Saturday 15 January 2005 will almost certainly pass
quietly on Microsoft's campus. But for those in the field of IT
security, the date is certain to attract some notice: it's the
third anniversary of a now-famous internal Microsoft e-mail dubbed
the Trustworthy Computing memo.
Three years after the release of the 1,500-word memo from the
company's founder and chief software architect, Bill Gates, those
inside and outside Microsoft credit Trustworthy Computing with
setting in motion vast changes that have improved the security of
many of Microsoft's products.
At the same time, customers and industry experts wonder aloud
whether Microsoft will ever fully realise Gates' vision, taming the
company's massive stores of legacy software code and reconciling
its desire to please consumers with its duty to protect them from
threats.
Addressed to all full-time employees at Microsoft and its
subsidiaries, Gates' Trustworthy Computing memo announced an
ambitious programme to make Microsoft's technology more secure and
reliable, and signalled a profound change in the culture of the
world's leading software maker.
Written just months after the September 11 terrorist attacks in
the US, the Trustworthy Computing memo likened the need to secure
his company's software to the new imperatives of securing the
nation's critical infrastructure such as airlines, electrical,
telephony and water services.
As explained by Gates in the memo, four important aspects
comprised the new initiative: availability, security, privacy and
trustworthiness.
On the issues of availability and security, Gates proposed an
end to two of the most frequently heard complaints about his
company's software: that it crashed far too frequently, and that it
was riddled with vexing security holes that exposed customer
information to harm.
Microsoft should also protect the privacy of its customers' data
and allow them to control how their data is used, Gates said.
Finally, Microsoft needed to look beyond bugs and availability,
creating an industry-wide computing ecosystem that was
"trustworthy" from "smart" software and services down to the
processor chip, Gates said.
Within Microsoft, the memo "absolutely changed the mindset of
the company," said Gytis Barzdukas, director of product management
in Microsoft's Security Business and Technology Unit.
Barzdukas worked in Microsoft's Office product group when the
memo was sent. As an example, he recalls halting development on
Version 11 of Microsoft Office, the company's most profitable
product, for an entire month in 2003 to conduct a security review
of all Office components.
That kind of decision would have been unheard of in the go-go
days of the 1990s, when Microsoft's focus was on shipping its
products fast and on crushing the competition, such as rival web
browser Netscape, with key features, said John Pescatore,
vice-president at Gartner.
"Microsoft was of the opinion that nobody cared about security -
what they wanted was integration... something so easy that [their
grandmother] can use it," he said.
At the organisational level, Microsoft shook up its
product-focused development groups, creating the cross-product
Trustworthy Computing group to develop policies for the entire
company. Security experts in that group consult with Microsoft's
key customers in the private and public sectors, and provide
guidance on developing security strategy and architecture for
Microsoft products, he said.
Internally, the company also devoted resources and people to
security. For example, in addition to stopping development on both
its Windows and Office products for a review of code security,
Microsoft began investing more energy and resources into automated
code scanning tools that can spot the mistakes that create security
vulnerabilities in the company's products, Barzdukas said.
The result has been a 69% reduction in the number of critical
security vulnerabilities in bulletins since Trustworthy Computing
began, he said.
In three years, Microsoft has also trained legions of security
experts within the company's ranks. To date, the company has more
than 400 employees on staff with CISSP (Certified Information
Systems Security Professional) certification, compared with just a
dozen before the Trustworthy Computing memo was released, Barzdukas
said.
Update distribution
For its consumer and enterprise customers, Microsoft also
streamlined its processes for distributing software updates and
emergency security patches.
The company began aggressively pushing its automatic software
update, available with the Windows 2000 and subsequent operating
system releases. To date, the company has increased the number of
people using the Autoupdate feature by between 300% and 400%,
Barzdukas said.
Microsoft also improved its policies for releasing security
patches, moving from a scattershot system of "as needed" software
updates to a predictable, monthly schedule of software security
updates and a clearly articulated rating system for security
updates.
On the subject of "trustworthiness", Microsoft has taken pains
to share information and best practices with other companies in
industries such as anti-virus software, Barzdukas said. Today, the
company takes an active role in a number of industry groups, from
the Virus Information Alliance, a group of leading anti-virus and
e-mail security companies that share information on new virus
outbreaks, to the Global Infrastructure Alliance for Internet
Safety, a security-focused working group of global internet service
providers (ISPs).
The company also took the lead on important industry standards,
including WS Security, a web services security standard Microsoft
co-authored with IBM, and Sender ID, an e-mail sender
authentication standard that the company has aggressively promoted
to ISPs and e-mail technology companies as a partial fix for
phishing scams and spam.
Security matters
Perhaps the biggest accomplishment of Trustworthy Computing,
though, has been making security matter - not just to the company's
founder, but to its executives and product managers, Pescatore
said.
Citing a recent visit to the Redmond campus to discuss the
upcoming release of the company's SQL Server product, code-named
Yukon, Pescatore said that security is still one of the top three
features of the product. That continued focus on security will,
over time, foster a more security-conscious culture at Microsoft,
he said.
Jeff Payne, chief executive officer of Cigital in Dulles,
Virginia, which provides software security consulting, agrees with
that assessment. "Trustworthy computing has started to get
[Microsoft] to realise that you have to balance speed to market
with the security people expect," he said.
"The severity of [Microsoft] bugs and issues in patches has been
going down significantly - and that's what you want to see happen,"
said Payne.
