Trustworthy Computing. Peter Birch, Senior Architectural Engineer, Microsoft Ltd (UK)


Page 1: Trustworthy Computing

Trustworthy Computing

Peter Birch

Senior Architectural Engineer

Microsoft Ltd (UK)

Page 2: Trustworthy Computing

Agenda

Why is Security important?

What is Trustworthy Computing?

What are we doing today?

Microsoft Security Response Centre

Secure Windows Initiative

The Strategic Technology Protection Program

The future challenges – Questions?

Page 3: Trustworthy Computing

Leaving Messages

Microsoft is as committed to developing the trusted computing model, as it was in moving into the internet and adoption of .Net

Security is part of Trustworthy computing and can only be achieved through partnership & teamwork

Security is ‘the journey’ there is no end point

Page 4: Trustworthy Computing

Why is Security important?

Page 5: Trustworthy Computing

An Industry-Wide Problem

Security breaches common: Windows UPnP, Oracle 9i Buffer Overrun, AOL AIM, CDE/Solaris

Viruses: Nimda, Code Red show tangible and cyber-worlds inextricably linked

[Chart: Reported Vulnerabilities by OS in 2001. Y-axis: Number of incidents (0 to 35). X-axis: Platform (Redhat Linux 7.0, Sun Solaris 8.0, Windows 2000, SCO Open Server 5.0.6, MandrakeSoft Linux 7.2).]

John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq

Page 6: Trustworthy Computing

UK Survey (PWC / DTI report)

44% of UK businesses have suffered at least one malicious security breach

Average cost of a serious incident: £30,000

Virus was the single largest cause of security breaches (33% of incidents)

Yet 1% investment, 27% have a security policy, 49% have procedures for DPA, 11% have incident response, 44% have any type of insurance

http://www.dti.gov.uk/cii/docs/sbsreport_2002.pdf

Page 7: Trustworthy Computing

Microsoft is committed

“Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work” – Bill Gates

“In the past, we’ve made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We’ve done a terrific job at that, but all those great features won’t matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security” – Bill Gates

Page 8: Trustworthy Computing

What is Trustworthy Computing?

The Trustworthy Computing initiative at Microsoft is a long-term, company-wide initiative to deliver Trustworthy Computing experiences based on security, privacy, reliability and business integrity to our customers and the industry, via the .NET platform and other Microsoft products and services.

Page 9: Trustworthy Computing

Why Trust?

Computers generally do not engender trust

Early stage of adoption

Trust is not just security, as it involves perception and environment

Telephones - almost always there when we need them, do what we need them to do, work as advertised, and are reliably available.

A combination of engineering, business practice, and regulation

Page 10: Trustworthy Computing

Trustworthy Computing

Security: Resilient to attack. Protects confidentiality, integrity, availability and data.

Privacy: Individuals control personal data. Products and Online Services adhere to fair information principles.

Reliability: Dependable. Available when needed. Performs at expected levels.

Business Integrity: Help customers find appropriate solutions. Address issues with products and services. Open interaction with customers.

Page 11: Trustworthy Computing

What are we doing today?

Page 12: Trustworthy Computing

Microsoft Security Response Centre

Dedicated team in the Microsoft Security Response Centre

Policy Commitment: investigates all threats ([email protected]); Weekly Exec status; Customer bulletins - plain language; www.microsoft.com/security

Education: Brings back experience into the Product group

Non-disclosure of threats in the investigation phase: Trusted Computing Conf in Nov. - Developing new procedure standard with @stake, BindView, Foundstone, Guardent, Internet Security Systems,

Page 13: Trustworthy Computing

Secure Windows Initiative

“To improve the security of all our software and products, so that our customers will get the level of security they require”

Training - dedicated security courses

Testing – internal / external experts (inc Universities). Penetration group. Systems up on the web

Tools – Automated analysis tools, e.g. PREfix / PREfast, RPC stress testing

Process – RAID, Security bug bash, Automated & Managed sign off

Product – Security over Feature – turn off services

Page 14: Trustworthy Computing

Strategic Technology Protection Program

Offering: No-charge support for virus-related incidents. Premier Support and Security workshops & services – Get Secure & Stay Secure.

Online: Security resource site: www.microsoft.com/security. Microsoft Security Notification Service. Windows Security Newsletter.

Product: Microsoft Security Tool Kit, Security Configuration Checklists, and PAG. Security maintenance tools and resources. Reboot only where necessary. MSBA, MSUS.

Page 15: Trustworthy Computing

The future challenges

Page 16: Trustworthy Computing

Future Directions

Machine-machine processes: Self-management by policy. Loosely coupled, self-configuring, self-organizing, adaptive.

Edge of the network: Peer-to-peer applications; distributed processing, storage.

New development, testing, operations, auditing tools

Hardware and networking improvements: Failover, redundancy; impervious to physical modifications; theft or loss. Rigorous authentication, key management.

Devices, Services, Apps

Page 17: Trustworthy Computing

News

Windows 2000 achieves Common Criteria at EAL4

Professional, Server, and Advanced Server

Systematic Flaw Remediation

Includes Active Directory, Kerberos, IPsec, EFS, Single Sign-on, etc

Wide range of real-life deployment scenarios tested

Windows XP and Windows .net Server 2003 will enter evaluation

Page 18: Trustworthy Computing

Leaving Messages

Microsoft is as committed to developing the trusted computing model, as it was in moving into the internet and adoption of .Net

Security is part of Trustworthy computing and can only be achieved through partnership & teamwork

Security is ‘the journey’ there is no end point

Page 19: Trustworthy Computing

Questions?

Visit http://www.microsoft.com/security for current information on security

Building a Secure Platform for Trustworthy Computing Whitepaper

http://www.microsoft.com/enterprise/articles/security.asp