Sometimes the best gifts come after Christmas…

Sometimes we are lucky enough to have many gifts during the holidays – family, time off to relax, perhaps a few material items.

Team Work (Photo credit: Easa Shamih (eEko) | P.h.o.t.o.g.r.a.p.h.y)

Sometimes we are even luckier to have the efforts of many recognized by leaders in our field.

Today was such a day for me, as we announced:

Quest One Identity Manager named Leader in Gartner Magic Quadrant for User Administration and Provisioning 

(Click here to get a copy of the report)

For me, this is much more than a validation of our approach, technology and skills – it is a validation of the very hard work of literally hundreds of folks involved in the process of ‘making something for someone’.

Making this happen – at the velocity and trajectory that we are tracking – takes a highly skilled, organized, targeted and motivated team. As I was forwarding some of this information around to my internal teams – going through the ‘who to thank’ list – it really hit me just how many folks and roles are involved in delivering a leading solution. I went through the list of ‘functions’ or ‘roles’ in the organization and I stopped counting at 50 different roles.

You see, when you are in the ‘creation’ business – you are actually in many businesses – such as the service business, support business, consulting business, marketing business, communications business – and sometimes yes – even the travel business, therapy business or even the food business :)

team work (Photo credit: yckhong)

Crossing boundaries – corporate, personal, geographic, language, motivations – is something we do on a daily basis. This is the foundation of our personal and professional growth and, from my perspective, always leads to learning. This group of teams, organizations and individuals grew and expanded their skill sets and knowledge bases in many ways last year.

Although late for ‘2012 in Review’ commentary – I want to say congratulations to the whole team – local and global – that contributed to this huge win for us.  Even more heartwarming for me is that our customers validate this analysis and continue to challenge us to grow!

Felicitaciones y los mejores deseos para 2013!
Félicitations et meilleurs voeux pour 2013!
Herzlichen Glückwunsch und alles Gute für 2013!
Поздравления и наилучшие пожелания на 2013 год!
Gefeliciteerd en de beste wensen voor 2013!
Gratulerer og beste ønsker for 2013!
Congratulations and Best Wishes for 2013!

Change hurts – but is usually for the better…

A USB MINI A-B cable showing the shape difference (a=rounded b=square) and the additional plastic insert in the mini A. The mini-A plug is white; the mini-B plug is black. (Photo credit: Wikipedia)

Sometimes change hurts – but sometimes it makes a lot of sense…

Change – something we always have to deal with these days – has always been a challenge for most of us I suspect.  Disregarding the myriad emotions and side effects of change that are most times very difficult to calculate and forecast – change is more often than not for the better and drives ‘betterment’ of an industry, business, organization or person.

While I’m not going to spend time on iPhone vs. Android and other facets of the mobile business – I will pick out a very specific ‘change’ to the industry that has been an interesting event to watch. Apple’s introduction of the Lightning connector for the newest generations of their devices has been revered, complained about and flamed to pretty deep levels. However, an interesting ‘benefit’ of the change here is the macro-sized effect that Apple has on the industry and the correction of (from my perspective) a very flawed design point that has lasted the better part of a decade now.

Even before Apple’s proprietary connector type (the 30-pin Dock Connector) – the USB connector was (and still is) the de facto ‘open’ connector standard. The old style had a keyed mechanism that forced users to insert their connector one specific way only – leaving the user to guess whether ‘logo up’ or ‘logo down’ is the way to connect the device.

A typical USB connector. (Photo credit: Wikipedia)

I never understood why the designers (or, as I suspect – perhaps engineers who did the design without design/usability-specific input) felt that a keyed approach with a visual indicator – one that is completely and utterly useless in the dark or without a visible reference (think fiddling in your car to plug in your phone) – would be sufficient. I have watched many people jam those poor connectors together (myself included, many times), sometimes ruining their equipment – or at minimum swearing and cursing at the situation.

Granted, perhaps the original team didn’t expect their standard to be so ubiquitous worldwide. But then we see the same ‘design consideration’ (or flaw, from my perspective) in the mini-USB connector. It’s keyed. It’s even smaller. However, the keyed shape – which makes the visual representation of up/down less important – helps somewhat. Of course, in the dark or under your desk – you can’t tell which way is up or down. Gear still gets fried sometimes when you’ve really jammed the connector into the socket – I’ve seen it, really!

iPad mini 5W power adapter and lightning cord (Photo credit: brownpau)

The new Lightning connector – putting aside cost implications and end-user frustration with now-‘useless’ connectors – fixes one major component of device connectivity: it can be used up or down – it just works.

Simple really.  Difficult to do.  Success is variable and subject to many external forces.

(Good example of past ‘design choices’ adding up over time – nasty!)

Will Apple be successful?  I leave that to others – but I will say that taking the old norms, breaking with tradition and doing ‘good change’ is something I think most of us strive for on a regular basis.  Speaking for myself, I try to approach old problems with updated questions, challenge historic design decisions and re-ask the questions to stakeholders – in the hopes of introducing positive, lasting, valuable and leading change.

Thanks for reading!

NB: Additions to my list of ‘stupid things that should work in any orientation’ include:

– Parking machines that issue stubs with mag stripes one way, then expect you to insert it a week later at the airport ‘the correct’ way.

– Credit card readers of all stripes and sizes – I get that you need to read the mag stripe – but why not have a reader on both sides?

– Hotel room key systems – does the reader mechanism really cost that much to have on both sides? My math says the reader is less than $0.30 to include – so really? I mean really?

New ActiveRoles Server Release…

Although the paradigm of enterprise IT and security has changed significantly over the years – one thing is true – the foundation of your identity, security and access control strategy MUST be secure, stable and well maintained.

Our flagship product – a leader in the marketplace with over 60 Million seats sold over the years – has experienced some dramatic change over the years – and 2012 is no exception!

Although the role of the AD Administrator has gotten more complex, strategic and challenging over the years – one thing has always been there to help – Quest One ActiveRoles Server.  For years, we have helped administrators secure AD, delegate security permissions on a very granular basis – far more than native or competitive tools enable.

On top of that – we have been monitoring several specific issues our customers associate with AD – and have delivered to them a suite of tools to help manage them:

– AD Group bloat and under-utilization

  • Many customers indicate that the explosion of groups within their environments continues unabated. It is not unheard of for a customer to tell me they have a 10-30:1 ratio of groups to users.

– Unable to keep up with day-to-day AD management tasks

  • Instead of everything being a fire drill, we’ve implemented a quick-to-use, simple-to-deploy scheduled workflow infrastructure that lets you search for information within AD or ARS datasets, perform an action and receive notification – all on a scheduled basis. True to ARS form, this functionality is of course delegatable to other AD admins and can be set to run as that admin, as you, or as the ARS service account to manage its security scope.

– Fully customizable, fixed-function AD Group management system. Much like Quick Connect last year, we’ve decided to split off the end-user functionality of ARS into a more robust and specific platform – Quest One Identity Manager – Active Directory Edition

  • This change in market approach enables us to:
    • Provide a fixed-function, market-specific AD Group Management Service – with a very rich and powerful workflow system
    • Enable customers to completely manage and customize the user interface that is delivered to their end users – something that is usually as important as the technology itself.
    • Enable scaling to hundreds of thousands of end users using standard infrastructure such as IIS and MS-SQL – OOTB
    • Deliver to the auditors a fully functional, usable (and most importantly!) ad-hoc reporting and dashboard service so they can manage and monitor group recertifications/attestations – without asking IT for a report/Excel/text file/export, etc.
    • Enable line-of-business or resource owners to manage their OWN resource recertifications (if wanted) without having to involve IT for engineering
      • We find many customers have distinct and separate lines of business with differing security and audit policies – we enable this self-control and management out of the box!

In addition to managing AD, we have taken a few different approaches to enabling our customers to work better and more efficiently. In 2011 we separated our built-in data synchronization tool from the ARS product line to give it more focus, more development resources and ultimately – more flexibility for our customers. Quick Connect is going to expand rapidly this year past its current (and rich) connector set to do more in the cloud, more for ERP and more for web services. Stay tuned here on that one – we’ve just finished the roadmaps and I am very excited!

Of course, no new release nowadays would be complete without Windows 2012 Server support – and I am happy to report that we support Windows 2012 Server for operations of the service itself, Exchange 2012 and MS-SQL Server 2012!

Some other highlights from the release:

  • Automated workflow – Automates manual tasks to reduce errors and speed AD management
  • Simplified clean-up – Simplifies clean-up of AD objects to prepare environment for Windows 2012 and/or cloud integration
  • Interface “look and feel” – Makes working with ARS more intuitive
  • Enhanced Exchange management support – More completely manages your Exchange environment
  • Notification enhancements – Customizes notifications with more data and status information
  • Approval enhancements – Enables delegation, escalations and re-assignments of admin requests
  • Scanning & pruning – Makes it easier to manage Active Directory Group and object bloat
  • Native integration – Integrates with Quest One Identity Manager, Quest One Quick Connect, Office 365, Lync, Quest Authentication Services and Quest Defender

Review the full feature list and/or download the trial here:

Being more Successful, Agile in Decision making: The Art of the Imperfect Pitch

Human brain (Photo credit: Wikipedia)

A great article I came across a while back, and am now removing from my backlog of blogging topics, is about being perhaps more agile in presenting ideas or decision points to your management – by Professor Baba Shiv from Stanford:

The first is: Figure out if the person you’re trying to pitch to is really open to new ideas. If not, find a champion in the upper managerial levels who you think might be. Float your idea to that person first, and then have him or her present it to the target manager.

I spent a fair amount of time in consulting, and one of the kisses of death for the newbies (and, surprisingly, some of the more experienced folks as well) was the usually wasteful and unrecognized effort called Gold Plating. As simple as it sounds, Gold Plating a consulting deliverable means padding it with superfluous content and spending an arduous amount of effort on minutiae of formatting, perfect colors, etc.

To be sure, some of these functions of the deliverable matter – financial information must be accurate for a large financial project and color-matching would be very important to a fashion customer.

However, I am sure that if you look around you (or in the mirror) you will sometimes see the effects of perfectionism, perhaps a touch of OCD or other mental faculties (I won’t call them disorders) affecting someone’s work.

After reading the article below, I reflected on how I position things for decisions by others. I had always felt (and sometimes been told) that I was perhaps lacking attention to very fine detail, or perhaps was a little bit lazy. That may very well be the case, or perhaps I just focused on the important facets of the conversation, provided only what was needed to support the decisions and focused more on the delivery of the message than on burying people with paper.

The second is: Don’t provide your champion with a polished pitch. Let it be a little bit rough around the edges. This may seem counterintuitive, but having something that leaves room for expansion inspires people to get involved in your vision. Having the “perfect” solution, on the other hand, tends to inspire critique.

Consider just yesterday here in Barcelona. In a meeting with management about a specific business issue, I collaborated with several colleagues to work up a slide deck to present the idea. It was not perfect – nor was it complete – we hadn’t planned on presenting it this early. However, instead of spending another 5-40 hours each chasing market data that may not exist, or doing up pretty graphics that would only be skipped or viewed for 5 seconds – I felt our time was better spent on the conversation and on framing the data we had collected to facilitate a decision. In this case (and most of yours as well), I had no personal agenda nor was I trying to drive to a specific decision – I just wanted to come to one jointly with the group – and perhaps that’s what made it easy – I didn’t have to couch the ‘deliverable’ with extraneous information supporting the case.

Deliverables (Photo credit: terriem)

Anyways – I invite you to read the full, verbose and to the point :) piece below!

Behind all this is scientific research about what makes people tick. Although the human brain is a sophisticated instrument, at its core, it’s nothing but the organ of an animal, prone to instinctive responses. If you really want to succeed at bringing innovation into your company, you need to be aware of how your brain works.

The Art of the Imperfect Pitch | Stanford Graduate School of Business.

Identity and Device Lifecycle Management even more important now…Employee iPads could cause more Microsoft-related costs

I was reading an interesting post here from – based on a report from ‘Directions on Microsoft’.

I hadn’t considered this before – that allowing remote access to your resources for tablet users may have a licensing impact on your business – but I have always been a big proponent of managing devices (access and the hardware itself) just as tightly as identity.

Image representing iPad (via CrunchBase)

I was working on some marketing messaging today for another product line and our conversation was focused on how the cloud is changing the dynamics of where the ‘premise’ is. I know from my past as a network guy that the advent of VPNs and other RAS services extended my security perimeter to the coffee shop, the home, the airport, etc. Complexity was increasing – attack vectors were expanding – and customer demands were increasing.

As the drive for BYOD continues – indeed well over 75% of the customers I speak to on a daily basis have or will have a BYOD policy in place – do keep in mind that these great devices need to be managed just as tightly as identity. This means revoking the certificates immediately on a termination action, sending the ‘kill’ command to the device when you deprovision someone, using your provisioning system to retrieve the device itself, etc.

The use cases for these new scenarios are complex – and indeed the workflow components begin to require the involvement of more people – physical premises folks, RAS folks, building access control, etc.

Have a read of the below article – it brings up some interesting concerns that you may not have addressed as part of your project.

Employee iPads could cause more Microsoft-related costs: analysts

If your business allows employees to bring their own iPads or other tablets to work, then it’s possible you owe Microsoft more money for all your licence agreements.

Employee iPads could cause more Microsoft-related costs: analysts.

What WaaD does for the marketplace

Diagram showing three main types of cloud computing (public/external, hybrid, private/internal) (Photo credit: Wikipedia)

Yeah – I made up WaaD – just because it seems like the thing to do nowadays – make everything look like SaaS :) In reality – WaaD is Windows Azure Active Directory.

Anyways, we’ve been working hard on bringing several key stories together for identity – not just simply federation or identity from multiple platforms – but extending the management model into the cloud, half into the cloud and/or all permutations therein :)

There exist myriad deployment methodologies for identity and platforms – and we’re starting to see some interesting approaches towards solving the problems. As per usual, what I’ll call the greenfield approaches (those that are unencumbered with ‘legacy’ platforms, decisions or architectures) give us an idea of what the future looks like.

I was reading the following article from Matthew Heusser -Bring Your Own Identity Is Here! (Mostly). – Unchartered Waters – and he was covering some of what AD Azure can do for these ‘greenfield’ companies.  Although other providers can act like a single/centralized identity store for other platforms in the cloud – even Facebook could be considered this way *shudder* – I do see a unique opportunity here for cloud services/app providers to utilize AD Azure to further extend the very rich enterprise ecosystem for apps and services.

Yes, the cloud is cool, and yes, it’s here to stay. Yes, everyone is (or will shortly) start using it in some fashion. However, the ‘enterprise’ services/apps are much, much bigger and deeper, and add significantly more to the business.

When you combine them, you will have an unbeatable advantage – and this is what we are focused on – bringing the value of ‘enterprise’ and ‘cloud’ together.

Don’t understand the hype about Data Governance?

Our solutions are the problem (Photo credit: Waleed Alzuhair)

Recently I posted a link to a simple whitepaper that walked through some of the governance solutions for fileservers that we have under our belt.

Today, I wanted to share a report done by one of the leading analyst firms on the aspects of Data Governance as a whole – and its broad impacts on Identity and Access Management – for the marketplace and customers alike. Our first release in August was a milestone in our product line – more to come in the near term!

Here are some highlights from @KuppingerCole:

  • “We strongly recommend that you evaluate the solution in the context of Access Governance initiatives and for standalone Data Governance requirements.”
  • “…Quest provides an innovative solution which integrates Access Governance and Data Governance in one solution, with strong functionality on both sides.”
  • “…it is a valuable complement to the existing Quest One Identity Manager as well as an interesting standalone solution for companies which want to start with Data Governance.”

Feel free to download the report free of charge – I think it is interesting reading and gives you a viewpoint into this growing segment of the market – and your auditor will love you for it :)    Download Here –>

Great HowTo: Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Just wanted to let you know that we’ve produced a great whitepaper on protecting your unstructured data on distributed systems.

Protecting Unstructured Data on File Servers, NetApp, EMC and SharePoint

Don’t know what unstructured vs. structured is?

Props to @JamieManuel:

What is Structured Data:

Data stored in any of the following applications would be considered structured data:

Data that is housed in the above examples is structured in that it resides in fixed fields in a database for example.

Ok, so what is ‘Unstructured Data’?

Unstructured data refers to data such as Word docs, Excel spreadsheets, PDF scans, photos, videos and more. Think of all of the unstructured data that you have on your computers or that you access on file shares or SharePoint sites.


Information contained in these files can include customer payment and contact details, proprietary information, financials, competitive differentiators and so on.

What is the Difference, and why do I care?  Download the whitepaper to learn more :)

Finally – Office 365 Directory Synchronization customization

A few weeks ago Microsoft finally released the enhancement to their DirSync story that allows for much more flexibility for synchronizing AD information to the o365 cloud infrastructure.

We’ve been doing this for quite some time now with our own Quick Connect for Cloud Services connector – with some important differences.

Primarily – because we manage more than just AD, we can add many different connectors to the sync job. For example, you may want to add a department code from SAP to the o365 Lync service, or set licensing for o365 based on a role in SAP or your IAM tool, etc.

While the new DirSync seems to focus primarily on excluding (or including) data sets, we focus on syncing just what you want, and when. Additionally, our sync is fully bi-directional – we can pull data back from o365 and push it into on-prem AD, a flat file, what have you. This is important for managing licensing costs more closely, pulling usage information from the cloud and updating on-prem metrics or billing systems – many different options.

We’re also finding another important use case that is missing AFAIK – not everyone wants/can/needs to deploy ADFS to get reduced sign-on to o365. We have some customers who can’t afford it, don’t understand it, or can’t maintain ADFS – and are plenty happy with a reduced sign-on approach – that is, having your on-prem AD password synced to the cloud and using that same password for desktop or cloud access.

Finally – and perhaps even more important for any heterogeneous customer base – we support more than just Office 365. To date, we’re supporting Google Apps, Postini, and for direct integration and synchronization – and expect this list to grow quickly in the next 6-12 months. We’re focused on providing our customers options, abilities and simplicity in executing their technology strategy – it drives everything we do.

Anno Domini @ The Factory Theatre, Sydney 24/09/2010 (Photo credit: Jamie Gilbert)

So to wrap up, I say welcome to the club Dirsync team – looking good and keep it coming!

Excerpt below

Office 365 Directory Synchronization customization

by andreakkerman

Good news: customizing the Office 365 Directory Synchronization is now allowed for filtering of OUs, domains and users!

This feature has been much requested in the field, so we’re pleased it’s finally now supported.

What Microsoft is specifically supporting is:

Exclude OUs from being synchronized

This allows for exclusions of OUs (and underlying objects) and is done by specifying which OUs to exclude in the Directory Partitions Containers in the ILM configuration.

Exclude domains from being synchronized

This option is to exclude whole domains (not forests) from being synchronized. Configured through the Directory Partitions configuration in ILM.

Exclude specific users from being synchronized

This is done by filtering on AD object attributes. For example you could specify that all user objects that have “Netherlands” in their AD Country attribute will not be synchronized. You have freedom to select on which AD object attribute you want to filter. So if you want to make a very specific filter, you could opt to fill an ExtensionAttribute on specific user objects and use this to filter on in the Dirsync. Again, configuring the filters is done through the ILM management console.

If you already have Dirsync running, any configuration changes made will simply be applied after the next synchronization run (default=every 3 hours).

Here’s Microsoft’s post on the O365 community:

via Office 365 Directory Synchronization customization.
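To make the three exclusion rules in the excerpt above concrete, here is an added example that models OU exclusion, domain exclusion and attribute-based user exclusion over a small constructed set of AD-like user records. It is not Microsoft's DirSync or ILM code and is not part of the original post: the real filters are configured in the ILM management console, not in code, and this only shows what each rule does to a given object. The record layout, the DNs, the domain names and the attribute values are all made up; `co` is assumed to stand for the text country attribute the post calls "AD Country", and `extensionAttribute1` is the opt-out marker the post suggests filling on specific users.

```python
from dataclasses import dataclass, field


@dataclass
class AdUser:
    """A minimal, constructed stand-in for an AD user object."""
    dn: str                                   # distinguished name
    domain: str                               # DNS name of the user's domain
    attributes: dict = field(default_factory=dict)


def dn_components(dn):
    """Split a DN into lower-cased RDN components.
    The constructed data has no escaped commas, so a plain split suffices."""
    return [part.strip().lower() for part in dn.split(",")]


def in_ou(user, ou_dn):
    """True when the user sits in ou_dn or in any OU nested beneath it.
    Whole components are compared, so OU=Sales never matches OU=SalesOps."""
    user_parts = dn_components(user.dn)
    ou_parts = dn_components(ou_dn)
    return len(user_parts) > len(ou_parts) and user_parts[-len(ou_parts):] == ou_parts


def attribute_matches(user, attr, value):
    """Case-insensitive whole-value match; a missing attribute never matches."""
    actual = user.attributes.get(attr)
    return actual is not None and str(actual).casefold() == value.casefold()


def select_for_sync(users, excluded_ous=(), excluded_domains=(), excluded_attrs=()):
    """Apply domain, OU and attribute exclusions in that order.
    Returns (DNs to sync, {skipped DN: reason})."""
    excluded_domains = {d.lower() for d in excluded_domains}
    synced, skipped = [], {}
    for user in users:
        if user.domain.lower() in excluded_domains:
            skipped[user.dn] = f"domain {user.domain} excluded"
            continue
        if any(in_ou(user, ou) for ou in excluded_ous):
            skipped[user.dn] = "OU excluded"
            continue
        hit = next(((a, v) for a, v in excluded_attrs if attribute_matches(user, a, v)), None)
        if hit:
            skipped[user.dn] = f"attribute {hit[0]}={hit[1]} excluded"
        else:
            synced.append(user.dn)
    return synced, skipped


# Constructed directory snapshot: every DN, domain and value below is made up.
SAMPLE_USERS = [
    AdUser("CN=alice,OU=Sales,DC=corp,DC=example", "corp.example", {"co": "United States"}),
    AdUser("CN=bob,OU=Contractors,OU=Sales,DC=corp,DC=example", "corp.example"),
    # nested two levels under the excluded OU, with different letter case
    AdUser("CN=carol,OU=Temp,OU=contractors,OU=Sales,DC=corp,DC=example", "corp.example"),
    # similarly named sibling OU: must NOT be caught by the OU filter
    AdUser("CN=dave,OU=ContractorsArchive,OU=Sales,DC=corp,DC=example", "corp.example"),
    AdUser("CN=dirk,OU=Staff,DC=corp,DC=example", "corp.example", {"co": "netherlands"}),
    AdUser("CN=erin,OU=Staff,DC=corp,DC=example", "corp.example", {"extensionAttribute1": "NoSync"}),
    AdUser("CN=frank,OU=Staff,DC=lab,DC=example", "lab.example"),
]

# The three filter kinds from the post, with constructed values
# (assumption: 'co' is the text country attribute the post calls "AD Country").
FILTERS = {
    "excluded_ous": ["OU=Contractors,OU=Sales,DC=corp,DC=example"],
    "excluded_domains": ["lab.example"],
    "excluded_attrs": [("co", "Netherlands"), ("extensionAttribute1", "NoSync")],
}


def run_sample():
    """Evaluate the constructed snapshot against the constructed filters."""
    return select_for_sync(SAMPLE_USERS, **FILTERS)


if __name__ == "__main__":
    synced, skipped = run_sample()
    print("will sync:")
    for dn in synced:
        print("  ", dn)
    print("skipped:")
    for dn, reason in skipped.items():
        print("  ", dn, "->", reason)
```

Two details are worth checking in any real filter before trusting it: OU exclusion must cover objects nested any depth below the excluded OU (carol) without catching a sibling OU whose name merely starts the same way (dave), and an attribute filter compares the whole value, so a user whose country attribute is unset is not excluded by a "Netherlands" rule and will still be synchronized.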