Roundtable Discussion: Top Security Concerns: A 360-Degree View from Microsoft

Remarks by Doug Cavit, Chief Security Strategist, Trustworthy Computing, Microsoft Corporation
Ben Fathi, Corporate Vice President, Security Technology Unit, Microsoft Corporation
Ryan Hamlin, General Manager, Technology Care and Safety Group
Ted Kummert, Corporate Vice President, Security, Access and Solutions Division, Server and Tools Business
The Security Standard Conference
Boston, Massachusetts
September 6, 2006

JOHN GALLANT (President, Editorial Director of Network World): So in January 2002 Bill Gates issued one of his famous Bill Gates memos that set a directional tone for the company. You may have been familiar with the one he issued earlier around the importance of the Internet. Recently we heard more about the direction of services and how services will play a role in Microsoft’s offering. But in January of 2002 it was around Trustworthy Computing, and how the company needed to steer in a new direction around that to make computing more trustworthy, as the name implies.

We have the opportunity today to talk with the folks who are leading security at Microsoft to find out how Microsoft has done, what work remains ahead.

And we decided to take a unique format with this. Rather than my questions or Bob’s questions, we really reached out to the folks who were registered for this event to ask you what questions you wanted to find out from Microsoft, and our discussion is based on that to make sure that we got the information that you were looking for.

We also took guidance from the CIO and CSO councils that Microsoft works with in shaping this conversation.

So let me please introduce our panelists, starting with Doug Cavit, who’s the Chief Security Strategist for Trustworthy Computing, Advanced Strategies and Policy Division; Ben Fathi, who’s Corporate Vice President of the Security Technology Unit; Ryan Hamlin, General Manager, Technology Care and Safety Group; and Ted Kummert, Corporate Vice President, Security, Access and Solutions Division, Server and Tools Business. Welcome, gentlemen. (Applause.)

It’s rare that I’m the only one with a sport coat on. This is kind of nice.

So I wanted to take a minute, and we’ll start with you, Doug, to talk a little bit about, give the audience a sense of what you do at Microsoft and what you’re responsible for, and we’ll go right down the line.

DOUG CAVIT: I’m the Chief Security Strategist for Trustworthy Computing, and what that is about is Trustworthy Computing really is the holistic view of the whole Trustworthy Computing experience, which comes down to making sure that we have secure experiences, that we take care and do a good job of protecting your privacy, that we have reliable, interoperable computing experience, and finally that we have good business practices within Microsoft. So it’s looking at the whole picture holistically and thinking about it in terms of how we work with industry and government across a broad spectrum, and how we weave the technology and the policy together, as opposed to just looking at any one piece of it.

JOHN GALLANT: Okay, great.


BEN FATHI: Hi. I’m responsible for the Security Technology Unit, which is part of the Windows operating system division. There are several groups that report to me. Fundamentally, I’m responsible for a lot of the core security technologies that go into the Windows operating system itself, but also the antivirus and anti-spyware engines that are used, both in Windows and by my partners here, Ryan and Ted, as well as providing and running what we call Security Development Lifecycle, SDL, which is a set of processes and tools that every product group across Microsoft uses to make sure that we have a consistent set of security standards that go along with every product from inception to release.

And my team also works on prescriptive guidance for all audiences from IT pros to consumers and government elites and developers.

And I’m also responsible for MSRC, Microsoft Security Response Center, which handles emergencies and exploits in the wild and comes out with patches.

JOHN GALLANT: Very good.


RYAN HAMLIN: I run a group called Technology Care and Safety, and that’s within the online services division, and several different initiatives, but the one that’s most noteworthy is the Windows Live OneCare consumer go-to-market application that we just launched in June, which is the kind of all-up take care of your PC, including a lot of the technologies that we offer in the protection space.

I also have responsibility for anti-spam company-wide in Exchange and Hotmail and Outlook, as well as all the anti-phishing efforts, some of the new work that we’re shipping down, the new version of IE.

I’m an executive sponsor for child safety, and have responsibilities for our parental controls software that ships in the new version of Vista, as well as some of the older stuff that we have in MSN.

And lastly, I run the privacy and policy group within the online services division.

JOHN GALLANT: Very good; thanks, Ryan.


