RSA 2011: Microsoft's How-To For Healthy PCs


Microsoft believes the public health model has interesting potential when applied to IT security, especially when identity management is added to the equation.

In the public health model, people are first educated on health risks, and there are efforts to detect disease and vaccinations to prevent them. It turns out that in IT, prevention is very similar.

In a Tuesday keynote speech at the opening of RSA 2011 in San Francisco, Scott Charney, Microsoft corporate vice president of Trustworthy Computing, described Microsoft's "Collective Defense" security strategy, in which health certificates and organizational policies are used to proactively test devices to ensure they're free of malware.

Mobility and cloud computing are putting pressure on IT departments to account for a proliferation of new devices. And the botnet scourge is necessitating more aggressive security policies. However, the Collective Defense approach offers a middle ground, Charney said. "Very often society needs something that IT is not able to deliver. But we're starting to see alignment," he said.

First unveiled last October, Collective Defense is aimed at the rise of cybercrime and the potential erosion of trust it could trigger in online banking. "With Collective Defense, the goal isn't to catch everything a priori -- we know we can't," Charney said. "But it raises the basic level of hygiene, and as new threats come out you have already built the infrastructure to stop it."

Identity management is particularly critical to protecting users' privacy and it's a big part of Collective Defense. "With claims-based identity, the user gets to retain control over their data, so why not do the same for health of machines?" he said. "This model allows us to think differently about promoting the health of PCs.

"We educate people on IT risks, such as the need to run firewalls. And there are efforts to detect malware," Charney said. "We give them programs in advance to prevent infection and when they get sick anyway, we treat them."

One stickler in the public health model is the question of who handles enforcement of scanning and security policies. Charney said the notion of using ISPs as security governance agencies has many flaws. In addition to putting a lot of burden on ISPs, consumers may not want their machine scanned for privacy reasons.

What's more, many PC users relay on their machines for VoIP and can't be bothered with having to install patches and reboot their systems in the event of an emergency, Charney said.

In the Collective Defense model, individuals would have the option of refusing to obtain a certificate of health for their device. There could be consequences for this, as there are when a DUI suspect refuses to take a Breathalyzer, but the choice to reveal this information remains with the user, Charney noted.