Instead of writing about it, let me share with you the words of my mentor and senior most leader of our department:

---

From: Joey M. Sudomir
Sent: Friday, May 10, 2013 12:31 PM
To: !!! All THPR Information Technology
Subject: Jonathan Merrill

Team,

It is with very mixed emotions that I let you all know that Jonathan Merrill has submitted his resignation, and that his last day with Texas Health Partners will be Friday, May 24^th. As many of you know, Jonathan has been starting many new chapters in his life, and he has a wonderful opportunity to start a new professional journey as well. Although I hate to lose him, I understand and support his decision.

Most individuals in this organization, IT or otherwise, will never fully realize what Jonathan has meant to this company over the last 7 years. We have come so far from a technical maturity standpoint, and Jonathan has been the main driver of that change, through both his intellect and sweat equity. He has positioned us very well to carry on in his absence, but at the same time, we need to take a moment to honor his work. If you have the chance before he leaves, I strongly suggest you find the time to reach out to him to say thank you and wish him well. We will do our best to arrange a farewell get-together after hours, but always difficult to schedule with everyone’s calendars.

I would also personally like to thank / recognize Jonathan for all he has done for my career. As I have told the team before, anytime a leader in an organization advances their career, their team is at least 50% responsible. In my case, Jonathan and all the work he has done for this organization have gone a long way towards me achieving kudos that are more rightly deserved for him and the team.

Lastly, Scott Wentworth has agreed to serve as the Interim ESG Manager while we work towards getting the position posted and reviewing applicants. We are very excited for this leadership opportunity for Scott, who has spent the past year as a mentee under Jonathan from a team leader perspective.

Jonathan….congrats on your new opportunity. We will miss you!

Thanks,

Joey Sudomir
VP - Information Technology
Texas Health Partners

I recently took a trip to New Orleans and when walking to my gate, I came across this giant advertisement:

I was as surprised as this fellow in the picture.  Our experience with NetApp has been poor.  Nay, piss poor.  NetApp’s response to our long laundry list of issues after my blog to their Co-Founder, Dave Hitz, was sending in system engineer “experts”, 5 people of various disciplines sat with us with curious intent on how a small spec of an organization got the attention of NetApp.

What sold me on NetApp was a very successful demo, showing rapid recovery of SQL and Exchange data.  Compared to what we’ve seen, NetApp clearly had the best showing of them all.  Sales people do matter and the NetApp sales organization is very good.

As of today, we are much further along with NetApp than where we were last year.  Foremost, because of the brute force of learning by fire.  We’ve had three major data loss events over the past 19 months and all can be laid at the feet of NetApp.  All of them education issues and “gotchas” of the software NetApp is so proud of.

It’s clear to me that senior leadership at NetApp don’t have a clue how bad their situation is.  Probably because the hardware IS GOOD.  We’ve had little issue with the hardware and downtime has not been the issue.  Their Achilles' heel is the very thing they tout as their strength:  the software.

I’ve recently spoke with the former storage manager for Yahoo.com and he, exacerbated, explained how limiting and poor the software is forcing Yahoo to develop their own.  I invited a few colleagues to a NetApp/Microsoft sponsored event, which really was a sales pitch around the integration between NetApp and Microsoft’s System Center.  As they fed us lunch, we spoke to many NetApp storage customer and could not find one single happy customer.  Not one.

I checked back on Dave Hitz’s blog and noticed he stopped blogging and one post that really summarizes where NetApp is at from a software development front:

Mike's comment that this require coordination across different groups means nothing to me as an end-user. I understand the challenges of legacy development teams and the egos that go with them. But if Dave is thinking about reinvention at the 1000 feet level, I am hoping someone else is thinking about reinvention of the products and features and doing so faster than the pace Dave talks about ...

http://www.businessweek.com/magazine/content/07_23/b4037036.htm

'After a couple of hours on the firing line, Ford's engineers got defensive. Interrupting the testers, they started airing their side of the story in front of the new boss. Sensing that the meeting was deteriorating, Mulally says he handed each one a pad and pen. "You know what? Let's just listen and take notes," he said. The episode was a perfect illustration of what Mulally considers one of Ford's major problems: the tendency of employees to rationalize mistakes instead of fixing them. "We seek to be understood more than we seek to understand," he observes.'

