Trustworthy ComputingTrustworthy Computing
Peter BirchPeter Birch
Senior Architectural EngineerSenior Architectural Engineer
Microsoft Ltd (UK)Microsoft Ltd (UK)
AgendaAgenda
Why is Security important?Why is Security important? What is Trustworthy Computing?What is Trustworthy Computing?
What are we doing today?What are we doing today? Microsoft Security Response CentreMicrosoft Security Response Centre Secure Windows InitiativeSecure Windows Initiative The Strategic Technology Protection ProgramThe Strategic Technology Protection Program
The future challenges – Questions?The future challenges – Questions?
Leaving MessagesLeaving Messages
Microsoft is as committed to Microsoft is as committed to developing the trusted computing developing the trusted computing model, as it was in moving into the model, as it was in moving into the internet and adoption of .Netinternet and adoption of .Net
Security is part of Trustworthy Security is part of Trustworthy computing and can only be achieved computing and can only be achieved through partnership & teamworkthrough partnership & teamwork
Security is ‘the journey’ there is no end Security is ‘the journey’ there is no end pointpoint
Why is Security important?Why is Security important?
An Industry-Wide ProblemAn Industry-Wide Problem Security breaches Security breaches
commoncommon Windows UPnPWindows UPnP Oracle 9i Buffer Oracle 9i Buffer
OverrunOverrun AOL AIMAOL AIM CDE/SolarisCDE/Solaris
VirusesViruses Nimda, Code Red show tangible and Nimda, Code Red show tangible and
cyber-worlds inextricably linkedcyber-worlds inextricably linked
Reported Vulnerabilities by OS in 2001Reported Vulnerabilities by OS in 2001
Nu
mb
er
of
inc
ide
nts
Nu
mb
er
of
inc
ide
nts 3535
3030
2525
1515
1010
2020
55
00
Re
dh
at
Lin
ux
7.0
Re
dh
at
Lin
ux
7.0
Su
n S
ola
ris
8.0
Su
n S
ola
ris
8.0
Win
do
ws
20
00
Win
do
ws
20
00
SC
O O
pe
n S
erv
er
5.0
.6S
CO
Op
en
Se
rve
r 5
.0.6
Ma
nd
rak
eS
off
Lin
ux
7.2
Ma
nd
rak
eS
off
Lin
ux
7.2
PlatformPlatform
John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus BugtraqJohn McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq
UK Survey UK Survey (PWC / DTI report)(PWC / DTI report)
44% of UK business have suffered at 44% of UK business have suffered at least one malicious security breachleast one malicious security breach
Average Cost of a serious incident Average Cost of a serious incident £30,000£30,000
Virus was the single largest cause of Virus was the single largest cause of security breaches (33% of incidents)security breaches (33% of incidents)
Yet 1% investment, 27% has security Yet 1% investment, 27% has security policy, 49% have procedures for DPA, policy, 49% have procedures for DPA, 11% have incident response, 44% have 11% have incident response, 44% have any type of insuranceany type of insurance
http://www.dti.gov.uk/cii/docs/sbsreport_2002.pdfhttp://www.dti.gov.uk/cii/docs/sbsreport_2002.pdf
Microsoft is committedMicrosoft is committed ““Over the last year it has become clear that Over the last year it has become clear that
ensuring .NET is a platform for Trustworthy ensuring .NET is a platform for Trustworthy Computing is more important than any other Computing is more important than any other part of our work” – Bill Gates part of our work” – Bill Gates
““In the past, we’ve made our software and In the past, we’ve made our software and services more compelling for users by services more compelling for users by adding new features and functionality, and adding new features and functionality, and by making our platform richly extensible. by making our platform richly extensible. We’ve done a terrific job at that, but all those We’ve done a terrific job at that, but all those great features won’t matter unless great features won’t matter unless customers trust our software. So now, when customers trust our software. So now, when we face a choice between adding features we face a choice between adding features and resolving security issues, we need to and resolving security issues, we need to choose security” – Bill Gateschoose security” – Bill Gates
What is Trustworthy What is Trustworthy Computing?Computing?
The Trustworthy Computing initiative The Trustworthy Computing initiative at Microsoft is a long-term, company-at Microsoft is a long-term, company-wide initiative to deliver Trustworthy wide initiative to deliver Trustworthy Computing experiences based on Computing experiences based on security, privacy, reliability and security, privacy, reliability and business integrity to our customers business integrity to our customers and the industry --via the .NET platform and the industry --via the .NET platform and other Microsoft products and and other Microsoft products and services.services.
Why Trust?Why Trust?
Computers generally do not engender Computers generally do not engender trusttrust
Early stage of adoptionEarly stage of adoption Trust is not just security, as it involves Trust is not just security, as it involves
perception and environmentperception and environment Telephones - Telephones - almost always there when almost always there when
we need them, do what we need them to we need them, do what we need them to do, work as advertised, and are reliably do, work as advertised, and are reliably available.available.
