In Search of Trust

Microsoft's end-to-end trust initiative is long on vision, but short on developer details.

When Microsoft's Chief Research and Strategy Officer Craig Mundie addressed the annual 2008 RSA Security Conference in San Francisco last month, he took Microsoft back over some well-trod ground, in a very big way.

Mundie used the high-profile confab to unveil Microsoft's "end-to-end trust vision," which takes aim at the growing array of threats and vulnerabilities that plague every connected device, service and piece of software. Mundie argued that these threats target everything from the operating system running the machine to the user punching the keys, and that the industry must enable what he called a "trusted stack." This stack would span the gamut of hardware, OS, application and service layers.

The proposal has its roots in an earlier Microsoft initiative, the Trustworthy Computing effort launched in January 2002. That push is widely credited with improving Microsoft's abysmal software security record and helping make products like SQL Server and Windows Server appropriate for high-stakes enterprise deployments.

"Having gotten -- I'll call it the core stuff -- in place, we now look at the next requirements being sort of a trusted stack of software," Mundie said in his keynote.

Critics contend that the end-to-end trust effort is too ambitious for Microsoft to execute, and is both heavy on platitudes and short on deliverables. Many question how Microsoft will equip developers to achieve its goals.

"It sounds nice on paper, but I don't think even Microsoft can pull that off," argues Gary McGraw, CTO of Cigital Inc., a Dulles, Va.-based provider of software quality and security solutions, and author of numerous books including "Software Security: Building Security In" (Addison-Wesley Professional, 2006).

"If we really want to have trust from end-to-end, that means the end will have to be owned by the people who want the trust," McGraw says of Mundie's pitch. "So who's the trust for? The user? Microsoft? Intel? We're pretty quickly going to be getting into issues of individual computational liberty versus some amount of security goodness."

The call for building an ecosystem based on a trusted infrastructure comes as some at RSA warn of increasing threats to the security and reliability of government and commercial computer systems.

"The potential consequences of a cyber attack are very real and every bit as concerning as the potential of a physical attack on the order of what we saw on Sept. 11," said Homeland Security Secretary Michael Chertoff, who also addressed the RSA conference. "Managing the risk of a cyber attack is not quite the same as managing the risk to our airline system or our transit systems or our borders," he continued.

Developer Questions
McGraw praises Microsoft's effort to address evolving threats that target the digital economy, but he says any effort Microsoft hopes to lead will have to directly target and engage developers.

"By and large, developers want to do the right thing," he says. "If you tell them what the right thing is, they'll more than likely do it. Microsoft has done a pretty decent job of telling them, and I think that's more important than focusing attention on this end-to-end stuff."

McGraw points out that the application layer has emerged as the area most vulnerable to attack. He says that in the Web-facing world, attackers often gain access by leveraging the functionality of an application, rather than defeating some security mechanism.

Analyst Neil Macehiter of U.K.-based Macehiter Ward-Dutton cites this dynamic application environment in applauding Microsoft's vision.

"Developers should be focusing on the business logic, not the security implementation," Macehiter says. "They should be in a position where they can declare what they need and a set of identity and security services delivers it for them -- [for example,] 'I want this request to be authenticated using a digital certificate' -- rather than implementing low-level security code," Macehiter says.

For .NET-aligned shops, the evolution and ubiquity of Windows Communication Foundation (WCF) and Windows CardSpace may prove to be pivotal in making that business logic more secure.

Microsoft's latest effort toward that end centers around plans to integrate the U-Prove technology of Credentica Inc., a company it acquired in March, into WCF and CardSpace. Ted Ritter, analyst at the Nemertes Research Group Inc., says that successful integration of U-Prove into WCF could bolster identity management within the framework.

U-Prove is an encryption and authentication system designed to allow users to conduct secure digital transactions while revealing as little about themselves as possible -- what Credentica calls "minimal disclosure."

Tooling Trials
If Microsoft expects developers to produce "trusted" applications, it needs to provide them with the tools to do it.

"The phrasing 'trusted applications' leads you to believe that there will be continued investments in the Visual Studio product line to help developers to write more secure code," says Gartner Inc. analyst Neil MacDonald. "There better be."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, says Redmond is investing in security underpinnings for the .NET Framework. "Microsoft has invested in making .NET a platform that offers great support to help developers efficiently create trustworthy applications," Lipner says in an e-mail. "As additional industry standards and technologies come together as needed to realize the end-to-end trust vision, Microsoft will continue to ensure that .NET application developers can effectively support [that vision]."

Lipner points developers to Microsoft's Security Development Lifecycle and to its published Privacy Guidelines for Developing Software Products and Services.

On the tools front, Microsoft plans to integrate a new set of testing tools into the next release of Visual Studio Team System (VSTS) -- code-named "Rosario" -- according to Stephanie Saad, a group manager for VSTS at Microsoft. The company has yet to commit to the types of testing technologies it plans to add to the VSTS toolbox, but if end-to-end trust is the company's goal, MacDonald says it must go beyond operational, stress and performance testing to include security testing capabilities "right up there as a peer."

"Not only are the tools for performing security testing different," he says, "but the mindset you must have to operate those tools is different, too. When you perform security tests, you're trying to get the application to do things it wasn't designed to do, and to break in unexpected ways. There's a real difference in the tools and the approach."

