Microsoft Security dude says it's always the gift-giving season at Microsoft

John “JG” Chirapurath as Santa

During the holiday season, Microsoft Subnet hooked up with John “JG” Chirapurath, director of marketing for the Identity & Security (I&S) unit at Microsoft, to pick his brain about some of the many new security and identity management tools coming out of Redmond. As a guest for Microsoft Subnet's "10 questions for" series, JG dished about new products: Identity Lifecycle Manager 2; the latest version of Forefront (an integrated suite otherwise known as Stirling); the Intelligent Application Gateway SP2; and why the security and identity management teams were mashed into a single business unit. He also said that no matter the time of year, the spirit of Santa lives on in his division (see the answer to question 10 to see what we mean). What follows is an edited transcript of the interview.

Microsoft Subnet: Hi, thanks for meeting with me today. Let's launch right into question 1: Microsoft's Identity and Security group has had all kinds of interesting announcements but it sounds as if Microsoft is going in a million different directions with identity management. There have been announcements about Forefront/Stirling, IAG SP2, Geneva, data leakage prevention … can we start with a big picture view of Microsoft's product strategy around identity management?

JG: In July of this year, we brought the identity and security businesses together. What we found from customers was that identity and security were two sides of the same coin as far as customers were concerned. Identity says, "let the good guys in" and Security says, "but keep the bad guys out." When a customer loses identities, it leads to a security risk for the organization. If a customer has a security vulnerability, the first thing a hacker does is go for the organization's identities. So we brought the efforts together. My unit is responsible for identity and security technologies that ship in Windows (notably Active Directory), in our cloud offerings (e.g. Geneva), our Forefront family of products, as well as new management releases such as "Stirling" and Identity Lifecycle Manager "2".

Microsoft Subnet: Question 2. Will these products be integrated ... or are many of them intended to be stand alone?

JG: Within our mission, we have several key bets. The first is the platform bet. We are committed to providing a comprehensive platform that is not only identity aware (e.g. Active Directory) but is also secure by default (e.g. features like BitLocker). This platform works whether in physical environment or virtual, whether on premises or in the cloud. The Geneva announcement was related to our platform and as part of that we disclosed a road map that showcased how customers could extend the identities to other partners as well as the cloud.

The next big bet is around universal access. When we talk about access, a customer has several needs related to the "how" as well as related to the "what." For instance, an example of a how is "remote access" - a way to remotely connect to enterprise resources. The "what" is things the enterprise is trying to get access to - network resources, application resources or information resources. As access is layered on the identity and security platform, it is identity aware by default. In this area we made several key announcements recently. We announced Intelligent Application Gateway SP2 - our remote access solution. In December we made an announcement with RSA that was related to information access. We are partnering with RSA to provide a comprehensive solution to information access and protection by converging data leakage prevention and enterprise rights management approaches.

The next big bet is comprehensive protection. This is the Forefront family of products that protect a customer's resources from the network edge, server applications like mail, and portals and clients like Windows. And the final key bet is management - this is where Forefront codename "Stirling" comes in with ILM 2.

Microsoft Subnet: Question No. 3: Please explain how ILM “2” fits into the scheme, particularly with Active Directory. How is ILM 2 different from other identity management solutions?

JG: ILM brings together two related challenges that customers have with identities. It offers traditional identity management with certificate/smart card management (and is the first product in the market to do so). Previously a customer had to approach two vendors to buy these products. With ILM they can buy it in one place. ILM 2 takes this one step further. It adds two key things - self service capabilities integrated with familiar desktop productivity applications like Microsoft Office (notably Outlook) and developer features -- so customers have the option of extending the features if they seek to. ILM 2 can manage the identities in Active Directory through a feature it offers called Sync. Sync can manage identities stored in any directory in the enterprise, not just AD.

Microsoft Subnet: No. 3. Let's zero in on Intelligent Application Gateway SP2. IAG 2007 is a SSL VPN/application firewall/end point security and "content inspection" hardware appliance. SP2 will have a software option, as a virtual machine that can be dropped on Windows Server 2008. I assume it will run natively with Vista … will it also run with XP? Please explain how it will support Linux and Macs (as promised).

