Transcript of keynote remarks by Bill Gates, Chairman, and Craig Mundie, Chief Research & Strategy Officer, Microsoft Corporation
“The Imperative to Connect: Advancing Trust in Computing”
RSA Conference 2007
Moscone Center
San Francisco, Calif.
February 6, 2007
Keynoting RSA 2007, Microsoft Chief Research and Strategy Officer Craig Mundie (left) and Chairman Bill Gates discuss the challenges that pervasive Internet connectivity pose to the security industry. San Francisco. Feb. 6, 2007.
ANNOUNCER: Ladies and gentlemen, please welcome Microsoft’s Chief Research and Strategy Officer, Craig Mundie, and Microsoft Chairman, Bill Gates. (Applause.)
BILL GATES: Well, good morning. It’s exciting to be back here, and get a chance to talk about security and where we are. It’s a very fitting time to do this. We’ve reached a couple of interesting milestones recently. It’s literally five years since I first sent around to all of Microsoft a memo about Trustworthy Computing and how we needed to make that our top priority, and really make some big advances there.
It’s also just last week that we launched [Windows] Vista. That’s a big milestone for us in terms of security, because we had a chance to apply our development process, our secure design lifecycle process to that product, and so it’s a platform that not only has advances in security, it’s a platform with a lot of rich capabilities that people can build on top of.
So, a lot of progress. Craig Mundie is here with me. He was the one who motivated me to send that memo around. In fact, it was five years ago when he keynoted RSA, and Craig is going to be taking over full responsibility for all the security things we do. So we thought it would be fun for him and me just to talk about some of the needs that are out there, particularly the evolving needs, and some of the advances that are going to fulfill those needs, particularly with some industry standards and cooperation that will make that possible.
So, Craig, give us an update. How do you feel that the industry is doing on Trustworthy Computing?
CRAIG MUNDIE: Well, we’ve made some progress, and clearly the industry has made a lot of progress, too. As you said, I mean, it’s actually more than six years ago that you and I first started talking about the issues that we face. And interestingly, this was at a time where we were talking about the ILoveYou virus and things like that. They were really fairly mundane in comparison to the kind of threats that we all face today.
We have focused a lot of energy on this question of Trustworthy Computing. Back when Bill wrote that memo, and I was here the last time to talk about it, we decided that there were really several elements to Trustworthy Computing. One, of course, was security, and it’s what we’ll focus mostly on today. But in part the reason that we created it was at the same time we recognized that we were also having a lot of tension at the time around privacy. This was before 9/11 to some extent when we first started thinking about it. The world was tilted a lot more toward the privacy issues at that time. And then the combination of the events we see in the network and the events we see in the society at large made security come back into the front of the picture.
But going forward, we found we really needed to find a way to work through all these issues and create a system that was reliable, maintained people’s privacy with respect to the data, and security as a key aspect of both those parts.
There were a number of other issues that we decided also contributed to trust, and recently we’ve even added one, interoperability, to that set of parameters, but it’s been a big issue.
When we started this, I think we knew it would be a big task. And it was probably the thing that has brought about the most cultural as well as engineering process changes in the way that we build our products.
As Bill mentioned, [Windows] Vista and now Office 2007 are really the first two products that have been through this entire security design lifecycle process.
This won’t make them perfect. To some extent the challenge that we face in building our products and the challenge everybody faces in administering them and using them is that humans are human, and they make mistakes. And a large part of what we have to do going forward is not to just deal with the engineering aspects of the software that we build, and trying to make sure it’s as good as it can be; we have to deal with the fact that errors do happen, whether they’re operational or design, or whether they’re intentional.
And so a lot of what we want to talk about today and share with you is our thinking about what other things we’ve been doing, other than just getting rid of buffer overruns and a lot of other things, that we think will ultimately contribute to a much more security capable environment.
Clearly to do this the industry has had to be a partner to us. We clearly have a foundational role because we build the platform that many of these other things are built on. But I do think that the industry has made a lot of progress and will continue to do some more.
So, let’s go on now and talk about the world as it is going to be, and what’s really been motivating us to make not just these engineering changes in our flagship products, but the kinds of changes that we think are going to be required to deal with the world that we’re entering.
So, one part of this is that the world is just a lot more connected than it ever was. It’s not just the Internet in the enterprise sense or the business to business sense; we now have many, many devices. People are interested in connecting cell phones, televisions, automobiles, just every manner of smart widget, and they all want these things to be part of an environment that allows them access to whatever they want from wherever they are.
