RSA Conference 2012: Gauging the future for Microsoft’s privacy, security initiatives

From here, Microsoft can either take the security and privacy community to new levels, or let it go for naught.

At a time when the technology world is facing a fundamental shift in security practices, Microsoft is saying all the right things. Now, with the credibility of a decade’s worth of work under its belt, Microsoft is at an opportune position to either bring its work to a new level, or let it slip in pursuit of other objectives.

The 10-year anniversary of Bill Gates’ legendary internal memo that launched the Trustworthy Computing initiative was celebrated at the RSA Conference with a keynote from corporate vice president of Trustworthy Computing Scott Charney. In the address, Charney touched upon a quickly developing dynamic for the TwC initiative: the fine line between productive use of big data and invasion of individual privacy.

In the past decade Microsoft has made strides with its TwC initiative. Randy Franklin Smith, president and CEO of Monterey Technology Group, says the term “Microsoft security” was laughed at and considered an oxymoron before Gates made his call to arms in 2002. Research firms were warning customers of potentially devastating vulnerabilities, and, without TwC, Smith believes “there would have been a large jumping of ship off to other options just because of security.”

Now, 10 long years later, Microsoft’s progress puts it in good position to establish itself as a leader in the security community, Smith says.

“Security-wise, Microsoft has made tremendous strides,” Smith says. “They went from being the joke of the security community to being a leader in information security. They fulfilled their promise to work with not just partners but competitors, and again the proof is in the pudding because hackers had to greatly expand the technologies and products that they are targeting because of the improvements in Microsoft technologies and their security processes.”

In his RSA keynote, Charney praised the capabilities afforded through big data and how it will help establish standards for cloud security and reliability. At the same time, Charney was quick to cover all of his bases by expressing concern over the privacy implications stemming from the use of big data for security monitoring purposes, especially among government institutions.

It’s a sentiment that is shared among other TwC executives, and rightfully so. In a discussion I had with TwC director Dave Forstrom, excitement over the opportunities opened by the advent of big data was well-balanced with caution around the risk for invasion of privacy. It only makes sense for people like Charney and Forstrom to have a genuine interest in the company’s respect for individual privacy while working to improve security. They work in Trustworthy Computing. It’s their job to care and to let the world know what they plan to do about it.

“The importance there is from a security perspective you recognize there can be huge benefits in being able to leverage data that’s already at hand. This is data that’s already coming through our systems,” Forstrom says. “On the privacy front, though, that’s where we see there’s absolute strain. Big data exasperates privacy concerns, let’s be real about that.”

Forstrom touched upon the plans within TwC to help create a firm set of standards for use of individual user data and called for a shift in responsibility from the user, who is currently held responsible for the data he or she submits, to the collector.

With 10 years of work, extensive internal security resources and the credibility developed over the past decade, the TwC team is well-suited to establish itself as a leading advocate for the data security community. What remains to be seen is whether Microsoft takes its own advice.

Several of Microsoft’s current, most-hyped initiatives are in areas that have seen hotly debated privacy issues in the past. The Bing search engine is in the midst of an uphill battle in a field that is watched and discussed by privacy advocates and global government officials on a daily basis. Microsoft has hardly seen the privacy criticism that search engine market leader Google has, but if it were to make progress in the next decade, who knows what kind of revelations or accusations could be made. Forstrom even acknowledged that the public mentality around privacy is shifting in the age of social media and constant access to the web, making for an even more complex outlook.

“There’s a desensitization that goes on relative to policy as we become more public-facing, more interactive,” he says. “From a consumer perspective we see people actually start to give up more in relation to privacy because they’re reaping the benefits of this interconnectivity.”

Then there’s the projected success of Microsoft’s young Windows Phone operating system. Apple, in its rise as both a mobile software developer and device manufacturer, has seen its share of criticism for privacy invasion. Could Microsoft, whose new manufacturing partnership with Nokia led IDC to predict it to become No. 2 in the market by 2015, end up with the same kind of reputation?

Personally, I think not. Especially with increasing visibility from independent researchers and hacktivist groups, and having come off a historic year for exposure of security threats, Microsoft would be foolish to walk the tightrope between security advocate and data abuser. The company has already made significant contributions to the community in the past few years, fighting the good fight against botnets and even recently sharing insight on the use of anonymous data. And with the company planning to launch a real-time threat intelligence feed (a project that Forstrom says does not fall under the umbrella of TwC but will contribute to its research), Microsoft already appears more than willing to take its efforts a step further. Plainly stated, the community would see through a front of false advocacy for security and privacy, and with the resources it has developed, that’s a front Microsoft wouldn’t need to put up.

Of course, this is one of those cliché moments when we say “only time will tell.” But considering how Microsoft has progressed since the launch of TwC, which Forstrom says “was born out of pain and us recognizing that we had responsibility to our customers,” it’ll be interesting to see how the company carries on this responsibility to its customers without the pain of its former reputation for ineptitude.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle. Colin’s email is
