of you run into this? What’s your experience?

Technorati Tags: Office 365,single sign-on,AFDS,Active Directory,Active Directory Federation Services,identity management

What is the killer app for federation?

2011-08-08T09:20:00.000-07:00

What is the killer app for federation?

A killer application has been used to refer to any computer program that is so necessary or desirable that it proves the core value of some larger technology...A killer app can substantially increase sales of the platform on which it runs.

I don’t know the answer to this question unfortunately but I am seeking an answer. I do believe that federation is a means to an end but it is itself not the end. In other words, the benefits of federation are not sufficient to make federation itself a killer app. Is federated single sign-on (FSSO) an important benefit of federation? Of course it is. But is FSSO enough of a benefit that companies are flocking to get federation deployed? Nope. Is federation driving people to use Google, Office 365 or Salesforce.com? Nope. Again, FSSO is a nice benefit but many companies use Google or Salesforce.com without federation enabled.

Why did companies deploy Active Directory? Why is Active Directory deployed at nearly 100% of companies? Well, it’s not because Active Directory makes managing your users easier or because it provides single sign-on. Sure, those are awesome benefits for the company but those benefits generally accrue to the IT staff – not the business, not the company. What drove the uptake of Active Directory was a simple killer app called e-mail: Microsoft Exchange. The business benefit for an enterprise e-mail system drove companies to Exchange and Exchange requires Active Directory. Exchange was the killer app that drove deployment of Active Directory.

So the IQ test question becomes: Active Directory is to Exchange as Federation is to X?

What is X?

Technorati Tags: federation,SAML,ADFS,SSO,FSSO,Active Directory,Exchange,MSFT,Microsoft,QSFT,Quest Software

Top 10 Secrets for Managing NTFS File Permissions

2011-06-30T07:15:00.000-07:00

Randy Franklin Smith will be holding this technical webinar on managing NTFS file permissions on July 21…

Title: Top 10 Secrets for Managing NTFS File Permissions
Date: Thursday, July 21, 2011 11:00:00 AM EDT

Keeping files secure on file servers – and really any other type of server – is critical especially with the kinds of advanced persistent threats we’re up against today. But managing file permissions is laborious and error prone and done poorly or irregularly leads to significant access control risks. Factors that make file access control difficult include:

Conflicts between share and NT FS permissions, especially when multiple shares exist on a given branch
Difficulty of finding folders with inherited permissions or blocked inheritance
The sheer number of files
Loss of continuity with the admin who set everything up
Lack of knowledge about the files, the type of information they hold and who should really be the owner
Difficulty in finding all the files a given user or group has access to
Confusion over how permission inheritance works

On top of that, Windows Server 2008 has new features such as Access Based Enumeration and User Account Control can cause confusing situations when it comes to how permissions are applied as well.
In this webinar I will update you on how NTFS permissions work today and I will tackle the challenges listed above. In particular, I’ll demonstrate several free tools that will help easily list all shared folders and their share permissions, analyze a given folder hierarchy and find all explicitly defined permissions and analyze an entire server to find all objects a given user or group have access to.

I’ll also provide other proven tips on managing file permissions including how to backup permissions and compare a folder hierarchy’s current permissions to a previous snapshot to detect what’s changed.

Then I think you will benefit from learning briefly about how Quest Access Manager fills in the remaining gaps with some very advanced and imaginative techniques. For instance, Sudha Iyer, Quest product manager, will demonstrate how Access Manager helps you figure out who should be the business owner of file server folders by analyzing the activity on the folder’s files. You’ll also see how Access Manager provides an enterprise wide view of a user or groups entitlements and helps you implement business owner approved access control.
Please join me for this very technical, real training for free (TM) webinar. Click here to register

Technorati Tags: QSFT,Quest Software,Quest Access Manager,Access Manager,Identity Management,Security

Controlling & Managing Super User Access

2011-06-24T13:29:00.000-07:00

This “Primer on Privileged Account Management” was written by Kris Zupan who was one of the founders of eDMZ and is now Chief Architect here at Quest Software.

Effectively managing privileged accounts (sometimes called super user accounts) is becoming more and more critical as security and compliance emerge as the driving force behind most IT initiatives. Unfortunately, native tools and manual practices for privileged account management are proving to be inadequate for today’s complex heterogeneous enterprise.

This white paper explores the risks associated with privileged accounts, and explains how Quest’s solutions mitigate those risks by enabling granular access control and accountability while preserving necessary access and ease of use. This paper is intended for CIOs, IT directors and managers, security and compliance officers and administrators in enterprises of all sizes, especially those who have not established firm control over all of their organization’s privileged user accounts.

You can download a copy of this primer from the Quest website here.