Personally, I don’t feel NetApp is so incompetent to rationalize all their mistakes.  I do feel the organization is suffering from a serious lack of understanding of what they are actually trying to do.  In my opinion, it’s “build a better mousetrap” and that’s NOT the case.  Instead it’s “add features until you go blind”, something Microsoft is currently doing.  And that’s not exactly winning hearts and minds either.

Would I have selected NetApp as our storage vendor then now knowing what I know now?  No.  I can’t professionally recommend them to any organization unless they already employ a healthy storage team with much storage administration experience under their belt.

What’s the answer?  Compellent?  Nimble?  I can’t say.  The topic is worthy of deeper dive if we look at storage vendors in the future.  But as of today, I would vote NO to NetApp.

JMM

Sitting with our hospital IT management, a striking situation caught my attention worthy of a quick blog.  IT education has already been a real challenge on several fronts.  Educating our IT support personnel, our system and network administrators, even our development people are critical to any successful IT organization.  Running a first class IT organization requires continual investments with our people with the right IT skills.

But that is not the heart of what concerns me equally.  When talking about how our file servers are used and listening to the frustration of managers complain about our user community, clearly the problem was education.  Our customers didn’t know what to expect or what to do.  And somehow, they are supposed to just know?

Which brings into the focus one of the many facets of IT that often goes ignored:  the education of our user community is a duty of Information Technology.  Educating them on the basic IT functions ensures the proper usage of the technology and inevitably, lowers IT support and improves business productivity

So, how to go about educating users?  What caught my attention was this peer group’s reluctance to develop ongoing education of the basic IT functions.  Sending an email to the user community when the behaviors are clearly out of control was the consistent response to issue.

Sending emails is not education.  It’s a simplistic and reactive form of communication.  I challenge the argument that less education breeds better users and inevitably gets IT better treatment.

Educate your user community.  Grow and develop trust by empowering your people.  And breed a culture of knowledge focusing on the needs of the business and watch your community take to the technology and produce amazing results.  It can happen.  Start with you.

JMM

This week, I was invited by one our network vendors, McGuire Solutions, to join them attending a unique event at Dallas’ Museum of Flight.  One that was surprisingly eye opening.  Exciting, yet humbling.  And although the story line that framed the event was hokey, the topic and technologies were not.  Symantec’s Cyber Readiness Challenge pits you against an evil corporation and espionage is the name of the game.  Using every day tools, you dive into various technologies to uncover company secrets.  You decrypt files, find servers, grab documents, etc..

This event is part educating people, part exercising “white hat” hacker skills, and part getting security people together.  I met a variety of people at this event and was pleasantly surprised by who attended: IT security people, IT managers, business owners, and… regular people.  Yep, regular people who are not in IT or security business, but intensely interested and want to listen and learn.  I was impressed.

Oh, and don’t forget this event is sponsored by Symantec, so there was 6 tables at the back selling their security tools and giveaways.  The Symantec sales people were pretty cool and not overly pushy.  Definitely this event was about the challenge and not salesy.

I took a few pictures of the event as it was pretty fascinating to watch.

Picture 1 – Setting Up For Cyber…

The gentlemen you see in this picture is John Madison, one of the security engineers that work for McGuire Solutions.  Here he is setting up his hacking tool kit, which I am not completely informed as to what all is here, but can tell you it runs Backtrack hacking tools, like almost everyone else in the room.

Couple of notes here, we were on the only ones to bring in a PC.  Everyone else just brought their laptop.  So, you can imagine we gathered quite a crowd early on.

Picture 2 – The Battleground

This picture was taken about the midway point in the competition.  As you can see, everyone else had laptops.  I wish I could say the McGuire team was in a solid lead, but not so much.  Valuable lesson to be learned here – You don’t need a crazy amount of hardware and hacking tools to do a lot of damage.  Takes know-how.