TED KUMMERT: So I run a group in the Server & Tools business in Microsoft called the Security Access and Solutions Division. And think of me from Microsoft’s investments in products and technologies and security as building on top of a platform and offering additional products to help secure and provide secure access to your deployed infrastructure.

And as a part of that responsibility I own in the space of security our protection products. Think of this as the threat and vulnerability mitigation products, and our secure access products.

And specifically we have our Forefront line of security products. Today, we offer a set of products based on the technology we internally call our Antigen technology, which is a multi-engine protection solution for our server applications. We have that offering for Exchange, Live Communication Services and SharePoint, we have an offering coming called Forefront Client Security, which is about an anti-malware solution with integrated management and reporting for the client.

And then in the secure access space we have our Internet Security and Acceleration Server, which is our firewall, VPN, proxy product, but that’s all about our product that’s about providing access to corporate access assets through network boundaries and key network boundaries within your organization.

So that’s my end-to-end responsibility. As we think about it, our goal is to build that suite of products, client, server and edge security, integrated with our secure access platform as a part of a holistic security solution for you, the business side.

JOHN GALLANT: So let’s start off with the question that shaped this panel overall. It’s been almost five years since the directional memo on Trustworthy Computing. Let’s talk about two aspects of that, talk about what’s been achieved, what are the major things that have been achieved since then, and then what work remains ahead, what are the things that you’re focused on for the next year and next five years.

BEN FATHI: I guess I’ll talk that. So the Trustworthy Computing memo was really a cultural shift for Microsoft. One of the first things that happened is we took all of the developers and testers and program managers in the Windows team, and took them off all the projects they were working on. We spent a fair amount of time training them on how to write secure code, and then spent a lot of time looking at attack surfaces in Windows, identifying them and trying to fix them. And what came out of that was the XP SP 2 release, which now has over 300 million copies worldwide, and everybody uses them.

More importantly I think, what we came out with is something called SDL, the Security Development Lifecycle. I mentioned this earlier. It is a set of processes really and tools that we’ve built over time and we’re continuing to improve that my group is responsible for, but really every single product at Microsoft, not just Windows and Office, but everything that we ship has to go through this process.

It starts from the inception of the product release. So the very first thing that happens is when the group wants to develop a product or component, that we team up a security buddy with them, and they’re responsible for educating the team on different attack vectors, you know, does this product or component listen to the network, does it modify system configuration, what kind of APIs does it have, what kind of requirements do you have; so starting with the requirements gathering, build security into the design of the component.

Then we take that design, obviously do reviews on it to make sure that in terms of security and privacy, which is another aspect of Trustworthy Computing, it matches our requirements.

Then we go through the implementation and testing phase. We have the team itself responsible for the product doing the testing, as well as penetration testers, either from my team or external penetration testers that we bring in to the company to help the team and attack the product, just like a Black Hat hacker would.
And finally, we go through the release cycle where we have something called the Final Security Review, FSR, where again program managers from my team work with the product team to run a set of tools and make sure that it matches a set of requirements that we have.

And just last year, we had over 300 products that Microsoft has shipped. Every single one of them went through this. And with three exceptions, they all passed. And the three exceptions, when that happens, we escalate to myself and to Craig Mundie, and we either block the product and have the team go back and delay their product release and fix the security issues, or we come up with some sort of mitigation.

And, of course, after the release, we’re not done, we go into the response phase where we look at patching the product as problems come up, and do postmortems to understand why didn’t we catch this problem.

So this is the entire lifecycle of the product, and SDL is something that we use internally. We have a set of tools that developers use that we’ve built into Visual Studio, for example, and our source code control system. And we also evangelize it. We’ve written books on the set of processes and tools. The latest one is called SDL, “The Security Development Lifecycle” by Michael Howard and Steve Lipner that’s available. And we evangelize it to ISVs, because this is not just a problem for Microsoft. We are a big target out there, we have a large installed base, but it’s really an ecosystem problem that we need to educate all developers out there and all companies on how to secure their products.

So that’s the biggest single fundamental change in the culture of the company, taking security importantly and building it into the development lifecycle.

