SAN FRANCISCO – Microsoft's top security executive used his RSA Conference 2012 keynote to examine the past and future of Trustworthy Computing, the risks of big data in the cloud and concepts that could one day better secure that data.
Scott Charney, Microsoft's corporate vice president of Trustworthy Computing, took advantage of the opportunity to note the 10-year anniversary of the famous Bill Gates memo that began the software giant's systemic effort to incorporate security into all its products and processes.
He lauded Trustworthy Computing's success in driving down the number of vulnerabilities in Microsoft software, reducing the number of exploitable vulnerabilities and creating enhanced end-to-end trust mechanisms on the Internet, but noted that continued progress is necessary because software vulnerabilities can never be completely eliminated.
To that end, he referenced new security technologies incorporated into past versions of Windows -- including the NEAT (necessary, explainable, actionable and testable) threat communications concept and BitLocker To Go built into Windows 7 -- and emerging technologies that will be built into the upcoming Windows 8 OS, including support for the hardened UEFI BIOS standard, a trusted boot mechanism that loads antimalware early in the process, and Dynamic Access Control.
Yet Charney spent the bulk of his time expressing concern over the numerous scenarios in which big data is finding its way into the cloud. He specifically mentioned geolocation data and how it is key to taking advantage of innovative and helpful Internet services via mobile devices.
He referenced a project in which Microsoft used cloud-based analysis to help a health care provider identify trends to determine why some patients were returning for treatment within 30 days, with the analysis identifying a virus affecting patients staying in a specific hospital room. The processing power that can be applied to big data in a cloud environment, Charney said, can identify a trend like that, which would otherwise go unnoticed.
However, Charney said there are dangerous big data privacy implications that arise from tracking where individuals are at virtually all times. Perhaps most concerning, he said, are the questions surrounding whether the government should be able to access data about any individual if that data resides in the cloud.
Charney said legal precedent established that an individual's Fourth Amendment rights do not apply if a person willingly provides information to a third party, but the recent Supreme Court ruling in U.S. vs. Jones – that it’s illegal to use a GPS device to track someone's whereabouts without first obtaining a warrant – suggests the need to rethink that conclusion, especially in a world where individuals are increasingly surrendering personal data to the cloud.
Charney advocated for a system in which cloud data is associated with metadata that expresses attributes about the data, dictating how it should be treated, used and eventually destroyed. He espoused the benefits of a system in which cloud data could be tagged with metadata instructing the cloud provider to destroy it on a certain date so those who choose to make use of cloud services can have more control over.
Attendees, however, expressed skepticism regarding whether Charney's concepts could ever come to fruition. Jeremy Ehiert with DigitalGlobe in Longmont, Colo., questioned how such a paradigm would be enforced to compel service providers to treat data as the data provider intended, not to mention modify the metadata.
Attendee Adam Hovak with ITT Exelis in Virginia said most data doesn't have that level of metadata detail associated with it, and the exponential growth of data existing in cloud environments will only make it more difficult to create such a system.