John Fontana of ZDNet has written a pretty high octane report on the blog posts John Shewchuk and I published last week. The article starts with a summary:
The software giant begins talking publicly about Windows Azure Active Directory service and its strategy to use it as the foundation for its Identity Management as a Service strategy.
That's an interesting take on things. But is “Identity Management as a Service” actually a strategy? I wonder. In my thinking it is an inevitability. In other words, IDMAAS is the world we will end up in rather than the means of getting there.
So I think it is more accurate to say, as ZDNet also does, that Microsoft's strategy is to use Windows Azure Active Directory as the vehicle through which it offers Identity Management as a Service.
I hope this distinction doesn't appear overly picky… I just call it out because I would like to see our conversation focus primarily on what Identity management as a service must be. After all, if we don't get that right, the best strategy for getting there will be largely irrelevant.
But enough of this. John Fontana cuts to the chase:
After two years of work, Microsoft has unveiled details and its strategy around Active Directory for the cloud, anointing it the centerpiece of a comprehensive online identity management services strategy it thinks will profoundly alter the ID landscape.
The company said changes to the current concepts around identity management need a “reset” to handle the “social enterprise.” Microsoft says it is “reimagining” how its Windows Azure Active Directory (WAAD) service helps developers create apps that connect the directory to SaaS apps and cloud platforms, corporate customers and social networks.
“The term ‘identity management’ will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world,” Kim Cameron, an icon in the identity field and now a distinguished engineer working on identity at Microsoft, said on his blog. “This is so profound that it constitutes a ‘reset’.”
At the center is WAAD, which is in use today mostly with Office 365 and Windows Intune customers. WAAD is a multitenant service designed for high availability and Internet scale.
In a companion blog post to Cameron’s, John Shewchuk, a Microsoft Technical Fellow and key cog in the company’s cloud identity engineering, provided some details on WAAD, including new Internet-focused connectivity, mobility and collaboration features to support applications that run in the cloud.
Shewchuk said the aim is to support technologies such as Java, and apps running on mobile devices including the iPhone or other cloud platforms such as Amazon’s AWS.
Shewchuk said WAAD will be the cloud extension to on-premises Active Directory deployments enterprises have already made. The two are married using identity federation and directory synchronization.
He said Microsoft made “significant changes to the internal architecture of Active Directory” in order to create WAAD.
As an example, he said, “Instead of having an individual server operate as the Active Directory store and issue credentials, we split these capabilities into independent roles. We made issuing tokens a scale-out role in Windows Azure, and we partitioned the Active Directory store to operate across many servers and between data centers.”
Some analysts are already noting the challenges Microsoft will have with its cloud directory.
Mark Diodati, a research vice president at Gartner focusing on identity issues, told me in a conversation about changes the cloud is forcing on enterprise ID management that, “the addition of tablets and smartphones into the enterprise device mix exceeds Active Directory’s management capabilities and there is an impedance mismatch using Kerberos across the cloud.”
While Shewchuk laid out the set-up for a Part 2 of his blog that will focus on enhancements to WAAD, Kim Cameron painted the bigger picture on cloud identity going forward.
He said companies adopting cloud technology will see dramatic changes over the next decade in the way identity management is delivered. “We all need to understand this change,” he stressed.
Cameron said identity management as a service “will use the cloud to master the cloud”, and will provide the most reliable and cost-effective options.
“Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.”
And he added that enterprises will have to move beyond concepts that have guided their thinking to date.
I'll be interested in hearing more about Mark Diodati's views. I think he is right to say that you can't just hoist Kerberos-based AD into the sky and claim you've solved the world's problems.
But that's why we have spent years now embedding web protocols like SAML into AD so that it could federate and become part of the Cloud. The truth is that Windows Azure Active Directory has already transcended Kerberos – it tips its hat to the predominance of things like OpenID and OAuth on the Internet. And this is but one example of a whole change in attitude.
Wait. I'm already ahead of myself – getting into details about my little corner of reality before we've even defined a landscape…
[While we're at it, I notice that John Fontana, a tried and true bellweather when it comes to language, happily uses the acronym “WAAD” while refusing to taint himself with “IDMAAS”: hmmmm… could it be a sign?]