For some time, Microsoft has been stumping for what it calls collective defense as a way to minimize the threat posed by inadequately protected consumer PCs. Is such a program technologically feasible?
At RSA 2011, Scott Charney, corporate vice president of Microsoft's Trustworthy Computing Group, talked about collective defense, otherwise known as an Internet health check, network access control, trusted network connect, and other permutations depending on which industry group you are talking to. Charney and Microsoft have been talking about this over the last year or more. To expand on another recent user question, the technological feasibility of performing NAC on a large scale is unknown, which Charney alluded to in his RSA keynote.
There are some large policy issues that would need to be resolved prior to ISPs or other organizations being able or allowed to check the security or health of customer or client systems on a large scale. The issue of who would determine what settings are secure enough for online banking, watching YouTube videos, accessing educational content, social networking, etc., is potentially difficult to overcome. Such a policy, if put into practice, would also need address the issue of user privacy. Many organizations, though, have overcome these hurdles to implement NAC on their networks, but have done so under the auspices of corporate usage agreements and security policies.
One of the potential information security threats involved with the Microsoft security check proposal is companies need to be able to trust the system performing the checks: If an attacker were to take over the system that controlled the health checks, he or she could perform malicious actions against every computer attempting to connect to the Internet via that ISP – obviously a serious risk. Organizations would also need to be prepared for checks that turn up false negatives, since it's possible that newer or targeted malware could subvert the health check.
Dig Deeper on Microsoft Windows security
Related Q&A from Nick Lewis
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading
Cloud security providers need to play catch-up with the evolving advancements in cloud technology. Find out what the top CSPs offer today and which ... Continue Reading
Cloud security certifications serve to bolster security professionals' resumes and boost value to employers. Learn about the top certifications ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.