Microsoft conference declares security an issue of trust

29 Jul 2004

They came, they saw, they carried shoulder bags in a revolting orange colour, but most of all they listened and talked with fellow developers from all over Europe. Who are we talking about? The delegates to Tech-Ed 2004, Microsoft’s annual European Developer Conference, which took place in Amsterdam this year.

This was a unique opportunity for the Microsoft developer community to interact with top Microsoft executives and experts in one location. Hot topics included the release of new developer tools, specifically Visual Studio Express, aimed at non-professional developers, and roadmaps for the deployment of new versions of SQL Server and Windows, especially the much-anticipated Longhorn version of Windows, now due in 2007.

One hot topic was the company’s Trustworthy Computing (TWC) initiative, which has become associated in many minds with computer security but which in fact covers much more than that.

“From a historical point of view, trustworthy computing came out of security,” admitted Detlef Eckert, chief security strategist, Microsoft EMEA. “But then the company said what we really need is trust on the internet and trust in computers.” But having trust in computers means more than security, he said. It involves respect for privacy, being able to rely on the computer for business and being able to trust the company and the entire computer industry. It is for this reason that TWC was an invitation to the whole IT industry to work towards trust in computer systems.

“Nevertheless, security is to the forefront of people’s minds when it comes to trustworthy computing,” he said. “Progress in security is most visible in three areas. Firstly, the latest product and service packs have gone through security checks and partial redesign and have significantly fewer vulnerabilities. It’s not zero. Will it ever be zero? I don’t know. Nobody’s perfect. Plus you have people who are trying to find holes. So today what is a standard programming technique may be tomorrow’s vulnerability. For instance, some of the code used by Blaster probably qualified as neat code in the past. Today we know it is subject to attack.”

On this topic, Eckert pointed out that the latest version of Microsoft’s IIS, earlier versions of which were strongly criticised for lax security, so far has had zero vulnerabilities identified.

The second piece of progress, said Eckert, is an improved patch management system, while the third is a combination of security tools, products and features. “That means the platform is security enabled. It is perhaps most visible with the ISA Server 2004. You have for instance SMS2003 management tool and security features in Windows 2003 that allow you to deploy PKI [public key infrastructure] out of the box.”

A key component of the TWC is getting developers to participate. “This is now becoming an important issue for two reasons,” said Eckert. “First of all, developers need to understand how to run a Microsoft system and if they don’t understand how then we are missing our trust objective. The second thing is that application developers need to understand security because malicious attacks are moving more and more to application attacks.

“These are not the widespread virus attacks we are used to but rather very targeted attacks on a particular company or organisation, breaking into a network through the applications, and sometimes the company doesn’t even know that it happens. These are very dangerous developments and developers are still not fully aware of the need to introduce security in their applications. They believe that if their applications run on a ‘secure platform’ it is for the platform vendor to secure and if the platform is secure then the application is secure.” This, said Eckert, is a mistake.

The problem, he explained, is that most developers are not trained in security and are under heavy pressure to deliver. Management also needs to be more aware of security and needs to start thinking about it early on in the development process. “The problem is when you don’t start your application development with security in mind, bolting it on later is a disaster,” he added.

And if developers who are not security conscious weren’t bad enough, then there are the developers who are over-conscious. “They do not trust the platform and do not trust standard implementations so they do their own,” said Eckert. “But the problem is if you take a secure algorithm you can still make terrible mistakes. So our recommendations are to use existing, already tested standards to the maximum.”

Some observers have suggested that Microsoft created TWC simply to draw attention away from its own poor record, while others suggest that Microsoft is the last company that should be trusted with such an initiative. However, Eckert firmly believes that Microsoft is the ideal company to lead TWC. “We haven’t seen any other company take up computing in the way that Microsoft has. It is a relatively unique initiative and for many it was a surprising move.

“We have always said that this is an industry challenge and we are building partnerships. For instance, we have the antivirus alliance as a partnership. Microsoft and IBM are leading the web security initiatives; IBM, Microsoft, Intel and AMD have formed the TWC group (TCG),” he explained.

The objective of TCG is to embed cryptographic keys on a chip that is sealed and stored on a computer’s motherboard. Security architecture can then be built on top of that. While it doesn’t guarantee that the computer will not be broken into, it will require a high degree of sophistication on the part of the attacker. And because each security chip is unique, gaining access to one computer will not help the attacker gain access to any other similarly protected device.

“Microsoft cannot change the world alone but I believe that because of its position in the software industry it was a very good move for the company to take the lead,” Eckert remarked. However, despite the progress being made, much remains to be done. It is important that the wider community – government, academia and other industries – be brought on board.

“It is one of my personal objectives to bring about a more community driven security approach. Microsoft on its own is not enough. We need a community to make TWC happen,” he concluded.