Monday, April 26

TEC 2010: Active Directory Family

The day one keynote speech this morning was presented by Microsoft's Conrad Bayer. One of the key take-aways from this morning's keynote for me was a consistent theme throughout the talk: Microsoft's Identity & Access solutions are now all part of the same product group. The Identity & Access group's solutions include Active Directory, ADFS federation, RMS rights management, FIM life cycle identity management, PKI/Certificates, identity synchronization, etc.

Bayer also talked about the future of these solutions and briefly discussed that ADFS could evolve to become an authorization server. Specifically, he talked about attributes and claims being the core components of authorization. The idea would be that ADFS could sit in between local and remote directory environments and provide answers to standards-based requests about claims. Bayer was asked later about the challenges around the idea that, for AD, groups are equivalent to roles, but other systems' roles require more than just group memberships. His answer pointed back to attributes and claims as being the way to meet those business requirements and seemed to say that applications would be where you would manage roles. The application would define and manage roles while leveraging the AD infrastructure to answer access-related questions via claims. He didn't say it (or even suggest it), but I wonder if this is a move toward a completely different paradigm than one based on roles. Perhaps roles will never be the right answer since what we've all seen is that in reality, people don't fit nicely into a pre-defined set of business roles.
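To make the group-versus-claims distinction concrete, here is an added example (not from the keynote or from any Microsoft product) that contrasts a "group equals role" mapping with application-defined roles evaluated as rules over claims. The claim names, group names and principals are constructed assumptions, not real ADFS claim types.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List

# Constructed sample claims set, standing in for what an ADFS-style token
# service would assert about a user. The claim names are assumptions,
# not actual ADFS claim types.
@dataclass(frozen=True)
class Claims:
    groups: FrozenSet[str]   # AD group memberships, surfaced as claims
    department: str          # directory attribute surfaced as a claim
    employee_type: str       # e.g. "FTE" or "Contractor"
    clearance: int           # an application-relevant attribute

# Old model: a role is just a group. Every member of the group gets every role.
GROUP_ROLE_MAP: Dict[str, List[str]] = {"Finance-Users": ["reader", "approver"]}

def roles_from_groups(claims: Claims) -> List[str]:
    found = {r for g in claims.groups for r in GROUP_ROLE_MAP.get(g, [])}
    return sorted(found)

# Claims model: the application defines and manages its roles as rules over
# claims. Group membership is one input; other attributes can be required too.
RoleRule = Callable[[Claims], bool]
APP_ROLES: Dict[str, RoleRule] = {
    "reader": lambda c: "Finance-Users" in c.groups,
    "approver": lambda c: ("Finance-Users" in c.groups
                           and c.employee_type == "FTE"
                           and c.clearance >= 2),
    "auditor": lambda c: c.department == "Audit" and c.employee_type == "FTE",
}

def roles_from_claims(claims: Claims) -> List[str]:
    return sorted(name for name, rule in APP_ROLES.items() if rule(claims))

def is_authorized(claims: Claims, required_role: str) -> bool:
    return required_role in roles_from_claims(claims)

# Constructed principals: Bob is in the same AD group as Alice but is a
# contractor, so the group-only model over-grants him the approver role.
ALICE = Claims(frozenset({"Finance-Users"}), "Finance", "FTE", 2)
BOB = Claims(frozenset({"Finance-Users"}), "Finance", "Contractor", 1)
CAROL = Claims(frozenset(), "Audit", "FTE", 3)

if __name__ == "__main__":
    for name, who in [("alice", ALICE), ("bob", BOB), ("carol", CAROL)]:
        print(name, roles_from_groups(who), roles_from_claims(who))
```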


Another thing that caught my ear was Bayer's point that smart cards and certificates are becoming more important as environments move to distributed and cloud-based solutions. Could it finally be the year of PKI? BTW - I see 'the year of PKI' as a modern-day proverb about something that is perpetually about to happen but never really does. Having said that, I'm a fan of PKI as a technology and can see that his point has some validity. The fact that a particular solution is in the cloud is not necessarily the problem. The bigger problem is that there are a variety of apps moving into the cloud, each with different security models and underlying security mechanisms. PKI technology might help us figure out how to provide a manageable solution for that complexity.

At the end of the day, I think Microsoft made the right move by bringing these technologies together, but it sounds like it'll be a while before we see a truly unified, native/out-of-the-box set of identity features such as point-and-click federation, PKI, or rights management.

