Analysis: Is Active Directory coming to the cloud?

Microsoft global chief technology officer Norm Judah.

Global CTO hints at "Enterprise Access" for consumer devices.

Microsoft boffins were understandably nervous at last week's TechEd developer conference on the Gold Coast.

After executives at the company unwittingly unveiled a Samsung tablet before its official release at the New Zealand conference the week before, they had every right to be.

They hoped the same would not happen here.

They got close.

The conference progressed with few hitches, until global chief technology officer Norm Judah took to the stage at the closing locknote on Friday afternoon.

There, Judah heavily emphasised Microsoft's cloud strategy: how the company saw it, how it had evolved (virtualised servers are about to outnumber their physical counterparts) and how customers should build their own private clouds, preferably, of course, either internally on Hyper-V or with Microsoft on Windows Azure.

But, when it came to providing a "unique view" of Microsoft in five years' time, Judah revealed a product named "Active Directory Enterprise Access".

Except the product doesn't exist, as far as we know.

Even Microsoft public relations seemed perplexed and were unable to provide an answer to repeated requests for clarification.

The slip also raised eyebrows among the TechEd audience.

Alongside the slide, Judah pushed the need for authorisation and identity to make their way to the cloud, following in the recent footsteps of Office 365, which moved users' data onto Microsoft's servers.

So is this the fabled entry of Active Directory to the cloud?

When pressed by iTnews, Judah said he didn't want to "pre-announce" anything but did indicate that the company was developing cloud solutions. An identity and authorisation element, he said, was likely to hang off that.

"It's a problem we have to solve," he told iTnews.

It seems a problem Judah is keenly interested in. Throughout his talk, the global CTO pressed the need to gain control of user devices by storing the context of each device in the cloud and sharing it across the growing armoury of personal and corporate tools used by the employee.

That, however, would bring its challenges when it came to providing the authentication and authorisation required from each of the devices to access corporate data.

"The explosion we're seeing today in terms of sensor-based networks and active networks is going to have significant impacts on the work we need to do around security and access and control in huge ways," Judah said. "How do you provide the right level of control for an anonymous device or an anonymous user to your corporate assets?"

The answer, he said, would come through the "discontinuity" of placing access authorisation into a service.

"It simply goes back to much of the work we did ten years ago around Active Directory. In the modern paradigm, this is much more around devices, people coming into the network and really, the device or person can be anonymous but as soon as somebody is trying to access corporate assets - who are they and do they have the rights to do what they're doing," he said.

"Authentication and authorisation start to become key leverage points when we're talking about the cloud and this massive proliferation of devices that's happening from sensors... to every device that you can think of that is a potentially authenticating device."

Transforming the legacy of Active Directory would be no mean feat. In tracing the transition from software to service, Judah explained that the Exchange Server 2010 product Microsoft built with 800 engineers took a total of 1200 engineers to transform into the Office 365 suite launched earlier this year.

The complexity of moving boxed software to a cloud service would come at a cost to Microsoft. But, by Judah's own admission, it was a problem the company would have to solve in order to fill the missing link between storing device data in the cloud and authorising a device to access that data.

Fortunately, it is not the first time the notion has been floated.

Microsoft has been working on an SQL-based add-on internally dubbed "Next Generation Active Directory" that would theoretically aggregate links to distributed Active Directory repositories on an instance stored internally or on Windows Azure.

A key benefit, according to Microsoft representatives, was to relieve pressure on requests to a centrally hosted Active Directory architecture and allow IT to install new applications with fewer concerns around how Active Directory would tie in.

The design would also, in theory, allow companies to run multiple instances of the directory rather than a single, "monolithic" one.

However, concerns around the data security of hosting user credentials with a third party - not to mention the reliability of such a service - seem to have left many unconvinced that a cloud-based Active Directory is really needed.

With the continued consternation around data sovereignty and where a company's precious assets are actually hosted, providing Redmond with the keys to user authorisation and access could appear, for some, a step too far.

The next generation of Active Directory could be here, but providing the "Enterprise Access" to consumer devices may be a hurdle many companies simply aren't willing to leap.
