While the Blue Hat Summit was a positive first step, as long as attackers keep exploiting vulnerabilities in the Windows platform and as long as there is a slew of monthly fixes, patch-weary IT administrators and their bosses will continue to give Microsoft's Trustworthy Computing (TwC) Initiative mixed reviews. Executives in many of the largest Windows shops recognize the improvements, but believe Microsoft still has miles to go before it gets where it needs to be.
"[Microsoft's] intentions are laudable, and I salute them," says Arun DeSouza, manager of global computing technologies at automotive manufacturer Inergy Automotive Systems.
But DeSouza knows that security is more than just patching Windows. It's also about the privacy and stability of the system. So are they there yet? "They're still years away from achieving that," he says.
It's All About Trust
At the initial launch of TwC, Microsoft chairman and chief software architect Bill Gates revealed that Microsoft had spent more than $100 million and retrained thousands of software developers and engineers. Last year, Gates said that Microsoft spent about $2 billion a year on security.
Today, Ben Fathi, the newly named general manager of Microsoft's security technology unit, says security has so permeated each department and project that there is simply no way to accurately make these calculations anymore.
At the RSA Conference 2006 earlier this year, Gates didn't focus on enterprise
Going forward, Gates sees the necessity of de-emphasizing passwords and focusing on an "InfoCard" with two-factor authentication. InfoCard is the code name for a WinFX component required by the Windows identity metasystem. It is specifically hardened against tampering and spoofing to protect the user's digital identities and keep the user in control of them. Microsoft is also expanding the role of Active Directory to envelop certificate services.
But it will take years for a vision like this to play out. The acid tests of Microsoft's success will come later this year and early next year when its new desktop, Windows Vista, is made available, and then again later in 2007 with the delivery of its new Windows Server, code-named Longhorn. Microsoft estimates that at least one-third of its engineering investment in the development of Vista has been focused on security.
Both platforms are the first to be built from the ground up using Microsoft's stringent software development criteria, the Software Development Lifecycle (SDL). SDL is one of the many processes put into place post-TwC under the direction of Stathakopoulos. With this process, a security team member is assigned to every product, and the products undergo consistent security reviews. There are various levels of testing before software is given a final security review and deemed ready to ship.
This was first published in May 2006