Moving forward, we have a huge amount of work still to do. Vista is really the first version of the operating system that’s gone through the SDL from inception to end, and there are a huge number of security improvements that I won’t go into the details but that improve the security of the platform.

Moving forward, we want to look at the trends that are out there in the industry and in the Internet and try to improve on those features. Our strategy has always been defense in-depth. So, yes, we have a fundamentally secure platform, but we need to continue to improve that with things like a firewall, with antivirus, anti-spyware. So there is a lot more work to be done.

DOUG CAVIT: I guess I have a unique perspective on this. I was a CIO for a medium sized shop five years ago, and thinking back to when the memo was written, what I was looking for Microsoft was four things: I was looking for consistency in terms of being able to rely on them in terms of what comes out; I was looking for transparency, I really wanted to know what was going on so I can make my own informed choices as a CIO, so I could protect myself and to make sure my business was protected; I was looking for Microsoft to partner with me to give me information and to help me, as well as me being able to share feedback with Microsoft and then being able to then act on it; and then finally I wanted to see that things were actually happening, that there was actually a track record to say that things were happening.

And what’s interesting is in those intervening five years we think we’ve met a lot of those goals. There’s been huge amounts of change in terms of transparency, in terms of talking about vulnerabilities, in terms of how our processes work like SDL, in terms of the products that we’ve shipped; the consistency, we’re now delivering patches on a regular basis so that you can anticipate and you can patch on a regular basis and make sure that you have the most up to date software running in your business.

We’ve done a great job in terms of partnering, in terms of working with customers, in terms of making sure we have CSO councils. We have meetings with CIOs that we really try hard to listen and get the feedback, and that we also are thinking about security holistically, that we’re working not just to solve the problems with technology, but we’re actually trying to weave policy and technology together, working with industry, working with government to try to change the ecosystem, to try to attack it at the source, to try to change the regulations, to try to make sure that we get people informed that they’re doing the right things at the consumer and the business level.

JOHN GALLANT: So five years ago, what grade would you have given Microsoft in security, and what grade would you give it today?

BEN FATHI: I would probably have given Microsoft a C- or a D, and today I would say a B+.

JOHN GALLANT: Okay. So going back again to the second part of the question, what are the things that you’re working on for the future that would bring it to an A?

RYAN HAMLIN: I’ll add. I think a lot of where we’re going in the future is tied to the services space. I mean, clearly, when we went into this years ago, I think maybe all of us were a bit naïve on how drastic this ecosystem change is, and the threats every minute, every hour are constantly in motion.

And so I think moving from that B+ or B, B+ to an A, A+, I think a lot of it is in this services space and being able to quickly react to the threats as they happen. And I think you’ll see across all the products that Microsoft is working on today that there’s a core application but there’s a tightly coupled service that goes hand-in-hand with that. And that’s really how you really stay on top of all these emerging threats.

JOHN GALLANT: Well, let’s talk about that, because that was a question I was going to ask farther in. That’s a big initiative now to bring this service component to bear on Microsoft products. Talk a little bit about how it positively changes the security experience, but does it open any risks in terms of the security experience and change the parameters for customers.

TED KUMMERT: So I’ll start with that. I think at a first level, security and being responsive to the issues that our customers are facing requires a service delivery model, that every anti-malware offering today is, in fact, a service.


TED KUMMERT: Now, there’s also the differentiator of is that managed, is that hosted by someone else or hosted on premise, but everything requires a high level of service capability in order to be responsive to what’s going on in the environment, and that’s a place that we’re investing today across all of the services.

There’s also, of course, choices, and we talk to a lot of customers about that, the choice between hosted offerings versus on-premise solutions. And we think there’s a lot of benefit toward our investments there. We’re obviously doing the kind of managed offering for consumers in terms of Windows Live OneCare, but in the business product space we have our Exchange Hosted Services Filtering product for Exchange that provides anti-malware and anti-spyware filtering as a managed service, and there’s a lot of benefits to that.

There are some additional benefits for us in terms of how does this affect our products. As we deploy our on-premise solutions to operate them as a hosted service on your behalf, we’re walking in your shoes in terms of taking our software and deploying it and using it on a day-to-day basis to provide a high level of service to you, the customer, which is the same thing we’re asking you to do when we sell our on-premise solutions. And this can only help to improve our products. It can improve our products because it’s a place for us to continuously improve and drive faster innovation, and it’s a way for us to improve all of the aspects of it, because we’re operating it and servicing it, and running a 24 by 7 available service on a day-to-day basis. So I see a lot of benefits of it.

