In this issue, I'll finish up our look at the top 10 security issues for 2005 according to Unisys Chief Security Advisor Sunil Misra and his colleague Patrick O'Kane, chief architect of Unisys Identity and Access Management Practice. The full list can be found in the Dec. 1 newsletter (see link below). Today we'll go over predictions No. 8, 9 and 10.
These last three predict actions on the part of enterprises (rather than potential security breaches) and, not surprisingly, all relate to identity management. They're relevant to this discussion, as each "prediction" could very well have been made by Microsoft's own security or networking divisions. The last three predictions are:
8. Adoption of federated architectures for identity and access management will accelerate.
9. Enterprises will revisit role-based access control for identity and access management.
10. Virtual directory technology will increasingly become a strategic component of identity integration projects.
Microsoft and IBM created a federation architecture (WS-Federation) as part of their effort to standardize Web services architecture and protocols. Lately, many have predicted that the WS- initiatives will merge or meld with the Liberty Alliance initiative (fostered by Sun) to allow for a single federated identity architecture. This would drastically speed up adoption of this technology.
Role-based access control (RBAC) has never really disappeared and has, indeed, been coming on strong for the past couple of years. Windows Server 2003, through Authorization Manager, allows for a rich RBAC implementation. (For a detailed look, see "Role-Based Access Control Using Windows Server 2003 Authorization Manager," http://msdn.microsoft.com/library/en-us/dnnetserv/html/AzManRoles.asp.) If you're unsure about what a "role" is, there's a good explanation in one of last year's Identity Management newsletters (http://www.nwfusion.com/newsletters/dir/2003/0818id1.html), which should help.
Finally, Unisys believes that virtual directory technology will begin to take off. Now Microsoft's Identity Information Server (MIIS) is what's termed a "meta-directory" - a directory that combines data from multiple places into one database. A "virtual" directory, on the other hand, doesn't store the data, but simply points to it. ADAM, Active Directory/Application Mode, is a good candidate for "virtualizing" all of your identity information. By using a number of instances of ADAM (one for each identity center) and linking them to your enterprise Active Directory installation, you've built a "virtual" directory. Information can be read from AD, but it's only written to the authoritative ADAM for that data. See http://www.nwfusion.com/newsletters/dir/2003/1117id2.html for more on the virtual benefits of ADAM.