
Gates says security boils down to four focus areas

Feb 14, 2006

Bill Gates Tuesday opened the annual RSA Security Conference with an overview on the state of security that was long on vision and broad with its details.

Gates, Microsoft’s chief software architect, said the industry must meet a set of four high-priority initiatives in order to improve security in an increasingly digitized world that is working more and more over the Internet.

Gates started off light, saying he was glad to be keynoting at RSA because his other invitation “was to go quail hunting with Dick Cheney. I’m feeling really safe right now,” he said.

Gates then launched into the importance of security going forward and categorized a set of priorities under four headings: trust ecosystem, engineering for security, simplicity, and fundamentally secure platforms.

“It is a very big challenge to make sure that security is not the thing holding us back,” Gates said. “The Internet is such a critical infrastructure for productivity, for reliability, for privacy that the dream we have can only be realized if we not only build secure approaches but make them easy to administer and make it so the users understand exactly what to expect. That means a lot of invention and a lot of improvement from where we are today.”

Gates gave very little in the way of new initiatives or ideas at Microsoft for meeting his four broad goals, instead tailoring his remarks around announced features in the upcoming Windows Vista client operating system including smart card support, identity technology called InfoCard, and improvements in the Internet Explorer browser.

The only real announcement was that Microsoft’s Certificate Lifecycle Manager was now in beta. The announcement came as an aside during a demo showing how a user who lost his smart card, laptop and phone could quickly get replacements.

Gates used the demo to highlight his trust ecosystem, one of his four priority areas for improving security.

“We have chains of trust,” Gates said. “What we need to do is track those trust relationships, to grab permissions, to revoke those trust relationships, to develop reputation over time.” He said today people live without a trust ecosystem.

“It can’t be something whether it is one unique piece of software or one unique organization, it has to be totally federated so all the trust statements can be understood and reasoned against. With that we get reputation, for code, for users, across all the different activities they do.”

He said one key of the ecosystem would be about people and the need to manage certificates, including issuance and revocation. Gates said over the next 3 to 4 years corporate users should start to see a shift away from passwords to two-factor authentication in the form of smart cards. And he said high-value certificates would help users reliably identify Web site owners.

In terms of engineering for security, Gates used as an example Microsoft’s use of tools and new design practices for developing secure code. “Code has to operate as expected,” he said.

In terms of simplicity, Gates said Microsoft has to get dramatically better.

“The number of screens you have to get involved in, the number of places you have to go to find out what went on are still too high,” he said.

Gates pointed out some of the things that Microsoft is doing to get better, such as: the inclusion of the OneCare security service in Vista, improvements to the Security Center in the operating system, the use of group policy controls by IT, and the use of InfoCard, a system now supported in IE 7.0 that lets users control the dissemination of their own identity information.

“Security and management are not really two separate things,” Gates said.

Under his goal for fundamentally secure platforms, Gates pointed out Vista, which he said would take Microsoft to new heights in terms of security. He highlighted user protection controls that limit administrative rights and keep malicious code from running amok, along with Windows Defender for blocking spyware. Beta 2 of Defender also was released today.

Gates wrapped up by saying the industry needs to focus on all four of these security areas.

“The opponent in this case… is not standing still,” he said.