But the mechanisms that we grew up with to create security really grew out of the enterprise environment where there was formal administration of the activities, and yet even there we’ve struggled; we can create the connections but they’re too hard.
The threat landscape has evolved in fairly dramatic ways. When we first started working on this, most of the attacks were done for the purpose of notoriety. We were worried about script kiddies and other things like that. Today, it’s a lot more serious, it’s a lot more nefarious than it was five or six years ago. And the fact that we have so many things connected and we have so many people connected, not just hundreds of millions of PCs, but growing on billions of phones, and rolling out more and more things all the time, this challenge is going to get tougher.
And, in fact, it’s really clear that the vast majority of the devices that people want to use to gain access to things, and those things will become increasingly sensitive like their health records and other things in the future, that they aren’t in an administered world. And so it’s really incumbent on us, not just Microsoft, but the industry to come up with some strategy to deal with that, and to find a way of balancing the risk and dealing with the tension that exists between people saying, look, I just want to get access to whatever it is, wherever it is, anytime I want, and yet I want the security to be absolutely foolproof. And that is a tall order, and it is one that collectively we’re all going to have to step up to.
BILL GATES: There’s no doubt that people want more flexibility. We sometimes use the term “anywhere-access.” You have partners in business that you want to share some of your information with but not all of your information. You have people in your personal life that you want to share information with at various levels of capability.
The initial reaction when the Internet provided this anything-can-talk-to-anything type capability was to look back and say, well, why had we been secure before the Internet, and the fact was that the datacenter, the glass house is very isolated.
And so the first idea was to say, OK, let’s have that boundary, that one perimeter, and use that, which has been a reasonable concept. But, in fact, if we look what actually goes on in terms of consultants coming into your company, employees who are not on site that need full access capabilities, we can’t think of that glass house, that kind of network topology as the way that we do this isolation, as the way we define what can connect to what. So, we need a far more powerful paradigm in order to do this.
A great example is companies who are working together. For example, General Electric and Boeing may have a joint customer for an airplane, GE doing the engines. Well, they want to have confidential information that they share back and forth. Today, how is that done? Well, it’s done with e-mail attachments, but that’s a very inefficient way to work that’s done by sending the paperwork around. We really haven’t given this notion of general isolation, logical isolation, and yet now we see an approach that we’ve pioneered and others understand that’s based on standards that’s going to make that possible.
CRAIG MUNDIE: One of the things that’s really quite different in the way that we think about the future is we kind of built our systems, including the way we wrote our code and everything else assuming that everybody was really good, and that we knew who they were, they were in our company, and as long as we were secure at that boundary of our enterprise, life was pretty good. And then along came the Internet, and it sort of poked a lot of holes through that barrier that we had at the edge.
Well, as Bill said, we also find that we’ve been gradually working our way from the network and the computers there for our employees, and they were all here; well, then we gave them laptops and they started to leave, and that created a set of problems. And then we said, oh, well, we’ve got vendors, we have, in fact, thousands of people who work for us as vendors, and they need to access our things, too. So, we said, well, but they don’t have offices here. So, we kind of tried to figure out how do we extend the network out to where they are.
And now, as Bill said, we’ve really gone even beyond that. It isn’t that we have a vendor, we don’t have somebody we have sort of a contractual relationship with, we have just people that we want to work with, and we want to do it on an ad hoc basis.
So, many of the mechanisms that we have started with the presumption that we knew who people were and we had some controlling relationship with them, whether it was contractual or operational, and that’s really all evaporating.
And so many of the mechanisms that we had before, security was really a blocking thing. I mean, we put it there as a way to keep people out or keep people in, and a lot of what we think about – and Bill and I will talk a little bit now next – is how do you invert this thing to where these security mechanisms actually become a thing that makes it simpler for anybody to be granted permission to get at something, and in granting them that simple permission that says I’m the Boeing guy and I want to have my partner at GE Engines figure out how to get at this SharePoint, that’s all the decision I want to make. I don’t want to speak for the company about anything else, I don’t want to create an environment where just because he can come in and get this schematic doesn’t mean he should be able to get at everything on the corporate network. And yet we really don’t have that simple mechanism historically to allow the one working person to make a very prescriptive authorization, and yet we think that that’s really what the world is going to have to move to.
