Archive for 'Cloud'

Update from VMworld

If you’re not on the floor at Moscone Center this week, you’re missing out on one of the best virtualization conferences of the year. VMworld 2010 is one of the best attended industry events I have seen in at least three years. Virtualization, and VMware, are still at the top of mind today if the turnout at VMworld 2010 is any indication. Attendees are very engaged, and actively looking for solutions to support their virtualization initiatives.

Likewise has a great booth location (#1606) this year, near the show floor entrance.  We have a steady stream of people visiting our booth showing strong interest in Likewise Open, Likewise Enterprise, and the tech preview for the Likewise Virtual Storage Appliance. Interest at the booth ranged from enterprises looking to better integrate Unix and Macs with their existing AD infrastructure, to storage vendors asking how they could leverage Likewise to enhance their product offerings.

Likewise support for VMware environments is highlighted on several fronts at the show.  The Active Directory support that Likewise provides, now shipping as part of the ESXi 4.1 release, was highlighted as a main feature of the release.  In a track session on ESXi 4.1, our support was covered in a detailed demonstration and the presenter directed attendees to the Likewise booth to find out more about what Likewise can do to better integrate Linux, Unix, and Mac OS environments with Windows Active Directory. As a result, we saw a steady stream of attendees at the Likewise booth to learn more.

We also had a chance to talk to attendees and hear the reaction to our directory integration in ESXi 4.1. Reactions ranged from moderate enthusiasm to “this is amazing!” when we confirmed that upgrading their environment from vSphere 3.x to 4.1 would provide directory integration automatically. We’ve been really excited about our announcement since March, but having an opportunity to hear what it means to users has us even more stoked.

Perhaps the best story yet is a Likewise user that stopped by the booth on Tuesday and talked virtualization security with us for a while, and learned what more we can do for them.  We gave him a t-shirt, and he went on his way.  This morning, he walked by the booth wearing his t-shirt.  He came and told us, “I received a bunch of t-shirts from vendors yesterday.  But I decided to wear the one from the company that does the most for me.” And that’s us!

If you’re at VMworld this week, stop by the booth and say hi. We’ve got plenty of t-shirts to hand out and are looking to talk to as many VMware and virtualization users as possible, live and in person. We’d like to hear about how you’re using virtualization, cloud technologies, and the challenges people are seeing integrating all these technologies in a rapidly changing data center.

The show is half over, but this promises to be a great week!

Who’s watching the watchmen? This is one of the top concerns inside IT shops as companies work to protect both their own and their customers’ valuable and confidential information.  And this problem is getting worse, not better, with the growth in applications and infrastructure.  The current merger and acquisition frenzy causes yet another set of problems around privileged users as companies grow through acquisition and merge disparate IT infrastructure, people, and processes.

Specifically, who’s ensuring that administrative privileges are doled out to the right users, and how do you integrate those controls so that it’s not only possible to provide limited administrative access – but centralize the process as well?

We are at VMworld this week in support of the partnership with VMware announced in March.  Likewise’s authentication technology has been licensed by VMWare and ships with ESXi and is exposed in VMware vSphere beginning with 4.1. By integrating Likewise Identity Service into ESXi, we’re able to fill a major gap in privileged user management for enterprises using vSphere.

By tying vSphere users into Microsoft Active Directory (AD), we can reduce the complexity of managing users and ensure that there’s no “identity sprawl” when deploying VMware. In addition, IT can delegate the appropriate level of permissions using AD so that department IT staff are limited in the services they can administer and deploy. Want to make sure a branch office IT staff can administer virtual machines, but not deploy new machines? By integrating ESXi with Microsoft Active Directory, it’s easy to set up fine-grained permissions for administrators across the enterprise – just as we’ve always done with users on Linux, Unix, and Mac OS systems.

Furthermore, by integrating Likewise Identity Service into ESXi, VMware is helping companies improve security right out of the box. When someone leaves a company it is a simple, easy and automated task – using AD – to ensure that person’s email and computer privileges are shut down. That’s not always true with privileged users outside of AD. Often, the process is manual and time consuming and leaves “ghost accounts” – a big red flag for auditors because it opens up significant vulnerabilities. By having a single directory in Active Directory for HR provisioning and deprovisioning, we remove the problem of having to manually manage each privileged account. Companies are able to extend privileged user management from Windows desktops to Linux servers and VMware ESXi. The company password policies, syslog configuration, time synchronization, limiting access to sudo and su all flow from your policies in Active Directory to ESXi.

Now we have one set of credentials, one user, but with fine-grained permissions that ensure that company policies are enforced, and the user has the appropriate permissions – and no more – from their desktop to the VMware infrastructure. One set of credentials encompasses the user’s desktop login, their server login and sudo settings on Linux and Unix, and their role in VMware ESXi. Active Directory’s security settings follow users everywhere – from first hire to retirement, when the account is turned off by HR.
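The “ghost account” problem described above is easy to audit for once the directory is the source of truth. The script below is an added example (not Likewise code) that cross-checks local Linux-style accounts and per-user sudo grants against a directory export and flags privileged accounts that no enabled directory user backs. The `/etc/passwd` and sudoers excerpts, the directory export, and the `CORP` domain are all constructed sample data; the `%CORP\\group` sudoers syntax for directory groups is assumed.

```python
"""Audit locally privileged accounts against a central directory export.

Added example, not Likewise code. Flags human accounts that hold a per-user
sudo grant but have no enabled account in the directory ("ghost accounts").
Every input below is constructed sample data.
"""
import re

# Constructed /etc/passwd excerpt: system accounts plus local human accounts.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
bwayne:x:1002:1002:Bruce Wayne:/home/bwayne:/bin/bash
opsbackup:x:1003:1003:Backup Operator:/home/opsbackup:/bin/bash
"""

# Constructed sudoers excerpt: per-user grants plus one directory-group grant
# (the %DOMAIN\\group form is assumed; raw string keeps the backslashes).
SUDOERS = r"""# sudoers fragment
Defaults env_reset
root ALL=(ALL:ALL) ALL
jsmith ALL=(ALL) ALL
bwayne ALL=(root) /usr/bin/systemctl restart httpd
opsbackup ALL=(root) NOPASSWD: /usr/bin/rsync
%CORP\\linux-admins ALL=(ALL) ALL
"""

# Constructed directory export: account name -> enabled flag.
# bwayne has left the company and HR disabled the account; opsbackup was
# created by hand on the server and never existed in the directory.
DIRECTORY = {
    "jsmith": {"enabled": True},
    "bwayne": {"enabled": False},
}

UID_MIN = 1000  # conventional first UID for human (non-system) accounts


def parse_passwd(text):
    """Return the set of local human account names (uid >= UID_MIN)."""
    users = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or line.startswith("#"):
            continue
        if int(fields[2]) >= UID_MIN:
            users.add(fields[0])
    return users


SUDO_RULE = re.compile(r"^(%?[\w.\\-]+)\s+\S+=")  # "<who> <host>=(...) cmd"


def parse_sudoers(text):
    """Split sudoers grants into per-user grants and group (%name) grants."""
    users, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        match = SUDO_RULE.match(line)
        if not match:
            continue
        who = match.group(1)
        (groups if who.startswith("%") else users).add(who.lstrip("%"))
    return {"users": users, "groups": groups}


def find_ghosts(passwd_text, sudoers_text, directory):
    """Map each suspect privileged account to the reason it is a ghost.

    Only per-user grants are checked: group grants are resolved against the
    directory at login time, so a disabled directory account loses them
    automatically. Root (uid 0) is a system account and is excluded.
    """
    local_users = parse_passwd(passwd_text)
    privileged = parse_sudoers(sudoers_text)["users"] & local_users
    ghosts = {}
    for user in sorted(privileged):
        entry = directory.get(user)
        if entry is None:
            ghosts[user] = "no directory account"
        elif not entry["enabled"]:
            ghosts[user] = "directory account disabled"
    return ghosts


if __name__ == "__main__":
    for user, reason in find_ghosts(PASSWD, SUDOERS, DIRECTORY).items():
        print(f"ghost account: {user} ({reason})")
```

Run against the sample data it reports `bwayne` (disabled in the directory but still holding a local sudo grant) and `opsbackup` (no directory account at all), while `jsmith` passes. On a real host the same check would read `/etc/passwd` and `/etc/sudoers` and pull the enabled flag from an LDAP or AD export.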

By integrating VMware into the same infrastructure that is now shared by Windows, Linux, Unix, and Mac OS, everybody wins.

It’s been less than a year since we debuted Likewise CIFS – a Linux-based, high-performance, Windows-compatible file server. Ever since our first Likewise CIFS licensing wins, HP and EMC/Data Domain, we’ve had a steady stream of requests to package Likewise CIFS in a way that could be easily provisioned for end-users. Frankly I’ve been stunned by the number of requests that we get regarding Likewise CIFS from a range of enterprise, mid-enterprise, and SMB customers.

Initially, our foray into CIFS was purely as a technical piece of our AD-bridge solution.  We were unsatisfied with other options and we wrote our own CIFS client module to solve file transfer issues for Likewise Open and Likewise Enterprise.  Later we were prodded, pushed, and cajoled by several licensees of our authentication technology, Likewise Identity Services, to provide our CIFS solution as a commercial offering.

Next week at VMworld we’re going to debut a technology preview of a Virtual CIFS Storage Appliance that will be shipping later this year.  The appliance allows customers to migrate physical legacy file servers, and achieve the cost and power savings of virtualization as well as significant performance advantages for SMB1 and SMB2 file shares on Likewise CIFS.

Likewise CIFS on top of vSphere/vCenter brings a new level of flexibility to file sharing. Our customers have told us that redundancy is king for their data, and they’ll be able to enjoy load balancing and automatic failover with the Likewise CIFS appliance on top of VMware solutions. They’ll also be able to ensure the continuity of business data with snapshotting, and simple backup and restore functionality.

The VMware appliance is just part of the Likewise vision of bringing interoperability to mixed networks. Earlier this year we partnered with HP to bring Likewise CIFS and Likewise Identity Service to the StorageWorks platform and, as requested, we’re busy working with other Likewise partners to offer Likewise CIFS and Identity Services as part of other solutions.

Come by the Likewise booth (#1606) next week at VMworld and see why Likewise has the answer to file-sharing woes in large organizations.

I just finished reading Mike Vizard’s excellent post, “Authentication in the Cloud” and I thought it would be worthwhile to go into more depth about the issues regarding authentication and cloud computing. While the topic seems pretty straightforward (“validate my username/password”), it gets incredibly messy very quickly.

Before I talk about authentication in the cloud, let me review something more mundane: authentication on your private network. What happens when you login to your machine and then try to access some resource, say a file server or database, on your network? Yes, of course, when you login to your computer, something needs to assure that your username and password are valid.

If you’re logging into a Windows machine, this authentication is performed by a component called the “Local Security Authority Subsystem Service”. If you run Windows Task Manager and list the running processes for all users, you will see a program called “lsass.exe” – that’s the one. By the way, if you run Likewise on a Linux/UNIX/Mac machine, you will notice that we add a daemon called “lsassd” – guess what that does?

LSASS (Microsoft’s or ours) can authenticate a user one of two ways: using “local” credentials or using Active Directory credentials. If your machine is “joined” to Active Directory, you will typically login to your machine with your AD account (including the appropriate “domain” name). If your machine is not joined to Active Directory (it’s in “workgroup” mode), you will login to the machine using local credentials. In the local case, your username and password are validated against account information stored on your own machine. In the AD case, however, something more significant happens: LSASS authenticates your credentials using the Kerberos protocol to talk to an AD domain controller.

Kerberos is a wonderful thing. It can authenticate credentials without ever transmitting a password in either clear or hashed form. This is important because it makes it impossible to perform offline password cracking (i.e. trying millions of passwords until the cracking code matches your hashed password). Kerberos is also great because it supports single sign-on. Once you are logged in to your machine, you have a special “ticket” that can be used to acquire additional tickets for other services. Once you are logged on to your machine, if you go and access a Windows file server, the file server will not prompt you for credentials if your logon credentials are sufficient. Under the covers, the authentication code automatically acquires a “service” ticket for the file server based on your logon ticket. If you access a SQL Server database or a Microsoft IIS-protected web site, again, you don’t need to enter additional credentials because the necessary service tickets are automatically acquired. Nifty.

If you logged in using local credentials, you don’t get any of this goodness. When you try to access a file server, it will perform older “NTLM” authentication and realize that it doesn’t know anything about your local account – if the files on the server are protected, you will be prompted for credentials in order to access them. With SQL Server and with IIS you’ll need to use more primitive authentication techniques (“SQL authentication” or basic authentication, for example).
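The ticket flow described above is easier to follow with both sides of each exchange in code. The following is an added example, not Likewise or Microsoft code: a toy model in which a workstation logs on through an AS exchange, turns the resulting TGT into a service ticket through a TGS exchange, and presents that ticket to a CIFS server, with the password never leaving the client. HMAC-SHA256 in counter mode stands in for Kerberos’ real encryption types so the model runs with the Python standard library only; the realm `CORP.EXAMPLE`, the principals, the password and the session lifetime are constructed, and pre-authentication (the encrypted timestamp a real AS-REQ carries) is omitted.

```python
"""Toy model of the Kerberos logon and single-sign-on flow.

Added example, not Likewise or Microsoft code. HMAC-SHA256 keystreams stand in
for real Kerberos encryption types; realm, principals and password are constructed.
"""
import hashlib
import hmac
import json
import os
import time

REALM = "CORP.EXAMPLE"  # constructed realm name


def derive_key(password, salt):
    """String-to-key: the long-term key the KDC stores for a principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Authenticated-encryption stand-in: XOR keystream plus an HMAC tag."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def unseal(key, blob):
    """Reverse seal(); raises ValueError if the key is wrong or data was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Domain controller: knows every principal's long-term key."""
    def __init__(self):
        self.keys = {f"alice@{REALM}": derive_key("correct horse", f"{REALM}alice"),
                     f"cifs/fs01.corp.example@{REALM}": os.urandom(32)}
        self.tgs_key = os.urandom(32)  # krbtgt key; only the KDC can open TGTs

    def as_exchange(self, client):
        """AS-REQ/AS-REP: issue a TGT; no password or hash crosses the wire."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session,
                                  "exp": time.time() + 36000})
        return tgt, seal(self.keys[client], {"session": session})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: issue a service ticket to a holder of a valid TGT."""
        body = unseal(self.tgs_key, tgt)
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        if auth["client"] != body["client"] or body["exp"] < time.time():
            raise PermissionError("bad authenticator or expired TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": body["client"], "session": svc_session})
        return ticket, seal(bytes.fromhex(body["session"]), {"session": svc_session})


class Client:
    """Workstation logon code (the role LSASS or lsassd plays)."""
    def __init__(self, kdc, user, password):
        self.kdc, self.principal = kdc, f"{user}@{REALM}"
        self.key = derive_key(password, f"{REALM}{user}")  # never leaves this machine
        self.tgt = self.session = None

    def logon(self):
        self.tgt, reply = self.kdc.as_exchange(self.principal)
        # A wrong password derives the wrong key, so the AS-REP cannot be opened.
        self.session = bytes.fromhex(unseal(self.key, reply)["session"])

    def service_ticket(self, service):
        """Turn the TGT into a service ticket; the user is never re-prompted."""
        authenticator = seal(self.session, {"client": self.principal, "ts": time.time()})
        ticket, reply = self.kdc.tgs_exchange(self.tgt, authenticator, service)
        return ticket, bytes.fromhex(unseal(self.session, reply)["session"])


class FileServer:
    """CIFS server; its key was provisioned at domain join, not fetched online."""
    def __init__(self, kdc, principal):
        self.key = kdc.keys[principal]

    def ap_exchange(self, ticket, authenticator):
        """AP-REQ: accept a ticket sealed under our key plus a matching authenticator."""
        body = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        return body["client"] if auth["client"] == body["client"] else None


def sso_demo(password="correct horse"):
    """Log on once, then reach the file server with no second prompt.
    Returns the principal the file server accepted, or None if logon failed."""
    kdc = KDC()
    fs_principal = f"cifs/fs01.corp.example@{REALM}"
    server, client = FileServer(kdc, fs_principal), Client(kdc, "alice", password)
    try:
        client.logon()
    except ValueError:
        return None
    ticket, svc_session = client.service_ticket(fs_principal)
    authenticator = seal(svc_session, {"client": client.principal, "ts": time.time()})
    return server.ap_exchange(ticket, authenticator)
```

`sso_demo()` returns `alice@CORP.EXAMPLE`: the client sent nothing derived from the password, yet the file server could verify who it was talking to because the ticket was sealed under the server’s own long-term key. `sso_demo("wrong password")` returns `None`, since the AS-REP cannot be opened with a key derived from the wrong password. The local-credential path in the paragraph above has no equivalent of the TGT, which is why each server has to fall back to prompting the user or to NTLM.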

Challenges of Authentication in the Cloud

Consider now “the cloud.” Or, rather, clouds, because you’ll find several offerings that fit under the cloud umbrella.

Well, first consider that the initial cloud that any of us will encounter is really “the local VMware datacenter” or as it’s now being called, “the Private Cloud.” No problems with the Private Cloud – it’s connected to our network and can fully participate in the goodness of Active Directory and Kerberos.

The second cloud we’ll encounter is “the Hybrid Cloud” – an external cloud of computing resources that serves as an extension of the internal datacenter allowing workloads to be offloaded as needed. How authentication takes place in the Hybrid Cloud depends on exactly how it’s implemented. Many in the cloud business, however, suggest that it should be connected to the Private Cloud via virtual private network (VPN). If this is the case, the external cloud resources are effectively part of the internal network and we’re back to the simple Private Cloud scenario.

So, finally, let’s consider the “Public Cloud.” This is where things get messy.

The Public Cloud is generally defined as being external to the companies that use it. It is where SaaS-type applications (typically web-based) will run.  Microsoft’s Azure platform, for example, defines a very compelling set of libraries and software architecture that simplify the creation of massively scalable apps. “Let a hundred [web app] flowers bloom”, to misquote Mao Zedong. How does authentication work in this context? When you login to a web application, how are your credentials validated? The answer is, unfortunately, “all kinds of ways” – LDAP, database lookups, file lookups, even Kerberos, sometimes.

Tower of Babel in the Clouds

The problem with this lack of cohesive authentication strategy is that it makes it difficult to effect things that we take for granted in the Private Cloud. When somebody leaves the company, how do we disable his/her user accounts on outside SaaS apps? How do I keep track of my passwords for all my various applications, since they don’t support single sign-on? How can we enforce password policies when no two systems use the same authentication mechanism?

We are just beginning to solve some of these problems.  SAML (Security Assertion Markup Language) and ADFS (Active Directory Federation Services) are protocols, for example, that allow “identity federation.” They enable apps that run on the Public Cloud to authenticate users with their own corporate credentials. SalesForce, for example, allows you to login with your own corporate username and password if you set up a federation agreement with them. Unfortunately, identity federation is well defined only for some simple web application use-cases. There’s no easy way for me to back up my local disk to a Public Cloud service automatically using my corporate credentials to authenticate me to the service. I can’t write a local application that accesses a SQL database on a Public Cloud that enforces security using my federated corporate identity.

Ultimately, we need to remove the distinction between corporate and web authentication – all authentication should be based on Internet-routable protocols and the nature of identity federation should become simpler (there should be no need for internal/external identity federation servers).

This will take a long time – Microsoft’s version of LSASS knows nothing about web-based authentication protocols. When we do figure this out, however, we should make sure that we do not lose the many benefits of our current mechanisms. Kerberos is a great security protocol, offering the user much convenience. Let’s figure out how to more broadly apply it in the Public Cloud context.

You could have easily missed this one.  VMware and Novell announced they are expanding their strategic partnership.

VMware and Novell Expand Strategic Partnership to Deliver and Support SUSE Linux Enterprise Server for VMware vSphere Environments

There is a much bigger story here on two fronts.  The first is that while the language in the release carefully avoids the word “free,” this is in fact how VMware’s vSphere customers will view this announcement.  vSphere licensees are now also entitled to a license of SUSE Linux Enterprise Server (SLES)–once the crown jewel of the SUSE business.  For free.  And software patches and updates.  For free.  I’m not going to make any prognostications about how this may or may not change the landscape, but I’m pretty sure that large VMware shops are going to at least take a pretty hard look at SUSE.

More details on the “free” part of this announcement on VMware’s site:  SUSE Linux Enterprise Server for VMware

The second story playing out in front of us I believe is a larger one.  The value the OS has to IT operations has been waning over time.  Of course this has almost always been true on the business side of the shop–they care much more about applications for example and not very much about whether servers run Linux or Windows or Solaris.  But IT operations teams cared about operating systems because it was their foundation on top of which they built everything.  The foundation is changing. It isn’t the operating system–it is becoming the virtualization layer.  I believe the VMware / Novell announcement is another small step in the ongoing movement towards the complete commoditization of the operating system.

This announcement is also very relevant to our space.  As I’ve previously blogged, customers are increasingly looking for common IT services across the hypervisor, guest operating systems (Windows and Linux) and various other management and application elements.  Authentication is as often as not one of the first things that organizations want to unify across these layers and almost always this involves a mix of different operating environments.

Both VMware and Novell are Likewise partners and both are commercial licensees of various pieces of Likewise technology.  Novell, both through their partnership with Microsoft and through their licensing of Likewise Enterprise for SUSE Enterprise Desktop, has been aggressive in differentiating around Linux/Windows interoperability.  As we’ve previously announced, VMware licenses our authentication technology known as LWIS (Likewise Identity Services) which, when it ships shortly in vSphere, gives VMware customers the ability to manage privileged user access via Active Directory.  Add in Likewise and SUSE and you have common authentication in mixed Windows environments across the hypervisor, SUSE and Windows guest OS instances, and various other applications.  Very cool.

Interesting article on virtualization and the cloud by Amy Newman at ServerWatch.

http://www.serverwatch.com/article.php/3871306/Big-Blue-Bets-Big-on-Red-Hats-Virtualization-Technology

Aside from covering the news (Red Hat/IBM and VMware/Likewise announcements) Amy makes some prognostications of how the virtualization market may play out over time:

  • VMware wins virtual server market in mid- and large-sized enterprises.
  • Microsoft takes the top position in SMB virtualization.
  • Citrix owns the virtual desktop.
  • Red Hat succeeds in the cloud.

Interesting.  Especially interesting for Likewise, as we work with all four of these companies.  We license portions of our technology to both VMware and Citrix; we partner with both Red Hat and Microsoft.  We know all of these companies very well.

Increasingly I’ve heard our customers discuss their Likewise deployments in context with their cloud initiatives.  Here’s my take on the cloud, enterprise computing, and Likewise:

  • The cloud is nearing the peak of the hype cycle.
  • For the enterprise, most of the action (meaning $s) is in the internal cloud.
  • The internal cloud is the modern data center — highly virtualized with the promise of vast scalability with a utility computing model.
  • Companies are looking for common IT services across hypervisors, operating systems (Windows and Linux), and management components.
  • The internal cloud is a bridge to hybrid and pure cloud topologies for enterprise computing.
  • Winning technology providers will be those that unify these various pieces and platforms.
  • Many organizations view authentication and policy as the right place to begin this unification process.

The one thing I know for sure is that the winner of the virtualization/cloud scrum will embrace cross-platform computing.  CIOs want to work with companies that make the various platforms work well together, not ones that make the problem worse.

Many of our customers tell me that Likewise is a great position for the cloud computing revolution.  I agree.