Technorati Tags: Quest Software,QSFT,eDMZ,privileged account management,super user access,root access control,identity management

Find out who and what applications are hogging your Active Directory resources

2011-06-21T02:02:00.000-07:00

Do you ever feel like your Active Directory is slow to authenticate or that your domain controllers are working harder than they really should be? Do you feel like users or applications are not being efficient in their use of your AD domain controllers? Quest ChangeAuditor can help you prove it. ChangeAuditor for LDAP tracks queries to your Active Directory environment, and then translates raw data into meaningful intelligent data to keep your infrastructure efficient and it also provides detailed analysis. It analyzes all LDAP queries against your domain controllers to tell you in simple terms of “Who, What, When, Where and originating Workstation," saving you the time you once spent digging for more details.

A couple of examples to illustrate how and when you can use ChangeAuditor for LDAP to get answers to the questions about your Active Directory:

1. Improve in-house and COTS use of Active Directory:
A logistic company noticed that over time their AD logon process slowed down to the point where it was a problem for users. Other than buying new hardware or re-architecting their AD, they wanted to know if there were applications or users that were taking up more resources than are reasonable for day to day business use. Using CA for LDAP – they were able to identify some internal applications that were querying AD for a large number of objects over and over. They were able to refine the queries to gather only the attributes they required, on an as needed basis, and the resource utilization was brought back in line – improving their overall user AD responsiveness without any hardware or AD design changes.

2. Don’t migrate before you know who is using your AD and how:
During a migration, an internal application was hard-coded to attach to a specific domain controller – but the users and administrators didn’t realize this until the domain controller was shut down. This broke a critical application. If they knew ahead of time that there was an application that was hard-coded, they would have updated the application before the migration, rather than having to restore an old domain controller and maintain 2 directories until the application was updated

How does it look? Here’s an example screen shot:

You can immediately see the container the application is querying, the scope of the query, the number of results, how many times (occurrences) the query has been made in the last few minutes – and the actual query they are making. All information you can use to see who’s using your directory resources.

Save yourself the headache of finding out the hard way that someone or something is not being a good “directory citizen” or abusing their access to Active Directory. Querying over and over, scoping queries that retrieve way too much information, or even hard-coded queries that go against specific domain controllers – all of which can be problematic to your directory. You can even see if someone is NOT using secure and signed queries. Quest ChangeAuditor for LDAP provides you with a proactive solution to problems you may not know you’re already having.

Technorati Tags: Active Directory,identity management,Quest,QSFT,ChangeAuditor,LDAP

Controlling Privileged Account Access

2011-06-20T06:36:00.000-07:00

Tomorrow (Tuesday, 6/21) at 1PM eastern we are presenting a webcast on this topic…

Access through privileged accounts is one of the most troublesome security and compliance challenges. Manually controlling administrative access is tedious and error prone and leads to a lack of accountability, auditing and, at times, administrators having more access than necessary.

Join Quest Software for this informative webcast where we will walk you through the issues of common privileged account scenarios such as:

Controlling remote vendor access
Enabling developer access to production
Managing the issuance and approval of credentials
Facilitating separation of duties
Providing limited rights for daily administrative tasks
Managing a Sudo environment

You will also see how Quest One Privileged Account Management solutions help you control access. They make it easy through granular delegation and policy-based control of administrative accounts as well as tightly controlled and audited issuance of full administrative credentials.

Register for the webcast today

Technorati Tags: QSFT,Quest Software,sudo,privileged account management,eDMZ,identity management

Quest acquires Symlabs for their virtual directory and federation technology

2011-06-06T06:00:00.000-07:00

Today, Quest Software announced the acquisition of Symlabs a privately held solutions provider that specializes in virtual directories and federation solutions. The addition of Symlabs virtual directory software will enable Quest products to easily consolidate identity data that is stored in a distributed environment whether it be stored in directories or databases. Symlabs also brings additional federated identity capabilities that will broaden our federated single sign-on solutions and capabilities.

Quest has been an OEM customer of the Symlabs virtual directory product for some time now. It was actually this exercise that started me to think about how customers – including Quest – weren’t really deploying a virtual directory (VDS) for the sake of having a virtual directory. Customers are deploying a VDS to solve very particular problems like easing the integration of identity data and systems into an existing identity management project or allowing directory-enabled applications to be kept in place despite the fact that the underlying directory was being re-architected or migrated.

So one of our goals will be to incorporate Symlabs’ VDS technology into a number of existing Quest products to make it easier to solve some of these problems. Our existing migration products have successfully helped thousands of customers migrate from one platform to the another but one of the problems that keeps coming up is: How do I migrate my directory-enabled applications? Most customers turned to a virtual directory for help. That’s why we feel that including a virtual directory capability as part of our migration products will prove useful to our customers. The same goes for our identity and access management product Quest One Identity Manager. We already provide a wealth of connectors for our customers to integrate their systems with Q1IM. Why not expand their capabilities and benefits by including a virtual directory as part of our identity and access management product?

I think Quest is uniquely positioned to leverage virtual directory technology into a host of products that the traditional virtual directory companies just don’t have today – like migration products. We'll also leverage Symlabs’ federation product by incorporating it into our existing federation and WebSSO products giving them broader reach and extended capabilities.

Exciting times!

Technorati Tags: Quest,QSFT,Symlabs,virtual directories,federation,identity management,LDAP,Active Directory,WebSSO