'Trustworthiness' still a goal for Microsoft

Assessing the progress three years after the 'Trustworthy Computing' memo

January 15, 2005 -- a Saturday -- will almost certainly pass quietly on the bucolic Redmond, Washington, campus of Microsoft Corp. But for those in the field of information technology security, who often make a sport of following the company's struggles to secure its products, the date is certain to attract some notice: it's the third anniversary of a now-famous internal Microsoft e-mail dubbed the "Trustworthy Computing" memo.

Three years after the release of the 1,500 word memo from the company's founder and Chief Software Architect , Bill Gates, those inside and outside Microsoft credit Trustworthy Computing with setting in motion vast changes that have improved the security of many of Microsoft's products. At the same time, customers and industry experts wonder aloud whether Microsoft will ever fully realize Gates' vision, taming the company's massive stores of legacy software code and reconciling its desire to please consumers with its duty to protect them from threats.

Addressed to all full-time employees at Microsoft and its subsidiaries, Gates' Trustworthy Computing memo announced an ambitious program to make Microsoft's technology more secure and reliable, and signalled a profound change in the culture of the world's leading software maker. In it, Gates re-oriented the priorities of the company he founded in 1978, and which made him into the world's richest man in the 1990s by turning out easy-to-use software applications that were tightly integrated with the company's dominant Windows operating system.

Written just months after the Sept. 11, 2001 terrorist attacks in the U.S., the Trustworthy Computing memo likened the need to secure his company's software to the new imperatives of securing the nation's critical infrastructure such as airlines, electrical, telephony and water services.

Compared to the reliability of such critical services, "computing falls well short," Gates said, noting that the insecurity and instability of computing systems had a subtle but pernicious effect on technology adoption.

As explained by Gates in the memo, four important aspects comprised the new initiative: availability, security, privacy and trustworthiness.

On the issues of availability and security, Gates proposed an end to two of the most frequently heard complaints about his company's software: that it crashed far too frequently, and that it was riddled with vexing security holes that exposed customer information to harm.

Microsoft should also protect the privacy of its customers' data and allow them to control how their data is used, Gates said. Finally, Microsoft needed to look beyond bugs and availability, creating an industry-wide computing ecosystem that was "trustworthy" from "smart" software and services down to the processor chip, Gates said.

Within Microsoft, the memo "absolutely changed the mindset of the company," said Gytis Barzdukas, director of product management in Microsoft's Security Business and Technology Unit.

Barzdukas worked in Microsoft's Office product group when the memo was sent. As an example, he recalls halting development on Version 11 of Microsoft Office, the company's most profitable product, for an entire month in 2003 to conduct a security review of all Office components.

That kind of decision would have been unheard of in the go-go days of the 1990s, when Microsoft's focus was on shipping its products fast and on crushing the competition, such as rival Web browser Netscape, with key features, said John Pescatore, vice president at Gartner Inc.

"Microsoft was of the opinion that nobody cared about security -- what they wanted was integration ... something so easy that (their grandmother) can use it," he said.

At the organizational level, Microsoft shook up its product-focused development groups, creating the cross-product Trustworthy Computing group to develop policies for the entire company. Security experts in that group consult with Microsoft's key customers in the private and public sectors, and provide guidance on developing security strategy and architecture for Microsoft products, he said.

Internally, the company also devoted resources and people to security. For example, in addition to stopping development on both its Windows and Office products for a review of code security, Microsoft began investing more energy and resources into automated code scanning tools that can spot the mistakes that create security vulnerabilities in the company's products, Barzdukas said.

The result has been a 69 percent reduction in the number of critical security vulnerabilities in bulletins since Trustworthy Computing began, he said.

In three years, Microsoft has also trained legions of security experts within the company's ranks. To date, the company has more than 400 employees on staff with CISSP (Certified Information Systems Security Professional) certification, compared with just a dozen before the Trustworthy Computing memo was released, Barzdukas said.

For its consumer and enterprise customers, Microsoft also streamlined its processes for distributing software updates and emergency security patches. The company began aggressively pushing its automatic software update, available with the Windows 2000 and subsequent operating system releases. To date, the company has increased the number of people using the Autoupdate feature by between 300 and 400 percent, Barzdukas said.

