Companies find new ways to build computer security
SAN FRANCISCO - Computer security is often about keeping
the bad guys out. On Tuesday, Microsoft unveiled a
series of technologies that make it easier to let
the right people in.
Microsoft Chairman Bill Gates and chief research
and strategy officer Craig Mundie made the announcements
at the RSA security conference here. The keynote discussion
followed the conference kickoff, a Broadway-style
rendition of Queen and David Bowie's song "Under
Pressure," with added lyrics about "a world
without malware" and dancers dressed in monk's
costumes alluding to this year's theme of a Renaissance
cryptographer, Leon Battista Alberti.
Microsoft's new products and partnerships are all
designed to help companies and people get access to
their software programs and information, while still
protecting both the users and their data from intruders.
Instead of locking data and users inside a techno-fortress,
the technologies will allow people and companies to
set up specific rules about who has access to information,
and how and when, without limiting the freedom to
move from place to place and use several devices.
"We've been in the Medieval Age of computer
networking and access," Mundie said, with an
image of a castle behind him. "We build thicker
walls, higher turrets, put moats out in front, bigger
drawbridges. And what we didn't really see coming
yet is essentially the airplane and the air-to-surface
missile and other things," he said, referring
to more powerful intrusion methods and malicious software
called malware.
Another problem, according to Mundie, is that people
often leave the relative safety of the corporate "castle"
to access information from home, on the road or at
another business' office, which opens up security
holes in companies' networks.
"We have people who say, 'Hey, no matter where
I am, I want to be able to get at the stuff in the
castle, so please leave the drawbridge down, and make
sure there's lots of little paths for me to come back,'"
Mundie said.
Microsoft's Identity Lifecycle Manager 2007, available
in May, will allow companies to manage how their employees
access data, whether it's a person using a "smart"
card with radio frequency identification chips inside
or a worker using one program to retrieve information
from another. The term "lifecycle" refers
to the fact that there's a secure process for getting
to data, including signing in, acquiring the information,
and then taking it off the machine once it's been
used.
"They're trying to build more intelligence into
the technology environment, so the system runs itself
better," said Ace Swerling, security practice
director at Avanade, a technology consulting firm
partly owned by both Accenture and Microsoft.
Both Oracle and Sun Microsystems also have products
that allow companies to manage their workers' identities
inside the corporation.
Microsoft also announced that Windows CardSpace,
the identity management software that shipped with
the new Windows Vista computer operating system last
week, will soon work with the OpenID identity standard.
CardSpace is software that allows people to use a
small number of virtual "cards" to securely
identify themselves to several Web sites, instead
of remembering a long list of usernames and passwords.
Gates said that passwords "might be the weakest
of all the weak links" in security. "People
use the same passwords on consumer things they sign
up for that they use in the corporation. So passwords
are not only weak, passwords have a huge problem in
that if you get more and more of them, the worse it
is," Gates said.
Last week, Cupertino security software maker Symantec
unveiled Norton Identity Client, which will validate
a consumer's identity to online stores and sites.
Symantec said it hopes to support both CardSpace and
OpenID.