"It has been a one-or-the-other situation with security and access up until now, and that's not good enough. We have to think about the barriers to connection, whether they're offensive or defensive," said Michael Atalla, group product manager in the Identity and Access Product Management group at Microsoft. "Trust is harder to maintain as people get more connected, but we haven't come far enough to move to the next set of solutions."
The new strategy has four key areas: systems, networks, identity and data protection. Microsoft already has substantial investments in each, but Atalla emphasized that the company will need to work with both partners and competitors to bring them together.
"The users are largely telling us what they want and it's changing how we do business," Atalla said.
Under the heading of the evolution of systems, Atalla said Microsoft plans to invest in technologies that make systems more resilient to attack. He pointed to Vista features such as User Account Control, secure code execution and address space layout randomization as examples of the kinds of things that can help build a trusted I/O path to the user. This is not to be confused with the company's much-debated Next Generation Secure Computing Base strategy, which employs hardware-based security measures, digital rights management and a number of other technologies to authenticate not only users but also their machines and the content and applications running on them.
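Two of the Vista mitigations named above, address space layout randomization and Data Execution Prevention, are opt-in per image: Vista randomizes an image's base address only if it was linked with /DYNAMICBASE, and marks it DEP-compatible only if it was linked with /NXCOMPAT, both of which set bits in the PE optional header's DllCharacteristics field. The script below is an added example, not code from the article or from Microsoft. It parses just enough of a PE header to read those bits and report the image's opt-in status, and it also checks the COFF Characteristics for IMAGE_FILE_RELOCS_STRIPPED, because an image whose relocations were stripped cannot actually be relocated even when the ASLR bit is set. The flag values are the ones in winnt.h; the sample headers are constructed in-line so the script runs offline, and audit_file() is the assumed entry point for checking a real .exe or .dll.

```python
"""Report whether a PE image opts in to ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT).

Added example for this article; not Microsoft's code. Constructed sample
headers are built by make_test_image() so it runs without a real binary.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits of IMAGE_OPTIONAL_HEADER.DllCharacteristics (winnt.h).
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR (added after Vista)
DYNAMIC_BASE = 0x0040      # linked with /DYNAMICBASE: image may be rebased -> ASLR
FORCE_INTEGRITY = 0x0080   # /INTEGRITYCHECK: Authenticode signature enforced at load
NX_COMPAT = 0x0100         # /NXCOMPAT: image is DEP-compatible
GUARD_CF = 0x4000          # Control Flow Guard (added after Vista)

# IMAGE_FILE_* bit of IMAGE_FILE_HEADER.Characteristics.
RELOCS_STRIPPED = 0x0001   # no .reloc data: the loader cannot move this image

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def parse_header(image: bytes) -> tuple[int, int]:
    """Return (IMAGE_FILE_HEADER.Characteristics, DllCharacteristics) or raise ValueError."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    coff = e_lfanew + 4                 # COFF file header follows the 4-byte "PE\0\0"
    opt = coff + 20                     # optional header follows the 20-byte COFF header
    if opt + 72 > len(image):
        raise ValueError("truncated PE header")
    if image[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (file_chars,) = struct.unpack_from("<H", image, coff + 18)
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return file_chars, dll_chars


def audit(image: bytes) -> dict:
    """Summarize the image's opt-in mitigations as booleans."""
    file_chars, dll_chars = parse_header(image)
    relocatable = not (file_chars & RELOCS_STRIPPED)
    return {
        # The ASLR bit only helps if the loader can actually rebase the image.
        "aslr": bool(dll_chars & DYNAMIC_BASE) and relocatable,
        "aslr_bit_without_relocs": bool(dll_chars & DYNAMIC_BASE) and not relocatable,
        "dep": bool(dll_chars & NX_COMPAT),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "force_integrity": bool(dll_chars & FORCE_INTEGRITY),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def audit_file(path: str) -> dict:
    """Assumed entry point for a real binary: read it and audit the header."""
    with open(path, "rb") as f:
        return audit(f.read())


def make_test_image(dll_chars: int, file_chars: int = 0x0002, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (no sections) carrying the given flag words."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened": make_test_image(DYNAMIC_BASE | NX_COMPAT),
        "legacy": make_test_image(0),
        "aslr bit but relocs stripped": make_test_image(DYNAMIC_BASE, file_chars=0x0002 | RELOCS_STRIPPED),
    }
    for name, image in samples.items():
        print(f"{name}: {audit(image)}")
```

Run it against a directory of binaries with audit_file() to find images that still ship without /DYNAMICBASE or /NXCOMPAT; a process that loads even one non-ASLR DLL gives an attacker a fixed address to build on, which is why the "aslr_bit_without_relocs" case is reported separately rather than counted as protected.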
The network evolution has all but dissolved network boundaries in the last few years, making it difficult for security managers to decide which rules to enforce on which machines and when. As the barriers continue to fall, the security requirements that protect internal and external networks need to evolve to keep pace, Atalla said.
"What we need is to move to a policy-based network on which policies can be enforced regardless of where you are or what device you're using," he said. Microsoft has gone down this road already in its partnership with Cisco Systems to make the companies' respective network access control offerings, Microsoft's Network Access Protection and Cisco's Network Admission Control, interoperate.
Last year, Gates told the RSA audience he believed passwords were dead. The future of authentication, he said, lies in more advanced technologies such as hardware tokens, biometrics and Microsoft's CardSpace feature in Vista. Much was made of Gates' proclamation--especially by makers of strong authentication technology--but his message was nothing new. Security experts for years have been telling anyone who would listen that passwords are no longer good enough, especially in a corporate setting or when money is changing hands. Microsoft developers followed Gates' lead and included in Vista a number of upgraded authentication features, such as expanded support for biometric devices and other kinds of two-factor authentication, support for more cryptographic algorithms and protocols, and a backup and restore wizard for stored usernames and passwords. Gates will expand that discussion today when he talks about the evolution of identity.
"It's not important that Microsoft build an identity system and get everyone to use it. And it's not important that anyone else do that either," Atalla said. "What is important is that they all work together. Maybe that's something that you haven't heard from us in the past, but you'll hear more of it in the future."
To help get this effort moving, Microsoft today is announcing Identity Lifecycle Manager, a new enterprise server that manages identity information together with the smart card and certificate infrastructure behind it. It builds on the company's existing user provisioning and metadirectory offerings, Microsoft Identity Integration Server and Certificate Lifecycle Manager.
The final piece of the vision Gates and Mundie will discuss is the evolution of data protection. Most of the current security offerings concentrate on defending against attacks or securing information while it's in transit. Microsoft officials believe that changes in the way people are accessing and using data require enhanced protection for that data while it's at rest. This means not just records sitting in a database, but also digital media content.
"We believe the future of information security must be about associating data with the containers and databases holding it," Atalla said. "It's important for the industry as a whole to invest in this."