Executive Summary:

Microsoft’s new Identity and Security Business Group head, Doug Leland, provides an update about Microsoft’s identity and security strategy and how that will affect IT pros. Interoperability and compliance are key needs it’s addressing with its identity and access solutions. Leland also discusses how Microsoft is addressing securing workloads, both on-premises and in the cloud.

Identity, access, and security have always been top-of-mind topics for IT pros, but recent developments in hosted services, cloud computing, and Software as a Service (SaaS) have created challenges: How do you ensure the integrity of identity information in the cloud? How can you be sure that the right people are getting access to your vital corporate information in both on- and off-premise services?

Microsoft saw the writing on the wall in these areas and merged its Access and Security division with its Identity and Access division late last year, creating the Identity and Security Business Group. This merging of identity and security could mean Microsoft products and technologies such as Active Directory (AD), Windows Rights Management (WRM) Server, Active Directory Federation Services (ADFS), Microsoft Forefront, and Identity Lifecycle Manager (ILM) all might work more closely together in the future, making it easier for IT pros to deploy and manage their access and security infrastructures. To see what Microsoft has planned in this area, we recently spoke with Doug Leland, General Manager for the Identity and Security Business Group.

Jeff James: What are your overall goals for the Identity and Security Business Group?

Doug Leland: Our overall goals are to provide identity and security solutions for the broadest range of customers out there, from some consumers all the way up to the largest enterprises, and provide a range of customer solutions from being able to protect their endpoints—endpoint security—to being able to protect their strategic workloads—for example messaging and collaboration. At the same time we want to be able to provide unprecedented access to information applications and networks, all supported through a unified management experience across both identity and security.

Jeff James: What are some of the reasons why you think it’s important to combine security and identity?

Doug Leland: I think the key drivers for us in bringing identity and security together are anchored in our customers' needs, and of course in the needs of our partners, who are ultimately providing those services to our customers. One of the things we've observed in talking to our customers and our partners is that the business needs around identity and security have been converging for years. We saw this convergence of business requirements, and that dictated a need for us as a company to be able to solve these problems together.

Jeff James: Based on your market research and feedback from customers, what are the top things IT pros are looking for help with in the security and identity areas?

Doug Leland: Compliance is certainly one of the key needs, and that's an area where we believe the identity and access solutions we provide help enormously. The second area is around business agility, which we think of as helping customers realize the benefits of business models or new ways of conducting business. The third area is around being able to do all this, to ensure compliance and ensure agility but to do it at the right cost, with effective cost benefit. Those are the key needs that we hear reflected again and again from our customer base.

Jeff James: Could you talk about Microsoft's current identity and security products and where you're heading in the future?

Doug Leland: In the identity and security space, there are a range of point solutions that are available in the marketplace. And more and more as customers are investing in these point solutions, they are realizing that they're not really the best answer. The problem with these solutions is primarily around cost—the cost of acquiring them, which tends to be at the higher end, and the cost of integrating them with the existing systems, and then ultimately the challenges associated with not having end-to-end visibility across those point solutions.

One of our strategies is to provide unification across identity and security management, so that through a single console an IT pro can both manage the implementation of identity and access management, and also security management, and at the same time provide the end-to-end visibility that is needed to ensure the company is in compliance.

The second key aspect is delivering end-to-end access and end-to-end protection. This is kind of the yin and the yang of identity and security. At its core, security is all about keeping the bad guys out, and identity is all about letting the good guys in. That's why I call it the yin and the yang or two sides of the same coin. Our strategy here is to deliver a set of solutions that provide that end-to-end access and protection, and what we mean by end to end is that it’s a multi-layered approach from the network to the applications to the data, and ultimately providing both that protection and that identity-access layer in the stack, so to speak.

The first strategy is about extending the platform. We feel the best way to provide secure access to companies, and good end-to-end or secure end-to-end protection, is to be able to build these technologies into the core infrastructure, into the platform, that these companies are implementing. And to be able to extend that and make those capabilities available to the applications that ride on them, but also to foster the development of a broad ecosystem of partners who are taking advantage of these platform capabilities and delivering applications themselves that are inherently identity-aware and are more secure.

Jeff James: How does this product strategy work with things like OpenID, your own Stirling product, CardSpace, and other products?

Doug Leland: Interoperability and integration is a core piece of the strategy, and particularly when you think about an identity infrastructure, where identities need to be able to operate across a wide range of resources—will those resources be within your organization? It might be an application, website, or internal portal, but you might also have an employee or identity that needs access to resources outside your application, for collaborating with an organization or taking advantage of software delivered as a service (which, of course, Microsoft is now doing with our Business Productivity Online Services), where identity is critical to providing that foundation for authentication and access, secure authentication, and secure access of those services.

