SAN JOSE, Calif. — Feb. 14, 2006 — In his keynote address at the RSA Conference 2006, Microsoft Corp. Chairman and Chief Software Architect Bill Gates shared Microsoft’s immediate and future plans to achieve a more secure digital future, where interconnected networks worldwide allow people to work and play across a multitude of devices, products, services and organizations, with greater confidence in the security of their experiences. Gates highlighted advancements in the forthcoming Windows Vista™ release such as isolation techniques to reduce the impact of malware, improved identity and access controls, and better data protection. He also showcased innovations surrounding the platform such as Windows OneCare™ Live, and industry partnerships such as the SecureIT Alliance. He called for the industry to come together to achieve a more secure computing experience for all users.
“This rapid adoption of the digital lifestyle offers new computing opportunities for both personal and business use,” Gates said. “Our vision for security is to create a world where there is greater trust — where people and organizations can use a range of devices to be more reliably and securely connected to the information, services and people that matter most to them.”
Gates emphasized that the vision of a digital lifestyle can only succeed if it is designed with security at its core. Gates highlighted Microsoft’s unique intelligence on the ever-evolving threat landscape — insights gleaned from more than 2 billion executions of the Microsoft® Malicious Software Removal Tool, more than 230 million users of MSN® Hotmail®, Microsoft’s product support services, Windows® Defender, and the Online Crash Analysis tool — noting that these insights enable Microsoft to not only respond more quickly to the evolving threat environment (including an increasing threat of botnets and rootkits and the growing threat of attacks on multiple devices), but also to design long-term security strategies that anticipate future trends. Accordingly, he emphasized four principles required to achieve the vision of a seamlessly connected, more secure digital lifestyle for consumers and businesses: a trust ecosystem, security engineering, simplicity and fundamentally secure platforms.
Fostering a Trust Ecosystem
A “trust ecosystem” is an environment that engenders trust and accountability between people and businesses. Today trust ecosystems exist in the physical world — they can be as simple as a loss of reputation, or expulsion from a group, or something as severe as a conviction for a criminal act — but Gates asserted that trust must be extended to the Internet, and that a key component, reputation, must cover not only individuals and organizations but also code and devices. Gates gave as an example the kernel mode driver signing feature of Windows Vista, which will help protect against changes to system structures and help limit the spread of malicious software by identifying the publisher and by requiring code to comply with certain policies to ensure integrity.
“A trust ecosystem should be established to help users and organizations more efficiently and safely leverage current and emerging online technologies,” said Dan Blum, senior vice president and group research director of Burton Group Inc. “Microsoft has presented an ambitious vision for protecting online computing, but fulfillment of that vision requires industrywide involvement.”
Gates emphasized that the industry needs to work together to provide a wide range of digital identities for people, organizations, devices and code. Gates highlighted work Microsoft is doing with the industry in support of the Identity Metasystem, a way users and sites can more safely and privately exchange personal identity information across the Internet.
To help end users, organizations and developers connect to the Identity Metasystem, Microsoft will introduce new technologies including “InfoCard,” the code name for a new feature of Microsoft Windows that simplifies and improves the safety of accessing resources and sharing personal information on the Internet. Gates announced that “InfoCard” will be delivered as part of WinFX®, Microsoft’s managed code programming model, and will support Windows Internet Explorer 7 on Windows Vista, Windows XP Service Pack 2, and Windows Server™ 2003 Service Pack 1 and R2.
“The Identity Metasystem addresses the fundamental need for a platform-independent identity architecture for the Internet,” said Lawrence Lessig, professor of Law at Stanford Law School and founder of the school’s Center for Internet and Society. “It insulates consumers and businesses from the intricacies of the numerous individual identity systems that are in use today, and provides a much-needed framework for information to be shared more easily and securely online.”
Gates also discussed the company’s commitment to further simplifying the overhead associated with identity and access management in the enterprise. Beginning with the future release of Windows Server, code-named “Longhorn,” Microsoft will expand the role of Active Directory® to include Rights Management Services, Certificate Services, Metadirectory Services and Federation Services. The expanded capabilities of Active Directory will provide customers with a unified identity and access infrastructure that spans enterprise and Internet scenarios. Gates also announced the first beta of Microsoft Certificate Lifecycle Manager, a policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards, and increases security through strong, multifactor authentication technology.
Engineering for Security
Gates called on all companies to strive for excellence in security engineering at all stages of development to ensure more-secure product design. Engineers around the world must be consistently trained in secure design and coding practices. He encouraged the software community to change the engineering culture so security is no longer an afterthought, but a guiding principle from the very beginning of development. To provide a more secure ecosystem, Gates encouraged industry partners to publish and share best practices for developing more-secure code and, as an example, cited Microsoft’s implementation of the Security Development Lifecycle (SDL). The details of this formalized process have been made publicly available for developers, including its code-scanning tools such as PREfast and FxCop in Visual Studio® 2005.