Picture 3 – Misery, Agony, And Defeat…

This was the last picture I took.  With about 15 minutes left in the competition, my friends at McGuire Solutions began to see the end in sight.  The final quarter had tempers flaring, frustration, and then some general humbling.  Being active security professionals in the industry, they had expected to do much better.  Alas, we didn’t get off Level 1, unfortunately.  And Greg McGuire, the gentleman on the right, looked on grimly, but was pretty cool about it.  Truth is, this was their first event of this kind and did indeed test their skill.  The team walked away with a better idea on what needed to be known before walking into another one of these events.

The gentlemen that won the event was one of the people sitting at our table.  He was a security guy working for a financial company in the DFW area (named withheld at his request).  However, he had mentioned attending a recent SANS Institute training event where you practice hacking a city network in a similar event.  Just looking at him, you’d easily underestimate him, but clearly is a force to be reckoned with.

My Thoughts

I thoroughly enjoyed the event and actually learned quite a bit.  In fact, next time I will bring my own laptop and try it myself as I actually was helping the McGuire team get on the board a few times (make sure you know your NSLOOKUP commands).  The event was about 3 hours long and Symantec was giving away prizes along the way.  Everything from backpacks to gyrocopters to Kindles and Amazon gift cards.

I looked upon this event with avid respect and awe.  I’ve always been keen on testing people’s skills and growing knowledge through doing via competition.  This event had all those elements baked in and I loved it’s venue and execution.  Frankly, there should be more events like these in various areas, such as Active Directory, Exchange, Routing/Switching, Firewalls, etc.  I am very curious about the software that hosts the event and using it in that context.

Symantec did a great job.  I definitely will go back if they host it next year.  Amazing time and learned a lot.

JMM

Growing up as a kid, I did have a few TV role models that I look back on with revered reminiscence.  Here is my list

---

#4.   James Phelps - Mission Impossible

Mission Impossible came on during the prime time hours and was one of the shows I religiously watched before my parents forced me to hit the sack.  I found the show fascinating to watch as mission after mission carried out with ruthless precision, cerebral tactics, and amazing results.  The show only got better as it moved along.

To me, James Phelps was the consummate strong leader, demonstrating coolness under pressure, a calculating demeanor that you would expect from a elite spy organization.  Also well spoken, well dressed, and always the professional.

Killing off Phelps in the Tom Cruise movie Mission Impossible was a surprising twist as it stepped away from the legacy MI into modern MI.  Too bad subsequent movies haven’t really lived up to the panosh of the original series.  Oh well, progress I guess…

 

 

---

#3.  Flint – GI: Joe

Warrant Officer Dashiell Fairborn, code name Flint, was my absolute favorite Joe during the cartoon series in 1984.  Why?  Besides my already deep love of the military by then, Flint embodied an identifiable character.  Typically in trouble for not following orders to the letter, Flint always found himself at odds with his superiors and typically exceeded his limits in executing the mission.  As a typical Joe, he always accomplished the mission, but not without not a few unexpected circumstances.  Having been in trouble more than a few times, Sergeant Slaughter reconditioned and retrained Flint putting him back onto the Joe team and always considered someone reliable and skilled in getting the job done.

I identified with Flint as a kid.  I found myself at odds with my parents and teachers more than a few times and frustrated I didn’t quite fit in.  Flint reminds us that getting the job done is most important and sometimes you have to crack a few eggs to make an omelet.  And while Flint always respected his peers, the team, and especially the USA, it takes guts to speak out when something isn’t right and make an unpopular decision, even if it was the right thing to do for all the above.

---

#2.  Robert McCall - The Equalizer 

Probably my favorite TV shows as a kid!  The Equalizer was a former British secret agent retired and helped those folks who couldn’t help themselves.  Everything from gangsters and bullies to terrorist organizations and spies, Robert McCall flexed his training and expertise with MI:5 and applied his trade to the mean streets of New York city in retirement.  Not to mention his choice of car, a Jaguar XJ6, perfect for a man of impeccable style and amazing style.

I found this show as fascinating as the others.  While being retired as secret agent trade doesn’t completely allow one to step away from their past, I idolized people of his character and ability.  A consummate professional, he was a savior to most, a hero of many, and all done for the good of humanity.

McCall to me was who I hoped to be at his age.  Someone with amazing capability to do whatever needed done, helping others without need for award or acknowledgement.  I learned much from him and feel he is a amazing role model.

