The fourth anniversary of its Trustworthy Computing Initiative is marked with mixed reviews from users.
Microsoft is known for a lot of things, but humility isn't one of them.
So, in 2003, when the company decided to launch an event where it welcomed some of its biggest critics--hackers and independent experts--to discuss security, it caught some by surprise.
It wasn't an easy event to get going, explains George Stathakopoulos, Microsoft's general manager of product security. The company had been caught in an embarrassing cycle where it was continually responding to bug reports found by this community.
"There was no communication between the two; we weren't building relationships," Stathakopoulos says. Because of this, the Microsoft security team wasn't sure anyone would attend its so-called Blue Hat Summit. They waited nervously right up until the party began. Then invitees started showing up--in droves.
"There was tension," recalls Stathakopoulos, "and then the drinks started, and the sea of people started their heated discussions."
Microsoft had turned a corner.
While the Blue Hat Summit was a positive first step, as long as vulnerabilities continue to plague the Windows platform and as long as there is a slew of monthly fixes, patch-weary IT administrators and their bosses will continue to give Microsoft's Trustworthy Computing (TwC) Initiative mixed reviews. Executives in many of the largest Windows shops recognize the improvements, but believe Microsoft still has miles to go before it gets where it needs to be.
"[Microsoft's] intentions are laudable, and I salute them," says Arun DeSouza, manager of global computing technologies at automotive manufacturer Inergy Automotive Systems.
But DeSouza knows that security is more than just patching Windows. It's also about the privacy and stability of the system. So are they there yet? "They're still years away from achieving that," he says.
It's All About Trust
At the initial launch of TwC, Microsoft chairman and chief software architect Bill Gates revealed that Microsoft had spent more than $100 million and retrained thousands of software developers and engineers. Last year, Gates said that Microsoft spent about $2 billion a year on security.
Today, Ben Fathi, the newly named general manager of Microsoft's security technology unit, says security has so permeated each department and project that there is simply no way to accurately make these calculations anymore.
At the RSA Conference 2006 earlier this year, Gates didn't focus on enterprise security products, unlike previous years when keynote stars were platforms such as XP SP2, IE 7.0 and Rights Management. Instead, he discussed Microsoft's ambitious goals for a "trust ecosystem," an overarching method of accountability between people and computing systems. His message was that it's not enough to design software to be secure; security has to be simple, and users need tools to make better decisions of trust.
Going forward, Gates sees the necessity of de-emphasizing passwords and focusing on an "InfoCard" with two-factor authentication. InfoCard is the code name for a WinFX component required by the Windows identity metasystem. It's specifically hardened against tampering and spoofing to protect the user's digital identities and maintain user control. Microsoft is also expanding the role of Active Directory to envelop certificate services.
But it will take years for a vision like this to play out. The acid tests of Microsoft's success will come later this year and early next year when its new desktop, Windows Vista, is made available, and then again later in 2007 with the delivery of its new Windows Server, code-named Longhorn. Microsoft estimates that at least one-third of its engineering investment in the development of Vista has been focused on security.
Both platforms are the first to be built from the ground up using Microsoft's stringent software development criteria, the Software Development Lifecycle (SDL). SDL is one of the many processes put into place post-TwC under the direction of Stathakopoulos. With this process, a security team member is assigned to every product, and the products undergo consistent security reviews. There are various levels of testing before software is given a final security review and deemed ready to ship.
Vista introduces some notable improvements. One much-anticipated feature in the OS is the least privileged user account, which makes it possible for IT shops to prevent users from downloading harmful software or changing settings unless they have an administrative password. There is also hardware-based volume encryption for PCs called BitLocker, and antispyware technology acquired from Giant Software. Vista also has provisions for using smart cards, like InfoCard, to log in.
Internet Explorer 7.0 will have built-in heuristics and support for high-assurance certificates for safer browsing and improved blocking of phishing attempts.
Customers will have to wait for Longhorn to get Network Access Protection, a feature that quarantines PCs found to have inadequate patch protection as they try to access a network. The server version will also include the Internet Information Server 7.0 upgrade.
Though Vista and Longhorn are the first platforms to get the full SDL treatment, others have benefited from TwC. Windows XP SP2, released in summer of 2004, was billed as a service pack but had so many changes to the desktop OS regarding security that it was considered by many to be an entirely new version of the software.
"We've seen benefits with XP SP2 and SQL Server 2005," says Neil Macehiter, a partner at Macehiter Ward-Dutton, a U.K.-based consulting firm. "The vulnerabilities are far less than they've been historically."
The numbers seem to agree. After Windows Server 2003 had been on the market for 1,000 days, the number of critical bulletins dropped from 87 to 51 over Windows 2000 Server, calculates Scott Charney, Microsoft's chief security strategist. In the 785 days after Office 2003 was released, the number of critical bulletins dropped from 11 to six. SQL Server 2000 SP3 was released in January 2003, and since then critical bulletins have dropped from 16 to three.
"They're good numbers, but not good enough," Charney acknowledges.
What's important about Microsoft products coming to market is that they've all been through SDL. Charney says he knows Microsoft will never reduce the number of vulnerabilities to zero, but aims "to get to the point where the level of risk in the IT world is akin to risk of what we are used to managing in the physical world."
