
RSA 2008 Keynote: Craig Mundie

By Jeff Jones, Microsoft Trustworthy Computing

 

Yesterday was a busy day, so I got a bit behind with my updates on RSA, but I wanted to post about the Microsoft keynote, in addition to the others I attended.

The format was a fireside chat, with Craig Mundie, Microsoft's Chief Research and Strategy Officer sitting and talking with Chris Leach, Chief Information Security Officer at Affiliated Computer Services. 

I knew generally what Craig was going to talk about, but I was very interested to hear Craig's perspective and see how he thought about and talked about the End to End Trust topic.  In my opinion, this is one of the key topics that could help guide where Microsoft security efforts will go over the next 5 years, building on the past 5 years, and I am happy to see that leadership (Craig, Scott Charney) are approaching it as a dialog with the industry and recognizing that it needs interoperability and industry support.

Two key topics stuck with me at the end of the keynote:

  1. How security and privacy are interdependent, supporting each other while also being in tension with each other.
  2. Any technological efforts supporting End to End Trust will need to be very inclusive in order to work in heterogeneous environments.  Past infrastructure efforts (e.g. PKI) have demonstrated that the level of work and investment required means that it is more likely to hit roadblocks if existing business processes are excluded.

Jeff Jones, Microsoft Trustworthy Computing

 

System Center at RSA

By Jeff Wettlaufer, Sr. Technical product manager, Microsoft System Center

 

Hi everyone, my name is Jeff Wettlaufer, and I am the Sr. Technical product Manager for System Center Configuration Manager.  This week at RSA, Microsoft System Center will be present like never before. With the recent releases of Microsoft System Center Configuration Manager 2007, Microsoft System Center Operations Manager 2007, Microsoft System Center Data Protection Manager 2007 and Microsoft System Center Virtual Machine Manager, the business of Management at Microsoft has taken Security to a new level. 

 

Through integration to the Windows Client and Server platform as well as Forefront, System Center has achieved new and improved security capabilities across a wide range of scenarios, including: Datacenter, mobile workforce, branch office as well as both physical and virtual environments.

 

For example, this week at RSA, System Center will be showcasing our ability to integrate with Windows Server 2008 Network Access Protection.  Today’s increasingly mobile workforce and the need for interconnection between partners and customers present an entirely new set of challenges for IT departments. In addition to ensuring that the desktop computers on the network are up-to-date and meet the company’s requirements for system health, network perimeters must also protect networks from roaming devices that may be vulnerable to security exploits.

 

Network Access Protection is designed to protect the network by validating the System Health when the Client attempts to connect. This set of technologies allows an IT administrator to restrict non compliant devices from accessing network resources.  Through Windows Server 2008 NAP, policy in the form of a relationship between the Network Policy Server and a NAP configured Windows client can verify elements visible with the Windows Security Center, for instance: firewall, automatic updates, anti-virus etc.  System Center brings an incredibly powerful addition to this health verification, in the form of Windows Updates. 

 

Configuration Manager brings out of the box support for NAP policy validation for the presence of Windows, 3rd party or Line of Business updates, not only guaranteeing that the client accessing the network is configured for corporate security settings, but that the client also has a current update configuration of all the approved patches.  And, just like Windows NAP, these policies from System Center can enforce network restrictions both on network access scenarios, as well as online in the production network, ensuring even when systems are inside the corporate boundaries, system health validation can be occurring at regular intervals.
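The health-validation flow described in the two paragraphs above, as an added illustration (this is not Microsoft's NAP or Configuration Manager code): a client's statement of health is checked against policy for the Security Center items (firewall, automatic updates, anti-virus) plus the Configuration Manager addition, presence of every approved update, and a client already on the production network is re-checked at intervals. All type names, field names and update identifiers are assumptions constructed for the example.

```python
"""Toy model of NAP health validation with Configuration Manager update
checks. Structures and names are assumptions for illustration only; they
are not the real NAP, NPS or Configuration Manager interfaces."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class StatementOfHealth:
    """What a NAP-enabled client reports when it asks for network access."""
    host: str
    firewall_on: bool
    auto_update_on: bool
    antivirus_on: bool
    antivirus_signature_age_days: int
    installed_updates: set[str] = field(default_factory=set)


@dataclass
class HealthPolicy:
    """Policy held on the policy server: Security Center requirements plus
    the list of updates Configuration Manager has approved for the fleet."""
    max_signature_age_days: int = 7
    approved_updates: set[str] = field(default_factory=set)


@dataclass
class AccessDecision:
    compliant: bool
    failures: list[str]
    network: str  # "production" when compliant, otherwise "remediation"


def evaluate_health(soh: StatementOfHealth, policy: HealthPolicy) -> AccessDecision:
    """Validate one statement of health. Every failed check is recorded so the
    client (or the help desk) can see exactly what to remediate."""
    failures: list[str] = []
    if not soh.firewall_on:
        failures.append("firewall disabled")
    if not soh.auto_update_on:
        failures.append("automatic updates disabled")
    if not soh.antivirus_on:
        failures.append("anti-virus disabled")
    elif soh.antivirus_signature_age_days > policy.max_signature_age_days:
        failures.append(
            f"anti-virus signatures {soh.antivirus_signature_age_days} days old "
            f"(limit {policy.max_signature_age_days})")
    # Configuration Manager's contribution: every approved update must be present.
    missing = sorted(policy.approved_updates - soh.installed_updates)
    if missing:
        failures.append("missing approved updates: " + ", ".join(missing))
    compliant = not failures
    return AccessDecision(compliant, failures, "production" if compliant else "remediation")


def revalidate(reports: list[StatementOfHealth], policy: HealthPolicy) -> list[str]:
    """Periodic re-validation of a client that is already inside the corporate
    boundary: returns the network the client is placed on after each check,
    so a host that drifts out of compliance is moved to remediation."""
    return [evaluate_health(r, policy).network for r in reports]


def demo() -> tuple[AccessDecision, list[str]]:
    # Constructed sample data; update ids are placeholders, not real KB numbers.
    policy = HealthPolicy(max_signature_age_days=7,
                          approved_updates={"UPDATE-A", "UPDATE-B", "UPDATE-C"})
    first_connect = StatementOfHealth("lab-pc-01", True, True, True, 2,
                                      {"UPDATE-A", "UPDATE-B"})
    decision = evaluate_health(first_connect, policy)
    # Same host over three later checks: patched, then signatures go stale.
    later = [
        StatementOfHealth("lab-pc-01", True, True, True, 3, {"UPDATE-A", "UPDATE-B", "UPDATE-C"}),
        StatementOfHealth("lab-pc-01", True, True, True, 6, {"UPDATE-A", "UPDATE-B", "UPDATE-C"}),
        StatementOfHealth("lab-pc-01", True, True, True, 9, {"UPDATE-A", "UPDATE-B", "UPDATE-C"}),
    ]
    return decision, revalidate(later, policy)


if __name__ == "__main__":
    first, placements = demo()
    print(first)
    print(placements)
```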

 

Microsoft is a Diamond sponsor of the RSA Conference this year, and System Center has been involved all week in the Microsoft pavilion of the show floor (right between Windows Server 2008 NAP and Forefront pods), where a constant stream of Security professionals have been engaging with Product team.

 

For more information, check out our System Center site and blog.

 

Kind Regards,

Jeff Wettlaufer, Sr. Technical product manager, Microsoft System Center

Posted by microsoft@rsa | 1 Comments

RSA 2008 Crypto Panel: Martin Hellman on 0.01% Events

By Jeff Jones, Microsoft Trustworthy Computing

In the past, I haven't always stayed to hear the Crypto panel, but based upon the excellent one this year, I'll definitely include it in my plans going forward.  If you want to hear an overview of what they all said, I can recommend Robert Vamosi's story Cryptographers speak of threats, voting, and Blu-Ray rumors.

I want to highlight the points that Martin Hellman raised with respect to 99.9% probability as a margin of safety, complacency, and low-probability events.

He had one slide - a picture of a glider soaring very low over a runway at the bottom of a high speed, low pass flight.  Hellman is a pilot and pointed out that this activity is safe for those that do it 999 out of 1000 times, but went on to talk about how cautious pilots are when they first attempt it, but after 50 or 100 times of doing it successfully, they simply aren't as cautious or nervous and as a consequence don't necessarily address every risk as seriously as they did early on.

He also talked about The Black Swan: The Impact of the Highly Improbable and gave several excellent examples of how people underestimate the impact of low-probability, high-impact (even catastrophic) events.

The parallel to the issues of Internet Security are pretty clear.

Targeted attacks are increasingly part of the landscape, but it is much harder to convey their seriousness to the average person than some of the high-profile worms and viruses of the past that got on everyone's radar.  And yet, we heard from Symantec's Stephen Trilling this week how credit card numbers go for as low as $0.40 in the malware underground economy.

Martin's call to action was for security industry practitioners to try to be the group of voices that convince the non-security folks to take security more seriously.  I'm happy to join his efforts in that and exhort you to do the same.

Regards ~

Jeff Jones, Microsoft Trustworthy Computing

Posted by microsoft@rsa | 1 Comments

New Identity and Access Features in Windows Server 2008

By Simon Vining, Senior Product Manager, Identity and Access

 

 

In my work for the identity and access team, I’m frequently asked what’s “new” in WS08 that delivers on Microsoft’s vision for end-to-end integrated identity and access? The short answer is “LOTS.” The long answer is “more seamless security and simplified collaboration.”

 

What do I mean? Permit me to elaborate.

 

The new read-only domain controller capabilities in Active Directory (AD) enable a more secure method for local authentication of users in remote and branch office locations using a read-only replica of your primary AD database. We’re also delivering more secure and transparent single sign-on for employees and partners through Active Directory Federation Services (ADFS). We’ve tightened the cryptography and increased the manageability of our certificate services through PKIView for monitoring the health of Certification Authorities (CAs), and we have a new, more secure COM (ActiveX) control for certificate Web enrollment. While all of this is noteworthy, our customers are most excited about the new enhancements for Active Directory Rights Management Services.

 

In the words of Mark Gandy, enterprise architect at Dow Corning, “Active Directory Rights Management Services was the ideal solution for us because it integrates seamlessly with both the Microsoft Office system on the desktop and our Windows Server based IT infrastructure. We decided specifically to go with Active Directory Rights Management Services in Windows Server 2008 because of the many enhancements it offers over the previous version, including its inclusion as a core server role, an improved management interface, and the ability to easily extend its reach to support collaboration with business partners.”

 

In addition to Dow Corning, identity and access solutions in Windows Server 2008 are getting rave reviews by Continental Airlines, Pacific Coast Building Products, and Windrush Frozen Foods, just to name a few. Additionally, the 250K seat deployment of Windows Server 2008 identity and access solutions at the Department of Veterans’ Affairs was featured here.

 

In Windows Server 2008, we have made the platform more secure, made it easier for customers to collaborate with one another and improved identity and access features. In general, all of our identity and access solutions are designed to help organizations manage identities and resulting access privileges, and these enhancements, not only work to that goal, but are also a huge leap forward in our commitments to customers for stronger security and enhanced ease of use.  

 

For more info on our IDA solutions, visit www.microsoft.com/ida

 

Thanks for your time and interest,

Simon Vining, Senior Product Manager, Identity and Access

Posted by microsoft@rsa | 1 Comments

What to Really Watch at RSA 2008: Is Data-centric Security Catching on?

By Manu Namboodiri, Director of Product Marketing, BitArmor Systems, Inc.

 

At BitArmor, we have been talking about data-centric security for a while now. We know that data centricity is not only the future of security – it’s the future of IT (we’ll get to why I can say that in a bit).

 

So, when I got a hold of Windows Vista, and later Windows Server 2008, I must say that I was very encouraged. Not only will enterprise users enjoy unprecedented capabilities to create, share, and digest information, Microsoft has moved a long way toward creating a foundation for enterprise security. Specifically, Microsoft technology is enabling highly secure software code execution (particularly at the kernel level), and BitLocker will do wonders for the assurance of system integrity and protection of disk data at rest.

 

That’s encouraging to me because it means we’re one step closer to a data-centric world. A better foundation means that we can develop better security software; software that can keep up with the blinding proliferation of distributed data. It simply no longer makes sense to build security around devices – data is the real asset, so data should be the real security priority. A data-centric approach to security is infinitely more scalable and manageable as the amount of an enterprise’s information assets rockets into the petabyte range (and as the monetary value of that data grows just as quickly).

 

There’s been some chatter about data-centric security brewing for a while now. We’ll be hearing more on the subject at RSA this year than we ever have before:

  • The Jericho Forum is hosting their own event in San Francisco this week
  • Many vendors have attempted to introduce messages about data-centricity – and we know the subject will be flying through the Expo Hall
  • I’m leading a Peer2Peer session devoted to this topic

 

It’s going to be exciting to hear what folks are saying about data-centricity and how they’re leveraging Microsoft’s new platforms to drive security in that direction.  Enjoy the conference!

 

Manu Namboodiri, Director of Product Marketing, BitArmor Systems, Inc.

Posted by microsoft@rsa | 0 Comments

The Virtualization Bandwagon—Prep Before You Step

By Jason Yuan, McAfee Group Product Manager for Virtualization

Hello from Moscone Center, San Francisco, where it is the third day of RSA Conference 2008. There's a lot of talk these days about virtualization. A lot of talk. Why all the excitement? The answer is simple: virtualization can save companies a lot of money. That's why half of North American enterprises have a virtualization deployment, with EMEA following close behind at 35 percent. Virtualization is one of the hottest technologies we've seen in the past 20 years, and it's only getting hotter.

At the highest level, virtualization allows a single piece of hardware to run multiple virtual machines.   That means cost savings through server consolidation, where a single physical server can now do what used to take anywhere from eight to 20 individual units. This not only saves money on hardware and human resources, but also in power costs, which suck up some 30 percent of the average datacenter expenses and account for 1.5 percent of all U.S. electricity use. Talk about going green in a big way. Virtualization also facilitates more efficient business continuity planning (BCP), allowing companies to scale instantly by turning additional virtual machines on or off to accommodate spikes (or dips) based on actual or anticipated loads. And it leads to better manageability of the desktop because virtualized images allow for standardized configuration, management and security of hundreds to thousands of desktops from a centralized location.

There's no question that virtualization can dramatically reduce IT costs, which is an attractive incentive for any enterprise. From a security perspective, however, virtual machines are subject to the same threats as traditional physical systems. And virtualization technology has its own set of challenges, so it's important to be prepared, or you might end up flat on your face. 

What are some of the risks of virtualization technology? For one, it has become a prime target for hackers. To borrow a line from our CTO Christopher Bolin, “when a platform or application becomes broadly used, it will be attacked.” If the bad guys were to gain access to the virtualization infrastructure, they would have direct access to the data-rich hard drive, CPU and memory, bypassing traditional security measures, and without the knowledge of users. At McAfee we saw the number of vulnerabilities associated with virtualization software code double from 2006 to 2007.

Virtualized environments also face the threat of contamination. Good security practice calls for segregated network zones, especially when different servers or dozens of desktops share the same physical resources. However, today's virtual infrastructure does not offer any network-based segmentation inside a physical system. A worm or virus can spread quickly from virtual machine to virtual machine, much like a contagious disease can spread if the first person to get sick isn't quarantined. By design a virtualized environment has no gates, and thus no natural protective segregation.

In a twist of irony, another risk of virtualization software lies in the images that are regularly taken to back up the system. Due to the ease of taking these snapshots, they are much more plentiful than in a traditional physical environment. These backups are often dormant, often for months. Several months is plenty of time in security terms. A recently developed threat can easily take down an unpatched operating system or application. When the virtual images are brought back online, they are immediately plugged into the production environment. In one instance, a worm was injected into a production network by an infected virtual machine, which brought down thousands of servers.

Not to say that I'm not a fan of virtualization software, or that it isn't secure. Far from it. I believe virtualization is where we are all headed, but as a security professional it's my job to take the safest route there.  So if you're going to jump on the bandwagon, here's some advice on how to do it:

1. Invite the security folks to the table

If you're going to launch a virtualization initiative, have security be part of it. It's that simple, yet a surprising number of cross-functional tiger teams are still comprised solely of operations, applications and server groups. This oversight could be a resource issue, or an ignorance issue, or maybe a fear that the security people will slow everything down. But regardless of the reason, it needs to change.

2. Apply certified security countermeasures to your virtualized environment

Just like physical machines, virtual machines are at risk of attack by viruses, worms, malware, etc., so it's important to apply your existing security countermeasures to them. When picking security products, ask the vendors how these products are supported in your intended virtualization environment. If you run into issues with a specific deployment, make sure the vendor's entire support staff (Tier 1, Tier 2 and Tier 3) is equipped to handle your configuration. In addition, be mindful of added management overhead you may introduce. It's a good idea to use the same security measures for both virtual and physical systems, so you don't have to use one set of security clients and management console for the virtualized environment, and a different set for your physical environment.

3. Engage a vendor-agnostic security consultant who knows virtualization

Deploying a secure virtualized environment involves more than just the technology. Objective, experienced consultants can help you manage the entire transition, from installing the software to training the people who are going to manage it. They can also make sure you keep the proper security processes in place to accommodate the new environment.

 

There is no perfect security system, but there are proven best practices for security, whether the environment is physical or virtualized. The problem is that not all companies that are migrating to virtualization are applying the correct security processes. Such processes can admittedly be extremely expensive just to mitigate risk, but gambling with valuable company data, including customer data, is not an option for any company worthy of having customers. Research shows just one out of eight keep the same processes in place after the transition, which means seven others are inviting real trouble to walk through their virtual door.

 

So go ahead and virtualize. Just do it the secure way.

- Jason Yuan yuan@mcafee.com

Jason Yuan, McAfee Group Product Manager for Virtualization

Posted by microsoft@rsa | 1 Comments

ILM “2” ... coming soon and it’s all about TCO!

By John “JG” Chirapurath, Director, Identity & Access Marketing

 

JG here, from the identity and access team at Microsoft. As you probably remember, last year at RSA Conference USA, Microsoft announced availability of Identity Lifecycle Manager (ILM) 2007, which joined user provisioning and certificate & smartcard management in a single integrated offering. For far too long, the industry has treated two related functions – identity management & strong authentication – as fundamentally dissimilar things. This despite the fact that customers have stressed that they are not! Both functions are connected by Identity and its related workflows – the act of provisioning a user identity is deeply connected with issuing a certificate or a smartcard to that Identity. ILM 2007 sought to address this very need.

 

As I look back at last year, all of us here in the Microsoft identity & access group have been pleased and humbled by the reception of the approach and ILM 2007!  Customers have repeatedly told us that we have the winning approach from a TCO perspective, and it allows them to maximize their existing investments in infrastructure – be it Microsoft Windows or other heterogeneous systems.  

 

We have also heard repeatedly from customers that their experience with Identity & Access Management is unbalanced – the current state of the art forces IT departments and service desks to bear the biggest burden with respect to Identity & Access. They are forced to integrate a variety of best-of-breed solutions (even today’s suites are loosely coupled point solutions simply marketed as suites) with the right business rules & workflow while ensuring that things like user provisioning and de-provisioning, entitlement management, group management, and password reset work. On the other hand, people with the knowledge of the “what” – the organization’s line-of-business and functional workers – are forced to sit on the sidelines and wait for IT.  They crave meaningful and easy-to-use self service in their familiar desktop applications. Overall, customers are asking us to rebalance the responsibilities of Identity & Access Management in their organizations so they can deal with security and compliance in a cost effective and comprehensive manner.

 

These concerns are top of mind for us as we think about the next version of ILM – ILM “2”. I am pleased to report that we will announce a public beta shortly. ILM “2” will expand the capabilities of ILM 2007 and add comprehensive user, group, credential, and policy management functions. Our mantra is TCO & true self service, and as we did with ILM 2007, we will shift the state of the art and strive to bring balance to the enterprise.

 

Signing off from RSA 2008,

 

John “JG” Chirapurath, Director, Identity & Access Marketing
Posted by microsoft@rsa | 1 Comments

RSA Panel: Software Assurance: Driving Global Security, Integrity

By David Ladd, Principal Security Program Manager, Security Engineering and Community (SEC)

Hi there – Dave Ladd from the Microsoft SDL Team here...

Earlier this morning I attended a panel session at RSA entitled “Software Assurance: Driving Global Security and Integrity”, with Microsoft’s Steve Lipner participating as a panelist. During the question-and-answer portion, a number of folks asked about secure software development practices – with questions running the gamut from general to very specific.

Given that context, I’d like to announce the availability of the Microsoft Security Development Lifecycle (SDL), version 3.2 on MSDN. For those unfamiliar with the SDL, it is the process that our product teams use to ensure security and privacy during the development process. You can read more about it on the SDL Blog.

David Ladd, Principal Security Program Manager, Security Engineering and Community (SEC)

End to End Trust

By Peter S. Tippett, Vice-President, Security Services, Verizon Business

 

Scott Charney and Craig Mundie of Microsoft recently discussed (in “Establishing End to End Trust” and the RSA keynote) the potentially significant security benefits of new identity, trust and audit mechanisms implemented pervasively across devices, systems, applications, users, and data. 

 

Is this another doomed, fanciful promotion of identity for everyone?  I sure hope not, because I believe that a small amount of identity sprinkled appropriately almost everywhere would improve not only security, but also privacy.  Done well, it will both drive new user trust in the systems we frequent, and might also improve (or at least not diminish) ease of use.  Unfortunately, if history is any guide, the odds are against success.  

 

Failure to achieve such a vision would come from two fronts:  inappropriate worrying about potential privacy issues, and what I will call the “perfection problem.”  I’ll leave the bulk of the privacy argument for another time.

 

Let’s look at what is possible. Pervasive identity and audit would 1) significantly improve security and thus would mitigate the privacy issues related to overt malice; 2) it would improve everyone’s understanding of where their private information resides and who is accessing it (thus improving user trust in our systems pervasively) and 3) improved identity and other assurance mechanisms would also apply to the “privacy infringers” and their systems so they would be much more easily found out and would therefore be less likely to abuse. 

 

Less understood is the perfection problem.  By definition “good enough” identity is good enough.  But we, security practitioners, have an incredibly long and consistent history of insisting that only “nearly perfect” countermeasures are good enough.  

 

Practically, one can achieve ten or more “nines” of identity strength (one error in 10 million) with a well implemented PKI solution.  We at Verizon Business have implemented hundreds of high-end systems across more than 30 countries.  The total cost to implement and manage such systems is not inconsequential, even in large volumes. Imagine the expense if we now think of signing all that is being suggested (10 to 100 times more signatures per individual deployment and use.)   

 

Suppose, however, you could get one to two “nines” of identity strength for an incredibly small fraction of the cost of typical PKI solutions. Would you pay a dollar a year to reduce your spam 10 to 100-fold? If you deployed relatively “simpler” identity measures across devices, systems, applications, people and data -- there would be a synergistic amplification of the overall effectiveness of the collective identity and other assurance mechanisms. 

 

With good identity deployed broadly, in many cases, the criminals would simply not be able to connect to cause the malice in the first place.  And if they did commit malice, the investigation would be enhanced, making the criminal much more easily found and prosecuted. 

 

In other words we could achieve much more than 100-fold reduction in computer crime, fraud and privacy issues by sprinkling around a little identity information at all levels. 

 

Perfection is the enemy of good enough.  Long before we achieve pervasive deployment of great identity at any level, we would see the very real benefits of good enough applied nearly everywhere. 

 

There’s no time like the present to begin this journey.

 

By Peter S. Tippett, Vice-President, Security Services, Verizon Business

 

NAP is here at RSA

By David Burt, Product Manager, Security and Access Products

 

Hi, my name is David Burt on the Forefront team. Seven weeks ago, Windows Server 2008 officially launched, and with that Network Access Protection (NAP) was officially released to market. Last year at RSA, Windows Server was still in beta but was already being deployed by a number of customers. Before the official launch, we built up an impressive partner ecosystem – a Who’s Who.

 

It’s another busy RSA for NAP. Last year at RSA we announced our milestone of 100 NAP partners, which made NAP the largest Network Access Control (NAC) ecosystem in the industry.  A year later, we have more than 130 partners, including Cisco, Symantec, McAfee, Juniper, and many more.

 

This year, our partner pavilion includes:

  • Juniper
  • Foundry Networks
  • McAfee
  • Blue Ridge Networks
  • Avenda Systems
  • UNET Systems
  • Sky Recon
  • Nortel

 

Stop by our NAP pavilion booth #951, and get a demonstration of NAP!

 

David Burt, Product Manager, Security and Access Products

 

Posted by microsoft@rsa | 1 Comments

Microsoft’s approach to securing and managing infrastructure

By Doug Leland, General Manager Identity and Access Business Group

 

As general manager for the identity and access group, in my day-to-day work I speak with a broad range of customers – from small businesses to very large enterprises and across the broad range of industries and organization types. Consistently, they talk about the problems of keeping costs down while trying to secure and manage their environments. They’ve deployed IT security products, identity management products, information protection products, remote access products, and systems management products. Yet they still have the same challenges - problems with malware, regulatory compliance, loss of sensitive information as well as high business enablement costs. This clearly hits the bottom line through high IT costs, customer dissatisfaction, damage to the brand, legal issues, and loss of business. 

 

Why do they continue to have the same challenges? It’s because point products often add to the problem. Best-of-breed point products tend to operate in their own silos with no central policy, which makes it difficult to coordinate responses to threats or issues or to efficiently enforce security & compliance audits. Additionally, since each of these point products has to be individually configured and managed, it can make them expensive to operate and maintain. Having to manage all these products also risks mis-configuration, which can leave an organization even more vulnerable.

 

At Microsoft, we’re focused on delivering integrated solutions from the platform to the applications that sit on top of it -- spanning identity infrastructure, data access, threat mitigation and systems management. This helps customers save time, reduce costs, capitalize on existing technology investments, and protect their environments.

 

Let’s look at one example. Imagine a large enterprise who wants to securely collaborate with its partners and vendors that are outside its network.

 

With Windows Server 2008, they have everything they need. Active Directory Federation Services (ADFS) in Windows Server 2008 enables organizations to share a user's identity information across partners. Meantime, Rights Management Services (RMS), which is also in Windows Server 2008, helps safeguard digital information from unauthorized use — both online and offline and inside and outside the enterprise. As a result, employees of both companies can transmit sensitive information, defining who has rights to view across the relationship. Additionally, the provisioning or de-provisioning of this takes minutes — with reduced complexity, improved management, and better security. This saves time and lowers costs. And they can build on this through other Microsoft solutions that integrate easily with it — Forefront’s Internet Security & Acceleration Server for pre-authenticating RMS and ADFS functionality; Microsoft’s Identity Lifecycle Manager 2007 for managing user identities across their lifecycle and heterogeneous environments; and so on.

 

With point products, it’s another story.  This enterprise — and its partners — each need to buy the identity infrastructure from a 3rd party, and also buy an information protection/leak prevention system from yet another 3rd party.  Then they need to set up these point products and configure them across organizations, while also trying to get these solutions to scale.  At a minimum, the process takes many hours, if not days, to provision the service.  This delay could lead to sensitive information being left unintentionally exposed.

 

We have a great roadmap for products that further expand these benefits. For example, the public beta 1 of Forefront code name “Stirling” — released at the RSA Conference — is an integrated security system that combines next-generation Forefront endpoint, messaging & collaboration, and network protection with a central management console. As an integrated security system, Stirling protection technologies share and use security information – responding to new and existing threats automatically, compared to the hours it takes today with point products and manual investigation.  Stirling also integrates with existing infrastructure – Active Directory, System Center, Network Access Protection – so that customers can be more efficient and maximize the value of their existing investments.

 

We are also making it easier to gain the benefits of these integrated solutions. Through Microsoft’s Core Infrastructure Optimization model, we provide prescriptive guidance for how customers can work with and build on their existing investments. And through Microsoft’s Enterprise CAL suite – which includes Forefront, Identity & Access, System Center, and Windows Server solutions – we provide a simplified, cost-effective way to purchase these integrated solutions.

To sum up, our objective is to help lower the total cost of ownership for our customers’ IT infrastructure. Through an integrated approach to IT security, identity & access, and management, we’re looking to do just that. You can learn more about our integrated solutions, and the benefits they can deliver, through the links below.

Forefront:    www.microsoft.com/forefront

Identity & Access:   www.microsoft.com/ida

System Center:   www.microsoft.com/systemcenter

Windows Server:   www.microsoft.com/windowsserver

Windows Client:    www.microsoft.com/vista

Core IO Model:   www.microsoft.com/business/peopleready/coreinfra

Enterprise CAL:  www.microsoft.com/calsuites/enterprise

Doug Leland, General Manager Identity and Access Business Group

Posted by microsoft@rsa

Critical Connections – Protecting the Infrastructures that Unite Us

By Paul Nicholas, Microsoft’s Critical Infrastructure Protection

Paul Nicholas with Microsoft’s Critical Infrastructure Protection team here…

At noon today I will be participating in a dialogue on the initial findings and lessons learned from Cyber Storm II. (If you happen to be reading this from the conference, come and join us for this RSA Town Hall Meeting led by Homeland Security Assistant Secretary Greg Garcia!) When preparing for the discussion, I started to think about the dramatic advances in technology we’ve seen over the last 30 years.

The development of the microprocessor, the rise of the personal computer and the emergence of the Internet have all revolutionized the way information is created, stored, shared and used. Today, as technology continues to advance and improve, new breakthroughs are transforming the world once again. This remarkable transformation is founded upon an increasing number of ever more powerful and diverse devices, the growing ubiquity of broadband networks and increasing services delivered from immense data centers. The resulting connectivity, the linking together of individuals, businesses and nations through software and services, is a key driver of the modern global economy.

In particular, connectivity enables the reliable functioning of today’s critical infrastructures: those vital services and essential functions, from energy and communications to banking and transportation, that underpin everyday life. Because computing is integrated into critical infrastructures and commerce, the threats to them have become increasingly sophisticated and driven by malicious intent. Where publicity once motivated many digital attacks, criminal financial gain is behind most attacks today. So, in addition to viruses and worms that shut down systems, we must contend with spyware that steals personal information, targeted attacks that infiltrate data, worms and viruses that hijack computers and install “backdoor trojans” or “bots,” and automated social engineering threats in which attackers try to trick people into divulging personal data or unknowingly installing software.

Because of the complexity and global interconnectedness of these critical infrastructures, their protection is an important national and international policy concern. Securing and maintaining critical infrastructure requires close collaboration between infrastructure owners and operators, technology vendors, and governments. Achieving this protection is a continuous process and one that draws upon the shared expertise of all of these stakeholders.

At Microsoft, providing secure, private and reliable computing experiences across the information technology ecosystem is central to our vision for software and services. Our commitment to Trustworthy Computing extends beyond the desktop to that broad cyber ecosystem on which we all depend. As a result, we are organizing our critical infrastructure protection program to drive strategic change - both within Microsoft and externally - that advances critical infrastructure security and resiliency and builds trust with governments and critical infrastructure providers.

Microsoft is committed to partnering with governments and institutions from around the world to reduce the risks to critical infrastructures and advance the security and integrity of the software and services that support them.

However, real change and real security will only come through collaboration and partnership. Governments, infrastructure owners and operators, and technology vendors must work together to understand and mitigate emergent risks to critical infrastructures.

Paul Nicholas, Microsoft’s Critical Infrastructure Protection

Posted by microsoft@rsa

RSA 2008 Symantec Keynote: John Thompson

By Jeff Jones, Microsoft

Following RSA President Art Coviello on the keynotes this morning was John Thompson, CEO of Symantec. The topic of the keynote was "Information Centric Security: The Next Wave."

On one hand, this was one of the more interesting sessions of the morning, because John brought up his Research Labs VP, Steve Trilling, who shared lots of interesting security factoids from their research:

  • 70% of malware during the latter half of 2007 stole PII
  • Symantec believes computing may have reached an inflection point where more malicious code is created daily than non-malicious code
  • The bad guys have all the elements of a full scale economy, including specialized job roles and a supply and demand market dynamic

In the underground economy:

  • Stolen eBay accounts sell for $8
  • Bank accounts sell for $1000
  • Credit card numbers can go for as little as $0.40
  • World-of-Warcraft level 70 accounts go for $4 and up

This last point was interesting - a WoW account can be worth 100x that of a valid credit card number. As was said in the keynote, "Even in virtual worlds, there is real money for hackers."

On the other hand, there wasn't a lot of new information discussed concerning the title - Information Centric Security.  Mr. Thompson did say that we should start taking a more information-centric approach to security, or as he paraphrased it, "take a risk-based approach to protecting data." 

Most security professionals (not necessarily security technologists or security product folks) have advocated a risk-based approach to protecting data for as long as I can remember. It is still a good idea, and while I am glad Thompson reinforced its importance, I don't see it as the next wave.

One other call to action that John Thompson made was the call for a national approach to security and privacy disclosure laws.  He pointed out that in addition to the well-known California law, 40 other state-level bills are currently being considered. In my opinion, should they pass, it would be a nightmare of overlapping and conflicting requirements.

Regards ~

Jeff Jones, Microsoft

TWC IE 8 Security Vision blog

By Craig Spiezle, Director, Windows Security & Privacy Product Management

I would like to welcome you to RSA. Just a month ago Microsoft launched Internet Explorer 8 beta 1 for developers. Internet Explorer 8 expands on Microsoft's security and privacy investments in Internet Explorer and helps deliver an end-to-end approach to protection. The new browser includes security features focused on social engineering, new defenses against Web server-based attacks, and additional improvements driven by the Security Development Lifecycle (SDL) intended to address browser-based exploits.

IE 8 builds upon the progress we’ve made against the latest generation of social engineering and server-side attacks, as well as exploits targeted at the browser, yet online crime and deception continue to increase across many vectors. The first line of defense against these types of attacks is more secure coding practices. IE 7 was the first browser to be developed under the rigor of the SDL and has been shown to have fewer vulnerabilities in its first year of release (14 fixed) compared to IE 6 (28 fixed), a trend we expect to continue with IE 8.

Core to the IE team’s mission is our commitment to offer consumers increased safety and functionality.  One of our goals for IE 8 is to provide users choice and control without being overwhelmed by too many trust decisions, while providing businesses the ability to customize deployment.  We’re focused on making sure IE 8 delivers the safest online experience, enhancing users’ peace of mind.

Visit us in the Microsoft booth and attend theater presentations daily to learn more about IE 8.  Download the beta today at www.microsoft.com/ie/ie8 or read more on my colleague Eric’s blog at http://blogs.msdn.com/ie/

Craig Spiezle, Director, Windows Security & Privacy Product Management

Microsoft debuts newest addition to Forefront security products line

By David Burt, Microsoft

Hi, my name is David Burt and I’m on the Forefront team. Today at the RSA conference in San Francisco, Microsoft revealed the public beta of the latest addition to its Forefront security products line, an integrated security system codenamed “Stirling.” This new offering will deliver comprehensive, coordinated protection across your IT environment that is easier to manage and control.

Customers have deployed a variety of best-of-breed technologies from security vendors to try to understand if their companies are secure. Often, these solutions have been expensive, difficult to use and fail to fully secure the system they are intended to protect.

Forefront codename “Stirling” aims to solve this with a single dashboard for visibility into real-time enterprise security state. By integrating with existing infrastructure software, such as Active Directory, System Center, and Network Access Protection (NAP), “Stirling” reduces the complexity of managing security.

“Stirling” allows your infrastructure software components to talk to each other about security, to manage themselves through policy, and then to remediate issues with each other. This automation lets security professionals think about the future instead of focusing on putting out security fires.

Included in “Stirling” are the next generation versions of Forefront products for protection of endpoints, messaging and collaboration applications, and the network edge, including Forefront Client Security; Forefront Security for Exchange and SharePoint; and ISA Server, which has been renamed Forefront Threat Management Gateway. Combining these products with the management console creates an integrated security system that reaches from desktop to network edge.

The target RTM for Forefront codename “Stirling” is H1 CY2009. For more information on Forefront codename “Stirling,” visit www.microsoft.com/stirling. If you’re attending RSA, please come by booth #1517 and pick up the beta to learn more.

David Burt, product manager

Posted by microsoft@rsa