Microsoft Ties Security to VeriSign, Certifications

Microsoft moved to bolster its code-securing effort called Trustworthy Computing Initiative by announcing two security initiatives Tuesday.

Microsoft and VeriSign said they would jointly develop improved solutions for authentication security, digital rights management (DRM) and other online security enhancements. Financial terms of the deal were not disclosed.

The new security products from Microsoft-VeriSign are aimed at achieving improvements in existing software, while providing automated renewal of digital certificates, secure e-mail and digital signatures. The alliance also plans to help improve network security with reliable access to wireless LANs or virtual private networks .

The two partners also said they plan to help customers embed PKI (public key infrastructure) security into desktop and
networked applications.

Microsoft also announced the availability of a new security certification
program for system administrators and systems engineers: MCSA: Security and
MCSE: Security. These programs will
give IT professionals training to improve enterprise security.

“By introducing these new certifications, we’re supporting the “Secure in
Deployment” tenet of the company’s Trustworthy Computing Initiative,” said
Lutz Ziob, general manager for Microsoft’s Training and Certification
group. “This tenet speaks to an organization’s ability to apply recognized
and established best practices around security, so that Microsoft products
and technologies are rolled out in the most secure way possible. We’ve
taken those best practices and developed prescriptive certification tracks
to help IT professionals demonstrate their acumen in designing and
implementing a secure computing environment. We’ve also included CompTIA’s
Security+ credential in these tracks to extend the certifications to
include cross-platform skills as well.”

“Microsoft is beginning to make real progress in Trustworthy Computing on
behalf of our customers and partners, particularly in the way we think
about, design and develop our products and services to be more secure,
reliable and privacy-compliant from the start,” Scott Charney, chief
trustworthy computing strategist at Microsoft, said during his Tech Ed
2003 keynote in Dallas Tuesday.

“Although much work remains to be
done, we are delivering tools and resources so customers and partners can
successfully manage their networks for optimum security in deployment.”

Still, critics of Microsoft’s security strategy have had a lot of fodder
with the
recent discovery of security holes in its Passport personal information storage service, which were later patched, and other questionable levels of security for critical applications for businesses, governments and individuals.

But the Trustworthy Computing Initiative is trying to change that, and
Charney, together with Nico Popp, vice president of product development in
the Security Services Division at VeriSign , said new
efforts will see the two partners developing several security initiatives
for enterprise customers, including PKI auto
enrollment of VeriSign certificates, interoperability of certificate
authorities, and secure mobile access. The initiatives will be built on the
Windows Server 2003 PKI platform.

The pact is expected to improve upon existing security use of digital
signatures for Microsoft’s Windows Server 2003. Digital signatures provide
some authentication security, but with the recent security problems
associated with Microsoft’s Passport product, the company is moving to
improve security software within its products.

The deal aims to provide improved online security, especially for remote
access. The two companies will build the security solutions into not only
Microsoft’s Windows Server 2003, but also VeriSign’s Managed PKI (public key infrastructure) Services.

VeriSign specializes in making server software that is able to handle a
large number of digital signatures, and is expected to launch a service
later this year that will be closely tied to the new features inside
Microsoft’s Windows Server 2003.

Improvements in digital signatures could be helpful in the exchange of
contracts and proposals sent over networks. In addition, corporate partners
could send documents that would include a digital rights management tag
along with an e-mail, which would enhance document security for both
parties.

The two companies said they would market the new solutions to enterprise users aiming
to provide secure online information and digital identity management
systems.

Developing reliable and secure PKI authentication systems has proven
to be complicated and difficult, as many companies have been slow to
install
the servers and software to support the technology.

VeriSign’s deal with Microsoft for authentication security and digital
rights management is not exclusive, and the company is expected to strike
similar deals with a variety of other software vendors.

Microsoft said that CompTIA Security+ supports the industry-wide objectives
of the two new certifications. Candidates will
have a choice between Security+ and the Microsoft Internet Security and
Acceleration (ISA) Server 2000 exam to satisfy one of the specialization
requirements for the MCSA: Security and MCSE: Security certifications,
CompTIA added in a statement.

Both the MCSA: Security and MCSE: Security certifications are specific to
Windows 2000 and immediately available. Microsoft said certifications for
the Windows Server 2003 platform will be available later in the year. To
earn the certifications, Microsoft said candidates will have to pass core
exams for either the MCSE or MCSA credentials, and then pass a number of
security specialization exams to demonstrate ability in areas like security
foundations, security implementation and security design.

“While the core MCSA and MCSE certifications validate the ability to
implement baseline security measures, the new MCSA: Security and MCSE:
Security designations go beyond that baseline and look specifically at
things like managing and troubleshooting service packs and security
updates, and being able to implement and troubleshoot secure communications
channels,” Ziob said. “This might include the implementation of IPSec or
the wireless encryption protocol, or the configuration of remote access
security, so that people can engage remotely using a virtual private
network, or VPN. It might also include Smart Card or biometric
authentication methods, as well as advanced security procedures, such as
implementing a public key infrastructure, or PKI.”

News Around the Web