Microsoft's 'chain of trust'
Craig Mundie's recent keynote speech on End to End Trust demonstrates a new focus for the company, says analyst Jon Oltsik.
It's been a few weeks since the RSA Conference 2008 and I'm now preparing for Interop. Nevertheless, I wanted to get in my two cents worth regarding Craig Mundie's RSA keynote address on what Microsoft is calling "End to End Trust."
End to End Trust? What about the often-discussed Trustworthy Computing initiative that Microsoft introduced in 2001? It's still around but Microsoft realized that Trustworthy Computing alone may not be enough. So what else is needed? Craig Mundie mentioned:
• 1. A chain of trust. As the old security saying goes, "the security chain is only as strong as its weakest link." Microsoft has done a good job making Windows more secure with each iteration but it really doesn't matter if the bad guys compromise your data by hacking in at the application layer. Microsoft is suggesting a model where the entire technology stack must adhere to a trust relationship (i.e., each piece is authenticated and validated and all changes must be approved) where every component relies on the others.
• 2. A new identity model. Identity is no longer about user name and password alone. In today's computing environment, you also have to consider device type (i.e., am I communicating via my PC, cell phone, or PDA?), location, and the user's work and personal profile. Yes, this complicates things but there is no getting around the fact that I use the same laptop to do my job during the day and then bid on vintage Gretsch guitars at night.
• 3. Industry participation. Microsoft readily admits that it can't establish end-to-end trust on its own. Of course, Microsoft won't be shy about suggesting technologies for connectivity and standardization, but it really does need help here. It's time that the security industry stop its outright mistrust of Microsoft and extend an olive branch.
In my view, Mundie's keynote was effective in that it really got the industry's attention. Many security professionals and vendors recognize the need for this End to End Trust model while organizations like the Computer Security Institute (CSI), the National Institute of Standards (NIST), and the Trusted Computing Group (TCG) are already working on similar efforts.
In past years, Microsoft keynotes were full of product demonstrations and funny video montages. Its End to End Trust discussions demonstrate a new Microsoft focus--and the remaining problems associated with information security.