Q&A: Delivering on Secure Computing

Mike Nash, Corporate Vice President, Microsoft Security Business Unit

REDMOND, Wash., April 14, 2003 — Mike Nash, corporate vice president for the Microsoft Security Business Unit and today’s keynote speaker at the RSA Conference 2003 in San Francisco, says Microsoft is making progress on its commitment to improve the security for its customers. Nash also says customers can count on continued security improvements. PressPass spoke with Nash prior to the April 13-17 conference, and asked him to spell out what Microsoft has delivered to date, and what the roadmap for the future looks like.

PressPass: As head of the Security Business Unit, what’s the scope of your job?

Nash: My job was created a year ago when Microsoft formed the Security Business Unit as part of its Trustworthy Computing initiative — the company-wide effort that aims to provide safe, private and reliable computing experiences for everyone. We look at Trustworthy Computing from the perspective of security, which is a pillar of the initiative along with privacy, reliability and business integrity. Our charge runs the gamut from securing existing products to creating new technologies that make the customer computing experience as secure and trustworthy as possible.

My job is even more exciting now because Microsoft just adopted a more comprehensive, company-wide approach to security. The reorganization brings together the Security Business Unit; the core Windows security team that has been looking at technologies like authorization, authentication and public key infrastructure (PKI); and the Windows Trusted Infrastructure Team that’s been focusing on our digital rights management strategy and the Next-Generation Secure Computing base. We have an even greater opportunity now to focus our investment in making Windows a platform for security innovation, both inside Microsoft and outside Microsoft by working with our partners to use technology as a way to help customers achieve our vision for secure computing.

PressPass: Can you provide an overview of what you’ve accomplished in the year since the Security Business Unit was formed?

Nash: It’s important to note that the first year of Trustworthy Computing has been as much about culture as it has about process. In other words, along with instituting new software development processes, we’ve fundamentally changed the way we handle and prioritize security. This includes helping Microsoft employees become better aware of and more capable of what they need to do to make their environment more secure.

We focused on two things in our first year. First and foremost, we made changes that we felt would have a positive impact on customers. For example, we created a separate free e-mail security alert system that helps us make consumers aware of just the issues relevant to them in a clear and prescriptive manner. Second, we focused on making longer-term investments in internal processes. This primarily meant driving improvements in the way Microsoft builds products. To improve the overall securability of Microsoft products, we needed to have a very clear understanding of the processes involved. The work being delivered as part of Windows Server 2003 is probably the best example of our ability to apply the Trustworthy Computing approach to building a new product. We’re also very proud of the work we’ve done with Microsoft groups outside the Windows division. For example, we’ve collaborated with the Exchange team, the SQL Server team and the Office team to help ensure that both the current and future versions of their products are more trustworthy from the security perspective.

Other deliverables include the Common Criteria certification for Windows 2000 and enhancements to the ISA Server product, our application firewall. Earlier this year, we delivered Feature Pack 1 for ISA Server, which is designed to help customers run Microsoft products in a more secure way while protecting them at the edge of their environment.

PressPass: Do you feel you’ve developed a true sense of what it’s like to be on the customer side of security issues?

Nash: That’s actually been the most rewarding and interesting part of the job for me this past year. Coming into this position, I had a reasonable sense of the customer view because I used to run Microsoft.com, so I’ve had a lot of first-hand experience in what it means to secure a large, highly visible Web site running Microsoft technology. In addition, I’ve spent a lot of my time this past year talking to customers, understanding their issues and serving in the role of customer advocate by bringing key issues back as action items here in the development organization. In some cases, after I’ve brought an idea back, and the product group has had a chance to reflect and respond to it, I’ve had opportunities to take ideas back out to customers and get feedback on those plans so we can make sure we’re prioritizing in such a way that customers will be more safe and secure when they use Microsoft technology. We’ve also had many groups of customers in various vertical areas provide us advice in how we can do a better job of making them more safe and secure.

