DALLAS—Microsoft Corp.'s chief trustworthy computing strategist called on the industry to help out with securing the Internet, and he also introduced a new product and new Microsoft initiatives to assist in the effort.
Scott Charney, who heads Microsoft's security efforts, spoke at the company's TechEd conference here, saying the responsibility for ensuring public safety on the Internet rests with the industry overall. To that end, Microsoft Tuesday announced a new product with VeriSign Inc., of Mountain View, Calif., that will build on the Windows Server 2003 foundation and add public key infrastructure (PKI) capabilities to secure access to enterprise applications, both within and outside corporate boundaries.
Nico Popp, vice president of product development in the security services division at VeriSign, joined Charney onstage at TechEd to introduce the jointly developed solution.
VeriSign PKI on top of Windows Server 2003 provides “ease of deployment, interoperability, ease of use and uncompromising security,” Popp said.
Popp said the technology will ship by the end of the year and services will be hosted in VeriSign datacenters and also at client sites. In addition, Popp said Microsoft and VeriSign are working together to use digital signatures in e-mail as a tool against spam.
Meanwhile, Lutz Ziob, general manager of training and certification at Microsoft, announced two new security certification programs for system administrators and systems engineers: the Microsoft Certified Systems Administrator (MCSA: Security) and the Microsoft Certified Systems Engineer (MCSE: Security). The new certification programs are targeted at Windows 2000, with certifications for Windows 2003 coming later this year, the company said.
Charney filled his speech with anecdotes and one-liners that kept the audience rapt as he drove home his point that security is a joint effort between the industry and users.
“Attackers pick low-hanging fruit,” he said. “We cannot just rely on the government for public safety; a lot of the responsibility falls on us.”
Charney said the current situation is full of opportunity for hackers and intruders. Among the statistics he cited: there will be 14 billion devices in use by 2010, 35 million users by 2005, and a 65 percent increase in Web sites. Yet, he said, there are about 90 percent detected security breaches, 85 percent detected computer viruses, and 95 percent of all breaches are avoidable with an alternative configuration.
In short, Charney said, playing on the old adage, when the Internet is involved, “An ounce of prevention is worth a ton of cure.”
For instance, Charney said Microsoft needed new patch management tools, so he created a patch management working group and “came up with commandments of patch management. And by the end of the year instead of eight installers we'll have two: one for operating systems and one for applications.”
Charney said security needs to be implemented at the early stages of the development process. The .Net Framework 1.0 led the cause and debuted code access security, and the .Net Framework 1.1 builds on the Trustworthy Computing foundation, he said.
Charney said Microsoft's strategy is to make its products secure by design, secure by default and secure by deployment. To that end, Microsoft has had more than 2,500 developers doing security testing, including hiring outside “penetration testers” to try to break systems. In addition, Microsoft now offers 60 percent less attack surface than on previous versions of the operating system, and with Windows Server 2003, more than 20 services have been changed to be off by default.
The tenets of Trustworthy Computing at Microsoft include security, privacy, reliability and business integrity. And Charney admonishes his charges to “protect the CIA: confidentiality, integrity and availability.”