Microsoft and trustworthy computing – not a paradox

Behind the scenes, Microsoft’s TwC group does a lot of work across security, cyber crime, threat intelligence and malware protection

Ten years after Microsoft set up its Trustworthy Computing group, many people see this as a contradiction in terms, a kind of oxymoron like the term “adult male”, but is that really fair?

After a visit to Microsoft’s Redmond campus, it is easier to argue that Microsoft's Trustworthy Computing (TwC) initiative is much less of a contradiction than the term “adult male”.

The perception that Microsoft is not doing as much as it should or could in terms of securing its products probably persists because much of what it is doing is behind the scenes.

However, most people would be surprised to hear just how much is being done, quietly and in stark contrast to the noisy malware attacks around the year 2000 that are still remembered by many.

The Trustworthy Computing group, which was set up in response to those disruptive assaults on its products, is not attached to any particular product. Instead it works across the whole organisation.

Improving trust in technology

TwC is constantly checking that the product groups are adhering to the principles of security, privacy and reliability that company founder Bill Gates realised were essential to his company’s success.

“We are continually shaping and changing the company to focus product teams on improving trust in technology,” said Adrienne Hall, general manager at TwC.


This involves integrating policies, standards and procedures, including risk management and incident response, across the company on security, geo-political issues, online safety and trust in cloud.

It also includes the continual evolution of Microsoft’s Security Development Lifecycle (SDL), which it has made available, free of charge, to all software developers.

In addition to Microsoft’s own product groups, TwC is charged with reviewing and applying the same policies to all content produced by outside parties for its gaming consoles and application store.

TwC also publishes a security intelligence report twice a year, which not only helps inform product groups what to do, but identifies potential vulnerabilities for customers.  

The group keeps a watchful eye on the major IT trends of mobile, social, cloud and big data that affect business decisions to ensure products are in step with the security challenges each introduces.

“A lot of investments we make are aimed at ensuring consistency in the way we respond to topics in products, which includes looking at arising issues and new legislation,” said Hall.

This involves taking cognizance of the fact that the world’s mobile worker population is expected to reach 1.3 billion, or 37% of the total workforce, by 2015; that 65% of companies are deploying at least one social software tool; that 70% of organisations are either using or investigating cloud computing services; and that an 80% growth in unstructured data is predicted in the next five years.

Security partnerships

In terms of cyber security, this means an increased focus on identity and access management, mobile malware, security in the cloud, and cyber criminal exploitation of big data.

Several security-related units come under the aegis of TwC. These include the digital crimes unit (DCU), the security response center (MSRC), and the malware protection center (MMPC).

The DCU is aimed at disrupting cyber crime through cross-industry partnerships using technical and legal breakthroughs that increase the cyber criminals' operating costs and destroy their supporting infrastructure. 

This unit has been involved in taking down several key botnets that form the backbone of modern cyber criminal activities, including Waledac, Rustock, Kelihos, Zeus, Nitol, and Bamital.

The DCU also liaises with all the Microsoft security teams to pass on cyber threat intelligence to targeted organisations through computer emergency response teams and internet service providers.

The MSRC is perhaps the most visible part of TwC as it looks at all reported vulnerabilities, works out how to defend against them, and issues the security advisories, bulletins, automated workarounds, and security improvement guides and tools, including the SDL.

Another important role of the MSRC is liaising with the finders of vulnerabilities and other software suppliers through the Microsoft Active Protections Program (MAPP).

“No one company, technology or individual can do it alone. It is all about partnerships in getting information to people to help organisations protect themselves,” said Phillip Misner, principal security programme manager at the MSRC.


The MMPC gathers intelligence on emerging threat trends from one million malware samples, 250 million threat reports and 320 million early warning reports daily.

On a monthly basis, it scans 600 million customer machines and one billion web pages. All this data is fed into Microsoft’s malware protection technologies and broader protection strategies.

Microsoft has more than 100 security partners that receive around 1,000 newly discovered malware samples on a daily basis.

And finally, Microsoft has a long-standing privacy programme and has several hundred full-time and part-time employees who have formal privacy responsibilities.

“Privacy by design includes all of the people, processes and technologies that are committed to maintaining and enhancing privacy protection,” said Brendon Lynch, chief privacy officer at Microsoft.

“Our privacy principles and privacy statements are designed to help individuals and organisations make informed decisions about the data they share with Microsoft,” he said.

Microsoft is currently running a privacy awareness campaign in the UK, France, Germany and the US.

Taking security seriously

Taken collectively, Microsoft’s TwC group does a significant amount of work across security, cyber crime, cyber attack response, threat intelligence, malware protection and privacy.

This work contributes not only to improving security for Microsoft’s customers, but also to the overall capability of the cyber security and software development communities.

For this reason, Microsoft’s Trustworthy Computing group is no oxymoron as it contains no real contradiction in terms. Arguably, without the work of TwC, computing would be far less secure than it is.