PressPass: What key security areas do you think customers lose sleep over today?

Nash: Customers have given me feedback in five specific areas where they feel Microsoft still has room to improve with regard to security. One, customers say we must continue to remove vulnerabilities in products before they ship. Visual Studio .NET and Windows Server 2003 offer two excellent examples of how we take that advice to heart. In both cases, we’ve been proactive about understanding both the coding constructs used and the design issues to make sure our products support what we call the “SD3” approach. By SD3, we mean delivering products that are more secure by design, more secure by default and more secure in deployment. For example, in Windows Server 2003 more than 20 services have been eliminated from the default installation or run in a lower-privileged account to reduce the risk of security attacks and compromises.

Two, customers expect us to continue testing existing products to be sure they’re secure so we can proactively fix vulnerabilities before they experience any issues. This is especially vital for products that shipped before the Trustworthy Computing initiative became part of our release cycle. Examples of living up to this customer expectation include Windows XP SP (Service Pack) 1, SQL Server SP 3 and Exchange 2000 SP 3. We recognize that improving security after a product ships is an ongoing process because customer configurations, usage scenarios and threats constantly change.

Three, when customers and researchers discover security issues that eluded proactive detection, it’s imperative that Microsoft respond by delivering patches that are of high quality and available quickly. We know we’re making good progress in this area, but there’s more work to do.

Four, on a related note, Microsoft must make patches easier to deploy. We’re addressing this by looking at areas where we can invest more heavily in helping customers deploy patches quickly and correctly.

Five, customers look to Microsoft to provide better tools and resources to help them run secure environments. Some of that is technological in nature, and we are addressing it with technologies such as the Microsoft Baseline Security Analyzer. Some resources come in the form of guidance to help customers get secure and stay secure.

PressPass: Patch management seems to be a top concern for customers. What have you done to improve the patch-management process?

Nash: The Code Red, Nimda and, more recently, Slammer experiences were painful reminders that patches are necessary in today’s technology climate. But besides reminding us that systems are by nature susceptible to viruses and other intrusions, experiences like these teach us that patch deployment is just as important as patch development. Our job is not done until customers have installed the patch. Recognizing this fact, we’ve made a number of investments in improved patch management. For example, we can now use Windows Update to proactively distribute patches to consumers and small business customers (assuming they opt in to that system) as well as to automatically install patches using the auto-update feature available in Windows XP. We made the same capabilities available to customers running Windows 2000 by enabling the auto-update feature in Windows 2000 SP 3.

Customers in mid-sized and larger organizations liked the idea of auto-updates, but they needed a solution that could be managed by an IT shop. In July 2002, we shipped Software Update Services (SUS), a tool that works like a valve at the edge of the network, allowing IT managers to control which patches are deployed on desktops and servers within their environment. We know it’s working because every day, about 14,000 SUS servers download the latest content from our Web site.

We also support customers’ ability to download security patches if they use Systems Management Server (SMS). Feature Pack 1 for SMS, released in November, allows an SMS server to check Microsoft.com for the latest update, then use its built-in capability to inventory systems on the network and make sure they’re patched properly. In cases where they’re not, SMS can automatically download those patches from Microsoft.

Customers should also consider the healthy ecosystem of third-party patch management solutions that can be deployed in combination with Microsoft solutions.

PressPass: Do you have a plan for shortening the time lag between security patch releases and deployment by enterprise customers and home users?

Nash: We know we need to continue being proactive in terms of educating customers about the importance of patching their systems, and we need to provide new tools that can help make the process more seamless. At present, the key to minimizing the lag between patch availability and patch deployment is automation. For consumers, the best approach is Windows Update. For enterprise customers, the approach is SMS and SUS. Our strategy is to work with customers to help them understand which solution is best for them, and to provide guidance and support to make sure they have the tools deployed properly.

PressPass: Besides innovations in patch management, what can customers expect of Microsoft across the other areas of customer concern that you outlined?

