SAN FRANCISCO – Microsoft's top security executive believes a comprehensive set of Internet health check systems is still needed to protect the security of the Internet for society at large, but a new twist on the concept could have a major effect on enterprises.
In his annual keynote address, Scott Charney, corporate vice president of Microsoft's Trustworthy Computing group, offered no new product announcements to RSA Conference 2011 attendees. Instead, he echoed a theme he has extolled widely in recent years: extra measures are needed to ensure computers are secure before they are granted unfettered access to the Internet.
Comparing Internet security to public health, Charney said computing devices not only need to be treated when they get sick with malware, but they also need to be vaccinated with proper antimalware, firewalls and other protections to prevent them from getting sick in the first place.
Microsoft's concept, which he called Collective Defense, seeks to enable verification of that security vaccination, checking a computer's status before it is granted full Internet access. If the computer is found to be in need of remediation, either to remove an infection or update antivirus signatures, for example, users receive guidance and assistance on how to properly raise their security levels.
"Most of the [security] models we have today are reactive," Charney said. "While we're going to continue to look for badness, can't we also enforce goodness?"
During Charney's RSA Conference 2010 keynote, he spoke of the need for governments and ISPs to lead the implementation. However, Charney said he's since realized that model had flaws: Consumers concerned about privacy may not want to have their machines scanned forcibly, ISPs would face a sizable burden to implement such scanning largely on their own, and individuals who rely on Internet services like VoIP could be adversely affected during emergencies.
Instead, Charney advocated for companies to take the lead by providing Internet health checks for their customers. He highlighted a video demonstration in which a bank offered such a service to customers as an added security benefit. Once a customer consents to a machine health check, his or her computer security is validated before access is granted to the bank's Web-based banking application.
Attendee Laurel Wilson, a vice president with San Francisco-based Wells Fargo and Company, said such a system makes sense from a business point of view in order to decrease fraud and ensure the bank's customers are secure. She also liked the idea of offering a helping hand on security to those who may not be as computer savvy.
"My 87-year-old mother just started using Internet banking for the first time," Wilson said, and while it has made her mother's life easier, she expressed concern about her mother's ability to safeguard her online security.
However, Wilson also wondered whether such Internet health checks could be too restrictive. Noting the recent protests and government upheaval in Egypt, she wondered whether an added layer of security would make it too difficult for individuals to access critical online services.
Charney echoed those concerns, noting that, around the world, Internet access is quickly becoming a cherished, fundamental human right. "There aren't many fundamental rights that rise to that level of prestige in the world," Charney said.
In response, Charney likened insecure Internet usage to smoking. People have the right to smoke and put their own health in jeopardy, he said, but an insecure computer is like second-hand smoke, in that it can inadvertently harm others.
Conference attendee Steve Taylor, an assistant vice president with Texas Star Bank in Van Alstyne, Texas, agreed with Charney's assertion that the need for broad computer security outweighs individuals' concerns, and that the added layer of security would be helpful for an organization like his.
But Taylor wondered whether too many individuals wouldn't bother or would look to bypass restrictions, thinking only of themselves. "I'm all for it, but it's hard to get people to buy in."
Charney noted that a Collective Defense model driven by individual enterprises and Web application providers would, in fact, be optional; the user would remain in control, but there may be consequences for non-compliance or opting out. Revisiting the online banking example, Charney said a user who skips the computer health check might not be barred from the bank's online account management system, but the user might be limited in how much money he or she could move or spend.
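As an added illustration of the tiered model described above (consent first, remediation guidance when the machine is found wanting, reduced limits for opting out), here is a small posture evaluator written for this edit; it is not Microsoft's or any bank's code, and the posture fields, thresholds and transaction caps are assumptions.

```python
from dataclasses import dataclass, field

# Constructed posture report; the keynote demo did not specify a format.
@dataclass
class DevicePosture:
    consented: bool          # user agreed to the health check
    firewall_enabled: bool
    antivirus_installed: bool
    signature_age_days: int  # days since the last antimalware signature update
    malware_detected: bool
    backups_configured: bool

@dataclass
class AccessDecision:
    tier: str                # "full", "limited" or "remediate"
    transfer_limit: float    # per-transaction cap the bank would apply
    guidance: list = field(default_factory=list)

MAX_SIGNATURE_AGE_DAYS = 7   # assumed policy threshold
FULL_LIMIT = 10_000.0        # assumed caps, illustrative only
REDUCED_LIMIT = 500.0

def evaluate_posture(p: DevicePosture) -> AccessDecision:
    # Opting out is permitted; the consequence is a reduced cap, not a lock-out.
    if not p.consented:
        return AccessDecision("limited", REDUCED_LIMIT,
                              ["Health check declined: transfers capped until a check is completed."])
    guidance = []
    if p.malware_detected:
        guidance.append("Active infection found: run a full scan and remove it before continuing.")
    if not p.antivirus_installed:
        guidance.append("No antimalware product detected: install one and update its signatures.")
    elif p.signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        guidance.append(f"Antimalware signatures are {p.signature_age_days} days old: update them.")
    if not p.firewall_enabled:
        guidance.append("Host firewall is off: enable it.")
    if not p.backups_configured:
        guidance.append("No backup configured: set one up.")
    # An infection or missing antimalware blocks transactions until remediated.
    if p.malware_detected or not p.antivirus_installed:
        return AccessDecision("remediate", 0.0, guidance)
    # Lesser gaps (stale signatures, no firewall or backup) degrade rather than block.
    if guidance:
        return AccessDecision("limited", REDUCED_LIMIT, guidance)
    return AccessDecision("full", FULL_LIMIT, [])
```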
"On the Internet, if you don't run a firewall, antivirus or back up your data, you may get wiped out, but you have a right to get wiped out," Charney said. "But when you connect to the Internet, it's a place used by many. It's not just about your risk; you're accepting risk for the whole ecosystem."