Enabling Secure Anywhere Access in a Connected World
Published: February 6, 2007
During the last decade, digital technology has changed the world in profound and exciting ways. Today we communicate instantly with the people we care about without worrying about traditional limitations of time and location. At work, we collaborate with colleagues in distant cities. Global supply chains enable businesses to manufacture products and move them to market with incredible speed and efficiency. Mobile devices ensure that we are productive no matter where we are.
But these changes are just the beginning. As more and more of the world's information, commerce, and communications moves to digital form, it will open the door to a new world of connected experiences that link our interests and our communities into a seamless whole that extends across home, work, school, and play.
Already, a new generation of technology is transforming expectations for how we will conduct business, communicate, access entertainment, and much more. Increasingly, people envision a world of anywhere access - a world in which the information, the communities, and the content that they value are available instantly and easily, no matter where they are.
Of course we're not quite there yet. But whether we get there or not is no longer a question of the power of our devices and the speed of our connections. The real issue today is security. Ultimately, anywhere access depends on whether we can create and share information without fear that it will be compromised, stolen, or exploited.
The answer lies in trust - in creating systems and processes that are always secure so that people and organizations have a high degree of confidence that the technology they use will protect their identity, their privacy, and their information. This is an imperative that transcends any one company. Success will require hard work and extensive cooperation between companies, governments, and organizations from around the world.
Trust and security are critical priorities for Microsoft. I wanted to share my thoughts with you about the changing nature of security and the work that is being done at Microsoft to advance trust in computing and to help pave the way for future connected experiences based on secure and easy anywhere access.
Connectivity and the Evolving Threat Landscape
Today, connectivity - the basic foundation for anywhere access - can be a double-edged sword. Connectivity that streamlines the flow of information and communications can also open the door to malicious users. Meanwhile, where publicity once motivated many digital attacks, criminal financial gain is behind most security threats today. So in addition to viruses and worms, we must contend with spyware that logs keystrokes; rootkits that are used to hijack computers; and social engineering threats where criminals try to trick people into divulging the personal data needed to exploit digital information.
How widespread is the problem? In the United States last year, security breaches - some inadvertent, some purposeful and criminal - exposed the personal information of more than 100 million people. In 2005, 46 percent of fraud complaints filed with the U.S. Federal Trade Commission were Internet related. A 2006 report from the Cyber Security Industry Alliance noted that 50 percent of Internet users are afraid their credit card information will be stolen. No company is immune to the danger. Malware targets products from virtually every software vendor. Every business is vulnerable to the risks that come with unauthorized access to corporate information.
In this changing threat environment, striking the right balance is extremely difficult. Easy access speeds communications but increases the danger that confidential information will be exposed. Stringent security measures reduce risk, but can make it too difficult for employees to access information or communicate with customers and partners and too complex for IT professionals to deploy and manage solutions.
The Road to Trust
Achieving the level of trust that connected experiences based on anywhere access require will take an industry-wide effort to change the way we approach digital identities, build networks, and protect information.
The evolution of identity: The proliferation of identities and identity systems is a significant problem and a difficult challenge. We all struggle to remember an ever-growing number of user names and passwords as we move between systems at work and home. Because it is unlikely that a single digital identity system or technology will be universally adopted, a different approach is required - an approach based on creating a system of systems that provides the interoperability needed to link all identity solutions and technologies. This "identity metasystem" will be able to take advantage of the strengths of existing and future identity technologies while enabling the creation of a consistent and straightforward user interface. Solutions built on top of this metasystem will enable digital identities to be managed and protected effectively and easily.
The evolution of networks: To resolve the tension between providing access and maintaining security, new technologies for managing the way people and information move between corporate networks and the Internet are essential. In the face of a rapidly evolving threat landscape, the firewall - the fundamental tool for managing network security today - is no longer adequate. A better approach is security that is based on policy. With policy-based security, the rules that govern access to networks, resources, and information can be enforced seamlessly across platforms and devices.
The evolution of protection: It is impossible to overstate the importance of providing the right levels of privacy and information protection so that users can trust that their information is secure. To achieve this, we must be able to protect information not only when it is in transit, as we do today through encryption, but also on the server, the desktop, the mobile device, and wherever else it may reside. Policy will also play an important role in the evolution of protection. By applying policy when information is created, we can enable information to flow freely and safely across systems and networks while maintaining appropriate control over how it is used, and by whom.
