If you haven't seen it yet, be sure to pay a visit to The ID Element - the one-stop shop for all things identity on Channel 9 - where you will find all kinds of material on Identity and Access Control: weekly interviews with product team members, developer how-tos, news, aggregated resources and more. There will be content for identity experts and those just getting started with the topic; content for developers and for IT Pros; discussions at the architecture level and step-by-step code guides. Most recent videos include: Alex Weinert on Forefront Identity Manager 2010 and Donovan Follette on making the shift from ADFS v1 to Geneva Server. Enjoy!
Many companies and IT leaders are eager to realize the benefits of cloud computing, but security is often a concern. For example, a recent study by Maritz Research found that 59% of IT leaders in the US rated security as the biggest risk with cloud.
As part of our Business Ready Security strategy , we are taking a comprehensive approach to security across on-site and cloud infrastructure. This encompasses protection, access and management, all built around user identity and integrated with a highly secure, interoperable platform for a broad set of partner solutions. (At the Worldwide Partner Conference on 7/13, we also announced the official names of the products comprising the Forefront Protection Suite, previously known as codename “Stirling”, in an effort to align our portfolio with this broader definition of security.)
We are delivering both standalone security services and security technologies within Microsoft’s cloud infrastructure. Forefront Online Protection for Exchange is an example of a standalone service solution, providing email security for both on-premises Exchange Server and Exchange Online (and other on-premises messaging systems). Another example is System Center Online Desktop Manager, available in beta by the end of the year. It is an integrated security and management tool that will provide desktop management capabilities in the form of an online service.
Identity is a core part of our strategy, because it allows for more contextual protection and access to information and resources. With our Forefront platform, on-premises identities, such as those in Active Directory, work with cloud services. That enables simplified, secure user access to applications, such as Exchange, regardless of where the application is hosted.
Forefront's identity provisioning/de-provisioning and access management empower customers to integrate their investments in Active Directory and existing identities with cloud infrastructure. And, with solutions like Rights Management Services, in the future customers will be able to enforce persistent, identity-based policies around data anywhere it is stored, sent, or accessed - including the cloud.
We are also providing fundamental identity components for Microsoft cloud services, such as the Azure Services Platform. The Microsoft Services Connector, for example, extends identities from on-premises systems to cloud services. The .NET Access Control Service issues and manages identity “claims.” Both are based on the next generation of Active Directory Federation Services, Windows CardSpace, and Windows Identity Foundation, which together comprise an open platform for simplified user access that works across organization boundaries for on-premises and cloud-based applications. Beta 2 of all three components is currently available.
Analyst Jon Oltsik of the Enterprise Strategy Group writes a column for Network World called "Networking Nuggets and Security Snippets." Last week he penned an interesting piece titled "The market impact of security/identity integration."
In the article Oltsik describes how governance, compliance and new electronic business processes are driving more alignment of security policy with users, roles and business activities. He goes on to provide his take on who the leaders, challengers, dark horses and question marks are among vendors in this newly converged space. He cites IBM, Microsoft and, tentatively, CA as leaders.
Yes, I'm flagging the story because Jon's take is very much in line with Microsoft's view and strategy. But it's worth a read.
Earlier this week the international open standards consortium OASIS announced that its members - including Microsoft, IBM, EMC, CA, Novell and others - have approved Identity Metasystem Interoperability (IMI) version 1.0 as an OASIS standard. The IMI standard is an important step toward broader adoption of Information Cards - a new way for people to register, log in and share information with web sites without a separate username and password for each site.
From the press release:
"Information Cards offer the best of both worlds—greater privacy and easier access," said Marc Goodner of Microsoft, chair of the OASIS IMI Technical Committee. "As an approved OASIS Standard, IMI assures interoperability across platforms and services, which will result in Information Card usage becoming even more widespread."
Information Cards are the digital equivalent of the cards people carry in their wallet or purse. They are stored in a new application called a card selector and carry information about a person's identity and relationship to the card provider, such as their employer, bank, library, store, etc.
I’m very pleased to announce that today Forefront Unified Access Gateway Beta 2 is available for download from www.microsoft.com/uag. This beta release marks an important milestone in Microsoft’s remote access strategy as it brings together a host of access technologies into one environment.
Chances are you are reading this post from your laptop… and if you’re not currently outside of the corporate network, chances are you will be later today… You might be at home checking your email and getting some last minute work items done… That’s what UAG is all about! It’s about making sure that you, the user, remain as productive as you need to be regardless of what machine or network you are accessing from. Of course, it’s also about making sure that your company’s network and assets remain secure as you work remotely.
We know that when they say that “one size fits all”, it usually means that it fits some people well and the rest of us need to compromise. The same is true with remote access... Each technology is best suited for a different scenario/environment and the trick is to make sure you get the right one for the right task. A VPN client would be overkill for casual access from a kiosk or stealing a minute of time on your friend’s PC at home to check email… On the other hand, being limited to web-access only from your corporate laptop will leave you unfulfilled and wanting more. Unfulfilled, in this case also means: unproductive. That said, having multiple methods of remote access also translates to multiple $$$’s. Each environment needs to be well-managed, supported, scaled, etc. No less important is that each user needs to remember which environment is best to use in which scenario to easily achieve productivity. This means you’re doing less with more and that’s not good… and not just in this economy.
So here’s how UAG solves the problem…. It brings together a variety of remote access technologies such as DirectAccess, SSL VPN, Remote Desktop, web publishing, etc. under one roof and one user/admin experience. This way, administrators can easily roll out access to every type of user (employees, partners, etc.) from virtually every location (corporate laptop, home PC, borrowed PC, kiosk, PDAs, etc.). Users, in turn, get a simple and straightforward experience that adapts to the security level of the device they are using. If they come in from a corporate machine, they can get full connectivity through DirectAccess or, for down-level PCs, SSL VPN. If they come from home PCs or borrowed PCs, access policies will be tailored to the security state of that device. For instance, if they don’t practice safe computing and don’t have anti-malware software installed, running and up to date, UAG can decide to block uploads so no potentially harmful files will reach the network. If the user has an updated AV we may allow uploads but consider blocking downloads based on whether or not the Endpoint Session Cleanup (formerly: Attachment Wiper) can run to clean up any residue or temp files.
The policy options are limitless but they are also simple. Built-in policies and administrative wizards help guide you through setting up SharePoint, Exchange, DirectAccess, Terminal Services and much more.
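To make the posture-based policy described above concrete, here is a small decision function that maps an endpoint's health to a transport and a set of allowed file operations. This is an added illustration, not UAG's own policy engine or code from the original post: the device classes, field names, and the rule that downloads are denied by default when anti-malware is unhealthy are assumptions made for the example.

```python
"""Posture-based remote-access policy, modelled on the UAG behaviour described
in the text. Added illustration only; the rule set, device classes and field
names are assumptions for this example, not UAG's real policy engine."""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import List


class DeviceClass(Enum):
    """Where the connection comes from (constructed categories)."""
    CORPORATE = "corporate"   # domain-joined, managed laptop
    HOME = "home"             # user's own PC
    BORROWED = "borrowed"     # a friend's PC
    KIOSK = "kiosk"           # shared public terminal


@dataclass(frozen=True)
class EndpointPosture:
    """Health facts gathered from the connecting endpoint before access is granted."""
    device_class: DeviceClass
    supports_directaccess: bool      # client OS can do DirectAccess (else down-level)
    antimalware_installed: bool
    antimalware_running: bool
    antimalware_up_to_date: bool
    session_cleanup_available: bool  # Endpoint Session Cleanup can run on exit


@dataclass
class AccessDecision:
    transport: str                   # "DirectAccess", "SSL VPN" or "Web portal"
    allow_upload: bool
    allow_download: bool
    reasons: List[str] = field(default_factory=list)


def antimalware_healthy(p: EndpointPosture) -> bool:
    """All three conditions named in the text must hold: installed, running, up to date."""
    return p.antimalware_installed and p.antimalware_running and p.antimalware_up_to_date


def evaluate(p: EndpointPosture) -> AccessDecision:
    """Map an endpoint posture to a transport and the file operations it may perform."""
    if p.device_class is DeviceClass.CORPORATE:
        # Managed machines get full connectivity; the transport depends on OS level.
        transport = "DirectAccess" if p.supports_directaccess else "SSL VPN"
        return AccessDecision(transport, True, True,
                              [f"managed device: full connectivity via {transport}"])

    # Unmanaged devices are confined to the web portal and get per-operation policy.
    d = AccessDecision("Web portal", allow_upload=False, allow_download=False)
    d.reasons.append(f"unmanaged {p.device_class.value} device: web access only")

    healthy = antimalware_healthy(p)
    if healthy:
        d.allow_upload = True
        d.reasons.append("anti-malware healthy: uploads allowed")
    else:
        d.reasons.append("anti-malware missing, stopped or stale: uploads blocked")

    # Assumption: downloads require a healthy endpoint AND the session-cleanup
    # component, so cached copies can be removed from the device afterwards.
    if healthy and p.session_cleanup_available:
        d.allow_download = True
        d.reasons.append("session cleanup available: downloads allowed")
    else:
        d.reasons.append("downloads blocked: session cleanup unavailable or endpoint unhealthy")
    return d


if __name__ == "__main__":
    # Constructed sample: a home PC with current anti-malware but no cleanup component.
    home_pc = EndpointPosture(DeviceClass.HOME, False, True, True, True, False)
    for line in evaluate(home_pc).reasons:
        print(line)
```

The point of structuring it this way is that the decision is explainable: every allow or deny carries the posture fact that produced it, which is what an administrator needs when a user asks why a download was refused from a borrowed PC.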
The features I’m most excited about in UAG are our enhancements for DirectAccess. DirectAccess is really the next step of remote access and provides the best user experience possible. Wherever you may roam, you are simply connected, always-on, to corpnet. There is no need to open a VPN client, wait for connectivity, etc… You simply login and you are connected! What UAG brings to the table is a variety of capabilities to help simplify deployment and management, extend access to older servers and clients and grow the scale of the deployment. If you’re not yet looking at DirectAccess for your organization, you should…. And if you’re looking at DirectAccess you should look at UAG!
I could go on and on about the features and capabilities but why hear it from me?! Go and download the beta and see for yourself.
For more information you may want to try:
· The UAG engineering blog
· UAG website
· UAG TechNet Center
· DirectAccess site and UAG DirectAccess page.
Product Manager - UAG