Reflections on Microsoft keynote at RSA 2007
Kristin Johnsen, senior director of security outreach, Trustworthy Computing Group at Microsoft spoke to Brian McKenna following the Bill Gates and Craig Mundie keynote at RSA 2007.
One could get a sense from the Microsoft keynote of a chapter coming to an end in the Microsoft and security story. The famous memo from Bill Gates on trustworthy computing was five years ago. Are you moving on?
I’d characterize it a bit differently. We’re going to stop counting now. That is to say, stop counting the days since the memo. Security is now a bigger part of our DNA than it was five years ago. We’re not moving on at all. We’ve clearly not solved all the problems. We think we’re better, and have learned a lot. And we are teaching others. But we are not done. Security is not done, any more than crime is done.
To what extent is your messaging now – as exemplified by the keynote – addressing what in the UK we’d call a ‘Jericho Forum agenda’? That is to say, a deperimeterization story, with the emphasis on data security over network security? Is that right?
What we believe is that the notion that you can make an impenetrable fortress around your network is just not true. It doesn’t work right now, and will work even less well in the future. The approach to be taking now, from a network perspective, is policy not topology. All of us in the industry have to get better about identity not being just affiliated with individuals, but with code, hardware, resources, and so on. We need a verifiable identity so we can do a better assessment of trust.
Can you recap the cultural change at Microsoft in respect of re-educating the engineering workforce on security?
First we start with engineers. You join Microsoft and you do a course in engineering excellence that involves understanding coding securely. Every year we expect people to refresh — because the security industry keeps morphing.
Also, the development teams have to allocate responsibility for security. Not that these are security products as such, but we want them to be secure products. The teams have to develop threat models, they have to plan when to do a security review, and when to pass the code to our centralized internal audit function, who hack away at it.
Is Microsoft significantly happier now with its reputation in the infosec community?
Significantly happy would be to put it too strongly. Less distressed is how I would express it. We aren’t satisfied. For example, in [Symantec’s] John Thompson’s [RSA] keynote people laughed at the concept of a platform provider delivering security. That wouldn’t make you happy, would it?
Where are we now with the reaction of the mainstream security vendors to kernel patch protection and threat of that to their businesses?
After they raised their grievances we invited the top 12 or so security vendors – McAfee, Symantec, Sophos, and so on – and we asked them what APIs they needed in order to enable their products on 64-bit – because kernel patch protection is only on 64-bit. And then we developed a new set of interfaces to be released with SP1 to meet their needs. We released those in the middle of December. They are now testing those interfaces to see if they will suffice to make their products work.
Nevertheless, AV companies have been feeding off the vulnerabilities in a code base – your code base. Surely, Vista has to pose a threat?
Even if there were no vulnerabilities in software, all software — which is unlikely — there would still be security issues for other reasons; reasons to do with users, policies, infrastructure, and so on. So there are lots of reasons to have layered security, and therefore opportunities for viable businesses. Ultimately, this is about end users and their experience.
How future-proofed is Vista?
Our goal is that Vista will have half as many vulnerabilities as XP SP2. We’re realistic. Things will evolve that we did not think of. Vista was built over the last five years; three years from now something completely new could show up. Basically we’ve been shutting down pathways, threat vectors.
And how do you envisage the scale and speed of the deployment in the enterprise?
For consumers it will turn with the hardware cycle. On the enterprise we are optimistic that we will see a faster uptake than what we saw with XP or with Windows 98. But it is too early to tell. It’s an eight to ten year product.