 

---

#1.  John Luc Picard – Star Trek: Next Generation

John Luc Picard, captain of the starship Enterprise, NCC-1701-D.  A trained and accomplished leader, his career is an example to all future leaders.  His leadership style is to value knowledge, lead by example, to challenge people by pushing their potential, and embrace a regimented lifestyle in executing the mission of peace keeper in the galaxy.

In the battle of the captains, I would pick Picard amongst all others.  Watching Picard’s effect on his crew is amazing.  One episode in particular where Worf takes executive officer responsibilities and handles it badly, Data reminds Worf of Picards’ professionalism and leadership, as an example to follow.

Even to today, I model my leadership after his principles.  As a manager of people, I can attest how difficult it is to be a successful leader and having the responsibilities’ assigned of keeping a small city mission ready.

Managing an enterprise of information technology is just one aspect of what a star ship captain must deal with, but I find myself understanding the breadth and depth of all the various technologies under my own supervision and the challenges each face.

JMM

Many of you have been emailing me about how little activity has occurred on the site and it’s proliferated even onto LinkedIn.  What have I been doing and what’s going on with Jonathan?

Foremost, Cinzia and I have been separated since September and in the process of divorce.  Probably the single most devastating event that has occurred in my life, the loss of my best friend and spouse of 14 years.  There are probably many reasons why it culminated to this point, nonetheless, it’s taken a deep emotional toll on my well being and has effected me in all parts of my life.  I still deeply miss her and have many hopes for the future, for her and my children.

During this time, I’ve reflected upon my life, my relationships, and my career.  And although I have have lost much, I am putting the pieces back together and trying hard to focus on what’s next for Jonathan.  I feel strongly there are many more chapters to write in front of me, which is why I am starting first with a real campaign to lose some weight.  As of today, I am 45 pounds down from where I was.  Although most of this loss was stress related, I’ve taken to walking, the treadmill, and swimming to ease the stress and keep the weight down.

And starting January 7, I’ve decided in embark on the Visalus 30-day challenge.  My family has been on Visalus for some time and their weight loss stories are pretty incredible.  I’ve been struggling to get past 45 pounds, so I am hoping to lose another 30 pounds in 30 days.

Career-wise, and although I’ve entertained a few offers, I’ve decided to stay put at Texas Health Partners.  I am not ready to leave the city that Jonathan built just yet as we’ve got some pretty big projects planned.  Further, working with my management team has been a blessing and challenged me as a person, a technician, and a leader.  There is more to grow on and will be focusing effort on building up the next generation of IT leaders in the process.

Net-net, I am looking ahead with spirit, vigor, and positive determination.  I’ve not lost faith as friends and family have intervened and been a wonderful source of sustenance and support.  I’ve leaned on these people and come through the other side with just flesh wounds, but faith and sanity intact.

Thank you for reading and looking forward to writing for you in 2013.

JMM

Looking at the tablet landscape, I am dismayed that there have been a lack of choice competing with the Apple iPad in the Microsoft Windows space.  In fact, I am appalled that it’s taken this long to get manufacturers to make the big choices and get products out there that are in such major demand.  I understand Intel didn’t exactly help, but I hold the manufacturers equally to blame with some pretty big misses.

With that said, I cannot consciously support Microsoft’s decision to compete with manufacturers.  Here is a few of my reasons:

1.  Please stop doing hardware.  Microsoft’s strengths have always been software, but the company is a monolith now with so many divisions.  Long time Microsofties and watchers all agree, their current course has too many paths.  And when you try to be everything to everyone, you end up making no one happy.  Take those R&D dollars and put it back on software development.  Get out of the hardware business.

2.  Windows RT is just another OS.  Trying to explain why healthcare apps won’t just run on Windows RT will be as popular as explaining why they won’t just run on Apple’s iPad.  I’ve already had a expert tell me to virtualize the application, so it will run anywhere.  Great, that would actually be on less reason for Microsoft Surface and one more reason to allow Apple iPad.  Until Windows RT has the application base, it will be an off-shoot and not have the business applications, turning this into a novelty item.