So, what we want to talk about now is what is it that actually has to change for us to be able to do that. And so we’ve broken this into three broad concepts, and I’m sure there are other taxonomies that we could use which maybe make it even clearer, but at least for today we’re going to talk about three things. We’re going to talk about the network and how we think that is actually going to be built and constructed differently, and operated somewhat differently.
We’re going to talk about protection, the new concepts that we have to apply in order to be able to make sure that the data is secure all the time, not just when it’s moving. That’s been historically whether it was cable television or enterprise data, we really tend to worry more about whether it was exposed while it was in transit. But if you look at the problems that people have today, and, in fact, where a lot of the issues are in terms of the loss of Personally Identifiable Information, it isn’t that it’s getting biffed off the network, basically it gets lost because somebody loses a laptop in a taxicab or at the TSA screening station, and then everything that was there is exposed. So, there are a lot of things that govern that.
And then, of course, to do all those things requires that we think differently about identity. So, we’ll talk now a little bit about each one of those things.
So, let’s start with the network, Bill, and let’s talk about how we think that the network itself is going to have to be changed from a configuration and management point of view.
BILL GATES: Yeah, the key thing on all these things is that we need evolutionary approaches. The Internet is so great today, we’ve got the TCP/IP standard, so we need to work with that as the starting point. And one thing that we’ve found, really a fantastic capability, is that along with IPv6 is this IPsec capability. And so the notion that you could pick and say who should connect to who, or when that connection is made actually insist that there be a certificate, some proof, some trustable proof of what those two end points are, this actually gives us the capability. And so that’s a foundational piece.
And I remember going all the way back to the bad days of Slammer where we had a customer who said, “OK, here’s our factory floor, we want that to be isolated from everything else. We have a very limited set of applications out there. We want to manage that and think about that separately from the consultants on site and the engineers and doing their work.” And there was no way for them to have some aspects, because the factory floor was not a separate company, they couldn’t use the firewall, but you wanted only to have in this case an explicit set of access capabilities from the rest of the network into these specific systems. And these systems weren’t on their own networks, but they were identifiable systems.
And that’s where by giving tools that can say who can connect to this machine using this IPsec, now we can have this kind of isolation, and so you can define what connection capabilities should actually be able to take place.
CRAIG MUNDIE: Another key thing that is going to happen now is this evolution to IPv6. I think that that’s also another key tool that can be used in building up the mechanisms to have this point-to-point capability.
As Bill talked about in the factory environment, we could say, well, here’s a system, and I want to make sure that it can only talk to that system, and this computer talks to that robot, and I don’t want anybody to get in the way of that. But ultimately we need a lot more granularity in that control. We have to be able to say I only trust this particular application, or I trust this person running that application in order to be able to do things. And so we really need to be able to do this with a lot more granularity.
We also want to be able to do it in a world where everybody is just on the Internet. And so we need to move to create a way of describing these things by policy, not topology. Almost all the protection in the past has tended to gravitate around the topology of the network, you can get at this segment or not that segment, you can get at this IP address or not that IP address. But today the demands are really for a lot more flexibility, not just within the part of the network you control, but to extend to the network parts that you don’t control.
Today, the actual shortage of IP addresses in the IPv4 environment forces us to introduce a lot of other mechanisms, for example, Network Address Translation. These things have also made it very complicated.
As we move to an IPv6 environment, and we have a lot more granularity in addressing, it’s not only going to accommodate the introduction of billions of new devices for which we similarly want to be able to describe what you’re authorized to access and who’s able to do what to them; we need to be able to do this where we can define logically what is the protection domain that we want to have a policy govern, and what is the policy with respect to the things that live outside this environment.
Microsoft itself has this challenge. We have one of the world’s largest enterprise networks. We have hundreds of thousands of partners around the world, and we have obviously millions and millions of customers. And so we have been ourselves facing this challenge.
About two and a half or three years ago, Bill and I started to sit down with the Microsoft IT people and said, look, how are we going to deal with this problem? And we really began to focus on the question of how could we use these new mechanisms, in particular IPsec, IPv6, and the mechanisms of the directory in order to be able to come up with common policy descriptions that could be propagated in an automated way, that ultimately could be collapsed down to an individual making a policy choice, I want to grant Bill access to this particular application or this particular data set, and get that thing enforced by the network without depending on the network topology to do it.