In terms of how we’ll move forward in terms of other offerings in the business space from a hosted perspective, that’s the place where we’re kind of continuing to get feedback from customers and looking at what are our kind of best near term opportunities to add additional offerings in addition to Exchange Hosted Services Filtering that we have.

RYAN HAMLIN: Yeah, just to build on what Ted and I think Ben was saying earlier about this kind of defense in-depth strategy, I think when we step back and we see what kind of the evolution that we’ve gone through as a company over the last several years, I think we stepped back and said, you know what, we need to build a base foundation, right. Not to use a house analogy, but you build a house on a very strong foundation. And I think we step back and now with Vista coming out, we believe we have this great, strong foundation.

And then you have this depth that each of the organizations can then add more value. So sometimes that value is in the servicing elements that Ted was talking about, it’s in the integration of all the pieces. On the consumer side it’s certainly making it simpler for consumers, and again I’ll say it goes across the enterprise as well. The manageability of those services are really the depth offering. And I think that’s where again there’s value that we’re adding back in now on this very strong foundation that we’re building with it started with XP SP 2 and certainly now with Vista.

JOHN GALLANT: Let’s talk a little bit about how that would change the fix process today. One of the areas that people express frustration about is the whole patching process — you mentioned patching. What are you doing to improve the patching process today, and how do you see services changing that in the future?

BEN FATHI: I guess I’ll take the first part of that. One of the things we’ve done over the last couple of years is after talking to a lot of CSOs, a lot of customers, looking at their pain points, what we were told is that they want a consistent, repeatable set of processes for when patches come out, and they want them to be manageable and deployable. So we’ve gone from a haphazard model of shipping patches when they’re ready to a monthly cycle. The second Tuesday of every month we have a set of patches that come out. We announce what’s in the patches several days before that so that they’re prepared, they know what the size is, they know which applications on what platforms could possibly be affected. We’re also working with third parties in some cases, such as Adobe. Recently we had I believe a fix for Shockwave that was included in one of our patches.

So again I know Microsoft always gets that big, bad target on our head because we have such a large installed base and so much software, but it is an ecosystem problem, we fundamentally believe in that, and we want to work with our partners to improve that ecosystem.

So by having standard releases of patches on a monthly basis, by identifying and giving prescriptive guidance to our customers on when to deploy them, how to deploy them, how important they are, whether it’s a critical or important or moderate impact on their business, we’re trying to help them be ready for it and take action when possible.

Moving forward, I don’t think that model changes much. There have been a lot of questions every time I talk to CSOs, do you see that patch Tuesday going away, because Vista is more secure. Frankly, no, I don’t think it will go away, because the majority of our products still out installed, deployed are Windows 2000, XP, Windows 2003. So for all of those we will continue to have patches on a regular basis. Yes, I think there will be buts for Vista and patches for Vista as well. No software is 100 percent secure; we always say that, there is no single silver bullet in security. So we will continue to patch our products. Hopefully, the frequency goes down and the urgency goes down as we put these layers of defense in depth in place, so that customers can take their time, understand what the impact is, and deploy them in a more orderly fashion.

JOHN GALLANT: So, Ben, you mentioned Adobe sending out a release. Do you expect to see more partners taking advantage of that?

BEN FATHI: We have been working with them. I think a lot of partners are doing their own downloads. If, let’s say, you have a Yahoo! Messenger that has a bug, it automatically checks in and updates itself every once in a while. So some partners download that way. In several cases where there have been significant impact to the user base in terms of a security vulnerability, we have worked with them to include it in our downloads to make sure that it gets to as many machines as possible, and we welcome that kind of opportunity to work with our partners. I don’t have any specific examples of other partners doing that right now, but we welcome them.

JOHN GALLANT: Okay. I want to step up a little and look from an industry perspective. As you focus your efforts on security, what trends are you seeing in terms of criminal activity on the Internet, and what are the kinds of things that you think companies could be doing to handle those threats better, and what are you doing to stay ahead of those threats?

