Microsoft launches new tools for its "U-Prove" I.D. project

Microsoft executive explains that U-Prove balances privacy with homeland security needs.

This story has been updated to clarify where U-Prove technology is likely to be deployed.

There's been an ongoing debate over the last decade about how best to balance privacy versus security in the context of homeland security. Can the government tap our phones or e-mail accounts in order to thwart a possible terrorist plot? Do we have to open our bags to TSA screeners before we can get on a plane in order to prevent a hijacking? The privacy versus security debate also applies to how we use computers and came up this week during the RSA Conference 2010 in San Francisco.

Among the announcements Microsoft made at RSA was the release of an SDK for its U-Prove identity management technology. I interviewed Doug Leland, general manager of the Identity and Security Business Group, and Lee Nackman, corporate VP for the Identity and Security Division at Microsoft, about balancing privacy and security for enterprises and their employees, and about other identity management security issues.

U-Prove uses cryptographic techniques so that an employee can provide exactly the information needed to gain access to, say, a software application, and reveal nothing more. It's analogous to a bar patron who's asked by a bartender to produce his driver's license to prove that he's of legal drinking age. The customer only has to prove he's at least 21, but the license also reveals his name, address, height, weight, eye color and other information that the bartender doesn't need to decide to pour him a tall cold one.

A U-Prove token does the digital equivalent: the holder discloses only the attribute the verifier asks for, in this case age, and none of the other attributes the issuer certified.
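The bartender example as a worked selective-disclosure flow, added here for illustration; this is not Microsoft's U-Prove code or its protocol. Real U-Prove tokens use Brands' blind-signature construction over algebraic commitments, which also makes presentations unlinkable to issuance; the toy below keeps only the minimal-disclosure idea, using salted SHA-256 commitments per attribute and an HMAC (with a shared issuer key, an assumption made to stay standard-library only) in place of the issuer's public-key signature. The license attributes and key are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key. HMAC stands in for the issuer's signature, so in this
# toy the verifier must hold the same secret as the issuer (not true of U-Prove).
ISSUER_KEY = os.urandom(32)


def commit(name, value, salt):
    """Hiding, binding commitment to one attribute: SHA-256(name, value, salt)."""
    data = json.dumps([name, str(value)]).encode() + b"|" + salt
    return hashlib.sha256(data).hexdigest()


def canonical(commitments):
    """Deterministic encoding of the commitment set that the issuer signs."""
    return json.dumps(commitments, sort_keys=True).encode()


def issue_credential(attrs, issuer_key):
    """Issuer: commit to every attribute, then sign the set of commitments.

    The holder keeps attrs and salts private; the signature binds the issuer
    to all attributes without the signed object revealing any of them.
    """
    salts = {k: os.urandom(16) for k in attrs}
    commitments = {k: commit(k, v, salts[k]) for k, v in attrs.items()}
    sig = hmac.new(issuer_key, canonical(commitments), hashlib.sha256).hexdigest()
    return {"commitments": commitments, "sig": sig, "attrs": attrs, "salts": salts}


def present(credential, disclose):
    """Holder: build a presentation that opens only the requested attributes."""
    return {
        "commitments": credential["commitments"],
        "sig": credential["sig"],
        "disclosed": {
            k: {"value": credential["attrs"][k], "salt": credential["salts"][k].hex()}
            for k in disclose
        },
    }


def verify_presentation(presentation, issuer_key):
    """Verifier: check the issuer's signature, then each disclosed opening."""
    expected = hmac.new(
        issuer_key, canonical(presentation["commitments"]), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, presentation["sig"]):
        return False  # commitment set was not certified by this issuer
    for name, opening in presentation["disclosed"].items():
        recomputed = commit(name, opening["value"], bytes.fromhex(opening["salt"]))
        if not hmac.compare_digest(recomputed, presentation["commitments"].get(name, "")):
            return False  # disclosed value does not match the certified commitment
    return True


def bartender_check(presentation, issuer_key, minimum_age=21):
    """The bartender's policy: a valid token whose disclosed age is at least 21."""
    if not verify_presentation(presentation, issuer_key):
        return False
    age = presentation["disclosed"].get("age")
    return age is not None and int(age["value"]) >= minimum_age


if __name__ == "__main__":
    # Constructed sample "driver's license"; only age reaches the bartender.
    license_attrs = {"name": "A. Patron", "address": "1 Main St", "height_cm": 180, "age": 34}
    cred = issue_credential(license_attrs, ISSUER_KEY)
    token = present(cred, ["age"])
    print("disclosed fields:", list(token["disclosed"]))
    print("served:", bartender_check(token, ISSUER_KEY))
```

The verifier sees the commitment set, the issuer's tag and one opening, so name and address never leave the holder; changing the disclosed age breaks the commitment check, and changing a commitment breaks the signature. What this toy does not give you is unlinkability (the commitment set is a stable identifier across presentations) or a range proof (the exact age is revealed rather than just "21 or over"), both of which the real scheme addresses.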

"If you are concerned about privacy in general, you want to be able to show that you're entitled to something without giving away any information," said Nackman. Microsoft released the SDK for writing U-Prove applications in C# or Java along with documentation available under an Open Specifications Promise from Microsoft and "very generous and broad licensing arrangements," Nackman added.

U-Prove technology is expected to find a market on the public Web, such as at e-commerce or e-government Web sites, rather than in enterprises at large, a Microsoft spokesman later explained.

Also announced at RSA was Microsoft's release to manufacturing of Forefront Identity Manager 2010, the latest version of its identity management software to handle identity-based access by employees to certain parts of an IT network.

"It enables customers to be able to provision users and groups with their credentials, whether it be passwords or in the case of strong authentication, smart cards or biometric identification to set their credentials and their entitlements," said Leland.

And it does it more quickly and simply than the access management technology of old, he added. First American Title, a title insurance company with about 13,000 employees, had been burdened by a manual process for getting a new employee access to the company's computer network, during which time I presume the new hire twiddled his thumbs and hung out in the break room a lot because what can you do at work these days without a computer?

"Now they have fully implemented Forefront and what used to take days now takes seconds or minutes," he said. "It's saved them significant amounts of time on their help desk," added Nackman.

Identity and access management issues also extend beyond the on-premises network to the emerging cloud computing environment. Nackman said customers aren't likely to shut down their on-premises network and move everything to a cloud vendor all at once, but instead gradually transition computing activity to the cloud. Identity management needs to make that transition as smooth as possible.

If a company uses Active Directory to manage its list of employees, their privileges and other information about the internal network, it needs to "federate" that directory to the cloud, said Nackman. "What you want to do is have a way of taking the information that is in the Active Directory and using that same information in the cloud," he said. "You don't want to duplicate all that stuff."

Sounds like a good plan in an era where your employees want to be productive and use the company's IT resources to do their jobs regardless of whether they are down the hall or in the cloud.

Copyright © 2010 IDG Communications, Inc.