Category-breaking innovation

Selected by five columnists, these products and services offer fresh approaches to today's network problems.

The category-breaker: BroadbandAccess Service
The vendor: Verizon Wireless
The columnist: Ira Brodsky, president of Datacomm Research, Totally Unplugged

What makes this service so special? Until now, corporations willing to use mobile data to improve field productivity and service had to make significant, often unacceptable, trade-offs. Applications had to be "dumbed down" to work over slow and unreliable services via devices with frustratingly small screens and keyboards. Verizon Wireless' CDMA2000 EV-DO service, marketed as BroadbandAccess, performs more like DSL or cable modem service than familiar cellular data. BroadbandAccess heralds the long-touted era of 3G wireless. With Evolution-Data Optimized technology, organizations not only can extend enterprise networks into the field but also can reach customers equipped with handheld multimedia devices in new ways - perhaps changing the way we conduct business.

Who's using it? Because CDMA2000 EV-DO rolled out during the second half of 2004 in select cities, corporations are just starting to kick its tires. One of Verizon's biggest mobile data customers, UPS, is testing it. Other companies are doing the same but are reluctant to talk about it for competitive reasons. However, this is a technology that many users will start to employ on their own, so it behooves IT leaders to learn what EV-DO can and can't do in order to better manage and secure its use.

Verizon now offers at least partial coverage for BroadbandAccess in 30 cities and plans to cover 150 million people (about half the U.S. population) by the end of 2005.


Suitable business applications include e-mail (even with large attachments), Web browsing, database queries and multimedia messaging. Consumer applications include games, mobile TV, mobile commerce and location-based services.

How much will it cost the average enterprise? Verizon initially targeted business users exclusively, selling PC cards for $100 (after a $150 mail-in rebate) with a one-year service contract and $50 with a two-year contract. The service costs $80 per month with unlimited use.

What else should we know? CDMA2000 1xEV-DO is the first offering that gives users a genuine taste of the 3G wireless services promised for more than five years. With its peak data rate of 2.4M bit/sec, and users reporting actual throughputs of 300K to 500K bit/sec, EV-DO delivers "always on" performance rivaling that of most Wi-Fi hot spots (many of which are constrained in throughput by their DSL backhaul links).

As of Jan. 10, 2005, Verizon offered BroadbandAccess service in 30 cities: Atlanta; Austin, Texas; Baltimore; Boston; Chicago; Cincinnati; Columbus, Ohio; Dallas/Fort Worth; Dayton, Ohio; Hartford, Conn.; Houston; Jacksonville, Fla.; Kansas City, Mo.; Las Vegas; Los Angeles; Madison, Wis.; Miami/Fort Lauderdale; Milwaukee; New Haven, Conn.; New Orleans; New York/Newark; Orlando; Philadelphia; Phoenix; Pittsburgh; Providence, R.I.; San Diego; St. Petersburg/West Palm Beach, Fla.; Tampa, Fla.; and Washington, D.C.

That's not to say CDMA2000 EV-DO is the only robust mobile data solution. Users of Cingular Wireless' competing WCDMA service report performance almost as fast as EV-DO's. But EV-DO has a significant head start and is likely to achieve nationwide urban coverage sooner. Currently 10.4 million users worldwide subscribe to CDMA2000 EV-DO services; the vast majority of these users are in Korea and Japan. Though the number of WCDMA subscribers has reached 13.3 million globally, EV-DO is the more mature service with a better selection of devices (plug-in cards for notebook PCs and multimedia handsets). Plus, EV-DO users don't compete with voice users for bandwidth the way WCDMA users must; however, that advantage could quickly vanish as EV-DO operators launch wireless VoIP services.

Expect CDMA2000 EV-DO and the competing WCDMA solutions to continue evolving - perhaps leapfrogging each other as further enhancements are introduced. A new version of EV-DO promises higher data rates (up to 3.1M bit/sec), multicasting of multimedia content, greater capacity, and QoS support for low-latency applications such as voice. WCDMA promises even higher peak data rates (as high as 14M bit/sec) using a technology called High-Speed Downlink Packet Access, which Cingular recently trialed in the field.

Both enterprise users and consumers stand to benefit as proponents of the two competing solutions play "Can you top this?" Finally, mobile professionals will be able to access the Internet and e-mail, whether on the road or in the office, in essentially the same way. However, the impact of new multimedia handsets - with gaming and location-based services thrown in for good measure - is harder to predict; the advertising and mobile-commerce opportunities seem endless.

The category-breaker: Vintela Authentication Services
The vendor: Vintela
The columnist: Dave Kearns, writer and independent consultant, Wired Windows

What makes this service so special? Anyone who can bring Microsoft and Linux together deserves consideration for a Nobel Prize, but that's beyond our power. The least we can do is recognize Vintela with the Category-Breaker Award for simplifying the management of heterogeneous - Windows, Unix and Linux - networks. Vintela Authentication Services lets you manage a single logon/password for Unix, Linux and Windows efficiently - and securely - while extending Microsoft's implementation of Kerberos authentication to the 'nix platforms.


Who's using it? This simple, elegant solution was adopted by almost 100 organizations, such as Advanta Bank, Boeing, Brown & Williamson Tobacco, Cross Country Healthcare, Lockheed Martin, Paymentech, RotaDyne, the U.S. Department of Agriculture and Vertex Pharmaceuticals.

How much will it cost the average enterprise? Pricing is based on a combination of $200 per managed host/server and $25 per managed user. Vintela offers volume and site discounts.

What else should we know? Simply put, VAS reduces the number of times your telephone rings.

Anyone trying to manage a heterogeneous network of Windows, Unix and Linux boxes (with a mixed bag of servers, hosts and desktops) is aware of the numerous problems that cross-platform authentication and authorization can bring: the phone calls, the begging, the pleading, the yelling and the crying - and that's just when the help desk calls you.

A great outpouring of grief followed the release of Windows 2000 with Active Directory, because Microsoft implemented authentication and authorization schemes based on the traditionally Unix-based Kerberos service. Essentially, most Unix/Linux implementations use Kerberos for authentication and ignore the authorization aspects, while Microsoft uses the authorization services heavily. Windows 2003 Server continued to use Kerberos in this non-traditional way. Vintela saw this not as a problem, but as an opportunity. It has simply extended the Unix and Linux-based Kerberos so that it supports the uses Microsoft is making of the technology and thus supports cross-platform sign-on and authentication.

VAS is simple, it's elegant, and it complies with the Kerberos standard as written.

VAS also provides the ability to manage a single username/password combination for each platform, one of the two major methods of providing single sign-on to the enterprise. The other method (using a service to store multiple usernames and passwords while acting as a proxy for the user) can be a disadvantage when the proxy service is down. With VAS, even if users can't access Active Directory they can still log on to one of the supported platforms because the username and password are the same for each.

The number of supported platforms is pretty comprehensive:

  • AIX 4.3.3
  • AIX 5.1
  • AIX 5.2
  • HP-UX 11i v1 (B.11.11 / PA-RISC)
  • HP-UX 11i v1.6 (B.11.22 / IA-64)
  • HP-UX 11.0 (PA-RISC)
  • HP-UX 64-bit support
  • Sun Solaris 8 and 9 SPARC
  • Solaris 64-bit support
  • SuSE 8.0, 9.0 and later
  • Red Hat 7.3 and later
  • Red Hat Enterprise Linux

All user management in a VAS-supported network takes place within the familiar confines of the Active Directory utilities. Yet any password change done within any of the supported operating systems - actually any Kerberos-aware application or service - is automatically changed for all.

Figuring out the pricing for VAS is probably more complex than implementing and maintaining it, since it's based on a combination of the number of VAS-enabled Unix/Linux servers and Unix-enabled user accounts (one account per person) that will be stored and authenticated in Active Directory. Vintela defines a VAS-enabled Unix/Linux server as "any machine running Unix and/or Linux with VAS client software installed having concurrent log-in sessions that originate from five or more VAS user accounts." List price is $200 per server, $25 per user, but volume and site discounts are available.

VAS can simplify your life. But the company isn't resting on those laurels. Once you've implemented VAS, you'll also want to look at Vintela Group Policy, which extends Microsoft Group Policy to the same Unix and Linux platforms. But that's a story for another day.

The category-breaker: Access Enforcer
The vendor: Virsa Systems
The columnist: James Kobielus, independent IT consultant and analyst, Above the Cloud

What makes this service so special? Access Enforcer combines role and permission provisioning with workflow in a powerful new way. Access Enforcer automates the access-provisioning approval workflow. If users request online access to resources for which they don't have permission, Access Enforcer automatically forwards the request to internal approvers within a pre-specified, customizable business workflow. Updates to roles and permissions are automatically applied to enterprise directories only when access requests are approved within the appropriate workflow. When implemented within Virsa Systems' Continuous Compliance Suite, Access Enforcer automatically ensures that users aren't granted roles or permissions that might violate applicable laws or create conflicts of interest. (Access Enforcer is a separately licensable suite component.)
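The approval-gated provisioning described above can be sketched as follows. This is an added example, not Virsa's code or API: the role names, the conflict rules, the dict standing in for an enterprise directory and all function names are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed segregation-of-duties rules: role pairs one user must not hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
}

@dataclass
class AccessRequest:
    user: str
    role: str
    approvers: list                      # ordered workflow steps, assumed unique
    decisions: dict = field(default_factory=dict)
    status: str = "pending"

def conflicts_for(held_roles, requested):
    """Roles already held that conflict with the requested role."""
    return sorted(r for r in held_roles if frozenset({r, requested}) in SOD_CONFLICTS)

def submit(directory, user, role, approvers):
    """Open a request; reject it before routing if it breaks an SoD rule."""
    if not approvers or user in approvers:
        raise ValueError("need at least one approver other than the requester")
    req = AccessRequest(user, role, list(approvers))
    clash = conflicts_for(directory.get(user, set()), role)
    if clash:
        req.status = "rejected: conflicts with " + ", ".join(clash)
    return req

def decide(directory, req, approver, approved):
    """Record the next approver's decision; update the directory only on full approval."""
    if req.status != "pending":
        raise ValueError("request is closed: " + req.status)
    expected = req.approvers[len(req.decisions)]
    if approver != expected:
        raise PermissionError(f"next approver is {expected}, not {approver}")
    req.decisions[approver] = approved
    if not approved:
        req.status = "denied by " + approver
    elif len(req.decisions) == len(req.approvers):
        # Re-check at apply time: roles may have changed while the request was pending.
        clash = conflicts_for(directory.get(req.user, set()), req.role)
        if clash:
            req.status = "rejected: conflicts with " + ", ".join(clash)
        else:
            directory.setdefault(req.user, set()).add(req.role)
            req.status = "granted"
    return req.status
```

The second conflict check at apply time matters because a request can sit in the workflow while the same user is granted a conflicting role through another request.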


Who's using it? Virsa Systems developed Access Enforcer at the request of its user group of more than 100 enterprise customers in various verticals: aerospace, agribusiness, chemicals, consumer products, defense, financial services, government, healthcare, higher education, high-tech, media, oil and gas, pharmaceuticals, transportation and utilities. Almost a dozen customers currently have Access Enforcer in various stages of deployment, the company says. All have deployed Access Enforcer over SAP's enterprise applications and platforms.

How much will it cost the average enterprise? Pricing is based on a software license of $50,000 per instance deployed.

What else should we know? Role provisioning is one of the most difficult, complex and imperfect processes within identity management environments. Access Enforcer automates that process to the maximum extent feasible while ensuring corporate accountability and compliance with Sarbanes-Oxley and other laws and regulations.

What's truly innovative about Access Enforcer is the extent to which it automates role provisioning in keeping with approved enterprise workflows. We can best understand Access Enforcer's value by understanding how roles are traditionally provisioned in most organizations.

Traditionally (without Access Enforcer), users complete forms that request access to one or more business applications. Those forms are then submitted to a first-line supervisor who reviews, approves and forwards them for secondary approval by IT security or directly to administration for entry into the target system. Often, the managers who review access requests are expected to research and catch any potential conflicts of interest between the roles that the requester currently has and any new roles and permissions being requested. The temptation to expedite an under-researched access request can seriously backfire, exposing the corporation to significant legal, regulatory, security and financial risks.

However, with Access Enforcer, companies can speed up the request approval process while ensuring continued compliance with controlling laws, regulations and policies. Access Enforcer works as follows:
