Life in the Fast Lane or Creating a more trustworthy Internet PowerPoint PPT Presentation



Life in the Fast Lane or Creating a more trustworthy Internet. Doug Cavit Chief Security Strategist Trustworthy Computing. The Internet Revolution. Beneficial change. Social: Enabling a global village Economic: Easier, faster, cheaper commerce Political: Freer exchange of ideas.


Presentation Transcript


Life in the Fast Lane or Creating a more trustworthy Internet

Doug Cavit

Chief Security Strategist

Trustworthy Computing



The Internet Revolution

Beneficial change

  • Social: Enabling a global village

  • Economic: Easier, faster, cheaper commerce

  • Political: Freer exchange of ideas

Undesirable change

  • Loss of data subject control over information

  • Rise in identity theft

  • Targeted attacks against businesses & governments

  • Increases in other types of online and tech-facilitated crimes

Now required: End to End Trust

  • Users must be empowered to make informed trust decisions (including accepting the risks of anonymity)

  • Strong identity claims and reputation must be available to enhance security, privacy, and trust

  • Better accountability must be created to deter crime and facilitate responses


Threat Trends

Exponential Growth of IDs: Identity and access management challenging

Chart: Number of Digital IDs over time, from mainframe (Pre-1980s) through client/server (1980s) and Internet (1990s) to mobility (2000s). Segments shown are B2E, B2B and B2C, with annotations marking the largest segment by $ spent on defense, the largest area by $ lost, and the fastest growing segment.

Increasingly Sophisticated Malware: Anti-malware alone is not sufficient

Chart: Number of variants from over 7,000 malware families (1H07). Source: Microsoft Security Intelligence Report (January – June 2007)

Crime On The Rise

Chart: attacker motivation (Curiosity, Personal Fame, Personal Gain, National Interest) against attacker skill (Script-Kiddy, Amateur, Expert, Specialist), with attacker types Author, User, Vandal, Trespasser, Thief and Spy placed on the grid and the largest area by volume marked.

Attacks Getting More Sophisticated: Traditional defenses are inadequate

Chart: attack surface by layer: GUI, Applications, Drivers, O/S, Hardware, Physical

  • Examples

    • Spyware

    • Rootkits

    • Application attacks

    • Phishing/Social engineering



Microsoft's Commitment to TwC

Trustworthy Computing

Security

  • Secure against attacks

  • Protects confidentiality, integrity & availability of data & systems

  • Manageable

Privacy

  • Protects from unwanted communication

  • Controls for informational privacy

  • Products, online services adhere to fair information principles

Reliability

  • Dependable, Available

  • Predictable, consistent responsive service

  • Maintainable

  • Resilient, works despite changes

  • Recoverable, easily restored

  • Proven, ready

Business Practices

  • Commitment to customer-centric Interoperability

  • Recognized industry leader, world-class partner

  • Open, transparent

  • Launched in January 2002

  • A Microsoft company-wide mandate



  • Security Fundamentals

  • Security Development Lifecycle

  • Security Response Center

  • Better Updates And Tools



Security And Privacy Progress

SDL and SD3

  • Security Development Lifecycle process

    • Engineered for security

    • Design threat modeling

  • SD3:

    • Secure by Design

    • Secure by Default

    • Secure In Deployment

  • Automated patching and update services

Defense in Depth

  • Malware Example

    • Consumer Education

    • Laws

    • Firewalls

    • Antivirus Products

    • Antispyware Products

    • Malicious Software Removal Tool

    • Memory Management (ASLR)

    • Law Enforcement

Threat Mitigation

  • Microsoft Security Response Center (MSRC)

  • Microsoft Malware Protection Center (MMPC)

  • Windows Live OneCare and Forefront Client Security, powered by the Microsoft Malware Protection Center

  • SPAM (Sender ID, Phishing Filters)

  • Network Access Protection (NAP/NAC)


Building a Trusted Stack

Diagram: a Trusted Stack of Trusted Hardware, Trusted Software, Trusted People and Trusted Data, resting on a Secure Foundation (SDL and SD3, Defense in Depth, Threat Mitigation) with Integrated Protection. The Core Security Components, “I+4A”, are Identity Claims, Authentication, Authorization, Access Control Mechanisms and Audit.



Making Effective Trust Decisions

  • Trust decisions …

    • are not binary

    • may change as circumstances change

    • are auditable

    • may be rolled back if bad

  • Effective trust decisions must

    • Be based on a trusted stack

    • Balance privacy, security & risk

    • Be easy and informed

    • Be made automatically where possible

  • Can people protect themselves and their family as they can in the physical world?

Diagram: privacy and security balanced across Trusted Data, Trusted People, Trusted Software and Trusted Hardware.



Building Alignment

  • Successful end-to-end trust needs solutions aligned with

    • Societal values

    • Market forces

    • Regulatory environment

  • These ideas, raised by many before, have not been implemented, in part because of misalignment

  • We must come together to change the status quo, and find ways to address international barriers to implementation



Benefits

  • Reduce types and severity of threats (e.g., de-value PII and reduce ID Theft)

  • Create accountability for online crime

  • Enable greater, safer personal Internet usage

  • Enter new markets, expand Internet presence, and collaborate with partners and customers while reducing costs and risks

  • Improve public safety and national security efforts, including disaster response (e.g., priority routing)



TwC for the Internet

TwC – a good foundation

Enterprises can secure intranets, Internet not yet safe

People would do more online if they felt safer

TwC for the Internet

  • Vulnerabilities greatly reduced but will never be zero

  • Defense in Depth limits damage but cannot eliminate successful attacks

  • Disabling features only protects against misuse of unused features

  • For-profit crime is driving increasingly sophisticated attacks

  • Too hard to know if a computer should be trusted

  • Not possible to prove claims of identity beyond the intranet

  • Porous enterprise boundaries make suspicious activity harder to detect

  • Users need to be able to assess risks

    • connecting to sites

    • using software

    • interacting with people

  • Users need assurance of security & privacy

  • Identity claims when required need to be provable

  • Users need to be able to choose to be anonymous

  • Users need informed control of their computing experience

  • Users need a simple way to make trust decisions on sites, software & data

  • Bad actors like online criminals should be held accountable for their actions, which harm security and privacy

  • Requires broad industry, government and citizen collaboration


Establishing End to End Trust

Trusted Stack

  • Needed for a trusted stack

    • HW, SW, people & data validation

    • Robust trust model

    • Informed decisions based on integrity & reputation

  • Scalable across all user scenarios

Core Security Components

  • Identity Claims

  • Authentication

  • Authorization Policies

  • Access Control Mechanisms

  • Audit

Trust Founded on “Identity Claims,” not Identity

  • Authenticate users on certified attributes

  • In-person proofing

  • Protects identity, reveals only data required to be

    • Authenticated

    • Authorized for Access

  • Actions auditable, and privacy protected

  • Stolen identity claim insufficient to cause data breach or ID loss

Protecting Privacy

  • Users should be able to control their PII

  • Anonymity should be protected in appropriate contexts as a key social value, and clear to all parties

Diagram: trusted stack layers Data, People, Software, Hardware.
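The "I+4A" flow the two previous slides describe (identity claims, authentication, authorization, access control, audit) and the properties asked of trust decisions (auditable, revocable, claims that reveal only the attributes a decision needs, a stolen claim that is useless elsewhere) are easier to see in code. The following is an added illustration, not code from the presentation or from Microsoft; the issuer key, the audience name, the `over_18` / `payment_verified` attribute names and the resource policy are all constructed for the example, and an HMAC stands in for whatever signature scheme a real issuer would use.

```python
import hashlib
import hmac
import json

# Constructed key shared between a hypothetical claims issuer and the service.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"
SERVICE = "store.example"  # constructed audience name for the relying service

# Assumed authorization policy: resource -> certified attributes required.
POLICY = {
    "catalog": set(),
    "checkout": {"over_18", "payment_verified"},
}


def issue_claim(key, subject, attributes, audience, ttl_s, now):
    """Issuer side. The claim carries only certified attributes (e.g. 'over_18'
    rather than a date of birth), and is bound to one audience and a lifetime,
    so a copy replayed to another service or after expiry is rejected."""
    body = {"sub": subject, "attr": sorted(attributes), "aud": audience,
            "exp": now + ttl_s}
    payload = json.dumps(body, sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def authenticate_claim(key, claim, audience, now):
    """Authentication: verify the issuer's tag, then audience and expiry.
    Returns the verified body, or None if the claim cannot be trusted."""
    expected = hmac.new(key, claim["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, claim["tag"]):
        return None
    body = json.loads(claim["payload"])
    if body.get("aud") != audience or now >= body.get("exp", 0):
        return None
    return body


class RelyingService:
    """Authorization, access control and audit for one relying service."""

    def __init__(self, name, key, policy):
        self.name = name
        self.key = key
        self.policy = policy
        self.revoked = set()  # subjects whose trust decision was rolled back
        self.audit = []       # append-only decision log

    def decide(self, claim, resource, now):
        """Access-control decision, returned as (allowed, reason). Every
        decision is audited with the attribute names it used, never PII."""
        body = authenticate_claim(self.key, claim, self.name, now)
        if body is None:
            return self._record(None, resource, False, "unauthenticated claim", now)
        if body["sub"] in self.revoked:
            return self._record(body["sub"], resource, False, "trust revoked", now)
        needed = self.policy.get(resource)
        if needed is None:
            return self._record(body["sub"], resource, False, "unknown resource", now)
        missing = needed - set(body["attr"])
        if missing:
            reason = "missing attributes: " + ",".join(sorted(missing))
            return self._record(body["sub"], resource, False, reason, now)
        return self._record(body["sub"], resource, True, "policy satisfied", now)

    def revoke(self, subject):
        """Roll back trust in a subject whose earlier decision turned out bad."""
        self.revoked.add(subject)

    def _record(self, subject, resource, allowed, reason, now):
        self.audit.append({"t": now, "sub": subject, "res": resource,
                           "allowed": allowed, "reason": reason})
        return allowed, reason


def demo():
    """Run the flow on constructed claims and return the decisions taken."""
    now = 1_700_000_000
    svc = RelyingService(SERVICE, ISSUER_KEY, POLICY)
    alice = issue_claim(ISSUER_KEY, "alice", {"over_18", "payment_verified"},
                        SERVICE, 600, now)
    bob = issue_claim(ISSUER_KEY, "bob", {"over_13"}, SERVICE, 600, now)
    # Tampered copy of bob's claim: attribute edited, tag left unchanged.
    forged = {"payload": bob["payload"].replace('"over_13"', '"over_18"'),
              "tag": bob["tag"]}
    results = {
        "alice_checkout": svc.decide(alice, "checkout", now)[0],
        "bob_checkout": svc.decide(bob, "checkout", now)[0],
        "bob_forged": svc.decide(forged, "checkout", now)[0],
        # Alice's claim replayed to a different service: audience mismatch.
        "alice_elsewhere": RelyingService("other.example", ISSUER_KEY, POLICY)
                               .decide(alice, "catalog", now)[0],
        "alice_expired": svc.decide(alice, "checkout", now + 601)[0],
    }
    svc.revoke("alice")
    results["alice_after_revoke"] = svc.decide(alice, "checkout", now)[0]
    results["audit_entries"] = len(svc.audit)
    return results
```

The point of the split is that each component is replaceable on its own: the issuer decides which attributes it will certify, the relying service decides which attributes a resource needs, and the audit log records the outcome of every decision without ever holding the PII behind the attributes.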


End To End Trust

Diagram: the Trusted Stack (Trusted Hardware, Trusted Software, Trusted People, Trusted Data) on a Secure Foundation (SDL and SD3, Defense in Depth, Threat Mitigation) with Integrated Protection and the Core Security Components “I+4A” (Identity Claims, Authentication, Authorization, Access Control Mechanisms, Audit), surrounded by the external forces that shape it: Economic Forces, Social Requirements, Political/Legislative.



Imagine If We Had…

  • Safe electronic playgrounds for children

  • Secure and easy electronic commerce with minimal identity theft

  • Trustworthy systems and connections with user control

  • Far less need to disclose personally identifiable information

  • A more secure infrastructure able to respond in real-time to developing threats



© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.



Appendix

Unused Slides for Scott’s standard keynote



Next Steps

  • www.microsoft.com/endtoendtrust

We need a broad dialogue on

  • Technology Innovations

  • Economic Forces

  • Political Standards

  • Social Change



Return to Some Scenarios

  • Safe electronic playgrounds for children

  • Secure and easy electronic commerce with minimal identity theft

  • Trustworthy systems and connections with user control

  • Far less need to disclose personally identifiable information

  • A more secure infrastructure able to respond in real-time to developing threats
