The Journey to Trustworthy Computing: Microsoft Execs Report First-Year Progress
Jan. 15, 2003
In the 12 months since Bill Gates proclaimed to customers Microsoft's commitment to Trustworthy Computing, Microsoft has made fundamental changes companywide to improve security, privacy, business integrity, and reliability in its products.

REDMOND, Wash., January 15, 2003 — It's a birthday of sorts today, but don't expect anyone on the Microsoft campus to pass out birthday cake. Don't look for the party favors. The folks at Microsoft are too busy.

A year ago today, Microsoft Chairman and Chief Software Architect Bill Gates delivered a rare, company-wide memo that outlined a concept he called Trustworthy Computing -- a call-to-action to improve the experience of Microsoft customers regarding what Microsoft has come to call the "four pillars" on which that concept is based: security, privacy, reliability and business integrity. Although Microsoft had been working towards this goal for several years, customer feedback told the company that it needed to do a better job.

To find out how Microsoft is delivering on Trustworthy Computing one year later and what that means for its customers, PressPass sat down recently with three of the Microsoft executives responsible for implementing the initiative: Scott Charney, chief security strategist; Craig Fiebig, general manager of the Security Business Unit; and Richard Purcell, corporate privacy officer.

PressPass: What has Microsoft accomplished over the past year in Trustworthy Computing?

Trustworthy Computing After One Year: Highlights

November 2001

  • .NET Framework team conducts final security review of code base before ship


December 2001

  • Secure Windows Initiative team plans for security review of Windows Server 2003 code

  • Publication of "Writing Secure Code" by Michael Howard and David LeBlanc


January 2002

  • Bill Gates issues Trustworthy Computing Memo

  • MSN announces participation in a beta test of the first e-mail certification and seal program, Trusted Sender, to bring consumer trust to commercial e-mail

  • Windows group plans Windows "security push"


February 2002

  • 11,000 employees begin training on writing secure code

  • Windows security standdown begins for threat models and code reviews

  • .NET Framework ships


April 2002

  • Windows security-push standdown ends; implementation and testing continues to late 2002

  • Microsoft Baseline Security Analyzer (MBSA) releases

  • Detailed Privacy Handbook distributed company wide, serves as basis for Privacy Health Index measurement tool


June 2002

  • "Palladium" project announced

  • Software Update Services (SUS) releases, a critical patch deployment tool for small and medium-size businesses


May - July 2002

  • SQL Server, Exchange, Office complete security pushes


September 2002

  • Windows XP SP1 releases

  • MSN 8 launches with new advanced parental controls that help parents improve children's safety online

  • MSN 8 advanced spam prevention and controls

  • With MSN, Microsoft is first company to receive TRUSTe privacy policy certification in EU

  • Windows Media Player 9 Series beta releases with new privacy and security tab to allow user control of personal information

  • Wireless Home-Networking product ships with WEP security turned on as default


November 2002

  • System Management Server (SMS) Feature Packs launch for large businesses

  • Security response communications improves by updating severity rating system and producing consumer security bulletins


December 2002

  • Microsoft Baseline Security Analyzer (MBSA) v1.1 releases

  • "Writing Secure Code" Second Edition publishes

Charney: Let's start by talking about security, one of the four pillars of Trustworthy Computing. We have accomplished a lot, but still have a long way to go, in the security space. Today, our customers have reason to feel more secure in their computing. In the Windows division alone, we made an investment of more than US$100 million to provide greater security, and have enhanced security in four key areas, what we refer to as the "SD3+C paradigm": we made our software more secure by design, secure by default, secure in deployment, and improved communication with customers.

When I say "secure by design," I mean we've made a massive change in how we create software, to make it tougher to compromise. "Secure by default" refers to our decision to turn off some features by default so that our products come out of the box in a more secure mode, and to provide guidance so that users can make their own, informed choices between levels of security and levels of functionality. And "secure in deployment" means we're giving customers new tools to make it easier to maintain their security after our products are deployed in the customer's IT environment. Finally, we have also greatly improved our communication to customers regarding security issues.

PressPass: Let's talk about each of those areas. But first, tell me how you got started. On January 15, 2002, Bill Gates unveiled the Trustworthy Computing Initiative. What did the company do on January 16? How did you begin to implement such a wide-ranging directive?

Fiebig: The process actually began long before January 15 last year. We had gone out on the road to talk and listen to our customers, sitting down next to them in their own environments, to get their take on how best for us to deliver on the idea of a more secure and more trustworthy computing experience. That may sound like a cliché, but it's exactly what we did. Microsoft executives fanned out and talked to thousands of customers around the world to get their input. I've probably talked to several hundred customers over the past year about this myself.

We asked them what was the most important security issue for us to address first, and their consistent answer was that we needed to do a better job on patch management -- on delivering high-quality patches for vulnerabilities and communicating their availability more effectively. So we made that one of our primary efforts this year. It's an example of security in deployment.