And so the nice thing about this model of using IPsec to do that is it’s essentially certificates that identify the authorities that are being granted at both ends of a connection.
In the past we didn’t have a way to do that. We largely depended on people who operated your network infrastructure to make sure that that thing was secure, but since they didn’t have anything to do with the apps, and the apps didn’t have anything to do with how you set up the network, you really ended up with this weird situation relative to the role of network topology and enforcing security versus people who could at any given moment logically understand what their intention was relative to the app.
So, this essentially allows us to say no matter what the network topology is, no matter whether you are within or without the physical boundary of your particular organization, we can now operate by specifying policies that we want to implement, and having those things logically enforced by the network, as opposed to physically enforced.
BILL GATES: And one of those policies is actually what some people call a health check; that is, you can say is this system up to date in terms of the latest patches, and you can ask for proof that that’s there, and only let the connections take place if that health is there. And that can become very important where if you have people coming in on laptops, and you don’t know if they’ve done some updates that you think is very important, then you can give them limited access only to certain end points while they do that update, and then once they have the health certificate, then they can go in and connect up to the rest of the network.
That kind of quarantine or Network Access Protection actually fits into this model that whenever you’re making a connection, the notion of who the machine is or who the user is or what the health of that is can be part of the policy question, the policy of who is granted access when.
Now, making these policies so they’re simple to set up, it’s really been over this two and a half year process that we’ve seen how can you make that a fairly straightforward user interface in the directory to lay down those policies and now that’s part of what we’re doing with the “Longhorn” Server update.
CRAIG MUNDIE: Yeah, as we’ve studied this inside Microsoft, we actually started using IPsec to control access within our corporate network. And the poor IT guys came back to us one day and said, hey, you know, this is technically possible but it’s damn near impossible to make it work and be sure about it. And we found that they had actually had to write 4,000 rules that governed how the IPsec mechanism worked. And we realized that given that people will make mistakes, if you really want to trust these things, it’s got to get a lot simpler; not just the mechanics of putting it in but putting 4,000 in is a bit too many.
When we release “Longhorn” Server later this year, we’ve actually made enough changes architecturally in how we administer that and simplify it, the entire 4,000 rules at Microsoft have been collapsed to 40 rules. And I think that it’s that kind of thing that is actually going to move us from thinking of IPsec as a fairly arcane technology that maybe could be used in a very specific, really, really problematic environment to one where we think it will be the way that we build this model of seamless, easy anywhere access across all these families of devices, and for all these different classes of applications.
But we’re not really there yet, and so there are things that we’re doing that I view as on the path to this future world. So, for example, we have a new capability called an Intelligent Application Gateway. In a way that’s a tool that people can use to begin to walk down this path. If you today have a more conventional network and protection architecture, and yet you know that there are people who you want to give some access to, but you don’t want to say that just because they’re healthy, and I’ve given them access to the corporate network, doesn’t mean I want them to be able to run around and do anything on the corporate network.
And when you have, as we do, hundreds of thousands of SharePoints and other things, you don’t really want to depend on the individual owner of these logical assets to have to be able to put in the walls around everyone’s asset.
And so we’re really again inverting the model from one which assumes that just because you work for Microsoft you should have access to everything, and unless people could be very prescriptive about what you shouldn’t get access to, it was way too open.
And many people have been telling us, look, we not only have our employees, and to some extent our vendors; you know, increasingly we’re going to have our partners. And if you guys actually do a good job in making it easy for a partner to on an ad hoc basis be given permission to get at something on my network, I want to make sure that I can say they only get access to that.
And so while this IPsec, IPv6 model is essentially the way we think that we’ll do that in the large, it will take some time to move there.
There really isn’t a challenge, in our view, in moving to the IPv6 infrastructure, because it was actually in the Windows XP generation that we started building in the support for IPv6, and found a way to tunnel it through IPv4. So, you don’t have to contemplate some gargantuan infrastructure change-out in order to be able to move in this direction.
And so we want to give people a very easy way to go first to the benefits, both security and addressability benefits of the IPv6 infrastructure, and what we’ve done in both Windows Vista, and will come out in the “Longhorn” Server, is all of Microsoft’s products have been adjusted to work not only in a hybrid IPv6/IPv4 environment, but for those who have a real extreme need to operate a completely native IPv6 infrastructure, which also reduces another class of threats.
