

News from RSA: Microsoft's vision for a more trusted Internet
To learn more about its proposed End to End Trust vision, Microsoft has published a whitepaper at www.microsoft.com/endtoendtrust. The link also includes an online discussion forum designed to encourage dialogue about how to build a more secure and privacy-enhanced Internet.

Offered annually in the US, Europe, and Japan, the RSA Conference keeps the worldwide IT community informed of emerging online security issues and technological advances.

Current Blogs

  • RSA 2008 Keynote: Craig Mundie (Friday, April 11, 2008)

    By Jeff Jones, Microsoft Trustworthy Computing

     

    Yesterday was a busy day, so I got a bit behind with my updates on RSA, but I wanted to post about the Microsoft keynote, in addition to the others I attended.

    The format was a fireside chat, with Craig Mundie, Microsoft's Chief Research and Strategy Officer sitting and talking with Chris Leach, Chief Information Security Officer at Affiliated Computer Services. 

    I knew generally what Craig was going to talk about, but I was very interested to hear Craig's perspective and see how he thought about and talked about the End to End Trust topic.  In my opinion, this is one of the key topics that could help guide where Microsoft security efforts will go over the next 5 years, building on the past 5 years, and I am happy to see that leadership (Craig, Scott Charney) are approaching it as a dialog with the industry and recognizing that it needs interoperability and industry support.

    Two key topics stuck with me at the end of the keynote:

    1. How security and privacy are very independent, supporting each other, while also having a tension between them.
    2. Any technological efforts supporting End to End Trust will need to be very inclusive in order to work in heterogeneous environments.  Past infrastructure efforts (e.g. PKI) have demonstrated that the level of work and investment required means that it is more likely to hit roadblocks if existing business processes are excluded.

    Jeff Jones, Microsoft Trustworthy Computing

     



  • System Center at RSA (Friday, April 11, 2008)

    By Jeff Wettlaufer, Sr. Technical product manager, Microsoft System Center

     

    Hi everyone, my name is Jeff Wettlaufer, and I am the Sr. Technical product Manager for System Center Configuration Manager.  This week at RSA, Microsoft System Center will be present like never before. With the recent releases of Microsoft System Center Configuration Manager 2007, Microsoft System Center Operations Manager 2007, Microsoft System Center Data Protection Manager 2007 and Microsoft System Center Virtual Machine Manager, the business of Management at Microsoft has taken Security to a new level. 

     

    Through integration to the Windows Client and Server platform as well as Forefront, System Center has achieved new and improved security capabilities across a wide range of scenarios, including: Datacenter, mobile workforce, branch office as well as both physical and virtual environments.

     

    For example, this week at RSA, System Center will be showcasing our ability to integrate with Windows Server 2008 Network Access Protection.  Today’s increasingly mobile workforce and the need for interconnection between partners and customers present an entirely new set of challenges for IT departments. In addition to ensuring that the desktop computers on the network are up-to-date and meet the company’s requirements for system health, network perimeters must also protect networks from roaming devices that may be vulnerable to security exploits.

     

    Network Access Protection is designed to protect the network by validating the System Health when the Client attempts to connect. This set of technologies allows an IT administrator to restrict non-compliant devices from accessing network resources.  Through Windows Server 2008 NAP, policy in the form of a relationship between the Network Policy Server and a NAP-configured Windows client can verify elements visible with the Windows Security Center, for instance: firewall, automatic updates, anti-virus etc.  System Center brings an incredibly powerful addition to this health verification, in the form of Windows Updates.

     

    Configuration Manager brings out of the box support for NAP policy validation for the presence of Windows, 3rd party or Line of Business updates, not only guaranteeing that the client accessing the network is configured for corporate security settings, but that the client also has a current update configuration of all the approved patches.  And, just like Windows NAP, these policies from System Center can enforce network restrictions both on network access scenarios, as well as online in the production network, ensuring even when systems are inside the corporate boundaries, system health validation can be occurring at regular intervals.

     

    Microsoft is a Diamond sponsor of the RSA Conference this year, and System Center has been involved all week in the Microsoft pavilion of the show floor (right between Windows Server 2008 NAP and Forefront pods), where a constant stream of Security professionals have been engaging with the Product team.

     

    For more information, check out our System Center site and blog.

     

    Kind Regards,

    Jeff Wettlaufer, Sr. Technical product manager, Microsoft System Center



  • RSA 2008 Crypto Panel: Martin Hellman on 0.01% Events (Friday, April 11, 2008)

    By Jeff Jones, Microsoft Trustworthy Computing

    In the past, I haven't always stayed to hear the Crypto panel, but based upon the excellent one this year, I'll definitely include it in my plans going forward.  If you want to hear an overview of what they all said, I can recommend Robert Vamosi's story Cryptographers speak of threats, voting, and Blu-Ray rumors.

