Microsoft touts trust-based ID

Microsoft says the perimeter defense surrounding networks today can be replaced with a distributed security model
By John Fontana, Network World, 04/26/2007
LAS VEGAS – Microsoft last week laid out a future role for Active Directory in which it will employ user identity data to access applications and secure collaboration between users and partners on internal and external networks.

Microsoft says the perimeter defense surrounding networks today can be replaced with a distributed security model that relies on sets of statements about a user, called a claim, to secure such tasks as verifying identity, validating payment or access, or personalizing services.

Users say this decentralized model can not only tighten security but also cut the cost of securing network resources. Those gains, however, will come with requirements for creating contractual and technological trust relationships among companies and among claim providers, and for managing the risk inherent in those relationships.

“As the perimeter goes away, the number of things you have to trust increases,” says Gil Kirkpatrick, CTO of NetPro, which develops Active Directory management tools. “Organizations will need to have policies for establishing trust with providers.”

Trust in the claims-based model has three components: the relying party, typically an application that requests the claim in order to decide what it can do for the user; the identity provider, which provides the claim; and the user, who decides what if any information he wants to provide to the application.

Microsoft is gearing up to build the infrastructure to support the model, the company says.

Directory provider v. Identity provider

“We are moving from being a directory provider to an identity provider,” says Stuart Kwan, director of program management for identity and access at Microsoft. He said the directory will take on a key role in Microsoft’s Identity Metasystem, a model for distributed identity architecture.

Coupled with an emerging technology Microsoft developed called Security Token Service (STS), a gateway to handle claims, Microsoft envisions an architecture that pushes claims out to applications that know how to interpret and act upon them.

Active Directory would become just one of many STS gateways in the distributed model.

Today, applications typically pull user access data from the directory to determine access rights to network services.
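The three-party trust relationship described above (identity provider issuing claims, user choosing what to disclose, relying party deciding whether to trust the issuer) and the "push" contrast with today's directory lookups can be made concrete in code. The following is an added, constructed example written for this page, not Microsoft's STS or Active Directory code and not any real STS wire format: the token is a simplified HMAC-signed JSON envelope, and the issuer URLs, user record, keys and audience value are all assumed sample data.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: the identity provider's user store and the signing
# keys of two providers. Only the first appears in the relying party's trust
# policy; the second stands in for a provider with no trust relationship.
IDP_USERS = {
    "alice": {"email": "alice@example.test", "role": "partner", "age_over_18": True},
}
IDP_KEYS = {
    "https://idp.example.test": b"idp-example-signing-secret",
    "https://unknown-idp.example.test": b"some-other-secret",
}
RP_AUDIENCE = "https://app.example.test"
RP_TRUSTED_ISSUERS = {"https://idp.example.test": IDP_KEYS["https://idp.example.test"]}


def _canon(payload: dict) -> bytes:
    """Deterministic serialisation so issuer and verifier sign the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_token(issuer: str, subject: str, requested: set, audience: str,
                now: int, ttl: int = 300) -> dict:
    """Identity provider (the STS role): sign only the claims the user chose to
    disclose, bound to one audience and a validity window."""
    record = IDP_USERS[subject]
    claims = {k: v for k, v in record.items() if k in requested}
    payload = {"iss": issuer, "sub": subject, "aud": audience,
               "iat": now, "exp": now + ttl, "claims": claims}
    sig = hmac.new(IDP_KEYS[issuer], _canon(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_token(token: dict, now: int) -> Optional[dict]:
    """Relying party: accept claims only from issuers in its trust policy, with a
    valid signature, the right audience and an unexpired validity window."""
    payload = token.get("payload", {})
    key = RP_TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:
        return None  # no trust relationship with this provider
    expected = hmac.new(key, _canon(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return None  # claims were altered, or signed by someone else
    if payload.get("aud") != RP_AUDIENCE:
        return None  # token was issued for a different application
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        return None  # outside the validity window
    return payload["claims"]


def authorize(token: dict, now: int, required: dict) -> str:
    """Relying party's decision: allow when every required claim is present with
    the expected value. The application never queries a directory itself; the
    claims were pushed to it inside the token."""
    claims = verify_token(token, now)
    if claims is None:
        return "deny"
    return "allow" if all(claims.get(k) == v for k, v in required.items()) else "deny"


if __name__ == "__main__":
    now = int(time.time())
    # Alice discloses only her role; her e-mail address never reaches the application.
    tok = issue_token("https://idp.example.test", "alice", {"role"}, RP_AUDIENCE, now)
    print(authorize(tok, now, {"role": "partner"}))  # allow
    print(verify_token(tok, now))                     # {'role': 'partner'}
```

The trust policy is the `RP_TRUSTED_ISSUERS` table: a token from a provider outside it is rejected before its contents are even read, which is the "policies for establishing trust with providers" point made above. Audience binding and the expiry window keep a token issued for one application from being replayed at another or long after issuance.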