And a lot of the governments around the world, the U.S. Department of Defense and others, you know, they’re well down the path, and actually some of our big customers now are even moving faster to this type of deployment.
So, some of these new tools give them a way to I’ll say get warmed up for the kind of policy driven specifications of access that we think they’re going to use in the future, and to move gradually down this path. All of the mechanisms to do the IPsec capability are there; what we’ve been missing is the ease of administration, and by the end of the year with our product and the other tools that are going to come from the partners, we’ll be able to move people I think quite gracefully in this direction.
In the Network Access Protection, as Bill mentioned, health is going to be an interesting question. One company’s determination of how healthy something has to be to gain access to a particular class of resources may be different, but we just announced 100 companies I think who are going to work with us in this area in kind of a plug-in architecture, so you can pay your money and take your choice about what health assessment you want to give your computers or phones or whatever else is going to attach.
So, I think we’re very optimistic that there’s a roadmap for this direction, and all the related administration operational technologies, and we’re quite convinced.
So, Microsoft itself is on the path of deploying this. We’re beta testing, of course, already the “Longhorn” Server technologies, and the architecture we’re describing to you is the enterprise network architecture that Microsoft itself is moving to.
BILL GATES: So that’s isolation; let’s talk about protection.
CRAIG MUNDIE: OK. So, if you look on this slide, you have one of the images that comes into my mind when I think about the way that we’ve been protecting things in the past. Whether it was our systems, our applications, the information, it’s sort of like we’ve been in the medieval age of computer networking and access. And we say, you know, we just have to build more and more fortress-like protections, so we build thicker walls, higher turrets, put moats out in front, bigger drawbridges. And what we didn’t really see coming yet is essentially the airplane and the air-to-surface missile and other things. The threat model is changing in fundamental ways.
And we could continue to invest in this fortress mentality of protecting everything, but I don’t think that that will be sufficient. There are clearly benefits to having some of these capabilities, and we need to move gracefully beyond them, but I think most people would agree that our castle is fairly porous, because a lot of the assets actually leave the castle. And increasingly not only do we have them leaving, but we have people who say, hey, no matter where I am, I want to be able to get at the stuff in the castle, and so please leave the drawbridge down, and make sure there’s lots of little paths for me to come back, and so I think that that’s an issue.
I think the other issue that we really have to deal with in protection is this idea that the information asset has to be protected all the time. It has to be in its own bank vault, and when you want to use it, you should take it out and give people access to it in an appropriate way, but when you’re done, the thing should basically go back to being secure. And that largely wasn’t the way that we did this in the past.
And so there’s a lot of different capabilities that we have been working to introduce in order to be able to secure data at rest, and, of course, make sure that it’s appropriately sequestered in flight or in transit, too.
There are lots of different places this shows up, in everything from how do you protect music and movies to how do you protect the corporate asset. So, Bill, let’s talk a bit about rights management and how you see that evolving.
BILL GATES: Well, one of the things that e-mail has done is made it very easy to send around in the company confidential information. But sometimes you actually want to – the creator of the message wants to proscribe the behavior about some of that message, you know, who it is forwarded to, is it printed out, and likewise for documents that you create.
The problem with e-mail has often been that one person will say, well, I’ll just forward that to one more person, and that person forwards it to another person and so on until it’s on the front page.
And so when you compose a piece of e-mail, the ability to just say this is about personnel issues, this is an attorney-client thing, this is about our earnings release, and then have the appropriate scope of who can send it, who can receive it, and what’s done with it, you really need that to be enforced. And so that’s one face of rights management: allowing mail messages and documents to have those things flagged with them.
Likewise, you want to have policies about how long people can keep things around, what are their retention policies for different types of information. And so the infrastructure for Exchange and SharePoint, it’s just now that they have these capabilities to define rights management.
Another piece of this is that when you get into this rights managed world you’re talking about information that’s in an encrypted form. And so the scenario that Craig talked about of losing the laptop, if you have the BitLocker capability, then the information isn’t just there. And, in fact, all these security things are always about the weak link. And we’re going to talk about passwords later, which might be the weakest of all the weak links right now, but if you do everything else right but somebody loses their laptop, that becomes the weak link.
CRAIG MUNDIE: So, there are many additional interesting challenges, even if we want to build this rights management capability. We started down this path, and there was really no effective way to build a hardware root of trust and then work it all the way up the stack into the operating system and the application.
