Microsoft offers three different ways for users to start a session: they can use their Microsoft-managed, organization-owned user ID; they can use their federated, company-owned user ID if user IDs are stored on-premises; or they can use their Windows Live ID, which, according to Microsoft, is typical for signing in to Office 365 for nonbusiness purposes. Once signed in, a user is free to switch among IDs (for example, from a personal Windows Live ID to the ID used to access Office 365 for work) from any Office app.
In the background, client-authentication APIs do the heavy lifting, enabling users to sign in and out or to switch among identities, according to Microsoft. Other APIs keep track of roaming settings (preferences and recently used documents) and the services available to each identity.
Office 2013 Preview includes more than 4,000 Group Policy control objects, according to Microsoft, to enable admins to create a broad range of desktop configurations, from lightly managed to highly restricted. Group Policy settings always have precedence over Office Customization Tool settings.
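As an added example (not code from the article or from Microsoft), the PowerShell function below reports which source supplies a given Office 2013 setting under the precedence just described, and flags any OCT or user value that a policy value overrides. It assumes the standard Office registry layout (policy values under HKCU\Software\Policies\Microsoft\Office\15.0, OCT and user values under HKCU\Software\Microsoft\Office\15.0) and uses Word's VBAWarnings value purely as an illustration.

```powershell
# Added example, not from the article: resolve the effective source of an Office 2013 setting.
# Assumption: Group Policy writes under HKCU\Software\Policies\Microsoft\Office\15.0\<SubKey>,
# while OCT and user preferences write under HKCU\Software\Microsoft\Office\15.0\<SubKey>.
function Get-OfficeEffectiveSetting {
    param(
        [Parameter(Mandatory)] [string] $SubKey,    # path relative to the 15.0 key, e.g. 'Word\Security'
        [Parameter(Mandatory)] [string] $ValueName  # registry value name, e.g. 'VBAWarnings'
    )
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\15.0\$SubKey"
    $prefPath   = "HKCU:\Software\Microsoft\Office\15.0\$SubKey"

    # Read both locations; a missing key or value simply yields $null
    $policy = Get-ItemProperty -Path $policyPath -Name $ValueName -ErrorAction SilentlyContinue
    $pref   = Get-ItemProperty -Path $prefPath   -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -ne $policy) {
        # A policy value is present, so it wins no matter what OCT or the user wrote.
        # Report the shadowed OCT/user value so an auditor can spot the conflict.
        [pscustomobject]@{
            Setting  = "$SubKey\$ValueName"
            Source   = 'GroupPolicy'
            Value    = $policy.$ValueName
            Shadowed = if ($null -ne $pref) { $pref.$ValueName } else { $null }
        }
    } elseif ($null -ne $pref) {
        # No policy: the OCT-deployed or user-set value is what Office will honor
        [pscustomobject]@{ Setting = "$SubKey\$ValueName"; Source = 'OCT/User'; Value = $pref.$ValueName; Shadowed = $null }
    } else {
        [pscustomobject]@{ Setting = "$SubKey\$ValueName"; Source = 'NotSet'; Value = $null; Shadowed = $null }
    }
}

# Illustrative call: the macro-warning level for Word (value name assumed for illustration)
Get-OfficeEffectiveSetting -SubKey 'Word\Security' -ValueName 'VBAWarnings'
```

A result with Source = 'OCT/User' for a setting you intended to lock down means a user can change it in the Office UI; move it into Group Policy if it must be enforced.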
The list of new security features in Office 2013 extends beyond authentication and identity management. The preview includes a new escrow key capability, for example, which allows an IT admin to decrypt password-protected documents by using a private escrow key. Digital signature support now extends to ODF (Open Document Format) files, and XAdES (XML Advanced Electronic Signatures) support has been enhanced. Additionally, Microsoft has added a new IRM (information rights management) client, which includes a UI intended to simplify identity selection and supports automatic service discovery of RMS (Rights Management Services) servers.
But again: The most significant security change here is the shift from device management to identity management in the cloud. Microsoft no doubt recognizes that companies are hesitant to hand over security control to a third party, especially in the cloud. That would explain why the company has taken pains to talk up the resiliency and security of its data centers in its security overview of Office 2013 Preview: They're ISO 27001 certified, HIPAA-compliant, and so forth. Additionally, Microsoft stresses that Office 365 doesn't scan users' email or documents to build analytics, mine data, advertise, or improve the service. Whether those assurances will be enough to lure companies to this new Microsoft Office model remains to be seen.
This story, "Office 2013 shifts security focus from devices to identities," was originally published at InfoWorld.com.