BEN FATHI: I guess I’ll take that one, too. Thanks, Ryan.

So in terms of trends, we have a lot of data. We are in a really unique position, having such a large installed base, and there are a number of different vectors that we get this data in. We don’t talk about one of the most important ones, MSRT; the Malicious Software Removal Tool is something that we released about a year, year and a half ago, that is automatically downloaded from Windows Update every time, every month as you get patches. And it’s a very small program that runs quietly on your machine, and it’s sort of an antivirus product, but doesn’t do an entire scan of your system, it just looks at what’s in memory. And it has signatures for the most prevalent kinds of malware.

So we look at that, we try to clean the machines, and it’s been executed over 4 billion times over the last year and a half, which is an amazing number. And it’s cleaned over 18 million viruses. So what we do is based on that, if we see suspicious data on the machine, we collect some of that data and bring it back.

There’s also other aspects: Defender, as I mentioned earlier, is our anti-spyware software that’s available on XP and built into Vista. It’s currently in beta, releasing in a month or two for XP, and it’s also included in Vista.

That also has a component called SpyNet that is an opt-in model where users can opt in and send us more data on suspicious looking software or packages on their machine.

We get data from Hotmail, all the spam mail. There’s over 3 billion pieces of mail going through Hotmail every day, and up to 95 percent of it is spam. It’s an amazing number.

So we take all of this data and we look at it, and we mine it for new kinds of malware, and look at the trends. And what we’ve found is over the past year or so we see a lot of movement towards targeted attacks and financially motivated attacks. The e-crime survey that was published today I believe also agrees with that trend-finding where we’re seeing fewer incidents of malware on the Internet, but more financial damage because of them.

The other thing we’re seeing is a prevalence of botnets and rootkits. Rootkits are basically viruses that get on a machine and get into the kernel and by getting into the kernel they have complete control over the machine, and they can hide themselves, so they’re really hard to get rid of once they’re on a machine.

So these are some of the trends that we’re seeing.

In terms of what we’re doing to improve the situation, there are four tenets basically that we have that Bill talked about at RSA 2006 that moving forward we’re trying to improve. The first one is building a trust ecosystem. By that what I mean is today we have — everybody sees security as a defensive measure. What we want to do is turn that around. By pulling in things like identity and access, and federation services across multiple companies, we want to make it an enabling technology so that you and I can share data securely and privately without having to worry about security implications of that.

The second is engineering for security, and that’s all about SDL. That’s what I talked about, about improving, building much better software.

The third is simplifying security, which is what Ryan talked about in terms of making it easy for consumers and businesses to manage their security.

And finally, the fourth one is building a fundamentally secure platform, and that’s what the operating system is, and that’s what a lot of my team delivers.

I’ll give you a couple of examples. So I mentioned rootkits. One of the things we’re doing in Vista is on 64-bit versions of Vista we have something called Kernel Patch Protection, which has actually been shipping since XP SP 2 and Server 2001 on 64-bit machines. This is a piece of code that runs in the kernel, and think of at a high level the checksum’s different components of the kernel, from code to data structures, so that if a piece of malware gets into the kernel and tries to modify kernel instructions or data, we block it and we don’t allow that to happen.

The point is we’re trying not to address every single malware that comes out, every signature — obviously we do that with antivirus and anti-spyware — but try to get rid of an entire class of attacks by protecting against rootkits, for example.

So that’s just one example, but it gives you an idea of what we’re doing moving forward to try to attack these new trends.

JOHN GALLANT: Great, and Bob will be running a discussion tomorrow, I believe, Bob, on the e-crime survey where we’ll share results from that survey that was released today.

So let’s talk a little bit about Microsoft’s plans in the security product market. More and more products coming out from Microsoft, we hear some of the smaller security vendors saying that you’re validating their market spaces, and let’s talk about what’s the scope, what will you offer, where will you and won’t you play in the security market.

TED KUMMERT: Okay, so I’ll start with that, and I think Ryan will probably have something to add from a consumer market perspective.

