Interview: Exec: MS serious about security

Neil Charney, director of Microsoft's .Net Platform Strategy Group, talked to the IDG News Service on Wednesday about a variety of topics related to Microsoft's .Net architecture for Web services, including security, application development, the recasting of Hailstorm and the criticism that .Net will lock users into using Microsoft software. He spoke by phone from Microsoft's Latin America Enterprise Solutions Conference 2002 in Boca Raton, Florida. Below are excerpts from the conversation.

Q: Users are concerned about IT security in general, and particularly about the security of Microsoft products, which has been an ongoing issue for some time now. How important is security for the success of the .Net architecture?Bill (Gates)'s (Trustworthy Computing) memo and announcement, as well as all of the work we've done before that time, as well as since, (related to security), is indicative of our commitment to security.

I don't think it's an issue that's limited to Microsoft. It's an issue for our entire industry. ... Sun (Microsystems Inc.) even announced the appointment of a security czar of some sort (recently). ... There's no question that the industry needs to focus on security and the broad issues involving security, trust and privacy. Microsoft is not alone in the area of concern over security. If you look at any of the other members of the industry, you'll see they're grappling with security issues as well.

What we've done with our Trustworthy Computing initiative is make security a key focus. There's a very clear message inside Microsoft that security is primary, that in a case where features are being debated and security is an issue, security wins out. ... But it would be irresponsible to claim that anything is entirely secure in our industry.

A big part of the foundation of .Net are open standards ... collectively referred to as Web services, which play a key role in .Net. There has been a very clear alignment in the industry around this as a model for computing. As companies have started to implement Web services we're finding companies are solving problems today using Web services and they're also finding that there are enhancements they'd like to see in the Web services platform, specifically around security. So we announced (two weeks ago) along with IBM (Corp.) and VeriSign (Inc.) a security specification called WS-Security for secure Web services. That's a real response to what customers have been asking us for. ... You can build secure Web services solutions today if you use SSL (Secure Sockets Layer) and other mechanisms. But what people really want is a consistent, standardized approach to that. So there has been a lot of interest in the WS-Security specification already.

Passport (Microsoft's single sign-on and authentication service), one of the largest Web services out there, has never been compromised. ... There was one theoretical (security) issue that was raised (about Passport) and it was addressed before anyone had a chance to exploit it. That's an example of a place where we've put a lot of effort in securing that data and ensuring the privacy that's there. ... In terms of commitment to privacy, you take a look at Passport (and you see) we have an approach based on user control of the data. ... Our philosophy has been that the user controls their data, which actually flies in the face of a lot of the industry in terms of their approach on the Internet (where in many cases) ... your information tends to be shared without you knowing it and without you confirming it.

Q: Some critics say that Microsoft is developing the .Net architecture in a way that isn't platform-neutral and that will force customers to use only Microsoft's software, from the handheld devices all the way up to the high-end servers. How does Microsoft respond to that?We are very much committed to working on a standards-based approach to Web services. ... One of the basic tenets of .Net is to be able to connect across platforms. We know that most companies have a heterogeneous systems infrastructure. They are not all Microsoft Windows. They're running Linux, Unix, a variety of different things. The question is: how do they work together? They're going to make the decisions based on the right thing for their platform choices. So one of the benefits of .Net is that they can now access that data, aggregate it (and) make it available either using Web services or any of the number of connectors that we have built into our products, which are, by the way, the largest in the industry for connecting with other systems running on non-Microsoft platforms.

Q: Microsoft recently recast .Net My Services, formerly known as Hailstorm, as a technology it will provide to companies and service providers, so that they can in turn provide the Web services Microsoft was originally going to offer. Why did this happen, and how does this affect Passport?It's an exciting extension of the initial proposal. ... We got very interesting feedback from the companies we talked to (about Hailstorm). They said: "This is interesting. We could really use this inside our company. We're not sure that I want to necessarily connect with you outside the firewall. I may. But where this really becomes interesting is when I can have resources available, calendaring available, identity available, inside the firewall." That really meshes well with our infrastructure approach and offering, which is to provide the tools and technologies for companies and systems integrators.

We haven't really seen any decline in interest in Passport (as a result of the Hailstorm recasting). All it's done is allow us to focus our efforts and resources on delivering what we think is going to be a very interesting enterprise audience for that.

Q: Another concern cited by some IT users is whether their existing Microsoft-based application code will run in the new .Net application development environment. Could you comment on this?There are certainly some enhancements (in Visual Studio .Net) that developers should be learning about, and we're doing a lot in terms of training ... to (help them) take advantage of those new capabilities. That said, a lot of work went into interoperability with previous versions of Visual Studio, so that if you have applications running and you want to be able to access them programmatically, there's a lot of work done for that interoperability through the (.Net) Framework (the programming model for the .Net platform). ... For the most part, we've found that developers are pleasantly surprised at the transition. Because of the productivity gains they get now with Visual Studio .Net, any investments early on in the training for some of those enhancements are really recouped in what they are able do now.

Join the newsletter!

Error: Please check your email address.

More about IBM AustraliaMicrosoft

Show Comments

Market Place