Deep dive into unknown depth (of PKI and HyperV technology)

Recently, we announced that a report on strong authentication with tokens would be released. The response to that was tremendous - from either side of the market. Some (customer) companies pre-registered to get it, some vendors called back to make sure their products were included, and guess what: NOT all of them were included. This led to two things: me going back to square one, getting briefings with all "new" vendors and rewriting some portion of the report, as well as me thinking: "if I do not know these vendors are trying to get into the market - how should the market (aka customers) know?". Looks like some vendors did invest a lot in product engineering, such as AXSionics e.g., but a lot of those at the same time did not invest much into developing their go-to-market strategies and a marketing plan. There are a number of sayings around marketing (such as that 50% of the budget is wasted, one just does not know which half this is) but let me get that straight: a complex service or solution such as strong authentication does not sell by itself. You need to analyse the market, identify your target customer base and address these possible customers as directly as possible. I do not judge print media here, but simply advertising in a trade magazine will hardly work...

We as analysts have to serve both sides of the market, thus granting us a very special position that allows us to gain deep insight into customer needs as well as into current market situations. We certainly are no "know-it-alls" as the above introduction reflects, but we certainly can add valuable information to either authentication strategies or marketing plans! Ok, enough shameless self-marketing at this point and back to the deep dive: I guess one thing that sets KuppingerCole apart from other analysts is the technological background of the analysts. Most of us are or have been IAM practitioners before switching to "criticize mode".
This background makes us TEST what vendors tell us - in my personal situation that means: drowning in cards, tokens, readers and software for strong authentication. I really love this retreat to "playing" with technology - at least as long as it works!

My test stopped working last week, when I tried to use a Microsoft PKI to issue certificates for my Vista laptop. Little did I know what horrors the switch from XP to Vista on my test client would bring... I used to run a pretty straightforward test environment for certificates, namely a Win2k3 Enterprise Edition server with Certificate Services. All was well with the usual XP clients and users receiving certificates, using smartcards and tokens of all types to do the SC-login. Well, Vista and W2k3 Certificate Services do not work together that easily, namely some components that allow the certificate enrollment procedures via browser. Ok, testing certificates and cards in a productive environment is not the best idea anyway, so I decided to give Server 2008 a shot, using virtual machines on 2008 HyperV as the basis for my lab. Being a strong user of VMware before, HyperV set some traps for me: storing the virtual machines in a subdirectory of the "public" user directory of the system drive was one. Saving the machine state in a similar location AFTER I had re-routed the location of the images to the D: drive was even more of a nuisance. Not being able to "import" such an image if it had not been "exported" before almost drove me crazy. I ended up with some 100 Gigabytes of mostly useless images and wasted tremendous amounts of time with this...

Oh, did I mention networking? Have you ever tried to set up a Win2k8 domain with DHCP in the virtual realm and then have DHCP clients (aka, my Vista laptop) receive their IP info over the physical interface of the host machine?
Fun stuff to do - works (sometimes), unless you try to join the domain with this client (networking to/from the virtual realm stopped working after reboot of the newly joined client). A "restart" of the network interfaces at the host machine worked, although I still do not know why...

Anyway, now I am set to create myself multi-tiered (or teared?) PKI environments comprising a W2K8 based PKI, some EJBCA and all the paraphernalia one has to gather... The only thing I am still missing is a decent Hardware Security Module (HSM) for my EJBCA to recover encryption certificates not created with SC-based key material. I certainly grew some extra grey hair with this, but at least I am up-to-date with my PKI infrastructure!

Looking forward to your responses, inquiries and "didn't you know..." comments...

Sebastian