Microsoft also improved its policies for releasing security patches, moving from a scattershot system of "as needed" software updates to a predictable, monthly schedule of software security updates and a clearly articulated rating system for security updates.

On the subject of "trustworthiness," Microsoft has taken pains to share information and best practices with other companies in industries such as antivirus software, Barzdukas said. Today, the company takes an active roll in a number of industry groups, from the Virus Information Alliance, a group of leading antivirus and e-mail security companies that share information on new virus outbreaks, to the Global Infrastructure Alliance for Internet Safety, a security-focused working group of global Internet service providers (ISPs).

The company also took the lead on important industry standards, including WS Security, a Web services security standard Microsoft co-authored with IBM Corp., and Sender ID, an e-mail sender authentication standard that the company has aggressively promoted to ISPs and e-mail technology companies as a partial fix for phishing scams and spam.

Perhaps the biggest accomplishment of Trustworthy Computing, though, has been making security matter -- not just to the company's founder, but to its executives and product managers, Gartner's Pescatore said.

Citing a recent visit to the Redmond campus to discuss the upcoming release of the company's SQL Server product, code named "Yukon," Pescatore said that security is still one of the top three features of the product. That continued focus on security will, over time, foster a more security-conscious culture at Microsoft, Pescatore said.

Jeff Payne, chief executive officer of Cigital Inc. in Dulles, Virginia, which provides software security consulting, agrees with that assessment.

"Trustworthy computing has started to get (Microsoft) to realize that you have to balance speed to market with the security people expect," he said.

Microsoft's investments in technology and processes since the Trustworthy Computing memo came out have made life easier for John Halamka, chief information officer at CareGroup Healthcare System in Boston.

Halamka said that CareGroup hospitals, such as the Beth Israel Deaconess Hospital in Boston have had fewer issues with security breaks and viruses in recent years, due in part to Microsoft's improved patch delivery program and what appears to be tighter software development practices.

"You don't get the egregious (software holes) that you used to get in beta releases. It seems like they've put a significant amount of research and development dollars into better security and to ensure the integrity of their core products," Halamka said.

Payne voiced a similar opinion.

"The severity of (Microsoft) bugs and issues in patches has been going down significantly -- and that's what you want to see happen," he said.

Despite unquestioned improvements in both the security of its products and its internal processes for addressing security issues, however, Microsoft is still far from realizing the vision set out by Gates in the Trustworthy Computing memo, experts agree.

Chief among the challenges facing the software giant is shoring up the millions of lines of existing, or "legacy" computer code, some of it dating back to the early or mid-1990s.

"The big problem (Microsoft) has is just that Windows has been so bad for so long. There's a huge mass of (insecure) code," Pescatore said, noting that the company's decades-old obsession with features and integration is to blame.

"Lots of Microsoft's strategy entailed jamming applications into the operating system -- a Web browser, a media player -- and that violates the principle that keeping something small makes it more secure than something big," he said.

"They're trying very hard," said CareGroup's Halamka, "but they're also fighting the legacy of highly complex code that's going to make ongoing maintenance of their products hard."

At a deeper level, Microsoft also has to find a way to reconcile the diverging needs of its two main customer groups: consumers and businesses, Pescatore and others said.

"If you think about how Microsoft became great, it was by putting control in the hands of users -- helping users overcome the IT organization that wanted everything to run on a mainframe in the basement," Pescatore said.

However, in enterprise computing, putting power in the hands of users is the last thing IT administrators want, and Microsoft essentially sells the same products to both groups, he said.

The August release of a massive software update for the Windows XP operating system was a good example of Microsoft's often awkward attempts to meet the needs of both communities.

Almost two years in the making and months overdue, Windows XP Service Pack 2 (SP2) featured a new security interface, a much-enhanced version of the Windows firewall and a number of configuration changes that make it harder for Windows systems to be compromised.

