Trustworthy Computing One year on

1
Trustworthy Computing One year on
Stuart Okin, Chief Security Officer, Microsoft UK
Microsoft Security Solutions, Feb 4th, 2003
2
Agenda
  • Reminder: Set the scene. What is Trustworthy
    Computing?
  • What have we done?
  • What are we planning?
  • Call to Action
  • Questions?

3
Leaving Messages
  • Microsoft is as committed to Trustworthy
    Computing: Security, Privacy, Reliability and
    Business Integrity
  • Trustworthy computing can only be achieved
    through partnership and teamwork
  • Trustworthy Computing is a journey, with a long
    term vision with highlights and obstacles along
    the road

4
Threat Remains Real
  • 90% detected computer security breaches
  • 40% detected system penetration from the outside,
    up from 25% in 2000
  • 85% detected computer viruses
  • 95% of all breaches due to misconfiguration

Source: Computer Security Institute (CSI)
Computer Crime and Security Survey 2002
Source: CERT, 2002
5
An Industry-Wide Problem
  • Why are Security breaches common?
  • Microsoft - Windows UPnP
  • Oracle - Oracle 9i Buffer Overrun
  • AOL - AIM
  • CDE/Solaris
  • Apache Open SSL Buffer
  • Viruses, Worms
  • Nimda, Code Red
  • Slammer
  • People will have to believe in the technologies,
    companies and services

6
Vision
  • Computers as Trusted as a Utility
  • Trust is not just security, as it involves
    perception and environment
  • Telephones - almost always there when we need
    them, do what we need them to do, work as
    advertised, and are reliably available.
  • A combination of engineering, business practice,
    and regulation
  • Computers generally do not engender trust

7
Trustworthy Computing Core Tenets
Security
  • Resilient to attack
  • Protects confidentiality, integrity, availability
    and data

Privacy
  • Individuals control personal data
  • Products and Online Services adhere to fair
    information principles

Reliability
  • Dependable
  • Available when needed
  • Performs at expected levels

Business Integrity
  • Help customers find appropriate solutions
  • Address issues with products and services
  • Open interaction with customers

8
Trustworthy Computing
Security
9
Security Framework
10
Progress To Date
11
Trustworthy Computing
Reliability
12
Microsoft Services - Overview
[Diagram: Microsoft service offerings across hardware, operating system, applications, security and service management; labels Performance and Time/Cost]
13
Trustworthy Computing
Privacy
Business Integrity
14
What Will It Take To Address The Business Integrity Goal?
  • Privacy, for example
  • In product design
  • XP activation anonymous, no PII data collected
  • P3P in Internet Explorer
  • P3P support on all major web properties
  • Conspicuous privacy notices in products
  • With affiliations, sponsorships
  • TrustE, BBBOnline; no comparable bodies in
    Europe yet
  • Computers, Freedom and Privacy 2002
  • By third party audits
  • Through organizational practices
  • Adopted Fair Information Practices, GLB compliant
    in 1997
  • European Safe Harbour Agreement on data
    worldwide
  • Privacy training, Assessment and Health Index for
    all divisions

15
January 2002 to March 2003
16
April 2002 to June 2002
17
July 2002 to Sept 2002
18
Oct 2002 to Dec 2002
19
January 2003
20
Summary
  • January 2002 Memo, follow up, vision
  • Steve Ballmer: Company Values of respect,
    customer focus, transparency
  • Windows XP SP1, Office XP SP1, Windows 2000 SP3,
    and 72 security fixes for various products.
  • AutoUpdate, SUS, SMS Feature Pack, MBSA
  • 10 week halt in release cycles
  • Training of 11,000 engineers
  • Security Pushes for Windows, SQL, Exchange,
    Visual Studio, ISA, Commerce Server and Office B
  • MS Internal Privacy tracking and measurement
    tools suite
  • MSN 8 Parental Controls and Spam Controls
  • Windows Media Player 9 privacy first-run
    experience
  • IE6 and Privacy Wizard implementations
  • Windows security - 100 million
  • Win2K reliability 162 million, 500 man-years on
    reliability improvements
  • Software support now offers 5 years, plus 2
    years of extended service

21
Where are we planning?
  • Short to Medium Term
  • Improve Patch Management
  • Quality
  • Reduce Installers
  • Single Microsoft Update Service
  • Security Push / Engineering techniques in a
    box
  • Windows 2003 Server (Secure by default)
  • Longer term
  • Integration of Security Products (inc ISVs) into
    system
  • Next Generation Secure Computing Base
  • Self Healing attack sensitive systems
  • Move applications to .NET Framework

22
Call to action
  1. Visit www.microsoft.com/security for current information on security
  2. Subscribe: register.microsoft.com/subscription/subscribeMe.asp?lcid1033id155
  3. Get the toolkit: www.microsoft.com/uk/security
23
Leaving Messages
  • Microsoft is as committed to Trustworthy
    Computing: Security, Privacy, Reliability and
    Business Integrity
  • Trustworthy computing can only be achieved
    through partnership and teamwork
  • Trustworthy Computing is a journey, with a long
    term vision with highlights and obstacles along
    the road

24
Questions?