Microsoft outlines security policy

Malicious worms, hackers, and dire scenarios of cyberattack are giving cybersecurity more attention, but is it getting more action? It is at Microsoft Corp., says executive Craig Mundie, describing the progress of the software giant's year-old Trustworthy Computing initiative.

Systems smart enough to monitor, update, and repair themselves will help reassure people who continue to complain that technology is unreliable, says Mundie, Microsoft's chief technical officer of advanced strategies and policy. He spoke at a community program at Microsoft's campus here Wednesday.

Security functions are part of every Microsoft project now, he says. Efforts range from developing systems that automatically plug holes to new ways to identify remote systems you encounter online.

Seeking Reassurance

It's part of an emerging industry-wide focus on security that mirrors national security concerns. But for the technology industry, it's also a preemptive effort to reassure customers and avoid having security measures imposed by law, Mundie says.

People's fear of flaws could slow their enthusiasm for adopting technology, Mundie says. And the government might try to impose policy standards that could slow technology development. "We're starting to see interest in regulating the computer industry as more and more of society is relying on this equipment," Mundie says.

Concerns may heighten as we go online with more diverse devices, from handhelds to phones to custom boxes, Mundie adds. Microsoft expects those capabilities to boost productivity even more than PCs already have, he says.

But, he adds, "the concern that has emerged is, will all this be caught up short simply because people don't trust the computer system?"

Heightened Alert

Clearly, the world is more focused on cybersecurity than it was more than a year ago, when Microsoft internally conceived its Trustworthy Computing initiative. Then came terrorist attacks and the widespread Nimda worm.

Since Microsoft announced its Trustworthy Computing concept, it has hosted a security conference and even declared a one-month moratorium on software development. Programmers instead used the time to swat bugs and close holes.

Some security efforts began three years ago, when Microsoft applied for Common Criteria for Information Technology Security Evaluation for Windows 2000, a federal standard. The shrink-wrapped retail version earned the certification--not a specialized version--so anyone can benefit from its verified security, he added.

Today, security issues claim as much as 40 percent of Microsoft's spending in some development projects, Mundie said. During its recent Windows security assessment, Microsoft "spent about $100 million on the analysis of both shipped versions and what we could do in new design choices for both the .Net server process and subsequent implementations," notably Longhorn, the Windows update not due out for several years.

"We recognized that to address this we had to do it pervasively, and that requires a culture change," Mundie said. For example, loading applications with features is a common competitive tactic, but also results in lots of features that are infrequently used, and they are often ripe for security holes, he said.

Pervasive Priority

The crux of the Trustworthy Computing effort is a memo by Microsoft Chair Bill Gates pointing out that it doesn't matter how good a product is, if people don't trust Microsoft and trust its work, the product won't succeed. Consequently, security issues are considered in all projects.

For example, Microsoft is working toward self-monitoring systems with features such as Windows Update, which automatically checks for critical updates, Mundie says.

Service Pack 1 for Windows XP, released in September, changes defaults for several functions to the more secure alternative. For example, if you don't have encryption activated on a wireless link, the OS won't automatically install the link and connect you. Also, the firewall configuration default is changed to on.

The Service Pack also plugged a number of security holes, including one serious flaw that Microsoft had not previously acknowledged. Mundie didn't mention it, but Microsoft also recently provided a separate fix for that hole after some customers reported problems installing SP1.

As another security measure, Microsoft beefed up the parental controls in MSN 8, the recently-released client for its online service.

More Doors Ahead

Security is a priority in future products, Mundie says.

"We view this as a long journey," he says. "The stage right now is remediation, fixing sins of the past, and making design changes for future."

Microsoft continues to develop its digital rights management technology, already built into Media Player and Reader to protect copyrighted material. Another major effort, called Palladium, is a hardware-software security measure about which Microsoft has revealed little publicly.

Palladium is designed to help devices that communicate with each other clearly identify their origin, including the software they're running and the person using them, to enable greater trust and smoother information exchange, Mundie says. It is intended to extend to general devices the kind of security often built into specialized machines.

A year ago, Microsoft observed a dichotomy of goals regarding security, Mundie says. People wanted privacy online and saw anonymity as ensuring it, while technical professionals striving for security saw anonymity as the enemy of security.

But today, "security is about making computers resilient to attack," he says. "As the bad guys get smarter and the tools they use get better, we have to further develop our defenses."


Peggy Watt

PC World