Microsoft out of 'the doghouse' on security, analyst says

Software maker improves reputation for 'Trustworthy Computing'

Microsoft's reputation for lax software security used to be so bad that one of the people who runs it, Scott Charney, corporate vice president of the company's Trustworthy Computing initiative, said at last year's RSA Conference that friends laughed when he used the words "security" and "Microsoft" in the same sentence.

Today, as Charney prepares to deliver another keynote at RSA Conference 2010 in San Francisco next week, those two words can now be said together without eliciting a chuckle.

"Microsoft is no longer in the doghouse," says Andrew Storms, director of security operations at nCircle Network Security. "If you look at who's doing the most work both internally and publicly ... and working hard to try to do the right thing ... Microsoft's name continues to come up near the top of that list."

No software or computer network can be completely secure, but the goal of computer security is to reduce the risk, head off more threats and remain vigilant. Charney explained the "Charney Theorem" in his 2009 keynote: "There's always a certain percentage of the population that's up to no good."

While improving its security reputation, though, Microsoft still gets some egg on its face from time to time. Eight years after the Trustworthy Computing initiative was launched at Microsoft, the company was in the news as recently as last month. Storms notes that when hackers in China broke into the network of Google and several other U.S. tech companies, an attack called "Operation Aurora," one of the ways they did it was by exploiting a vulnerability in version 6 of Microsoft's Internet Explorer Web browser.

"The sad news about it was that [Microsoft] already knew about the bug and they already had a fix that was to be released in a number of weeks," Storms says. Storms also wonders why any computers would still be running IE 6, which is two versions old. With the current IE 8, the most that attack would have done is crash the browser, not break into the computer to plant a Trojan or compromise it in some other way. Despite the efforts of Microsoft or other software makers to protect against security risks, it's still up to the end user to read the warnings and install the security patches, he said.

Microsoft also gained the trust of Network World's John Fontana, who wrote in 2008 of a sit-down he and other IDG editors had with Charney.

At RSA Conference 2009, Charney unveiled an open-platform, claims-based identity management system, code-named "Geneva," which gives someone access to a computer network or software program without revealing any more personal information than they have to. He compared it to a customer showing a driver's license to a bartender to prove they're old enough to drink. The license reveals the holder's name, address, photo, height, weight, date of birth and more. All the bartender needs to see is the photo and the date of birth, but all that other information is exposed.

Charney also unveiled a DirectAccess feature in the Windows 7 operating system that allows remote access to a corporate network without having to use a VPN for routine checking of e-mail or the Outlook calendar.

Next week, Charney is going to talk about the continuously evolving threat landscape, global concerns about cybercrime, security concerns related to cloud computing, and Microsoft's ongoing efforts to enable what it calls "End-to-End Trust."

Another issue Microsoft will have to face next week is not a security breach but a high-level departure from the Trustworthy Computing team. IDG News Service reported last week that George Stathakopoulos, general manager of the Product Security and Security Engineering and Communications Group at Microsoft, has left to take a security management position at Amazon.com.

Security is becoming increasingly important at Amazon, Robert McMillan writes, given its Elastic Compute Cloud service, which provides cloud computing services to businesses.

Copyright © 2010 IDG Communications, Inc.