I want to start with just how we think about our product investments relative to security. There’s really two components to it from my perspective. The first is about Windows and all of our products being more secure and resilient and hardened as deployed in your environment, release over release. This is all the investments we’re doing in the SDL and our development processes, these are all the security features in Vista and all of our products, this is all the work we’ve done in prescriptive guidance, this is all the work we’ve done in terms of promulgating SDL as something you can use to write applications and the ecosystem you can use.

This is our highest priority. We’re not confused about that as being the most important investment we make in securing in security. That’s number one.

The second part of it is recognizing the reality of the world that we live in, and that there is a need for additional products to provide for protection. And from a business products perspective, my division is in two spaces, a class of threat and vulnerability mitigation products, as well as secure access products to protect your deployed infrastructure, that deployed infrastructure having people and processes and evolving down level. We think there’s a lot of value that we can add.

When we think about the value, kind of our investment, why are we investing in this product space, one reason is frankly customers have asked us to, but there are a lot of benefits we think we bring and can uniquely offer.

One thing is just increasing kind of the levers we have to pull in the presence of issues, vulnerabilities and classes of exploits. There’s obviously the most important thing we do in terms of servicing our platforms that are out there and deployed in terms of issuing patches and guidance as to what to do in the presence of a vulnerability as we work to close them and block classes of exploits.

There’s the long term architectural investments we can make in the platform to cut out in a more wider swath classes of exploits and vulnerabilities, and those are a lot of the technologies that are coming in Windows Vista in terms of PatchGuard to block rootkits from loading into the kernel, address space layout randomization to reduce the attack surface for exploits, Windows service hardening to detect when services have been potentially compromised. All of those are kind of longer term architectural investments.

But then at the middle level our ability to respond with even at a basic level signatures from an anti-malware, that adds a level of ability for us to respond to vulnerabilities and exploits.

And as we participate in more levels, that’s going to increase our knowledge, and we’re going to do a better job at all levels of the more knowledge we have of all the vulnerabilities and exploits that are out there.

The other thing we hear a lot from customers is about the cost and complexity. And complexity obviously is a driver of cost. It’s also an issue relative to knowing that your security, your intended security policy has actually been implemented, and you’re actually in compliance with what you intended to do.

And so as we think about the Forefront line of products, there’s obviously the things at a basic level about providing a comprehensive solution, defense in depth, protecting at the client, server, and the network boundary, protecting across the full lifecycle, assessment protection, containment and recovery once you’ve had a security incident, protection from the known and the unknown; those are all the basis level of things.

But we have a big focus on integration and the value we can deliver via integration; by unifying policy across all of these security products, how can we make it easier to manage these products and know that you’re in compliance with your intended security policy. From integrating with the rest of your deployed infrastructure, one of the things we’ve done in Forefront client security is we layer in directly and use Active Directory group policy, we utilize SMS and WSUS for signature distribution; it’s all built on infrastructure that you’re already deploying and operating.

We think there’s a lot of value in terms of end-to-end visibility of your security environment, for reporting and analytics that actually can cover your full environment.

I actually read a piece recently, and I wish I could give the author credit, on the Internet, which likened the problem of security event management to taking a broken mirror and gluing it together and trying to see the full image again. And we think there’s a lot of opportunity to bring together security information to enable you better visibility in real time and forensically as to what’s gone on in your environment.

And lastly, a thing we’ve talked to a lot of customers about is the convergence of systems management and security management. And we are building within our Security Center framework, and with our systems management framework when we implement our security management solutions. And however that transition is going to take place, we believe this transition will take place over the next five to ten years, we’re going to enable you to take those steps as individual components might move across from one discipline to the other as these become more components of what you’re operating.

So we think we’ve got a lot to add from the perspective of not only offering a comprehensive solution, but also in simplifying it, and by simplification we think we can raise the level of security.

JOHN GALLANT: So a couple questions about your initiatives. You’re selling the products that need to be secured. Isn’t it a conflict of interest to sell products to secure them?

RYAN HAMLIN: So I’ll take that one. Just building a little bit off what Ted was saying as well, when we talk about certainly there’s this customer need, and then we add unique value — sorry, I keep using these analogies; I’ll go for a car analogy now instead of a home analogy, but the car analogy that I like to use —

JOHN GALLANT: Can a sports analogy be far behind?

