April 23, 2009 12:00 AM

Identity and Security: Microsoft’s Next Generation

Protecting workloads on premises and in the cloud
Windows IT Pro
InstantDoc ID #101758

Executive Summary:

Microsoft’s new Identity and Security Business Group head, Doug Leland, provides an update on Microsoft’s identity and security strategy and how it will affect IT pros. Interoperability and compliance are key needs the company is addressing with its identity and access solutions. Leland also discusses how Microsoft is approaching the security of workloads, both on-premises and in the cloud.


Identity, access, and security have always been top-of-mind topics for IT pros, but recent developments in hosted services, cloud computing, and Software as a Service (SaaS) have created challenges: How do you ensure the integrity of identity information in the cloud? How can you be sure that the right people are getting access to your vital corporate information in both on- and off-premises services?

Microsoft saw the writing on the wall in these areas and merged its Access and Security division with its Identity and Access division late last year, creating the Identity and Security Business Group. This merging of identity and security could mean Microsoft products and technologies such as Active Directory (AD), Windows Rights Management (WRM) Server, Active Directory Federation Services (ADFS), Microsoft Forefront, and Identity Lifecycle Manager (ILM) all might work more closely together in the future, making it easier for IT pros to deploy and manage their access and security infrastructures. To see what Microsoft has planned in this area, we recently spoke with Doug Leland, General Manager for the Identity and Security Business Group.

Jeff James: What are your overall goals for the Identity and Security Business Group?

Doug Leland: Our overall goals are to provide identity and security solutions for the broadest range of customers out there, from some consumers all the way up to the largest enterprises, and provide a range of customer solutions from being able to protect their endpoints—endpoint security—to being able to protect their strategic workloads—for example, messaging and collaboration. At the same time we want to be able to provide unprecedented access to information, applications, and networks, all supported through a unified management experience across both identity and security.

Jeff James: What are some of the reasons why you think it’s important to combine security and identity?

Doug Leland: I think the key drivers for us in bringing identity and security together are anchored in our customers' needs, and of course in the needs of our partners, who are ultimately providing those services to our customers. One of the things we've observed in talking to our customers and our partners is that the business needs around identity and security have been converging for years. We saw this convergence of business requirements, and that dictated a need for us as a company to be able to solve these problems together.

Jeff James: Based on your market research and feedback from customers, what are the top things IT pros are looking for help with in the security and identity areas?

Doug Leland: Compliance is certainly one of the key needs, and that's an area where we believe the identity and access solutions we provide help enormously. The second area is around business agility, which we think of as helping customers realize the benefits of business models or new ways of conducting business. The third area is around being able to do all this, to ensure compliance and ensure agility but to do it at the right cost, with effective cost benefit. Those are the key needs that we hear reflected again and again from our customer base.

Jeff James: Could you talk about Microsoft's current identity and security products and where you're heading in the future?

Doug Leland: In the identity and security space, there are a range of point solutions that are available in the marketplace. And more and more as customers are investing in these point solutions, they are realizing that they're not really the best answer. The problem with these solutions is primarily around cost—the cost of acquiring them, which tends to be at the higher end, and the cost of integrating them with the existing systems, and then ultimately the challenges associated with not having end-to-end visibility across those point solutions.

One of our strategies is to provide unification across identity and security management, so that through a single console an IT pro can both manage the implementation of identity and access management, and also security management, and at the same time provide the end-to-end visibility that is needed to ensure the company is in compliance.

The second key aspect is delivering end-to-end access and end-to-end protection. This is kind of the yin and the yang of identity and security. At its core, security is all about keeping the bad guys out, and identity is all about letting the good guys in. That's why I call it the yin and the yang or two sides of the same coin. Our strategy here is to deliver a set of solutions that provide that end-to-end access and protection, and what we mean by end to end is that it’s a multi-layered approach from the network to the applications to the data, and ultimately providing both that protection and that identity-access layer in the stack, so to speak.

The first strategy is about extending the platform. We feel the best way to provide secure access to companies, and good end-to-end or secure end-to-end protection, is to be able to build these technologies into the core infrastructure, into the platform, that these companies are implementing. And to be able to extend that and make those capabilities available to the applications that ride on them, but also to foster the development of a broad ecosystem of partners who are taking advantage of these platform capabilities and delivering applications themselves that are inherently identity-aware and are more secure.

Jeff James: How does this product strategy work with things like OpenID, your own Sterling product, Cardspace, and other products?

Doug Leland: Interoperability and integration is a core piece of the strategy, and particularly when you think about an identity infrastructure, where identities need to be able to operate across a wide range of resources—will those resources be within your organization? It might be an application, website, or internal portal, but you might also have an employee or identity that needs access to resources outside your application, for collaborating with an organization or taking advantage of software delivered as a service (which, of course, Microsoft is now doing with our Business Productivity Online Services), where identity is critical to providing that foundation for authentication and access, secure authentication, and secure access of those services.

So interoperability becomes fundamental, and we've been working with the industry around a set of frameworks and a set of standards, and we've been working with other companies who are establishing those standards. OpenID is an example of a standard that we are working with, and it doesn't stop there. When you look at the platform capabilities that we're building around Active Directory, which supports LDAP, we're actively building in and supporting the core standards which allow for a high level of interoperability at the identity and security level.


Windows is a trademark of the Microsoft group of companies. Windows IT Pro is used by Penton Media Inc. under license from owner.