Microsoft has acquired five companies and one technology since the launch of its Trustworthy Computing Initiative. Here is how the technology has been integrated into Microsoft's product offerings:
There will always be the belief that Linux, by virtue of its Unix roots, has been designed bottom-up to be more secure. But a vast majority of organizations, certainly at the enterprise level and within medium-sized companies, recognize that the issue is irrespective of whether the OS is designed or engineered with security in mind.
"Most issues come down to the skill of the administrator, how often patches are installed and the overall security of the network," Macehiter Ward-Dutton's Macehiter says. "Windows and NT have been used in mission-critical environments. These organizations go through a risk management process, and the risks are independent of the underlying OS."
But by now, everyone realizes that Microsoft, being the dominant OS platform, is the number one target for malicious attacks. "It's always easy to bash them, but they are the big boys. That's who everyone is gunning for," says Paul Edwards, a senior system engineer at fleet management company PHH Arval.
In the past few years, IT experts have focused on securing Windows by securing what's around Windows--it's more realistic than expecting Microsoft to excel in all things related to security.
"I rely more on Cisco [Systems] and Symantec as my first line of defense," says Gary Boy, manager of IT operations at Installed Building Products, a construction company.
"I would rather the OS be the OS. I don't expect it to be the all-in-one answer."
Boy says it's good for innovation, competition and pricing if he sticks to using third-party products for features like Web blocking, monitoring and other features Microsoft has or is building into the OS.
'I'm Tired of Patching'
One improvement to its overall security processes that customers frequently cite is the creation of Patch Tuesday, a single day every month when patches are released. Though this has helped bring order to what was once chaos, it does not make the patching process less laborious in shops with a lot of servers to reboot.
"Having a monthly patch release is great, but it's every month," says Alan Thomas, a senior technical consultant at National Gypsum, a manufacturer of building materials. "I'm tired of patching. Maybe it would be okay if it were only a few times a year."
The patch cycle is sometimes interrupted by a serious vulnerability. When that happens, the conspiracy theories kick in about whether Microsoft is acting in everyone's best interest. In late December 2005, there was concern that Microsoft might be sitting on a patch to fix the Windows Meta File zero-day bug. Third-party vendors rushed to provide a patch for the flaw; Microsoft eventually issued one out of schedule in early January. There were IT managers wondering why it took as long as it did to issue the patch; others thought perhaps Microsoft reacted as fast as it did because a third party was about to release one.
Microsoft puts its patches through a lot of testing. Mike Nash, outgoing corporate vice president of Microsoft's security technology unit, says the company released the patch only when it had achieved Microsoft's quality goals. He spelled out the thinking Jan. 5 on the Microsoft Security Response Center blog: "The goal has always been to have software more secure and trustworthy, and the way we are talking about security is transparent and honest to be worthy of trust. The way we do it is as important as what we do."
As part of Microsoft's Trustworthy Computing Initiative, many of its new and forthcoming products have security integrated in their feature sets.
SQL Server 2005 (Released: November 2005)
Newer Platforms = Better Security
For the broad market, securing Windows against vulnerabilities might mean spending the money to get on the newer platforms, such as XP SP2 or Windows Server 2003 SP1.
There was recent evidence in 2005 with the Dasher and Zotob worms. Customers on XP SP2 were not hit, says Harry Waldron, a Microsoft Most Valuable Professional (MVP) and IT manager at a major insurer. "These are the fruits of TwC. Some of the outbreaks impact only older technologies."
Microsoft will make the overall installed base more secure where feasible, Nash says. Microsoft's new antispyware software, Defender, for example, will be built into Vista, but will also be available for Windows 2000 and XP.
Earlier OSes, like Windows 98 and ME, are architectures built before Microsoft understood the Internet. "We do know that there are a lot of customers running older platforms, and it's important to help them be secure," says Fathi. "A lot of the work we are doing for Windows Vista will be made available down-level for older platforms."
For large IT shops, this is welcomed news. Moving to the latest versions of software is always challenging because most companies are unable to roll out new copies of an OS right away.
"I sure hope it will help to be on Vista," National Gypsum's Thomas says. "But for us, Vista is a long way out. We have XP SP2, but it's the best we can do for now, and exploits still come out."
The Threat Is Everywhere
Of course, IT experts can't just study their software and perimeter security tools to be sure their systems are locked down. A huge threat today comes from the inside.
Cybercriminals have sometimes taken jobs in banks just to get access to the systems--even the cleaning staff might be a security breach, warns Allan Pomerantz, chief security officer at the Philadelphia Stock Exchange. "Today someone can walk into your shop with an iPod--with its 60 gig capacity--jack it into your computer and download your entire customer database," he says. "Memory sticks fit into everything--someone can use one to inject a Trojan into your computer."
Customers have to get used to using policy restrictions and non-Windows security devices to help balance risks and recognize that there will always be potential for another security breach.
Some of Microsoft's strongest feedback through the years has come from its MVPs. These subject-matter experts have insisted that Microsoft deliver security improvements in its next-generation desktop and server technologies. But Microsoft isn't the only company that has to step up.
"The industry has always recognized the need for improvement," says MVP Waldron. "Microsoft, or anyone, will get there. We've all got to stay one step ahead of the bad guys."