SAN FRANCISCO, Feb. 7, 2007 — During their keynote yesterday at RSA Conference 2007, Microsoft Chairman Bill Gates and Chief Research and Strategy Officer Craig Mundie outlined a vision for a digital world where people can easily and seamlessly connect across networks, platforms and devices – with confidence that their information won’t be compromised or stolen. Achieving this “anywhere access” vision, they said, will require serious, industry-wide collaboration and a commitment to investing in interoperable systems, processes and products.
To that end, Microsoft is hosting more than 26 companies in its Microsoft Partner Pavilion at RSA, with each company showcasing examples of security solutions and technologies to help customers be more secure. It is also hosting a Microsoft Network Access Protection (NAP) Partner Pavilion, which represents more than 40 working solutions from an ecosystem of 100 partners for NAP, a policy enforcement platform.
Ben Fathi, Corporate Vice President of Development, Windows Core Operating System Division at Microsoft
PressPass spoke earlier this week with Ben Fathi, corporate vice president of Development, Windows Core Operating System Division at Microsoft, about the company’s security vision and its efforts to foster industry-wide collaboration to help achieve the company’s vision of anywhere access.
PressPass: Can you elaborate on the vision of secure and easy anywhere access?
Fathi: Technology advances in the last decade have delivered profound changes, creating a world in which more of our experiences depend on being connected. As extreme as these advances are, they’ve only laid the groundwork for even more profound changes that will evolve over the next decade.
People increasingly want seamless and pervasive anywhere access; they want to move between locations and use different network devices, yet still have the information they want, in the right format. They want to seamlessly and securely access data and applications across firewall boundaries. Consider a travelling salesman who wants to access the latest company inventory database while on the road, or an individual who arrives at a friend’s home and wants to show him pictures of his children on his own home machine.
Whether we succeed in realizing these ubiquitous connected experiences depends a great deal on security. People must be able to move seamlessly across networks and the Internet with the same user experience and access what they want when they want it and have complete confidence that their data won’t be exploited or stolen.
To achieve this vision for anywhere access, it is imperative that the industry work together and continue to invest in technologies that enable secure and interoperable computing experiences. To get there, we must re-examine and transform networks, protection and identity.
At Microsoft, Trustworthy Computing has played an important role over the last five years in helping to lay a foundation for the company and the industry to improve security and privacy for customers, and we’ve made some solid progress. However, cybercrime and threats continue to evolve and threaten people’s confidence in their online computing experiences. We must all work to design systems and processes that give people and organizations confidence that the technology they use will protect their identities and privacy.
PressPass: How can the industry address security issues together and still achieve anywhere access?
Fathi: Anywhere access isn’t about one platform or one technology or application, so we think the industry needs to collaborate to create standards-based approaches that enable applications to work together seamlessly and securely across network boundaries. To the extent that those applications use different communication protocols, security handshakes, and firewall traversal technologies, they need to use standards to enable seamless access. We should work together, for example, to develop standards for identity systems that manage the massive collection of digital identities people and businesses use today. Unless we collaborate to cross the boundaries of networks and organizations using different identity systems, we won’t be able to successfully achieve this vision.
It’s critical that the different players in the industry focus on collaborating across partnerships and competitive lines much more deeply than we have in the past. As an example of this type of cooperation, Microsoft and IBM are working together to forward the Web Services standards, which are gaining momentum as the standard way to communicate securely through Web services. Because of the effort IBM, Microsoft and others in the industry have put into the Web services architecture, we now have a mechanism for helping to ensure security across Web services, whether someone is connecting from a handheld device or a PC to a J2EE or a .NET application.
PressPass: What did Gates and Mundie mean when they said that to achieve anywhere access, the industry must transform networks, protection and identity?
Fathi: Achieving the trust and fulfilling the vision will require fundamental changes to the way the industry builds networks, responds to evolving threats, protects information and approaches the concept of digital identity.
In building networks, traditional security has been driven by topology; we’ve largely relied on constructing firewalls to secure networks. But as businesses and consumers reach out to connect using various platforms, devices and applications, these traditional security measures need to evolve as well. This is because a lot of the connections we’re trying to make today require traffic to move through these walls.
Rather than continuing to rely solely on this strategy, the industry needs to look at network security from both a topology and, more importantly, a policy perspective. We have to start looking at how we can allow the traffic to flow, yet still control access in a network. This includes everything from who can send e-mail or access documents, to who can access Web services and applications, over a network. Network security that is policy-driven and topology-driven holds a much greater potential for creating a seamless boundary between the corporate network, the home network and the Internet. This is complicated by end-to-end security needs of individuals and the administrative need to inspect packets and data flowing across corporate networks.
As network security evolves to incorporate a policy-driven model, security threats will continue to evolve and move closer to the different elements in the network itself, such as the desktop, device or application. So the integrity of systems must continue to improve to make PCs, servers and devices more resilient to attack, and the methods of protecting information must become more fundamental and dynamic. Protecting information as it’s created at the application level is becoming critical. It isn’t acceptable to protect that information only while it’s in transit. Whether the data is in its container or traversing the ecosystem, it must always be protected using the correct policy.
PressPass: What is meant by ‘digital identity,’ and how must it evolve to ensure anywhere access?
