Microsoft Trustworthy Computing Turns 10: Whats Next

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft Trustworthy Computing Turns 10: Whats Next


10 years after Bill Gates famously declared a security emergency within Microsoft, the stakes are much higher. TWC Next will include a focus on cloud services such as Azure.



Slideshow: Windows 8 Upgrade Plans: Exclusive Research (click image for larger view and for slideshow)
Microsoft is marking the 10th anniversary of Bill Gates game-changing security memo with a focus on new types of attacks that threaten businesses and individuals who are significantly more wired than when the companys chairman launched his now-famous Trustworthy Computing initiative.
Today, information and communications technology (ICT) underpins every aspect of our personal and professional lives, said Microsoft chief research and strategy officer Craig Mundie, in an e-mail to employees Thursday.
While it is indisputable that ICT has transformed for the better how we live, society still confronts some long-standing and evolving challenges, Mundie said. We must protect the security of the electrical power grid, the global financial system, and the telecommunications system, even as determined and persistent adversaries set their sights on these and other critical infrastructures.
[ Malicious attacks accounted for 40% of disclosed breaches last year. Learn more:
Hack Attacks Now Leading Cause Of Data Breaches
. ]
Gates fired off his
Trustworthy Computing memo
to employees on Jan. 15, 2002, amid a series of high-profile attacks on Windows computers and browsers in the form of worms and viruses like Code Red and Anna Kournikova. Code Red, which used buffer overflows to exploit a weakness in Windows Servers Internet Information Services (IIS), infected more than 300,000 PCs.
The onslaught forced Gates to declare a security emergency within Microsoft, and halt all production while the companys 8,500 software engineers sifted through millions of lines of source code to identify and fix vulnerabilities. The hiatus cost Microsoft $100 million. If we dont do this, people simply wont be willing--or able--to take advantage of all the other great work we do, Gates said in his memo. We must lead the industry to a whole new level of Trustworthiness in computing.
To accomplish that, Gates identified three principles that Microsoft products were to be designed around--availability, security, and privacy. In practice, that meant placing security on an equal footing with usability and speed-to-market in Microsofts development cycles.
Getting your product to market first and killing Netscape was how you got rich at Microsoft. After the Gates memo came out, having your product have fewer top-class bugs and security vulnerabilities and less patches became as important a criterion for measuring the product managers as making an early shipping date, said Gartner research fellow John Pescatore.
As a result, Microsoft products like Visual Studio and Windows Server gained built-in security features for guarding against vulnerabilities caused by errors like stack overflow and were hardened with architectural changes, such as library randomization and formal Secure Development Lifecycle procedures, and the company made many of its own internal safeguards available to third parties.
Slideshow: Windows 8 Upgrade Plans: Exclusive Research (click image for larger view and for slideshow)
Gartners Pescatore said the changes inspired by Gates memo have largely worked. You cannot say today that Apache Web server is more secure than IIS; before the memo it was easy to say that.
In his e-mail Thursday, Microsofts Mundie acknowledged that the threats facing the computer industry have changed in the past decade and that the stakes are higher, given ITs ubiquity in almost every facet of daily life. Massive amounts of data are now stored in the cloud and accessed through mobile devices. TWC Next, the ensuing decade-plus of Trustworthy Computing, will focus on the new world of devices and services. Everyone at Microsoft and the entire computing ecosystem has a role to play, said Mundie.
A big part of TWC Next is securing
cloud services like Azure
, said Microsoft Trustworthy Security director Jeff Jones, in an interview. The computing environment today is drastically different than it was 10 years ago, said Jones. Among other things, Microsoft is formulating secure development lifecycles specifically related to cloud services, Jones said.
[ What should be tops on CEO Steve Ballmers to-do list? See
5 Moves Microsoft Must Make In 2012
. ]
Microsoft also is developing technologies and practices to guard against the changing nature of security threats. At the time of Gates memo, worms that could infect hundreds of thousands of PCs in days were the big danger. Todays cybercriminals are more focused on stealing valuable data from individual users and corporate PCs.
The threats have evolved. Now you have professional criminal organizations targeting credit card numbers and other data through methods like phishing. As exploits get technically harder, attackers have turned to social means, said Jones. The idea that you can keep people out completely when you have persistent and well funded attackers--thats something the community has to think about.
Protecting against the newer threats has meant adding features that can limit the damage if a user is exposed to an attack. Internet Explorer 8 and IE9 defend against unauthorized Active X executions, and on the client side theres the addition of barriers such as BitLocker in Windows 7 and
Secure Boot in Windows 8
, which guards against BIOS level attacks.
We have to keep raising the bar. We have to be as committed today as we were 10 years ago, said Jones.
InformationWeek is conducting our third annual State of Enterprise Storage survey on data management technologies and strategies. Upon completion, you will be eligible to enter a drawing to receive an Apple iPad 2. Take our
Enterprise Storage Survey
now. Survey ends Jan. 13.

Last News

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Trustworthy Computing Turns 10: Whats Next