Research, Apr. 2004: Trustworthy Computing: Making Software More Secure (Section 2 of 13)

Introduction
Since the introduction of its Trustworthy Computing initiative in Jan. 2002, Microsoft has focused substantial resources on addressing customers' security concerns, as well as reliability and privacy issues with its products. Beginning with the Windows Division and moving to other product groups, internal reviews of Microsoft technologies, processes, and practices are having a measurable positive impact. However, the ultimate goal of Trustworthy Computing, a point where customers trust and rely on computers at the same level that they trust and rely on telephones, is still far from being realized. For Trustworthy Computing, to borrow a famous quote from Winston Churchill, "This is not the end. It is not even the beginning of the end. But it is, perhaps, the end of the beginning."

Security Is the Cornerstone

Security, assuring that the confidentiality, integrity, and availability of data and systems are protected from attack, is the cornerstone of Trustworthy Computing. Unless security vulnerabilities are addressed first, reliability and privacy cannot be assured. For example, if a security vulnerability takes a line-of-business server offline for repair, then reliability and privacy goals are hopelessly undermined. (See the sidebar "Consequences of Poor Computer Security".)

Several well-publicized exploits have taken advantage of security vulnerabilities in Microsoft products over the past few years. The company's first major security eye-opener occurred in July 2001, when a self-propagating worm known as Code Red ran rampant, infecting hundreds of thousands of Windows NT 4.0 and Windows 2000 servers running IIS. Code Red generated an enormous volume of scanning traffic, slowing the Internet itself and clogging many organizations' internal networks. Another major incident occurred in Jan. 2003, when the Slammer worm infected servers running SQL Server 2000, as well as Windows clients running its desktop edition (MSDE).

In both cases, the aggregate cost of repairing infected systems may well have been in the billions of dollars, not including the harder-to-measure costs of lost productivity (while computers and networks were down) and damaged credibility (having to admit systems were infected and therefore not secure). (For a timeline, see the illustration "Key Trustworthy Computing Events".)

Lessons Learned

Microsoft learned many harsh lessons from its security experiences, including the following:

A framework focuses efforts. As Microsoft embarked on the Trustworthy Computing initiative, it found it needed a framework to help product groups focus their efforts. (See the sidebar "The Trustworthy Computing Framework".)

A security strategy must be proactive. Patches for both the Code Red and Slammer vulnerabilities (security bulletins MS01-033 and MS02-039, respectively) existed weeks or months prior to the attacks but were not widely deployed, even by Microsoft on its internal systems. The attacks demonstrated that the cost of addressing security issues proactively is certainly more predictable, and arguably much less expensive, than reactive, after-the-fact measures.

Patches need to be "trustworthy." The risk that inadequately tested patches will themselves break systems, which occurred in some cases, inhibits customers' willingness to install the latest software updates immediately.

Good security communication is essential. Customers often have difficulty appreciating how security vulnerabilities apply to their environment and how severe a threat they represent.

Customer involvement is essential. Regardless of Microsoft's best efforts, security problems persist unless customers implement patch deployment procedures and infrastructures, and keep up to date on Microsoft's latest security efforts, including new tools (such as Systems Management Server and Software Update Services), policies (such as new products shipping in locked-down mode by default), services (Windows Update), and communications procedures (for example, how Microsoft rates the severity of vulnerabilities so customers can prioritize patching).

Security is affecting Microsoft's bottom line. Microsoft's Chief Financial Officer John Connors admitted as much in Nov. 2003 when he acknowledged that enterprise sales over the prior quarter were weak in part because customers, partners, and the Microsoft sales force were distracted by concerns over the Blaster worm and the security vulnerability it exploited (the RPC DCOM flaw patched in MS03-026). At best, the billions of dollars spent either preventing or undoing the damage were siphoning off IT resources that might otherwise have been spent on new Microsoft products and technologies. In the worst case, security vulnerabilities were causing customers to skip a new product upgrade entirely, on the assumption that the version they were currently using was better understood, more mature, and inherently safer than a newer technology. Somewhere in the middle were customers opting to delay consideration of a new product upgrade for a year or more until subsequent service packs plugged most security vulnerabilities.

The Bigger Issue of Trustworthy Computing

Microsoft's security vulnerabilities also helped crystallize the view within the company that it was facing an even wider threat: the issue of "trustworthiness." Besides security, customers, partners, and consumers were also concerned about the following:

Reliability. Will the computer system be available when a user needs it and function at expected and promised levels?

Privacy. Are individuals given control over and notice of what data is being collected; do they have an explanation of how that data is to be used; can they correct inaccurate information; are forms of redress available when appropriate?

Business integrity. Can the organization providing the computer system or service (in this case Microsoft) be trusted? For example, can Microsoft be relied upon to clearly explain privacy policies and service levels and any changes made to them in the future?

These issues, along with security, kept showing up in many places. For example, among enterprise customers, security and reliability are paramount considerations when deciding whether to use Windows Server, SQL Server, and other Microsoft products as part of mission-critical systems, or to employ open source software alternatives. Likewise, in the consumer realm, fears about security, reliability, privacy, and business integrity all contributed to the scaling back of Passport and the scuttling of .NET My Services (code-named HailStorm), efforts that represented ambitious plans to become a major service provider and personal data repository for consumers.

What's Ahead

Even though Trustworthy Computing is about more than security, the ongoing security concerns about Microsoft products have kept customers focused on the subject, and continuing to improve the security of existing products remains a necessary first step. For this reason, the first three chapters, the bulk of this report, focus on security. This report includes the following chapters:

Secure by Design. Describes the changes under way to ensure that fewer vulnerabilities get into shipping software. We examine the progress Microsoft is making in this area, how customers might want to adopt some of Microsoft's "secure by design" practices for their own software projects, and how Microsoft must still change its development methodology to give security equal weight with both a product's features and its ship date.

Secure by Default. Describes how Microsoft is reducing the attack surface, that is, reducing the number of potential points of attack as well as the likelihood that any vulnerability an attacker might find in shipping software could affect a large number of users. We look at how Microsoft is beginning to ship software in a "locked-down" mode, with advice on how customers can properly configure any locked-down features they want to use. In addition, we look at how this change will impact customers and what Microsoft still must do to help customers deploy all of its products securely.

Secure by Deployment. Describes how Microsoft will distribute patches to make it easier for customers to keep Microsoft's products secure throughout their life cycle. We examine the information and tools Microsoft is providing to help customers know when and how to patch their software, and how Microsoft could still make it easier for customers to maintain secure systems.

Security Communications. Describes how Microsoft is working to improve its security-related communication outlets.

Reliability. Describes how Microsoft is working to define reliability in a complete and consistent manner, and to design more reliable products, make products more reliable with little or no administrator action, and keep them reliable throughout the product's life cycle.

Privacy. Describes how Microsoft is working to ensure that personal information Microsoft collects about customers and partners is kept private and used only as intended, and how Microsoft's products allow customers to ensure the privacy of the customer information that they themselves collect. Keys to privacy are giving people notice and choice about how their personal information is used and adhering to privacy directives such as the Safe Harbor.

Business Integrity. Describes how Microsoft is ensuring that its employees comply with its standards of business conduct, so that partners and customers can trust Microsoft.

Conclusion. Briefly summarizes future trends and changes that will impact security and Trustworthy Computing. Discusses Microsoft's biggest future security-related challenge: assuring consistency across the many product divisions within the company. Relevant issues include how groups disseminate information about security and vulnerabilities; how they create and distribute patches; and how patches themselves are applied and detected post-installation.

Appendices. Appendices to this report provide additional information, including the following: