News Stay informed about the latest enterprise technology news and product updates.

RSA: Microsoft sells security; users aren't buying it

Microsoft's chief security technical officer detailed his company's Trustworthy Computing initiative at RSA Conference 2002 this week. But some users felt Craig Mundie was giving them a sales pitch rather than discussing serious security policy.

SAN JOSE, Calif. -- The intent was to outline a specific security roadmap for the immediate and long-term future. The intent was to convince a jittery, cynical industry that security has surfaced as a No. 1 priority. The intent Wednesday at RSA Conference 2002 was to demonstrate that Microsoft was finally serious about security.

The outcome was more cynicism, more jitters and more skepticism.

Microsoft rolled out its chief security technical officer, Craig Mundie, yesterday with a presentation spelling out its Trustworthy Computing initiative that detailed Microsoft's new and improved stance on security. Users, however, were left with many of the same unanswered questions and the same raised eyebrows about what is coming out of Redmond.

"That was a great sales pitch. But, if I wanted a sales pitch, I would have gone to the booth," said Michael Krenzin, program manager for Sparta, Inc., a government consultant on network security and PKI. "I was expecting, with more of a technical audience listening in, that he would have brought more detail."

Instead, Mundie spent 40 minutes speaking in general terms of trust toward Microsoft and how the company would improve software design, improve the way it implements technology and change internal policy.

"Marketing hype," said Yujin Kim of JP Morgan Chase. "It's the same thing, really."

Mundie did take the opportunity to announce that Microsoft would open its Kerberos specification -- a secure method for authenticating a request for a service in a computer network.

"Microsoft will grant a royalty free license to the specification of Group Membership PAC Data and provide access to interpret and generate authorization data in Privacy Access Certificates," Mundie said. "This will help customers and partners to be able to interpret Kerberos authorization data."

Kerberos has been a sticking point for users because of interoperability issues. Kerberos lets a user request an encrypted "ticket" from an authentication process that can then be used to request a particular service from a server, according to online technology glossary

"I found it interesting they chose this show to announce their capitulation to opening their Kerberos protocol," Krenzin said. "When Windows 2000 came out, it arrived with Kerberos enabled. We all soon found out that it uses non-standard fields and implemented a non-standard handshake protocol in those fields. No one else can use it. There's no way to peer between Windows and Unix, for example. Once again, Microsoft took the opportunity to say 'It's my way, or the highway.'

"Now that it's open," Krenzin said, "people will be able to write applications that work in their environments."

Mundie also gained points with users when he announced that future versions of some popular Microsoft applications would have unneeded services disabled by default. Mundie cited, for example, that IIS6 in .NET will be disabled by default.

Mundie said that Microsoft will also enhance the education of its developers, requiring training to learn the latest best practices.

"We are changing code practices, changing the default behavior of our systems and enhancing security in our deployment," he said.

But, there were still unanswered questions.

"I wanted more on their whole .NET strategy," Krenzin said. "They're promising it could solve all of the world's problems. But, it can solve all of the world's problems only if Microsoft is the only vendor out there."


Best Web Links on securing Microsoft products

searchSecurity's coverage of RSA Conference 2002

Dig Deeper on Microsoft Windows security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.