Is an inevitability a strategy?

John Fontana of ZDNet has written a pretty high-octane report on the blog posts John Shewchuk and I published last week.  The article starts with a summary:

The software giant begins talking publicly about Windows Azure Active Directory service and its strategy to use it as the foundation for its Identity Management as a Service strategy.

That's an interesting take on things.   But is “Identity Management as a Service” actually a strategy?  I wonder.  In my thinking it is an inevitability.  In other words, IDMAAS is the world we will end up in rather than the means of getting there.

So I think it is more accurate to say, as ZDNet also does, that Microsoft's strategy is to use Windows Azure Active Directory as the vehicle through which it offers Identity Management as a Service.   

I hope this distinction doesn't appear overly picky…   I just call it out because I would like to see our conversation focus primarily on what Identity management as a service must be.  After all, if we don't get that right, the best strategy for getting there will be largely irrelevant.

But enough of this.  John Fontana cuts to the chase:

After two years of work, Microsoft has unveiled details and its strategy around Active Directory for the cloud, anointing it the centerpiece of a comprehensive online identity management services strategy it thinks will profoundly alter the ID landscape. 

The company said changes to the current concepts around identity management need a “reset” to handle the “social enterprise.” Microsoft says it is “reimagining” how its Windows Azure Active Directory (WAAD) service helps developers create apps that connect the directory to SaaS apps and cloud platforms, corporate customers and social networks.

“The term ‘identity management’ will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world,” Kim Cameron, an icon in the identity field and now a distinguished engineer working on identity at Microsoft, said on his blog. “This is so profound that it constitutes a ‘reset’.”

At the center is WAAD, which is in use today mostly with Office 365 and Windows Intune customers. WAAD is a multitenant service designed for high availability and Internet scale.

In a companion blog post to Cameron’s, John Shewchuk, a Microsoft Technical Fellow and key cog in the company’s cloud identity engineering, provided some details on WAAD, including new Internet-focused connectivity, mobility and collaboration features to support applications that run in the cloud.

Shewchuk said the aim is to support technologies such as Java, and apps running on mobile devices including the iPhone or other cloud platforms such as Amazon’s AWS.

Shewchuk said WAAD will be the cloud extension to on-premises Active Directory deployments enterprises have already made. The two are married using identity federation and directory synchronization.

He said Microsoft made “significant changes to the internal architecture of Active Directory” in order to create WAAD.

As an example, he said, “Instead of having an individual server operate as the Active Directory store and issue credentials, we split these capabilities into independent roles. We made issuing tokens a scale-out role in Windows Azure, and we partitioned the Active Directory store to operate across many servers and between data centers.”

Some analysts are already noting the challenges Microsoft will have with its cloud directory.

Mark Diodati, a research vice president at Gartner focusing on identity issues, told me in a conversation about changes the cloud is forcing on enterprise ID management that, “the addition of tablets and smartphones into the enterprise device mix exceeds Active Directory’s management capabilities and there is an impedance mismatch using Kerberos across the cloud.”

While Shewchuk laid out the set-up for a Part 2 of his blog that will focus on enhancements to WAAD, Kim Cameron painted the bigger picture on cloud identity going forward.

He said companies adopting cloud technology will see dramatic changes over the next decade in the way identity management is delivered. “We all need to understand this change,” he stressed.

Cameron said identity management as a service “will use the cloud to master the cloud”, and will provide the most reliable and cost-effective options.

“Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.”

And he added that enterprises will have to move beyond concepts that have guided their thinking to date.

[Full article and links to interviews and related pieces.]

I'll be interested in hearing more about Mark Diodati's views.  I think he is right to say that you can't just hoist Kerberos-based AD into the sky and claim you've solved the world's problems.  

But that's why we have spent years now embedding web protocols like SAML into AD so that it could federate and become part of the Cloud.  The truth is that Windows Azure Active Directory has already transcended Kerberos – it tips its hat to the predominance of things like OpenID and OAuth on the Internet.  And this is but one example of a whole change in attitude.

Wait.  I'm already ahead of myself – getting into details about my little corner of reality before we've even defined a landscape…

[While we're at it, I notice that John Fontana, a tried and true bellwether when it comes to language, happily uses the acronym “WAAD” while refusing to taint himself with “IDMAAS”:  hmmmm… could it be a sign?]


Identity Management As A Service

A few weeks ago at the European Identity and Cloud Conference I gave a keynote called Conflicting Visions of Cloud Identity. It was the first time that I reported publicly on the work I've been doing over the last year on understanding what cloud computing means for identity – and vice versa.

