'Trustworthiness' still a goal for Microsoft

Saturday 15 January 2005 will almost certainly pass quietly on Microsoft's campus. But for those in the field of IT security, the date is certain to attract some notice: it's the third anniversary of a now-famous internal Microsoft e-mail dubbed the Trustworthy Computing memo.

Three years after the release of the 1,500-word memo from the company's founder and chief software architect, Bill Gates, those inside and outside Microsoft credit Trustworthy Computing with setting in motion vast changes that have improved the security of many of Microsoft's products.

At the same time, customers and industry experts wonder aloud whether Microsoft will ever fully realise Gates' vision, taming the company's massive stores of legacy software code and reconciling its desire to please consumers with its duty to protect them from threats.

Addressed to all full-time employees at Microsoft and its subsidiaries, Gates' Trustworthy Computing memo announced an ambitious programme to make Microsoft's technology more secure and reliable, and signalled a profound change in the culture of the world's leading software maker.

Written just months after the September 11 terrorist attacks in the US, the Trustworthy Computing memo likened the need to secure his company's software to the new imperatives of securing the nation's critical infrastructure such as airlines, electrical, telephony and water services.

As explained by Gates in the memo, four important aspects comprised the new initiative: availability, security, privacy and trustworthiness.

On the issues of availability and security, Gates proposed an end to two of the most frequently heard complaints about his company's software: that it crashed far too frequently, and that it was riddled with vexing security holes that exposed customer information to harm.

Microsoft should also protect the privacy of its customers' data and allow them to control how their data is used, Gates said. Finally, Microsoft needed to look beyond bugs and availability, creating an industry-wide computing ecosystem that was "trustworthy" from "smart" software and services down to the processor chip, Gates said.

Within Microsoft, the memo "absolutely changed the mindset of the company," said Gytis Barzdukas, director of product management in Microsoft's Security Business and Technology Unit.

Barzdukas worked in Microsoft's Office product group when the memo was sent. As an example, he recalls halting development on Version 11 of Microsoft Office, the company's most profitable product, for an entire month in 2003 to conduct a security review of all Office components.

That kind of decision would have been unheard of in the go-go days of the 1990s, when Microsoft's focus was on shipping its products fast and on crushing the competition, such as rival web browser Netscape, with key features, said John Pescatore, vice-president at Gartner.

"Microsoft was of the opinion that nobody cared about security - what they wanted was integration... something so easy that [their grandmother] can use it," he said.

At the organisational level, Microsoft shook up its product-focused development groups, creating the cross-product Trustworthy Computing group to develop policies for the entire company. Security experts in that group consult with Microsoft's key customers in the private and public sectors, and provide guidance on developing security strategy and architecture for Microsoft products, he said.

Internally, the company also devoted resources and people to security. For example, in addition to stopping development on both its Windows and Office products for a review of code security, Microsoft began investing more energy and resources into automated code scanning tools that can spot the mistakes that create security vulnerabilities in the company's products, Barzdukas said.

The result has been a 69% reduction in the number of critical security vulnerabilities in bulletins since Trustworthy Computing began, he said.

In three years, Microsoft has also trained legions of security experts within the company's ranks. To date, the company has more than 400 employees on staff with CISSP (Certified Information Systems Security Professional) certification, compared with just a dozen before the Trustworthy Computing memo was released, Barzdukas said.

Update distribution

For its consumer and enterprise customers, Microsoft also streamlined its processes for distributing software updates and emergency security patches.

The company began aggressively pushing its automatic software update, available with the Windows 2000 and subsequent operating system releases. To date, the company has increased the number of people using the Autoupdate feature by between 300% and 400%, Barzdukas said.

Microsoft also improved its policies for releasing security patches, moving from a scattershot system of "as needed" software updates to a predictable, monthly schedule of software security updates and a clearly articulated rating system for security updates.

On the subject of "trustworthiness", Microsoft has taken pains to share information and best practices with other companies in industries such as anti-virus software, Barzdukas said. Today, the company takes an active role in a number of industry groups, from the Virus Information Alliance, a group of leading anti-virus and e-mail security companies that share information on new virus outbreaks, to the Global Infrastructure Alliance for Internet Safety, a security-focused working group of global internet service providers (ISPs).

The company also took the lead on important industry standards, including WS Security, a web services security standard Microsoft co-authored with IBM, and Sender ID, an e-mail sender authentication standard that the company has aggressively promoted to ISPs and e-mail technology companies as a partial fix for phishing scams and spam.

Security matters

Perhaps the biggest accomplishment of Trustworthy Computing, though, has been making security matter - not just to the company's founder, but to its executives and product managers, Pescatore said.

Citing a recent visit to the Redmond campus to discuss the upcoming release of the company's SQL Server product, code-named Yukon, Pescatore said that security is still one of the top three features of the product. That continued focus on security will, over time, foster a more security-conscious culture at Microsoft, he said.

Jeff Payne, chief executive officer of Cigital in Dulles, Virginia, which provides software security consulting, agrees with that assessment. "Trustworthy computing has started to get [Microsoft] to realise that you have to balance speed to market with the security people expect," he said.

"The severity of [Microsoft] bugs and issues in patches has been going down significantly - and that's what you want to see happen," said Payne.

Despite unquestioned improvements in both the security of its products and its internal processes for addressing security issues, however, Microsoft is still far from realising the vision set out by Gates in the Trustworthy Computing memo, experts agree.

Chief among the challenges facing the software giant is shoring up the millions of lines of existing, or "legacy" computer code, some of it dating back to the early or mid-1990s.

"The big problem [Microsoft] has is just that Windows has been so bad for so long. There's a huge mass of (insecure) code," Pescatore said, noting that the company's decades-old obsession with features and integration is to blame.

"Lots of Microsoft's strategy entailed jamming applications into the operating system - a web browser, a media player - and that violates the principle that keeping something small makes it more secure than something big," he said.

At a deeper level, Microsoft also has to find a way to reconcile the diverging needs of its two main customer groups: consumers and businesses, Pescatore and others said.

"If you think about how Microsoft became great, it was by putting control in the hands of users - helping users overcome the IT organisation that wanted everything to run on a mainframe in the basement," Pescatore said.

However, in enterprise computing, putting power in the hands of users is the last thing IT administrators want, and Microsoft essentially sells the same products to both groups, he said.

The August release of a massive software update for the Windows XP operating system was a good example of Microsoft's often awkward attempts to meet the needs of both communities.

Almost two years in the making and months overdue, Windows XP Service Pack 2 (SP2) featured a new security interface, a much-enhanced version of the Windows firewall and a number of configuration changes that make it harder for Windows systems to be compromised.

The update was good news for most home users of Windows, whose machines make up the bulk of compromised hosts on the Internet. However, security experts and even Microsoft itself began warning well in advance of SP2's release that some changes could affect other installed software.

Almost as soon as the update was available to Microsoft's enterprise customers, companies - including IBM - warned their employees not to download it, for fear that installing SP2 would break or destabilise critical enterprise applications.

Microsoft also found itself in hot water over its decision to push out the 75Mbyte to 100Mbyte update to user desktops through its automatic update feature, potentially circumventing the IT policies of many of its enterprise customers, and causing a huge bandwidth crunch.

Seemingly unaware that many enterprises used the automatic update feature to distribute software patches to their users, Microsoft was forced to delay distribution of SP2 over automatic update for nine days, while customers used a Redmond-developed tool to deactivate the delivery of SP2 using the automatic update feature. 

Trustworthiness challenges

Microsoft also faces challenges on the issue of "trustworthiness", experts agree.

While ostensibly agnostic in its efforts to promote better security across the computing world, Microsoft has also engaged in a war of words with the open source software community over the question of whether its proprietary software is less secure than Linux.

In recent years, Microsoft funded a study by Forrester Research that found Linux more expensive to develop applications for than Windows. The company also raised eyebrows when it purchased $21m in licences from Unix provider The SCO Group in May 2003, shortly before that company renewed threats to sue IBM over portions of the Linux code SCO claims to own.

On the question of standards, Microsoft is still widely perceived as a company that wants to go its own way and use its dominance of the desktop operating system market to force adoption of its own standards, Pescatore said.

An example of this can be found in its strong backing of the Sender ID e-mail sender authentication, a nascent standard that Microsoft is aggressively promoting.

The company won praise from the standards community after it agreed to combine a Redmond-developed technology standard called Caller ID with a very similar technology called Sender Policy Framework, developed by Meng Weng Wong at e-mail forwarding company Pobox.com.

However, the merged Sender ID standard soon ran into trouble after talks between Microsoft and leading open-source software groups to resolve concerns about patent and licensing issues with the proposed standard broke down, prompting the Internet Engineering Task Force and major corporate backers, such as America Online, to withdraw support.

Still, Trustworthy Computing may succeed in improving the security of the internet, even if it fails in some of its stated goals, experts agreed.

"We've been saying for a long time that someone needed to step up and take a lead in the software market to develop better software... [Trustworthy Computing] is pushing everyone in the software market to step up and answer questions," Payne said.

Pescatore agreed, saying that Trustworthy Computing has prompted changes from other companies, such as locking down features on newly shipped [or "out of the box"] products.

More recently, Microsoft competitor Oracle announced plans to change to a monthly software patch distribution cycle, similar to the popular system Microsoft now uses, Pescatore and others noted.

And, for companies like Cigital, Trustworthy Computing has been a boon for business, sending a message that security was important and prompting countless companies to start thinking about the cost of poor security, Payne said.

While outsiders may debate the significance of Trustworthy Computing, Microsoft is celebrating the release of SP2, which Barzdukas called a "major milestone".

Many of the more advanced security features Microsoft has promised are tied to the release of the next version of Windows, code-named Longhorn, which Microsoft has tentatively scheduled for 2006.

In the meantime, the company plans to announce a number of other "interim" Trustworthy Computing milestones in the first half of 2005, but is not yet ready to share details about them, Barzdukas said.

As for the future of the programme, Barzdukas said it may never formally end. "It's a new standard in the industry. A new way for Microsoft to do business. We're never going to be completely secure from the technology perspective, so Trustworthy Computing for us is a journey - kind of like life," he said.

Paul Roberts writes for IDG News Service
