Microsoft Counters Security Critics with 'Trust Ecosystem'
This morning in Nice, France, in the heart of the controversy over Windows Vista's security architecture, Microsoft helped open Day 1 of RSA Conference Europe 2006 with a demonstration of what the company is calling its "trust ecosystem." It's a marketing offensive strategy as well as a politically defensive strategy, selling both customers and legislators on the idea that the company's entire security architecture, from here on out, is predicated on partnership.
Every year, information technology becomes besieged with more and more "ecosystems." Originally, the term was borrowed to refer to an environment whose components are capable of sustaining themselves by nurturing each other. Today, it is that to which all systems of market partnership aspire.
One of the highlights of Microsoft's RSA presentation may potentially play more effectively to a European audience than it might to an American one, for reasons that are more sociologically related than anything else: Today, the company rolled out Beta 2 of a new Web-based management application for Windows Server 2003 R2, entitled Certificate Lifecycle Manager. Its target market is the Web-enabled enterprise where smart cards and digital authentication are part of the basic requirements for doing business.
CLM Beta 2 -- designed for use with Internet Explorer 6, though not yet tested with IE7 -- provides an administrator with a front-end console, with which the smart cards and digital certificates (both on and off the cards themselves) are managed centrally. With CLM, Microsoft is making its presence known in one more market where other players have traditionally dominated -- ironically, RSA itself among them.
But what makes CLM different from other certificate management consoles is that it ties Active Directory into the scheme directly, associating each employee's user identity with her work identity, not just for logging onto the computer but also conceivably for entering the building, entering the meeting room, powering on the company laptop, starting the company car, and any other application for which smart cards are used to grant access.
In a Windows Server environment, CLM serves not just as a central console but as a certificate server, or what Microsoft describes as an "administrative proxy" for multiple certificate authorities (CAs). A CA is a component already used in Active Directory to validate identities using digital certificates, and it is the basis for a complete group policy-managed system. There, an administrator has the ability to grant access to system resources to individuals or to groups of users, and certificates are key for representing identity in a fashion that cannot easily be repudiated.
For this whole scheme to work, CLM has to be extended to work with smart cards. Europe is the center of the smart card-driven world. There, a wide array of security providers supply smart cards, and although the leading international standard (ISO 7816) describes the interface to smart cards -- how other components may communicate with them -- it doesn't govern their internal architecture. As a result, there are conceivably dozens of ways a smart card can work, and up to this point, smart card management has largely been the job of the respective vendors.
Enter the notion of Microsoft's "trust ecosystem," albeit embryonic. As Microsoft's director of identity and access products, John G. Chirapurath, told BetaNews, "[CLM] lowers the cost associated with digital certificates and smart cards by enabling organizations to centrally manage the certificate-based infrastructures." In other words, potentially multiple vendors, but a single point of control.
Of course, to pull this off, all those smart cards have to communicate with CLM. And that's not something Microsoft can accomplish by itself -- not without a massive undertaking in reverse-engineering. "What we provide is a well-integrated, anchored solution for certificate management," remarked Chirapurath. "But one of the things that we also want to make it easy for our partners to basically have their cards or certificates managed via CLM."
So here's the trick: Smart card vendors are being invited to write what Microsoft calls "mini-drivers" (with due apologies to the noted actress), which would enable their cards to be recognized and managed under CLM. "All a smart card manufacturer needs to do to have their smart card managed via CLM is to write a little piece of code that we call a 'mini-driver' or a 'card module,'" Chirapurath told us, "and bingo, CLM is able to manage that smart card."
To try to entice other vendors to follow suit, Microsoft has signed on at least one vendor, but the big one: Gemalto. As Chirapurath confirmed, "Europe is at the vanguard of a lot of the smart card and certificate-based, strong authentication solutions that are being deployed today. Gemalto is fairly strong in Europe, so one of the things we want to do is serve these markets better, where the pain around managing smart cards, issuing certificates, is being felt."
"One key challenge that enterprises face is the plethora of different ways to assert credentials, to manage identities," Chirapurath continued. "Microsoft's mission here is to lower these deployment costs, and remove some of these blockades associated with deploying and managing these kinds of infrastructures."
To accomplish this, Microsoft is building what appears to be the blueprint for an infrastructure for an ecosystem, in hopes that many other vendors will follow suit. If it works, then this ecosystem could itself be the blueprint for a broader plan: a way for the company, going forward, to evangelize partners on new security platforms and architectures before those architectures change the way things currently work so much that vendors end up complaining.
In so doing, the company could very well be moving the ball forward on an offensive plan that was put in place a quarter-century ago: to establish a non-repudiable system for portable, electronic, ubiquitous identity.
"What we are looking to do is not restricted to just the certificate-based world," Chirapurath admitted to us. "We want to horizontally expand the abilities to other identity management systems." That direction of expansion is a very familiar one, both for Microsoft and for those who have worked either with or around the company over the years.