RSA 2013: Despite the gloom, there is cause for optimism in IT security, says Microsoft

Despite escalating security challenges, there is a case for optimism, says Scott Charney of Microsoft's Trustworthy Computing Group

Despite escalating security challenges, there is a case for optimism, says Scott Charney, corporate vice-president of Microsoft's Trustworthy Computing Group.

“There are significant advances the IT security industry has made, so my optimism is not delusional, but based in fact,” he told attendees of RSA Conference 2013 in San Francisco.

Hardware security has seen the introduction of UEFI, the Unified Extensible Firmware Interface specification designed to provide a more secure alternative to BIOS.

This has enabled the introduction of secure boot and measured boot in software such as Microsoft’s Windows 8 operating system.

“These are positive developments in security that the industry can build on,” said Charney.

Another hardware-related security development, he said, is the ability of devices to authenticate each other using Trusted Platform Module (TPM) chips built on a Trusted Computing Group specification.

The ability to verify that machines have booted into the operating system without being tainted by malware is new and important, said Charney.

He views the elimination of rootkits as an indicator of considerable progress, and predicts that there is a lot more to come from the IT security industry that will build on these foundations.

In software security, Charney said a growing number of software producers, such as EMC, Cisco and Adobe, are adopting secure development practices.

CSA Industry Leadership award

At RSA 2013, the Cloud Security Alliance (CSA) awarded Microsoft’s Scott Charney the CSA Industry Leadership award. The CSA said the award was in recognition of Charney’s contributions in the field of security and his engagement discussing security research and best practices for customers during the CSA’s early years. Recently, Microsoft became the first major provider to complete a CSA STAR entry, which allows potential cloud customers to review the security practices of providers.

“Already, there are a lot of large companies focused on secure software development, with some using Microsoft’s Security Development Lifecycle (SDL) or derivatives,” he said.

Charney believes that Microsoft's most important contribution to the whole industry through its SDL was to prove that secure development could scale across 36,000 software engineers.

“We proved that secure software development could be applied broadly, enabling organisations to certify against those principles,” he said.

A related development that provides further cause for optimism, said Charney, is the increasing demand for secure development, which is now even being included as a requirement in software contracts.

“Markets demanding secure software development is an inflection point; the future will look different because of it,” he said.

The fostering of innovation by governments is another important development, said Charney, particularly regarding identity management.

In the past it has been challenging to align all the parties involved, he said, but by fostering innovation around electronic identity cards, governments in Germany and other countries have solved this problem.

Governments that want to offer e-government services are able to drive the initiative forward because the government is able to certify identity, issue credentials, and provide services that consume them.

“Now only two parties need to align: the government and the citizen. Both want robust identity, and in this way we are starting to break through the barriers and drive identity management forward,” said Charney.

Cloud computing as a delivery model provides a new opportunity for governments and businesses to improve security.

“Getting users to update to the latest release of software or to patch their applications has always been a challenge, but now with cloud-based app provisioning, this can be done automatically,” said Charney.

Cloud computing makes it possible to improve operational security, he said, by enabling prevention and containment through stricter control of admin rights and whitelisting applications.

“If an organisation can do this, they will prevent around 85% of successful attacks we are seeing today, which is a huge achievement,” said Charney.

Basic security hygiene can be very important for businesses, said Adrienne Hall, general manager of Microsoft’s Trustworthy Computing (TWC) group.

“The best CISOs typically have the basics well managed, and the time and money they save can be used for innovation to support the business and for dealing with new threats,” she told Computer Weekly.

Hall said that in all likelihood the basics are overlooked because information security professionals are focusing instead on the latest threats and new development projects.

“It is more difficult to justify applying resources to maintenance and security fundamentals,” she said.

In his keynote, Charney said another encouraging development was the emergence of cybersecurity strategies.

Most recently, the European Commission has published its cyber security strategy and proposed directive, and the US president has signed an executive order aimed at protecting critical infrastructure.

These initiatives will lead to greater harmonisation around security strategies and greater agreement around norms of behaviour in cyberspace, said Charney.

In terms of harmonisation, for example, the introduction of TPM-to-TPM authentication will remove much of the noise in the network and reduce the pool of suspect devices and actors to a manageable size.

Working to establish norms of behaviour will take a lot of time and effort, said Charney, but will ultimately lead to international co-operation on cyber security issues.

There was a time when few countries were aligned on dealing with money laundering, he said, but now there is broad agreement on the issue between most countries.

Charney believes similar agreement must be reached on norms and on various illegal practices in cyberspace that still enjoy backing by some nation states.

In 2010, Microsoft began advocating a public health model for the internet. “We are now seeing the emergence of voluntary codes of conduct by ISPs around the world, where they will identify and help quarantine and remediate malware-infected computers,” said Charney.

At the same time, private/public partnerships are emerging to combat malware and online service providers are carrying out security health checks on their users’ machines.

According to Charney, the security industry has experienced tangible success in three broad areas: the fundamentals of how devices and services are built and deployed, ensuring safe and reliable operations through management, and the cultural context of economic forces, social requirements, and politics.

Fundamentals include UEFI and secure boot, early-launch anti-malware, market demand for secure software development, and minimum app store security standards.

Management successes include reputation-based systems, application whitelisting, a least-privilege approach for admins, and code review for applications.

Long-term influences in the socio-economic context include cybersecurity strategies, discussions on norms of behaviour, national identity projects, voluntary codes of conduct, and cybersecurity legislation.

“There is serious stuff happening on the internet, but there are several reasons to be optimistic about the future,” said Charney.

Key security industry accomplishments will have a long-term effect in making security less reactive and more predictive, enabling organisations to put a stop to things before they can do any harm, he said.

“All these things form a basis for optimism and I am confident that with efforts of the security industry and governments around the world we can move into a more secure world,” said Charney.
