SAN FRANCISCO - Buoyed by the success of Trustworthy Computing at Microsoft, a five-year initiative that saw the company move from security pariah to industry trendsetter, the software giant is proposing a vendor-neutral push to build an ecosystem of trust on the Internet.
Microsoft used the spotlight of the RSA Conference 2008 here April 8 to start the dialogue on what is being called End to End Trust, a concept built around authenticating identities and securing Web-based transactions and communications.
During a fireside chat-style keynote address, Microsoft Chief Research and Strategy Officer Craig Mundie announced the release of a white paper outlining the proposal and called for “robust and meaningful discussion” from partners and competitors alike.
“The opportunity is now,” Mundie said, noting that the rise in malware-related identity theft and child safety issues has pushed security and privacy issues to the front burner.
At its core, Microsoft’s End to End Trust proposal calls for the creation of a trusted stack where each element in the stack (the operating system, applications, people and data) can be authenticated and is equally trustworthy.
The proposal, which Mundie said will require buy-in from partners and competitors alike, also calls for a system that enables people to preserve their identity claims while addressing issues of authentication, authorization, access and audit.
Although the proposal is being billed as a clone of Microsoft’s long-term Trustworthy Computing (TwC) initiative, a collaborative effort that underscores security and privacy principles at every stage of software creation, company officials are careful to stress that it must emerge as a vendor-neutral approach with closer alignment between technological, social, political and economic forces.
“We need to come together and work on extending Trustworthy Computing to the Internet,” George Stathakopoulos, general manager of security response at Microsoft, said in an interview with eWEEK. “I think you can safely say that the Internet today is where we were five years ago. We were not in the best shape. In 2002, we had to deal with the big worm attacks and we were struggling to cope. We adopted the Trustworthy Computing initiative and we accomplished a lot over the last five years.”
A Trusted Stack
Stathakopoulos said there are enough similarities between Microsoft’s 2002 problems and the existing security nightmares haunting the Web.
“We don’t want this to be interpreted as a Microsoft play,” he said. “We’re saying that these are the concepts that we generally support and we’ve put them together in this white paper and we’re asking the industry to talk about it. We’d like to see everyone put the same energy into it that we put into the Trustworthy Computing initiative.
“The problem might be a little different but we think we can find ways to fix things. It’s about how you exist online, what’s your identity claim, how do you interact with the Internet. These are things we need to be talking about in a very serious way.”
In the white paper, Microsoft spells out its own vision of how End to End Trust can be achieved through a “trusted stack” that features security rooted in the hardware, a trusted operating system, trusted applications, trusted people and trusted data.
“The entire stack must be trustworthy because these layers can be interdependent, and a failure in any can undermine the security provided by the other layers; for example, a document may be created by an identified individual, using secure hardware and a secure operating system, and sent to another as a signed attachment with integrity, but if it was created with an insecure application, it may not be trustworthy,” according to the white paper.
“When trust is misplaced, it must be possible to identify the improvidently relied-upon party and have the right social and political mechanisms in place so that proactive and reactive steps can be taken. An appropriate audit capability can provide the evidence needed to inform response and drive an accountability framework.”
The white paper also focuses heavily on establishing trusted identities on the Internet without abolishing the concept of anonymity.
Microsoft also makes it clear that the proposal is not meant to create unique, national identifiers or support the creation of mega-databases that collect personal information.