REDMOND, Wash., Jan. 13, 2005 — Scott Charney wants people to think of using their computer in the same way they think of using their telephone.
Not that Charney, vice president of Trustworthy Computing at Microsoft, is trying to advocate voice over other communication choices. Rather, he points out that people will walk up to almost any telephone, pick up the receiver and take for granted that they will get a dial tone. Even though the phone system occasionally fails, people are still confident that they will get a dial tone, their call will be completed, and their conversation will be secure and private.
Charney wants people to think about computers in the same way. And that is why Microsoft is full steam ahead on its Trustworthy Computing initiative, which marks three years of progress on January 15. Launched by an internal memo from Chairman and Chief Software Architect Bill Gates in 2002, Trustworthy Computing is a long-term effort to create and deliver secure, private, and reliable computing experiences for everyone.
Charney says Microsoft made significant progress in Trustworthy Computing’s third year, progress reflected in its technology investments, industry leadership and customer guidance. Even so, he says, Microsoft recognizes there is a long way to go.
“Remember that the telephone evolved over several decades to reach today’s level of trust; party lines were hardly secure or private,” he says. “Computers have reached global ubiquity in only 20 years, but the industry is still maturing, and reliability, security and privacy — the things that create trust — are still improving. People recognize the value of computing, but many people still wonder if something bad will happen when they are using their personal computer.
“Trust in computing is critical if technology is to deliver on its promise. Microsoft’s leadership will hopefully help the industry generate that trust sooner rather than later.”
Technology Investment and Innovation
Technology advances in the third year of Trustworthy Computing came both in products and processes at Microsoft. For example, several groups across the company collaborated with Microsoft’s Safety, Technology and Strategy Group to integrate anti-spam and anti-phishing technology into Hotmail, MSN, Microsoft Office 2003 and Microsoft Exchange Server 2003. New error-reporting technology in Microsoft Windows XP and Microsoft Office XP automatically captures details about product or service failures and offers users the opportunity to report those details to Microsoft to help advance product improvements. Information rights management technology in both Office 2003 and Windows Server 2003 addresses information protection concerns regarding e-mail, spreadsheets and Office documents.
Development of Microsoft products that are either used in an enterprise, are routinely connected to the Internet or are used to process sensitive or personal information is now guided by the Security Development Lifecycle (SDL). The SDL is a formalized process that incorporates security checkpoints and milestones at every stage of a product’s lifecycle, from earliest conception through use by the customer. And the security update process has been improved and simplified to minimize downtime and improve manageability of downloading and installing security updates.
The highest-profile technology advance of the past year was Windows XP Service Pack 2 (SP2), a major update to the Windows XP operating system that incorporates numerous security and privacy enhancements. More than 140 million copies have been distributed since its release in August 2004, offering customers stronger default settings, more manageability and control over security and privacy configurations, and improved functions for security updates.
Customers notice the difference. Signature Capital, a commercial leasing/financing company in Austin, Texas, standardized on Windows XP SP2 to increase infrastructure security and reduce troubleshooting downtime. Almost immediately after installing XP SP2, productivity went up because less time was spent fighting viruses or pop-ups, or fixing system problems.
“The new security functionalities of the Internet Explorer browser have removed a lot of our previous vulnerabilities and insecurities,” says Keith Buchanan, president of Signature Capital. “Prior to Windows XP Professional, our employees were having trouble with constant Internet pop-up ads and viruses that took away from productivity. Since having Windows XP Professional with Service Pack 2 installed, we haven’t seen any of these problems.”
The past year's launch of the latest version of Microsoft Internet Security and Acceleration (ISA) Server also proved beneficial to customers looking for secure online connectivity. In one case, Croatian confectionery manufacturer Kraš replaced a frame-relay remote-connection network with ISA Server 2004, reducing costs and decreasing virus and worm infection from mobile machines. ISA Server's VPN quarantine tools, which hold a remote machine apart from the internal network until it passes a policy check, have dramatically cut the number of viruses brought back from the field.
“Our investment in ISA Server 2004 VPN client and site connectivity has more than paid for itself,” says Goran Zadravec, systems manager at Kraš. “We have a flawless quarantine service, overall security has been bolstered with public key infrastructure technology, administrative overheads are lower, and the network is more stable.”
