SAN FRANCISCO — April 21, 2009 — During the RSA Conference one year ago, Scott Charney, corporate vice president of Microsoft’s Trustworthy Computing Group, released a foundational white paper outlining the company’s vision for “End to End Trust,” the concept of creating a more trustworthy Internet experience through technology innovations, broad collaboration and alignment.
Since then, Charney has begun the long process of making this vision a reality. In addition to his role at Microsoft, he began serving as co-chair of the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity for the 44th Presidency, and has begun work to align Microsoft’s various product groups, partners, customers and policy-makers to help realize that vision.
Today, Charney takes the stage at the 2009 RSA Conference to deliver an update on progress around the End to End Trust vision, and to outline the road ahead. PressPass spoke with Charney last week.
PressPass: Briefly, why did you write your white paper and what exactly is End to End Trust?
Charney: When we began moving down this path, we recognized that most people felt security and privacy on the Internet were not at acceptable levels, and we had to help make the ecosystem more secure. The End to End Trust vision breaks that broad problem down into four components: doing the fundamentals right; building a trusted stack with security rooted in hardware; creating and enabling systems that allow people to pass claims about their identity; and aligning social, political, economic and IT forces.
PressPass: What are the threats today and why is that vision necessary now?
Charney: As the general population moved to the Internet, so did the criminal population, and those criminals have become much savvier. Today you see organized crime groups targeting people and business on the Internet for financial gain. There are very rich targets — databases that store financial information, health data and proprietary information. If the Internet continues to grow globally as we hope it will, then there will be more data stored both on-premise and in the cloud, exposing more rich targets.
Against that backdrop, you have to think about how to better secure the entire online community, and we must also find a way to identify criminals and hold them accountable for their behavior.
PressPass: You mentioned that people want a safer Internet. Can you tell me what you hear from customers around the world?
Charney: Most predominantly, people recognize that there are very tough technical challenges confronting us if we want to make our computing infrastructures more secure and privacy enhancing, especially because criminals tend to adapt. People want to be able to verify the identity of the people and businesses they are working with online. If you’re banking online, the bank wants to know it’s you, and you want the bank to know it’s you too.
But people are also concerned about protecting their anonymity online. For reasons such as the ability to engage in free speech, anonymity is very important. So people are expressing concerns and engaging in a dialogue about how to create a more authenticated identity metasystem, while protecting anonymity, free speech and other democratic or social values.
PressPass: People would generally say they know whom to trust in the real world. How is it different online?
Charney: In the physical world we establish relationships over time and we know with whom we are dealing. In the physical world it would be very hard for someone to buy a storefront, make it look like your bank and trick you into walking in and giving up your ATM card or depositing cash.
The way that we authenticate people on the Internet is very different. Basically you go to a site and produce some information that is known as a shared secret. It might be your name, your date of birth, your Social Security number and your mother’s maiden name. Then they’ll verify that information.
But in many Internet transactions you’re actually dealing with an unknown person who may claim to have a certain identity, but there’s no way to verify their claim. And of course return addresses like mail addresses can be faked.
To help make it easier for people to know who, and what, to trust online we are working with others to create a more trusted stack and enable claims-based identity metasystems, supported by in-person proofing.
PressPass: You mention progress on “social, political, economic and IT alignment” as important to achieving End to End Trust. What does this mean?
Charney: Sometimes IT has a solution to a problem, but there’s no economic model that supports the deployment of that solution. Sometimes politicians want to achieve an admirable result such as protecting children online, but they also need the technology to support that intention. One of the goals of End to End Trust is to find those places where we can build alignment among different factors and create a real solution.
For instance, a real-world example of some of the concepts in End to End Trust is a proof of concept we have been working on with the Lake Washington School District in the suburbs of Seattle. Students will be proofed in-person at the school office and given a credential on a computer. From there they can use that credential in a claims-based model. With that, they can access the applications of school partners and say they’re a student, and based on that claim, gain access to tools and resources that are relevant to them.
So in this example, the school is already doing in-person proofing. The social mechanism is there to deploy this solution. And because the claims-based model is cheaper to deploy, they save money. As this is deployed, it will also enable a more interactive experience that matches the students’ needs. So you see this alignment of economic forces, IT and social concerns all coming together to solve a problem.
PressPass: So that’s one example. What are the broader implications of this?
Charney: If you want to get on a plane today, you have to show a driver’s license or a passport to verify your identity. That’s because people have a high level of trust in government-issued identity documents. If those documents had certificates on them and you could identify yourself over the Internet with that certificate, think about what that does for security and privacy on the Internet. You could reduce a lot of economic crime. But to make that happen, governments and technology providers need to go down this path of making IDs consumable on the Internet, and you need what we call an identity metasystem. The CSIS Report to the 44th Presidency actually focuses on this in detail, which is a good example of political alignment aimed at making this vision happen.
