REDMOND, Wash., Feb. 15, 2006 – At the RSA Conference 2006 in San Jose, Calif., Microsoft and a wide range of industry partners have joined together this week to showcase some of the many ways that the industry is collaborating to improve information security and network protection. The centerpiece of that showcase was the Microsoft Partner Pavilion, where Microsoft and 23 partners demonstrated a wide range of security solutions and technologies that can help businesses and consumers secure their information and protect their networks.
On Tuesday, Microsoft Chairman and Chief Software Architect Bill Gates spoke about Microsoft’s vision for creating a more secure digital future, where interconnected networks worldwide provide security for users to work and play across a multitude of devices, products, services and organizations. According to Gates, achieving that vision will require cooperation and partnership that extends across the industry, so that everyone has access to the tools and information they need to build products and services that are more safe and secure.
Earlier, PressPass spoke with Mike Nash, corporate vice president, Security Technology Unit, about Microsoft’s security vision and its efforts to foster industry-wide collaboration.
PressPass: During his keynote at RSA, Bill Gates emphasized that security is an issue that can only be addressed if companies across the industry work together. Why does Microsoft feel that security needs to be treated as an industry-wide issue?
Nash: We believe that unless there is industry-wide cooperation, it is very difficult to make progress on important security issues. That is why we work closely with industry leaders, other vendors, governments and law enforcement organizations to identify and address the key challenges that customers face with computer security.
I also think that the industry needs to demonstrate that when it comes to security we’re not just looking out for our own interests. We need to protect our mutual customers and strengthen their trust in the computing ecosystem at large. To do that, we need to work together.
PressPass: How is Microsoft working to help the industry create a more secure computing environment for customers?
Nash: In the larger sense, our vision is based on cooperation and collaboration that spans the industry, but at the end of the day all of these efforts must increase the level of trust that customers have with their computing environment. This can only happen if we change the customer experience to earn that trust. There are several levels to this cooperation. For example, as we have made progress on the core security of the Microsoft Windows platform, it is clear that hackers are shifting their focus to applications on Windows and other platforms. As a result, we must make sure that we are sharing best practices about how to architect more secure products and implement more secure code. At the same time, we have also been reminded of the need for Microsoft to partner with other security vendors to protect customers. While this includes working with software and hardware vendors to make sure that we build more comprehensive security solutions together, it also means that we must continue to work to identify and stop emerging threats early to reduce the impact on customers.
In addition to working with the security industry, it is also important for us to work with ISVs (independent software vendors) who build non-security products to help them take advantage of the security capabilities on the Windows platform. This, too, will create a more secure experience for our mutual customers.
We believe we can achieve this vision by working together to create and support an ecosystem of trust, promote more secure engineering practices, simplify security for computer users and developers, and develop fundamentally secure platforms.
One of the goals of the Microsoft Partner Pavilion at the RSA Conference 2006 is to demonstrate to customers how the industry is collaborating to develop security solutions and offerings that will support that trusted ecosystem. Our partners are a key component to creating this more secure computing environment for all customers.
PressPass: Can you elaborate on the four components to Microsoft’s vision that Gates outlined in his keynote?
Nash: In his keynote, Bill talked about establishing trust in computing to realize the full potential of an interconnected world. The four principles of that vision are a trust ecosystem, engineering for security, simplicity and fundamentally secure platforms.
The trust ecosystem that Bill talked about is an environment where people, devices and code can be properly identified and decisions of trust can be made more accurately. Too often, we ask users to make decisions of trust without proper context. We asked them to decide which programs or Web sites to trust and which e-mail to read or not read. The idea of the trust ecosystem is to build a system of reputation services that the user can depend on to make better choices. Wherever possible, we think the system should make those decisions as transparently as possible. An essential part of this trust ecosystem is a wide range of digital identities for people, organizations, devices and code. To help achieve this, Microsoft is working closely with industry partners in support of the Identity Metasystem, an open and interoperable architecture for protecting users’ identities.
There’s another important aspect to the trust ecosystem. In the physical world, we’re all accountable for our actions. If you walk into a store, take something off the shelf and then leave without paying, there’s a strong likelihood that you’ll be caught and that there will be consequences. That’s not always the case in the digital world. To foster that accountability, there needs to be industry cooperation around the creation of computing reputation services that rank not only individuals and organizations, but also code and devices. That model will help computer users make more informed decisions and ultimately build deeper trust in computing.
Engineering excellence is the second part of this vision. This is really all about improving the process of designing and building products to make them more secure. The key is sharing best practices like our Security Development Lifecycle, which focuses on defining a repeatable process, training engineers about how to follow those processes and building accountability in the product lifecycle to verify that the process was followed. We also continue to invest in tools to make engineers’ jobs easier, such as PREfast, which scans for buffer overruns and other common coding mistakes that can lead to a security vulnerability. To make this work, we believe in sharing our best practices, but also in learning from the industry. Our investments in Learning Paths for Security, the Microsoft Developer Network (MSDN) community and the Trustworthy Computing Academic Advisory Committee are some examples of that sharing. We believe that it is important to make these widely available so everyone can create more secure software, which will lead to a more secure ecosystem for customers.
