Microsoft this week detailed a multi-year plan to tie together its security and access protection technologies into a policy-based network model intended to secure distributed computing.
The plan is to combine Active Directory; authentication technologies such as smart cards or biometrics; IPv6; IPsec; anti-malware; and Network Access Protection (NAP), the company's technology for checking the "health" of a computer (patch level, anti-virus state and the like) before it is allowed onto the network.
At least one customer welcomes the effort.
The goal is to give users a means to build security into extended networks based on well-defined policies that control who has access to what from where and how - instead of creating physical boundaries such as firewalls.
"We are trying to get there with a collection of kludges and patches," says Ted Campbell, manager of trading systems for Amerada Hess. "If they build this into Windows, we can start to do some of this more easily." Campbell says it's disappointing that Microsoft's plan won't really get off the ground until Longhorn Server ships in 2007.
"Microsoft seems to want to be a one-stop shop and pull together all the development policy and management into some centralized thing," he says.
Microsoft's plan, outlined at the TechEd conference by Bob Muglia, the senior vice president of the Windows Server division, is part of an effort Microsoft calls "integrating the edge." The effort is one of several Microsoft is focused on to evolve its Windows Server System to support varying roles within corporations, including .Net distributed applications, intelligent distributed storage and its Dynamic Systems Initiative.
The plan is to create a network that is secured and controlled based on policies in contrast to building network topology to meet security initiatives. Microsoft said it hopes to figuratively eliminate the firewall as the demarcation line that separates the intranet from the Internet.
"Corporate policy needs to define corporate boundaries," Muglia said. "It should be policy and not topology that defines the edge of the network. The physical boundaries of today are not viable for the future."
Muglia said that of all the Windows Server System initiatives, the work on redefining the edge of the corporate network is the farthest out, perhaps five to 10 years.
Muglia said the glue is Active Directory, which provides the user credentials, access controls and digital certificates that are key for security. Before year-end, Microsoft will ship Active Directory Federation Service, which will let business partners integrate their Active Directory infrastructures and share identity information.
Other technologies are farther out, such as NAP, which Muglia said will keep unpatched and unsecured machines off the network. First slated to ship this fall, it is now scheduled for 2007. Microsoft also is working on interoperability with the similar technology that Cisco is developing.
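To make the NAP idea concrete, here is an added example of a policy evaluator of the kind an admission server runs over a client's statement of health. It is illustrative code written for this article, not Microsoft's NAP implementation: the statement of health is assumed to arrive as a plain dictionary (real NAP carries it signed inside DHCP, 802.1X, VPN or IPsec exchanges), and the field names and policy thresholds are made up for the example. The point it shows beyond the paragraph is the three-way outcome (full network, remediation network, deny) and the fail-closed handling of missing or malformed data.

```python
"""Toy NAP-style health policy evaluator (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Any

# Constructed policy: minimums a machine must meet to reach the full network.
# Field names and values are assumptions for this example.
POLICY = {
    "min_patch_level": (5, 2, 3790, 1830),  # version tuple, compared lexicographically
    "av_enabled": True,
    "max_signature_age_days": 7,
    "firewall_enabled": True,
}

# Failures the client can fix by reaching only update/AV servers, so it gets a
# remediation network rather than an outright deny (assumed policy choice).
REMEDIABLE = {"patch_level", "av_signatures"}


@dataclass
class Decision:
    network: str                                  # "full", "remediation" or "deny"
    failures: list[str] = field(default_factory=list)


def evaluate_soh(soh: dict[str, Any], policy: dict[str, Any] = POLICY) -> Decision:
    """Evaluate a client's statement of health (SoH) against the policy.

    Every check fails closed: a missing, malformed or wrongly typed field counts
    as a failure, so a client cannot pass by omitting data.
    """
    failures: list[str] = []

    try:
        if tuple(soh["patch_level"]) < policy["min_patch_level"]:
            failures.append("patch_level")
    except (KeyError, TypeError, ValueError):
        failures.append("patch_level")

    if soh.get("av_enabled") is not True:
        failures.append("av_enabled")

    age = soh.get("av_signature_age_days")
    if not isinstance(age, int) or age < 0 or age > policy["max_signature_age_days"]:
        failures.append("av_signatures")

    if soh.get("firewall_enabled") is not True:
        failures.append("firewall")

    if not failures:
        return Decision("full")
    if set(failures) <= REMEDIABLE:
        return Decision("remediation", failures)
    # A disabled firewall or AV, or an unreadable SoH, is not something the
    # remediation network can fix on its own: deny.
    return Decision("deny", failures)


if __name__ == "__main__":
    # Constructed sample statements of health.
    healthy = {"patch_level": (5, 2, 3790, 1830), "av_enabled": True,
               "av_signature_age_days": 2, "firewall_enabled": True}
    stale = {"patch_level": [5, 2, 3790, 1218], "av_enabled": True,
             "av_signature_age_days": 30, "firewall_enabled": True}
    no_fw = {"patch_level": (5, 2, 3790, 1830), "av_enabled": True,
             "av_signature_age_days": 1, "firewall_enabled": False}
    for name, soh in (("healthy", healthy), ("stale", stale), ("no_fw", no_fw), ("empty", {})):
        print(name, evaluate_soh(soh))
```

The caveat a practitioner will want: the statement of health is produced by agents on the client itself, so the decision is only as trustworthy as that client. A machine that is already compromised can report whatever the policy wants to hear, which is why admission control of this kind complements patching and host hardening rather than replacing them.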
Also on the slate is anti-malware technology. Microsoft recently bought anti-virus/anti-spam vendor Sybari and anti-spyware firm Giant Company Software.
Adoption of two-factor authentication, which Muglia said now is the norm within Microsoft, will be critical, as will a standard and secure way to exchange identity credentials, which Microsoft is working on with Web services and its InfoCard technology.
Also necessary is IPsec, which is already supported in Windows Server 2003 and provides integrity and authentication for IP packets (and, with ESP, encryption). Another cog is IPv6, which expands the Internet address space to support the flood of devices beyond the PC.
"The long term thinking is about models," Muglia said. Models, he said, could be created from a set of best practices. "A company would just choose best practices, and it would snap in policy to support that." The policy could be customized, but management of all the pieces will be difficult.