Microsoft is serious about security and sees a growing role for smart cards, PKI, and biometrics. It unleashed a 20-city Microsoft Summit tour in April, while its CEO, Steve Ballmer, talked up security and the software giant’s role in it, in an April speech to Homeland Security Secretary Tom Ridge and other government officials in Washington. Meanwhile, Microsoft Chairman Bill Gates made it clear in a six-page e-mail to subscribers at the end of March that “security is as big and important a challenge as any our industry has ever tackled.”
The Executive E-Mail, which Mr. Gates and other Microsoft executives send out periodically, focused on four security areas: isolation and resiliency, updating, quality, and authentication and access control.
Most interesting, at least to readers of SecureIDNews, is the last category, where Mr. Gates discussed not just simple password authentication but smart cards, public key infrastructure (PKI) and, further down the road, the possibility of biometric ID cards to control logical access.
“In an era where millions of computing devices are interconnected…there are many potential opportunities for unauthorized individuals to gain access…In this environment, access control (who, what and when) and authentication are critical aspects of ensuring an organization’s security,” Mr. Gates wrote.
While passwords are the most common authentication method, they can also be the weakest link, particularly if users choose easy-to-remember phrases such as a spouse’s or mother’s name, he pointed out. Microsoft has taken a tiny step forward with its Windows Server 2003 software family, which includes a check for password complexity and warns the user if a password doesn’t meet those standards, added Mr. Gates.
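As an added illustration (not code from the e-mail or from Microsoft), the following Python check implements the documented Windows “password must meet complexity requirements” rule: at least six characters, three of five character categories, and no occurrence of the account name or of any three-or-more-character token of the full name. The delimiter set, the 3-of-5 threshold and the full-name tokenization follow the published policy description; the function and parameter names are assumptions.

```python
import re
from typing import List

# Delimiters the policy uses to split the full (display) name into tokens.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name: str) -> List[str]:
    """Parts of the full name that are 3+ characters long; shorter parts are ignored."""
    return [t for t in NAME_DELIMITERS.split(full_name) if len(t) >= 3]


def category_count(password: str) -> int:
    """Count the categories present: upper, lower, digit, non-alphanumeric, other letters."""
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        # Letters with no case (e.g. many Asian scripts) form the fifth category.
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories)


def complexity_problems(password: str, account_name: str, full_name: str = "") -> List[str]:
    """Return every rule the password violates (empty list means it passes)."""
    problems = []
    lowered = password.lower()
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    # The account-name check is case-insensitive and skipped for names under 3 chars.
    if len(account_name) >= 3 and account_name.lower() in lowered:
        problems.append("contains the account name")
    for token in name_tokens(full_name):
        if token.lower() in lowered:
            problems.append(f"contains part of the full name ({token!r})")
    if category_count(password) < 3:
        problems.append("uses fewer than 3 of the 5 character categories")
    return problems


def meets_complexity(password: str, account_name: str, full_name: str = "") -> bool:
    """True when the password satisfies the complexity policy; use this for the warning."""
    return not complexity_problems(password, account_name, full_name)
```

The check is the one an administrator would want to mirror in a self-service tool so users see why a password was rejected rather than just that it was.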
“We also are expanding our support for strong, two-factor authentication mechanisms through partnerships with companies like RSA Security, Inc. and VeriSign,” wrote Mr. Gates. (See related article on the Electronic Authentication Partnership.)
Windows Server 2003 and Windows XP support smart cards, a step forward in logical security. A smart card, which stores certificates, public and private keys, passwords, or other personal information, “provides a strong form of authentication because it uses cryptography-based identification and proof of possession of the private key held on the smart card when authenticating a user to a network; in other words, something you have and something you know,” wrote Mr. Gates.
He doesn’t have a lot to say about the biometric ID card, viewing it as “farther out” in the development process. But he says the “tamper-resistant” system “will provide an innovative, simple and affordable solution for providing cryptographically secure photo-ID cards using a unique combination of public key cryptography, compression and barcode technologies.”
He is high on PKI, adding that Windows Server 2003 can help companies implement such an infrastructure. “A PKI provides the mechanisms needed to support issuance and life-cycle management of digital certificates…Use of this authentication technology can provide strong authentication based on industry standard public key cryptographic technology,” he wrote.
He also delves briefly into another security technology, IP Security, or IPsec, a set of protocols developed by the IETF (Internet Engineering Task Force) to support the secure exchange of packets at the IP layer. According to Webopedia, IPsec has been deployed widely to implement Virtual Private Networks (VPNs).
Mr. Gates calls IPsec “an important component of a comprehensive defense-in-depth information protection strategy.” He says “IPsec eliminates many threats by mutually authenticating computers and restricting incoming network traffic based on that authentication.”
His e-mail added: “Microsoft’s IPsec implementation—in use in our own corporate network—is completely standards-compliant and will interoperate with all other compliant IPsec implementations, including those that support network address translation.”
Three other security categories were covered in the e-mail:
– Isolation and resiliency: a two-pronged approach involving isolating malicious software code and creating systems that can identify and stop such code.
– Updating: “Although the evolving nature of threats requires a broader, multi-pronged response,” Mr. Gates wrote, “Microsoft is continuing to make significant upgrades to the quality of our updates…and building more advanced tools to help IT administrators optimize their infrastructure for security.”
– Quality: its “rigorous engineering excellence” initiative is showing dividends, Mr. Gates contends, in that the number of security bulletins in the first 320 days has dropped to 9 for Windows Server 2003, from 40 for Windows 2000 Server. Internal tools help. “We use code-checking tools that automatically search for classes of bugs that can lead to security vulnerabilities, program crashes and hangs,” Mr. Gates wrote. “We have committed to making these engineering advances available to other software developers through training and tools…”
But most of these efforts are worthless if people don’t know about them or how to use them. “By the end of this year, our aim is to reach 500,000 business customers worldwide with information on how to optimize their systems and networks for security,” he added, which is the reason behind the Security Summits that Microsoft began in April. The company has also created a Security Guidance Center for developers and IT pros at http://microsoft.com/security/guidance.
“Security…is not a case of simply fixing a few vulnerabilities and moving on. Reducing the impact of viruses and worms to an acceptable level requires fundamentally new thinking about software quality, continuous improvement in tools and processes, and ongoing investments in resilient new security technologies designed to block malicious or destructive software code before it can wreak havoc,” Mr. Gates concluded.