Developers need more than just tooling -- they need visibility into the dev stack, says Howard A. Schmidt. The president of R&H Security Consulting LLC, Schmidt served as Microsoft's first chief security officer and was the founder of the Trustworthy Computing initiative in 2001. He says the company's Feb. 21 interoperability pledge, which has produced tens of thousands of pages of published documentation on Microsoft APIs, protocols and interfaces, is a major step forward in the effort.

"When you start looking at one of the complaints that people had over the years, [it was] the inability to write security-related APIs because they didn't know what it was going to do with the other [components]," Schmidt says. "I think the classic example we see is when we're rolling out new update patches from whatever vendor it may be. The concern is always: Is it going to break some security that you've got already built into something?"

React and Recruit
Reaction to Mundie's presentation among RSA conference goers was mixed, but enthusiasm was in short supply. One attendee, an independent software developer who asked not to be identified, summed up a prevailing sentiment: "Wasn't that the keynote from 1985? There was nothing new here."

But industry analyst Rob Enderle says that that attitude, which he also observed, misses the point. "This was a call for some help," Enderle suggests. "Microsoft was largely trying to point out the problem and argue that there needed to be a solution, while giving the solution some boundaries. Because asking for help is atypical of Microsoft, I don't think a lot of folks got that."

Macehiter agrees: "The company is setting out with this ambitious strategy to join up the historically fragmented approach to security and identity management," he says. "This is not for some technology purist reason, but because many of the challenges organizations face today from an IT and business perspective -- everything from service-orientation to inter-enterprise collaboration and compliance -- stretch and break current approaches to security ... There are few vendors out there with the breadth of capability to actually address this sort of challenge. Who else has articulated such a vision?"

That's a question Microsoft itself left open, says MacDonald, when it failed to bring anyone else onstage for the Mundie keynote.

"They would have been much better served if they had had other people up on stage with them," MacDonald suggests, "even potential enemies like Google and Amazon. They needed other organizations standing up and saying, 'Yes, end-to-end trust is needed and we're going to get past our competitive issues and work together in the better interest of consumers and the Internet as a whole.' When you have only Microsoft people stand up and talk about it, the message loses some of its credibility. This can't be a Microsoft-only vision."

In the end, end-to-end trust might not be the right term for what Microsoft is really talking about here, observes MacDonald.

"I give them credit for calling much-needed attention to the problem of trust on the Internet," he says, "but Microsoft is saying that the way you do this is with trusted platforms. Focusing on the platform makes this message too Microsoft-centric. I think it also ignores that what we want to achieve at the end of the day is trusted transactions, interactions and relationships. That's the big picture, but they seem to be focusing on the parts."

Maybe what Microsoft needs to do, says McGraw, is focus more closely on developers. "Developers like to be able to write and run all over the place," he says, "so this end-to-end trust thing would present them with constraints they'd have to learn to deal with. And I'd expect Microsoft to provide the support and tools they needed to do that. Whether or not developers should be constrained is a topic worthy of debate."

The Road to Trust

When Microsoft Chief Research and Strategy Officer Craig Mundie presented the end-to-end trust vision in his RSA Security Conference keynote, he made a point to link it directly to Microsoft's Trustworthy Computing initiative, which was publicly launched in January 2002. It's clear that this effort will be at a much greater scale than the 2002 program, which is widely regarded as a success.

"Today, I think we're in a transitional situation -- at least at Microsoft -- where we're focused on moving beyond what we did in our first generation of trust," Mundie said. "You can't just look at any one piece. You can't say, 'OK, the operating system is pretty hardened; the applications may or may not be.' We really need to stitch these things together in some complete way."

Microsoft's white paper, "Creating a More Trusted Internet," written by Scott Charney, vice president of Microsoft's Trustworthy Computing Group, lists three key elements to the end-to-end trust model:

  • A "trusted stack" in which each stratum can be authenticated and declared trustworthy -- from the hardware all the way up to the application layer.
  • The technology components required for managing identity claims, authentication, authorization policy, access controls and auditing. Microsoft calls this combo "I+4A."
  • An alignment of technological, social, economic and political forces that enable what Mundie calls "real progress."

"Part of the problem," Charney writes, "is that the security solutions employed to date are primarily defensive technical measures that, while effective in mitigating particular avenues of attack, do not address an adversary who is adaptive and creative and will rapidly shift tactics. Thus, for example, hardening of the operating system caused attackers to move 'up the stack' and attack applications, as well as refine social engineering techniques that technology today is ill-equipped to help prevent."

Trustworthy Beginnings
Microsoft's Trustworthy Computing initiative is credited with producing quantifiable improvements in software quality. The Security Development Lifecycle and other best practices have served to drive down the frequency and scope of exploits against Microsoft software.

Now Microsoft must find a way to extend that rigor beyond the Redmond stack. During the keynote, Mundie said that the trusted stack must be able to know which apps and services are "certified or attested relative to the practices that have been brought to bear on their construction, just like we do today for the operating system."

But Mundie insisted that though Microsoft may be the initial driver behind the end-to-end trust model, this is anything but a solo act.

"We can't do this by ourselves," he said. "Even if we did it just for our products, that would be fine, but it wouldn't work in the world that you work in every single day, and we need to get ahead of the power curve in thinking about how we bring these things together, what protocols and formats are going to be required to ensure interoperability, and what regulatory environment we want to wrap around that and how we deal with that on an international basis. So, I guess the call to action today is: Get good at operating what you have, and help us think about going to the future."

-- J.K.W.

Senior Editor Kathleen Richards contributed to this report.