Gates identifies isolation to progress IT security

21 May 2004

Microsoft chief Bill Gates has identified the need to find a balance between the isolation of mainframes and the connectedness that the internet offers as a key security consideration.

Addressing a CEO summit attended by top-level business executives, held at Microsoft’s Seattle headquarters yesterday, the company’s chairman and chief software architect explained the reason why earlier generations of computer systems were more secure and how this could be achieved again.

“The reason we didn’t have this historically is that your computer systems… it wasn’t that the software was written better or anything like that. They were isolated. Their mainframe is not sitting there with any teenager in the world able to throw arbitrary attacks at it. It was only accessible to a small set of people,” he pointed out.

The arrival of internet connectivity – which Gates emphasised was “absolutely a great thing” – has meant that this kind of isolation has been difficult to achieve.

“Some companies, by setting up the firewalls the right way, doing perimeter properly, did have isolation and so didn’t run into these problems. But it was way, way too difficult, and most found that they had at least some places where they didn’t have that isolation. So, making that be built into the software so they’re easy to set up – what do they have to do to achieve that? That’s been a big top priority for us, because that is the key technique.”

Gates said that he was “very optimistic” about getting those isolation pieces in place, while allowing for certain parts of a network that have to remain connected. The Microsoft founder also alluded to the need to be able to download security patches from the web.

“There will be a few systems that of course you don’t want to isolate: your website, your mail server. For those it is necessary to connect into the ability to update the software, so when there are critical improvements that need to be made, those can be sent out with very little delay using the internet as the tool to get the new stuff there well before there might be something that tries to take advantage of that. We’ve made a lot of progress working with IT departments to say: ‘OK, how can we have that structure in place?’,” he said.

“We’ve been on a learning curve ourselves, of having to really identify which improvements to software are just new features and very optional, and which ones are the very critical things that need to be put out quickly, and have been very well tested to make sure that when those go into place, they, themselves, don’t cause any problems. And that dialogue has been very rich over these last few years. In fact, in these last few months, we’ve gotten the percentage of customers who are isolated up very, very dramatically. We need to get that to 100pc. Over the next year we think we can get very, very close to that.”

Gates drew the audience’s attention to another element of security around authentication and access control. “That’s just a fancy way of saying if somebody can guess at a password and impersonate someone else, or if you haven’t set the access controls on the various information in your company to say who should have the ability to get at it, then no matter what happens on the software quality and isolation front, you’ve got the vulnerability.”

Gates said that there would be a shift in security risks to more targeted attacks, with passwords likely to be a key point of vulnerability for many organisations. He pointed to other technological developments that would reduce the need for passwords to protect critical information.

“We’re showing people how to move to smart card and biometrics for very critical things. That’s definitely part of the road map that we have in the security dialogue with IT departments.”

By Gordon Smith