News

Mundie Plugs Trustworthy Computing

• By Scott Bekker
• November 18, 2002

The focus of Microsoft's "Trustworthy Computing" initiative will move from security to areas such as privacy, reliability and Microsoft brand integrity in its second year, according to Microsoft's chief diplomat.

Craig Mundie, senior vice president and chief technology officer for advanced strategies and policy at Microsoft, provided an update on Trustworthy Computing in a speech in San Francisco last week.

Mundie first publicly introduced the concept of Trustworthy Computing a year ago, although it became a household word in IT circles in January after Microsoft chairman and chief software architect Bill Gates wrote a company memo about the initiative.

Trustworthy Computing involves Microsoft's efforts to improve the security, privacy, reliability and business integrity, or brand integrity, of its software and services. During the first year of Trustworthy Computing, Microsoft largely focused on security issues, with the developer training and code review surrounding Windows .NET Server 2003 being the highest profile project.

Going forward, Mundie predicted Microsoft would make "continuing progress in security" but that the company would have other areas of focus as well. "We'll continue to make progress in the privacy area with more and more of both the services and systems being very transparent with respect to the person identifiable information and how it's gathered and administered," he said. More lists and materials will probably move to opt-in defaults, Mundie said.

Microsoft's Trustworthy Computing initiative will also concentrate on making it easier for customers to comply with new regulations. "There will be continued work to try to find ways to be compliant with the emerging regulations like HIPAA and Gramm-Leach-Bliley and even the Sarbanes-Oxley stuff that just happened," Mundie said.

Reliability will be another key area for Trustworthy Computing, with an emphasis on the feedback loop that automatically generates error reports during application failures that users can elect to send back to Microsoft. "As more of ... the third-party software vendors ... instrument their apps in a way that they can take advantage of that closed loop thing, and we come up with better ways to distribute more than just Windows and Office on an automated update basis, all of these things will basically ratchet overall system and application reliability up another level in the next 12 to 24 months," Mundie said.

As for business integrity, Mundie said, Microsoft will scrutinize more closely whether Microsoft is writing contracts or using support mechanisms that inspire trust in the company and the brand. That extends into providing better uptime for commercial services that Microsoft offers, Mundie said.

In addition to the forward-looking view of Trustworthy Computing, Mundie provided a look back at the security efforts. In addition to the developer training and product code reviews, Mundie highlighted:

Configuration changes in Windows XP Service Pack 1 to prevent the system from automatically joining an insecure wireless local area network.

Setting changes in Service Pack 1 for Windows XP Home Edition that enables the Personal Firewall by default.

The source-code licensing program to encourage university and research organizations to examine Microsoft code for security vulnerabilities.

Free hotfix and configuration management tools that have been made available for download over the last year.

Ongoing security commitments. "We didn't fall off the turnip truck just a year ago and decide we should think about these things," Mundie quipped. He pointed to the three-year process to earn the Common Criteria security evaluation for Windows 2000 as an example of Microsoft's ongoing commitment to security.