Despite unquestioned improvements in both the security of its
products and its internal processes for addressing security issues,
however, Microsoft is still far from realising the vision set out
by Gates in the Trustworthy Computing memo, experts agree.
Chief among the challenges facing the software giant is shoring
up the millions of lines of existing, or "legacy", computer code,
some of it dating back to the early or mid-1990s.
"The big problem [Microsoft] has is just that Windows has been
so bad for so long. There's a huge mass of (insecure) code,"
Pescatore said, noting that the company's decades-old obsession
with features and integration is to blame.
"Lots of Microsoft's strategy entailed jamming applications into
the operating system - a web browser, a media player - and that
violates the principle that keeping something small makes it more
secure than something big," he said.
At a deeper level, Microsoft also has to find a way to reconcile
the diverging needs of its two main customer groups: consumers and
businesses, Pescatore and others said.
"If you think about how Microsoft became great, it was by
putting control in the hands of users - helping users overcome the
IT organisation that wanted everything to run on a mainframe in the
basement," Pescatore said.
However, in enterprise computing, putting power in the hands of
users is the last thing IT administrators want, and Microsoft
essentially sells the same products to both groups, he said.
The August release of a massive software update for the Windows
XP operating system was a good example of Microsoft's often awkward
attempts to meet the needs of both communities.
Almost two years in the making and months overdue, Windows XP
Service Pack 2 (SP2) featured a new security interface, a
much-enhanced version of the Windows firewall and a number of
configuration changes that make it harder for Windows systems to be
compromised.
The update was good news for most home users of Windows, whose
machines make up the bulk of compromised hosts on the Internet.
However, security experts and even Microsoft itself began warning
well in advance of SP2's release that some changes could affect
other installed software.
Almost as soon as the update was available to Microsoft's
enterprise customers, companies - including IBM - warned their
employees not to download it, for fear that installing SP2 would
break or destabilise critical enterprise applications.
Microsoft also found itself in hot water over its decision to
push out the 75Mbyte to 100Mbyte update to user desktops through
its automatic update feature, potentially circumventing the IT
policies of many of its enterprise customers, and causing a huge
bandwidth crunch.
Seemingly unaware that many enterprises used the automatic
update feature to distribute software patches to their users,
Microsoft was forced to delay distribution of SP2 over automatic
update for nine days, while customers used a Redmond-developed tool
to deactivate the delivery of SP2 using the automatic update
feature.
Trustworthiness challenges
Microsoft also faces challenges on the issue of
"trustworthiness", experts agree.
While ostensibly agnostic in its efforts to promote better
security across the computing world, Microsoft has also engaged in
a war of words with the open source software community over the
question of whether its proprietary software is less secure than
Linux.
In recent years, Microsoft funded a study by Forrester Research
that found Linux more expensive to develop applications for than
Windows. The company also raised eyebrows when it purchased $21m in
licences from Unix provider The SCO Group in May 2003, shortly
before that company renewed threats to sue IBM over portions of the
Linux code SCO claims to own.
On the question of standards, Microsoft is still widely
perceived as a company that wants to go its own way and use its
dominance of the desktop operating system market to force adoption
of its own standards, Pescatore said.
An example of this can be found in its strong backing of the
Sender ID e-mail sender authentication, a nascent standard that
Microsoft is aggressively promoting.
The company won praise from the standards community after it
agreed to combine a Redmond-developed technology standard called
Caller ID with a very similar technology called Sender Policy
Framework, developed by Meng Weng Wong at e-mail forwarding company
Pobox.com.
However, the merged Sender ID standard soon ran into trouble
after talks between Microsoft and leading open-source software
groups to resolve concerns about patent and licensing issues with
the proposed standard broke down, prompting the Internet
Engineering Task Force and major corporate backers, such as America
Online, to withdraw support.
Still, Trustworthy Computing may succeed in improving the
security of the internet, even if it fails in some of its stated
goals, experts agreed.
"We've been saying for a long time that someone needed to step
up and take a lead in the software market to develop better
software... [Trustworthy Computing] is pushing everyone in the
software market to step up and answer questions," Payne said.
Pescatore agreed, saying that Trustworthy Computing has prompted
changes from other companies, such as locking down features on
newly shipped [or "out of the box"] products.
More recently, Microsoft competitor Oracle announced plans to
change to a monthly software patch distribution cycle, similar to
the popular system Microsoft now uses, Pescatore and others
noted.
And, for companies like Cigital, Trustworthy Computing has been
a boon for business - sending a message that security was important
and prompting countless companies to start thinking about the
cost of poor security, Payne said.
While outsiders may debate the significance of Trustworthy
Computing, Microsoft is celebrating the release of SP2, which
Barzdukas called a "major milestone".
Many of the more advanced security features Microsoft has
promised are tied to the release of the next version of Windows,
code-named Longhorn, which Microsoft has tentatively scheduled for
2006.
In the meantime, the company plans to announce a number of other
"interim" Trustworthy Computing milestones in the first half of
2005, but is not yet ready to share details about them, Barzdukas
said.
As for the future of the programme, Barzdukas said it may never
formally end. "It's a new standard in the industry. A new way for
Microsoft to do business. We're never going to be completely secure
from the technology perspective, so Trustworthy Computing for us is
a journey - kind of like life," he said.
Paul Roberts writes for IDG News Service