Microsoft’s long history of security problems gives most CIOs significant heartburn, especially when they consider the conditions under which they’ll open up Microsoft systems to the Internet. And recent developments with the .NET MyServices initiative haven’t helped.
First, Microsoft announced a far-reaching plan to provide hosted data services for the masses. Using the .NET Passport as the key, Microsoft initially intended to host—and allow users to manage—personal data, including mail, calendars, and wallets. Then, based on the backlash from customers, service providers, privacy advocates, and even the government, Microsoft altered its approach. The MyServices platform can be hosted by others, but Microsoft isn’t offering hosting services.
To many, the future of the .NET Passport and Microsoft’s federated authentication model became clouded. Over the next year, corporations that rely on Internet-wide authentication schemes to secure customer transactions will have to begin investing in core Kerberos technologies, and they will have to decide how, and with whom, to integrate those Kerberos domains. To help companies with that planning, Microsoft has made a definitive statement about how Passport and its other products and initiatives will be integrated with the WS-Security specification (authored by IBM, Microsoft, and VeriSign, and profiled for interoperability by the Web Services Interoperability Organization, WS-I) during this transitional period.
As part of its work in WS-I (a consortium that includes IBM and other major software vendors), Microsoft is integrating the proposed specifications into its infrastructure, platform services, and development tools. When that work is complete, companies will be able to use Microsoft products to build applications and systems that participate in open, standards-based, federated identity solutions. The strategy, and the products associated with it, is called TrustBridge.
The product roadmap
Before TrustBridge products ship in 2003, Microsoft is extending existing products so that companies can begin taking advantage of federated identities. Customers running Windows servers and Active Directory already have the fundamental building blocks for managing and securing identity, and advances in the new Windows .NET Server will help enterprises move more rapidly toward federated identities.
For example, Windows .NET Server will let a company federate its existing Active Directory forest directly with another company’s forest over the Internet, so that each company can grant the other’s users direct access to resources on its network. Because a forest trust spans every domain in both forests, the scope of that access is a decision to make before the trust is created, not after. In addition, Windows .NET Server can be configured to accept a .NET Passport as a credential type.
By design, TrustBridge will run on existing Windows .NET servers and will let you federate enterprise identities with other organizations running Windows, with the .NET Passport service, and with third-party Kerberos-based systems running other authentication products or operating systems.
If Sun and the Liberty Alliance decide to build their authentication system on the Kerberos standard, Kerberos will become to authentication what TCP/IP became to networking: just as proprietary protocols such as IPX and NetBIOS gave way to the IP standard, proprietary authentication mechanisms will give way to Kerberos.
When released, TrustBridge will include support for browser-based single sign-on, trust management and auditing tools, and integration with existing Windows server tools. Given IBM’s active participation in the standards effort, it is reasonable to expect that the first release will also integrate with key IBM middleware products, such as WebSphere, that support WS-Security.
Preparing for the federated identity
Because the .NET Passport service has over 200 million active accounts and performs over 3.5 billion authentications a month, it will remain a key Microsoft initiative for driving consumer adoption of Internet-based authentication. By giving partner sites a way to verify identity, and companies a way to permit access with Passport credentials, Microsoft will continue to deliver value for consumers, Web sites, and companies. When Passport adopts the WS-Security specification in 2003, it will be able to participate in a federated identity system alongside enterprise or Internet-based authentication systems.
CIOs who have a significant investment in Microsoft technologies should start preparing now to participate in a federated environment, with the planning and implementation steps that follow.
First, Microsoft’s future directory technology will be built only on Active Directory. Tech leaders should implement Active Directory now and begin managing user names, passwords, and profiles centrally; they can deploy on Windows 2000 today and upgrade to .NET Server once it ships.
Second, begin investigating the functionality in .NET Server. The functionality required for multicompany federation will be available as soon as .NET Server ships, provided every participating company has implemented Active Directory on .NET Server; a forest that still runs Windows 2000 domain controllers cannot take part.
Third, begin researching WS-Security technologies and seek out products and services with a published roadmap for supporting its authentication methods. As tech leaders write specifications for future systems, whether bought or built, they should make WS-Security compliance part of the requirements. Note that WS-Security defines how security tokens (Kerberos tickets, X.509 certificates, user name and password tokens, and others) are carried, signed, and encrypted inside SOAP messages; it does not by itself dictate which token type a federation partner will accept, so requirements should name the token profiles as well as the specification.
Finally, consider whether there are existing scenarios in which Passport authentication could replace an in-house authentication mechanism. Once Passport is integrated with TrustBridge, it can serve as the public authentication mechanism through which customers and partners are authorized to use private assets, and companies with existing systems can leverage the Passport infrastructure and benefit sooner from its planned Kerberos adoption.
Once Microsoft, IBM, and the other WS-I participants deploy them, these universal, Kerberos-based identity mechanisms carried over WS-Security will give users unprecedented opportunities to interact with systems regardless of the underlying platform. By taking the lead in developing these Web services standards and implementing them in their products, IBM, Microsoft, and the other WS-I members stand to become the leading providers of truly interoperable systems. Companies that begin researching and adopting products based on these standards will reap the benefits first.
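To make the third step concrete, the following is an added example written for this article; it is not Microsoft’s, IBM’s, or any product’s code. It shows the simplest WS-Security token, a UsernameToken carried in the SOAP header, built by a client and verified by a service, including the two checks a practitioner will want: the token is rejected if its Created timestamp falls outside a clock window, and it is rejected if the same nonce is presented twice. The digest rule, Base64(SHA-1(nonce + created + password)), is the one defined by the WS-Security UsernameToken profile; the credential store, the five-minute window, the in-memory nonce cache, the partner user name, and the GetOrderStatus payload are assumptions made for the example. Federation between organizations would carry signed Kerberos or X.509 tokens in the same wsse:Security header rather than a shared password, but the header structure and the freshness and replay checks are the same.

```python
# Added example, not Microsoft's or IBM's code: a client builds a WS-Security
# UsernameToken, a service verifies it.  The credential store, clock window,
# nonce cache and sample payload are assumptions made for this example.
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Set, Tuple

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)), per the profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_envelope(username: str, password: str, now: datetime) -> str:
    """Client side: SOAP envelope whose <wsse:Security> header carries the token."""
    nonce, created = os.urandom(16), now.strftime(TIME_FMT)
    env = ET.Element(f"{{{SOAP}}}Envelope")
    security = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    token = ET.SubElement(security, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(token, f"{{{WSSE}}}Password", Type=DIGEST_TYPE)
    pw.text = password_digest(nonce, created, password)
    ET.SubElement(token, f"{{{WSSE}}}Nonce").text = base64.b64encode(nonce).decode("ascii")
    ET.SubElement(token, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    ET.SubElement(body, "GetOrderStatus", OrderId="1001")  # constructed sample payload
    return ET.tostring(env, encoding="unicode")


def verify_envelope(xml_text: str, credentials: Dict[str, str],
                    seen_nonces: Set[Tuple[str, bytes]], now: datetime,
                    window: timedelta = timedelta(minutes=5)) -> bool:
    """Service side: recompute the digest; reject malformed, stale or replayed tokens."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    token = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return False
    username = token.findtext(f"{{{WSSE}}}Username")
    pw_el = token.find(f"{{{WSSE}}}Password")
    nonce_b64 = token.findtext(f"{{{WSSE}}}Nonce")
    created = token.findtext(f"{{{WSU}}}Created")
    if not (username and nonce_b64 and created) or pw_el is None:
        return False
    if pw_el.get("Type") != DIGEST_TYPE:  # refuse clear-text PasswordText tokens
        return False
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        created_at = datetime.strptime(created, TIME_FMT).replace(tzinfo=timezone.utc)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if abs(now - created_at) > window:  # freshness: limits how long a captured token is usable
        return False
    if (username, nonce) in seen_nonces:  # replay: same nonce presented twice inside the window
        return False
    password = credentials.get(username)
    if password is None:
        return False
    expected = password_digest(nonce, created, password).encode("ascii")
    if not hmac.compare_digest(expected, (pw_el.text or "").encode("utf-8")):
        return False
    seen_nonces.add((username, nonce))
    return True


def run_scenarios() -> Tuple[bool, bool, bool, bool]:
    """Fresh token accepted; replay, wrong password and stale token rejected."""
    user, creds = "alice@partner.example", {"alice@partner.example": "correct horse battery"}
    seen: Set[Tuple[str, bytes]] = set()
    now = datetime(2002, 7, 1, 12, 0, tzinfo=timezone.utc)
    env = build_envelope(user, creds[user], now)
    fresh = verify_envelope(env, creds, seen, now)
    replay = verify_envelope(env, creds, seen, now)
    bad_pw = verify_envelope(build_envelope(user, "wrong", now), creds, set(), now)
    stale = verify_envelope(env, creds, set(), now + timedelta(hours=1))
    return fresh, replay, bad_pw, stale
```

The nonce cache only has to remember nonces for as long as the clock window, since anything older is rejected by the freshness check first; the two checks together are what turn a captured token into a short-lived, single-use credential. A service that accepts PasswordText tokens, or that skips the nonce check, gets neither property.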