A combination of engineering, business A combination of engineering, business practice, and regulationpractice, and regulation
Trustworthy ComputingTrustworthy Computing
SecuritySecurity
PrivacyPrivacy
ReliabilityReliability
Business Business IntegrityIntegrity
Resilient to attackResilient to attack Protects confidentiality, integrity, Protects confidentiality, integrity,
availability and dataavailability and data
DependableDependable Available when neededAvailable when needed Performs at expected levelsPerforms at expected levels
Individuals control personal dataIndividuals control personal data Products and Online Services Products and Online Services
adhere to fair information adhere to fair information principles principles
Help customers find appropriate Help customers find appropriate solutionssolutions
Address issues with products and Address issues with products and servicesservices
Open interaction with customersOpen interaction with customers
What are we doing today?What are we doing today?
Microsoft Security Response Microsoft Security Response CentreCentre Dedicated team in the Microsoft Security Dedicated team in the Microsoft Security
Response CentreResponse Centre Policy CommitmentPolicy Commitment investigates all threats ([email protected])investigates all threats ([email protected]) Weekly Exec statusWeekly Exec status Customer bulletins - plain languageCustomer bulletins - plain language www.microsoft.com/securitywww.microsoft.com/security
EducationEducation Brings back experience into the Product groupBrings back experience into the Product group
Non-disclosure of threats in the Non-disclosure of threats in the investigation phaseinvestigation phase Trusted Computing Conf in Nov. - Developing Trusted Computing Conf in Nov. - Developing
new procedure standard with @stake, BindView, new procedure standard with @stake, BindView, Foundstone, Guardent, Internet Security Foundstone, Guardent, Internet Security Systems, Systems,
Secure Windows InitiativeSecure Windows Initiative ““To improve the security of all our software To improve the security of all our software
and products, so that our customers will get and products, so that our customers will get the level of security they require”the level of security they require” Training - dedicated security courses Training - dedicated security courses Testing – internal / external experts (inc Testing – internal / external experts (inc
Universities). Penetration group. Systems up Universities). Penetration group. Systems up on the webon the web
Tools – Automated analysis tools, eg Prefix / Tools – Automated analysis tools, eg Prefix / Prefast, RPC stress testingPrefast, RPC stress testing
Process – RAID, Security bug bash, Process – RAID, Security bug bash, Automated & Managed sign offAutomated & Managed sign off
Product – Security over Feature – turn off Product – Security over Feature – turn off servicesservices
OfferingOffering
OnlineOnline
ProductProduct
No-charge support for virus-related incidentsNo-charge support for virus-related incidentsPremier Support and Security workshops & Premier Support and Security workshops & services – Get Secure & Stay Secureservices – Get Secure & Stay Secure
Security resource site: Security resource site: www.microsoft.com/security www.microsoft.com/security
Microsoft Security Notification Service Windows Microsoft Security Notification Service Windows Security Newsletter Security Newsletter
Microsoft Security Tool Kit, Security Microsoft Security Tool Kit, Security Configuration Checklists, and PAG Configuration Checklists, and PAG Security maintenance tools and resourcesSecurity maintenance tools and resourcesReboot only where necessaryReboot only where necessaryMSBA, MSUSMSBA, MSUS
Strategic Technology Protection Program
The future challengesThe future challenges
Machine-machine processes Machine-machine processes Self-management by policySelf-management by policy
Loosely coupled, self-configuring, Loosely coupled, self-configuring, self-organizing, adaptiveself-organizing, adaptive
Edge of the networkEdge of the network Peer-to-peer applications; Peer-to-peer applications;
distributed processing, storagedistributed processing, storage
New development, testing, New development, testing, operations, auditing toolsoperations, auditing tools
Hardware and networking improvementsHardware and networking improvements Failover, redundancy; impervious to physical Failover, redundancy; impervious to physical
modifications; theft or loss; modifications; theft or loss; Rigorous authentication, key managementRigorous authentication, key management
Future DirectionsFuture Directions
DevicesDevicesServicesServicesAppsApps
NewsNews
Windows 2000 achieves Common Windows 2000 achieves Common Criteria at EAL4Criteria at EAL4
Professional, Server, and Advanced Professional, Server, and Advanced ServerServer
Systematic Flaw RemediationSystematic Flaw Remediation Includes Active Directory, Kerberos, Includes Active Directory, Kerberos,
IPsec, EFS, Single Sign-on, etcIPsec, EFS, Single Sign-on, etc Wide range of real-life deployment Wide range of real-life deployment
scenarios testedscenarios tested Windows XP and Windows .net Server Windows XP and Windows .net Server
2003 will enter evaluation2003 will enter evaluation
Leaving MessagesLeaving Messages
Microsoft is as committed to Microsoft is as committed to developing the trusted computing developing the trusted computing model, as it was in moving into the model, as it was in moving into the internet and adoption of .Netinternet and adoption of .Net
Security is part of Trustworthy Security is part of Trustworthy computing and can only be achieved computing and can only be achieved through partnership & teamworkthrough partnership & teamwork
Security is ‘the journey’ there is no end Security is ‘the journey’ there is no end pointpoint
Questions?Questions?
Visit Visit http://www.microsoft.com/securityhttp://www.microsoft.com/security
for current information on securityfor current information on security
Building a Secure Platform for Building a Secure Platform for Trustworthy Computing Trustworthy Computing WhitepaperWhitepaper
http://www.microsoft.com/enterprise/artihttp://www.microsoft.com/enterprise/articles/security.aspcles/security.asp