Microsoft focuses identity management effort

Amid the growing buzz around identity management, Microsoft is trying to pull together a platform that would offer corporations entry into a new generation of end-user management, security and regulatory compliance.

The software giant is tuning its client, servers and gateway software to align with the basic tenets of identity management, namely authentication, user management, access management and directory services. So far, the existing pieces lack cohesion and some aspects, such as Web-based access management, are missing altogether.

Thankfully for Microsoft, many competitors are facing similar construction projects. Additionally, corporate customers are far from deploying expansive identity-management platforms, preferring to focus on projects such as Web-based single sign-on.

The goal for Microsoft and others such as HP, IBM, Novell, Oracle and Sun is to provide an infrastructure that will support the federation of identities across secure corporate boundaries using XML-based Web services standards. Standardizing identity mechanisms will help cut costs, personalize access and ensure privacy.

"If Microsoft does this well - identity management on the Windows platform - and then [federates] it out to other platforms, it's the path to world dominance," says John Enck, an analyst with Gartner. "Sun, Oracle, IBM, Novell are all trying to get their act together on this. If you control your own platform you have a better chance for success."

The piece parts

In the meantime, Microsoft is banking its success on Windows Server 2003, Active Directory, Active Directory Application Mode, its recently revamped metadirectory server called Microsoft Identity Integration Server, and partnerships with vendors such as Netegrity and Oblix to fill the hole for Web access management.

Also in the mix is a mish-mash of tools the company hopes to pull together under the identity-management banner. Those include its Authorization Manager in Windows 2003, for building role-based access-management controls, Audit Collection System to track changes made to user identities or access rights, and BizTalk Server 2004 to support integration of platforms and basic workflows that help automate the creation and deletion of user accounts.

In addition, Microsoft is adding single sign-on adapters next year in BizTalk and Host Integration Server 2004 that make Windows user identities valid for accessing applications such as SAP and PeopleSoft or other platforms such as mainframes. Similar capabilities, namely password synchronization, exist today in Microsoft's Services for Unix, Services for Macintosh and Services for NetWare.

"All of this stuff is separate and it should be brought together to be uniform," Enck says. "But it's hard to pull it all together and it's not simple to implement. Today it's piecemeal and takes a lot of integration."

Identity management is gaining popularity because companies realize that network services that closely control user access to individual systems offer more security than perimeter defenses.

Proponents of identity-management systems say they make user management more affordable - through centralized management of user information - while improving security, easing repetitive tasks (for example, by reducing help desk calls for password resets), and dictating what users and systems have access to.

The drivers of the technology are mainly regulatory issues and legislation that require companies to protect user privacy, to ensure the accuracy of corporate financial data, and to audit and log their efforts to ensure compliance. Those pieces of legislation include the Sarbanes-Oxley Act, Gramm-Leach-Bliley Act, and the Health Insurance Portability and Accountability Act. Many companies in regulated markets are looking to develop some consistency regarding access to Web-based resources, which is a large part of how they share information.

"Companies feel they can use identity management to build standard security around the Wild West of Web development," says Jim Barrett, director of the security and integration practice at PricewaterhouseCoopers.

Microsoft and its competitors are scrambling to meet corporate needs. In 2003, IBM began tying together its suite of products - including Access Manager, Identity Manager, Directory Integrator, Privacy Manager and Directory Server. Oracle introduced its Identity Management platform including directory services and integration, provisioning, a delegated administration application, and authentication and authorization services. Novell unveiled its Identity Automation Framework, which incorporates its nSure product line that includes eDirectory, provisioning, authentication and auditing technology.

HP bought Baltimore Technologies for its Web access-management software, and Sun purchased provisioning vendor Waveset Technologies to add to its Sun Java System identity-management platform.

"From a pure identity-management perspective we have closed out the feature and functionality requirements," says John Fanelli, Sun's senior director of business management for system network identity, communications and portal services. "We think identity management is a two-horse race between Sun and IBM, but we are by no means counting Microsoft out."

The future

The next step is to integrate identity between companies using different platforms - so-called federated identity. To accomplish federation, vendors will have to employ a number of XML-based Web services standards, including Security Assertion Markup Language (SAML) and Service Provisioning Markup Language (SPML). IBM and Microsoft are working on a collection of protocols under the WS-Security banner that relate to identity, and Sun is a co-founder of a competing effort called the Liberty Alliance. IBM, Microsoft and Sun support SAML, but only Sun supports SPML.

Microsoft is focusing on something it calls Federation Server, which will implement Web services protocols such as WS-Security and others it is developing with IBM, such as WS-Federation and WS-Policy. The server is intended to support the exchange of identity credentials across corporate boundaries. Experts say it might be a way to eliminate the need for access-management software, which Microsoft currently does not develop in-house.

Microsoft will also add what it calls Indigo, a technology that won't be available for more than two years but will extend identity standards across clients and servers.