It's about a year since Bill Gates called on 49,000 employees worldwide to make "trustworthy computing" a top priority. In a memo, as reported in January 2002, Gates outlined the company's practice of making "software and services more compelling for users by adding new features and functionality ...[but]... those great features won't matter unless customers trust our software". He added, "When we face a choice between adding features and resolving security issues, we need to choose security."
Last May, Brian Valentine, senior vice president of Microsoft's Windows division and an executive sponsor of the Trustworthy Computing security initiative, described progress in training and code review. For instance, last January every Windows employee received one day of intensive training covering common coding mistakes. Steps were also taken to build security milestones into the design process and the alpha and beta development cycles.
Last November at COMDEX in Las Vegas, a panel of Microsoft executives touted an 'about-face on the issue of security', with the company moving from a customer-focused mind-set to one that puts security on an equal footing with features. The Microsoft Security Response Centre, the automatic update feature offered in Windows XP Service Pack 1, a vulnerability rating system, and Palladium were cited as evidence. However, panellist Craig Mundie, senior vice president and chief technology officer of Microsoft's advanced strategies and policy, expressed doubts that a comprehensive security fix was near at hand. Microsoft corporate privacy officer Richard Purcell noted a trade-off between increased user privacy and security on the one hand and user convenience on the other. He believed that achieving trustworthy computing would be a long and painstaking process, requiring a change in how people and governments use technology as much as changes in the technology itself.
According to reports, Peter Biddle, Palladium product manager, suggested that Palladium could bring an integrated hardware- and software-based security architecture to protect the entire chain of communication between users connecting across an insecure environment, ultimately making packet-sniffing programs, worms, and viruses obsolete. Some commentators described Palladium as potentially a 'big brother nightmare'.
This January, Bill Gates is issuing celebratory memos noting new product design methodologies, coding practices, test procedures, incident handling and support processes, and some $US200 million spent on improving Windows security. Now the company is looking to academia for guidance with the formation of the Microsoft Trustworthy Computing Academic Advisory Board. It is made up of 14 experts in computer security and software development from top universities around the world, including Vijay Varadharajan from Macquarie University in Sydney.
So how do you score Microsoft on its Trustworthy Computing initiative? Is it long and painstaking and too little to notice, or do you believe your Microsoft environments are more secure than they were a year ago? E-mails to David_Beynon@idg.com.au