Microsoft is raising the stakes in security, announcing on Thursday PKI services for Windows with VeriSign Communications and security certification training for Microsoft system administrators and engineers.
The company unveiled the programs during a speech at TechEd on Tuesday by Scott Charney, Microsoft chief security strategist and a former cybercrime prosecutor for the federal government.
Touting Microsoft's Trustworthy Computing initiative, Charney stressed the importance of everyone, including vendors and IT administrators, playing a role in security. He also noted the difficulty in finding Internet-based criminals.
"In cyberspace, an ounce of prevention is a ton of cure because after the fact there's very little to do about it," said Charney.
"Security clearly is issue No. 1 for us," Charney said.
Microsoft is overhauling its patch procedures to reduce the number of installer technologies, he said. "By the end of the year, instead of eight installer technologies, we will have two: one for operating systems, one for applications," said Charney. Microsoft's automatic patch update service will also make patching easier, according to Charney.
To boost security, Microsoft and VeriSign announced they are teaming up to provide PKI security services for Windows Server 2003, so that enterprises can deploy secure communications and digital identity management systems more easily and interoperate across systems and networks.
Due in late 2003, the programs will focus on certificate auto-enrollment capabilities in Windows Server 2003 and Windows XP. Automating the issuance and renewal of digital certificates will let customers deploy systems such as secure e-mail, file protection, and digital signatures, and, according to VeriSign and Microsoft, legally binding transactions.
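The point of auto-enrollment is that certificates are issued and renewed without an administrator touching each machine, so the practical check is whether the policy is actually applied and whether template-issued certificates are being renewed before they expire. The following PowerShell script is an added example, not code from the article, Microsoft or VeriSign. It assumes a domain-joined Windows host with the PKI client, reads the auto-enrollment Group Policy value from the registry (the bit meanings for `AEPolicy` are an assumption taken from the Group Policy editor's options, not from the article), identifies template-issued certificates in the machine store by the Microsoft template OIDs, and flags those close to expiry. The 30-day threshold and the `-Pulse` switch are arbitrary choices for this example.

```powershell
# Added example: audit auto-enrollment on a Windows host.
# Assumptions: domain-joined host, PKI client present, run as administrator
# for the machine store. AEPolicy bit meanings are an assumption taken from
# the Group Policy UI, not from the article.

$RenewWithinDays = 30   # arbitrary threshold for this example

# Extension OIDs carried by certificates issued from AD CS templates.
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'   # v1 template name
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # v2+ template OID and version

function Get-CertTemplateLabel {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateNameOid -or $ext.Oid.Value -eq $TemplateInfoOid) {
            # Format($false) renders the ASN.1 payload as a single readable line
            return $ext.Format($false)
        }
    }
    return '(no template extension; not auto-enrolled)'
}

function Get-AutoEnrollmentPolicy {
    # Assumption: policy lives under this key as the AEPolicy DWORD.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'
    $p = Get-ItemProperty -Path $key -Name AEPolicy -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'Not configured (no auto-enrollment GPO applied)' }
    $v = [int]$p.AEPolicy
    if ($v -band 0x8000) { return 'Disabled' }
    $flags = @('Enabled')
    if ($v -band 0x1) { $flags += 'renew expired / update pending / remove revoked' }
    if ($v -band 0x2) { $flags += 'update template-based certificates' }
    return ($flags -join '; ')
}

Write-Host "Auto-enrollment policy: $(Get-AutoEnrollmentPolicy)"

$now = Get-Date
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
    [pscustomobject]@{
        Subject    = $_.Subject
        Template   = Get-CertTemplateLabel -Cert $_
        NotAfter   = $_.NotAfter
        DaysLeft   = $daysLeft
        NeedsRenew = ($daysLeft -le $RenewWithinDays)
    }
} | Sort-Object DaysLeft | Format-Table -AutoSize

# Kick the auto-enrollment client so a pending renewal runs now instead of
# waiting for the next policy refresh (certutil -pulse is a built-in switch).
if ($args -contains '-Pulse') { certutil -pulse }
```

Run it as `.\Audit-AutoEnroll.ps1` to report, or `.\Audit-AutoEnroll.ps1 -Pulse` to also trigger enrollment. A certificate that shows `NeedsRenew = True` while the policy reports `Enabled` usually means the template's renewal period or the machine's enrollment permissions are wrong, which is the failure mode to look for before a certificate silently expires.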
A second initiative is expected to focus on interoperability services that would enable enterprises to federate trust and extend internal PKI capabilities beyond the corporate network. This would provide for secure commerce and communications across enterprises.
VeriSign's efforts are intended to build on the desktop and back-office integration in Windows Server 2003. Microsoft and VeriSign also plan to collaborate on longer-term initiatives to address the proliferation of spam, enable services for Windows Rights Management, and provide services compliant with the proposed Web services security specification, WS-Security.
"Microsoft and VeriSign are actually working together with the standards bodies to use digital signatures as a tool against spam," said Nico Popp, a VeriSign vice president of research and advanced products, who spoke briefly during Charney's presentation.
Microsoft also announced two security training programs based on the Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) credentials. Currently, the programs are specific to Windows 2000 but will be extended to Windows Server 2003 later in the year. Candidates for the certifications must pass the core exams for the MCSE or MCSA credentials and also pass security-specialization exams to demonstrate ability in areas of security such as foundations, implementation, and design. One exam is the CompTIA Security+, which is an industry-recognized standard of competency for foundation-level security practitioners, Microsoft said.
A TechEd attendee said he liked what he heard from Microsoft about security and improving patching. "I do like the attention that Microsoft's starting to pay to security. I don't think they're quite there yet," said John Peterson, reliability specialist at Logan Aluminum, in Russellville, Ky.
Security often conflicts with free-market instincts, since it can cost hundreds of millions of dollars to abate minute risks, Charney said. But both government and private industry must have a role in security, Charney said. "Most of the responsibility falls on us," the people designing applications and maintaining them, said Charney.