But we started a few years ago with our friends in the hardware world to put TPMs in the chips and other things, and this is essentially starting to lay the groundwork, the infrastructure so that we, in fact, can have certificate-based roots of trust that start in the hardware and allow us to build this capability up. And so we’re still some distance away from really being able to use that in a wholesale way, but I think we’re making some progress.
One of the things that we’re doing is recognizing that if we’re going to give people these certificate-based mechanisms, we’ve got to make it a lot easier for them to move these things around. And so we’re building with partners little devices that are just like the keys of your car, they’re the keys to your computer, if you will, and you can carry these certificate tokens around, you can have biometric mechanisms to deal with them. And they give us the ability to move these things in a direction where we have a lot more control.
The other issue we have is you have to trust the application. In the past, if you said, look, I made sure the data got to you securely, but once I told you what the key was to unwrap the package, like an S/MIME message or something else, it’s then you didn’t really know how to enforce these other rights that you wanted to specify.
And so we are building essentially a class of applications, which people who have the ownership or responsibility for the data can elect to trust, they can do it because they trust the program, the vendor, the programmer, they can trust it because they tested it, but it’s the ability to bestow trust on a particular application that allows this to happen.
People can always seek to subvert these mechanisms, and that ultimately is you could say the ultimate weak link, but in the event that we want to put appropriate speed bumps or barriers up to reinforce sociologically and operationally for people what they’re supposed to be able to do, and what you didn’t intend for them to be able to do, the manifestation of these things in the various applications is going to be a very important part.
BILL GATES: So, let’s move on to identity. And this, as I suggested, I think is where the weakest link in these systems has been. You know, the overhead for password reset, the ease of guessing people’s passwords, they use the same passwords on consumer things they sign up for that they use in the corporation. So passwords are not only weak, passwords have a huge problem in that you don’t – if you get more and more of them, the worse it is. And so that in the past if you want to just say get to a partner’s Web site, they might give you a different account and a different password, and that would have to be managed, if you changed your role they wouldn’t know to go and change that.
So we have passwords, and, of course, we have to evolve from them, but we see Smart Cards as the specific, but certificates in general are the way that these things should go, that you’ll be presenting certificates as opposed to weak passwords.
CRAIG MUNDIE: The other thing I think we really have to focus a lot more energy on is the idea that in this Web 2.0 world one of the things that’s really happening is programs are becoming proxies for people. So, in the past we just assumed that if you were sitting there and you were in front of the screen, then whatever you were authorized to do, that was okay. But more and more we really want to have programs that work on our behalf. And we need to be able to say, you know, I want to give this program proxied access to the things that I would normally do, I want it to operate on my behalf. And so many of these issues of establishing trust have to be done there.
We also have the issue, even as we talked about in trying to establish the network control mechanisms and access mechanisms, we have to have a lot more rigorous identity for the machines themselves, simply because there are so many of them and we need to be able to identify them in ways where we don’t have assurances, for example, about the IP address. If you have a lot of things that live behind a NAT, and now you’re saying, well, look, I really want to be able to say that that app running on that machine in that other company is the one place where I expect them to come in and gain access, you know, you have to have again some way of reaching through and doing that.
So, these IPsec mechanisms allow us to have that kind of granularity. We can potentially have a lot, even if you wanted to use IP addresses, if you knew that you had an IPv6 address and you didn’t have to deal with the NAT problem, you have another level of granularity in that control. So, there are many different aspects of this that I think are going to improve.
Again, one of our big challenges at Microsoft was we just really had not given people great tools to deal with managing all these identities. And so the work that we’re doing with meta directory and the Active Directory capabilities I think are going to be a key part of these kinds of things.
BILL GATES: Yeah, certificate management requires, of course, good revocation policies, good ability when somebody forgets their Smart Card to handle that, and that’s a set of products that we actually acquired about a year ago, and now are putting out in full form that we think really is the milestone where enterprises should start the migration from passwords to Smart Cards.
And this is part of a general thing where when you go to a site and you want to get capabilities there, instead of using a password, you should present some sort of certificate that creates a chain of trust about who you are and what you should be allowed to do.
CRAIG MUNDIE: One of the things that is a real challenge is people now more and more have to be able to make a decision about what persona they want to present in a given situation, have some kind of contextually relevant way of choosing what credential they want to present to people, and for what purpose.
