Trustworthy Computing

DESCRIPTION

Trustworthy Computing. Peter Birch, Senior Architectural Engineer, Microsoft Ltd (UK). Agenda: Why is Security important? What is Trustworthy Computing? What are we doing today? Microsoft Security Response Centre; Secure Windows Initiative; The Strategic Technology Protection Program.

Text of Trustworthy Computing

  • Trustworthy Computing

    Peter Birch, Senior Architectural Engineer, Microsoft Ltd (UK)

  • Agenda

    Why is Security important?

    What is Trustworthy Computing?

    What are we doing today? Microsoft Security Response Centre; Secure Windows Initiative; The Strategic Technology Protection Program

    The future challenges

    Questions?

  • Leaving Messages

    Microsoft is as committed to developing the trusted computing model as it was in moving into the internet and adoption of .Net

    Security is part of Trustworthy Computing and can only be achieved through partnership & teamwork

    Security is the journey; there is no end point

  • Why is Security important?

  • An Industry-Wide Problem

    Security breaches common: Windows UPnP; Oracle 9i Buffer Overrun; AOL AIM; CDE/Solaris

    Viruses: Nimda, Code Red show tangible and cyber-worlds inextricably linked

    John McCormick, TechRepublic, Inc., September 24, 2001, based on data provided by Security Focus Bugtraq

    SUZEW - imagery? Oracle Ad, newspaper articles, academic papers

  • UK Survey (PWC / DTI report)

    44% of UK businesses have suffered at least one malicious security breach

    Average cost of a serious incident: 30,000

    Virus was the single largest cause of security breaches (33% of incidents)

    Yet 1% investment, 27% have a security policy, 49% have procedures for DPA, 11% have incident response, 44% have any type of insurance

    http://www.dti.gov.uk/cii/docs/sbsreport_2002.pdf

  • Microsoft is committed

    "Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work" (Bill Gates)

    "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security" (Bill Gates)

  • What is Trustworthy Computing?

    The Trustworthy Computing initiative at Microsoft is a long-term, company-wide initiative to deliver Trustworthy Computing experiences based on security, privacy, reliability and business integrity to our customers and the industry, via the .NET platform and other Microsoft products and services.

  • Why Trust?

    Computers generally do not engender trust

    Early stage of adoption

    Trust is not just security, as it involves perception and environment

    Telephones - almost always there when we need them, do what we need them to do, work as advertised, and are reliably available. A combination of engineering, business practice, and regulation

  • Trustworthy Computing

    Security: Resilient to attack; Protects confidentiality, integrity, availability and data

    Privacy: Individuals control personal data; Products and Online Services adhere to fair information principles

    Reliability: Dependable; Available when needed; Performs at expected levels

    Business Integrity: Help customers find appropriate solutions; Address issues with products and services; Open interaction with customers

  • What are we doing today?

  • Microsoft Security Response Centre

    Dedicated team in the Microsoft Security Response Centre

    Policy Commitment: investigates all threats (Secure@microsoft.com)

    Weekly Exec status

    Customer bulletins - plain language: www.microsoft.com/security

    Education: Brings back experience into the Product group

    Non-disclosure of threats in the investigation phase

    Trusted Computing Conf in Nov. - Developing new procedure standard with @stake, BindView, Foundstone, Guardent, Internet Security Systems,

  • Secure Windows Initiative

    To improve the security of all our software and products, so that our customers will get the level of security they require

    Training: dedicated security courses

    Testing: internal / external experts (inc. Universities). Penetration group. Systems up on the web

    Tools: Automated analysis tools, e.g. Prefix / Prefast, RPC stress testing

    Process: RAID, Security bug bash, Automated & Managed sign off

    Product: Security over Feature, turn off services

  • Strategic Technology Protection Program

  • The future challenges

  • Future Directions

    Machine-machine processes: Self-management by policy; Loosely coupled, self-configuring, self-organizing, adaptive

    Edge of the network: Peer-to-peer applications; distributed processing, storage

    New development, testing, operations, auditing tools

    Hardware and networking improvements: Failover, redundancy; impervious to physical modifications; theft or loss; Rigorous authentication, key management

  • News

    Windows 2000 achieves Common Criteria at EAL4

    Professional, Server, and Advanced Server

    Systematic Flaw Remediation

    Includes Active Directory, Kerberos, IPsec, EFS, Single Sign-on, etc.

    Wide range of real-life deployment scenarios tested

    Windows XP and Windows .net Server 2003 will enter evaluation

  • Leaving Messages

    Microsoft is as committed to developing the trusted computing model as it was in moving into the internet and adoption of .Net

    Security is part of Trustworthy Computing and can only be achieved through partnership & teamwork

    Security is the journey; there is no end point

  • Questions?

    Visit http://www.microsoft.com/security for current information on security

    Building a Secure Platform for Trustworthy Computing Whitepaper: http://www.microsoft.com/enterprise/articles/security.asp

    CDE: Common Desktop Environment; a buffer overrun flaw leaving the system vulnerable to root attack

    24% teaching staff to Human Rights act

    1% - only 27% spend more than 1% of IT budget on information security

    DPA: data protection act