Nash: First of all, customers can expect us to continue making the Trustworthy Computing initiative part of the ongoing software release cycle. Future products, including the next versions of Microsoft Office, Exchange and SQL Server, will all go through the Trustworthy Computing process before they ship. Second, we’re continuing to review existing products and understand where we can proactively make them more secure. The release of Windows 2000 SP 4, which is scheduled to ship later this year, is a great example of us proactively fixing security issues in our products. And third, in terms of other tools and investment areas, we’re looking at a number of different opportunities where we can help Microsoft customers be more secure, as well as ways to work more effectively with third-party solutions.

PressPass: Can you provide some specific examples of how Microsoft is delivering on its commitment to customers with regard to security?

Nash: I can cite three examples that demonstrate a huge investment, both in terms of the quality of our work and in terms of building in more capabilities. First is the work we’re doing on Exchange 2003 to make sure it follows the Trustworthy Computing process. Exchange 2003 has been built to be more secure by design, more secure by default and more secure in deployment. Keep in mind that, although I focus heavily on security, the same sharp focus has been applied from the reliability perspective, so Exchange 2003 is more reliable by design, by default and in deployment as well.

The second thing we’ve done is build in more innovation. For example, Exchange 2003 integrates security innovations and embedded technology such as encryption, authentication and filtering techniques that offer proven protection for business communications. Plus, we’re delivering a new virus-scanning API that enables third-party vendors to build anti-virus solutions and enhanced scanning capabilities on top of Exchange 2003, which is a platform innovation. Similarly, we’re including an anti-spam tool in Exchange 2003 to help vendors build more innovative anti-spam solutions and capabilities.

The third example draws from our security innovations in the wireless LAN space. Microsoft recently announced the availability of Wi-Fi Protected Access (WPA), a new standards-based wireless network security solution developed by the Wi-Fi Alliance, a group that includes Microsoft and other industry partners. WPA addresses opportunities for improvement that customers have cited in the existing Wired Equivalent Privacy (WEP) standard. By making WPA available via download for both Windows XP Professional and Home Editions, we help ensure that wireless customers who use WPA are safer and more secure. This work also demonstrates our ability to innovate on top of the core wireless capabilities that are built into Windows XP.

In addition, Windows Server 2003 integrates the latest secure networking standards, such as 802.1x and Protected Extensible Authentication Protocol (PEAP), to enable customers to increase the productivity of their mobile workforce while maintaining the highest levels of network security.

PressPass: How are you working with other industry players to improve security?

Nash: While recognizing that we have work to do in the area of Trustworthy Computing, we see our role here as one of leadership. As we work out the best ways to help our customers be successful, we realize that what we’re learning will be of value to people throughout the industry. One way we deliver on that is to document the key processes and procedures we followed in the course of our security push for Windows and other products. Much of what we’ve learned is available in the book “Writing Secure Code” by Michael Howard and David LeBlanc, which has already been published in a second edition.

In the education space, we’re working through the Trustworthy Computing Academic Advisory Board to garner input from renowned security experts — and finding that both sides benefit from the learning process. And, because it’s critical that the people graduating from computer science programs have a solid understanding of what it means to write secure code, we’re working with universities to make sure the right education initiatives and security training coursework are in place.

In the commercial space, we’re creating courseware based on what we’ve learned about security from a systems management and development perspective and making it available as a Microsoft Authorized Curriculum. This courseware trains people to operate Microsoft products more securely and trains them to write software that’s more secure by design, by default and in deployment.

Finally, we realize that as a technology provider, we’re not in this alone. We understand the importance of having strong partners in the security technology space, such as the Internet security organization CERT and the anti-virus vendor community. We need to work closely with third parties and make sure we’re investing together in ways to make customers more safe and secure.

PressPass: Can you elaborate on how Microsoft is working with the anti-virus community to make customers more secure?

