In-Depth

Trustworthy Computing: Examining Trust

Microsoft's Trustworthy Academic Advisory Board has been keeping tabs on security issues -- external as well as internal -- that continue to challenge Microsoft's developers. Here's a peek into the board, which marks five years on watch.

• By Jabulani Leffall
• 03/04/2008

"One of the things I told [Microsoft] was that if you're looking for a yes-man, you're barking up the wrong tree, looking in the wrong place, you got the wrong guy. I'm going to call it like I see it."

Looking back over five years as a member of the panel, which is charged with (among other things) shoring up security, Kemmerer -- currently a professor of computer science at University of California at Santa Barbara (UCSB) -- still feels the same way in making what he calls a fair assessment of software and security personnel in Redmond. While he's swift to laud the accomplishments made with the project and with the evolution of Microsoft products and services, he said, "Where security is concerned, there is still a long way to go."

Indeed, as Microsoft celebrates half a decade of the program's existence calling upon expertise from Kemmerer and other scholars and experts from as far away from Redmond as Tokyo and London, there remains a basic inconsistency between convenience of use and computer security that many believe can never be fully rectified. In the same way that a car alarm may lock a person out of a car for security reasons, Microsoft applications such as Internet Explorer have been known to inflict similar headaches on users recently. Additionally, some IT practitioners have suggested that Microsoft needs to help educate end users in a manner far more comprehensive than its monthly security bulletins.

To that end, Microsoft believes it's the IT community's job to stay on top of things and that the aim of the Trustworthy Computing movement is to gather the best objective research to achieve that goal.

"Organizations will need to continue to adapt their processes and technologies to effectively manage data protection as security and privacy threats continue to converge," said David Ladd, principal security program manager for Microsoft. "They will need to find ways for their privacy and security professionals to work together and work more closely with the parts of their organization that collect and use data."

In tandem with helping the software firm identify potential technical and policy hurdles that make security implementation an arduous task, Ladd said the board is doing "great work" to keep Redmond up to date on current and potential issues related to the abuse and theft of personally identifiable information. That said, even Ladd was willing to concede that security and reliability are a going concern, much in the way any business operation is.

"Since the formation of [the board] in February 2003, the group has provided Microsoft with a long-range, strategic, international perspective and guidance about security and privacy trends," Ladd added. "They've done this with a focus on supporting Microsoft's efforts to better protect customers through investments in technology innovation and fundamentals, such as the Security Development Lifecycle. Progress is already being made in these areas, but there is much work still to be done."

Trusted vs. Trustworthy: What's the Difference?
It was 2002 when Microsoft first co-opted the term "Trustworthy Computing" as catchphrase in its efforts to shore up public trust of its IT market offerings. However, Redmond needed a conduit to the consumer and business procurement customer base -- people who were in the trenches. This led to the formation of the advisory board a year later.

After that, the company focused on gathering information to improve its performance in four core areas: security, privacy, reliability, and business integrity.

All agree that the initiative both altered and sharpened Redmond's focus within the confines of its internal development paradigm. It also raised the eyebrows of some questioning its aims.

"First off, let me say that it would be unfair to say that there hasn't been progress with this group," said Michael Cherry, an analyst with Directions on Microsoft, an independent consultancy tracking Microsoft's strategic endeavors since 1992. "I think the issue is that there's no metric to truly measure security. Security is not a fixed end point and that's the main challenge with Microsoft and its products going forward."

There's also Trustworthy Computing's ambiguous distinction, different altogether from Trusted Computing. According to the National Security Agency, arguably the biggest, most thorough anti-hacker operation in the world, a software or operating system can be "trustworthy" but not "trusted." On the other hand, it can be deemed "trusted" but not "trustworthy." The exact denotation found on the NSA's Web site, which says a "trusted system" is one vulnerable to attacks and not foolproof, a system that, while secure in some areas, can still be compromised by hackers. Conversely, a "trustworthy" processing environment is considered virtually impenetrable and "will not fail."

This is certainly not the case with Microsoft's Vista OS, according to 49 percent of respondents in a recent survey by Virus Bulletin who said Vista has not made their system safer. For the remainder of the responses, 26 percent said the OS did make their system safer and more telling, 25 percent didn't know.

In Microsoft's defense, TCAA board member Richard Kammerer of UCSB, who has been involved in IT security since 1976, says it's not so much a technology problem as a "crime problem" facing such a large software company.

"Microsoft is in the same boat as other software vendors," he said. "Is there such a thing as 100 percent secure? Of course not."

Kammerer added that throughout the board's work, Microsoft has been very open -- in fact, more than he thought it would be.

"When we ask to see something, they usually show it to us, and if we discover something through another channel and ask them about it, they usually show it to us. You can't put a grade on their products after five years; there are too many products to grade."

Because there are so many products and so many ways to use them with infinite contrasts in a given IT architecture of a business, the real onus will remain on developers to tailor their needs to the individual enterprise and implement patch management strategies and product upgrades accordingly.

"This is critical work because -- as more people and organizations conduct business, communicate, and access information online and personalize the delivery of information -- companies are relying on both a greater use of sensitive or personal data and the ability to share information across borders and devices," said Microsoft's Ladd. "Unfortunately, data is increasingly becoming the currency of crime, so it behooves us to reach out to experts to help address this growing concern."