We've got to rebuild trust, says Microsoft security chief

Microsoft UK's new chief security officer discusses how he will tackle policies, openness and feature creep.

Security for Stuart Okin, the new chief security officer at Microsoft UK, is about three things: people, process and technology. With security now the number one priority for the software giant, Okin and his counterparts across the Microsoft empire will play a crucial role.

Microsoft needs to improve the reputation of its software, which is often regarded as an easy target by hackers. With the dominance of its products such as Windows and Microsoft Office, security breaches can have an enormous impact on users around the world.

Okin wants everyone associated with IT security both at Microsoft and in IT departments to appreciate these three tenets. "Technology like the public key infrastructure and [the security standard] IPSEC are a baseline," he said.

Users need to implement technology to lock down their IT environment and automate delivery of security updates, said Okin. It is here, he believes, that Microsoft has a role to play.

The company is providing a free download of Windows Corporate Update Edition. The software, currently in beta, provides a central server for downloading patches. "It is aimed at our corporate customers who do not want end users downloading patches," Okin explained.

The sheer flexibility of Microsoft's desktop software has attracted much criticism from security experts. Microsoft Office, for instance, allows powerful macros to be run using VBScript, which is capable of automating many tasks in the package.

It can be extremely useful, but macro viruses such as Melissa and its variants can use this feature to wreak havoc on users' desktops. If there were no macros in Office, there would be no way such viruses could run.

So, does Okin have the clout to influence the technical direction of Microsoft product development? It is a tricky question as the company's founding value has been to provide users with more and more power. Nevertheless, Okin is confident he will.

"Essentially I will be able to pass on our customers' needs [in terms of security requirements] to the MS development groups," he told CW360.com. "The message from Microsoft is clear: 'We will implement security ahead of [new] features'," Okin added.

One of the issues Okin will need to balance is Microsoft's disclosure policy on security issues. "We will not talk about a vulnerability until there is a patch," he explained, "as we do not want to expose users to a risk."

In some cases, such as in the simple network management protocol (SNMP) hole that emerged last week, affecting systems management tools, he said, "You have to respond. We will tell users how to mitigate the issue. It depends on the threat."

To help clarify the situation on disclosure, Microsoft, along with other IT firms, is working with the Internet Engineering Task Force (IETF) to develop a policy on dealing with security vulnerabilities.

Okin wants to see users running the Active Directory in Windows 2000 for setting up security policies. With .NET, Microsoft's forthcoming Web services platform, Okin said: "Users will be able to use XML to enable security policies that dictate how code is accessed."

He said his goal for this year was: "To move to a position where customers trust their computing environment." There is a commercial aspect to this. As and when users roll out IPSEC, PKI or smartcard programmes, Okin hopes Microsoft and its partners will play a consulting role in the implementation of such security measures.