Forthcoming version of Office, with ties to the cloud and broader device support, means fundamental change for security management

Business users may find the productivity-boosting potential of Office 2013 tantalizing; its ties to the cloud and support for devices beyond PCs mean on-the-go users are never far from their important documents. IT admins, on the other hand, may feel more wary than excited by Microsoft’s move to untether its ubiquitous productivity suite from the desktop, because it represents a significant shift from traditional end-user security.

Microsoft summarizes the nature of the shift pretty well in a security overview of Office 2013: “[This release] makes a fundamental change from computer-centered identity and authentication to user-centered identity and authentication. This shift enables content, resources, most recently used lists, settings, links to communities, and personalization to roam seamlessly with users as they move from desktop, to tablet, to smartphone, or to a shared or public computer.”

What that means is that Office 2013 Preview lets users sign in once, after which they can work on and access local and cloud-based Office files, as well as connected services, without having to enter new credentials along the way, according to Microsoft. Those connected services might include an organization’s SkyDrive account or a user’s personal cloud storage service. They also might include a user’s Facebook or LinkedIn account. This is true regardless of the identity provider or the authentication protocol used by a given app, per Microsoft. Supported protocols include OAuth, forms based, claims based, and Windows Integrated Authentication.
The ability to access any and all apps, services, and data from any device via single sign-on is all well and good for users, but from a security perspective, it means those apps and data could be just a successful phishing campaign, password crack, or malware infection away from falling into a malicious hacker’s hands. End users generally can’t be trusted to perform the necessary due diligence to secure their devices and accounts, either.

Microsoft is attempting to equip IT admins with the necessary tools to comfortably and securely manage this new identity-centric Office paradigm. Generally speaking, admins will have the ability to control password policies across devices and services; the ability to use Group Policy to configure the operating environment; and the ability to manage using FIM (Forefront Identity Manager) or ADFS (Active Directory Federation Services). Active Directory is central to the system, but companies don’t need to run AD on-site.

Companies have choices: The bare minimum approach would simply put the management in Microsoft’s hands, though admins could still provision or de-provision identities and service access via a management portal or PowerShell cmdlets. Organizations also could use the Microsoft Online Directory Synchronization service for identity provisioning; authentication would take place in the cloud. Larger companies might add federated authentication to the mix via Active Directory Federation Server 2.0. Microsoft offers three different ways for users to start a session: They can use their Microsoft-managed, organization-owned user ID; they can use their federated, company-owned user ID if user IDs are stored on-site; or they can use their Windows Live ID, which, according to Microsoft, is typical for signing in to Office 365 for nonbusiness purposes.
Once a user is signed in, he or she is free to switch among IDs (for example, from a personal Windows Live ID to the ID used to access Office 365 for work purposes) from any Office app. In the background, client-authentication APIs do the heavy lifting, enabling users to sign in and out or to switch among identities, according to Microsoft. Other APIs keep track of roaming settings (preferences and recently used documents) and the services available to each identity.

Office 2013 Preview includes more than 4,000 Group Policy control objects, according to Microsoft, to enable admins to create a broad range of desktop configurations, from lightly managed to highly restricted. Group Policy settings always take precedence over Office Customization Tool settings.

The list of new security features in Office 2013 extends beyond authentication and identity management. The preview includes a new escrow key capability, for example, which allows an IT admin to decrypt password-protected documents by using a private escrow key. Digital signature support now extends to ODF (Open Document Format) files, and XAdES (XML Advanced Electronic Signatures) support has been enhanced. Additionally, Microsoft has added a new IRM (information rights management) client, which includes a UI intended to simplify identity selection. It also supports automatic service discovery of RMS (Rights Management Services) servers.

But again: The most significant security change here is the shift from device management to identity management in the cloud. Microsoft no doubt recognizes that companies are hesitant to hand over security control to a third party, especially in the cloud. That would explain why the company has taken pains to talk up the resiliency and security of its data centers in its security overview of Office 2013 Preview: They’re ISO 27001 certified, HIPAA-compliant, and so forth.
Additionally, Microsoft stresses that Office 365 doesn’t scan users’ email or documents to build analytics, mine data, advertise, or improve the service. Whether those assurances will be enough to lure companies to this new Microsoft Office model remains to be seen.

This story, “Office 2013 shifts security focus from devices to identities,” was originally published at InfoWorld.com.