The keynote led to many interesting exchanges with others at the conference. The conversations ranged from violent agreement to “animated dissidence” – and most important, to the discussion of many important nuances.

It became clear to me that a lot of us involved with information technology could really benefit from an open exchange about these issues. We have the chance to accelerate and align our understanding and to explore the complexities and opportunities.

So today I'd like to take a first step in that direction and lay out a few high level ideas that I'll flesh out more concretely in upcoming posts.  I hope these will goad some of you into elaborating, pushing back, and taking our conversation in other completely different directions.

Preparing for dramatic change

To me, the starting point for this conversation is that Identity Management and the way it is delivered will change dramatically over the next decade as organizations respond to new economic and social imperatives by adopting cloud technology.

We all need to understand this change.

Organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management As A Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.

Redefining Identity Management

The term “Identity Management” will be redefined to include everything needed to provide and consume identity in our increasingly networked and federated world.  This is so profound that it constitutes a “reset”.

As a category, Identity Management will expand to encompass all aspects of identity:

  • registration of people, organizations, devices and services;
  • management of credentials;
  • collection and proofing of attributes;
  • claims issuance;
  • claims acceptance;
  • assignment of roles;
  • management of groups;
  • cataloging of relationships;
  • maintenance of personalization information;
  • storage and controlled publication of information through directory;
  • confidential auditing; and
  • assurance of compliance.

The baseline capability of Identity Management will be to enhance the security and privacy of both organizations and individuals.

There will be a new market of next-generation identity management service providers with characteristics shaped by the importance of identity for both the protection of assets and the enhancement of relationships as we enter the era of the social enterprise.

Meanwhile, the current market for identity management products will be challenged by the simplification, cost reduction and increased innovation possible in the cloud.

Going forward, the term Identity Management As A Service will come up so often that we need an acronym.  For the time being I'm going to adopt the one my friend Eric Norlin proposed over six years ago: IDMaaS. While we're at it, it is worth looking at Eric's prescient article in ZDNet – he wrote it back in 2006 when he was a partner at Digital ID World. Eric reports on a conversation where Jamie Lewis (then CEO of the Burton Group) argued that “companies would find identity data too important to hand over to others” – a view that certainly described the way enterprises felt at that time.  These issues are still critically important, though many profound evolutions have, I think, transformed the variables in the equations.  These new variables will be ones we want to drill into going forward.

Microsoft and IDMaaS

One of the reasons I want to share my thoughts about Identity Management as a Service now is that they constitute part of the theoretical framework that lies behind many of the decisions about the kind of organizational identity service we at Microsoft are offering. 

I'm therefore really excited to say that today we are able to start bringing you up to speed on exactly what that is.  Here's a quote from today's blog post by my close colleague and friend John Shewchuk, the Technical Fellow who plays a key role in getting our cloud identity offering engineered right: 

What is Windows Azure Active Directory?

We have taken Active Directory, a widely deployed, enterprise-grade identity management solution, and made it operate in the cloud as a multitenant service with Internet scale, high availability, and integrated disaster recovery.

Since we first talked about it in November 2011, Windows Azure Active Directory has shown itself to be a robust identity and access management service for both Microsoft Office 365 and Windows Azure–based applications.

In the interim, we have been working to enhance Windows Azure Active Directory by adding new, Internet-focused connectivity, mobility, and collaboration capabilities that offer value to applications running anywhere and on any platform. This includes applications running on mobile devices like iPhone, cloud platforms like Amazon Web Services, and technologies like Java.

The easiest way to think about Windows Azure Active Directory is that Microsoft is enabling an organization’s Active Directory to operate in the cloud. Just like the Active Directory feature in the Windows Server operating system that operates within your organization, the Active Directory service that is available through Windows Azure is your organization’s Active Directory. Because it is your organization’s directory, you decide who your users are, what information you keep in your directory, who can use the information and manage it, and what applications are allowed to access that information. And if you already have on-premises Active Directory, this isn’t an additional, separate copy of your directory that you have to manage independently; it is the same directory you already own that has been extended to the cloud.

Meanwhile, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your information.

John's post is called Reimagining Active Directory for the Social Enterprise.  It's done in two parts, and following that John will join our broader conversation about the identity management reset.   I hope the combination of our two blogs can help animate an industry-wide discussion while providing a specific channel through which people can get the information they need about Microsoft's identity service offering.

Later this week:  The Changing Model of Identity Management.  I hope to see you there.