Ten years ago, Microsoft chairman Bill Gates issued a call to arms that led to the establishment of the Trustworthy Computing (TwC) group in the company. Several industry-leading developments such as the Security Development Lifecycle (SDL) have come out of TwC, but things have changed.
How relevant is Microsoft's trustworthy computing mission in today's world?
Since 2002, the world has become increasingly data-centric, with a proliferation of devices, services and types of data, such as user-generated content and geo-location data; governments have become increasingly active in internet affairs; and the threat landscape has evolved to a state where opportunistic threats have been supplemented by attacks that are more targeted, persistent and determined.
“The new security challenges today are to some extent the same as the old security challenges – they’ve just been magnified,” according to Alan Levine, chief security information officer at US aluminium firm Alcoa.
“An organisation may be targeted by a determined adversary who has the time, skills and tenacity to prevail," he said.
Evolving strategy: prevention, detection, containment, recovery
These changes have not gone unnoticed by Microsoft's TwC group. At RSA Conference 2012, Scott Charney, corporate vice-president of Microsoft Trustworthy Computing, said the mission defined by Bill Gates 10 years ago remained as vital and important as ever.
In a related blog post, Charney acknowledged that TwC's pillars of security, privacy, reliability and supporting business practices must evolve in response to a changing world.
In security, he said there is a need to adopt a broader strategy that encompasses prevention, detection, containment and recovery.
According to Charney, the security challenge is to continue to improve basic hygiene to deal with traditional threats while developing a strategy to deal with persistent and determined adversaries.
Such a strategy would have to supplement traditional threat prevention and incident response with early detection methods and the ability to contain or limit threats, he said.
Containment is about limiting the damage to only a part of the organisation, he added. This could be achieved by each part treating other parts as outsiders rather than trusted insiders.
We need privacy principles that focus on use and accountability
Scott Charney, Microsoft TwC
In privacy, wrote Charney, there is a need to understand what it means to live in a highly connected, device-laden and data-rich world, and craft fair information principles that serve the twin goals of unlocking the power of big data while protecting privacy effectively.
"We need privacy principles that focus on use and accountability. We also have to think about how governments can balance their roles of protectors and users of the internet," he told attendees of the RSA Conference 2012. In this interconnected world, the old fair information principles that relied on notice and choice are no longer valid because simple, bilateral relationships are now rare, he said.
In reliability, Charney said there is a need to use engineering intelligence and pursue recovery-oriented computing to create products and services that respond with agility when things fail and help ensure the reliability of devices and services despite the complexity, interconnectedness and dependencies that now exist in information systems.
"Stakeholders need to consider how to use engineering intelligence and big data to understand the dependencies between systems and how to exchange information on how systems are managed and what the ecosystem looks like," he told attendees at the RSA Conference.
Charney said this could possibly be achieved by using metadata that would link through to a central repository of rules that could be continually updated to dictate how the associated data should be accessed and used.
"Finally, by being open and transparent in our business practices, we can engender the trust of those dependent on information technology," he wrote in the blog.
Future privacy principles
In a related whitepaper entitled TwC Next, Charney encourages industry and governments to develop more effective privacy principles focused on use and accountability, to improve end-to-end reliability of cloud services through increased fault modelling and standards efforts, and to adopt broader security strategies, including improved hygiene and greater attention to detection and containment.
According to Malcolm Crompton, a former Australian Privacy Commissioner, Microsoft has long been a contributor to the global debate and discussion on the future of privacy.
“The global framework proposed by Charney tackles many of the difficult realities of today’s environment; it’s a great contribution to the dialogue," said Crompton, who is now managing director of data protection firm Information Integrity Solutions.
As Microsoft's TwC group marks its 10th anniversary, it is planning to expand operations to tackle the security, privacy and reliability challenges in a new era of cloud and mobile computing, where connections are massively decentralised and distributed.
The global framework proposed by Charney tackles many of the difficult realities of today’s environment
Malcolm Crompton, Information Integrity Solutions
Just as Microsoft's Security Development Lifecycle (SDL) and privacy principles for developers operationalised the mission set by Gates in 2002, the next step is to figure out how to operationalise ways of mitigating the new risks at scale, Charney told Computer Weekly.
Microsoft plans to continue its leadership in trustworthy computing by being heavily involved in developing guidance, open standards and tools for managing privacy in a world of big data.
In this regard, the company is already working on several prototypes to enable organisations to share data with partners, but retain control over it and have the ability to change the rules of access.
Microsoft is also engaging with governments around the world, which are simultaneously users of the internet, protectors of individual users as well as the internet itself, and exploiters that capitalise on the power of technology for a variety of purposes, said Charney.
In times of need governments may use online services to keep citizens informed, and first responders can react more effectively than those not using cloud-based services because they have GPS devices, mapping capabilities, street views, videoconferencing and other cloud-based services.
But he pointed out that such benefits materialise only if these systems meet reasonable expectations of overall service reliability.
Recognising this fact, governments may play an increasingly active role in many aspects of the internet, said Charney, with some governments looking at legislatively mandating the adoption of information risk management plans for those managing information and computing systems.
Through engagement with governments and business organisations around the world, Microsoft is working to ensure that its trustworthy computing mission remains as relevant and as industry-leading as it has been in the past 10 years.