The update was good news for most home users of Windows, whose machines make up the bulk of compromised hosts on the Internet. However, security experts and even Microsoft itself began warning well in advance of SP2's release that some changes could affect other installed software.

Almost as soon as the update was available to Microsoft's enterprise customers, companies -- including IBM -- warned their employees not to download it, for fear that installing SP2 would break or destabilize critical enterprise applications.

Microsoft also found itself in hot water over its decision to push out the 75MB to 100MB update to user desktops through its automatic update feature, potentially circumventing the IT policies of many of its enterprise customers, and causing a huge bandwidth crunch.

Seemingly unaware that many enterprises used the automatic update feature to distribute software patches to their users, Microsoft was forced to delay distribution of SP2 over automatic update for nine days, while customers used a Redmond-developed tool to deactivate the delivery of SP2 using the automatic update feature.

Microsoft also faces challenges on the issue of "trustworthiness," experts agree.

While ostensibly agnostic in its efforts to promote better security across the computing world, Microsoft has also engaged in a war of words with the open source software community over the question of whether its proprietary software is less secure than Linux. In recent years, Microsoft funded a study by Forrester Research Inc. that found Linux more expensive to develop applications for than Windows. The company also raised eyebrows when it purchased $21 million in licenses from Unix provider The SCO Group Inc. in May 2003, shortly before that company renewed threats to sue IBM over portions of the Linux code SCO claims to own.

On the question of standards, Microsoft is still widely perceived as a company that wants to go its own way and use its dominance of the desktop operating system market to force adoption of its own standards, Pescatore said.

An example of this can be found in its strong backing of the Sender ID e-mail sender authentication, a nascent standard that Microsoft is aggressively promoting.

The company won praise from the standards community after it agreed to combine a Redmond-developed technology standard called Caller ID with a very similar technology called Sender Policy Framework, developed by Meng Weng Wong at e-mail forwarding company Pobox.com.

However, the merged Sender ID standard soon ran into trouble after talks between Microsoft and leading open-source software groups to resolve concerns about patent and licensing issues with the proposed standard broke down, prompting the Internet Engineering Task Force and major corporate backers, such as America Online Inc., to withdraw support.

The company also withdrew from a United Nations group developing software standards for commerce citing vague "business reasons," reportedly after the company grew dissatisfied with intellectual property rights guidelines used in the group.

"Microsoft is not being a good citizen on security standards," Pescatore said. "I think they still have a hard time resisting the temptation to say 'We're so big, we can get our standard adopted,' versus saying 'We'll be a good citizen and adopt this standard, even though there's not competitive advantage to doing so.'"

Still, Trustworthy Computing may succeed in improving the security of the Internet, even if it fails in some of its stated goals, experts agreed.

"We've been saying for a long time that someone needed to step up and take a lead in the software market to develop better software... (Trustworthy Computing) is pushing everyone in the software market to step up and answer questions," Cigital's Payne said.

Pescatore agreed, saying that Trustworthy Computing has prompted changes from other companies, such as locking down features on newly shipped (or "out of the box") products.

More recently, Microsoft competitor Oracle Corp. announced plans to change to a monthly software patch distribution cycle, similar to the popular system Microsoft now uses, Pescatore and others noted.

And, for companies like Cigital, Trustworthy Computing has been a boon for business -- sending a message that security was important and prompting countless companies that start thinking about the cost of poor security, Payne said.

While outsiders may debate the significance of Trustworthy Computing, Microsoft is celebrating the release of SP2, which Barzdukas called a "major milestone."

Many of the more advanced security features Microsoft has promised are tied to the release of the next version of Windows, code named "Longhorn," which Microsoft has tentatively scheduled for 2006. In the meantime, the company plans to announce a number of other "interim" Trustworthy Computing milestones in the first half of 2005, but is not yet ready to share details about them, Barzdukas said.

As for the future of the program, Barzdukas said it may never formally end. "It's a new standard in the industry. A new way for Microsoft to do business. We're never going to be completely secure from the technology perspective, so Trustworthy Computing for us is a journey -- kind of like life," he said.

(Joris Evers of the IDG News Service contributed to this story.)

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies