Bill Gates is back at RSA as a keynote speaker for the fourth
consecutive year, and while his annual speeches here may not have
the hype or "cool" factor of a Steve Jobs address at MacWorld,
attendees have come to expect a few fireworks during Gates' talks.
This year will be no exception.
In his speech today, Gates and co-presenter Craig Mundie,
Microsoft's chief research and strategy officer, will articulate a
new plan that the company will use to move beyond the "Digital
Decade" vision Gates has talked about for years. This new four-part
strategy centers on the evolving nature of computing and the new
services users are demanding as they move beyond the old
device-centric model. And in order for these new applications and
services to work as they should, the systems, networks and
connections they use must be secure, company officials said.
"It has been a one-or-the-other situation with security and
access up until now, and that's not good enough. We have to think
about the barriers to connection, whether they're offensive or
defensive," said Michael Atalla, group product manager in the
Identity and Access Product Management group at Microsoft. "Trust
is harder to maintain as people get more connected, but we haven't
come far enough to move to the next set of solutions."
The new strategy's four key areas are systems, networks,
identity and data protection. Microsoft already has substantial
investments in each of these areas, but Atalla emphasized that the
company will need to work with both partners and competitors in
order to bring this all together.
"The users are largely telling us what they want and it's
changing how we do business," Atalla said.
Under the heading of the evolution of systems, Atalla said
Microsoft is planning to invest in technologies that make systems
more resilient to attack. He pointed to features in
Vista such as User Account Control, secure code execution and
address space layout randomization as examples of the kinds of
things that can help build a trusted I/O path to the user. This is
not to be confused with the company's much-debated Next Generation
Secure Computing Base strategy, which employs hardware-based
security measures, digital rights management and a number of other
technologies to authenticate not only users, but their machines and
the content and applications running on them.
The network evolution has resulted in the complete dissolution
of network boundaries in the last few years, making it difficult
for security managers to decide which rules to enforce on which
machines and when. As the barriers continue to fall, the security
requirements that protect internal and external networks need to
evolve to keep pace, Atalla said.
"What we need is to move to a policy-based network on which
policies can be enforced regardless of where you are or what device
you're using," he said. Microsoft has gone down this road already
in its partnership with Cisco Systems to integrate the companies'
respective network access control offerings.
Last year, Gates told the RSA audience he believed passwords
were dead. The future of authentication, he said, lies in more
advanced technologies such as hardware tokens, biometrics and
Microsoft's CardSpace feature in Vista. Much was
made of Gates' proclamation--especially by makers of strong
authentication technology--but his message was nothing new.
Security experts for years have been telling anyone who would
listen that passwords are no longer good enough, especially in a
corporate setting or when money is changing hands. Microsoft
developers followed Gates' lead and included in Vista a number of
upgraded authentication features, such as expanded support for
biometric devices and other kinds of
two-factor authentication, support for more cryptographic
algorithms and protocols, and a backup and restore wizard for
stored usernames and passwords. Gates will expand that discussion
today when he talks about the evolution of identity.
The proliferation of identities that users create and then
have to manage online has helped cause a huge spike in
identity-related crimes, privacy concerns among users and other
associated ills. Addressing this problem requires a heterogeneous,
interoperable identity metasystem on which both vendors and users
can rely.
"It's not important that Microsoft build an identity system and
get everyone to use it. And it's not important that anyone else do
that either," Atalla said. "What is important is that they all work
together. Maybe that's something that you haven't heard from us in
the past, but you'll hear more of it in the future."
To help get this effort moving, Microsoft today is announcing
its Identity Lifecycle Manager, a new enterprise server that
manages a variety of identity information, including smart card and
certificate authority infrastructures. It builds on the company's
existing user provisioning and metadirectory offerings.
The final piece of the vision Gates and Mundie will discuss is
the evolution of data protection. Most of the current security
offerings concentrate on defending against attacks or securing
information while it's in transit. Microsoft officials believe that
changes in the way people are accessing and using data require
enhanced protection for that data while it's at rest. This means
not just records sitting in a database, but also digital media
content.
"We believe the future of information security must be about
associating data with the containers and databases holding it,"
Atalla said. "It's important for the industry as a whole to invest
in this."