Identity and Access Management in Enterprise 2.0

Microsoft's new identity and access management offering can help enterprises achieve agile aims.

ORLANDO, Fla.-This is the story of how the most banal function in the enterprise can go from impeding changes critical to a company's survival to providing the most critical support for changes sweeping across the competitive landscape.

Microsoft's second take at identity and access management-what it calls Identity Lifecycle Manager 2-is intended to help support customers as they adapt to major changes sweeping the enterprise space: virtualization, mobility and Webification.

Microsoft is no stranger to identity and access management, but the company seems to have rethought key elements of its current ILM product by putting users at the center of the application suite.

With Version 2 of ILM, Microsoft is giving IT professionals the freedom to focus on more value-added activities while giving organizations the benefits of a work force that can use the applications it needs where and when it needs them, and the freedom to interact seamlessly with partners and other organizations outside the traditional firewall.

The main innovation of ILM 2 is to allow end users to manage their own identity provisioning, credentials and even groups to which they belong, using an Office 2007-based user interface.

Speaking at a panel discussion at Microsoft's TechEd conference here, Doug Leland, general manager of the identity and access business group at Microsoft, noted that IT and help desk workers spend a disproportionate amount of their time dealing with end-user ID issues, while there has been a dearth of tools allowing information workers to manage their identities themselves.

Leland quoted surveys showing that a quarter of all help desk calls are ID- and password-related. ILM 2 "puts the user in control of IDs and access privileges" through an Office 2007 interface, he said. (According to Leland, customers get the same functionalities if they're still using Windows XP and Office 2003, although ILM has been optimized for Office 2007.)

While it may seem as if giving users power over permissions increases security risks, Leland, in a Q&A on the Microsoft PressPass Web site, said it actually improves security.

"In addition to empowering the individuals who are drafting the policies and processes to actually put them into practice, we also provide rich administrative tools and enhanced automation for IT professionals, including a central management and enforcement capability, so end users can't circumvent established enterprise security policies. Also, customers have told us that when you have IT folks trying to implement business policies that they may not fully understand-as is the norm today-that can create security and compliance risks. What ILM '2' does is really change the game as far as identity management goes."

The new version of ILM takes a holistic view of users, making it easier for them to port their identities to mobile devices.

Companies are also looking for ways to get more efficient by allowing partners, consultants and other third parties access to their networks. But this agility needs to be secured as well.

"We need to provide access, but in a secure manner," Leland said.

Gartner describes the identity management issue as "the confusion, frustration and lost productivity organizations must deal with as they struggle to manage legitimate access for their employees, partners and customers to the electronic systems they genuinely need."

And the advent of cloud-based computing has created new challenges for security-minded enterprises. "In order to run those, you need to be able to authorize and authenticate identity. We are building that capability into our software plus services offering. I view this as being a key enabler for software as a service," Leland said.

Leland said ILM 2 also supports identity and access management across both physical and virtual environments. The application can be extended across form factors and operating system environments by Microsoft partners.

For instance, Omada Solutions provides role-based access control and compliance, Gemalto is in the two-factor authentication space and Quest Software extends Active Directory and Active Directory federation to non-Windows environments.

Leland said Microsoft is also unique "in that we view ID management and credential management as two sides of the same coin. In most other cases, those are viewed as two separate issues," he said.

Other enhancements to the 2007 version of ILM include:

- policy management, allowing managers to create ID and access rights based on business policies by leaning on an existing Active Directory infrastructure and Windows Workflow Foundation;

- credential management, giving managers access to a full range of credentials in a single environment; and

- group management, allowing managers to create and manage groups.

One Achilles heel to Microsoft's approach, however, is that it relies on Active Directory and the notion of roles-an approach that may well become irrelevant as Enterprise 2.0 evolves from the Information Age into the Virtualization Age, in which knowledge workers take on several and overlapping roles.