[ISN] Gates says security boils down to four focus areas

InfoSec News isn at c4i.org
Wed Feb 15 03:14:45 EST 2006


By John Fontana
Network World

Bill Gates Tuesday opened the annual RSA Security Conference with an
overview on the state of security that was long on vision and broad
with its details.

Gates, Microsoft's chief software architect, said the industry must
meet a set of four high-priority initiatives in order to improve
security in an ever increasing digitized world that is working more
and more over the Internet.

Gates started off light saying he was glad to be keynoting at RSA
because his other invitation "was to go quail hunting with Dick
Cheney. I'm feeling really safe right now," he said.

Gates then launched into the importance of security going forward and
categorized a set of priorities under four headings: trust ecosystem,
engineering for security, simplicity, and fundamentally secure

"It is a very big challenge to make sure that security is not the
thing holding us back," Gates said. "The Internet is such a critical
infrastructure for productivity, for reliability, for privacy that the
dream we have can only be realized if we not only build secure
approaches but make them easy to administer and make it so the users
understand exactly what to expect. That means a lot of invention and a
lot of improvement from where we are today."

Gates gave very little in the way of new initiatives or ideas at
Microsoft for meeting his four broad goals, instead tailoring his
remarks around announced features in the upcoming Windows Vista client
operating system including smart card support, identity technology
called InfoCard, and improvements in the Internet Explorer browser.

The only real announcement was that Microsoft's Certificate Lifecycle
Manager was now in beta. The announcement came as an aside during a
demo showing how a user who lost his smart card, laptop and phone
could quickly get replacements.

Gates used the demo to highlight his trust ecosystem, one of his four
priority areas for improving security.

"We have chains of trust," Gates said. "What we need to do is track
those trust relationships, to grab permissions, to revoke those trust
relationships, to develop reputation over time." He said today people
live without a trust ecosystem.

"It can't be something whether it is one unique piece of software or
one unique organization, it has to be totally federated so all the
trust statements can be understood and reasoned against. With that we
get reputation, for code, for users, across all the different
activities they do."

He said one key of the ecosystem would be about people and the need to
manage certificates, including issuance and revocation. Gates said
over the next 3 to 4 years corporate users should start to see a shift
away from passwords to two-factor authentication in the form of smart
cards. And he said high-value certificates would help users reliably
identify Web site owners.

In terms of engineering for security, Gates used as an example
Microsoft's use of tools and new design practices for developing
secure code. "Code has to operate as expected," he said.

In terms of simplicity, Gates said Microsoft has to get dramatically

"The number of screens you have to get involved in, the number of
places you have to go to find out what went on are still too high," he

Gates pointed out some of the things that Microsoft is doing to get
better, such as: the inclusion of the OneCare security service in
Vista, improvements to the Security Center in the operating system,
the use of group policy controls by IT, and the use of InfoCard, a
system now supported in IE 7.0 that lets users control the
dissemination of their own identity information.

"Security and management are not really two separate things," Gates

Under his goal for fundamentally secure platforms, Gates pointed out
Vista, which he said would take Microsoft to new heights in terms of
security. He highlighted user protection controls that limit
administrative rights and protect malicious code from running amok,
along with Windows Defender for blocking spyware. Beta 2 of Defender
also was released today.

Gates wrapped up by saying the industry needs to focus on all four of
these security areas.

"The opponent in this case - is not standing still," he said.

More information about the ISN mailing list