    I want to highlight the points that Martin Hellman raised with respect to 99.9% probability as a margin of safety, complacency and low probability events.

    He had one slide - a picture of a glider soaring very low over a runway at the bottom of a high speed, low pass flight.  Hellman is a pilot and pointed out that this activity is safe for those that do it 999 out of 1000 times, but went on to talk about how cautious pilots are when they first attempt it, but after 50 or 100 times of doing it successfully, they simply aren't as cautious or nervous and as a consequence don't necessarily address every risk as seriously as they did early on.

    He also talked about The Black Swan: The Impact of the Highly Improbable and gave several excellent examples of how people underestimate the impact of low-probability, high-impact (even catastrophic) events.

    The parallel to the issues of Internet Security is pretty clear.

    Targeted attacks are increasingly part of the landscape, but it is much harder to convey their seriousness to the average person than some of the high-profile worms and viruses of the past that got on everyone's radar.  And yet, we heard from Symantec's Stephen Trilling this week how credit card numbers go for as low as $0.40 in the malware underground economy.

    Martin's call-for-action was for security industry practitioners to try to be the group of voices that convince the non-security folks to take security more seriously.  I'm happy to join his efforts in that and extol you to do the same.

    Regards ~

    Jeff Jones, Microsoft Trustworthy Computing



  • New Identity and Access Features in Windows Server 2008 (Friday, April 11, 2008)

    By Simon Vining, Senior Product Manager, Identity and Access

     

     

    In my work for the identity and access team, I’m frequently asked what’s “new” in WS08 that delivers on Microsoft’s vision for end-to-end integrated identity and access? The short answer is “LOTS.” The long answer is “more seamless security and simplified collaboration.”

     

    What do I mean? Permit me to elaborate.

     

    The new read-only domain controller capabilities in Active Directory (AD) enable a more secure method for local authentication of users in remote and branch office locations using a read-only replica of your primary AD database. We’re also delivering more secure and transparent single sign-on for employees and partners through Active Directory Federation Services (ADFS). We’ve tightened the cryptography and increased the manageability of our certificate services through PKIView for monitoring the health of Certification Authorities (CAs) and have a new, more secure COM control for certificate Web enrollment of ActiveX. While all of this is noteworthy, our customers are most excited about the new enhancements for Active Directory Rights Management Services.

     

    In the words of Mark Gandy, enterprise architect at Dow Corning, “Active Directory Rights Management Services was the ideal solution for us because it integrates seamlessly with both the Microsoft Office system on the desktop and our Windows Server based IT infrastructure. We decided specifically to go with Active Directory Rights Management Services in Windows Server 2008 because of the many enhancements it offers over the previous version, including its inclusion as a core server role, an improved management interface, and the ability to easily extend its reach to support collaboration with business partners.”

     

    In addition to Dow Corning, identity and access solutions in Windows Server 2008 are getting rave reviews by Continental Airlines, Pacific Coast Building Products, and Windrush Frozen Foods, just to name a few. Additionally, the 250K seat deployment of Windows Server 2008 identity and access solutions at the Department of Veterans’ Affairs was featured here.

     

    In Windows Server 2008, we have made the platform more secure, made it easier for customers to collaborate with one another and improved identity and access features. In general, all of our identity and access solutions are designed to help organizations manage identities and resulting access privileges, and these enhancements not only work to that goal, but are also a huge leap forward in our commitments to customers for stronger security and enhanced ease of use.

     

    For more info on our IDA solutions, visit www.microsoft.com/ida

     

    Thanks for your time and interest,

    Simon Vining, Senior Product Manager, Identity and Access



  • What to Really Watch at RSA 2008: Is Data-centric Security Catching on? (Friday, April 11, 2008)

    By Manu Namboodiri, Director of Product Marketing, BitArmor Systems, Inc.

     

    At BitArmor, we have been talking about data-centric security for a while now. We know that data centricity is not only the future of security – it’s the future of IT (we’ll get to why I can say that in a bit).

     

    So, when I got a hold of Windows Vista, and later Windows Server 2008, I must say that I was very encouraged. Not only will enterprise users enjoy unprecedented capabilities to create, share, and digest information, Microsoft has moved a long way toward creating a foundation for enterprise security. Specifically, Microsoft technology is enabling highly secure software code execution (particularly at the kernel level), and BitLocker will do wonders for the assurance of system integrity and protection of disk data at rest.

