Trustworthy Computing
Peter Birch, Senior Architectural Engineer, Microsoft Ltd (UK)
Agenda
• Why is Security important?
• What is Trustworthy Computing?
• What are we doing today?
• Microsoft Security Response Centre
• Secure Windows Initiative
• The Strategic Technology Protection Program
• The future challenges – Questions?
Leaving Messages
• Microsoft is as committed to developing the trusted computing model as it was to moving into the internet and adopting .NET
• Security is part of Trustworthy Computing and can only be achieved through partnership & teamwork
• Security is ‘the journey’; there is no end point
[Chart: Reported Vulnerabilities by OS in 2001. Y-axis: Number of incidents. X-axis: Platform (MandrakeSoft Linux 7.2, SCO Open Server 5.0.6, Redhat Linux 7.0, Sun Solaris 8.0, Windows 2000).]
An Industry-Wide Problem
• Security breaches common
• Windows UPnP
• Oracle 9i Buffer Overrun
• AOL AIM
• CDE/Solaris
• Viruses
• Nimda, Code Red show tangible and cyber-worlds inextricably linked
John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq
UK Survey (PWC / DTI report)
• 44% of UK businesses have suffered at least one malicious security breach
• Average cost of a serious incident: £30,000
• Virus was the single largest cause of security breaches (33% of incidents)
• Yet 1% investment, 27% have a security policy, 49% have procedures for DPA, 11% have incident response, 44% have any type of insurance
• http://www.dti.gov.uk/cii/docs/sbsreport_2002.pdf
Microsoft is committed
• “Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work” – Bill Gates
• “In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security” – Bill Gates
What is Trustworthy Computing?
The Trustworthy Computing initiative at Microsoft is a long-term, company-wide initiative to deliver Trustworthy Computing experiences based on security, privacy, reliability and business integrity to our customers and the industry, via the .NET platform and other Microsoft products and services.
Why Trust?
• Computers generally do not engender trust
• Early stage of adoption
• Trust is not just security, as it involves perception and environment
• Telephones - almost always there when we need them, do what we need them to do, work as advertised, and are reliably available.
• A combination of engineering, business practice, and regulation
Trustworthy Computing
Security
• Resilient to attack
• Protects confidentiality, integrity, availability and data
Privacy
• Individuals control personal data
• Products and Online Services adhere to fair information principles
Reliability
• Dependable
• Available when needed
• Performs at expected levels
Business Integrity
• Help customers find appropriate solutions
• Address issues with products and services
• Open interaction with customers
Microsoft Security Response Centre
• Dedicated team in the Microsoft Security Response Centre
• Policy Commitment
• Investigates all threats (Secure@microsoft.com)
• Weekly Exec status
• Customer bulletins - plain language
• www.microsoft.com/security
• Education
• Brings back experience into the Product group
• Non-disclosure of threats in the investigation phase
• Trusted Computing Conf in Nov. - Developing new procedure standard with @stake, BindView, Foundstone, Guardent, Internet Security Systems,
Secure Windows Initiative
• “To improve the security of all our software and products, so that our customers will get the level of security they require”
• Training – dedicated security courses
• Testing – internal / external experts (inc. Universities). Penetration group. Systems up on the web
• Tools – Automated analysis tools, e.g. Prefix / Prefast, RPC stress testing
• Process – RAID, Security bug bash, Automated & Managed sign off
• Product – Security over Feature – turn off services
Strategic Technology Protection Program
Offering
• No-charge support for virus-related incidents
• Premier Support and Security workshops & services – Get Secure & Stay Secure
Online
• Security resource site: www.microsoft.com/security
• Microsoft Security Notification Service
• Windows Security Newsletter
Product
• Microsoft Security Tool Kit, Security Configuration Checklists, and PAG
• Security maintenance tools and resources
• Reboot only where necessary
• MSBA, MSUS
Future Directions
[Diagram labels: Devices, Services, Apps]
• Machine-machine processes
• Self-management by policy
• Loosely coupled, self-configuring, self-organizing, adaptive
• Edge of the network
• Peer-to-peer applications; distributed processing, storage
• New development, testing, operations, auditing tools
• Hardware and networking improvements
• Failover, redundancy; impervious to physical modifications; theft or loss;
• Rigorous authentication, key management
News
• Windows 2000 achieves Common Criteria at EAL4
• Professional, Server, and Advanced Server
• Systematic Flaw Remediation
• Includes Active Directory, Kerberos, IPsec, EFS, Single Sign-on, etc.
• Wide range of real-life deployment scenarios tested
• Windows XP and Windows .NET Server 2003 will enter evaluation
Leaving Messages
• Microsoft is as committed to developing the trusted computing model as it was to moving into the internet and adopting .NET
• Security is part of Trustworthy Computing and can only be achieved through partnership & teamwork
• Security is ‘the journey’; there is no end point
Questions?
Visit http://www.microsoft.com/security for current information on security
Building a Secure Platform for Trustworthy Computing Whitepaper: http://www.microsoft.com/enterprise/articles/security.asp