Microsoft touts trust-based ID

Microsoft says the perimeter defense surrounding networks today can be replaced with a distributed security model

By John Fontana, Network World
April 26, 2007 06:11 PM ET
LAS VEGAS – Microsoft last week laid out a future role for Active Directory in which the user identity data it holds will be used to grant access to applications and to secure collaboration between users and partners across internal and external networks.

Microsoft says the perimeter defense surrounding networks today can be replaced with a distributed security model that relies on sets of statements about a user, called claims, to secure such tasks as verifying identity, validating payment or access, or personalizing services.

Users say this decentralized model has the ability not only to tighten security but to cut the cost of securing network resources. Those gains, however, will come with requirements for creating contractual and technological trust relationships among companies and among claim providers, and for managing the risk inherent in those relationships.

“As the perimeter goes away, the number of things you have to trust increases,” says Gil Kirkpatrick, CTO of NetPro, which develops Active Directory management tools. “Organizations will need to have policies for establishing trust with providers.”

Trust in the claims-based model has three components: the relying party, typically an application, which requests the claim in order to decide what it can do for the user; the identity provider, which issues the claim; and the user, who decides what information, if any, he wants to release to the application.

Microsoft is gearing up to build the infrastructure to support the model, the company says.


Directory provider v. Identity provider

“We are moving from being a directory provider to an identity provider,” says Stuart Kwan, director of program management for identity and access at Microsoft. He said the directory will take on a key role in Microsoft’s Identity Metasystem, a model for distributed identity architecture.

Coupled with an emerging component called a security token service (STS), a gateway that issues tokens carrying claims, Microsoft envisions an architecture that pushes claims out to applications that know how to interpret and act upon them.

Active Directory would become just one of many STS gateways in the distributed model.

Today, applications typically pull user access data from the directory to determine access rights to network services.

The push model not only provides information that is usable in many different places; it also affords network efficiencies, makes identity data more accessible to application developers, puts less load on the directory, provides more flexibility in defining users and their rights, and allows identity to be federated with parties outside the corporate network.
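The three-party trust model described above (relying party, identity provider, user) and the push of claims through an STS can be made concrete with a small simulation. The code below is an added example written for this page; it is not Microsoft's code and not any shipping STS. The issuer URI, the signing key, the directory record and the partner application are all constructed for the example, and HMAC-SHA256 over a canonical JSON payload stands in for the signed token formats a real STS would issue, since the point here is the flow, not the token format. The user's consent set models the user deciding what information to release; the relying party's trusted-issuer table models the trust policy Kirkpatrick says organizations will need; and the audience, validity window and signature checks show what the relying party must verify before it acts on any claim it receives rather than pulls from a directory.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed example values: one identity provider (the STS) and the key a
# relying party uses to verify its tokens. A production STS would sign with
# an asymmetric key (e.g. an X.509 certificate); HMAC is a stand-in here.
STS_ISSUER = "https://sts.corp.example"
STS_KEY = b"constructed-signing-key-not-for-production"
PARTNER_APP = "https://app.partner.example"


def _canonical(payload: dict) -> bytes:
    # Deterministic serialization so issuer and verifier sign the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, payload: dict) -> str:
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


@dataclass
class Token:
    payload: dict
    signature: str


def issue_token(issuer, key, subject, directory_record, requested, consented,
                audience, now, ttl=300):
    """Identity provider (STS): push a signed set of claims to a relying party.

    Only claims the relying party requested AND the user consented to release
    are copied out of the directory record; everything else stays behind."""
    released = {name: directory_record[name]
                for name in requested
                if name in consented and name in directory_record}
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "claims": released}
    return Token(payload, _sign(key, payload))


def verify_token(token, audience, trusted_issuers, now):
    """Relying party: apply its trust policy, then integrity and validity checks.

    trusted_issuers maps issuer URI -> verification key. Returns the claims on
    success and None on any failure: untrusted issuer, token meant for another
    application, outside the validity window, or bad signature."""
    p = token.payload
    key = trusted_issuers.get(p.get("iss"))
    if key is None:
        return None                      # issuer not in this app's trust policy
    if p.get("aud") != audience:
        return None                      # token issued for a different relying party
    if not (p.get("iat", 0) <= now < p.get("exp", 0)):
        return None                      # replayed after expiry or not yet valid
    if not hmac.compare_digest(_sign(key, p), token.signature):
        return None                      # payload altered after issuance
    return p["claims"]


def authorize(claims, required):
    """Relying party decision: every required claim must be present and match."""
    if claims is None:
        return False
    return all(claims.get(name) == value for name, value in required.items())


if __name__ == "__main__":
    record = {"email": "alice@corp.example", "department": "purchasing",
              "clearance": "secret"}          # constructed directory record
    token = issue_token(STS_ISSUER, STS_KEY, "alice", record,
                        requested=["department", "clearance"],
                        consented={"department"}, audience=PARTNER_APP,
                        now=1_000_000)
    claims = verify_token(token, PARTNER_APP, {STS_ISSUER: STS_KEY}, now=1_000_010)
    print("released claims:", claims)
    print("may use purchasing app:", authorize(claims, {"department": "purchasing"}))
```

The relying party never contacts the directory: everything it learns about the user arrives in the token, and it acts on it only after its own policy checks pass. Note that the clearance claim the application asked for is absent from the token because the user did not consent to release it, so an authorization rule that depends on it fails closed.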

“You need extroverted systems, not introverted,” says Kim Cameron, Microsoft’s identity architect, who says the distributed model will replace today’s more rigid systems that are based on a single point of truth, typically a directory of user information.

He says identity systems that are rigid and cannot connect to other systems will become irrelevant and a competitive disadvantage.
