David Aucsmith, CTO of Microsoft's Security Business Unit (SBU), sees his mission as schizophrenic because he must both secure current products and create security products. Under his helm, the SBU, which includes the Microsoft Security Response Center, is working on both tracks. InfoWorld columnist Wayne Rash spoke with Aucsmith about the company's Trustworthy Computing initiative and the methodologies the SBU has developed to improve product security.
What kind of progress are you making in Microsoft's Trustworthy Computing initiative?
Probably the best example of that progress is the fundamental change in the way we design, develop, and test software as we ship it out the door.
We'll certainly first see the effect of those changes with Windows Server 2003. But it applies to all software that we currently develop within the Windows group and major products such as Office.
How is progress measured?
Ultimately, we measure it by a reduction in vulnerabilities — and particularly, a reduction of exploited vulnerabilities. The other way to measure it is the commitment and the follow-through of the process that's been in place and how that process refines. ... We are cycling in feedback from vulnerabilities that are found in the field, so that we learn and grow, and the process evolves.
Are there going to be some changes in how the security management process or security management applications work?
Yes, there obviously has to be. If you look at the CERT/CC (CERT Coordination Center) statistics, there's something that roughly says about 95 per cent of the exploited vulnerabilities are a result of misconfiguration for some reason or another. ... It's at least illustrative of the fact that we have made our systems very hard to manage in a secure way. All along, we have actually been solving security problems as they've been presented, except we haven't done it in a very uniform way. We have solved a bunch of individual security problems, and the management system reflects the fact that it is administering a bunch of different security solutions on our products and makes it very, very hard to get right.
So, two things that you will see from us in the future: One is more integration of those security components themselves, and the second is a better and more integrated management infrastructure for managing the security of those products as well.
What are you doing to help ensure that the overall network environment is safer?
Obviously we have less ability to address that [in a heterogeneous environment] than we do with our own operating systems and with Microsoft-centric environments. But we are making investments in the edge firewall components like ISA that will provide at least some level of a perimeter defence to protect the internal networks as well.
You're likely to see some level of network defensive capability inherent in all the various OS releases that we have in the future.
In other words, what we're trying to do is promote defence in depth. What we would encourage is for other vendors in the network environment to do the same so that the entire network — each individual entity within the network — has some level of defensive capability, and then you also have the traditional perimeter defences as well.
What about finding ways to operate with other operating systems in a fashion that would help enhance security?
There is some standards work under way so that things like audit records can be collected across heterogeneous devices. We certainly participate in those. I'm not sure that you'll see us anytime soon have specific products for other people's operating systems. But I think you will see things like the audit mechanism where it will at least operate within heterogeneous environments and hopefully make a better synergy for everyone.
If you could have your single, biggest wish come true in terms of security at Microsoft, what would that wish be?
What we need is a sort of overarching framework that we can hang security on, where it makes sense for both third-party products, products that we sell, inherent capabilities in the operating systems that allow for multiple security models to be used, allows for different policies to be used in different environments, and is trivial to administer. So that's equivalent to world peace for security.
And what do you think your biggest challenge is going to be?
There's a technical problem [and] there's a policy problem. The technical problem is how do I get security while respecting the legacy systems and the interoperability [and] backwards compatibility that we now have? That's just a difficult technical problem to solve.
From a policy perspective, we have a host of interesting things, and it goes back pretty much to this weakest link argument. In order to really help our customers be more secure, [there has to be] a whole industry effort. ... We're perfectly happy to champion that and take the lead, but we would like others to get onboard as well. We're willing to work with the industry in general to try to bring the level of security up on the software that we manufacture and the components that we build.