Microsoft: Security Management Too Complex

In a Tuesday keynote speech at RSA 2008, Craig Mundie, Microsoft's chief research and strategy officer, said the software giant has met the initial challenges of trust and security and is now shifting its focus to building a 'trusted stack' of software that encompasses not just the OS, but also devices, applications, identity, and data integrity.

"Today we are in a transitional situation at Microsoft. We are moving beyond the first generation of trust and security and moving into the trusted stack," said Mundie.

As the security industry has matured, attackers' focus has shifted from desktops and servers to locations higher in the stack, and the prevalence of cell phones, laptops, and thumb drives is giving miscreants additional ways of accessing sensitive data, Mundie said.

Now that the foundation has been laid for good design practices for security, management and identity represent the biggest challenges the security industry faces, Mundie said. "Overall, management systems are not integrated and are too complicated. We recognize that it's too hard and costs too much," he said.

Microsoft two years ago started weaving interoperability into its Trustworthy Computing initiative, Mundie noted. In February, Microsoft unveiled a strategy for increasing its support for industry standards and improving its traditionally frosty relationship with open source communities.

As part of its interoperability push, Microsoft has been steadily moving down the path of allowing any device to access any data set, and run any application from any location, a capability that's being driven by identity management advances, according to Mundie.

"As we move beyond getting the platform right, we find ourselves in technical and policy areas. Identity, and the claims around it, will be critical to finding a balance between privacy and security requirements," he said.

The idea of authenticating not just a user, but a user in a role within an application context is another important part of Microsoft's trusted stack vision, said Mundie. "This is another thing that will have to percolate through our management system, and we're focused on adding that," he said.

When credit cards first came out, users initially worried about what banks might do with their personal information, but the fact that these trust issues were quickly ironed out suggests that the same scenario will play out in the trusted stack, according to Mundie.

"As online privacy and security and the trusted stack become a substitute for the things we do in the physical world, society will come to feel more comfortable with security and then we'll see the emergence of demand for new forms of credentials," said Mundie.