Security is complex, making it difficult for IT professionals, consumers and developers to make the appropriate decisions or accurately implement security measures. In his address, Gates called on the computing industry to simplify security to make it easier for developers to write more-secure applications, Web services and platforms, and to help ensure that customers can use and switch between applications, services, platforms and devices while being confident that their information is protected. A key to simplicity, Gates said, is integration with the platform that can help drive ubiquity and ease the ability for third-party developers to write extensions that take advantage of the platform.
Gates discussed a number of Microsoft efforts to simplify security for users, including the Windows Security Center in Windows XP SP2 and Windows Vista, which makes the status of security protections easily visible to consumers, regardless of the vendor. Another example Gates highlighted was the underlying design goal of Windows OneCare Live, which was developed to improve overall PC health instead of focusing on merely one need.
Building a Fundamentally Secure Platform
Platforms must maintain the confidentiality and integrity of information and resources, regardless of whether information is being stored or transported across devices, services or networks. Gates said that isolation technologies to protect against the threat of malware, trust-based multifactor authentication, policy-based access control, and unified audit across applications must be built into the computing experience at the platform level, and he outlined a number of technology investments Microsoft is making to bring this vision to life.
He highlighted Windows Vista, the forthcoming operating system, and noted that it has been developed with the highest attention to security. For example, it includes Windows Service Hardening, a feature that restricts critical Windows services from doing potentially malicious activities in the file system, registry, network or other resources that could be used to allow malware to install itself or attack other computers. Other features include a two-way firewall and built-in anti-malware protection, Windows Defender. In addition, it will include User Account Control, which makes it easier to deploy a more secure and manageable desktop for standard users, and information protection via BitLocker™ Drive Encryption. Gates announced the public availability of the second beta of Windows Defender for existing Windows systems, which includes several enhancements and new functionality that reflects ongoing input from customers. The free beta download is now available for customers running Windows XP, Windows 2000 and Windows Server 2003.
Industry Call to Action
Gates appealed to the industry to come together to develop more-secure products with a common understanding of how software should behave and work together. He asked the industry to support a trust ecosystem that will allow people to embrace a digital lifestyle with more secure, accountable and reliable technology.
Gates highlighted the company’s commitment to building industry partnerships to promote security. A notable example is the SecureIT Alliance, formed by Microsoft in October 2005, which now has more than 70 members. The industry consortium’s goal is to enable independent software vendors and systems integrators to work more closely with Microsoft and each other to build and integrate security products for the Microsoft platform. The SecureIT Alliance has launched its official Web site, http://www.secureitalliance.com, which has been expanded to include an interactive developer forum for member partners. Microsoft is also a founding member of the Anti-Spyware Coalition, an organization comprising leading anti-spyware vendors, academic leaders and related advocacy groups who all share a commitment to ensuring that users maintain control over what is running on their computers.
“The world is adopting the vision of an interconnected global community at a rapid pace,” he said. “It is our responsibility as industry leaders to provide customers with the information and tools they need to live their personal and professional lives without fear of security or privacy breaches. Every computer user should have the right to go online securely, and we are committed to turning this vision into reality.”
More information about Microsoft’s vision for secure computing can be found in the RSA virtual pressroom.
Addendum: Recent Microsoft Security Product Announcements
In support of Microsoft’s vision for secure computing and the company’s ongoing commitment to providing integrated security, efficient management, and fast and secure access, Microsoft also recently announced the following product milestones:
Windows OneCare Live PC care subscription service will be available beginning in June 2006 for $49.95 per year for up to three PCs. The service will offer consumers the value of protection and maintenance, all in one solution.
Internet Security & Acceleration Server (ISA Server) 2006 Beta is now available for customer download at http://www.microsoft.com/isaserver. A cornerstone of Microsoft’s security product strategy, this latest version of the firewall, VPN and Web cache solution helps customers secure their Microsoft-based application infrastructure, streamline network control, enhance performance, safeguard IT environments, and reduce the complexity and costs of security management.
Microsoft is also announcing the acquisition of a Web filtering product, DynaComm i:filter, from FutureSoft Inc. The product enables business customers to manage access to the Web in their environments. The acquisition will help Microsoft better address customer needs for more secure and productive Web access. Microsoft has acquired only the Web filtering product from FutureSoft. The company remains independent following this acquisition.
An early beta version of Microsoft Client Protection, the new security product that helps protect business desktops, laptops and servers from current and emerging threats, has been shipped to selected customers. Microsoft plans to make the public beta version of Microsoft Client Protection available in the third quarter of 2006. Microsoft Client Protection is targeted for release to manufacturing by the end of 2006.
Microsoft Antigen anti-virus and anti-spam solutions for Exchange and SMTP servers have also been shipped in private beta to selected customers, and will be generally available in the next six months. Antigen for Exchange, Antigen for SMTP Gateways, Antigen Spam Manager and Antigen Enterprise Manager protect against viruses, worms, spam and inappropriate content with a layered, multiple-scan engine approach.
Further details about Microsoft security products are available in the PressPass interview with Ted Kummert, corporate vice president for the Security, Access and Solutions Division for the Server and Tools Business at Microsoft.
Founded in 1975, Microsoft (Nasdaq “MSFT”) is the worldwide leader in software, services and solutions that help people and businesses realize their full potential.