An examination of Microsoft's Trustworthy Computing initiative, and what it means to enterprise security practitioners
CISO, Prudential Financial of America
JOSEPH COOPER, CISSP
Chairman & CEO, Digital Defense
Senior Director of Product Management, Microsoft's Security & Technology Unit
Gates Mandate
"Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony."
--Bill Gates, January 17, 2002
Trustworthy Milestones 2002
  Retrained 11,000 developers and engineers
  Revamped MSRC
  Retrofitted XP (SP1) and Win2K (SP4)
  Released MBSA
  Replaced the compiler in Win2003
  Released Win2003 with services off by default
  Changed philosophy on shipping products
Trustworthy Milestones 2003
  Released SQL Server 2000 SP3
  Improved Exchange 2003 & Office 2003
  Changed vulnerability announcements
  Launched ISA 2000 FP1
  Released patching tools
  Acquired AV company, formed alliance
Trustworthy Ambitions
  Windows XP (beta; due summer '04)
  Integrating WUS with Windows, other apps
  Active defenses, synergistic strategy
  Substantially more secure OSes & apps: Yukon (SQL), 2005; Longhorn (Windows), 2006
Trustworthy Ambitions
  End goal: 2014 or longer
Microsoft is doing enough to improve its software security.
  Strongly Disagree 40%
  Somewhat Disagree 30%
  Strongly Agree 2%
  Somewhat Agree 18%
Will Trustworthy Computing eventually make a difference?
Redmond's Assessment
"I think we have made a good start in the last two years, and I believe we will have made enormous progress 10 years from now."
STEVE BALLMER
CEO, Microsoft
Is Microsoft doing enough to improve the security of its products?
Is it on the right track?
Patching Windows Is Best Characterized As:
  Unavoidable 46%
  An Overblown Problem 5%
  Onerous 48%
Microsoft Is Doing Enough To Ease The Patching Problem.
  Strongly Disagree 28%
  Somewhat Disagree 33%
  Strongly Agree 3%
  Somewhat Agree 20%
Is the Windows patching problem getting better?
Synergistic Security
"There's no one thing that's going to solve this. Mitigation is part of it."
MIKE NASH
Corporate VP, Microsoft SBU
Will Microsoft's synergistic security strategy lead to better overall security for Windows and its other applications?
What does Microsoft need to do to win and retain the confidence of its enterprise customers?