RYAN HAMLIN: It’s coming, it’s coming, it’s coming; just give me a little more time. (Laughter.)

On the car side, when we think about you build a basic car, and then every manufacturer builds it so that you can change the oil, you can upgrade the stereo, you can add wheels, you can do all these things, these value-add on top of that base framework of the automobile. And where I think when we come into this, we say it’s not a conflict of interest, there’s a great platform that’s being built, and we’re opening that platform up for all parties to build value proposition on top of that. And in the case of on the consumer side I’ll speak about some of the things, the tenets that Ted was talking about, about making it simple, and making it evolving, and from a security standpoint we saw this need on the consumer side to say, you know, consumers just want this thing to work, they want their PC to work, they don’t want to figure out what is all this stuff underneath.

The same way that I guess I used to change my own oil, I don’t do that anymore, I take it in and I pay a fee for someone to actually service that, and that’s acceptable to me because I see the value added. So again I go back to this build a basic platform, add those value-added services, and I don’t think there’s a conflict of interest because of those value-added services are open for all to come and play and add value on top.

JOHN GALLANT: So is there a commitment that your security products will be heterogeneous or is the focus Windows only?

TED KUMMERT: Well, certainly, I mean, that’s another thing we hear from customers is we need full visibility, and full visibility including solutions you don’t build, from a protection perspective, from a secure access product perspective, and protecting non-Microsoft solutions, that’s a requirement that we’ve heard over and over again from customers.

In terms of our approach there, I see three pillars to it. The first is obviously the support of creating and supporting industry standards. And from a security management perspective it is about a lot of the standards that are most important are in the systems management area. You know, an example of standards efforts that we support and are a part of, WS-Management, another we just recently with a set of other companies are moving forward to establish a standard in the space of service modeling language, and we will continue to support and adopt and promulgate standards that we think can help address the interoperability and manageability end-to-end of the heterogeneous environment. That’s at a first level.

The second is the extensibility that we build into our products themselves, such that partners, customers can add value and provide unique add-ins to the security offering that we have. That has always been a strength of Microsoft and one that we will continue to push forward in this space.

And the third is where we actually partner deeply with industry partners to work on specific interoperability, and, in fact, later this morning Cisco and Microsoft, as an example, will be announcing interoperability between Cisco’s Network Admission Control and Microsoft’s Network Access Protection, and a specific interoperability solution that we’ll be bringing to market when Longhorn Server ships at the end of the second half of next year.
And here’s a great example of an important customer problem, which is about increasing network integrity by ensuring system health as a part of the connection process to the network, you know, it’s a part of the network access control process; and Cisco and Microsoft each moving forward on both of their initiatives, Cisco’s NAC and Microsoft’s NAP, but then hearing clearly from customers these are solutions we will likely some of us will deploy at the same time, and we need interoperability from you. And so we had an agreement two years ago that we signed in order to pursue that, and we actually got a specific delivery plan, roadmap and architecture that we’ll be talking about.

So that’s another place, but the three pillars are standards, the extensibility and building it as a platform, and the third is the partnerships and building specific interoperability where driven by customers to do so.

DOUG CAVIT: I’ll also say that Microsoft looks at the ecosystem as not being a Microsoft problem, but as a whole industry problem, so that’s why when working with government and with industry as well, we’re trying to take this holistically and talking about defense in depth in terms of really working on the standards to help promulgate standards and get best practices out there.

You know, it’s interesting, you can read statistics that say 18 percent of people say their data is really secure if you talk to CSOs and CIOs, and so that’s really a bad number if you think about it. We really need to get that number up. And the way we do that is offering great products, it’s offering great guidance, and it’s working with the broader sets of industry and government to try to build the whole ecosystem so that people can get more confidence in their data and in their processes that they’re working with.

JOHN GALLANT: It makes sense.

And our time is getting short, and one area that I want to make sure that we touch on came up from a number of people in advance is the area of mobility. Computing is getting more mobile, there’s a lot of information out on machines that aren’t connected directly to the corporate network. What’s Microsoft doing to make the mobile computing experience more trustworthy?

TED KUMMERT: I’ll start. You know, the obvious trends we hear about consistently are the trend toward mobility, you know, there are more customers, partners, employees connecting from without the classical edge of the network year over year, and that trend will continue.

