By now, everyone knows that this is the year that Microsoft made a massive effort to improve its software security...
-- and customers certainly have the patches to prove it. The movement started last fall in reaction to the Code Red and Nimda viruses, and was punctuated by Bill Gates' January 2002 memo and description of the company's Trustworthy Computing Initiative. Microsoft has scrubbed its software and rooted out compromising vulnerabilities. One of the top executives leading the charge for better security is Michael Nash, corporate vice president of Microsoft's Security Business Unit, which was created in February. Nash gave SearchWin2000.com a progress report on what his group is up to and on how Microsoft is crafting its security strategy.
|Mike Nash, VP of MS Security Business Unit|
Microsoft has been talking about its commitment to building secure software since late last year. The Trustworthy Computing Initiative memo was nice, but what does having a security strategy really mean for Microsoft?
Mike Nash: Trustworthy Computing is about making sure that software provides the same level of trust that people would ascribe to a modern public utility. Just as public utilities are a core part of how people run their lives, and they are trusted. People trust the electric company. From a security level, I can control the electricity in my home. From a privacy perspective, how I use the service … is private to me. The electric company isn't sharing information in an inappropriate way.
From a reliability perspective, it's more than the availability. It's the quality in the way a service is delivered to me and responds to my expectations. From a business integrity perspective, the electric company stands by its commitment to provide electricity to my home. The price is where it is.
Software has a similar set of dimensions. Products and services should be trustworthy in the same way. Security-wise, it's making sure the owner of a system -- as a customer -- knows I and I alone control how the system will be used, how resources and information and applications are accessed.
A second big area is privacy -- making sure as an end user that I can control information and who gets to see it. I can expect a level of compatibility, and products will be suitable to the task for which I bought them.
And last, integrity. This speaks to my ability as a customer to expect a certain level of relationship from a vendor.
So what is the Security Business Unit doing to deliver on this vision?
Mike Nash: We realized we had a lot of work to do to improve the relative security of our products in a consistent way across the company and to have a group responsible for facilitating security across the company. Our focus is on education, training and enabling a company to improve security. A second task is about making sure there are tools and products, so our group is thinking about that. At the end of the day, our mission is to make sure we help customers securely run their business.
Can we expect to see additional security products coming from your business unit?
Mike Nash: Yes. It's very much a function of customer needs. Microsoft builds and supports many products. Our group has one tool, the Baseline Security Analyzer, and an application, the ISA server, which is a firewall that has been shipping for a year and a half. We are trying to understand now, as part of our working with customers, what their needs may be. We are looking for other areas where Microsoft may invest.
|Trustworthy Computing is about making sure that software provides the same level of trust that people would ascribe to a modern public utility. -- Nash|
Microsoft's philosophy has always been to make software simple. But making a more secure platform means locking down the software, which removes a lot of the simplicity. How does Microsoft balance the two?
Mike Nash: There are many cases where we can both make our products easier to use and improve their security. The feedback we get from customers is 'make products more secure.' In doing so, our approach is along the dimension of secure by design, secure by default, secure in deployments and to make sure we have good communication around security.
This is the taxonomy I use when talking to customers; it's the way we are leading the product groups to make sure security is a key aspect of what they are doing:
- Secure by design talks to reducing the number of vulnerabilities. We can deliver a higher level of quality so customers have fewer patches to deploy. We want to make enhancements to products before they ship and certainly before customers see them.
- Security by default means we want to turn off features in the operating system [in cases] where the customer may not be using that feature. We feel strongly that making HTTP access to a Web server is a key feature to the Windows Server product. But there are cases where customers may not need the Web server. [In the past] we installed the Web server by default. We found that even secure code, if it's installed but not being used or managed, may be a source of vulnerability. We decided to turn off the Web server by default, reducing system vulnerability.
- There is a feature in .NET Server 2003 called Secure Server Roles (SSR). SSR asks the administrator questions about how the server will be used. Based on the role of the server, this part of the setup facility will configure the server in a way that installs only features that are necessary to support a scenario. This reduces the attack server area while increasing the overall security of the system in a way that is presented to the customer with a drive toward simplicity. Feedback from customers is they want us to install what they need; no more, no less. So we are being more disciplined in our decisions.
- Security by deployment means as customers are using our products, we are giving them the tools they need to run in a secure way. Customers said they need an easy way to deploy patches. In the fall of 2001, we realized we needed a tool that lets customers verify that their system is configured with the right set of patches and parameters to indicate a secure system. We created the Microsoft Security Baseline Analyzer, which looks at patch level and other configuration parameters.
We also heard there was a need to automate patches. We have the Microsoft Windows Update Service, which lets a customer take critical fixes from Windows Update and deploy to their system. [Customers said] Windows Update works in the unmanaged PC space, but in cases where there is an IT staff, they want the ability to control which patches they take out to their system. We created SUS, which does the same thing as Windows Update, but it gives IT administrators a valve to control which patches to take into this environment. They can test patches and verify compatibility.
Lastly, for customers in large enterprises, we have Value Pack for System Management Server. It lets you do the same level of patch distribution out to machines managed by System Management Server. You can inventory a large environment, tell which systems are compliant with the administrator's definition of secure and which need to be updated.
What can you tell us about the company's efforts to create a common nomenclature and delivery method for patches?
Mike Nash: Our tools are powerful for patching the Windows part of the system as well as some applications, but we need to be more consistent about delivering patches to customers. We have gotten that feedback, and we are working hard to improve consistency in [the] way patches are named and in the technology used in deployment. It's an ongoing process to make them more consistent.
|The feedback we get from customers is 'make products more secure.' In doing so, our approach is along the dimension of secure by design, secure by default, secure in deployments and to make sure we have good communication around security. -- Nash|
Your company takes a lot of heat for selling software that is deemed insecure by the public, even though security issues are hardly unique to Microsoft. Do you think that IT administrators should shoulder more of the blame when viruses hit them?
Mike Nash: There is a lot of process and policy that great IT shops do that make them more secure than others. But our goal is to make sure Microsoft customers are more secure as they use our products. There may be things users can do to make their environments [more secure], which we want to encourage them to do. We also want to make sure we are making that goal easier to achieve.
Does Microsoft Chief Security Strategist Scott Charney have any role within Microsoft's Security Business Unit?
Mike Nash: We are partners in the security efforts around Trustworthy Computing. He reports to [Senior Vice President and Chief Technology Officer] Craig Mundie. I report to [Senior Vice President of the Windows Division] Brian Valentine. He is an attorney and was in law enforcement, but the key thing he is driving is policy -- in particular our work with the government. My focus is on the products. Together we complement one another in our ability to look at a problem.