|
Gates Makes Case for 'Trust Ecosystem'
Published: February 15, 2006
by Alex Woodie
The community of IT developers and users needs to come together as part of a "trust ecosystem" if digital collaboration is going to make the next leap forward, Microsoft chairman and chief software architect Bill Gates said in a keynote speech at the RSA Security conference in Silicon Valley yesterday. As part of this trust ecosystem, Gates called for the creation of a technological framework to identify people, devices, and code.
There is no doubt that security is on the minds of many IT professionals as we start 2006. A quick glance back at the headlines of 2005 shows one security breakdown after another. Hackers infiltrating file servers, lost backup tapes and laptops, worms that spread with no user input, and an increase in zero-day exploits have led computer users of all skill levels to question whether computer security is broken, and rightly so.
This isn't a theoretical problem--people are being hurt by bad security. Consider that, in the last 12 months, more than 52 million individuals in the U.S. have had their personal information compromised by lapses in computer security, such as network breaches or lost backup tapes, according to the Privacy Rights Clearinghouse, a non-profit San Diego-based group dedicated to raising awareness about how technology can compromise people's identities.
These are the types of statistics that keep IT professionals up at night, as they should. Gates, who holds simultaneously the titles of IT visionary and IT robber baron, has both the technological abilities and the financial incentive to do something about it. And judging from his yesterday speech and Microsoft's announcements, the folks up in Redmond realize that IT pros need to step it up a notch in the security department.
Ecosystems of Trust
While Microsoft has been pushing its "Trustworthy Computing" initiative for years, its results still leave something to be desired. In fact, total security is something that can never be truly attained, especially in today's environment where new threats are constantly evolving. Gates undoubtedly realizes this, but says huge steps forward can be made toward building confidence in Internet security by developing a trust ecosystem.
What is a trust ecosystem? According to Gates, it's the interrelationship of three components: code, devices, and people. "What we need here is an ability to track those trust relationships, to be able to grant permissions, and to be able to revoke those trust relationships, to develop reputations over time," Gates said during his keynote address. "If a piece of code is not behaving appropriately, it should be marked that way and therefore blocked from being used on different systems."
There is currently a no-trust ecosystem in place, Gates says, and people either accept the risks inherent in sharing information across the Internet, or they don't share any info at all. That has to change, and is starting to change, he says. "There's been a lot of great work on this trust ecosystem around the Web services protocols in the trust area, and so I really think we are laying the foundation for what we need here," he says.
In a short interview conducted by Mike Nash, the head of security at Microsoft, Gates says that federated identity management frameworks aren't yet widespread, but momentum for them is building. What's needed now is something that will bump interest in federated identity management to achieve critical mass, Gates says.
While there are many aspects to Gates' idea of the trust ecosystem (who you add to your buddy list in an instant messenger applications is one example, and helping developers to write tighter, cleaner code through WinFX is another), Microsoft has specific products in the works that will go directly toward fulfilling Gates' idea of the trust ecosystem.
Much of Gates' talk about a trust ecosystem appears to be pointing toward InfoCards, a new identity management technology that will use Web services standards and Kerberos authentication, and which will debut later this year with Windows Vista. In his speech, Gates used InfoCards and the term "smart cards" almost interchangeably, and described their function as "this new way of showing who you are and only revealing what you want to reveal."
Smart cards will gradually replace passwords, Gates says. "A key use of [the trust ecosystem] will be about people and the need to manage certificates," he says. "We have a Certificate Lifecycle Manager, so if somebody comes in that doesn't have their smart card, they can get that renewed very easily. Having the revocation and issuance work as easily as passwords do today is a critical element here, and I don't pretend we're going to move away from passwords overnight, but over, say, a three- or four-year period for corporate systems, this change should take place and can take place, and there's no need to give up simplicity as we do that." (Let's just hope Gates is more accurate in his prediction over the demise of passwords as he was in his prediction two years ago that we'd have the spam problem licked by now.)
The Certificate Lifecycle Manager that Gates mentioned appears to be a component of the InfoCards technology being built into Vista. In any event, it was released in beta form yesterday, said Howard Ting, who works in the Windows Server group, and participated with Gates in yesterday's keynote address at the RSA Conference.
In conclusion, Gates called on IT professionals in attendance at RSA to work harder to make their systems more secure, which will foster the idea of the trust ecosystem. "We're really just at the beginning of the trust ecosystem," Gates says. "We've all got a common challenge here, and yet an amazing opportunity to let these digital systems be used in the broadest way."
|
