Microsoft: Internet, PCs Need New Security Model

Microsoft's Scott Charney at RSA
Microsoft’s Scott Charney at RSA
Source: RSA Conference

SAN FRANCISCO — Scott Charney admits it. His friends laughed because he used the words “Microsoft” and “security” in the same sentence back when he joined the software giant in 2002.

But with Microsoft’s (NASDAQ: MSF) big push into what it calls end-to-end trust, it’s time for the laughter to stop, says its chief security strategist, more formally known as corporate vice president for trustworthy computing.

During a keynote presentation here at the RSA Conference, Charney touted Microsoft’s progress with ways of ensuring that applications and other executables are legitimate, like identity systems, code signing, and Trusted Platform Modules (TPMs) — microcontrollers, often based on a PC’s motherboard, that store digital certificates, keys and passwords.

TPMs, especially, are critical in Microsoft’s vision of how security needs to develop. While the company has been pushing these technologies for nearly a decade, Charney said he believes that security has reached a point where dealing with it purely on the software side isn’t enough.

Trust is crucial to continued growth on the Internet, he said, and “we have to root trust in hardware, because it’s less malleable than software.”

And that, of course, requires collaboration and cooperation across the board — software and hardware vendors, consumers, enterprises, and society as a whole.

“We need to have alignment,” he said. “We need alignment between social forces, economic forces, political forces, and IT. Too often, the information technology community has a solution, but they can’t figure out how to monetize it or it’s not acceptable for some other reason. Too often, the politicians may have an objective, a worthy one like protecting children online, but the technology is not supportive and it has too many unintended consequences.”

“Too often, good ideas fail because the alignment isn’t there,” he added.

The goal of Microsoft’s End-to-End Trust Initiative, launched at last year’s RSA Conference, is to build a “trusted stack” incorporating all these layers by weaving in components to authenticate everything, including the user, the applications, the hardware and even the data itself.

He noted that the beta release of Windows 7 includes TPM support to enable encryption at the hardware level. Vista has tried to accomplish much the same thing with BitLocker, while Windows 7 will make portable USB devices secure through an encryption feature called BitLocker-to-Go.

“Trust” doesn’t mean the same thing to everyone, Charney said. “I do not mean absolute trust. This is not a binary concept,” he said. “Trust has to be reasonable and relative to what you’re trying to accomplish.”

[cob:Special_Report]Charney touted Microsoft’s claims-based identity system called Geneva, which is currently being tested in a Washington school district that includes 50 schools and nearly 24,000 students. Under the system, students, parents, teachers and administrators establish their identity in person at the outset, and then receive netbooks with identity information coded in that allows them to access educational materials online.

One highlighted example showed an online calendar that displayed only the events and activities directly related to the specific user accessing it.

The idea, he said, is to create a different model for thinking about identity that doesn’t rely on “secrets” such as place of birth or mother’s maiden name that aren’t in fact secret at all.

“The Internet has created incredible opportunities for our society such as e-commerce, new social interactions and more efficient government,” he said. “But it has also attracted the attention of criminals. While we believe the benefits of using the Internet far outweigh the risks, people still need to be safer online than they are today.”

News Around the Web