How identity and access management are the next key steps for Microsoft

Opinion by Dan Raywood

In a change from the usual musings on the week's news, I have decided to use the notes from an interview as a basis for this week's 'review'.



I was invited by Microsoft and Bite PR to meet with Doug Leland this week. Doug is the general manager of the identity and security business group at Microsoft and was over from Washington to talk about all areas of identity management, remote access and the general security side of the company and its offering.


So amongst the surroundings of Microsoft's smart central London office, Leland and I talked all things in this area. He began by explaining that the sector that he was heading up was only formed around nine months ago, and was looking to impact and address the identity and security sector.


However, is the first problem that people associate Microsoft with office packages, the internet and (in this sector) patching? Leland claimed: “Security affects the entire structure, the threat landscape is becoming more and more sophisticated and it is not just the operating system but the application is being targeted, so we need defence in depth.


“The application could be the mail system, it does the job of hitting the system and the threats have gone down, it is coming from outside.”


So this is the end of security that he meant; after all, anyone with a Hotmail address needs to have a sturdy password and has probably experienced a spam message from time to time.


In the area of identity, I asked Leland what he saw as the major issues for him and his team to deal with. He claimed that access for employees was the most prevalent, as remote mobile users want access to the network and the company needs to ensure that they do it securely.


Leland said: “I saw some statistics by Forrester where they claimed that by 2012, 70 per cent of the workforce will contact remotely. Mobility connection is looking to offer access to non-employees and share data across the boundaries or to let customers in to do a self service, there is a growing need for access but there is a need for protection.


“We started with email but now companies are looking to provide access to applications – for example when the sales team needs access to the customer data, this means that there is more and more need for application access.”


I asked if access is another area that is as important as the connection. Leland said: “Security lies with both identity and access, and it fundamentally comes down to a combination of technology and solutions and it is the responsibility of the various communities to ensure that they are implementing the right solutions.”


Leland further explained that his division is calling what they are doing ‘business ready security’, with key strategies to develop the IT to allow visible business and individuals to be more productive.


So if a company has remote workers and is securely allowing them access, is the next challenge for them to know who is logging in? After all, it is all very well to have a network that is secure, but what if no one can get in, or the opposite, where anyone can enter?


Leland explained that ‘security is more about locking down but also about access; you need a good understanding of who you are giving access to.’ He further explained that authentication ‘needs to be made simple with a goal of adding value’ and ‘needs to be flexible depending on the value of the asset’.


Staff who are working remotely need to have the ability to gain access to files from the network, and by bringing protection and access together you need to know that the customer is key.


Leland said: “The challenge with remote access is that the options are broader. In the old days it was easier as you connected by plugging in a cable, then wireless came along so you could sit outside the office and to protect that you blocked 802.11, now it is no longer as simple as you are protecting the virtual private network. To do it properly you have to have an automated application, so you can provide access and ensure that it is shut off. This goes back to risk and compliance.


“Security and policy need more context as it is now less black and white and now you need to know more. Do you have a managed device? Has it been patched? You need to know that too, if an employee has an unmanaged PC, then you have no idea whether it is up-to-date, it could be spreading viruses amongst the company and to your customer base. You need a context of who has what, when and where.”


This year will see the introduction of several new products from Microsoft. Leland explained that the intention is ‘about driving down administrative cost and driving up objectives’.


Among the launches is ‘Stirling’, for the management suite, which can single a console out for protection procedures, is installed in the server and allows the company to focus on compliance. This is currently in the beta stage.


Anti-virus will be shaken up with the launch of ‘Morro’, which Leland described as ‘a world class product at a great price’. He claimed that the intention is to deliver a type of product to PCs that are unprotected, typically in emerging markets where users don't have credit cards or access to products, and are usually part of botnets. Beta products will be available later this summer.


Finally, Forefront ID manager will cover identity provisioning and has an impact from a compliance perspective. Leland claimed that as businesses are downsizing, to ensure access privileges are removed you need to be able to attest to who has privileges.


“Most companies have this automated and often it will depend on the HR system that triggers a set of events to remove the details when someone leaves. Companies are not deploying solutions and you'll find systems where people have had access for years,” said Leland.


“There is a lot of value in the buying of security management that allows managed and unmanaged devices to connect, once you have validated the user identity and know who is connecting; the identity has to be part of the infrastructure.”


He further claimed that Microsoft is ‘the only company who has access to identity and security and the only one articulating that there is a new way to account security in a different position and with products in a business ready strategy’.


So to answer my original point, how do Microsoft and security fit together? When I was a security minion a year ago before I joined SC, Microsoft to me was Office and Hotmail, and during my time here I have learned about WSUS and now Morro.


Leland claimed that the company had ‘been in security since the first launch as we have got to build it into the systems and add security to it’. He said: “What is newer is the security solutions business that layers on the top of existing systems. It is newer for Microsoft and was new for the early 2000s, when we made strategic acquisitions and now this year is the next generation of technologies.”

