
Security Taking Security to the Next Level · important that the world finds new ways to both improve the security of computer networks and put people back in control of their computer


Chairman’s Message

Taking Security to the Next Level

Friends,

Security is a cornerstone of Microsoft, a recognition of the immense importance the company accords to providing safe and secure products and services, that enhance the experience of its customers.

Microsoft’s “Security” journey began way back in January 2002, when Bill Gates unveiled the Trustworthy Computing (TwC) initiative, which had security as one of its key pillars. With this launch, Microsoft underlined its commitment to building trust in the IT ecosystem, underlining the criticality of infrastructure protection and brought to the fore the importance of information security.

Since then, Microsoft has invested considerable energy and resources to continually enhance trust and ensure the security of its products. In a company where mandatory rules are frowned upon because of their adverse impact on innovation, the Security Development Lifecycle (SDL) is compulsory. Products that fail to pass a Final Security Review are subject to scrutiny until critical security issues are escalated and resolved. Furthermore, product improvements and upgrades are put through a rigorous process of testing and retesting, involving close interaction with thousands of customers and capturing their feedback.

The company is also working closely with software developers and sharing Best Practices on how to create secure code. Today, almost one third of Microsoft investments are in the area of security.

Having put these “security pillars” in place, Microsoft is working to reach the next level of secure computing by evolving a more comprehensive, holistic “security strategy.”

In this issue, we are taking a look at Microsoft’s next big move, “End-to-End” Trust, which is aimed at combating one of the biggest challenges facing the world today—an insecure Internet that is in danger of losing credibility in the eyes of users. We look at the moves that are being made at a global level as well as in India to realize the “End-to-End Trust” vision and make the Internet safe for individuals, businesses and Governments. Crucial issues related to identity and privacy, which go hand-in-hand with security are also discussed, as are the various initiatives launched by Microsoft—products, devices and joint programs with the Government and law enforcement agencies—that are future proofing the Net against all elements of risk.

Ravi Venkatesan
Chairman
Microsoft India

ISSUE 9 | APRIL - JUNE 2008

Contents

Theme: Security

IN FOCUS
Taking Trustworthy Computing to the Internet
For the ubiquitous Internet—that touches individuals and organizations alike—to reach its full potential, a safer, more trusted online environment is needed. It will take an End-to-End Trust Vision, like the one enunciated by Microsoft and extensive cooperation between the technology industry, customers, partners, governments and other important constituencies, to build an Internet that is secure for businesses and consumers.

TECH TRENDS - 1
Identity and Privacy over the Internet

TECH TRENDS - 2
Moving up the Security “Value Chain”

CASE STUDY
Securing Children Against Online Exploitation
A look at the large number of security initiatives that Microsoft has undertaken for both ends of the usage spectrum—enterprise as well as individual consumers.

Q & A
Interface catches up with Loknath Behera, Police Commissioner, Kerala to discuss issues related to cyber crime and securing the Internet.

INFOBITS

FACTS & FIGURES

MICROSOFT INTERFACE • APRIL - JUNE 2008

In Focus

Taking Trustworthy Computing to the Internet

It is an accepted fact that the Internet has completely transformed the way the world lives and works. Social networking represents the new town square, blogging has turned citizens into journalists, and e-commerce sites have spurred global competition in the marketplace. At the same time, the Internet’s rampant growth has spawned an evolving threat landscape.

The range of criminal activity that the Internet supports is vast: from consumer threats (e.g., becoming a “bot,” ID theft, and child endangerment), to enterprise threats (e.g., the theft of stored personally identifiable information, economic espionage, and extortion via threats of denial of service attacks), to Government threats (e.g., information warfare). There is little doubt that creative, adaptive, and sophisticated adversaries are misusing the Internet to bad effect.

The Internet has four key attributes that attackers simply love: global connectivity; anonymity; lack of traceability; and valuable targets. In addition, it is difficult for computer users to know, or find out, what programs are running on their machines, what machines they are connecting to, and with whom they are dealing. As a result, those prone to prey electronically on others have considerable opportunity for success, with little risk of being identified and being held accountable for their actions.

According to a recent study by Gartner, “Phishing attacks in the United States soared in 2007 as US$ 3.2 billion was lost to these attacks. The survey found that 3.6 million adults lost money in phishing attacks in the 12 months ending in August 2007, as compared with the 2.3 million who did so the year before.” Governments too have expressed increasing concern about public safety and national security, including information warfare. Indeed, if online activity is to provide all its potential benefits, security on the Internet cannot remain at current levels.

Internet getting bigger, more vulnerable

Today, the Internet is continuing to grow, expanding its reach and resulting in even more online activity. New connection models, such as “Anywhere Access” (where peer-to-peer connections enable new business models and allow people to access their data from anywhere on any device), mean that global connectivity and the number of valuable targets will increase, thus attracting even more criminal activity. It is therefore critically important that the world finds new ways to both improve the security of computer networks and put people back in control of their computer environments.

Although technology product and services providers have launched initiatives to make their products and services more secure in the increasingly connected scenario, more needs to be done to make the Internet robust enough and privacy-enhanced enough for many of its potential uses. A host of social, political, economic, and technological issues must be addressed and the rules of the game completely changed. To do so, all the stakeholders—the technology industry, customers, partners and Governments—will have to get together to build a more secure, private and reliable computing experience.

They must also gain a better understanding of the interplay between the two realms—security and privacy. The primary goal of security is to protect the confidentiality, integrity, and availability of data and systems—the attributes that criminals attack. To the extent security protects the confidentiality of data, it serves to protect privacy. But security often involves collecting evidence of a person’s activities (both evidence of past activity, such as audit logs; and ongoing activities, such as keystroke monitors). In that context, security may involve surveillance and raises serious privacy concerns, a point that must be kept in mind when one addresses the growing cyber crime problem.

Outlining the End-to-End Trust vision

Meanwhile, there are key pieces to creating greater trust on the Internet. At the April 2008 RSA conference, Microsoft initiated a broad dialog about the future of security and privacy on the Internet, unveiling its End-to-End Trust vision. End-to-End (E2E) Trust is an industry call to action that proposes three needed elements for a more secure and trusted online environment.

The first is the creation of a trusted stack where security is rooted in hardware and where each element in the stack (hardware, software, data and people) can be authenticated in appropriate circumstances. The second piece involves managing claims relating to identity attributes. There is a need to create a system that allows people to pass identity claims (sometimes a full name perhaps, but at other times just an attribute such as proof of age or citizenship). This system must also address the issues of authentication, authorization, access and audit. Finally, what is required is a good alignment of technological, social, political and economic forces so that real progress can be achieved. The goal is to put users in control of their computing environments, increasing security and privacy, and preserving other values that they cherish such as anonymity and freedom of speech.

End-to-End Trust is expected to give people, devices, and software the ability to make and implement good decisions about who and what to trust throughout the ecosystem. This will in turn help protect security and privacy as well as help bring criminals to justice when electronic malfeasance occurs. In short, the opportunity exists to create a trusted, privacy-enhanced Internet.

Right time to talk about Internet security

Clearly, the time to take the online security bull by the horns is now. More than ever before, the environment is ripe and ready for these initiatives. Some serious issues, such as botnets, ID theft and child safety have served to focus people’s attention on security and privacy issues. Some important technologies, such as public key infrastructure (PKI) and smart cards, are now mature enough for broad deployment. Some important debates, such as how to achieve more security and more privacy instead of trading one for the other, have led to new thinking about how a more secure and privacy-enhanced Internet environment can be created. And companies have learned through past experience how to align technology, social forces, political will and market dynamics to achieve great progress on important issues.

According to Microsoft, there are essentially five major security components required to help facilitate trust, whether the “thing” being trusted is a person, device, operating system, software application, or piece of data.

Identity claims. Who does the person or what does the device or software claim to be? As a starting point, someone may claim to be a given person or simply claim to have a certain attribute. A device may claim to be an eBay server or a router, and an application may claim to be a particular version of Microsoft Office Word. The claim may also relate to source or integrity (this is a packet from an X Company router, or this spreadsheet was sent from Y and has not been altered since being sent). An identity claim is, of course, only one part of the equation; in many contexts, reputation is equally critical and (especially because it is hard to speak about identity in absolute terms) will serve to add additional layers of assurance to an identity claim. This will be the case regardless of which element in the stack the claim attempts to validate. Robust reputation policies, processes, and systems will need to be built out to support the many trust decisions people need to make.

Authentication. These are mechanisms that allow identity claims to be verified. In the physical world, formal documents (a national identity card, a passport, or a driver’s license) are used to verify identity, even if the item used was not created for that purpose (e.g., a driver’s license may be used by a bartender to ensure someone is old enough to purchase alcohol even though the intended purpose is to prove the right to operate a vehicle). Also, there are people whose function it is to verify identity (e.g., the notary public for documents, the Post Office for passport applications). There are clearly electronic analogies; certificates are used to identify a device, or digital signatures to identify the author of software, and a root certificate for the organization verifying that claim.

Authorization policies. Assuming an identity is authenticated, there is some formal or informal policy that permits or prohibits activity based upon that authenticated identifier. Also of importance is who gets to determine the policy.

Access control mechanisms. Consistent with policy, a person may request access to a resource (e.g., the liquor store in the physical world, or an e-mail account in an electronic world). Access will be granted or denied based upon policy and verification of any necessary attributes. At times, people may obtain access to resources without, or in excess of, authority, thus potentially violating computer crime laws.

Audit. All the above (identity claim, proof of authentication, policies for authorization, request for access, decision on the request, and any unauthorized access attempts) must be documentable, as opposed to documented. How much audit data is collected, retained, analyzed, and disseminated will depend on numerous factors, including the level of security required, the cost of collecting and storing audit data, and regulatory requirements.
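The five components above can be traced through a single access request. The following is an added example, not code from Microsoft or from the article; it uses the article's own proof-of-age case. Assumptions: an HMAC with a constructed key stands in for the certificate-backed digital signature the article describes, the issuer and resource names are hypothetical, and the hash-chained log is one possible way to keep audit data "documentable".

```python
import hashlib
import hmac
import json

# Constructed demo key. Assumption: HMAC stands in for an issuer's digital
# signature so the example runs on the standard library alone.
ISSUER_KEYS = {"state-licensing-office": b"constructed-demo-key"}

# Authorization policy: which issuers a resource trusts and which attributes
# it needs. Only the attribute is required, not the holder's name.
POLICY = {
    "liquor-store": {"issuers": {"state-licensing-office"},
                     "require": {"over_18": True}},
}


def issue_claim(issuer, attributes):
    """Identity claim: the issuer binds a set of attributes to its own name."""
    body = json.dumps({"issuer": issuer, "attributes": attributes}, sort_keys=True)
    tag = hmac.new(ISSUER_KEYS[issuer], body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def authenticate(claim):
    """Authentication: return the verified claim contents, or None."""
    try:
        parsed = json.loads(claim["body"])
        key = ISSUER_KEYS[parsed["issuer"]]
        expected = hmac.new(key, claim["body"].encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, claim["tag"]):
            return parsed
    except (KeyError, TypeError, ValueError, AttributeError):
        pass  # malformed claim or unknown issuer: treat as unauthenticated
    return None


class AuditLog:
    """Append-only log; each record commits to the hash of the previous one."""

    def __init__(self):
        self.records = []

    @staticmethod
    def _digest(prev, event):
        payload = json.dumps(event, sort_keys=True)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        self.records.append({"event": event, "prev": prev,
                             "hash": self._digest(prev, event)})

    def verify(self):
        """Recompute the chain; any edited or removed record breaks it."""
        prev = "0" * 64
        for rec in self.records:
            if rec["prev"] != prev or self._digest(prev, rec["event"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def request_access(claim, resource, log):
    """Access control: authenticate, apply policy, and audit every decision,
    including denied and unauthenticated attempts."""
    identity = authenticate(claim)
    rule = POLICY.get(resource)
    if identity is None:
        decision, reason = "deny", "claim failed authentication"
    elif rule is None:
        decision, reason = "deny", "no policy for resource"
    elif identity["issuer"] not in rule["issuers"]:
        decision, reason = "deny", "issuer not trusted for this resource"
    elif any(identity.get("attributes", {}).get(k) != v
             for k, v in rule["require"].items()):
        decision, reason = "deny", "required attribute not proven"
    else:
        decision, reason = "allow", "policy satisfied"
    log.append({"resource": resource, "decision": decision, "reason": reason,
                "issuer": identity["issuer"] if identity else None})
    return decision


def demo():
    """Three constructed requests: valid adult, valid minor, altered claim."""
    log = AuditLog()
    adult = issue_claim("state-licensing-office", {"over_18": True})
    minor = issue_claim("state-licensing-office", {"over_18": False})
    altered = dict(minor, body=minor["body"].replace("false", "true"))
    results = [request_access(c, "liquor-store", log)
               for c in (adult, minor, altered)]
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results, "audit chain intact:", log.verify())
```

The audit records hold the issuer, the decision and the reason but no name, which is the balance between evidence and privacy that the article raises.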

Building the Trusted Stack

Five different components have to be worked on to build the trusted stack.

Trusted Devices
Because all software operates in an environment defined by hardware, it is critical to root trust in hardware. Today, many computers come with a Trusted Platform Module (TPM), a technology that will expand and enter new form factors.

Trusted Operating System
The operating system must be verifiable based upon keys stored in the hardware (e.g., “trusted boot”). This allows the device to claim that the operating system has not been tampered with to bad effect. In addition, and equally important to a small subset of customers, operating system development organizations must take steps to prevent insertion of malicious code by members of the development community. Robust authentication may limit opportunities for the insertion of malware by restricting access to code bases, and auditing of internal business activities should permit the provenance of bad code to be determined, thus allowing for a more robust response process.

Trusted Applications
Today, there are multiple ways to help protect people from software vulnerabilities and malicious code. To protect users from vulnerabilities, code can be rewritten in safer languages, checked with analytic tools, compiled with compilers that reduce vulnerabilities (e.g., buffer overruns), and sandboxed when executed. To protect against malicious code, there are firewalls, anti-virus programs, and anti-spyware programs. But although these approaches make users safer, criminals are not deterred by such preventive measures. To increase accountability, there is another effort that must be undertaken: code signing so that source can be better identified.

Trusted People
A safer Internet needs to support the option of identities based directly or derivatively upon in-person proofing, thus enabling the issuance of credentials that do not depend upon the possession of a shared secret by the person whose identity or identity claim is being verified. To some extent, government activities and markets themselves are driving in-person-proofing regimes. For example, many governments are issuing (or considering issuing) e-ID cards for government functions. But, to be clear, in-person proofing need not be controlled by governmental or quasi-governmental organizations; banks often have relationships with their customers that start with branch visits, schools have relationships with students and may routinely take in-person attendance, and employers know their employees and often issue identity cards based upon in-person proofing.

Trusted Data
One can identify the source of data and know whether the data has been altered without authority after being signed. Applications should incorporate seamless mechanisms for applying signatures to their outputs, and read signatures before opening documents, so that data origin and data integrity can be easily checked. At the same time, management tools should permit users to apply policies based upon data origin and integrity so that fewer ad-hoc trust decisions are required. Finally, as with applications, sandboxing should permit data to be opened in logically confined domains so that harms resulting from the combination of malicious content and the inevitable (even if diminishing) residual vulnerabilities can be contained.

Audit
An audit trail is a record of a sequence of events from which a history may be reconstructed. An audit log is a set of data collected over a period of time for a specific component. A series of audit logs can be studied to determine a pattern of system usage that, over time, can be used to highlight aberrant behavior such as criminal activity or the existence of malware. Audit data is also necessary to roll back suspicious or harmful transactions. As is currently the case, audit data would be maintained in a distributed fashion by the individual, enterprise, Internet service provider (ISP), or government agency that manages a given resource, and each entity would decide to what extent this log data would be distributed or centralized within its own organization. The sharing of this information between organizations could be governed by policy and/or regulation. For example, government access might be governed by privacy laws, and private sector collection and sharing might be based upon existing fair information principles or regulatory requirements. In the end, this audit data would help organizations prove that they have fulfilled their obligations (i.e., compliance with business rules and regulations) and would provide a more robust way to catch bad actors on the Internet.

The Benefits of a Trusted Stack

A range of benefits arise from the fact that people, devices, software, and data are more robustly authenticated and their activities audited. These include the following:

• better decisions throughout the ecosystem—by and about people, devices, software, and data.

• better ability to hold people accountable for misconduct, and thereby deter such conduct, assuming that domestic cyber crime laws and international cooperation mechanisms are sufficient.

• better resolution of specific real-world problems. By conducting device-to-device authentication, organizations could reduce the number of external hackers with access to their systems, in large part because a hacker would need access to an “authorized” machine to connect to the victim’s network.

• better application of physical world mechanisms (e.g., law enforcement, political forces) to address cyber crime, economic espionage, and information warfare.

• new opportunities owing to improved authentication and audit capabilities especially if robust management tools permit system administrators to increase the amount (or change the type) of audit data collected, depending on the threat level. This helps to balance the need for evidence with the cost of collecting and storing data.

• increase in the ability to reliably detect and attribute flooding and probing attacks

• autonomous defence, which would become possible if, for example, packets likely to be malicious (because they are reliably identified as coming from a dangerous source) could be dropped shortly after entering the network or at a computer’s interface to the network.

• better addressing of intractable insider threats using audit tools that would make it easier to identify suspicious access patterns for employees in a timely manner.

• lower risk to the ecosystem, owing to generation of trust measurements created through the authentication of identity, device (and its state), software, and data

At the end of the day, the industry, Governments and customers must understand the key goal: a more secure and trustworthy Internet ecosystem. In addition to empowering users to make good trust choices, the aim should also be to mitigate common risks substantially, so that public faith in the safety of the IT ecosystem is restored and/or enhanced; permit security professionals to reduce their current efforts to address existing threats and allow them to redeploy those resources to address more intractable risks; make it more difficult to conjure up new criminal schemes because authentication and audit make it more difficult to complete crimes successfully; and enable law enforcement to find and prosecute a greater number of cyber criminals, thus increasing deterrence on the Internet.

Of course, actually executing some of these strategies will prove challenging in the existing scenario. For example, it was suggested earlier that ISPs could make dynamic trust decisions and use network access controls to protect the ecosystem. It is unclear, however, whether consumers (socially), regulators (politically), and access providers (economically) will accept scanning as a precondition to network access.

Finally, because governments have a primary role to play in investigating and prosecuting those who commit crimes, jurisdictional issues must be addressed. Much work has already been done in this area, from the G8’s seminal work on computer crime, to the Council of Europe’s Convention on Cyber crime. But these international agreements have their own limitations; the number of participating countries is limited, while the Internet is truly global.

It remains true that applying sovereign laws to a sovereign-agnostic Internet is challenging; thus, responding to computer crime, which is often international in scope, is difficult.

In this context, the issue of interoperability will also become critical. End-to-End Trust cannot work without interoperability between heterogeneous systems (hardware, software, applications) and between the different laws and regulatory requirements governing countries. There has to be interoperability between the laws and policies so that they can come together and reduce some of the complexity surrounding security and the privacy issues.

Provided some of these complicated social, political, economic, and technical issues are addressed, the world can end up with the Internet it wants, one which empowers individuals and businesses, and at the same time protects the social values people cherish.

Microsoft’s End-to-End Trust initiative is a key step in this direction. Considered “work in progress,” it is inviting all the stakeholders participating in the Internet story—users, information security professionals, businesses and the Government—to provide their inputs and make this vision a reality.

(Scott Charney, Microsoft’s Corporate Vice President of Trustworthy Computing, has developed a white paper entitled Establishing End to End Trust which provides more details on Microsoft’s vision. Information about Microsoft’s proposal for a more trusted Internet and other event news can be found at http://www.microsoft.com/security/rsa2008, along with progress reports and blogger commentary from Microsoft and other industry experts. Do check it out.)


The Internet, where people don’t know who or where they are connecting to, limits what people can do and exposes them to great dangers. It is fair to say that today’s Internet, minus a native identity layer, is based on a patchwork of identity one-offs.

The increasing number of threats and cyber crimes could gradually diminish the Internet experience for users instead of lifting it. Further, the absence of a unifying and rational identity fabric will prevent people from reaping the benefits of web services.

The time therefore is now, to take corrective action, prevent the loss of trust and provide Internet users with a deep sense of safety, privacy and certainty about who they are relating to in cyberspace.

Creating an Identity MetasystemMicrosoft believes that no single identity management system will emerge and that efforts should instead be d i rected toward developing an overarching framework that connects different identity systems and sets out standards and protocols for ensuring the privacy and security of online interactions. Microsoft calls this concept the Identity Metasystem. The Identity Metasystem is not a specific product or solution, but rather an interoperable architecture that allows Internet users to use context-specific

identities in their various online interactions.

In order to evolve the Identity Metasystem, Microsoft has been working closely with Governments, organizations, individuals and other stakeholders of the Internet ecosystem to brainstorm on how this vision of a secure Internet can be realized.

Kim Cameron, Architect of Identity in Microsoft Corporation, has been raising awareness and pooling ideas from users across the globe about the c ruc ia l i s sue of Ident i ty over the Internet through his Identity Weblog (www.identityblog.com) and helping Microsoft establish its thought leadership in this space.

Cameron’s attempt has been to develop a formal understanding of the dynamics causing digital identity systems to succeed or fail in various contexts. He has done so expressing them as the Laws of Identity. These laws enumerate the set of objective dynamics defining a digital Identity Metasystem capable of being widely enough accepted that it can serve as a backplane for distributed computing on an Internet scale.

Taken together, these laws define a unifying identity metasystem that can offer the Internet the identity layer it so obviously requires.

The seven Laws of Identity are as follows:

Identity and Privacy over the Internet

Law 1: User Control and Consent
Digital identity systems must only reveal information identifying a user with the user’s consent.

Law 2: Limited Disclosure for Limited Use
The solution which discloses the least identifying information and best limits its use is the most stable.

Law 3: The Law of Fewest Parties
Digital identity systems must limit disclosure of identifying information to parties having a justifiable place in a given identity relationship.

Law 4: Directed Identity
A universal Identity Metasystem must support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Law 5: Pluralism of Operators and Technologies
A universal Identity Metasystem must channel and enable the interworking of multiple identity technologies run by multiple identity providers.

Law 6: Human Integration
A unifying Identity Metasystem must define the human user as a component integrated through protected human-machine communications.

Law 7: Consistent Experience Across Contexts
A unifying identity metasystem must provide a simple consistent experience while enabling separation of contexts through multiple operators and technologies.

Helping Users Manage Privacy

Microsoft’s contribution to the engineering of the Identity Metasystem is CardSpace, software that enables people to maintain a set of personal digital identities that are shown to them as visual “Information Cards.” These cards are easier to use than passwords. Furthermore, they employ strong cryptography, making them significantly more secure than passwords and other information typed into web forms. This new feature of Windows gives individuals unprecedented control of their digital identities, while also helping them manage their privacy. Users can install managed information cards from identity providers such as their bank, employer, government agency, or membership organization, and they can create their own self-issued information cards.

When a web site or web service requests a user’s credentials, CardSpace will be invoked and allow the user to select a card. CardSpace then retrieves a verifiable credential in the form of a signed security token from the selected identity provider, or the self-issuing authority as the case may be, utilizing interoperable protocols. It then returns the token to the requesting application. This provides users with a simple, secure and familiar sign-on experience that is consistent across web sites and web services.
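The card selection and signed-token flow described above, tied to Laws 1, 2 and 4, can be modeled in a few functions. This is an added example, not Microsoft's CardSpace code: the card data, keys, site names and function names are constructed, and an HMAC stands in for the public-key signature a real identity provider would apply.

```python
import hashlib
import hmac
import json

# Constructed sample data: one managed card held by a hypothetical identity provider.
CARD_CLAIMS = {
    "given_name": "Asha",
    "email": "asha@example.org",
    "date_of_birth": "1980-04-02",
    "account_number": "0000-1111",
}
CARD_MASTER_SECRET = b"constructed-card-secret"    # per-card secret kept by the provider
PROVIDER_SIGNING_KEY = b"constructed-signing-key"  # HMAC stand-in for a signing key pair


def directed_identifier(card_secret, relying_party):
    """Law 4: a unidirectional identifier that is stable per site but differs
    between sites, so two sites cannot correlate the same user by subject."""
    return hmac.new(card_secret, relying_party.encode(), hashlib.sha256).hexdigest()


def issue_token(relying_party, requested_claims):
    """Identity provider: release only the requested claims (Law 2) and sign them."""
    unknown = [name for name in requested_claims if name not in CARD_CLAIMS]
    if unknown:
        raise ValueError(f"card cannot satisfy claims: {unknown}")
    body = {
        "audience": relying_party,
        "subject": directed_identifier(CARD_MASTER_SECRET, relying_party),
        "claims": {name: CARD_CLAIMS[name] for name in requested_claims},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    signature = hmac.new(PROVIDER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return {"body": body, "signature": signature}


def present_card(relying_party, requested_claims, user_consents):
    """Identity selector: nothing is requested or released without consent (Law 1)."""
    if not user_consents:
        return None
    return issue_token(relying_party, requested_claims)


def verify_token(token, expected_audience):
    """Relying party: check integrity and audience before trusting any claim."""
    payload = json.dumps(token["body"], sort_keys=True).encode()
    expected = hmac.new(PROVIDER_SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise ValueError("signature check failed")
    if token["body"]["audience"] != expected_audience:
        raise ValueError("token was issued for a different relying party")
    return token["body"]


if __name__ == "__main__":
    shop = present_card("https://shop.example", ["email"], user_consents=True)
    bank = present_card("https://bank.example", ["given_name", "account_number"],
                        user_consents=True)
    print("shop sees:", verify_token(shop, "https://shop.example"))
    print("bank sees:", verify_token(bank, "https://bank.example"))
    print("same subject at both sites:",
          shop["body"]["subject"] == bank["body"]["subject"])
```

Because the audience is inside the signed body, a token captured at one site fails verification at another, and editing the claims after issuance breaks the signature.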

Information Card technology therefore promotes privacy in three primary ways:


First, it helps users stay safe and in control of their online identity interactions by allowing them to select among a portfolio of digital identities and use them at Internet services of their choice.

Second, it helps empower users to make informed and reasonable decisions about disclosing their identity information by enabling the use of a consistent, comprehensive, and easily understood user interface.

Third, and more generally, Information Card technology is hardwired to comply with data privacy laws and conforms to key requirements in the European Union’s privacy regime, including legitimate and proportionate processing, security, and restraints on secondary use.

In short, this new framework and new technology offers a cutting-edge solution to the digital identity debacle that is stifling the growth of online services and systems.

Securing the Enterprise

For enterprises, the company offers its Forefront family of security products, which have been designed to provide an integrated, comprehensive and simplified way to address their myriad security issues. Forefront, in fact, is a key component of Microsoft’s strategy for providing end-to-end security for business customers.

Yet another offering from Microsoft for enterprises is the Identity Lifecycle Manager 2007 (ILM 2007) which provides an integrated and comprehensive solution for managing the entire lifecycle of user identities and their associated credentials. It provides identity synchronization, certificate and password management, and user provisioning in a single solution that works across Microsoft Windows and other organizational systems. As a result, IT organizations can define and automate the processes used to manage identities from creation to retirement.

ILM 2007 boosts the efficiency of companies by integrating with existing infrastructures to automate and centralize identity lifecycle processes and tools that were historically disparate and manual. It improves operational efficiency by gaining a single view of a user across multiple systems and integrates strong authentication tools seamlessly with end-to-end lifecycle management of smart cards and digital certificates.

Moving up the Security “Value Chain”

The large number of security initiatives that Microsoft has undertaken have targeted both ends of the usage spectrum—enterprise as well as individual consumers. While Microsoft has been moving to facilitate long-term End-to-End Trust on the Internet, enterprise customers, including Government users, have been seeking help to deal with security and privacy concerns that need to be immediately redressed. Microsoft has been helping these companies reduce their pain points through the use of its integrated solutions across IT security, identity, access and management.


Securing the Consumer

In order to safeguard its consumers, Microsoft has developed innovative products and launched pioneering initiatives that further the security cause in the individual workplace and at home.

A special offering for its individual users is Windows Defender, a free program that helps them stay productive by protecting their computers against pop-ups, slow performance and security threats caused by spyware and other potentially unwanted software.

In order to help parents, children, women and businesses protect themselves and their PCs from Internet risks, know about cyber laws, access software tools and report abuse and cyber crime, Microsoft has launched a special site, www.SecureyourPC.in.

Handling Identity Threats in the Indian Market

As far as the Indian market is concerned, Microsoft is working on multiple levels to secure the identities of individuals and businesses against Internet crimes.

In order to educate customers about holistic security, the company has partnered with business intelligence firms to provide the latest research on the issue. At the same time, it has also launched India’s very first “Security Awards” that recognize the outstanding security initiatives launched by industry players. Similar Awards have also been introduced for SMB companies in the country in collaboration with PricewaterhouseCoopers (PwC), a leading global consultancy firm. The Microsoft Security Summit is yet another salvo that the company has fired against cyber crime. The Summit, an annual feature in India, brings together the country’s leading IT professionals and developers to discuss the latest security trends and new and impending Internet dangers.

Recognizing that the BFSI vertical is extremely vulnerable to cyber crime and constantly dealing with compliance issues, Microsoft, in partnership with PwC and the Indian Banking Association (IBA), has come out with a Security Handbook 2008, to help auditors comply with RBI guidelines on the security aspect. The Microsoft initiative, launched in March this year, is aimed at helping the banking sector manage the security of its assets.

Yet another security effort hit the road recently, when Microsoft, in collaboration with CERT-IN (the Indian Computer Emergency Response Team) and the CII, organized an Internet Safety Campaign, designed to heighten consumer security awareness. As part of this endeavour, students in three cities and 16 schools were educated, using resource kits, about how they could surf the Internet safely.

Working Closely with Law Enforcement Agencies

Microsoft has also been regularly interfacing with law-enforcement officials in India to share with them information about how technology can help fight crime.

COFEE, a small device for crime investigators (see Box), has been made available to Law Enforcement Agencies (LEAs) in India who have been trained on the tool. Microsoft is also working with the International Centre for Missing & Exploited Children (ICMEC) and the international police force Interpol. The organizations are helping Indian law enforcement agencies, such as the Central Bureau of Investigation (CBI), learn how to use technologies, tools, and procedures for countering online child pornography and other cyber crimes against children. After a pilot training program for the CBI and the police in Kerala, Microsoft plans to extend it to other states in India. The training is part of an ongoing partnership between Microsoft, ICMEC, and Interpol, which have so far trained more than 1,800 law enforcement staff in 94 countries.

Clearly, Microsoft is deeply committed to providing a more holistic security experience to its customers and ensuring that the ubiquitous Internet is a trusted domain, both for individuals and businesses.

“Coffee” with Microsoft!

• Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

• The Cofee, (Computer Online Forensic Evidence Extractor), is a USB “thumb drive” which contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cyber crime.

• It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

• More than 2,000 officers in 15 countries, including India, US, Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

Patch Tuesday

• Microsoft has developed a unique practice, where it announces new security updates on the second Tuesday of each month (Wednesday in India due to the time difference) and publishes a bulletin to announce the update.

• Called “patches,” these free “band-aid” like updates are meant to plug vulnerabilities and loopholes in existing Microsoft products.

• Customers that are using Microsoft products can automatically update features in their software (Vista, MS Office, etc.), by keeping the update feature on.

• Users are sent alerts about the upgrade and Microsoft advises enterprises to have in place the process that captures these updates every time.


The Situation

While the Internet, with its unmatched educational resources and entertainment, is being used extensively by young people to research school projects, play educational games and communicate with their peers, it also contains unimaginable dangers. Inappropriate and sometimes illegal content and online predators are making cyber space extremely risky for children. The Internet facilitates online child exploitation in a number of ways. It gives criminals preying on children a new, anonymous route to identify, groom and lure them for exploitation. At the same time, the Internet also makes tracking these forms of child exploitation harder for law enforcement. Criminals can use new and sophisticated technical tools to avoid detection. And because the Internet spans national boundaries, a child predator’s activities can easily occur in several countries simultaneously, outside the jurisdiction of any one law enforcement agency. Clearly, there is need for the private industry to help the public sector combat child exploitation online.

The Solution

As a technology innovator, Microsoft has taken on the special responsibility to deliver training and tools that can help law enforcement officers protect children. The company has developed the Child Exploitation Tracking System (CETS), a unique software tool that helps protect children from exploitation online. It does so by enabling the identification and prosecution of offenders and allowing governments to store, search, share, and analyze evidence in child exploitation cases, from the point of detection through the investigative phase and across police agencies.

An investment of over US$ 9 million and the joint effort of Microsoft Canada, the Royal Canadian Mounted Police and the Toronto Police Services have resulted in the development and launch of CETS in 2005. The solution uses standard Web and security-enhanced technologies, allowing agencies to work together seamlessly on investigations related to the exploitation of children, based on existing legal agreements. The Extensible Markup Language (XML)-based system allows investigators to both provide and receive information from almost any computer that contains relevant data, regardless of the hardware or software.

Law enforcement agencies have quickly embraced CETS; since its launch in 2005, it has been deployed in eight countries—Canada, Indonesia, Brazil, Italy, the United Kingdom, Chile, Romania and Spain. A total of 1,236 law enforcement officers have been trained on CETS to date. And Microsoft is working with seven other countries to support further expansion of CETS.

The Benefits

CETS has brought the following benefits to law enforcement agencies around the world:

• It allows different agencies to access and collaborate on child exploitation cases in a secure manner.

• It lets them tailor their information sharing to the limits of the local laws and clearly defined legal sharing agreements in place.

• It enables agencies to upload information they obtain in investigations and automatically compare it with information from other investigations to find connections.

• CETS helps agencies prioritize leads and investigations that are often overwhelming in volume. By identifying important investigations that need immediate assistance, such as when there is a risk to a child, CETS helps investigators tackle the most pressing cases first.

• Using CETS, investigators can capture, share, and search information at all stages of an investigation, and as the CETS database grows, it becomes increasingly valuable.

• Recognizing that anti-child exploitation teams have grown roles and become more specialized, CETS is adaptable for new kinds of users such as analysts and undercover investigators.

• CETS includes built-in integration with Microsoft Virtual Earth, so that law enforcement can locate sites of interest on a map and find other records and points of interest, such as schools or community centers, nearby.

• CETS proved its significance even before it was officially launched: while it was being tested in 2004, it uncovered a link between seemingly unrelated child pornography cases on different continents, ultimately resulting in the rescue of a four-year-old child in Toronto.

Securing Children Against Online Exploitation

Strong and lasting collaboration between industry and law enforcement is an important component in Microsoft’s aim to eradicate online child exploitation. The development of CETS is a prime example of such a partnership.


Is cyber crime a big menace in Kerala?

In a knowledge society, where education levels are high, people are using new age tools such as the Internet extensively. In Kerala especially, where a large population is constituted by NRIs, the use of the Net is significant. The near and dear ones of these Indians spread across the world, are using the Internet and social networking sites, to stay in touch with them. With the penetration of computers having gone up significantly, the instances of cyber crime and online abuse too have escalated.

What are some of the typical instances of cyber crime you are encountering in your field of work?

In the last one year, Kerala’s High Tech Crime Enquiry Cell has received over 1,000 complaints related to cyber space crime. They range from cyber pornography to malicious and obscene e-mails and abuse of social networking sites, cyber fraud and phishing. The abuse of the mobile phone is also quite prevalent, with perpetrators sending MMSes, SMSes and indulging in obscene verbal communication. Feigning anonymity or using someone else’s phone are very common in Kerala. Hacking is popular as well. Even the VIPs are not spared. Recently, the Chief Minister’s site was hacked. Over the last year, however, we have started registering more difficult and complicated cases of hacking and identity theft.

What have been the steps you have taken to combat cyber crime in the state?

Considering the existing environment and the importance of involving the corporate sector which has the necessary skill sets, we asked the UNODC (the United Nations Office of Drugs and Crimes) and Microsoft to organize training for us. Together, they conducted a program in 2007 that was very useful for our law enforcement officers. It was a hands-on training, that went off very well, where they taught us new things and new methods of fighting cyber crime which we did not know about before. They provided us training on Cofee, a simple and useful tool Microsoft has developed. The training team also taught us to fruitfully and usefully leverage Microsoft’s Law Enforcement Portal for gaining knowledge about online security and crime. It is initiatives such as these that are helping sow the seeds of partnership between the public sector and the private sector to jointly handle abuses of cyber space.

How exactly has Cofee helped you in cyber investigation and in tracking cyber criminals?

Cofee is a simple and easy-to-use tool and we have deployed it in cracking over a 100 cases. At the same time, I would like to state that more such efforts are required. The tools that we use to combat cyber abuse and online crime are getting redundant at a fast rate. It is the social responsibility of the software vendors to provide hi-tech tools to law enforcement agencies to fight these new kinds of cyber menaces on a day-to-day basis.

Recently, a complaint case came to us in Kerala and we are taking the help of Microsoft to investigate the crime, which is extremely complex. We are also working with other software developers in the same way.

How have companies like Microsoft enabled Kerala to become a more cyber secure state?

Microsoft has been a big help. Microsoft products are more abused by Cyber Criminals as their use is more. So Microsoft must help Law Enforcers proactively. All giants developing software should have Internet security as their key goal. Together they must ensure that ordinary people, children, youth, professionals and the silver generation use the Internet safely. They must work closely with law enforcement agencies who cannot build tools quickly. An Online Support Line is desperately required, where law enforcers can actually discuss the issue with experts in security and product development online and have it investigated even as they interact. Say if I have a problem related to a Microsoft product where abuse is taking place I should be able to access online support.

Are Public Private Partnerships going to be way forward in handling cyber abuse and crime?

The private sector can help in developing appropriate tools and conducting training and sometimes providing the logistics to law enforcement agencies. They need to update them on the latest technology trends in cyber crime and ways to handle them. They can help improve the skills of investigators so that more and more criminals can be caught. The reality is that cyber criminals are extremely smart and talented and usually think ahead of the times. They can only be caught with the help of technology and it is the corporate sector, which is better informed and equipped with the state-of-the-art that can help the public sector.

“All giants developing software should have Internet security as their key goal.” —LOKNATH BEHERA, Inspector General of Police (Headquarters), Kerala


Infobits

ILM “2” to Impact Identity Management Space

Microsoft has recently announced the first public beta version of its latest Identity Lifecycle Manager product, which has been codenamed ILM “2,” a move that is expected to have a huge impact on the identity management marketplace. It’s the first integrated identity management system that gives identity management tools to audiences beyond the IT department, including powerful self-service capabilities through Microsoft Office for end users and familiar .NET- and WS-based tools for developers.

With ILM “2” end users have access to powerful self-service tools they need to manage their own identities and access privileges. Microsoft is doing it through Office’s user interface, which end users are familiar and comfortable with, so that there is no learning curve. The result is identity management that is more balanced and effective while at the same time accurate and cost effective. In addition to empowering the individuals who are drafting the policies and processes to actually put them into practice, Microsoft is providing rich administrative tools and enhanced automation for IT professionals, including a central management and enforcement capability, so that end users can’t circumvent established enterprise security policies.

ILM “2” also offers developers the ability to innovate on top of ILM to address new scenarios with .NET- and WS-based extensibility capabilities. Additionally the open and extensible architecture of ILM 3 will allow partners to deliver complementary solutions to manage additional hardware security tokens such as OTP devices and third party Certificate Authorities. Microsoft is anticipating a release to manufacturing (RTM) in the first quarter of 2009.

ITU and Microsoft to collaborate on achieving millennium development goals

Microsoft Chairman Bill Gates met with ITU Secretary-General Hamadoun Touré to extend the collaboration between ITU and Microsoft. At the meeting, Bill Gates emphasized that ICT is a key component for achieving the Millennium Development Goals.

Focusing on ITU’s Global Cybersecurity Agenda (GCA), Dr Touré highlighted the importance of Internet safety for children and his plans to launch a global coalition to focus on protecting children in cyberspace. Dr Touré sought collaboration with Microsoft to promote digital literacy in ITU’s Internet Training Centres and to make libraries of digital resources available in schools and other institutions in developing countries. Discussions with Microsoft also centred on global concerns such as strengthening cyber security to build confidence in the use of networks and approaches to technology standardization and interoperability among heterogeneous systems.

Microsoft expands list of formats supported in Office

Microsoft Corp. is offering customers greater choice and more flexibility among document formats, as well as creating additional opportunities for developers and competitors, by expanding the range of document formats supported in the 2007 Microsoft Office system. Office 2007 already provides support for 20 different document formats within Microsoft Office Word, Office Excel and Office PowerPoint. With the release of Microsoft Office 2007 Service Pack 2 (SP2) scheduled for the first half of 2009, the list will grow to include support for XML Paper Specification (XPS), Portable Document Format (PDF) 1.5, PDF/A and Open Document Format (ODF) v1.1.

When using SP2, customers will be able to open, edit and save documents using ODF and save documents into the XPS and PDF fixed formats from directly within the application without having to install any other code. It will also allow customers to set ODF as the default file format for Office 2007. To provide ODF support for users of earlier versions of Microsoft Office (Office XP and Office 2003), Microsoft will continue to collaborate with the open source community in the ongoing development of the Open XML-ODF translator project on SourceForge.net.


Microsoft’s Study Analyzes the Threat Landscape in the Cyber World

Microsoft Corp.’s most recent Security Intelligence Report (SIR), a comprehensive analysis of the threat landscape has pointed to new trends in cyber crime. The purpose of the six-monthly report is to keep customers informed about the major trends in the threat landscape and provide valuable insights and security guidance on how to make better, more informed decisions with regard to products, technologies and resources. The latest report builds on previously gathered data, but also includes new sections focused on issues of security breach notifications, spam and phishing, Internet safety enforcement, and the storm worm—a highly visible, continually updating and adapting trojan dropper.

According to the Study (downloadable from www.microsoft.com/sir), greater intra-organizational planning and collaboration is needed as security and privacy threats converge.

The Report indicates the following:

• There is an acceleration in the number of security attacks designed to steal personal information or trick people into providing it through social engineering.

• Attackers are increasingly targeting personal information to make a profit and are threatening to impact people’s privacy.

• During the first half of 2007, 31.6 million phishing scams were detected, an increase of more than 150 percent over the previous six months.

• There was a 500 percent increase in trojan downloaders and droppers, malicious code used to install files such as trojans, password stealers, keyboard loggers and other malware on users’ systems.

• Two notable families of trojans detected and removed by the Microsoft Malicious Software Removal Tool were specifically targeted at stealing data and banking information.

Microsoft also released findings from a recent survey of more than 3,600 security, privacy and marketing executives across a variety of industries in the United States, the United Kingdom and Germany, including financial services, healthcare, technology and government. Conducted by the Ponemon Institute LLC, the study found that as security threats increasingly target personal information, more collaboration among security and privacy officers is critical to avoid costly compromises or breaches of personal information. The study for the Microsoft Trustworthy Computing Group, titled “Microsoft Study on Data Protection and Role Collaboration Within Organizations,” found that organizations with poor collaboration were more than twice as likely as organizations with good collaboration to have suffered a data breach in the past two years.

Top IT Security Issues Enterprises Should Watch Out for...

The Burton Group, the IT research firm focused on in-depth analysis of enterprise infrastructure technologies, has released a report that highlights the top IT security issues enterprise organizations should watch out for.

According to the Study, the threat environment is much more sinister, in which the majority of externally originated attacks are not just criminal in nature, but targeted and intentional.

The key highlights of the study include the following:

• Enterprises are not only under pressure from cyber crime and insider abuse, but are facing increasing and evolving compliance demands, highlighting the importance of establishing effective and measurable security programs.

• The security software market is going through consolidation and change, as major vendors increase R&D, integration and acquisition efforts.

• Large platform vendors such as Microsoft, Cisco, Novell, Oracle and EMC are entering the market with their own offerings, even as traditional software security specialists such as CA, Checkpoint, IBM, McAfee, RSA and Symantec step up their efforts.

• Vendors are building converged perimeter devices.

• Carriers and service providers are becoming more assertive in the information security services market.

• Organizations are taking various approaches to the problem of network admission control for mobile and local devices.

• SOA heralds a sea-change in software deployment and efforts are underway to secure web services.

• The need to increase identity assurance is recognized across multiple industries.

• Provisioning deployments are proliferating and identity federation is ready for prime time.

• More enterprises are turning to role-based access control and fine-grained authorization to enforce data and application restrictions and comply with a variety of regulations.

• Organizations are under the gun to build a security management “control layer” that can control and monitor a welter of mismatched, feature-crammed technologies and tools. Wider use or improvement of existing standards and creation of new standards for control and feedback is imperative to facilitate interoperability among these systems.

• Security technologies must be deployed in accordance with a well-thought information security architecture.