JG: As I mentioned, IAG is an access solution. What it is able to do and what customers buy it for is to govern access to applications (such as SharePoint) in a fine-grained way. For example you can publish an internal portal to customers or partners and set up fine-grained privileges, like a customer has read-only rights but a partner can read and delete. It achieves this by linking these privileges with identities. SP2 as you noted now comes with the option of running it in a virtualized environment. It goes back to the promise of the division - whether on prem/cloud/physical/virtual, our solutions will work. So it also added support for things like Linux and Macs. What that means is you can use these clients and access applications governed by IAG in the middle as easily as you would from a Windows machine.

Microsoft Subnet: No. 4. Will IAG SP2 in virtual form require client-side software?

JG: No. There is no extra overhead on the customer as IAG doesn't require any changes. IAG sitting in the middle recognizes the type of client and deals with it as seamlessly as it does with Windows.

Microsoft Subnet: No. 5. The literature also says IAG SP2 will support Firefox … in what way?

JG: IAG is client agnostic and browser agnostic. Let's say the only browser available is Firefox on your machine (say a kiosk for example). You can access the application via IAG seamlessly, download or look at your information and when you exit the session, the information is flushed from the cache so you have a secure experience.

Microsoft Subnet: No. 6. Microsoft is further developing its desktop virtualization strategy with Windows Server 2008. Windows Server 2008 Release 2 (now in beta) is supposed to include a feature called DirectAccess, which the Windows Server team says will be an embedded wireless VPN between Windows clients and Windows Server. It is supposed to eliminate the need for a VPN. If that's the case, what future do SSL VPN technologies have (including IAG)?

JG: IAG is very powerful with DirectAccess as part of the access strategy from Microsoft. What we provide is enterprise deployment for DirectAccess for both managed and unmanaged access (e.g. non-standard devices like phones that may not be connected to the enterprise). More on this later. We will be talking about this in detail in the coming months.

Microsoft Subnet: No. 7… the last IAG question -- pull this all together for me by describing what kind of end user would use IAG (a heavy Microsoft application/backoffice house seems likely) and a typical user's environment. What products/security systems does it replace?

JG: The typical customer is one who needs to provide access to their employees, customers and partners in a fine-grained way. For example, a bank's customers may need to connect to the online banking application but have their identity govern what they can and cannot do. Another example is a manufacturing company that wants to give its suppliers access to its ordering systems. For IT, they would need to acquire IAG, configure it via policy - what applications to provide access to, at what granularity, and to whom - and they are up and running! It is drop-in and easy but provides powerful capabilities.

Microsoft Subnet: No. 8. When it comes to the identity management market overall, mobile devices – Windows Mobile 6x, the iPhone and others – have been mostly left out in the cold. What is the plan to bring smartphones into the identity management fold?

JG: Today we are able to actually enforce security and load and manage certificates on Windows mobile so they can be treated as managed devices like PCs in the enterprises. We are looking to expand the features here and I will be happy to share more details at a later date.

Microsoft Subnet: No. 9. How does any of this fit with Microsoft's network access control technology, NAP (which is also baked into Windows Server 2008 and Vista)?

JG: NAP, as you know, is a protection technology and we can use products like IAG, as well as Stirling in the future, to enforce NAP, turn it on/off, and ensure policy-driven granular access in general.

Microsoft Subnet: No. 10 I always ask a James Lipton "Actor's Studio" type of question for the pure fun of it. If Microsoft were a child sitting on Santa's lap, what present should it ask for?

JG: Peace, love, and happiness for the World.

Microsoft Subnet: That's sweet, but from my cynical point of view, kinda corny. Anything else?

JG: Well, I'd ask Santa what he's doing in my seat because we have a whole bag of presents for our customers this year.

Microsoft Subnet: LOL. Fair enough. We will check back with you to hear more about identity management for mobile devices and some of those other presents you plan to give all year.


Copyright © 2009 IDG Communications, Inc.
