RSA Conference -- Day 1 Part 2


As I mentioned in my last blog post, my day consisted primarily of an all-day session on building an identity management system at the RSA Conference. In the evening, I spent 3+ hours on the expo floor. For the most part, I used my time to talk with the Microsoft product, sales, and engineering folks (including Vittorio!) to understand what Forefront Sterling is and how its different parts work with the sort of STS that my group and I have been creating. After reading the announcement about this the other day, I had dismissed it as nothing more than marchitecture. Marketing it may be, but it isn't something that should be quickly dismissed without fully understanding it. After taking the time to talk with the folks tonight at RSA, I have to say, I was very impressed with their level of expertise and willingness to help me come to this understanding, and with the actual solution itself.

I use the term solution here purposefully because that is exactly what Sterling is - an end-to-end solution for system security that integrates with previously available Microsoft products as well as newly acquired ones to provide enterprise-ready security. Sterling, from what I understand after tonight's discussion, integrates the previous version of Forefront with previously existing or recently acquired products to provide features such as:

  • URL filtering,
  • Reputation management - white-, black-, gray-listing of software (offered eventually perhaps as S+S like Bit9),
  • Spam filtering for Exchange,
  • Scanning of documents uploaded to SharePoint,
  • AV,
  • Malware detection,
  • User provisioning,
  • Automated resetting of forgotten passwords,
  • Directory synchronization, and
  • A centralized management interface and PowerShell API to tie it all together.

These features, and a truckload of others, are provided by the different products within the suite. Lots of these capabilities were provided previously by existing properties that were consumer-oriented (e.g., AV by OneCare and spyware handling by Defender) or available as a stand-alone product (e.g., Sybari Antigen for Exchange). The rebranding/renaming as Sterling is simply to communicate their newly unified nature.

The products that make up this suite include the following:

  • Forefront codenamed Sterling (which is a unified management console that works with System Center)
  • Forefront Security for Application Services (providing tailored security for Exchange, SharePoint, etc.)
  • Forefront Client Security (the business-oriented version of Defender, OneCare, and others that tie in with the Sterling System Center management UI to provide host security)
  • Forefront Edge Security
  • Identity Lifecycle Manager 2010

Identity Lifecycle Manager

The most exciting piece to me, at least, was Identity Lifecycle Manager. This product isn't new, but it was to me. If you're also new to the product, think of it as SharePoint with custom workflows revolving around identity management. It allows you to define (extensible) workflows that can be triggered by various preexisting or user-created events to launch a workflow that solves a particular challenge related to identity management. Some of the primary use cases that it helps solve include:

  • Forgotten password,
  • Replication of identities between heterogeneous directories,
  • Self-service abilities to be added/removed from Exchange distribution lists, and
  • Provisioning of user identities.

It helps address the first need by allowing users to choose or define (not sure which) security questions, one of which will be presented to them should they happen to forget their password. These questions are surfaced via a custom GINA that provides a button allowing a user who's forgotten their password to answer a previously set up security question directly from the typical login screen. (I'm not sure how this would work if you already have a custom GINA like the one provided by Check Point's Pointsec PC.)

Its ability to replicate identities from one directory to another isn't limited to AD and, from what I'm told, allows workflows to be kicked off based on events that occur in other data stores (e.g., SAP). The self-management of subscriptions to distribution lists is integrated into Outlook and can be governed by policies (events and workflows that solve a particular business rule) that may or may not require manual approval. If approval is required, the list's owner is sent an email from which she can approve or deny the request within Outlook. The automation around user identities is flexible and extensible via custom WF activities, which is good because, based on what Erik Heidt said during the tutorial earlier today, user provisioning is an extremely difficult and time-consuming job that requires an understanding of tribal, undocumented processes.

All of this in one day! What will day two entail? Stay tuned to my blog to read more tomorrow and follow me on Twitter for more frequent updates.