PressPass: What progress have you made on End to End Trust over the past year from a technology standpoint?
Charney: First off, we’ve always said this is a long-term vision. Having said that, we have made some real progress, both in terms of technology as well as the human element.
When it comes to fundamentals and getting people to build more secure software code, we have created the SDL Pro Network, a group of partners who work to help other organizations deploy the Security Development Lifecycle (SDL). We’ve also made publicly available the Microsoft SDL Threat Modeling Tool so that people building software can model threats to their code and mitigate those threats.
We continue to apply the SDL internally along with things like defense in depth and specific threat mitigations. In the past year, the Conficker worm actually didn’t affect updated versions of Windows Vista because of some of the defense-in-depth techniques we had applied.
We have also released Internet Explorer 8, which has a SmartScreen filter that does a very good job of blocking access to Web sites known to contain malware. It has other privacy-enhancing features such as InPrivate Browsing, which allows you to browse on a machine and not have all your activities stored in its memory.
Upcoming in Windows 7 is something called AppLocker, which gives organizations the ability to prevent unsigned code from running in their system. Also, in the past we’ve applied Trusted Platform Module (TPM), which is a hardware-based security technology, so people can encrypt their mobile device, which of course makes it much more difficult to steal data from the device. We’ll continue to look for ways to use the functionality of TPM to increase security and privacy.
PressPass: A key element to your vision is what you call the “trusted stack.” What does that mean?
Charney: When you’re getting online, the first thing you buy is hardware, and you want to know that it’s safe to use. You want to know that your operating system is what you think it is. You want to know the applications you run come from a company you know and trust. Then, you’re going to get data from people, such as attachments in e-mail, and you want to know it’s safe to open them. And finally there are people in all these transactions, and you want to know their identity. So the trusted stack is this notion that from hardware all the way through your experience, you can have a reasonable degree of trust that you know what and whom you’re dealing with and can make intelligent trust decisions.
PressPass: It might seem strange to some people to talk about security in hardware.
Charney: The point about hardware is important because it’s harder to tamper with hardware than it is with software. You can upgrade your operating system or download a new application fairly easily. It’s a bit harder to swap the motherboard. So the more hardware-based security is, the more it can be controlled. A classic example is the difference between having a username and password versus a smart card. Other people can guess your username and password perhaps, but if they want to use the smart card, they have to have physical proximity to you to take it, and of course if that happens, you’ll know.
PressPass: How do the various elements in End to End Trust help make people’s use of the Internet more secure and private?
Charney: It’s really about giving people the right information so they can make intelligent trust decisions. Ultimately you want the whole communications chain to be robustly authenticated, especially when you’re engaging in commercial transactions where you have economic risk. And then there are times, of course, when people want to be in an anonymous environment. So how do we give people the ability to take more control? By giving them the right information so they can make an informed choice. It’s about empowerment of individuals.
PressPass: How far along are we in achieving that goal?
Charney: Although we’ve made a lot of progress, there is more to be done. Some of it is hard engineering work. And we’re going to have to work on those problems over time.
Moving forward we need a robust way for people to assert identity over the Internet, and it needs to be based on in-person proofing. And that requires not just the building of the technology, but the social acceptance of the use of that technology, and the government’s effort to get it done.
PressPass: What should people be doing to create more progress and change?
Charney: In the IT industry, we have the ability to fundamentally build security and privacy into our products, and take advantage of what technology is bringing. IT professionals should learn secure code development. Study the SDL or other processes. Use the Microsoft SDL Threat Modeling Tool. Educate their users about threats. Just with these simple steps, we can all have an impact and help create change today.
In the economic sense, it’s important for organizations to find clever ways to use these techniques and technology solutions to drive down costs and find alignment between what they want to achieve from a policy perspective and how practical it is from an economic perspective. The Lake Washington School District, again, is a great example — you can keep students safer and drive down IT costs at the same time.
And politically, everyone can take part in the discussion. As we focus on identity and security issues on the Internet, talk to your elected representatives about what position you want them to have. Organizations like the Federal Trade Commission put out notices for public comment. You should participate in the political process on the issues important to you.
PressPass: Lastly, you have a new Web site for End to End Trust. Can you tell us about that?
Charney: If you want to know more about these issues, the Web site is a great resource. The white paper is there, and it goes into all these issues in greater depth. In addition to the white paper, others in the industry have started to comment, and the home page features videos with some leading thinkers, talking about why End to End Trust is needed. So if you go to the site you can see how companies and organizations other than Microsoft are thinking about the End to End Trust vision. But don’t let your interest end there — take the conversation to your online communities, your social networks and your areas of influence so we can all work together to build a safer, more trusted Internet.