SAN JOSE, Calif., Jan. 18, 2000 — In a renewed commitment to protecting customer data, Microsoft this week announced several measures to make computing safe and secure as the popularity of the Internet continues to rise.
The initiatives, announced by Microsoft senior vice president Brian Valentine at the RSA Data Security Conference and Expo, are aimed at enhancing the security of Microsoft products, educating customers about security and privacy issues, and working with the entire industry to protect customer information. By announcing its renewed commitment, Microsoft intends to elevate security and privacy as top issues for the computer industry and its customers.
“Computer security and privacy are important industrywide issues,” said Scott Culp, a Microsoft product manager in charge of security issues. “Every operating system and application has security vulnerabilities, and there needs to be an industrywide effort to improve the security and privacy of customer information.”
“Windows 2000 is the down payment on our security vision,” Culp continued. “As we developed Windows 2000, one of the questions we asked every step along the way was, ‘How does this affect security?’ In every facet of Windows 2000 development, security was a prime driver, and the result is the most secure operating system Microsoft has ever shipped.”
Microsoft plans to take what it learned from developing Windows 2000 and apply it to all future products.
“We’re committed to making every product what I call ‘a responsible security player’ in the user’s environment,” said Steve Lipner, Microsoft’s lead program manager on security issues. “We’re really pushing a high level of security awareness across all of our development groups.”
The company is also focusing on customer education to ensure that consumers know how to protect their information. For example, the company is developing security checklists that describe how to configure various Microsoft products to deliver the most effective levels of security. The company is issuing a written security statement to demonstrate the level of commitment customers can expect from Microsoft, and it announced plans for a security/privacy Web site that will provide consumers with easy-to-understand information regarding protection of their data.
Microsoft is discussing security and privacy jointly because the two issues are closely related.
“From a consumer perspective, a major motivator for deploying security is the need to protect consumers’ privacy,” Lipner explained. “So we think those two issues are naturally linked in a number of ways, particularly from the standpoint of consumer awareness.”
While the safety of customer information has always been a concern, the Internet’s ability to connect people through computing has led to increased security and privacy risks, Microsoft officials said. And as consumer and business uses of the Internet continue to rapidly evolve, it’s becoming increasingly critical to make computing safe and secure.
“It used to be that everybody’s network was an isolated island, and you had to get physical access to that little island before you could attack it,” said Lipner. “With the Internet, somebody could sit on the other side of the world and launch attacks against my network. The Internet also makes it easier for the bad guys to exchange hacker tools and information on how to attack a particular system.”
Microsoft also is relaunching its Security Response Center, which issues security patches and information bulletins, and responds to every report of a security breach within 24 hours. The Security Response Center gives customers a central place where they can report and receive information about security vulnerabilities, officials said.
“This is Microsoft’s most visible sign of its commitment to security,” Culp said. “The Security Response Team provides a single point within Microsoft that owns security as a global issue for all Microsoft products. Whenever we find out about a security vulnerability in any of our products, the response center works with the product teams to develop a fix and disseminates information about the fix to as many customers as possible.”
“The Internet has created huge opportunities for consumers and businesses to get access to and distribute large volumes of information,” said Richard Purcell, Microsoft’s director of corporate privacy. “The flip side of the coin is that it creates challenges for individuals to maintain control over how their personal information is used and distributed. We want to help create a trusted Internet infrastructure. To do this, we aim to offer consumers notice, choice, consent and control over all the information they provide to Microsoft. We also recognize the importance of getting the rest of the industry involved, and that’s why we’re proposing some concrete ways to do this today.”
To develop industrywide solutions to security and privacy issues, Microsoft this week announced plans to host a global security summit this summer. The company will invite a broad cross-section of participants to the summit, including representatives from the computer industry, government, academia and customers.
“Different individuals and organizations bring different perspectives to the issue of security, and we think it’s important to discuss what different approaches might work,” Lipner said. “By bringing these different individuals and groups together, we can build a set of solutions that is more powerful than what any organization could propose on its own.”
The enhanced security and privacy measures announced at the RSA Conference complement several Microsoft initiatives already in action to protect the privacy of customer information, Purcell said. For example, Microsoft has been a leader in the development of the Platform for Privacy Preferences (P3P), which establishes privacy standards on the Internet. Microsoft will be building the P3P standard into its own products, which will allow consumers to compare their individual privacy preferences to the privacy policies of the Web sites they visit. The company has also created a Privacy Wizard to make it easy for companies to write and post privacy statements on their Web sites. Starting this year, Microsoft instituted a policy of only purchasing advertising space on Web sites that post comprehensive privacy policies.
In addition to announcing enhanced security and privacy measures at the RSA Conference, Microsoft hosted a product exposition to demonstrate the security features in Windows 2000 and other products, including Office 2000 and Smart Card for Windows. The company also led seminars on secure music distribution, digital certificate validation and cryptography research within Microsoft.
“These are all demonstrations of our commitment to the community,” Lipner said. “We don’t just take the technology and build it into our products in the back room. We actually talk about it, so that other researchers and practitioners can understand the ideas we have and use them as a foundation for building more security and privacy features into their products for everyone’s benefit.”