In his keynote address at the RSA Conference 2006, Microsoft Corp. Chairman and Chief Software Architect Bill Gates shared Microsoft’s immediate and future plans to achieve a more secure digital future, where interconnected networks worldwide allow people to work and play across a multitude of devices, products, services and organizations, with greater confidence in the security of their experiences.
Gates highlighted advancements in the forthcoming Windows Vista release such as isolation techniques to reduce the impact of malware, improved identity and access controls, and better data protection. He also showcased innovations surrounding the platform such as Windows OneCare Live, and industry partnerships such as the SecureIT Alliance. He called for the industry to come together to achieve a more secure computing experience for all users.
“This rapid adoption of the digital lifestyle offers new computing opportunities for both personal and business use,” Gates said. “Our vision for security is to create a world where there is greater trust—where people and organizations can use a range of devices to be more reliably and securely connected to the information, services and people that matter most to them.”
Gates emphasized that the vision of a digital lifestyle can only succeed if it is designed with security at its core. Gates highlighted Microsoft’s unique intelligence on the ever-evolving threat landscape—insights gleaned from more than 2 billion executions of the Microsoft Malicious Software Removal Tool, more than 230 million users of MSN Hotmail, Microsoft’s product support services, Windows Defender, and the Online Crash Analysis tool. He noted that these insights enable Microsoft not only to respond more quickly to the evolving threat environment (including an increasing threat of botnets and rootkits and the growing threat of attacks on multiple devices), but also to design long-term security strategies that anticipate future trends.
Accordingly, he emphasized four principles required to achieve the vision of a seamlessly connected, more secure digital lifestyle for consumers and businesses: a trust ecosystem, security engineering, simplicity and fundamentally secure platforms.
Fostering a Trust Ecosystem
A “trust ecosystem” is an environment that engenders trust and accountability between people and businesses. Today trust ecosystems exist in the physical world—they can be as simple as a loss of reputation, or expulsion from a group, or something as severe as a conviction for a criminal act—but Gates asserted that trust must be extended to the Internet, and that a key component, reputation, must cover not only individuals and organizations but also code and devices. Gates gave as an example the kernel mode driver signing feature of Windows Vista, which will help protect against changes to system structures and help limit the spread of malicious software by identifying the publisher and by requiring code to comply with certain policies to ensure integrity.
“A trust ecosystem should be established to help users and organizations more efficiently and safely leverage current and emerging online technologies,” said Dan Blum, senior vice president and group research director of Burton Group Inc. “Microsoft has presented an ambitious vision for protecting online computing, but fulfillment of that vision requires industrywide involvement.”
Gates emphasized that the industry needs to work together to provide a wide range of digital identities for people, organizations, devices and code. Gates highlighted work Microsoft is doing with the industry in support of the Identity Metasystem, a way users and sites can more safely and privately exchange personal identity information across the Internet.
To help end users, organizations and developers connect to the Identity Metasystem, Microsoft will introduce new technologies including “InfoCard,” the code name for a new feature of Microsoft Windows that simplifies and improves the safety of accessing resources and sharing personal information on the Internet.
Gates announced that “InfoCard” will be delivered as part of WinFX, Microsoft’s managed code programming model, and will support Windows Internet Explorer 7 on Windows Vista, Windows XP Service Pack 2, and Windows Server™ 2003 Service Pack 1 and R2.
“The Identity Metasystem addresses the fundamental need for a platform-independent identity architecture for the Internet,” said Lawrence Lessig, professor of Law at Stanford Law School and founder of the school’s Center for Internet and Society. “It insulates consumers and businesses from the intricacies of the numerous individual identity systems that are in use today, and provides a much-needed framework for information to be shared more easily and securely online.”
Gates also discussed the company’s commitment to further simplifying the overhead associated with identity and access management in the enterprise. Beginning with the future release of Windows Server, code-named “Longhorn,” Microsoft will expand the role of Active Directory to include Rights Management Services, Certificate Services, Metadirectory Services and Federation Services.