The third aspect of this vision is a simplified security experience. The fact is that securing a computer or network environment is still very complex. Consumers often don’t have the information or knowledge to make the right decision. Even for IT professionals, managing enterprise security remains a difficult challenge. We need to work together as an industry to develop a common approach for establishing security policies and making sure that they are maintained. We also need to provide developers with more straightforward APIs and tools that can help them build more secure software. We also need to continue to invest in clear and simple guidance. For example, we have made information about Microsoft’s Security Development Lifecycle available to developers.
The fourth principle of this vision is a fundamentally secure platform – a platform built from the ground up to maintain the confidentiality and integrity of information. This platform must also provide infrastructure that enables isolation, trusted identities that can be verified with multi-factor authentication, policy-based access control and unified audit across applications. Microsoft investments in a more secure platform include Windows Vista with improved support for smart cards, an enhanced firewall that provides bi-directional protection and Windows Defender that provides anti-malware protection.
PressPass: What role does Microsoft play in this industry-wide collaborative effort to improve security?
Nash: Microsoft is working broadly with partners to improve security for our mutual customers and to provide better tools, guidance and education to help customers stay safe and secure. We also have a role to play in providing authoritative guidance when we do see a threat emerging. We have the responsibility to work collaboratively with developers, IT professionals and ISVs to address these emerging challenges. We do that through industry partnerships like the Virus Information Alliance (VIA), the Global Infrastructure Alliance for Internet Safety (GIAIS) and the SecureIT Alliance.
The Microsoft Partner Pavilion at RSA 2006 is a showcase for some of the great work being done by our partners around security as well. Those partners include Hewlett-Packard, which is demonstrating new security hardware that will build on advanced security features in Windows Vista as well as Windows Rights Management Services (RMS); EndForce, FullArmor and RSA Security, which are delivering Network Access Protection (NAP) solutions; and BMC Software and Citrix, who are both doing great work in identity and access control.
Of course, we continue to invest heavily in technologies that make our products and services more secure, and in tools and technologies that help Microsoft and other companies implement development processes that produce more secure software. We’re also focused on providing clear, actionable guidance so that people can better protect themselves. The support and collaboration of the industry including vendors, law enforcement, public interest groups and government organizations is another key component to educating customers on how to protect themselves.
PressPass: You mentioned emerging challenges. How have the challenges around security changed in the last few years?
Nash: We’ve seen an evolution from the days when hackers were largely looking for notoriety to today’s environment where hackers are primarily motivated by financial opportunities. These people are perpetrating crimes like ID theft, phishing and distributing malware in order to steal information and then profit from that information.
The threat landscape is evolving in another way, too. Now, not only are we dealing with threats to the platform, but we’re also seeing more and more attempts to find exploitable weaknesses in the applications that sit on top of that platform. That makes it even more important that we find ways to work together as an industry to tackle security issues.
PressPass: What are some of the things that Microsoft is doing with partners to foster industry-wide collaboration?
Nash: We sponsor or participate in a wide range of programs and organizations that focus on specific security-related issues. One example is the Global Infrastructure Alliance for Internet Safety (GIAIS), a working group that includes the world’s leading Internet Service Providers that was created to improve security and safety on the Web. Another is the Virus Information Alliance (VIA), which includes a broad range of anti-virus software vendors that share information in real time about current threats to customers.
During his speech, Bill also announced that the SecureIT Alliance has doubled its size since its formation in October 2006 to more than 70 members. This organization was created to enable ISVs and Systems Integrators (SIs) to work more closely with Microsoft and with each other in order to build and integrate security products into the Microsoft platform. The alliance will provide members with greater visibility into Microsoft developer programs. The SecureIT Alliance Web site, which launched officially on Feb. 14, will serve as a community where members can share the information and best practices needed to build more secure solutions. The Web site will also have a public side to provide information aimed at helping customers understand security issues and find a vendor who can help them with their specific security needs.
PressPass: What is the main thing you would like partners to take away from Gates’ speech at RSA? How would you sum up the call to action?
Nash: The idea here is that open collaboration is what it’s all about. Security can’t happen in a vacuum. It’s a large effort and the more that people get involved, the more quickly problems get fixed and information is released to help protect customers. As part of that, we are committed to providing the security information and data people need to make more secure products as well. This is true for anyone in this industry, including our competitors. We don’t hold back security information so we can make our products better than everyone else’s. Even if you are a competitor, we will share best practices, tools, and prescriptive guidance because that is essential if we are going to build the kind of accountable, interconnected global community that Bill was talking about.
As for the call to action, it’s pretty simple: get involved. Join a group. Take part in a program. Whether it’s an anti-spam group or an organization focused on identity management or virus protection, be active. It doesn’t have to be a Microsoft program, although there are plenty of those. I think everyone in this industry understands that we’ve got to work together to address evolving cyber threats. The more companies that are active and involved, the better we will be as an industry at limiting vulnerabilities, solving issues that arise and building greater trust in the computing environment for all of our customers.