Nash: It goes without saying that virus detection is a critical part of good security practices, and we want to do everything we can to make that practice simple and reliable. Besides continuing to educate users on the importance of keeping up-to-date anti-virus software on their systems, we’re making it easier for anti-virus product vendors to have the hooks they need into the Microsoft platform. At RSA, we are announcing partnerships with anti-virus vendors to deliver more comprehensive security solutions. In addition, the Microsoft Exchange team has been working actively with anti-virus software vendors across the industry on the new anti-virus API 2.5. The new version of the API reflects feedback from vendors and will be incorporated in our Exchange 2003 product, which is scheduled to ship around mid-year.

PressPass: You talk a lot about secure by design, secure by default and secure in deployment. What does “SD3” really mean?

Nash: SD3 is a framework we created to manage and measure our approach to security across the company. Secure by design means our code is designed to be secure. In other words, from an architectural perspective, the right capabilities for security are built in. For example, many of the issues that customers face have nothing to do with a product’s security features per se; more often, a security vulnerability traces back to a non-security component of a product. So we’ve created a process to understand what causes products to be secure, and we make sure we have a process to engineer any vulnerabilities out of products before they ship.

Secure by default is about reducing the attack surface areas of our products and technologies. This means that, out of the box, a system is configured for security, but only the features necessary for a customer scenario are enabled by default. It also means that as customers enable other features, those features are configured in a way that maximizes security.

Secure in deployment means creating a combination of tools and guidance that help customers simplify the process of protecting, defending and recovering, and managing their products from a security perspective. Our key charge in this regard was providing guidance to our developers, testers and program managers on what it means to build more secure products, but secure in deployment is also a way of measuring our effectiveness in building products that are more secure.

PressPass: What’s the outlook for Microsoft’s Security Business Unit? How are you building on the progress you made in the first year?

Nash: While the first year of Trustworthy Computing was largely about changing our processes and laying some important groundwork for customers, Year Two will see us delivering more tangible results that customers can experience directly. The best example of building on our first-year progress is Windows Server 2003, which is a significant milestone in terms of having a product that is secure by design, by default and in deployment. Year Two will also be marked by the fact that we’re doing a broader set of work across a broader set of products to improve the core security of our offerings. For example, many of the processes that we’ve applied to Windows Server 2003 will be applied to new versions of Microsoft products, such as Office 2003, and to updates of existing products, for example, Windows 2000 SP 4. Perhaps more important is the opportunity we have in the year ahead from bringing together the Windows Trusted Infrastructure Team, the core Windows security team and the SBU team. We now have one group empowered and responsible for building a platform for security.

PressPass: Where will you focus your attentions next? What technologies can customers expect to see coming out of the SBU in the future?

Nash: The key technologies that customers will see in the short term include our Rights Management Services, which will be an out-of-band feature for Windows Server 2003, a new version of ISA Server and updates to Microsoft Baseline Security Analyzer, which is designed to help customers verify the configuration of their systems. Further along the roadmap, customers can expect to see platform innovations such as the Next Generation Secure Computing Base (NGSCB) – new security technology for the Microsoft Windows platform that uses a unique hardware and software design to provide greatly increased security and privacy protections for computing in an interconnected world. NGSCB is fundamentally about building greater trust in PCs that run Windows, and it’s a long-term investment for Microsoft. We’re working with our hardware partners on NGSCB to make sure we build it in such a way that a broad set of people can easily adopt it. We’re also working closely with broader industry groups. Our work with the Trusted Computing Group will help to ensure that open industry standards are developed around Trusted Computing to enable greater security innovation across the industry. By the way, we’ll provide a great deal of depth on what NGSCB means and does at WinHEC in May.

PressPass: Where can Microsoft customers find the latest information on security issues and Trustworthy Computing?

Nash: The best resources available today are the main security page on Microsoft’s Web site (http://www.microsoft.com/security/) and our TechNet page (http://www.microsoft.com/technet/treeview/default.asp).
