REDMOND, Wash., Jan. 16, 2007 – In 2002, Microsoft Chairman Bill Gates launched a concerted effort to make providing a secure, private and reliable computing experience for everyone a top company priority. Five years later, Microsoft is seeing the benefits of this work. A host of products and services, including Windows Vista, are clearly reflecting the principles of Trustworthy Computing.
PressPass recently spoke with Adrienne Hall, senior director of Trustworthy Computing strategies at Microsoft, to discuss the company’s Trustworthy Computing progress and plans as the nature of security and privacy threats continues to evolve.
PressPass: What is the status of Trustworthy Computing as it reaches its five-year mark?
Hall: Trustworthy Computing started five years ago as a vision. We wanted to make personal computing as secure and reliable as common utilities, such as the telephone. At the time, we talked about how almost anyone in the developed world could buy a new telephone and plug it into a phone jack without ever worrying whether or not it would work. People simply assumed they would get a dial tone and had a level of expectation about the quality of the experience they would have. Our goal was to develop that same type of trust in people’s computing experiences. The basic desire to improve the level of trust in computing has remained a constant, and will continue to be part of what we see as the long-term journey of Trustworthy Computing.
PressPass: How has this journey evolved over time?
Hall: Microsoft has transformed Trustworthy Computing from a startup initiative to a company tenet – a core principle that shapes everything we do and influences every aspect of our business. With that in mind, we expanded the concept of Trustworthy Computing into the areas that are integral to a trustworthy computing experience: security, privacy, reliability and business practices.
Over the past five years, we’ve also seen a cultural shift within the company and a heightened commitment to all the elements that comprise Trustworthy Computing. We regularly look at how much we invest in technology to provide the best customer experience possible, as well as how effectively we share knowledge, learn from others and collaborate with industry partners, government and academia to improve the overall computing experience. In addition, we regularly assess whether the guidance, training and tools we provide are timely, accurate and easy-to-understand.
PressPass: How does Windows Vista reflect Microsoft’s Trustworthy Computing efforts?
Hall: Windows Vista contains a number of new features and technologies that, taken together, are designed to make Windows-based PCs much more secure and reliable and online experiences safer. These improvements help individuals and organizations keep their PCs free from viruses, worms and spyware, and maintain the integrity of sensitive personal and corporate information.
In addition, companywide Trustworthy Computing policies and internal guidelines were followed throughout the development of Windows Vista. Our Security Development Lifecycle (SDL) requires mandatory developer training on writing secure software code and rigorous review and testing of code before it’s included in the product or service. This helps ensure that security is an intrinsic part of how Microsoft develops software. Likewise, our software development process follows Microsoft’s internal privacy guidelines, which reflect customer expectations and global privacy laws. In 2006 we released a public version of these privacy guidelines, so our best practices can be shared with other companies to help them develop more privacy-enhancing software and services. Similarly, Microsoft is committed to providing industry partners with fundamental tools and resources to help build more secure products via the SDL, including threat-modeling tools and developer training on writing secure code.
Throughout the development of Windows Vista, we extensively tested the product. For example, in addition to the tens of thousands of people who participated in the beta testing program, we also received more than 130,000 customer-feedback reports, and provided online services for independent software vendors and corporate developers that helped them assess the reliability and quality of their applications against the various builds of the operating system.
PressPass: Can you give us some examples of features in Windows Vista that demonstrate the company’s progress with Trustworthy Computing?
Hall: Many of the security- and privacy-enhancing features in Windows Vista benefit consumers, technology partners, business- and public-sector customers alike. For consumers, there’s Windows Defender, which helps protect computers against security and privacy threats, as well as performance issues related to spyware. The Phishing Filter in Internet Explorer 7 helps people browse more safely by advising them about suspicious or known phishing Web sites. And, Family Safety Settings help monitor and manage Web sites that children might visit and help keep them safe from online threats.
For businesses and organizations, BitLocker Drive Encryption provides enhanced data protection should laptops be lost or stolen. This protection is achieved by encrypting the entire Windows volume. According to a recent study by the Ponemon Institute LLC, 61 percent of survey respondents said that accidental data leaks occur “frequently” or “very frequently” because employees or contractors lack sufficient knowledge about preventative measures or because employees or contractors are careless. User Account Control reduces security risks by limiting the privileges granted to standard users and granting administrative access only when needed (such as when installing new software or changing the system configuration). It gives typical users most of the capabilities they need for day-to-day work, while helping protect systems and networks from unauthorized tampering.
With a USB key or removable storage device, a company’s valuable intellectual property could just walk out the door. A USB key with malware configured with an “autorun” script could also be used by an attacker to install malicious software on an unattended machine. Another feature is Group Policy for Devices, which enables IT administrators to manage or block the installation of unsupported or unauthorized devices. These features will give IT administrators greater control over the security and privacy of information on a company’s network.
PressPass: Microsoft has made some organizational changes in its security and privacy teams. What’s the status with those changes?
Hall: The changes announced last Oct. 12 were part of the company’s effort to create a broader Core Operating System Division. We are combining the Security Technology Unit, Trustworthy Computing, and the Engineering Excellence teams under one group, with Scott Charney, vice president, Trustworthy Computing, at the helm.
Our commitment to trustworthy computing experiences means we’ll continue to have individuals around the corporation who are focused on security, privacy, reliability and business practices that are responsive to our customers’ needs. But over the last five years, we’ve added resources and built up teams in several places around the company. Bringing these teams together will help us more closely align efforts and allow for greater flexibility in the future.
Again, our priorities will remain fundamentally the same, but bringing together these teams will combine our strategic investments into one group.
PressPass: What can we expect as Microsoft continues its work towards Trustworthy Computing in the years to come?
Hall: During the late 1990s, Microsoft’s strategy was to ensure its products allowed customers to take full advantage of the Internet – and that was critical. In the same way, Trustworthy Computing will be critical to our success in the next 10 years and beyond. It will affect every product, every service, every customer and partner interaction, and every employee.
As the technology industry continues to focus more attention on privacy and security, cyber criminals will respond with more sophisticated attacks. Therefore, we must consider security, privacy, reliability and business practices holistically. Microsoft will stay focused on addressing security and privacy concerns; continue to develop systems architected for trust; and partner across industry, government and academia to address the challenge of cybercrime. Take, for example, the security and privacy threats posed by organizational data breaches: while technologies like BitLocker Drive Encryption help mitigate risk, Microsoft also believes a strong, national standard for privacy protection will benefit consumers and set clear standards for legitimate businesses, allowing commerce to flourish. Microsoft is a founding member of the Consumer Privacy Legislative Forum, a group of diverse industry and consumer leaders advocating for this strong standard in the U.S.
We’re proud of our efforts to date, and yet we recognize that there is much more to do. Our work will never be complete.