The other element of that is from a broader range of devices. It’s the corporate owned and managed laptop, it’s the home PC, it’s the public Internet kiosk, it’s managed or unmanaged mobile devices providing connectivity. And this increases the tension between providing security while unlocking access to the business, because there’s clearly a tension there. And in general our approach is to move toward implementations that are governed more by policy than they have been historically governed by topology. So you can make access decisions to corporate assets based on your policy, and policy of who the user is, where they are, what location may affect what information is appropriate to expose, the state of the machine they’re on such that you can validate its integrity, and then other business policy that you would apply.

And that’s the top level in our approach, and examples of that in terms of things we’re doing in our products, I mentioned Microsoft Network Access Protection. This is a policy-driven platform for basically about increasing network integrity by ensuring system health prior to connection, and allowing for a platform such that multiple networking technologies and authentication mechanisms can be plugged into that, and allowing for you to have a policy based on your definition of system health to allow connectivity into your network.
And in the next level up, the boundary in your network, the edge is still an important enforcement point for access policy. Historically it’s been provide access, full VPN connectivity or not, and there’s been issues with that being hard to manage and a complete, you know, a wide surface area to allow people to connect with internally. So part of our strategy is to increase the options. It’s connectivity and policy applied at the network level, but what can we do at the application level. And there we have our ISA Server product that is a firewall VPN product. We’re adding a feature we call Secure Web Publishing. We recently shipped ISA Server 2006. That’s about allowing SharePoint sites to be securely published through the edge. So that gives you an option; if you want to provide that level of information access, the user doesn’t have to use a full VPN.

And then we made a recent acquisition of Whale Communications, which has an information application gateway, which is essentially an SSL VPN product, and it also provides for application level access, specific application policies and proxies, and policies to govern access. And this allows essentially more fine-grained control, and it’s about putting IT more in control of implementing a policy for information access.

So our strategy is really to bring these initiatives together over time as we bring forward Microsoft NAP with Longhorn Server, future versions of ISA to bring that together as a part of one secure remote access platform, governed by extensive policy.

JOHN GALLANT: Ben, do you want to have a quick comment?

BEN FATHI: Yeah, let me just quickly add a couple of other data points.

One of the areas that we’ve invested in the platform is Windows Rights Management Services, which has been available for several years now, and the client is built into Vista. This gives you the ability to take any object really, whether it’s a file, a document, or a piece of e-mail, and put protections on it based on identity. So you can say Ted can read this piece of mail but he can’t write it and change it or forward it or print it, and Ryan can’t look at it, or Ben can only read it until next Tuesday. So you can put all kinds of fine-grained control on that.

And it’s a public set of APIs, so we’re working, there are third parties that have built vertical solutions on top of that in the CAD/CAM space, in the health space. And in Office 12 we’ve integrated it with Exchange, so it’s also policy based. An administrator can say any mail from Bill Gates is not allowed to be forwarded outside the company, for example.

JOHN GALLANT: That would be a problem. (Laughter.)

BEN FATHI: So you can protect your data.

The other area we’ve invested in, just one other example is we heard a lot from customers, and you’ve heard all the headlines in the news about lost and stolen laptops and data on their, personally identifiable information, corporate data, and it’s a major problem.

So one of the things we’ve built, and obviously in the past we’ve had EFS, our Encrypting File System, which allows you to encrypt a certain set of files, but what we’ve built into Vista is something called BitLocker drive encryption, which allows you to encrypt the entire hard disk at a block level on the laptop, and in the server scenario also applies to servers in branch offices, for example, that don’t have physical security, so that you don’t have to worry about that data getting lost. It uses hardware encryption technology from a trusted platform module, which is a standard, and it encrypts the entire disk on the system, so it makes it much more easy to secure your data.

JOHN GALLANT: Very good.

Okay, we’re out of time. A couple things. I wanted you to notice the purple screen behind you, because we would never put a blue screen behind you. (Laughter.) Okay?

I want to take a moment to first thank folks in the audience who submitted questions that helped shape this, that was great, and I want to thank our panelists, Doug Cavit, Ben Fathi, Ryan Hamlin, Ted Kummert; thank you very much for joining us today. (Applause.)