Security, Reliability, and Privacy: Trustworthy Computing at Microsoft
At Microsoft, Trustworthy Computing provides the foundation for the work we do to create trusted computing experiences. Announced five years ago, Trustworthy Computing is a core principle that places security, reliability, and privacy at the center of all of our efforts. One example of the impact of Trustworthy Computing is the Secure Development Lifecycle, a rigorous software development process that makes security a critical focus for every line of code that we write.
Trustworthy Computing is an important reason why Windows Vista is the most secure operating system that Microsoft has ever delivered. Developed from the ground up using the Secure Development Lifecycle process, Windows Vista includes new security features that help computer users protect sensitive information and give IT administrators new ways to protect corporate networks and preserve data integrity and confidentiality.
Windows Vista also offers new controls that enable parents to manage exactly what their children can do on the computer. These controls allow parents to restrict computer use to specific times and determine which games their children can play, which programs they can use, and which Web sites they can visit.
The 2007 Microsoft Office system and Microsoft Exchange Server 2007 were also built using the Secure Development Lifecycle, and they include a wide range of new security features that help protect against phishing scams and other threats to privacy and information security.
Together, Windows Vista, the 2007 Office system, and Exchange Server 2007 represent an important step forward in Microsoft's efforts to deliver tools to help protect information and privacy. And we continue to focus on developing comprehensive security solutions for consumers and businesses that provide more secure, controlled access to information and network resources. Examples include:
Windows Live OneCare: A comprehensive service for consumers, Windows Live OneCare automatically manages important PC maintenance and security tasks.
Microsoft Forefront: Designed for businesses, Microsoft Forefront is a family of security products that provides advanced protection against the latest threats and enables secure access across client operating systems, application servers, and the network edge, with a focus on simplified management and integration with existing IT infrastructure.
Identity Lifecycle Manager 2007: Building on Microsoft Identity Integration Server, Identity Lifecycle Manager 2007 adds new capabilities for managing strong credentials such as smart cards while providing an integrated approach that links certificate and password management and provisioning across Windows and enterprise systems.
Windows CardSpace: An important component of Microsoft's efforts to create an identity metasystem, Windows CardSpace enables any Windows application to provide users with a common way to work with digital identities so that people can use their digital identities on any machine, running any operating system.
Achieving Trust Through Industry Partnership and Collaboration
Before trust can become a reality, systems, processes, programs, and applications must work together reliably and securely. That is one important reason why Microsoft is committed to interoperability: before digital identities and information protected by policy-based security can move seamlessly between platforms and devices, systems must be able to interoperate. Today we are working closely with governments, organizations, and partners to create and implement industry-wide standards that will enable systems and applications to work together so that connectivity can be seamless and pervasive, and people can access digital information more securely no matter where they are or what device they have at hand.
Examples of industry partnerships and initiatives aimed at enhancing interoperability and improving trust and security include:
Interop Vendor Alliance: Launched in November 2006, this global group of software and hardware vendors is working together to enhance interoperability through scenario-based testing and by sharing information about interoperability solutions with customers.
Microsoft Network Access Protection (NAP): This policy enforcement platform built into Windows Vista and Windows Server "Longhorn" helps ensure that only safe devices can access networks. More than 100 technology partners in the networking and security industry have joined the NAP ecosystem and have products that work with NAP.
SecureIT Alliance: This Web-based community was created to enable companies across the industry to develop, enhance, and promote applications that interoperate with the Microsoft platform. A central clearinghouse for security technology professionals, the SecureIT Alliance includes more than 100 members from countries around the world.
In addition, during the development of Windows Vista, Microsoft worked closely with leading security companies including Symantec and McAfee to provide technical support resources, access to application testing and compatibility labs, and developer training. Our goal is to ensure that our partners have the information they need to provide consumers with a broad range of security and safety software and services that can help to make computing experiences safer from the moment consumers begin using Windows Vista.
Today, nearly 1 billion people use digital technology in their day-to-day lives to communicate, connect, and create. As we continue to work together as an industry to create trust, we will be able to deliver incredible new connected experiences that transform the way people explore ideas, exchange goods and services, teach and learn, and share experiences with the people they care about. In the process, we have the opportunity to bring new levels of value and excitement to each of those 1 billion people, and hundreds of millions more.