Fathi: Digital identity is fundamental to interactions in the online world. Unfortunately, many of the challenges associated with the Internet stem from the lack of widely deployed, easily understood, and secure identity solutions. This should come as no surprise. After all, the Internet was designed for sharing information, not for securely identifying users and protecting personal data. However, the rapid proliferation of online theft and deception and the widespread misuse of personal information are threatening to erode public trust in the Internet and thus limit its growth and potential.
In the same way that network security and protection must evolve, so must the way we protect and manage digital identities. The digital identities of people — and the devices associated with them — ultimately constitute personal information. The proliferation of digital identities has grown exponentially in the past few years. Many businesses and consumers have multiple devices and applications, each with its own digital identity that they work with online, at work or at home. This means new privacy risks are emerging all the time for people, as well as for applications and devices, because all of these things have identities in a connected world. We must improve the tools businesses and consumers employ to manage all of these digital identities. For instance, we must simplify the tools IT professionals use in the enterprise world and ensure that simple end-user experiences are built into common interfaces to manage digital identities.
So the industry needs to be more innovative about how to protect and manage different identities so that only the necessary information about those identities is shared in each transaction and that it is shared in a secure manner. This will help protect privacy.
PressPass: How is Microsoft collaborating with partners on the network, protection and identity fronts?
Fathi: In the network area, more than 100 networking and security partners have pledged support and integration with Microsoft NAP, a policy enforcement platform built into Microsoft Windows Vista and the next version of Windows Server, codenamed “Longhorn.” NAP represents the largest partner ecosystem for network access control, and includes anti-virus, security software, software update, security appliance, network device and systems integrators. Partners such as Lockdown Systems, Nevis Networks and ConSentry Networks are demonstrating more than 40 of these working NAP solutions in the Microsoft NAP Pavilion at RSA. In addition, we’re working with other NAP partners such as Alcatel, Citrix, Cybertrust, Juniper, McAfee, Samsung, Symantec and Trend Micro, who have their own presence at RSA. Microsoft is working closely with other key players in this space, such as Cisco and the Trusted Computing Group. Last year, we announced an interoperable architecture between Microsoft NAP and Cisco’s Network Admission Control, and we have customers that are currently testing this integrated solution in their networks.
In the identity space, BMC Software is announcing at RSA updated connectors for its Identity Management for .NET solution that will extend the Microsoft Identity LifeCycle Manager 2007 (ILM 2007) identity and access platform, which Microsoft announced yesterday. The connectors will greatly simplify the work required to integrate the BMC solution across heterogeneous environments to make it easier for customers to implement a centralized identity management system. Gemalto, another Microsoft partner, is announcing that it has integrated its .NET digital security solution with ILM 2007. The company is demonstrating at the conference how ILM 2007 streamlines the deployment and management of identity certificates using Gemalto .NET cards.
In the protection space, 12 certificate authorities, including VeriSign Inc., Cybertrust and Entrust are now issuing Extended Validation (EV) SSL Certificates. Microsoft’s Internet Explorer 7 is the first browser to fully support EV SSL Certificates, the next generation of the popular SSL Certificates. Now, when a user visits a site with a valid EV SSL Certificate, Internet Explorer 7 will alert the user to the available identity information by turning the background of the address bar green and displaying identity information. With EV Certificates, Microsoft will offer a better mechanism to validate the identity of a Web site, which will help boost consumer confidence in online transactions.
In addition, Microsoft regularly partners with CA, which is demonstrating its Windows Vista-supported antivirus solution for consumers in the Microsoft Partner Pavilion at RSA. We’re also announcing the addition of worldwide partners including Australian Computer Emergency Response Team (AusCERT), BrandProtect, MySpace.com and NetCraft as new data providers of Microsoft’s Phishing Filter online database. These new providers join Microsoft’s current anti-phishing data providers to help keep consumers safe against ever-changing phishing threats. Our partnerships with these companies and end users has helped us protect users from web fraud and identity theft by blocking over 10 million attempts to visit known phishing sites, and is currently experiencing a rate of more than 1 million blocks a week.
Of course, all the companies I’ve mentioned represent just a fraction of the partners we’re working with in the area of security. We are continually engaging with partners on all levels to ensure anywhere access.
PressPass: What are some of the things that Microsoft and partners are doing to foster industry-wide collaboration?
Fathi: Microsoft sponsors participate in a wide range of initiatives, programs and organizations that focus on security-related and interoperability issues. These can be broad issues, such as Web services security, in which several dozen or even hundreds of partners might be involved, or they might be issues that involve just a few partners, such as the work we’ve done with Sun Microsystems, Red Hat and Certicom to evolve the Suite B cryptography standards.
We have grown the SecureIT Alliance, a group of more than 100 independent software vendors and systems integrators that work with Microsoft and each other to build and integrate security products into the Microsoft platform. We are also a founding member of the newly formed Interop Vendor Alliance, a community of more than 30 software and hardware vendors working together to enhance interoperability with Microsoft systems. The organization includes members such as Sun, Novell, BEA, AMD, NEC and Network Appliances. In addition, we share information about security threats and best practices with industry partners and governments through the Microsoft Security Response Alliance.
PressPass: What is the main thing you would like partners to take away from Gates’ and Mundie’s speech at RSA?
Fathi: In addition to investing in network security, protection and identity, it’s imperative that we deepen the dialogue between players in the security industry. We must all demonstrate that we’re not just looking out for ourselves. To strengthen trust in the technology ecosystem, we must all play a role in protecting our mutual customers, and we can only do that by working together.
