TechEd: Microsoft warns of five-year wait for secure applications

IT security is a comparatively new issue, Stuart Okin, Microsoft's chief security officer in the UK, told delegates at the...

IT security is a comparatively new issue, Stuart Okin, Microsoft's chief security officer in the UK, told delegates at the company's TechEd developer conference in Barcelona this week.

"It is a subject that has come to the fore recently. The user community has altered enormously in two years and that has changed the focus," Okin said as he talked about Microsoft's Palladium security initiative.

Users should expect to wait until 2007 for Palladium-based application, he warned. Microsoft would be prepared to license the intellectual property for its proposed Palladium security chip to any software manufacturer, but certification of that software would be essential if the system is to work, Okin told delegates.

"Last week, details of Palladium were leaked, or squirreled out by a journalist," Okin said. "This is still at a consultation mode and we will issue white papers by the end of the month and ask for feedback. So nothing is certain yet."

Palladium will change the fundamental architecture of a PC. "It's a combination of hardware and software, a security chip and a public and private key system," he said. "It's designed to guarantee privacy, and to guarantee that if you get rogue software on the machine it'll be moved to a vaulted environment where it can't affect the rest."

This sort of development is necessary if the Internet is to reach its full potential, Okin told delegates. "We want people transacting millions of dollars, millions of euros, over open systems, and for that to happen you have to be able to guarantee a source. And that takes a combination of hardware and software."

Palladium will have very powerful digital rights management capability, and will be able to tell whether software is licensed, or digital files have been copied, but "its prime function is to ensure security and privacy", he said.

For that to happen, a degree of software restriction is necessary, he said. "We'll release white papers at the end of the month, and I'd ask people to wait until then, until we have a chance to get feedback. One thing I can guarantee is that it will be 'off' by default, an opt-in technology," he said. "It will live or die by user acceptance."

Advanced Micro Devices and Intel are working with Microsoft, "But there won't be hardware on the market until 2004, 2005, and it'll probably be another two years beyond that before applications are developed," Okin said.

Microsoft UK now has 15 people dedicated to security, working with developers, vendors and customers, Okin said. Other European subsidiaries may follow suit, depending on their size, he added.

Read more on IT risk management