So interoperability becomes fundamental, and we've been working with the industry around a set of frameworks and a set of standards, and we've been working with other companies who are establishing those standards. OpenID is an example of a standard that we are working with, and it doesn't stop there. When you look at the platform capabilities that we're building around Active Directory, which supports LDAP, we're actively building in and supporting the core standards which allow for a high level of interoperability at the identity and security level.

Jeff James: Could you talk about Microsoft’s relationship with RSA, working together to develop a modular approach to protecting information, and what you're doing with RSA?

Doug Leland: One of the key dialogues or challenges that customers are facing right now is protecting the information assets that they have as an organization, whether that be HBI—high business impact—data or PII—privacy information that we hold about many of our employees and/or the customers and businesses that we deal with. And as we've seen with the rising publicity around data breaches over the last couple of months and even years, this problem is only growing and it's being exacerbated by the downsizing that's taking place. Now you have the rise of a disgruntled employee who has easy access to the crown jewels of the organization, which is the information.

Given this backdrop, we saw the opportunity to again converge a set of needs around securing information, which has been approached via a market approach which is called data leakage protection. And converge that approach with the enterprise ID management approach, which is all about providing identity-based access information, enabling customers to access information but access it securely and have those access privileges be part of the information itself. So we reached across the aisle to one of our key partners, EMC or RSA (the security division of EMC), to partner at a technology level and a sales and marketing perspective to deliver a unified solution across the classic DLP and the enterprise rights management space, to build a more comprehensive solution that addresses these broader-range needs for securing the information and providing access to the information.

Jeff James: We've heard from readers concerned not only about security and identity in the cloud but also between the cloud and their own on-premises environments. How do you address IT pros’ concerns?

Doug Leland: We’re hearing the same thing from customers, in terms of their desire to take advantage of the cost benefits and economics of being able to operate in a Software+Services environment where they have a choice of running workloads either on-premises, or in the cloud, or some combination of both. And we believe from the company perspective that it's an “and” versus “or.” In other words, we will deliver solutions for use on-premises, but also in the cloud, and those need to be able to easily migrate back and forth, and also to interoperate, meaning customers will live in a hybrid world of some workloads living on-premises and some workloads living in the cloud. Our strategy is to provide protection for those workloads, whether they live on-premises or in the cloud.

A couple of examples: Today, when a customer purchases the Business Productivity Online Suite from Microsoft, it comes protected by Forefront. So, specifically when a customer buys SharePoint Online or Exchange Online, those come already protected with their companion Forefront products, Forefront Security for Exchange or Forefront Security for SharePoint. That is a model we will continue to follow, and we will also build out what you may think of as standalone offerings for cloud-based protection of either non-BPOS workloads or protection of on-premises solutions. A key example already available today is Exchange Hosted Filtering, which provides spam filtering for on-premises Exchange mailboxes.

Jeff James: We’ve heard from readers that using AD is like going to the dentist—you know it's good for you and you know you need to do it, but it can be painful, from an ease-of-use perspective. How do your new products address those concerns, and how will they work with the new AD features in Windows Server 2008 R2?

Doug Leland: As you mentioned, Active Directory is the core, the heart and soul of any good identity infrastructure. Management of that system is key, and it's also consistent with what we're hearing from a customer needs perspective of helping reduce the cost of these systems. So that is an area we focused on for our 2008 release and are continuing to focus on for our upcoming release of Windows Server 2008 R2.

In terms of overall manageability, there are a number of significant advancements that have taken place, and one of them is the adoption of PowerShell. We are using PowerShell for all of our management interfaces, and that has dramatically increased the usability from an IT pro or administrative perspective. We’ve also moved to a task-based paradigm. And within that paradigm, we can more easily identify and walk an admin through a particular task or a set of tasks if that's the way the interface is built up. So, I think customers and administrators will see a huge benefit in terms of the overall manageability of the system.

In addition we offer other products for managing identities and managing the life cycles of those identities and those resources in the organization. One of those is Identity Lifecycle Manager, and that is a tool that is designed to help organizations manage identities (users), manage groups, manage policies associated with those groups, and ultimately help them report on that and meet their compliance needs. ILM 2007 is available for purchase today, and the next major release of that product, Identity Lifecycle Manager version 2, is currently in the release candidate (RC) phase.

Jeff James: Any estimate on when the final release of that might be?

Doug Leland: Well, the testing is going well—we released that RC back in November—and we're getting a lot of great feedback from customers. We have a policy that you're probably familiar with, which is called dogfooding, and that is, we won't release our enterprise products until we are running them in our own production environments, so we're working closely with MS IT in deploying that out, scaling that out, right now actually, and we're moving towards the final release in a couple of months.