3.  Stop trying to be Apple.  This clearly is a move to capitalize on Apple’s successful business model.  The problem is… you don’t have that culture.  It’s not baked into the software.  It doesn’t permeate the halls of Redmond.  It’s not prolific in the Microsoft story.  Microsoft culture is different and was successful because of the focus on the software.  The maddening part is seeing Microsoft trying to be something it is not.  Forage your own path and embrace your roots.

4.  Have Nokia do it.  Nokia makes a damn good phone.  But, my perception of Nokia is that company is teetering on the verge of either being super successful or a big failure.  The Microsoft partnership should be bolstering Nokia’s software development efforts.  Windows 7/8 phone is a win, despite what market performance says.  Releasing a tablet that runs Windows 7/8 phone would directly compete with the iPad in usability.  Nokia has the engineering knowledge to do this right with the power of the Nokia brand to back up why this would be a good purchase for the consumer.

5.  Clinical application and Windows 8 DNA just don’t mix, yet.  It’s only just now we are starting to see Windows 7 and x64 support.  The big names are so very slow in updating their software and drag their feet to support modern operating systems.  Although I am excited about adding touch to the mix, it will be at least 1-2 years before clinical applications will support Metro UI.  And only after watching the market to see if Windows 8 ends up in the same bin as Windows ME.

If not Microsoft Surface, then what?

Right now, we are purchasing Samsung Series 7 Tablet.  Our executives love the portability and functionality.  With Intel Core i5, it has the power it needs to actually be a useful slate.

We are eagerly awaiting Dell’s Latitude 10 Tablet.  Although I am worried about performance with Intel Atom processors lacking the oomph to make it a viable platform for portable clinical applications.

JMM

Software chosen, we moved into the next phase which was performing the deployment.

We approached the deployment methodology this way:

1.  Purchase SED Drives – We purchased Seagate’s Momentus 7200 FDE, Model # ST9250411AS.

2.  Clone old drive onto new drive – We purchased Miray’s HD Clone and used a standard USB hard drive cloner we picked up a a local PC store.  We dedicated a laptop to performing the cloning, a Dell Precision M2400.

3.  Load SecureDoc agent on PC  - We tried pushing it via GPO and were unsuccessful in our attempts.  We performed manual installs.

4.  PC inherits the policy and turns on full disk encryption – Once the PC phones home, it picks up the policy and turns on the encryption.  Slick!

We performed our corporate office first, which was approximately 40 laptops, just to see how it would go before we put the process into effect at our hospitals.

Here is the list of gotchas that caught us:

-  ACPI vs. IRRT vs. ATA Mode.  The suggested configuration is ACPI.  As we began the deployment, we discovered half of the corporate office laptops were configured IRRT and the other half was ACPI.  And a few of our level 1 technical people, during the troubleshooting, configured the mode ATA.  A soupy mess.

This particular situation actually has a typical “IT story” around it.  This as this particular issue was actually raised a few months back by CompuCom’s security consultant Andrew Reese.  An honorable mention should go out to him as he accurately predicted this would happen without addressing it in the testing phase.  Our dumb luck was every test laptop was already configured correctly as ACPI, so the issue didn’t really rear it’s ugly head until we began pulling customer laptops.

Although we created a remediation plan and baked the instructions into our deployment methodology, we found a lack of consistency from installers which contributed to more ATA mode and less ACPI configurations, which had a performance impact.

-  Dell E-Series Laptops vs. Everything Else.  We had two different SecureDoc installs which represented two different versions of boot loader that would get installed on the laptop.  Version 4.x of the install worked on every laptop, but didn’t have many features or functions and limited our abilities to what we could do on versus off network.  Version 5.x of the install worked only on E-Series laptops, which had all the bells and whistles and worked as we needed.  Another situation where testing failed to manifest this result, so once again as we deployed, we steadily worked with WinMagic’s onsite technical engineer Hal Hagan, to address this with separate boot loaders.

Once this was resolved and PC’s rebooted, the policy applied and encryption was affected.  Yay!

-  Boot Loader Matters.  The differences between 4.x and 5.x were significant enough to create little gotchas everywhere in our post-deployment.  Different boot loaders perform differently depending on whether the device is off network or on network.  The differences are stark and should be closely examined when looking at what your trying to lock down and on what boot loader.  Synchronization with Active Directory being one of the key issues between boot loaders that has caused us to modify our encryption methodology.

