Channel Positive About Microsoft Palladium Security Project


Technology will offer new wireless, remote computing opps


Microsoft is working with chip partners Intel, AMD and others on a technology code-named Palladium that would make security and privacy features a standard component of the future Windows-based PC.

The Palladium technology, which will consist of code integrated into a future version of Windows and security chips developed by Intel and other chip manufacturers, isn't expected to be available on PCs until 2005, Microsoft officials said.

The project entails Microsoft adding a "very, very small amount" of code to a future version of Windows while Intel and other vendors provide computer chips that work in conjunction with the core processor that offers public and private cryptographic keys, Microsoft officials said. Microsoft hasn't yet decided whether to expose the Palladium feature in the Windows control panel or present it as a separate utility, but the feature will be turned off out of the box. It will allow users to create virtual "vaults" where they can do e-business transactions and store sensitive data and information, Microsoft said.

Solution providers applauded the effort, which follows Microsoft's "Trustworthy Computing" initiative unveiled late last year.

"Having chip-level security tied to the OS is a good thing, from my perspective, although we are not a security-centric solution provider," said Ed Bell, CEO of CrossTier, which was acquired by systems integrator gedas USA last January. "By far the biggest negative perception out there about the Microsoft platform is weak security. This would trump the Unix security model since it would be tied directly to the hardware."

Ultimately, the Palladium technology would be incorporated on desktop PCs, servers and handhelds. It would offer security and system integrity down to the hardware level, enabling users to establish more secure and "provable" relationships with other users and systems beyond the corporate firewall. It would also enable corporate IT managers to open up more corporate data for their mobile and home workforce beyond what they feel comfortable offering over a VPN line today, Microsoft officials said.

"What we're talking about is a sea change, a paradigm shift, and it's not going to happen overnight," said Mario Juarez, group product manager for the Palladium group within the Windows division. "We're adding the ability for systems to be provable. If one engages in a public transaction, it gives them the ability to determine that the other system is what it says it is, with security inherent, and the user gets great control over what gets shared and on what terms."

Juarez declined to say whether the Palladium technology would be incorporated in the next Longhorn release of Windows due in 2004 or the following Blackcomb version.

Palladium is expected to be a significant enabling technology for Microsoft's .Net and Web services transactions. Additionally, it would open the floodgates for e-business and new possibilities for remote computing in mission-critical ways, Juarez said. For example, it will enable future combined cell phone/handheld PCs to access mission-critical data from a SQL Server database over a wireless connection, permitting mobile workers for financial services companies or hospitals to conduct mission-critical computing in remote locations.

"There will be new opportunities across the board," he said, noting the technology complements Web services and mission-critical remote computing. "The scope of computing will expand beyond what is possible today, and individuals and corporations will find it to be powerful."

While the implementation of the security and privacy features in the software and hardware PC architecture of the future might crush some opportunities for solution providers, the technology will generate many new opportunities with an explosion of Web services and wireless computing, Juarez predicted.

Solution providers, including Microsoft Gold Certified Partners for Security Solutions, supported the effort.

"There can be some downside to this, but ultimately, it benefits us in the long term. There's always a need for security solutions that are custom-tailored for individual offices," said Brad Serkan, president of Gorilla Consultants, one of Microsoft's newly appointed Gold Certified Partners for Security Solutions in Los Angeles. "Even integrating hardware and software together is not an absolute. It's one step better than what's there before to give SMB customers and large businesses greater protection, but going forward all businesses will have specific needs, and there will be a need for outside vendors."

Another Gold Certified Partner for Security Solutions agreed. "There is still going to be a need for configuration management across the hardware to help with internal/external vulnerabilities," said Chris Wilburn, group manager of Microsoft solutions for Bindview, a security solution provider in Houston. "I believe what they are trying to accomplish will help a great deal with internal threats. The management of file data and encryption should play a big role. Also, we believe that it is going to be critical to incorporate security and management at the access point, Web services, for partners and customers."

An Intel spokesman would not comment on how Palladium technology might be incorporated into its Pentium or Itanium line of processors or future chip architectures, but noted that integrating security into hardware is a major company initiative. "As our product plans progress, we will be very open for broad review of the new technology," said an Intel spokesperson. "We will work with the entire industry on the various building blocks of a safer computing environment."

Some are concerned that Microsoft might have too much control over computer transactions in the future. The Palladium technology will, for example, offer unique security APIs designed by Microsoft for third-party software vendors, and Microsoft's own product groups, to exploit for application and server software development. Some say this might give Microsoft an unfair advantage with Windows in the future.

Others are skeptical that this approach is the holy grail of secure Internet computing.

"This initiative, on the surface, seems to be very credible. The thought of having a public key cryptography system that will potentially solve all these problems is incredible," said David Thomason, director of systems engineering for SecureInfo, a security consulting firm and ISV based in San Antonio, Texas. "But we have heard this story many times before. The infamous 'silver bullet' that will solve all our problems has never really worked. Microsoft promises to make the source code to Palladium open source, and this adds credibility. However, the integration with hardware also has to be open source for a true public evaluation. I haven't seen where AMD and Intel are going to make that happen."

Responding to such criticism, Juarez emphasized the new charter recently laid out by Microsoft CEO Steve Ballmer, who is trying to engineer a major shift in the company's image following the ruling in the antitrust case. It is unclear if the Palladium APIs or code would become part of the WS-I specifications developed together by competitors including Microsoft and IBM, but the goal is cooperation and interoperability. "Sure, that's the kind of direction we want to go toward," Juarez said.

"We know we have responsibilities as an industry leader, and we need to do business in ways that are open," said Juarez, one of many Microsoft employees uttering the new battle cry recently issued from top management. "We do learn, and it's good evidence that we are a company that grows and matures."

At least one national privacy advocate that has gone to battle with Microsoft on Capitol Hill over its Passport.Net plans scoffed at the notion that this is an attempt by Microsoft to become a better corporate citizen. Rather, the advocate claimed the software giant merely wants to extend its monopoly in the Windows market to the Internet services era.

"I think I have become jaded by the steady stream of code names from Redmond ([Net, Hailstorm, Palladium that try to repackage the unpalatable idea that everyone should put all their data under Microsoft's control," said Jason Catlett, president of Junkbusters, a Green Brook, N.J.-based consumer privacy firm that stood with other groups and filed a complaint with the Federal Trade Commission last July claiming .Net and integration of Windows with Passport was an "unfair and deceptive trade practice."