A closer look at trust

 

Connecting state and local government leaders

As Microsoft celebrates half a decade of the Trustworthy Computing program's existence, there remains a basic inconsistency between convenience of use and computer security.

When Richard Kemmerer first joined the board of Microsoft's Trustworthy Computing Academic Advisory initiative as one of its inaugural members, he had a caveat for the software giant.

"One of the things I told (Microsoft) was that if you're looking for a yes man, you're barking up the wrong tree, looking in the wrong place, you got the wrong guy. I'm going to call it like I see it."

Looking back over five years as a member of the panel, which is charged with (among other things) shoring up security, Kemmerer -- currently a professor of computer science at University of California at Santa Barbara (UCSB) -- still feels the same way in making what he calls a fair assessment of software and security personnel in Redmond. While he's swift to laud the accomplishments made with the project and with the evolution of Microsoft products and services, he says, "Where security is concerned, there is still a long way to go."

Indeed, as Microsoft celebrates half a decade of the program's existence calling upon expertise from Kemmerer and other scholars and experts from as far away from Redmond as Tokyo and London, there remains a basic inconsistency between convenience of use and computer security that many believe can never be fully rectified. In the same way that a car alarm may lock a person out of a car for security reasons, Microsoft applications such as Internet Explorer have been known to inflict similar headaches on users recently. Additionally, some IT practitioners have suggested that Microsoft needs to help educate end users in a manner far more comprehensive than its monthly security bulletins.

To that end, Microsoft believes it's the IT community's job to stay on top of things and that the aim of the Trustworthy Computing movement is to gather the best objective research to achieve that goal.

"Organizations will need to continue to adapt their processes and technologies to effectively manage data protection as security and privacy threats continue to converge," said David Ladd, principal security program manager for Microsoft. "They will need to find ways for their privacy and security professionals to work together and work more closely with the parts of their organization that collect and use data."

In tandem with helping the software firm identify potential technical and policy hurdles that make security implementation an arduous task, Ladd said the board is doing "great work" to keep Redmond up to date on current and potential issues related to the abuse and theft of personally identifiable information. That said, even Ladd was willing to concede that security and reliability are a going concern, much in the way any business operation is.

"Since the formation of (the board) in February 2003, the group has provided Microsoft with a long-range, strategic, international perspective and guidance about security and privacy trends," Ladd added. "They've done this with a focus on supporting Microsoft's efforts to better protect customers through investments in technology innovation and fundamentals, such as the Security Development Lifecycle. Progress is already being made in these areas, but there is much work still to be done."

Trusted vs. Trustworthy: What's the difference?

It was 2002 when Microsoft first co-opted the term "Trustworthy Computing" as catchphrase in its efforts to shore up public trust of its IT market offerings. However, Redmond needed a conduit to the consumer and business procurement customer base -- people who were in the trenches. This led to the formation of the advisory board a year later.

After that, the company focused on gathering information to improve its performance in four core areas: security, privacy, reliability, and business integrity.

All agree that the initiative both altered and sharpened Redmond's focus within the confines of its internal development paradigm. It also raised the eyebrows of some questioning its aims.

"First off, let me say that it would be unfair to say that there hasn't been progress with this group," said Michael Cherry, an analyst with Directions on Microsoft, an independent consultancy tracking Microsoft's strategic endeavors since 1992. "I think the issue is that there's no metric to truly measure security. Security is not a fixed end point and that's the main challenge with Microsoft and its products going forward."

There's also Trustworthy Computing's ambiguous distinction, different altogether from Trusted Computing. According to the National Security Agency, arguably the biggest, most thorough anti-hacker operation in the world, a software or operating system can be "trustworthy" but not "trusted." On the other hand, it can be deemed "trusted" but not "trustworthy." The exact denotation found on the NSA's Web site, which says a "trusted system" is one vulnerable to attacks and not foolproof, a system that, while secure in some areas, can still be compromised by hackers. Conversely, a "trustworthy" processing environment is considered virtually impenetrable and "will not fail."

This is certainly not the case with Microsoft's Vista OS, according to 49 percent of respondents in a recent survey by Virus Bulletin who said Vista has not made their system safer. For the remainder of the responses, 26 percent said the OS did make their system safer and more telling, 25 percent didn't know.

In Microsoft's defense, TCAA board member Richard Kammerer of UCSB, who has been involved in IT security since 1976, says it's not so much a technology problem as a "crime problem" facing such a large software company.

"Microsoft is in the same boat as other software vendors," he said. "Is there such a thing as 100 percent secure? Of course not."

Kammerer added that throughout the board's work, Microsoft has been very open -- in fact, more than he thought it would be.

"When we ask to see something, they usually show it to us, and if we discover something through another channel and ask them about it, they usually show it to us. You can't put a grade on their products after five years; there are too many products to grade."

Because there are so many products and so many ways to use them with inifinite contrasts in a given IT architecture of a business, the real onus will remain on developers to tailor their needs to the individual enterprise and implement patch management strategies and product upgrades accordingly.

"This is critical work because -- as more people and organizations conduct business, communicate, and access information online and personalize the delivery of information -- companies are relying on both a greater use of sensitive or personal data and the ability to share information across borders and devices," said Microsoft's Ladd. "Unfortunately, data is increasingly becoming the currency of crime, so it behooves us to reach out to experts to help address this growing concern."

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.