Aucsmith: Proof Lies in Windows Server 03

In an interview with eWEEK, Microsoft's Dave Aucsmith says Windows Server 2003 will be the real measure of Microsoft's security progress.

SAN FRANCISCO—There is a small group of true lifers in the security industry, and Dave Aucsmith is one of them. He began working on signal security several decades ago during his time in the military and then spent several years as the chief security architect at Intel Corp. Add to that his deep knowledge of cryptography and the 27 patents he holds, and you see why Microsoft Corp. hired him last August as a security architect in the new Security Business Unit. Aucsmith is now that group's chief technology officer and is responsible for the overall security architecture of all of Microsoft's products. Senior Editor Dennis Fisher caught up with Aucsmith at the RSA Conference here to talk about the SBU, Trustworthy Computing and the Next Generation Secure Computing Base, the technology formerly known as Palladium.

eWEEK: Tell me a little bit about what you're trying to accomplish inside the SBU.

Aucsmith: My job is to put a unified architecture in place underneath all of these various security products and technologies. I try to combat the problem of all of the utter confusion that we give to our customers, developers and users. That problem developed historically, over time. It wasn't until very recently that the whole became important to us. It takes us about a year or 18 months to develop a new operating system, and we're running pretty fast. We really can't push it much faster than that because of all of the testing we have to do. But the bad guys are running much faster than us. Out of the gate, there's a disparity in the way we can respond to changing threats. We use patch management. But the second part is what I call remedial security, which is things like anti-virus. We want to make it easier for other vendors to protect software and users by using things like the APIs we just put into Exchange. We want to make sure there's a ripe and productive community of people adding security to these products.

eWEEK: What kinds of things are you doing on a daily basis to make products more secure?

Aucsmith: One big thing is continuing to submit our products to the government for Common Criteria testing. I think there's real value in that because for one thing customers are asking for it. And for another, it forces us to do what we're supposed to do. Our belief is that the market will reward us for that. If it doesn't, then we'll turn around and try something else.

eWEEK: What's the next thing that the SBU will be working on?

Aucsmith: If you look forward, most of the security development will be around security management, how we go about specifying the security policies that you want these technologies to use. That's where a lot of the work and effort will be. But at any one time, we're working on any number of things.

eWEEK: There's a lot of talk and concern about both Palladium and the upcoming Rights Management Server. How will those things play out for users?