Responsible Industry Leadership
Charney says Microsoft takes seriously the responsibility that comes with a leadership role; the company either co-founded or participates in numerous organizations addressing Trustworthy Computing topics. These include the Anti-Phishing Working Group, which develops and then promotes the visibility and adoption of industry-wide solutions; the Anti-Spam Technology Alliance, which drives technical standards and promotes collaboration in the development of industry guidelines; the Global Infrastructure Alliance for Internet Safety, a security-focused working group of global Internet service providers (ISPs); the Virus Information Alliance, whose members exchange critical technical information about newly discovered viruses and worms to allow timely communication to customers; and the National Cyber Security Alliance, a public-private partnership between government and industry focused on enhancing critical infrastructure protection.
Microsoft continues to promote the Anti-Virus Rewards Program, initially funded with US$5 million from Microsoft, to help authorities identify, prosecute and convict those who unleash malicious viruses and worms on the Internet. Microsoft is also reaching out to academia with the Trustworthy Computing Request for Proposal (TwC RFP), which will fund a variety of academic projects to create, test and disseminate Trustworthy Computing-related curricula at academic institutions.
Microsoft’s efforts are, of course, global. There are widely available programs — such as the Government Security Program, which gives governments access to source code for Windows and Office — as well as partnerships with specific governments. In November, for example, it renewed an agreement with the Korea Information Security Agency (KISA) on cooperative work meant to increase security in the Korean computing infrastructure. This includes training for KISA employees and ISPs, strengthening anti-spam efforts, testing and verifying patches in the Korean environment, and more.
“The efforts for the development of a more secure computing environment won’t succeed with only government efforts — it also requires cooperation with industries and end users,” says KISA President Hong-sub Lee. “Thanks largely to the devoted support of Microsoft, we are able to take a big step forward and continue our work in strong cooperation. I look forward to Microsoft and KISA sharing an even stronger relationship in the future.”
At the same time, Microsoft walks the walk internally, starting with a deep commitment to Trustworthy Computing by its senior leadership team. Chairman Bill Gates, CEO Steve Ballmer, and CTO Craig Mundie lead the way, with help from vice presidents who serve as executive sponsors for the core pillars of Trustworthy Computing (Mike Nash, Security; Brian Arbogast, Privacy; Brian Valentine, Reliability). Hundreds of employees and partners have been trained and certified to help them assist customers with their security needs. More than 400 employees on staff currently hold CISSP (Certified Information Systems Security Professional) certification, one of the highest numbers of CISSP certified staff of any company in the world. Before the Trustworthy Computing initiative was launched, that total was less than 20. Thousands more have been trained in writing secure code.
Microsoft maintains dedicated full-time privacy staff in many of its major business units, along with several hundred privacy champions within product groups. For example, MSN maintains a network of more than 70 privacy champions and the Windows group has 160 privacy leads. Hundreds more have been placed into product groups across the company to help drive privacy protections in planning and development. Microsoft continued to receive external industry recognition of its privacy efforts in the past year, and was selected by the International Association of Privacy Professionals (IAPP) for its 2004 HP Privacy Innovation award for exemplary leadership and support for privacy issues.
Employee performance is now evaluated in part based on key aspects of the Trustworthy Computing initiative. Further, Microsoft has established formal Standards of Business Conduct that apply to Microsoft employees as well as its supply chain, and specific guidelines for ethical business practices and regulatory compliance. These and other corporate citizenship efforts help ensure that in all activity, internal or external, Microsoft strives to maintain the highest standards in its business conduct and meets society’s ethical, legal and commercial expectations.
Customer Guidance and Engagement
Trustworthy Computing by definition is dedicated to improving user experiences with computing, so a major focus at Microsoft in the last year has been on providing helpful tools and information to customers, partners, IT professionals and consumers. This includes a worldwide education campaign to create broader awareness of best practices in PC protection and to demonstrate how to make protection technologies easier to enable.
Small businesses and at-home consumers also have a wide selection of online guidance resources. For example, Security at Home provides the home user with information on viruses, spam, spyware, mobile security and more. The Microsoft Security Homepage provides extensive, more detailed information and advice for more sophisticated home users as well as small businesses.
