More than a decade ago, Bill Gates issued a call to arms that led to the establishment of the Trustworthy Computing Group (TwC) at Microsoft. Several industry-leading developments, such as the Security Development Lifecycle, have come out of TwC, but things in 2013 are very different from what they were in 2002.
How relevant is Microsoft's trustworthy computing mission in today's world? Very, especially in the emerging IT landscape, one would believe. A deliberation organized at Microsoft HQ in Redmond in May (which incidentally followed a Security Development Conference in San Francisco on May 13-15) tried looking for the answer. The increasing adoption of cloud computing by enterprises of all hues illustrates this relevance like nothing else. Add to it the not just continuing but growing threat of cyber crimes, and it all boils down to a deadly concoction that needs a strong antidote like Microsoft's Trustworthy Computing Group.
Facilitating Cloud Adoption
Given that a cloud future is a fait accompli, it is surprising that 44% of enterprises still cite security concerns as a cloud barrier; 61% feel industry standards, and 59% feel transparency, would increase confidence. Jeff Jones, director, TwC, feels that Microsoft's Cloud Security Readiness Tool (CSRT) could go a long way towards providing this assurance.
The results of a survey across enterprises that have used CSRT over a six-month period reveal that most organizations are relatively immature across almost all of the control areas represented in the CSRT. Most organizations are focused on information security through deployment of AV/antimalware software, security architecture through clock synchronization of networked PCs, and controlling user access to data.
Nevertheless, vulnerabilities remain on several fronts, as Jones admits. There is not much effort either on HR security through prudent hiring practices or on operations management through effective capacity planning and equipment maintenance. There is also a distinct lack of focus on information security through consistent incident reporting and on legal protection through use of NDAs.
Disrupting Cybercrimes
Do the names Waledac, Kelihos, Nitol, Rustock, Zeus or Bamital sound familiar? No, they are not homeopathic medicines or Greek gods; they are botnets that have been taken down since 2009. Since botnets exploit victims, both directly and indirectly, by stealing information, hijacking searches, launching DDoS attacks, or spamming and phishing, T.J. Campana, director, security, advocates a combined legal and technical approach from Microsoft to sort out this issue.
Microsoft, for one, has taken a very aggressive stance on cyber crime in recent years. The most visible piece of this arsenal is the Microsoft Digital Crimes Unit (DCU), a small group of engineers, security experts and lawyers who spend their days tracking botnet operators and malware writers and helping law enforcement agencies around the world identify and find them.
"The bad guys are getting better at what they do, and we want to be a force-multiplier for good. Our job is not law enforcement. Our goal is to transform this fight to really disrupt and destroy the way cyber criminals operate," said T.J. Campana, director of security at the DCU. Microsoft, along with law enforcement agencies and other vendors, has succeeded in taking down several botnets in the last few years, including Kelihos, Zeus, Waledac and Rustock. In many of these cases, along with sinkholing the target botnet's command-and-control servers, the Microsoft DCU team has used court orders to physically seize servers. This tactic has been somewhat controversial, but Campana said the nature of the threats has made it necessary.
Privacy in Action
Trends such as ubiquitous computing, Big Data, socially tailored experiences and greater use of biometric data have led to the growing significance of privacy. Brendon Lynch, chief privacy officer, Microsoft, reiterates that the company supports a shift towards a global privacy framework with increased focus on appropriate use of data.
According to Lynch, one of the most difficult issues to handle will be ubiquitous computing. Data is available constantly and in virtually any form the user desires. It can be an asset, but it is likely to get more challenging in the near future as computing moves from being device-centric to being virtually everywhere.
Microsoft has kept privacy considerations as part of the process for every product rollout, says Lynch. The IT giant not only employs many Certified Information Privacy Professionals, but its privacy program also encompasses Privacy by Design, which includes all the people, processes and technologies that are committed to maintaining and enhancing privacy protections.
Protecting The Enterprise
Over 100,000 vulnerability reports that enterprise customers come across are managed and monitored by the MSRC (Microsoft Security Response Center). Highlighting the action taken, Mike Reavey, senior director, MSRC, added that the MSRC not only identifies, monitors, resolves and responds to security incidents but also manages the regular security bulletin release process and handles all customer-facing communications, namely through tweets, blogs, webcasts or bulletins.
He said that security experts provide information to an enterprise about possible workarounds and mitigations. The security bulletin also helps assess risks and respond more effectively. He added that as soon as a security incident affects a customer, the MSRC mobilizes Microsoft resources worldwide, including external partners like industry collaborations and law enforcement partners like the FBI, Interpol, etc.
Protection Against Malware
A recent Microsoft Security Intelligence Report (SIRv14) takes a close look at the importance of running up-to-date antivirus software. The research shows that, on average, computers without antivirus software are 5.5 times more likely to be infected.
Adding to this, Holly Stewart, senior program manager, said, "The Microsoft Malware Protection Center (MMPC) helps protect more than 600 million computers worldwide on a monthly basis and is committed to raising the level of protection for all its customers."
By continuously gathering and analyzing data, and by working with organizations inside and outside Microsoft, the MMPC stays agile to combat evolving threats. Living up to its mission of protecting customers and systems, it quickly responds to malware outbreaks, advises customers, and engages in valuable partnerships.
Conclusion
Current IT trends clearly indicate that security leaders, like Microsoft, have to rethink their approach and give more importance to security, access and privacy considerations.
Rachna Garga
(The author was hosted by Microsoft in Seattle and San Francisco)
First published in DQ Week