RSA: Microsoft Still Working To Solidify Security
These were among the key themes of a Tuesday keynote speech at RSA 2009 in San Francisco, in which Scott Charney, corporate vice president of Trustworthy Computing at Microsoft, outlined the company's ongoing efforts to improve the security of its products through what it calls the End to End Trust model.
When it comes to verifying users' identities online, the old method of using Social Security numbers, date of birth and mother's maiden name is no longer good enough, Charney said. As a result, Microsoft has been working to build a trusted stack of hardware, software, data and people that will address the traditional deficiencies of passwords.
"The way we do identity today is completely flawed," Charney said. "We need a different model to think about identity, and not an authentication model that strips away anonymity."
Microsoft's decision to share its security development life cycle with the development community has helped solidify the notion that security is an ecosystem problem, according to Charney.
Last week, Microsoft rolled out a public beta of its Stirling security suite and a host of partnerships with security vendors to allow their security event data to flow through Microsoft's Forefront Stirling Management Console. In addition to illustrating the ecosystem idea, this helps Microsoft gather disparate pieces of data and develop a picture of a particular organization's security posture, Charney said.
In the past year, Microsoft has publicly released a threat-modeling tool for ISVs and, with the help of partners, is teaching other organizations how to emulate the security development life cycle process.
"Attacks are moving up the stack, and we need ISVs everywhere to do more threat modeling," Charney said.