Business Daily from THE HINDU group of publications
Monday, Dec 04, 2006
ePaper
eWorld
Features
Stocks
Cross Currency
Shipping
Archives
Google

Group Sites

 eWorld - Interview
Web Extras - Security
Security, the MS way

V. Rishi Kumar

The company tells eWorld that security is an enabler, not a defensive mechanism.


Ben Fathi

Ben Fathi, Corporate Vice-President, Security Technology Unit, Microsoft Corporation, has a job on hand to make Microsoft products impregnable from hackers and security threats. During his brief India visit, he spoke about his mandate to enhance user experience and make security an enabler rather than a defensive mechanism.

During his conversation with eWorld, in the presence of Lori L. Woehler, Director Security Mobilisation, Microsoft Corporation, and a team of Indian executives, Fathi spoke about how Microsoft views security and some key initiatives. Excerpts.

Security is central to consumers and enterprises today. How are you working to address this concern?

Microsoft is taking action today to offer better security choices, both through improving its own software and working with government, industry and customers to ensure security throughout the entire technology ecosystem.

While designing a product, we force developers to think about what we call threat modelling — which helps designers to envision how a hacker could attack the product's vulnerabilities and then address this during the software design and development stage. So teams within Microsoft work together to test the software and ensure it addresses all the security issues before the product is released.

We have embraced Security Development Lifecycle (SDL) that reduces the number of security-related design and coding defects and the severity of any defects. Vista has gone through this process from beginning to end. Defence and depth is the cornerstone to build fundamentally secure platforms. Since we provide the Operating System itself, we are able to build security features within to make it fundamentally secure. That is something security companies can't. So we build layers of protection into the OS such as a firewall, an antivirus or antispyware or other methods of protecting the customer against the attack. All those layers are important.

Apart from building the product, we work with partners and the ecosystem to make sure customers are educated.

With Microsoft moving over to a new operating system, Vista, security has become a key offering. How do you see that helping a Windows user?

What we want to do is make sure that when people use our product, security is an enabling feature.

Antispyware and firewall are built into the platform. Thus a Windows user is fundamentally more secure than ever before. When users go out on the Internet and shop online or when businesses work with partners exchanging data, they are secure and their private information isn't being jeopardised or being stolen.

We want people not only to protect themselves but use security to create and enable new scenarios, new experiences on the Web. For instance, Right Management Services allows people to share documents and information securely and allows users to assign access rights to digital information.

So, you can send me a document and set rights that say "Ben can access this only today between 2 and 3 p.m. You can't print or forward it, you can only read it." Therefore, you can put a very fine description with what I do with the document, and you can share that document not just with your co-workers, but other people outside of your profession. You can send information securely between two companies.

This secure exchange of information allows people to create new scenarios. We have built something called Windows Security Centre (WSC) that is really two things. It's a user interface that gives users information on the state of their machine. It assigns green, yellow or red, helping them very simply to understand how secure their system is and the actions they need to take to protect themselves. As part of the WSC, since Windows XP SP2, Microsoft has worked closely with the security ISVs (independent software vendors) and added new features in Windows Vista, such as providing a remediation state that helps consumers to update their installed security software directly from WSC to the third party security console, a "snooze" state to support the latest reporting states within security products as per feedback from independent security vendors, ability for them to modify the UI (user interface) with their product brands and logos, and more importantly, a new channel for the smaller ISVs to promote their offerings.

For example, your credit card information cannot be stolen by talking to WSC. When you want to purchase something online, it won't even allow your credit card information to be sent out unless the WSC tells that everything is secure on your machine. That is another way of enabling these types of new secure experiences on the Web.

OneCare is an optional, subscription service available to all Microsoft customers to enhance online security by providing real-time antivirus protection, something that every computer should have to address new and evolving threats. OneCare simplifies security and maintenance, managing firewall policies and automating updates and PC tasks for consumer PCs, as well as file back-up. User access control and kernel patch protection are other key features built into Vista.

With Network Access Protection, business users can create customised health policies to validate computer health before allowing access or communication, automatically update compliant computers to ensure ongoing compliance, and optionally confine non-compliant computers to a restricted network until they become compliant.

When security gets bundled, say, with Defender, will it be a better user experience?

We don't like to use the word bundling. Our effort is to provide a more secure platform by building security features in the platform. If you look at something like Windows Defender, for example, it is a free anti spyware solution. Anti spyware software is available for free on the Internet and other security companies are also integrating it with their solutions. When you buy antivirus software today, it includes a firewall, anti-spyware, anti-spam and anti-virus.

We put Defender into the operating system as there is no real market out there for anti-spyware, it is freely available. Instead of forcing the user to search for free software, we provide it in the platform for free. The second is, there are viruses and spyware that can hit your machine before you have had a chance to install anti spyware software or firewall. We have integrated these two things into the platform. If you look back at some of the big viruses and worms of recent years — Slammer, for instance — some of these actually infected user machines as soon as they got on the Internet, before they had a chance to act and install protection for themselves. That is why it is important to include the protection in the OS. We have interfaces to disable these in-built security features, Defender, firewall, etc, and install other third party antivirus or anti spyware products. Therefore, customers are completely free to choose their preferred security software. We are not bundling software - the idea is to protect the users and give them choice.

