Gates Focuses on Security Fundamentals at RSA
At their keynote address to the RSA conference yesterday, Bill Gates and Craig Mundie made a number of points that are welcome and long awaited.
First, the recently released Vista and MS Office 2007 were built from the start using the company's security-conscious software development methodology. This is important because security is a function of the structure of a system, not a feature that can be added on later, any more than you can provide structural integrity to a building by adding a room.
Second, there was a recognition of the demise of the network perimeter as the dividing line between "us" and "them." Remote users, business partners, and customers outside the firewall now need as much access to IT assets as those inside the perimeter. The new solution, according to Gates, is security by policy, not topology. Agreed.
Next, IPSec and OpenID are part of Microsoft's long-term strategy. The good news here is that the company is not trying to go its own way with proprietary standards. The days of MS setting the agenda and others following are over.
Gates and Mundie recognize there are still plenty of challenges ahead. There was a lot of talk about object-based security. For example, a document should have embedded authorizations that allow and disallow functions according to policies defined by the owner, not based on where it sits on the network server.
This model works with fairly coarse-grained objects, like documents and media files, but not others. The amount of data in a fine-grained object, like a transaction in a database, can be many times smaller than the authorization data needed to protect it. Encryption and host security are still the best protection for these fine-grained objects. Perhaps we'll see a lightweight mechanism for storing minimal authorization information developed for database transactions.