RealTime IT News

Microsoft Ties Security to VeriSign, Certifications

Microsoft moved to bolster its code-securing effort, the Trustworthy Computing Initiative, by announcing two security initiatives Tuesday.

Microsoft and VeriSign said they would jointly develop improved solutions for authentication security, digital rights management (DRM) and other online security enhancements. Financial terms of the deal were not disclosed.

The new security products from Microsoft-VeriSign are aimed at achieving improvements in existing software, while providing automated renewal of digital certificates, secure e-mail and digital signatures. The alliance also plans to help improve network security with reliable access to wireless LANs or virtual private networks.

The two partners also said they plan to help customers embed PKI (public key infrastructure) security into desktop and networked applications.

Microsoft also announced the availability of a new security certification program for system administrators and systems engineers: MCSA: Security and MCSE: Security. These programs will give IT professionals training to improve enterprise security.

"By introducing these new certifications, we're supporting the 'Secure in Deployment' tenet of the company's Trustworthy Computing Initiative," said Lutz Ziob, general manager for Microsoft's Training and Certification group. "This tenet speaks to an organization's ability to apply recognized and established best practices around security, so that Microsoft products and technologies are rolled out in the most secure way possible. We've taken those best practices and developed prescriptive certification tracks to help IT professionals demonstrate their acumen in designing and implementing a secure computing environment. We've also included CompTIA's Security+ credential in these tracks to extend the certifications to include cross-platform skills as well."

"Microsoft is beginning to make real progress in Trustworthy Computing on behalf of our customers and partners, particularly in the way we think about, design and develop our products and services to be more secure, reliable and privacy-compliant from the start," Scott Charney, chief trustworthy computing strategist at Microsoft, said during his Tech Ed 2003 keynote in Dallas Tuesday.

"Although much work remains to be done, we are delivering tools and resources so customers and partners can successfully manage their networks for optimum security in deployment."

Still, critics of Microsoft's security strategy have had a lot of fodder with the recent discovery of security holes in its Passport personal information storage service, which were later patched, and other questionable levels of security for critical applications for businesses, governments and individuals.

But the Trustworthy Computing Initiative is trying to change that, and Charney, together with Nico Popp, vice president of product development in the Security Services Division at VeriSign, said new efforts will see the two partners developing several security initiatives for enterprise customers, including PKI auto enrollment of VeriSign certificates, interoperability of certificate authorities, and secure mobile access. The initiatives will be built on the Windows Server 2003 PKI platform.

The pact is expected to improve upon the existing use of digital signatures in Microsoft's Windows Server 2003. Digital signatures provide some authentication security, but with the recent security problems associated with Microsoft's Passport product, the company is moving to improve security software within its products.

The deal aims to provide improved online security, especially for remote access. The two companies will build the security solutions into not only Microsoft's Windows Server 2003, but also VeriSign's Managed PKI (public key infrastructure) Services.

VeriSign specializes in making server software that is able to handle a large number of digital signatures, and is expected to launch a service later this year that will be closely tied to the new features inside Microsoft's Windows Server 2003.

Improvements in digital signatures could be helpful in the exchange of contracts and proposals sent over networks. In addition, corporate partners could send documents that would include a digital rights management tag along with an e-mail, which would enhance document security for both parties.

The two companies said they would market the new solutions to enterprise users aiming to provide secure online information and digital identity management systems.

Developing reliable and secure PKI authentication systems has proven to be complicated and difficult, as many companies have been slow to install the servers and software to support the technology.

VeriSign's deal with Microsoft for authentication security and digital rights management is not exclusive, and the company is expected to strike similar deals with a variety of other software vendors.

Microsoft said that CompTIA Security+ supports the industry-wide objectives of the two new certifications. Candidates will have a choice between Security+ and the Microsoft Internet Security and Acceleration (ISA) Server 2000 exam to satisfy one of the specialization requirements for the MCSA: Security and MCSE: Security certifications, CompTIA added in a statement.

Both the MCSA: Security and MCSE: Security certifications are specific to Windows 2000 and immediately available. Microsoft said certifications for the Windows Server 2003 platform will be available later in the year. To earn the certifications, Microsoft said candidates will have to pass core exams for either the MCSE or MCSA credentials, and then pass a number of security specialization exams to demonstrate ability in areas like security foundations, security implementation and security design.

"While the core MCSA and MCSE certifications validate the ability to implement baseline security measures, the new MCSA: Security and MCSE: Security designations go beyond that baseline and look specifically at things like managing and troubleshooting service packs and security updates, and being able to implement and troubleshoot secure communications channels," Ziob said. "This might include the implementation of IPSec or the wireless encryption protocol, or the configuration of remote access security, so that people can engage remotely using a virtual private network, or VPN. It might also include Smart Card or biometric authentication methods, as well as advanced security procedures, such as implementing a public key infrastructure, or PKI."