RSA 2012: Trustworthy computing more important than ever, says Microsoft

Information security is becoming increasingly challenging rather than easier, according to Microsoft's Trustworthy Computing (TwC) group.

In this changing world, the focus on trustworthy computing and creating trust in the ecosystem is more important than ever, Scott Charney, corporate vice-president, TwC at Microsoft, told the opening session of RSA Conference 2012 in San Francisco.

"The world is in the midst of great change; we are at an inflection point; we need to think deeply about the future of IT because we are more dependent on IT than ever," Charney said.

There are three main forces that are creating change that information security strategies need to consider, he said.

First, the world is becoming increasingly data-centric, with a proliferation of devices, services and types of data, including user-generated content and geolocation data, said Charney.

Big data demands a new privacy model that can manage that data, he said, such as requiring anyone getting data from any source to use it only in appropriate ways and be accountable for doing so.  

Second, while governments initially took a hands-off approach to the internet, Charney said that over time they have become far more active, not only as protectors of the internet and citizens who use the internet, but also as users and exploiters of the net.

This increased activity also raises questions about the circumstances under which governments should be allowed access to citizens' data or data linked to cyber crime that is not stored within their borders.

Third, a new type of cyber threat has emerged alongside the traditionally opportunistic threats that are aimed at everyone and do not target anyone in particular.

These threats, commonly known as advanced persistent threats or APTs, are not necessarily advanced, said Charney, but they are typically carried out by persistent and determined attackers.

This new breed of attackers, he said, is determined to achieve a particular objective and will work at that objective persistently over extended periods of time if necessary.

As Microsoft's TwC group marks its 10th anniversary, it is focusing on these three forces of change and planning to expand operations to tackle the security, privacy and reliability challenges in a new era of cloud and mobile computing, where connections are massively decentralised and distributed.

The next step is to look at the forces for change and figure out how to mitigate the associated risks at scale, Charney told Computer Weekly.

The challenge, he said, is similar to the one set by the memo from Microsoft chairman Bill Gates in 2002 that simply identified trustworthy computing as a key objective.  

The mission set by the memo then had to be analysed and translated into operational elements such as Microsoft's Security Development Lifecycle (SDL) and privacy principles for developers.

Microsoft plans to continue its leadership in trustworthy computing by being heavily involved in developing guidance, open standards and tools for managing privacy in a world of big data. 

In this regard, the company is already working on several prototypes to enable organisations to share data with partners, but retain control over it and have the ability to change the rules of access.

According to Charney, the world of data presents key challenges in the areas of security, privacy and reliability.

The security challenge is to continue to improve basic hygiene to deal with traditional threats while developing a strategy to deal with persistent and determined adversaries.

Such a strategy, said Charney, would have to supplement traditional threat prevention and incident response with early detection methods and the ability to contain or limit threats.

Containment, he said, is about limiting the damage to only a part of the organisation. This could be achieved by each part treating other parts as outsiders rather than trusted insiders.

"In the area of privacy, we need privacy principles that focus on use and accountability. We also have to think about how governments can balance their roles of protectors and users of the internet," he said.

In the reliability area, said Charney, stakeholders need to consider how to use engineering intelligence and big data to understand the dependencies between systems and how to exchange information on how systems are managed and what the ecosystem looks like.

While much has been achieved in the past 10 years, a changing world means there is still much to be done, he said, which will drive the future of Microsoft's efforts in trustworthy computing.
