Bill Gates Tuesday opened the annual RSA Security Conference with an overview on the state of security that was long on vision and broad with its details.
Gates, Microsoft’s chief software architect, said the industry must meet a set of four high-priority initiatives in order to improve security in an increasingly digitized world that is working more and more over the Internet.
Gates started off light, saying he was glad to be keynoting at RSA because his other invitation “was to go quail hunting with Dick Cheney. I’m feeling really safe right now,” he said.
Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.
“It is a very big challenge to make sure that security is not the thing holding us back,” Gates said. “The Internet is such a critical infrastructure for productivity, for reliability, for privacy that the dream we have can only be realized if we not only build secure approaches but make them easy to administer and make it so the users understand exactly what to expect. That means a lot of invention and a lot of improvement from where we are today.”
Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser.
The only real announcement was that Microsoft’s Certificate Lifecycle Manager was now in beta. The announcement came as an aside during a demo showing how a user who lost his smart card, laptop and phone could quickly get replacements.
Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security.
“We have chains of trust,” Gates said. “What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time.” He said today people live without a trust ecosystem.
“It can’t be something whether it is one unique piece of software or one unique organization, it has to be totally federated so all the trust statements can be understood and reasoned against. With that we get reputation, for code, for users, across all the different activities they do.”
He said one key of the ecosystem would be about people and the need to manage certificates, including issuance and revocation. Gates said over the next 3 to 4 years corporate users should start to see a shift away from passwords to two-factor authentication in the form of smart cards. And he said high-value certificates would help users reliably identify Web site owners.
In terms of engineering for security, Gates used as an example Microsoft’s use of tools and new design practices for developing secure code. “Code has to operate as expected,” he said.