Identity and security developments at Microsoft

In amongst all the exciting new product announcements for new Windows releases and cloud computing platforms it’s all too easy to miss out on some of the core infrastructure enhancements that Microsoft is making. Last week I got the chance to catch up with Joel Sider from Microsoft’s Identity and Security group – a new organisation at Microsoft formed to address the issues of identity and security (which are really two sides of the same coin) and which, until recently have been treated as individual point solutions.

Joel explained to me that, with a single business group and a single engineering group, Microsoft is able to focus on the complete product stack, from System Center and Identity Lifecycle Manager (ILM – formerly MIIS), through Forefront security to the Windows platform, including Active Directory, Rights Management Services (RMS) and Network Access Protection (NAP).

Two of the products under the umbrella of the identity and security group have been in the news recently:

  • A release candidate of Identity Lifecycle Manager “2” is available now. Due for final release in the first half of 2009, ILM “2” provides self-service for employees, enhanced administration and automation for IT professionals, and extensibility for developers. In developing this product, Microsoft’s focus was in allowing IT departments to set policies for access, empowering end users and knowledge workers to perform actions and tasks (e.g. reset passwords, manage group membership, etc.). Until the release of this product, such actions would have required the use of third party products (e.g. Quest Active Roles Server and unlike MIIS, which was powerful but had a limited user interface, the focus with ILM is on providing an intuitive management interface and self service capabilities whilst still allowing extensibility (e.g. for audit and compliance purposes). ILM uses a concept of sets to group objects (e.g. “All people”) and then a workflow (authentication, authorisation, or action) may be applied to complete a number of steps (e.g. in a password reset scenario to answer a number of security questions; or approving membership of a group and sending out a notification in a group membership scenario).
  • Intelligent Application Gateway (IAG) service pack 2 is also due for release shortly. Originally available only in hardware appliance form, the former Whale Communications product can now be run as a Hyper-V virtual machine to reduce costs and increase flexibility in the infrastructure. In addition, IAG supports access from non-Microsoft browsers (e.g. Firefox) and platforms (i.e. users running Linux and Mac OS X) and has additional optimisers for recently released applications. (For those who are unaware of IAG’s capabilities, it provides granular access to specific applications via an SSL VPN with support for almost any application but optimisations for those which it has an awareness of – that’s the “intelligent” part of IAG).

Other significant developments taking place within the identity and security group include: the Windows Azure .NET Identity Framework (codenamed Geneva) which provides a Microsoft.NET identity access control service; Windows Cardspace; and the Forefront integrated security product (codenamed Stirling) which will combine the various disparate Forefront components.

From my perspective, I’m really encouraged to see Microsoft working to provide a more focused approach. As I’ve written before, many of Microsoft’s identity and security products are the result of acquisitions and, whilst it’s important not to lose the features and functionality that made these products successful in the first place, they also need to be tightly integrated to avoid the inevitable confusion caused by feature overlap and conflicting goals. It seems to me that Microsoft is working towards providing a sensible and logical identity and security portfolio for customers and partners.

Forefront Security overview

A few weeks back, I spent some time learning about the Microsoft Forefront security products.  I’ve written before about Forefront Client Security and intend to write some more posts that go into some detail on the other Forefront products, but I thought I’d start by taking a look at the suite as a whole.

The Forefront suite of applications currently includes a number of products:

Looking first at the client, Forefront Client Security provides virus and spyware protection in a single product for client and server operating systems with updates received using Microsoft Update.  That all sounds OK but, for some critics, the natural question to ask is "what does Microsoft know about client security?".  Well, it seems that they know quite a lot:

  1. First, Microsoft purchased GeCAD Software – a respected Romanian anti-virus vendor.
  2. Next, Microsoft purchased GIANT Software – a respected anti-malware provider.
  3. The Microsoft Malicious Software Removal Tool provides more than just the ability to remove malware from PCs as he reporting information helps indicate how widespread a particular issue is.
  4. Microsoft also purchased FrontBridge Technologies, whose scanning technology protects many organisations from viruses and spam.
  5. Another Windows Live service that provides Microsoft with reconnaissance information is the Windows Live OneCare Safety Scanner (indeed the entire OneCare product range – although these consumer products have little in common with Forefront Client Security).
  6. Oh yes, and the fact that they run one of the world’s largest free e-mail services won’t hurt their ability to gather diagnostic information.

So that’s the client – what about the server products?  Based on the former Antigen products gained with Microsoft’s acquisition of Sybari Software there are currently two products carrying the Forefront brand name – plus Microsoft Antigen for Instant Messaging (to be replaced with an OCS-compatible product under the Forefront banner).  Making use of multiple anti-virus engines, the Forefront Server Security products provide realtime and manual scanning for messaging and collaboration products.

Finally, at the edge, ISA Server has been with us since 2000 (we had Proxy Server before then) and has become a well-respected application-level firewall and proxy server that is available in both software-only and appliance formats.  Intelligent Application Gateway (IAG) is a newer product, built around ISA Server by another company that Microsoft recently acquired – Whale Communications.  IAG provides SSL VPN capabilities, combined with a detailed understanding of how applications work (positive logic) in order to ensure that only valid traffic is allowed to cross the network boundary.  Whilst IAG is currently only available in appliance format, with Microsoft being a software company I can’t help feeling that a version of IAG will be released in software form at some point in the future.

Unfortunately, this mix of products from different backgrounds means that Forefront doesn’t feel as tightly integrated as some other product suites (e.g. Microsoft Office) but that is changing as the components are updated.  In addition, Microsoft has announced a product (codenamed Stirling) which they are touting as:

"[…] a single product that delivers unified security management and reporting with comprehensive, coordinated protection across clients, server applications, and the network edge. Through its deep integration with the existing infrastructure, such as Microsoft Active Directory and Microsoft System Center, customers can reduce complexity, making it easier to achieve a more secure and well-managed infrastructure."

For anyone looking at purchasing Forefront products, Software Assurance (SA) might not be a bad choice as there are new versions of IAG planned based on the forthcoming ISA Server codename Nitrogen and ISA Server codename Oxygen products (don’t quote me on this as information is a little sketchy on these!) and further updates planned across the Forefront suite.

IT security is no longer an afterthought and has become an integral part of any organisation’s IT infrastructure. I’m impressed by the range of options that Microsoft can provide in the Forefront suite and, if they can convince critics that they have a credible range of products (they are currently suffering from "the Škoda badge problem"), then over time I expect to see Microsoft take a dominant position in Windows Server security.