The expanded capabilities of Active Directory will provide customers with a unified identity and access infrastructure that spans enterprise and Internet scenarios. Gates also announced the first beta of Microsoft Certificate Lifecycle Manager, a policy- and workflow-driven solution that streamlines the provisioning, configuration and management of digital certificates and smart cards, and increases security through strong, multifactor authentication technology.
Engineering for Security
Gates called on all companies to strive for excellence in security engineering at all stages of development to ensure more-secure product design. Engineers around the world must be consistently trained in secure design and coding practices. He encouraged the software community to change the engineering culture so security is no longer an afterthought, but a guiding principle from the very beginning of development.
To provide a more secure ecosystem, Gates encouraged industry partners to publish and share best practices for developing more-secure code and, as an example, cited Microsoft’s implementation of the Security Development Lifecycle (SDL). The details of this formalized process have been made publicly available for developers, including its code-scanning tools such as PREfast and FxCop in Visual Studio 2005.
Security is complex, making it difficult for IT professionals, consumers and developers to make the appropriate decisions or accurately implement security measures. In his address, Gates called on the computing industry to simplify security to make it easier for developers to write more-secure applications, Web services and platforms, and to help ensure that customers can use and switch between applications, services, platforms and devices while being confident that their information is protected. A key to simplicity, Gates said, is integration with the platform that can help drive ubiquity and ease the ability for third-party developers to write extensions that take advantage of the platform.
Gates discussed a number of Microsoft efforts to simplify security for users, including the Windows Security Center in Windows XP SP2 and Windows Vista, which makes the status of security protections easily visible to consumers, regardless of the vendor. Another example Gates highlighted was the underlying design goal of Windows OneCare Live, which was developed to improve overall PC health instead of focusing on merely one need.
Building a Fundamentally Secure Platform
Platforms must maintain the confidentiality and integrity of information and resources, regardless of whether information is being stored or transported across devices, services or networks. Gates said that isolation technologies to protect against the threat of malware, trust-based multifactor authentication, policy-based access control, and unified audit across applications must be built into the computing experience at the platform level, and he outlined a number of technology investments Microsoft is making to bring this vision to life.
He highlighted Windows Vista, the forthcoming operating system, and noted that it has been developed with the highest attention to security. For example, it includes Windows Service Hardening, a feature that restricts critical Windows services from doing potentially malicious activities in the file system, registry, network or other resources that could be used to allow malware to install itself or attack other computers.
Other features include a two-way firewall and built-in anti-malware protection, Windows Defender. In addition, it will include User Account Protection, which makes it easier to deploy a more secure and manageable desktop for standard users, and information protection via BitLocker Drive Encryption. Gates announced the public availability of the second beta of Windows Defender for existing Windows systems, which includes several enhancements and new functionality that reflects ongoing input from customers. The free beta download is now available for customers running Windows XP, Windows 2000 and Windows Server 2003.
Industry Call to Action
Gates appealed to the industry to come together to develop more-secure products with a common understanding of how software should behave and work together. He asked the industry to support a trust ecosystem that will allow people to embrace a digital lifestyle with more secure, accountable and reliable technology.
Gates highlighted the company’s commitment to building industry partnerships to promote security. A notable example is the SecureIT Alliance, formed by Microsoft in October 2005, which now has more than 70 members. The industry consortium’s goal is to enable independent software vendors and systems integrators to work more closely with Microsoft and each other to build and integrate security products for the Microsoft platform.
The SecureIT Alliance has launched its official Web site, http://www.secureitalliance.com, which has been expanded to include an interactive developer forum for member partners. Microsoft is also a founding member of the Anti-Spyware Coalition, an organization comprising leading anti-spyware vendors, academic leaders and related advocacy groups who all share a commitment to ensuring that users maintain control over what is running on their computers.
“The world is adopting the vision of an interconnected global community at a rapid pace,” he said. “It is our responsibility as industry leaders to provide customers with the information and tools they need to live their personal and professional lives without fear of security or privacy breaches. Every computer user should have the right to go online securely, and we are committed to turning this vision into reality.”
More information about Microsoft’s vision for secure computing can be found in the RSA virtual pressroom.