Charney: The patch management story illustrates the complexities we've faced as we've made this unprecedented -- and still unrivaled -- effort to make computing more trustworthy. We've heard from customers who told us to get the patches out immediately -- but to test them thoroughly first! We made a conscious decision to test patches thoroughly, even at the cost of quick distribution, because a poorly designed patch provides no security at all. As added quality assurance, we require our Product Support Services organization to sign off on all patches to ensure that they're packaged properly and that they'll install properly for customers.

Security updates are particularly challenging for enterprise customers running a variety of applications and environments, because widely deployed patches could have unintended consequences on legacy or custom code somewhere in those enterprises. For these customers, we introduced Software Update Services (SUS). Customers can download all relevant patches to a SUS server and test the patch safely in their environment before deployment. The patches can then go on approved lists and then other computers in their environment can automatically download them.

Even as we fixed the security update process, customers told us we had to communicate more effectively with them about those updates. So we responded by making changes to our security bulletin system, including the development of a more streamlined distribution process, as well as the creation of non-technical versions of each bulletin, so that all computer users can easily benefit. We had to tinker with this whole process a bit, and it took some time to get it right. However, we now have a system that our customers say they really like. Indeed, improving our communication with customers about security has been a theme throughout the past year.

Fiebig: Before we could make any of these changes in patch management, we first had to address challenges within our own organization. The largely decentralized way we managed development at Microsoft meant that different groups had their own update installers, and users had to manage multiple and sometimes incompatible update processes -- not an acceptable situation. To begin solving that challenge, we created a Patch Management Working Group. We put everyone involved in this issue together in one room and charged them with fixing the problem in a unified way. Based upon conversations with our customers, this group has identified 11 key issues with our patch management process and we are working hard on solutions.

PressPass: You mentioned making products more secure by design.

Fiebig: Sure. In the "secure by design" category, we trained more than 11,000 developers and other employees to write more secure code, and halted new development of Windows for more than two months while we conducted code reviews, threat modeling -- that's an analysis to identify vulnerabilities -- and penetration testing -- that's actually attacking a product in the lab to attempt to cause denials of service or unauthorized access. Again, the challenge here was that we had no model to rely on -- we were doing a "security push" of a type that no one in the industry had ever attempted before. We created a "security push" methodology in the course of developing our security-by-design process.

We've been applying what we learned in Windows development to our other products, such as Office, as they undergo new development cycles. We're also sharing what we learned with customers and the rest of the industry. For example, two of our developers -- Michael Howard and David LeBlanc -- developed a curriculum of best practices for creating secure code and put it into a book that was used as part of the internal security training. Again, the challenge here was that we had no best practices to rely on. We were doing what no one in the industry had done before. The book, "Writing Secure Code," authored by Howard and LeBlanc, came out in December 2001. It's just been published in its second edition that includes the lessons we've learned since then.

Charney: In the "secure by default" category, we turned off or reduced more than 30 settings in the forthcoming Windows Server 2003 to make it more secure. We've taken similar actions with Windows XP Service Pack 1 and Microsoft Office XP Service Pack 1. This is a tremendous cultural change for us and our customers, who are used to products shipping with every feature turned on, so that they'll have maximum functionality out of the box. We have had to explain to customers why we're building the product, so that they can configure it to only run the minimum number of services necessary to accomplish their business purpose for that server.

For example, with Internet Information Services (IIS) 6.0, the Manage Your Server wizard enables customers who need to install IIS to easily do so, but otherwise leaves it turned off by default. By doing that, we've reduced the surface area open to attack by hackers. One CIO told me to install a wizard to automatically turn everything on, to minimize his downtime. The MYS wizard is easy to use and customers and reviewers have been very positive about it. But we made a decision to enable customers to make the conscious choice about what services to install. The whole process takes just a couple minutes.

PressPass: We've spent much of this discussion talking about security, but that is only one aspect of Trustworthy Computing. Can you tell us more about how privacy fits into the initiative?

Purcell: To fully realize the potential of computing technology, people must be able to trust that their information is being used appropriately. What this means is that you need to be confident that both the content of your personal information, and the controls over its use, are secure. The way we see it, privacy is all about creating practices and technologies that put people in better control of their personal information.

As with security, privacy has been a major area of focus at Microsoft for years now. Over the past year, we've continued to work with customers, industry and governments to develop standards and technologies that increase individual control of personal information. The strides we are making are reflected in our latest releases and in changes we have made as a company.

PressPass: What products and services are reflecting these changes today?

Purcell: MSN 8 is a good example. The new parental controls help parents to be in charge of where their kids go online and with whom they exchange e-mail. The spam prevention tools help eliminate 70 percent of junk mail, enabling customers to exercise a key privacy right: the right to be left alone.

