Microsoft's chief security strategists are asking for help.
The massive software vendor is working harder than ever to do its part to improve online security, but the company cannot solve all the electronic world's ills alone and must have broader support from across the IT and Internet communities to speed up progress, Microsoft officials said at the ongoing RSA Conference 2008 in San Francisco.
Despite the fact that Microsoft and other mainstream technology vendors have made a concerted effort to improve the quality of their products and services -- over the last several years, in particular -- to respond to the Internet's blossoming security epidemic, today's problems are too widespread and fast-moving to be addressed unless new industry standards and technological vehicles can be created to help foster stronger online protection, executives with the company said.
Only by driving industry collaboration around issues of online authentication and identity protection can the Web be made a place where people can again trust the systems and services they seek to use with any level of confidence, said Scott Charney, corporate vice president of Trustworthy Computing at Microsoft.
Just as Microsoft has utilized its Trustworthy Computing initiative in an effort to reduce the number of vulnerabilities in its products and integrate stronger security tools into its software and online services, the Internet community at large needs to readdress authentication and identity if it hopes to regain users' faith, Charney said.
The executive has also authored a 20-page white paper manifesto outlining Microsoft's hopes for broader collaboration around online security and trust. The company's chief research and strategy officer, Craig Mundie, outlined the vision further in his RSA keynote address on Tuesday.
"For a long time, the industry didn't do security well, and because of its market share, Microsoft became a very important player in all of this," said Charney. "We think that we've done a good job of improving things over the last six years, but still it's not enough, and we need industry cooperation to do more in the Internet space."
Charney's paper and Mundie's speech express the need for a vision of "end-to-end trust" to be embraced among many different technological and social constituencies to aid in everything from helping companies do business faster and more securely online, to better protecting children who access the Web.
Technology vendors, service providers, industry bodies, and government agencies must team up to create methods by which people can communicate online with assurance about each other's identities while preserving privacy and anonymity, the experts said.
Microsoft's latest strategy calls for continued development of a "trusted stack" of IT products and online services, throughout which individual elements will authenticate with one another more comprehensively, reaching from the operating system all the way to end-user devices and applications.
Another prerequisite will be a system that includes elements of authentication and audit, while allowing individuals to preserve their identities online. The company also contends that there is a need for new industry standards and regulations that help the entire ecosystem to survive and flourish, Charney said.
"The things that we've done [at Microsoft] to date are foundational and need to be taken to the next level; we've made the OS more secure, but subsequently, the attacks have moved up the stack into applications," he said. "As an industry and as a society, we've already done a lot of good things to help improve online security, but a lot of the threats are such that we need to push this issue of trust and collaboration not just within the industry, but also with consumer groups, politicians, and privacy advocates."
In terms of the work already being done along these lines, Charney pointed to projects such as the Trusted Computing Group's Trusted Platform Module (TPM) hardware-based encryption standard as an example of the type of initiative that will need to be expanded even further in the coming years.
Microsoft will build hooks for more native systems of security and privacy into everything from its Windows OS and Office products to its own online properties and mobile device technologies, the executives said, but the company's central hope is that its call for action echoes across the RSA conference and the IT community at large, said Charney.
"Work with us, help inform us, we are a technology company, and we're trying to do a better job of engaging with important constituencies, including our governments. The result of those discussions brings into relief how hard these problems are, and how difficult the trade-offs will be," he said. "We're not presumptuous about this; it's easy to pose these questions -- the hard part will be finding the answers."