Microsoft's Alacris Deal Will Drive ID Management, Smart Card Solutions

On Monday, the Redmond, Wash., software giant announced a deal to acquire Ottawa-based Alacris, an ISV partner and maker of ID and smart-card management software, for an undisclosed amount and to release Microsoft-branded beta code of Alacris technology at a future date.

It remains unclear how and when Microsoft will integrate the Alacris technology into Windows. However, the company aims to ease the process of provisioning smart card hardware, managing digital certificates, handling certificate revocation and auditing user activity in Windows environments, said Michael Atalla, group product manager for Microsoft's Windows Security Division.

Windows Server 2003 offers strong authentication through its Active Directory and Microsoft Certificate Service, or public key infrastructure (PKI), which supports smart card infrastructure from outside vendors, Atalla said. Alacris' solution is integrated with the Microsoft Certificate Authority, and Alacris' idNexus 3.0 for Microsoft Windows Server 2003, unveiled in July, provides extended life-cycle management for digital certificates, smart cards and USB token-based identity solutions.

Atalla said the first release from Microsoft will be based on much of that code, but he couldn't say exactly how it would be integrated into Windows. Nevertheless, he said, Microsoft has an ambitious plan for enhancing identity access, Active Directory federation, and PKI and smart-card integration in Windows Vista and the next major Windows server upgrade, code-named Longhorn.

To date, the implementation of a smart card infrastructure has been too complex and costly for solution providers and customers in the SMB space. White-box makers and VARs that service the midmarket space, for instance, report little to no use of smart cards.

But industry observers say the Alacris deal could spur smart-card adoption across the board and provide a new opportunity for solution providers to enhance their customers' network security. Some solution providers called the acquisition a smart move by Microsoft.

"Access management is a core part of a customer security strategy. And although it's not clear yet what Microsoft's integration strategy is going to be, by purchasing Alacris, Microsoft is giving solution providers more options to provide their customers with security solutions tied to a common Windows operating environment," said Paul Freeman, president of Coast Solutions Group, Irvine, Calif. "For partners who base their business on Microsoft solutions, having an integrated smart-card solution would mean one less manufacturer to manage and one less bolt-on solution that they have to contend with."

Channel partners now have several options for identity and access management on the Microsoft platform, ranging from simple passwords to using Passport.Net, digital certificates and third-party access products, as well as using smart cards and biometrics atop certificates.

Though the Alacris code can be used singularly to manage digital certificates, Microsoft's acquisition of the company will likely increase the use of smart cards and enhance its reputation in the security arena, according to channel partners.

"Alacris was a partner before the acquisition, [but] because of this [purchase], I think it's likely that smart card technology will be something Microsoft will evangelize publicly and may even push into the mainstream development stack. That will change the whole ballgame," said Andrew Brust, chief of new technology at Citigate Hudson, a custom application development shop in New York.

"The acquisition will likely accelerate such deployments and makes good business sense for Microsoft, while at the same time increasing their credibility in the domain of security and secure systems," Brust added. A smart card is a physical way of making credentials portable, and some enterprises are using Java- and Windows-based smart card solutions to control access to buildings and computers. Now some small and midsize businesses are looking at digital certificates and smart cards as authentication solutions for their corporate networks as well, observers said.

"We have seen some companies move toward the smart card as the network authenticator," said Ken Winell, CTO of Visalign, a West Chester, Pa.-based solution provider. "We think the technology is a good alternative to the RSA Secure ID keys, but [there's] not a huge demand."

The Alacris acquisition follows news last week that Microsoft is prepping improved authentication features for the Windows client and server as well as a new Security Token Service for InfoCards, which won't be available for the Windows server until after Longhorn ships.

Microsoft's Infocard technology, now under development, is complementary to smart card technology and represents a logical--rather than physical--way to manage and store users' credentials and access rights for different applications, according to Jamie Burton, CEO of The Burton Group, Salt Lake City. Microsoft's deal to buy Alacris will bring high-end authentication to the masses, he said.

"Smart card use is going up, but gradually and slowly," Burton said, adding that businesses primarily have been using passwords but now are starting to move to token-based security and smart cards. "As the technology becomes easier to deploy, you'll see more integration with systems and service deployments, and small- and medium-sized businesses will be able to do it. There haven't been products for SMBs to deploy this stuff, so the channel hasn't had opportunities. But there will be opportunities now."

Yet Jeffrey Sherman, president of Warever Computing, Los Angeles, said such a solution would appeal more to enterprise, upper-midmarket and midmarket firms than to small businesses.

"Identity management is generally useful only to larger organizations. The part of identity management that immediately comes to most people's minds is the authentication and security part of the equation. In a small environment, simple passwords are often good enough," Sherman said, noting that in a small office everyone usually knows who's there and who's who. "In a large organization, however, that extra layer of protection of everyone knowing everyone else in the company simply doesn't exist. It must be replaced with far stronger technology solutions, and there are obviously lots of solutions, including smart cards, dongles and biometric devices."

Alacris partners with smart card manufacturer Gemplus. Microsoft's branded technology would make it easier to deploy smart cards but isn't designed solely for smart card use, according to Atalla. For example, it can be used to manage digital certificates for simply adding signatures to e-mail and enabling secure wireless access, IPSec and VPN solutions, he said.

While Microsoft's Alacris buy likely will raise interest in more robust authentication and identity management solutions, Kevin Raineri, business development manager at Huntington Beach, Calif.-based solution provider Alvaka Networks and president of Veritec Global, said he typically implements passwords and security policies to address customers' identity management needs. He's also pushing new "audio" smart-card technology from Canadian vendor Identita Technologies, which frees customers from the need to buy smart card readers.

"It validates the trend toward two-factor authentication," said Raineri, whose company is marketing the Identita solution. "We have consulted with companies that want user authentication. We do security policies and passwords, and I've been dealing with new technology in smart cards that doesn't require reader. That's been problematic."