Another example is the recently launched Windows Media Player 9 Series, which helps customers to customize their media experience and even to get suggestions for new music they're likely to enjoy. Windows Media Player 9 Series went through the most comprehensive privacy review in the industry. Hundreds of hours were spent examining each and every feature to ensure disclosure of, and user control over, player interactions with the Internet. This has resulted in a robust set of privacy and security settings -- available from the Tools menu by selecting Options -- that helps users to easily understand and control which services are enabled in the player. In addition, when users first launch Windows Media Player 9 Series, a dialog pops onto the screen to help them establish their personal privacy settings and other customization features for the player.

PressPass: You said Microsoft has made changes as a company to enhance privacy. Can you detail some of these changes?

Purcell: We have developed a range of new tools and training seminars for our employees to ensure they fully appreciate the importance of maintaining the privacy of our customers and know how to maintain that privacy when developing products and services or interacting with our customers. We have a comprehensive privacy handbook that outlines policies and best practices for data protection and privacy. We now also offer online training -- a sort of Privacy 101 course. And most importantly, we're now mandating that all groups at Microsoft measure the privacy awareness of their employees and track their progress with something we call the "Privacy Health Index."

PressPass: How did Microsoft's agreement in August with the Federal Trade Commission concerning the Passport online authentication service affect what you are doing in the area of privacy?

Purcell: This agreement has helped us raise the bar for Internet security and privacy. We had been working very hard in this area, and the agreement with the FTC has helped us clarify a number of issues and to ensure we are doing an even better job. Just as importantly, I think this decree helped renew the commitment of the entire industry to ensure all online privacy and security statements and practices are perfectly aligned.

Purcell: Security and privacy are inextricably tied in the eyes of our customers. They want to know how their information is used and that it is safe. The entire premise of Trustworthy Computing is to address all of these issues collectively and enhance trust broadly in ways that make sense for everyone. You can be sure that those of us in the privacy area at Microsoft are working hand in hand with Scott and the security groups to ensure our efforts are synchronized. In fact, my office is right down the hall from Scott's, so you can bet we're always in touch.

PressPass: What advances has Microsoft made in reliability in recent years?

Charney: The Windows group has dedicated the equivalent of 500 years of work time to enhance the reliability of its products. And the investment is really beginning to pay off. The error-reporting features in Windows XP and Office XP are giving us a clearer view of the kinds of problems we and industry partners need to fix with service packs, future releases or through another new advance, Microsoft Windows Update. Windows Update is a Web service that closes the customer-feedback loop. It allows customers to keep their computers current with the latest technology, especially security and compatibility updates, by automatically notifying them when updates are available. We've also recently created a secure Web site for our software and hardware vendors to review the error reports and help us identify recurring problems. As a result of our close cooperation with hardware vendors, more and more customers are achieving server availability with Windows 2000 Server of 99.999 percent and even 100 percent.

PressPass: How much of Microsoft's work around reliability shows up in Windows Server 2003?

Charney: A great deal of it. Windows Server 2003 was built to significantly surpass Windows 2000, our previous benchmark for reliability. We have reviewed every line of code underlying this server family to root out possible failure points or exploitable weaknesses. We have also introduced new and enhanced features to increase reliability. The new Common Language Runtime (CLR) software engine reduces downtime that is a result of bugs and security holes caused by common application-programming errors. CLR doesn't reduce the number of bugs in an application running on the program, but it does prevent an application-programming error from bringing down the server.

Also, both the enterprise and datacenter editions of Windows Server 2003 will support 8-node clustering and network load balancing, which helps improve the performance of Web-based applications and services, as well as contributes to the higher availability of the system.

PressPass: What is "business integrity" about and how has that advanced in the past year?

Purcell: Business integrity means that not only do people have to trust a company's products; they need to also trust its business practices. At Microsoft, we understand that acting responsibly with customers involves being transparent in all business dealings, hiring and promoting according to core values of integrity, leadership and passion, and carefully and respectfully addressing problems with products or services.

This kind of transparency has a direct correlation to establishing trust with customers by building loyalty and long-term customer relationships.

PressPass: What can customers look forward to in Year Two of Trustworthy Computing?

Charney: We will continue to focus on all four pillars of Trustworthy Computing including, in the security space, our SD3+C paradigm (secure by design, secure by default, secure in deployment, and communications). Windows Server 2003, our first product designed from the ground-up for greater security, is expected to ship on April 24, so customers will get a much better sense of what we've been doing to enhance security by design.

We'll continue to look at the default settings of products rolling out throughout the year to ensure greater security by default out of the box. And we'll boost security in deployment by introducing new security products and continuing to improve the patch management process and tools that became available this past year, such as the Software Update Services that I mentioned earlier, and the Microsoft Baseline Security Analyzer, which customers can use to help identify many security issues in their deployments of Windows 2000 Server, Windows XP, and some of our other products. Trustworthy Computing is a long journey. We expect to continue to build on year one's progress for years to come.