Web users will find helpful tips and information at MSN Security regarding privacy and e-mail protections as well as ways to keep kids safe online. There is also GetNetWise, a Microsoft-supported site that offers ways to protect families from malevolent Web surfers. Microsoft’s anti-spam and anti-phishing Web site provides information on how Microsoft is working with customers, partners, and governments to help protect e-mail as an essential and valuable communications tool for users worldwide. Finally, there are sites discussing online safety that were created by Microsoft, or created by industry partnerships that include Microsoft, such as www.staysafeonline.org and www.staysafeonline.info.
Microsoft also has taken education directly to the customer on a global scale. This includes adding 18 Chief Security Advisors, 11 Strategic Security Advisors, six Regional Privacy Leads and 28 Subsidiary (national-level) Privacy Leads around the world. These are Microsoft employees whose job is to address security and privacy issues directly with the customer. Microsoft’s global outreach also includes events such as Security Summits; online tools such as the Microsoft Security Guidance Kit and monthly security webcasts, all of which played a key role in helping Microsoft provide security training to more than 600,000 IT professionals, partners and developers worldwide. In addition, groups across Microsoft worked with customers to develop a book highlighting best practices and tips to help IT professionals deploy IT systems and better manage their reliability.
To help customers make their systems more efficient and reliable, Microsoft offers the Enterprise Engineering Center (EEC), where customers can deploy and test Microsoft products in a re-creation of their own heterogeneous environment. Customers work with Microsoft developers to ensure proper configuration and address issues that arise so the customer leaves with better understanding of how to get the most out of their system and products.
Additionally, customers can access the Microsoft Operations Framework (MOF), which provides operational guidance that enables organizations to achieve mission-critical system reliability, availability, supportability, and manageability when using Microsoft products and technologies. This guidance is available in the form of white papers, operations guides, assessment tools, best practices, templates, support tools, and services.
BP p.l.c., one of the world’s largest petrochemical companies, took advantage of MOF to maximize the performance of its Microsoft solutions and introduce a robust change management program. Allen Lewis, chief of staff for Digital Business Operations at BP, says reliability, scalability and availability of production systems in the United Kingdom-based company have improved.
“MOF provided a very useful framework against which to benchmark BP’s own infrastructure management processes,” Lewis says. “It gave us guidance, direction and, above all, it gave us a degree of assurance that we were doing the right things. Now that we have successfully introduced a robust change management system internally, it makes sense to include a few key suppliers so that the benefits of our approach are strengthened by the supply chain.”
Full Steam Ahead in 2005
“Although derided by some as a public relations stunt, Trustworthy Computing has a real, material effect on Microsoft’s business,” wrote Michael Cherry, lead analyst at Directions on Microsoft. “The Trustworthy Computing initiative will be around for a long time, and customers are waking up to the importance of security, reliability, and privacy and realizing that they need to work closely with Microsoft to secure their computer systems and make them reliable.”
Charney could not agree more. “Microsoft remains fully committed to what has always been a long-term initiative,” he says.
Already in January, Microsoft has issued the beta of its Windows AntiSpyware solution, as well as the Malicious Software Removal Tool, to be updated monthly, which removes specific prevalent malicious software from an infected PC. Work is proceeding on other releases, including anti-spam technology, as well as implementation of the Sender ID Framework in MSN, Hotmail and other products. Charney says Microsoft will continue its collaboration with governments, industry organizations and academia in addressing privacy and security issues and providing customer education and guidance. Much more will be done in Microsoft’s internal processes, including adding privacy standards to the Security Development Lifecycle process.
Charney says Microsoft will remain fully active in continuing the momentum of Trustworthy Computing and fully ingraining the effort into the company’s culture. The ever-changing landscape of computing makes it all the more important that it does.
“Two years ago, the focus was on denial-of-service attacks,” he says. “While still a concern, the threats continue to evolve. Spam has become a global issue, followed by new threats such as phishing, spyware, and botnets. As our use of and dependence on technology continues to grow, so will the issues confronting us. We must not only address today’s issues, but anticipate and prepare for the future.
“We want people to take it for granted that they can securely, privately and reliably use their computer every time. So it is incumbent on us to make every effort toward that end, now and in the long term. Our customers deserve nothing less.”