- Intel Anti-Theft.  Probably one of my most exciting features we’ve deployed and greatest disappointments seeing in execution then having to pull back.  Being a proponent of leveraging our Intel vPro investment, this feature was a part of our security response in the event of a theft.  Intel, however, has made it a tad difficult to get it off the ground, requiring command line executables with arguments as long as my arm.  Using WinMagic’ administrator console can get the initial configuration out the door, but the care and feeding turned out to be a gotcha, especially if the laptop is dead in the water from not phoning home within the right time frame.  Our reasonable timeframe was too aggressive for some mobile users and this topic is still one for discussion.

---

Part 3 of this series be our wrap out of the encryption project and conversations we’ve had with WinMagic for the past 12 months, as October rounds out 1 year since we’ve deployed this solution.

JMM

What if your organization’s leadership directed you to deploy an enterprise encryption solution in 120 days?  Could you do it?

I received that message in May 2011 and our basic business goals were full disk encryption (FDE), low laptop performance impact, and low administrative overhead (easy to support).  Our IT organization is pretty lean and our fear was introducing the encryption solution would dramatically increase our support requirements to our end users.

We began researching the industry and came up with some exciting concepts.  From http://www.trustedcomputinggroup.org/resources/selfencrypting_drives_sed_overview:

1.  Transparency: No system or application modifications required; encryption key generated in the factory by on-drive random number process; drive is always encrypting.

2.  Ease of management: No encryption key to manage; software vendors exploit standardized interface to manage SEDs, including remote management, pre-boot authentication, and password recovery

3.  Disposal or re-purposing cost: With an SED, erase on-board encryption key

4.  Re-encryption: With SED, there is no need to ever re-encrypt the data

5.  Performance: No degradation in SED performance; hardware-based

6.  Standardization: Whole drive industry is building to the TCG/SED specifications

7.  Simplified: No interference with upstream processes.

Selection results from August 2011:

Product	Pros	Cons	Verdict
Wave Technologies	- Dell recommended technology. - Supports SED drives. - Sales staff helpful and knowledgeable.	- Not web-based. - Multiple applications. - Deployment rocky during test deployment. - Most expensive solution.	Performed a test but testing team did not choose due to the multiple applications required to manage the encryption functions, not intuitive to manage, and cost/value questions.
Microsoft	- Easy to deploy and with MDOP, very manageable! - Enforceable through AD GPO.	- Does not support SED technologies - Poor reporting / auditing.	Did not test as the solution did not meet technical requirements, although testing team liked the solution.
Symantec	- Solid web demo. - Likeable UI, easy to use.	- Sales people not very excited by SED drive support.  Tried pushing us to software client.	Did not test as there was a perceived uncertainty from sales staff that made us uncomfortable.
McAfee	- Another solid web demo. - UI consistent with every other McAfee product. - Awesome sales staff.  Super helpful.	- Bloated client and administration console. - Really only a contender if using other McAfee products. - No SED drive support.	Performed a test but did not choose due to a EPO Orchestrator requirement and lack of SED drive support.
Credant	- Dell recommended technology. - Supports SED drives (Seagate and OPAL). - Very knowledgeable sales staff.	- Horrid UI.  Inconsistent.  Font was super small. - Credant initially offered to send us an engineer to help us get the test environment up, but reneged.  When we ran into trouble, took us a long time to resolve. - Cost/value questions.	Performed a test but did not choose due to difficulty with getting the test environment running and successfully managing SED drives.  2nd highest cost.
WinMagic	- Easy to install, configure, and deploy.  Testing went quick. - Full SED drive support (both Seagate and OPAL support) - Support for Intel Anti-Theft using vPro technology	- 80s UI - Easy to get overwhelmed due to the multitude of features and options. - Was on the cusp of a buy-out from Trend Micro.  Rumors flying around of staff reductions and viable future.	Performed a test and was product was chosen.  3rd highest cost, but met all requirements.

Summary

WinMagic’s SecureDoc was selected and we began the next phase… deployment.  Which I will write about in next week’s blog.

