DEC 2008 - Day one

MONDAY, March 3rd, Chicago (surprisingly warm).

I've already reported from the pre-conference workshop last Sunday that gave a very good introduction to Identity Lifecycle Manager 2 and Certificate Lifecycle Manager, and Microsoft's Joe Long kicked off DEC 2008 with his keynote session presenting Microsoft's vision on Identity Management, and how Active Directory will evolve to meet those needs in the future. Apart from being a good summary of what I had already heard a day before, it highlighted Active Directory being in the centre of Microsoft's Identity Management ecosystem, surrounded by four cornerstones: Identity Lifecycle Management (ILM), strong authentication (i.e. smart cards and CLM), data protection (Rights Management) and federation (ADFS). The idea is certainly going in the right direction. It is certain, however, that Microsoft leaves many opportunities to be filled by partners that can harness the framework and complement it by filling in the gaps. No surprise, of course, that some of these partners were present at DEC, showing off their latest wares.

As expected, many of the sponsors used the opportunity at DEC to announce availability of new products and releases. NetPro, the organisers of the event, went even further and "pre-announced" (announced that they will announce?) an upcoming new release of its ChangeAuditor product, a leader in the Windows auditing space. The upcoming 4.5 release is to feature a new SQL Server module and comprehensive Exchange auditing, including permission change and non-owner mailbox alerting. As companies in this space continuously strive to catch up with the ever-increasing demands of audits, this helps NetPro maintain a competitive edge in the space, as was explained to me by Brad Hibbert, who kindly took the time to brief me on NetPro's plans. Brad also mentioned that NetPro will release a free tool built on top of NetPro's SOA architecture that will integrate and extend the native Users and Computers interface. According to Brad, this AD Management tool will add business rules, workflow, and task automation to the ADUC interface. It helps tighten security and instill better IdM practices into AD management, without requiring people to change how they manage AD today. The first release is planned to ship in May. Later this year a subsequent release will also provide a web console for AD management with these same capabilities.

NetPro is also planning a script management solution in Q3. This will allow organizations to integrate their custom scripts and batch jobs into a management console that will provide distribution, scheduling, security delegation, auditing and performance statistics. Over time NetPro will also publish its SDK such that other vendors and integrators will be able to extend the architecture to write and snap in additional management tools and utilities. This will make it much easier for many organisations to manage custom tools, scripts and batch jobs written for the purpose of administrating and automating the identity management infrastructure, and definitely tickled my interest. I shall be following up with Brad and share some further insight.

I've also taken a closer look at Centrify, after my colleague Martin told me to check them out, and he was right: I was positively impressed after talking to David McNeely, Centrify's director of product management. He told me how Centrify's DirectControl product seamlessly integrates Unix, Linux, Mac, Java and web platforms with Microsoft Active Directory. The product goes so far as to extend group policy objects onto those other platforms and allow for delegated administration. Another feature is zoning, which is used for two things: identity mapping from AD to the target system (so that my account "felix" on AD could, for example, be mapped to my Linux account "felixg" on the Linux development system, and to my account "fga" on the production Solaris servers), and managing granular access permissions on specific sets of machines (like the "sudo" command on many UNIX machines). A second product, DirectAudit, can provide a complete log of everything that a user does on a system - up to the point of being able to replay an individual session like a VCR. Although I can understand the requirement for such a detailed audit on a highly sensitive system, I actually found it kind of scary from an old system administrator's point of view. :-)
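To make the zoning idea concrete, here is a small added model of it in Python. It is not Centrify's code and says nothing about how DirectControl is implemented; it only shows the two jobs a zone does: mapping one AD principal to a different local account per zone, and attaching a per-zone allow-list of privileged commands to that local account. The AD account "felix" and the local names "felixg" and "fga" are taken from the paragraph above; the host names, group names and command paths are constructed for the example. A host that belongs to no zone, or a user with no mapping in that zone, resolves to nothing and is therefore denied, which is the fail-closed behaviour you want from such a directory-backed scheme.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

@dataclass
class Zone:
    """One zone: a set of hosts, an AD-to-local identity map and sudo-style rules."""
    name: str
    hosts: FrozenSet[str]
    # AD account -> local Unix account valid on every host in this zone
    identity_map: Dict[str, str]
    # local Unix account -> privileged commands it may run (constructed paths)
    privileged: Dict[str, FrozenSet[str]] = field(default_factory=dict)

# Constructed zone definitions (host and command names are made up for the example).
ZONES = (
    Zone(
        name="linux-dev",
        hosts=frozenset({"dev-lin01", "dev-lin02"}),
        identity_map={"felix": "felixg", "martin": "mweber"},
        privileged={"felixg": frozenset({"/usr/sbin/service", "/usr/bin/apt-get"})},
    ),
    Zone(
        name="solaris-prod",
        hosts=frozenset({"prod-sol01", "prod-sol02"}),
        identity_map={"felix": "fga"},
        # Production zone: the same AD user gets a narrower allow-list.
        privileged={"fga": frozenset({"/usr/sbin/svcadm"})},
    ),
)

def find_zone(host: str) -> Optional[Zone]:
    """Return the zone a host belongs to, or None if it is in no zone."""
    for zone in ZONES:
        if host in zone.hosts:
            return zone
    return None

def resolve_local_account(ad_user: str, host: str) -> Optional[str]:
    """Map an AD account to the local account it uses on a given host.

    None means 'no identity here': unzoned host or unmapped user.
    """
    zone = find_zone(host)
    if zone is None:
        return None
    return zone.identity_map.get(ad_user)

def authorize_privileged(ad_user: str, host: str, command: str) -> bool:
    """Sudo-style check: is this AD user allowed to run `command` on `host`?

    Every lookup that fails denies access; there is no default-allow path.
    """
    zone = find_zone(host)
    if zone is None:
        return False
    local = zone.identity_map.get(ad_user)
    if local is None:
        return False
    return command in zone.privileged.get(local, frozenset())

if __name__ == "__main__":
    for host in ("dev-lin01", "prod-sol01", "laptop-99"):
        print(host, "->", resolve_local_account("felix", host),
              "| svcadm allowed:",
              authorize_privileged("felix", host, "/usr/sbin/svcadm"))
```

The interesting property is that the decision depends on the (host, AD user) pair, not on the local account name alone: the same person is "felixg" with broad rights on the development box and "fga" with a single permitted command in production, and anything outside a defined zone is simply invisible to the scheme.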

Monday was also the day of the Directory & Identity Experts Panel Discussion, in which I had the privilege of joining Joe Long and Robert DeLuca from Microsoft, Kevin Kampman from the Burton Group, Gil Kirkpatrick from NetPro, Laura DiDio from the Yankee Group and Christopher Voce from Forrester. Joshua Hoffman from TechNet magazine chaired the panel and opened up with a few questions before opening the floodgates to the audience. Joe was definitely in the front line of fire, being barraged with many questions with regards to when Microsoft would finally support SAML 2, SPML, virtual directories and other things that Microsoft doesn't really seem to want to get its hands dirty with, at least at this time. I certainly felt sympathy, but he did a good job of defending Microsoft's position. I got my share of questions as well. I have to admit that I was a bit nervous in the beginning, and in hindsight might have done a bit better with the first question about where I see OpenID in two years. But I think I did a pretty good job on the other questions of whether LDAP will be replaced by something else, and what needs to be done in order to enable applications for federation. After the expert panel, many lively discussions in the hospitality suites, and their aftermath! A perfect first conference day, and I collapsed happily into federated DreamSpace.

