Tech Ed: Microsoft and VeriSign raise security stakes

Microsoft is improving its security offering by announcing public key infrastructure services for Windows with VeriSign Communications and security certification training for Microsoft system administrators and engineers.

The moves were unveiled during a speech at the TechEd conference by Scott Charney, Microsoft chief security strategist and a former cybercrime prosecutor for the US government.

Pushing Microsoft's Trustworthy Computing initiative, Charney stressed the importance of everyone, including suppliers and IT administrators, playing a role in security. He also noted the difficulty in finding internet-based criminals.

"In cyberspace, an ounce of prevention is a ton of cure because after the fact there's very little to do about it," said Charney.

Microsoft is mending its patch procedures to reduce the number of installer technologies, he said.

"By the end of the year, instead of eight installer technologies, we will have two: one for operating systems, one for applications," said Charney.

Microsoft's automatic patch update service will also make patching easier, he added.

To boost security, Microsoft and VeriSign announced they are teaming up to provide PKI security services for Windows Server 2003. This will give enterprises easier deployment of secure communications and digital identity management systems and enable interoperability across systems and networks.

Due in late 2003, the programs will focus on certificate auto-enrolment capabilities in Windows 2003 and Windows XP. Automating the issue and renewal of digital certificates will enable customers to deploy systems such as secure e-mail, file protection, and digital signatures, according to VeriSign and Microsoft. Legally binding transactions would be enabled.

A second initiative is expected to focus on interoperability services that would enable enterprises to federate trust and extend internal PKI capabilities beyond the corporate network. This would provide for secure commerce and communications across enterprises.

VeriSign's efforts are intended to leverage desktop and back-office integration in Windows 2003. Microsoft and VeriSign also plan to collaborate on longer-term initiatives to address proliferation of spam, enabling services for Windows Rights Management and services that are compliant with the proposed web services security specification, WS-Security.

"Microsoft and VeriSign are working together with the standards bodies to use digital signatures as a tool against spam," said Nico Popp, a VeriSign vice-president of research and advanced products, who spoke briefly during Charney's presentation.

Microsoft also announced two security training programmes based on the Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) credentials. The existing programmes are specific to Windows 2000 but will be extended to Windows Server 2003 later in the year.

Candidates for the certifications will be required to pass core exams for MCSE or MCSA credentials and also pass security-specialisation exams to demonstrate ability in areas of security such as foundations, implementations, and design. One exam is the CompTIA Security+, which is an industry-recognised standard of competency for foundation-level security practitioners, Microsoft said.

Paul Krill writes for InfoWorld
