Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Scott CharneyCorporate Vice President, Trustworthy Computing Microsoft Corporation
© 2008 Microsoft Corporation
Users must be empowered to make informed trust decisions (including Users must be empowered to make informed trust decisions (including accepting the risks of anonymity)accepting the risks of anonymity)Strong identity claims and reputation must be available to enhance security, Strong identity claims and reputation must be available to enhance security, privacy, and trustprivacy, and trustBetter accountability must be created to deter crime and facilitate responsesBetter accountability must be created to deter crime and facilitate responses
Social: Enabling a global village Social: Enabling a global village Economic: Easier, faster, cheaper commerceEconomic: Easier, faster, cheaper commercePolitical: Freer exchange of ideasPolitical: Freer exchange of ideas
Loss of data subject control over informationLoss of data subject control over informationRise in identity theftRise in identity theftTargeted attacks against businesses & governmentsTargeted attacks against businesses & governmentsIncreases in other types of online and tech-facilitated crimesIncreases in other types of online and tech-facilitated crimes
© 2008 Microsoft Corporation
Hardware
O/S
Drivers
Applications
GUI
User
Physical
ExamplesExamples
• SpywareSpyware
• RootkitsRootkits
• Application attacksApplication attacks
• Phishing/Social Phishing/Social engineeringengineering
Attacks Getting More SophisticatedAttacks Getting More SophisticatedTraditional defenses are inadequateTraditional defenses are inadequate
National InterestNational Interest
Personal GainPersonal Gain
Personal FamePersonal Fame
CuriosityCuriosity
AmateurAmateur ExpertExpert SpecialistSpecialist
Largest Largest area by area by volumevolume
Largest area byLargest area by $ lost$ lost
Script-KiddyScript-Kiddy
Largest segment by Largest segment by $ spent on defense$ spent on defense
Fastest Fastest growing growing segmentsegment
AuthorVandal
Thief
Spy
Trespasser
Crime On The RiseCrime On The Rise
mainframemainframe
client/serverclient/server
InternetInternet
mobilitymobility
B2EB2E B2CB2C
B2BB2B
Pre-1980sPre-1980s 1980s1980s 1990s1990s 2000s2000s
Num
ber
of D
igit
al ID
sN
umbe
r of
Dig
ital
IDs
Exponential Growth of IDsExponential Growth of IDsIdentity and access management challenging Identity and access management challenging
Increasingly Sophisticated MalwareIncreasingly Sophisticated MalwareAnti-malware alone is not sufficient Anti-malware alone is not sufficient
Number of variants from over Number of variants from over 7,000 malware families (1H07)7,000 malware families (1H07)
Source: Source: Microsoft Security Intelligence Report (January – June 2007)Microsoft Security Intelligence Report (January – June 2007)
© 2008 Microsoft Corporation
SecuritySecurity PrivacyPrivacy ReliabilityReliability BusinessBusinessPracticesPractices
Secure Secure against attacksagainst attacksProtects Protects confidentiality, confidentiality, integrity & integrity & availability of data & availability of data & systemssystemsManageableManageable
Protects from Protects from unwanted unwanted communication communication Controls for Controls for informational privacyinformational privacyProducts, online Products, online services adhere to fair services adhere to fair information principlesinformation principles
Dependable, AvailableDependable, AvailablePredictable, Predictable, consistent consistent responsive serviceresponsive serviceMaintainable Maintainable Resilient, works Resilient, works despite changesdespite changesRecoverable, Recoverable, easily restoredeasily restoredProven, readyProven, ready
Commitment to Commitment to customer-centric customer-centric InteroperabilityInteroperabilityRecognized Recognized industry leader, industry leader, world-class partner world-class partner Open, transparent Open, transparent
Trustworthy ComputingTrustworthy Computing
© 2008 Microsoft Corporation
Microsoft Security Response Center (MSRC)
Microsoft Malware Protection Center (MMPC)
Windows Live OneCare and Forefront Client Security, powered by the Microsoft Malware Protection Center
SPAM (Sender ID, Phishing Filters)
Network Access Protection (NAP/NAC)
Security Development Lifecycle process• Engineered for security• Design threat modeling
SD3:• Secure by Design• Secure by Default• Secure In Deployment
• Automated patching and update services
Malware Example
Consumer Education
Laws
Firewalls
Antivirus Products
Antispyware Products
Malicious Software Removal Tool
Memory Management (ASLR)
Law Enforcement
© 2008 Microsoft Corporation
“I+4A”
Trusted HardwareTrusted Hardware
SecureSecureFoundationFoundation
Core Security Core Security ComponentsComponents
Identity ClaimsAuthenticationAuthorization
Access Control MechanismsAudit
Trusted PeopleTrusted PeopleTrustedTrustedStackStack
Trusted DataTrusted Data
Trusted SoftwareTrusted Software
Integrated Protection
SDL and SD3
Defensein Depth
ThreatMitigation
© 2008 Microsoft Corporation
Reduce types and severity of threats (e.g., de-value PII and reduce ID Theft)
Create accountability for online crime
Enable greater, safer personal Internet usage
Enter new markets, expand Internet presence, and collaborate with partners and customers while reducing costs and risks
Improve public safety and national security efforts, including disaster response (e.g., priority routing)
© 2008 Microsoft Corporation
Successful end-to-end trust needs solutions aligned with
Societal valuesMarket forcesRegulatory environment
These ideas, raised by many before, have not been implemented, in part because of misalignmentWe must come together to change the status quo, and find ways to address international barriers to implementation
© 2008 Microsoft Corporation
Economic ForcesEconomic Forces
SocialSocialRequirementsRequirementsPolitical/Political/
LegislativeLegislative
Core Security
Components
Trusted Stack
Secure Foundation SDL and
SD3Defensein Depth
ThreatMitigation
“I+4A”Identity ClaimsAuthenticationAuthorization
Access Control MechanismsAudit
Integrated Protection
© 2008 Microsoft Corporation
We need a broad dialogue onWe need a broad dialogue on Technology InnovationsTechnology Innovations Economic ForcesEconomic Forces Political StandardsPolitical Standards Social ChangeSocial Change
www.microsoft.com/endtoendtrustwww.microsoft.com/endtoendtrust
© 2008 Microsoft Corporation
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.