JMM

Hospitals really need a good single sign on solution.  So many applications.  So little integration with Active Directory.  So when I was pushed towards ExpreSSO, a product from the former Sentillion corporation, I was blown away at it’s simplicity and ease at creating the various connectors and login objects.  It’s film-like interface was pretty easy to use and intuitive.  My excitement soared at the potential.

Basically, it’s single sign on (password management) + shared workstation mode + badge reading (tap in/tap out) + password self service.  Cool stuff.

When the product arrives, it is literally two Dell PowerVault servers running Linux, setup in a clustered environment, called ExpreSSO Vaults.  Think “password vaults”.  Configuration is via a web interface and desktop control via a deployable agent.  Setup of connectors and passwords once configured is fairly straight forward and it indeed works.

So far so good.  But like every doomed project without score carding or even a demo/pilot, ExpreSSO has been a real problem in execution and a disappointment in practice. 

Here is a brief list of the issues we’ve seen:

1.  Product is designed for Windows XP.  And still is.  No mapped drive profile support.  That effects %PATH% and using GPO with re-directs, like My Documents in Windows 7.  Doesn’t work with shared workstation.

2.  Product is designed for Windows XP…No Windows 7 x64 support.  No Windows 2008 R2 support.  Yes, Windows 2003 x32 support.

3.  No auto-upgrade of the ExpreSSO agent.  No auto-deployment.  No auto-upgrade.

4.  Single site, single subnet.  Both vaults must be on the same IP subnet and be on the LAN.  No enterprise DR.

5.  Single domain.  No forest support.  ExpreSSO doesn’t support hosting vaults at the enterprise level, but only at the domain level.  Cost prohibitive.

6.  ExpreSSO’s configuration includes similar policies that can be configured and would take precedence over Windows GPO.  Problem is ExpreSSO’s policies are not as granular as Active Directory GPO.  We found ourselves rolling back ExpreSSO’s policies in favor of AD policies.

Workarounds… and more workarounds…

Then, in Feb 2010, Sentillion Corporation was purchased by Microsoft.  Probably the most positive thing that could have happened to Sentillion.  Imagine what could have happened.  Many rumors surfaced.  Some exciting.  Some validated (not all) by roadmap conference calls where customers expressed much enthusiasm.  Such as:

1.  ExpreSSO re-write from Linux to Windows.  Cool.

2.  Complete Active Directory integration, including GPO integration.  Wow!

3.  Single sign on as a Windows feature?  Check a box and get ExpreSSO?  Thrilling!

4.  Support for all the Windows platforms!  Bravo!

Nevertheless, none came to fruition.  In fact, the product has virtually stagnated with only routine bug fixes and patch support.  What was Microsoft doing with Sentillion’s assets?  Wow, what a missed opportunity for a game changer!

Which brings us to today.  Microsoft has created a joint venture with GE named Caradigm.  Basically, a rebranded Sentillion, battered and bruised from Microsoft ownership since many staff members were either scuttled or moved up and into the Microsoft organization.  But, putting on a determined face, many of the issues above are being addressed, having just had a conversation with Jim Campbell, VP of Development.  He acknowledged many things and came across as very confident.

However, it’s with great skepticism whether Caradigm can be trusted to pull it off as they have monumental challenges in front of them.  Two years of lackluster development, poor product support, and no perceived vision moving their product forward in line with Microsoft’s vision, which result in a unsatisfactory void with nothing but assurances from sales and development teams.

So, I leave you with these open items, from our meeting:

- ExpreSSO platform will stay on Linux.  No code uplift planned for 12 months.

- ExpreSSO will not have Windows 2008 R2 support until 1^st Qtr 2013, including virtualization on Hyper-V.

- ExpreSSO will not have full Windows 7 support until 1^st Qtr 2013, although partial support exists today.

- No plans for Windows Server 12 or Windows 8 support in the next 12 months.  No support for tablet architectures other than Citrix connectors for BYOD until 1^st Qtr 2013, which will introduce Hyper-V VDI support.

Shameful waste of time as they are so far behind technologically.  Disappointing.

Heavily invested, what can we do now but wait and see?

JMM