In the physical world we actually solved this problem for most people. We have a variety of tokens, physical tokens that we use or are given to us in order to represent these things. We have credit cards, driver’s licenses, national passports, and many other little mechanisms that we use to draw this relationship and make it simple.
I kind of think that in this whole era we’ve been in so far it’s roughly equivalent to the text mode interface. If you were expert and you really knew what you wanted to do, maybe you could find the right token that you wanted to present. If you look in a Windows desktop of the last generation, you would find, well, there’s lots of certificates in there on your behalf, and your IT department might have put some in there, you might have put some in there, so they control everything from Web browsing to access to the Exchange Server, but where do they show up in any way that you understand their role? And to some extent even how they’re named may, in fact, be completely opaque in terms of understanding what each of them does for you. And yet more and more we’re going to have to have ways to do that.
And so I think that one of the focuses, and one of the things I personally really like is the work that was done in Windows Vista with this capability we call CardSpace. What I think we tried to do there is to create a vehicle that allows people to have a GUI for credentials that represent their identities or different personas in any of these situations. It should be no more difficult for someone, given a particular situation, whether they’re shopping or applying for some e-government transaction, it should be no more difficult for them to identify themselves in a relevant way, in a controlled way online than it is for them to walk into somebody’s office or a counter or a grocery store, and reach in their pocket or purse and take out a credit card or a driver’s license. Each of those things in the physical world you know conveys a certain amount of information, and you can make a rational choice about whether you’ve disclosed enough or not disclosed enough in order to meet a particular requirement.
We’ve just never given anybody the equivalent of a drag and drop metaphor or a GUI for all of the credentialing that’s obviously going on, and is going to have to go on to a much greater degree in the world that we are moving to.
And so that is one of the things that’s in the [Windows] Vista system. I think people are going to have to acclimate to it. But it’s a place where you can create your own credentials, you can have people give you credentials that you need to present in the future, and the system is then able to actually help you reason about what the right credential is.
In many of the mechanisms that we’ve built through the WS-* protocols, when somebody wants you to identify themselves, they can essentially hint in a way that’s invisible to the user through the protocol what kind of credentialing they’re looking for. And we’ve even come up with ways where we can only highlight the set of credentials of all the ones that you have that might be candidates to fulfill that requirement. And I think a lot of these things are going to go a long way toward solving some of these problems.
Let’s talk a little bit about why it’s important to have this in this speak forth kind of environment, and how we’re going to build that kind of capability.
BILL GATES: Well, everywhere you go on the Web there are issues about reputation and trust. Some blog environments, they just want anonymous people to be able to say anything or rate anything, and then other environments they want you to present some credentials about who you are. And that’s just not going to scale with the kind of password things that we have today, because there’s no way in that to know what level of trust there is, and if you don’t have any level of indirection that can let it get to critical mass.
And so we actually saw some of the people who were working out in the Web 2.0 land were thinking about these issues of trust, and they came up with this Open ID 2.0. At the same time, we, with a lot of partners, were working on the WS-Security standards. And what we’ve seen is that these two things, one sort of growing up from the blog Web 2.0 world, and one from the enterprise space about federated applications, that they really are very, very complementary, and, in fact, that’s one thing we’re announcing today is that we’re going to support this Open ID 2.0, and they’re extending what they’ve done so that this credential capability moving beyond passwords, the CardSpace capability, they’re going to have that as a standard capability, partly because they see that it solves some problems, some attacks and some complexity for the user that a pure password approach is always going to have.
CRAIG MUNDIE: So, I think with this decision today to really work to bring together formally the Open ID 2.0 plus CardSpace capability, this gives us a tool where people will say, look, if I have assets that are not super valuable in a Web browser access environment, I can use traditional means. If I actually want a bit more security, but I’m still in a Web browser environment for access, then this marriage of CardSpace and Open ID 2.0 actually is a big step forward, because it eliminates the potential for the man in the middle attack, which was one of the fundamental issues in the Open ID protocol, and we think that’s a really good thing.
But then there are all these other cases that we talked about earlier on the stage about I want to be able to let somebody at Intel read a document that’s on my SharePoint at Microsoft. That’s now a browser-based environment, and to be able to have that level of granularity, that level of identity exchange really requires the fuller capabilities of the WS-* specification, which the industry I think has broadly endorsed.