Traditionally, Microsoft has been a `delight' for hackers. With the new initiatives, will it be tougher for them to crack through security? There is no foolproof security. It will be a lot harder for hackers to break into Windows Vista. When we see different attacks against our products, we don't just try to address that specific attack or that one bug, we try to fix the bug to the entire class of our products. So, for example, buffer overflows are a very common way of attacking a computer when you download a virus that utilises that condition when it attacks your machine. Therefore, we have created a tool that automatically protects against buffer overflows. That is an example of how it will be a long process for the hackers to break in, because when they find a new vulnerability to attack, we go and fix it across and address it completely.

A significant part of system security depends on the user. For instance, installation of pirated software can make your system vulnerable. What can be done to help users understand their role?

What happens is that when people buy pirated software either on a CD or downloaded from somewhere, a very large percentage of that software comes with trojans and malware. People think they are saving a little bit of money by getting pirated software, but actually what is actually happening is they are getting trojans on their machine and their financial information is getting stolen or they are getting viruses on their machine. It is important to educate users that security is not just about technology but a combination of technology, people and processes. Through the Windows Genuine Advantage programme, we ensure that users who have been given pirated software are provided legitimate versions of the software so they can get automatic Windows updates from the Microsoft Download Centre.

Given your focus on security and the enhanced features, will it be easy to transition to Vista? Will a user get enhanced support?

There are a lot of features, security enhancements in Windows XP SP2 such as a firewall or other security features that are already included in Vista. There are several other enhancements in the new system but we can work backward easily.

A lot of companies have standardised on Windows XP and they are not going to upgrade to the latest version the minute it comes out. We believe in protecting our customers and the money they have spent on XP or Windows 2000-whatever. That's why we are providing the additional security products that you can use to protect your existing systems.

Migration or transition to the new software becomes easy and existing applications continue to work. Programmes make migration easy from old to new machine, including automatically copying all the data.

One of the other issues is the need for higher computing power and higher graphics capabilities for Vista?

If you have bought a machine in the last year or two, it should be fine running this stuff. There are also a lot of features you can turn off to reduce the load on the system. It depends on what you want to use the system for.

If it's basic, then you don't need to buy a new machine. But if you do need more memory, you do need better graphics if you want to take advantages of all the latest features. I think a lot of people would therefore buy a new PC that would come loaded with the new Windows Vista.

What are you doing to transition small and medium businesses into the new environment and new operating system? Obviously one thing that is compelling is the ability to do a lot more things on this new operating system. So how do you view transition into the new OS for these companies?

We spent a lot of time doing application compatibility testing, working with the ISVs to make sure that their applications continue to run on this. So that if you have a small business, you have some Windows XP machines, some server, you needn't upgrade everything to this machine. All those applications should continue to run and over a time you can upgrade everything to this in our next version. We have tools that will help you migrate or update as well.

Security is a huge concern. Companies provide their employees with laptops, for example. We have included something called Bitlocker, which is encryption for your entire disk. Even if a laptop gets stolen, nobody can get your data off your laptop.

I understand you are launching 5-6 versions of Vista. A home user is not going to buy top end. So what is it you offer this user?

There are seven versions across home users and enterprise segments. As a consumer you really have got several choices depending on your requirements, usage and the hardware. In terms of security, all of the security enhancements are available on all of the versions except for Bitlocker.

There have been reports of Microsoft inviting hackers to test Vista. What's the finding?

We did that perhaps about six months ago and handed over 3,000 copies of a pre-release version at the Black Hat security conference to display some of the key security features and functionality being fitted into Vista.

The idea was to let them look at the software so they can report security vulnerabilities. And then we can work with some of them to make sure the product is as secure as it can be. As far as I know there were no findings reported then.

But our focus is to keep fixing security issues and bugs whenever they are reported to us. I think it was the first time anybody has released a pre-release version of an operating system to hackers and our objective was to make this product more secure than any other Windows systems available previously. So if these hackers find problems, great... we will fix them.

vrishi@thehindu.co.in

More Stories on : Interview | Security

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
Fighting shy of the call

Office '07 - It's different
Wondering - lost in time
Hunting far and wide
Working of the Internet
`Satyam will play the game differently'
Security, the MS way
Zooming in on the scene
Quiz
Engineers are among the key people in the world
Cartoon

The Hindu Group: Home | About Us | Copyright | Archives | Contacts | Subscription
Group Sites: The Hindu | The Hindu ePaper | Business Line | Business Line ePaper | Sportstar | Frontline | The Hindu eBooks | The Hindu Images | Home |

Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line