Bill Gates Publicly Passes the Microsoft Security Torch To Mundie
Gates shared the RSA stage with Microsoft chief research and strategy officer Craig Mundie, the man who's shouldering much of the security responsibilities at Microsoft these days. Missing from the keynote were the live demonstrations, product roadmaps, and bright red sweater Gates wore during last year's visit to RSA.
Instead, Gates and Mundie devoted a lot of their time to recounting the factors that have led security to be viewed as more of an impediment than a benefit to corporate IT systems and urging greater cooperation among security providers. As systems became increasingly distributed, no one considered that boundaries needed to be built into operating systems and software that define where people connect and how they connect. Erecting such virtual boundaries will require a lot more industry cooperation and partnerships. "At the security level, interoperability is absolutely fundamental," Gates said.
Microsoft's work to make its Vista CardSpace feature compatible with the OpenID 2.0 standard is a significant step in this direction. Although CardSpace will initially only be useful to the consumer side of Vista's user base, helping them authenticate to Web sites without the need to remember passwords, this use of certificate technology has potential for ultimately simplifying authentication to corporate networks and systems as well.
Certificates will provide a much more security alternative to the use of passwords, Gates said, adding, "Passwords are not only weak, they have a huge problem in that if you get more and more of them, the worse it is."
Expect certificates to bring their own set of security management challenges, encryption key management in particular. "Certificate management is complex," says Martin Roesch, founder and CTO of network security provider Sourcefire Inc. and creator of Snort, an open source network intrusion prevention and detection system. "There will be a learning curve where people will make mistakes in how they use certificates."
In much the same way Microsoft made personal and business computing more accessible to the masses through its development and marketing of the Windows operating system, Mundie's biggest challenge will be making security more intuitive and easier to implement. The state of security implementation and use today is "roughly the equivalent of a text-based interface," Mundie said, adding that one of his goals is to create more of a drag-and-drop interface around security.
One former Microsoft employee felt Gates and Mundie focused on a lot of security technology that's already available but not widely deployed at the expense of laying out a more dynamic vision of security's future. "All of the things that Bill and Craig talked about are harder to set up," says Mark Shavlik, one of the developers of Windows NT in the late 1980s and early '90s and now CEO of security vendor Shavlik Technologies.
Shavlik added that this year's Gates keynote lacked the passion of previous years' presentations, where "you walk out excited about what's coming."
Instead, Gates chose to make Tuesday's keynote more memorable as the one where he publicly passed the security torch to Mundie. Gates even credited Mundie with motivating him to write the original memo more than five years ago in which Gates laid out his plans for Microsoft's Trustworthy Computing initiative.