     

    That’s encouraging to me because it means we’re one step closer to a data-centric world. A better foundation means that we can develop better security software; software that can keep up with the blinding proliferation of distributed data. It simply no longer makes sense to build security around devices – data is the real asset, so data should be the real security priority. A data-centric approach to security is infinitely more scalable and manageable as the amount of an enterprise’s information assets rockets into the petabyte range (and as the monetary value of that data grows just as quickly).

     

    There’s been some chatter about data-centric security brewing for a while now. We’ll be hearing more on the subject at RSA this year than we ever have before:

    • The Jericho Forum is hosting their own event in San Francisco this week
    • Many vendors have attempted to introduce messages about data-centricity – and we know the subject will be flying through the Expo Hall
    • I’m leading a Peer2Peer session devoted to this topic

     

    It’s going to be exciting to hear what folks are saying about data-centricity and how they’re leveraging Microsoft’s new platforms to drive security in that direction.  Enjoy the conference!

     

    Manu Namboodiri, Director of Product Marketing, BitArmor Systems, Inc.







Session Catalog

Expert Picks

Tuesday, April 8

Enabling End to End Trust at 9:45 a.m.
Craig Mundie, Chief Research and Strategy Officer, Microsoft Corporation

2008 Spyware at 4:10 p.m.
Ari Schwartz, Deputy Director, Center for Democracy and Technology (CDT)
Cindy Southworth, Director, Safety Net, National Network to End Domestic Violence
Jeff Williams, Principal Group Manager, Microsoft Malware Protection Center, Microsoft
Justin Brookman, Chief of the Internet Bureau, New York Attorney General's Office
Michael Kaiser, Director of Program Development, National Center for Victims of Crime 

Wednesday, April 9

CTO Panel: Beyond Tomorrow at 9:10 a.m.
Ron Moritz, GM, Edge Security & Access Group, Microsoft Corporation
Mark Bregman, CTO, Symantec Corporation
Michael Waidner, CTO Tivoli Security, IBM Software Group
Bob Gleichof, CTO, Cisco

Software Assurance: Driving Global Software Security & Integrity at 9:10 a.m.
Paul Kurtz, Executive Director, SAFECode
Steven Lipner, Senior Director of Security Engineering, Microsoft
Eric Baize, Sr. Director, EMC
Wesley Higaki, Director, Product Certifications, Symantec Corporation

Linux vs Windows: Security - Updating the Debate at 9:10 a.m.
Jeffrey Jones, Director, Microsoft
Richard Ford, Professor, Florida Institute of Technology

Mass HysteRIA: Rich Internet Application Security Patterns & Anti Patterns at 10:40 a.m.
Bryan Sullivan, Security Program Manager, Microsoft Corporation

Thursday, April 10

Life After Vista: What is Next for Windows Security at 8:00 a.m.
David Cross, Product Unit Manager, Microsoft Corporation

Industry Leaders Debate the Future of Network Access Control at 9:10 a.m.
Lawrence Orans, Research Director, Gartner
Stephen Hanna, Distinguished Engineer, Juniper Networks
Russell Rice, Director of Product Management, Cisco Systems, Inc.
Khaja Ahmed, Architect – Windows Networking Security, Microsoft

The Ramifications of Government Software Assurance Mandates for Enterprise at 9:10 a.m.
Tiffany Jones, North and Latin American Government Affairs, Symantec
Paul Nicholas, Senior Security Strategist, Microsoft’s Trustworthy Computing Group
Marcus Sachs, Executive Director, National Security Policy, Verizon
Tony Sager, Chief, Vulnerability Analysis and Operations Group, Information Assurance Directorate, NSA

Breaking and Securing Web Applications at 9:10 a.m.
Billy Rios, Security Engineer, Microsoft Corporation
Nitesh Dhanjani, Sr. Director Security Assessments,

Extended Validation: Raising the Bar for Internet Trust at 9:10 a.m.
Tim Moses, Director, Advanced Security Technology, Entrust
Phillip Hallam-Baker, Principal Scientist, VeriSign Inc.
Johnathan Nightingale, Human Shield (Usability & Security), Mozilla
Kelvin Yiu, Lead Program Manager, Microsoft Corporation
Nicholas Hales, Chief Legal Officer, Comodo CA Ltd.

Ajax Applications: A Blueprint for Disaster at 10:40 a.m.
Bryan Sullivan, Security Program Manager, Microsoft Corporation
Billy Hoffman, Manager, HP Security Labs, HP Software