And so we now I think with this have a complete continuum from the most simple browser-based kind of environment to the most complicated enterprise access control environment, and I think that that’s going to be a big, big step in the right direction.
And we’re happy, we’ve seen almost – you could say the time must be right. Independent of our own actions in this, a number of people in the Open ID community were beginning to say, well, we’re going to take this CardSpace thing and hook it up, and I think the agreement, which all of the participating founders of that Open ID activity have now agreed with us to do that, and they’ll I think be endorsing that later today. And we’ve seen everybody up to and including governments and banks starting to use the WS-Trust mechanisms in order to build their applications.
So, we think that this is really a big step forward and for the first time we can have a very, very smooth continuum, and, of course, one that has this common GUI metaphor for people to administer.
BILL GATES: Yeah, in terms of how all this is going to work together, interoperability is a very key thing. And so everything we’ve talked about this morning really has interoperability. The IPsec standards and the way we’re talking about using policy around that, that’s an open standard. This Open ID work that we’re doing, we take our specifications and apply what we call the Open Specification promise where those are out there. Of course, the WS-* process has been also a very open process with many companies involved in that. These certificate formats are obviously standardized elements as well. And so at the security level, interoperability is absolutely fundamental, and so it’s a piece of all the advances that we’ve talked about here.
CRAIG MUNDIE: If you look at the slide behind me, you’d say, well, why in this discussion do you have a picture of the pins on a chip? Now, one of the things that I think we have to do better in the software security community is think about what the boundaries are of the systems that we’re trying to create. This is something Microsoft did not do well in our early days, and, in fact, until fairly recently. We built our systems, they were increasingly distributed, they were increasingly based on protocols for interaction. And we really never did a lot of thinking and even less engineering about where to create the boundary that says here’s where people are supposed to hook up and interact, and here’s the things we can do to promote that, and here’s the things that we actually have to do that actually create the intrinsic security of our system.
If you have a product like Intel or AMD does, each time you spin your product forward and you aggregate new capabilities, you encapsulate it in that nice ceramic or plastic package. You make very explicit decisions about what pins are out there that you want to hook people up to, and you can either create or not create plug compatibility.
I think to make all this work, we are committed, and the announcements that we just talked about are an example of that, both in terms of how we handle intellectual property, how we collaborate on the specification formation itself. All of these are possible for us to a degree that it wasn’t possible in the past, because we’ve made this leap in our own thinking to say there are certain cases where interoperability is essential; we intend to design it in, we’re going to aggressively pursue that kind of capability, and I think that that’s going to go a long way toward creating a lot more capability.
On the other hand, we are getting more hardcore about saying where we are building things that really are the core integral security mechanisms of our devices; then we’re really working hard to tighten those things up. And so the mechanisms that you see in Vista in terms of signed drivers and other things, those things are there in order to say, look, once you’ve created your chip, if you will, your boundary of this set of software systems, you want to lock it down, you don’t want that to move out from underneath you, and you don’t want people to say, well, look, I really would like to just reach in, and I know that there’s some internal interface in that chip, just let me drill a hole through the lid, I want to use it. And we’re going to have to be very crisp in each generation of our systems now to decide which ones are there to promote interoperability and heterogeneous environments, and which ones are not.
Clearly, to achieve all this is going to require more and more industry cooperation and partnership. The psychology that we’ve developed at Microsoft about these issues around interoperability and protection, the model of, if you will, the new enterprise network, which actually means it just has a seamless boundary out into the Internet, the ability to have these protection and identity mechanisms, all of these things obviously will require value-add contributions by lots of people in the industry. And this slide is just an example of the kinds of companies that are already engaged in this activity.
So, just in closing, I want to thank Bill for his leadership in this as he moves on next year to full time in the Foundation. I’ll be back for sure next year at this conference, because I intend to continue to be the patron of security and Trustworthy Computing at Microsoft as we go forward.
It’s very clear to us that this connected world creates a requirement that we all work together to promote ease of access on any device for any application to any data set from anyplace in the world. And if we do that, things will be a lot better. They’ll be the kind of environment that in the digital world people are telling us they want to have.
We’re committed to doing the things necessary to bring that forward. We’re building these mechanisms not only into the product but into our own internal deployments to ensure that they meet these mission critical requirements. And we look forward to working with everybody in the industry in the years ahead to move to this next world of easy anywhere access.
Thanks a lot. (Applause.)