Q&A: Moving towards "end to end trust:" A collaborative effort

Scott Charney, corporate vice president, Trustworthy Computing (TwC) at Microsoft

Q: Let's face it – Microsoft is ubiquitous. What can its customers expect this year in the way of the company's continuing efforts to strengthen information security for its products and customers?
 
A: Every time Microsoft ships a product, I think we improve information security for our customers. Our commitment to the Security Development Lifecycle (SDL) and our constant focus on building defense-in-depth into our products and services ensures each release is better than the last. Not perfect, but better. We continue to be laser-focused on doing the fundamentals right, investing in new security technologies (innovation), providing prescriptive guidance to customers, and working with partners in the public and private sectors to build a more secure computing ecosystem. This year we will focus on end-to-end trust and address the importance of authentication and audit. Our end goal is to make sure our customers have trust in PC computing, whether they are at home, in the office, or using a mobile device. It is going to take a very long time to build an ecosystem that enables this type of trust in computing, but Craig Mundie (Microsoft's Chief Research and Strategy Officer) will talk more about his vision for that during his keynote at RSA.
 
Q: What are the emerging threats about which CSOs and their bosses should be most worried this year?
 
A: Over the last five years or so, we have done a pretty good job as a company, and the industry has as well, of reducing vulnerabilities in operating systems and putting protections in place to help mitigate some of the risks that remain. No software is 100 percent secure, of course, but we have been making progress. The problem is that cybercriminals are adaptive and creative, and thus the threat model is evolving. Whereas it used to be young people hacking into systems for exploratory purposes, today hackers may be funded by organized crime groups, may be government personnel, or may be just two-bit scam artists targeting rich data stores for financial or political gain. In short, many of the attacks are now targeted and sophisticated as opposed to opportunistic and rudimentary.
 
The other big trend we see is that attackers are changing their tactics because of the security gains the industry has made. For example, attacks are moving up the stack to the application layer because, in part, operating systems are getting more secure. They are also moving up the stack because it is the application layer that may contain the information the bad guys want. This raises huge challenges for the IT ecosystem because it is not just a question of getting OS companies to improve, but of improving the code quality produced by all application providers, even those working in very small companies without a lot of internal training resources and tools. Finally, social engineering is becoming much more sophisticated. Indeed, in our most recent Microsoft Security Intelligence Report, we noted a 150 percent increase in phishing attacks during the first half of 2007 compared to the previous six months. This highlights the need for CSOs to take the social engineering trend very seriously and strike the right balance between deploying technical solutions and educating employees about combating cybercrime.

Q: Considering the number of data exposures we've seen, such as TJX, where are companies making the biggest mistakes in protecting customers' personal data?
 
A: The protection of personal and financial data is becoming a huge priority for organizations because of some of these high profile data breaches, and data must be managed properly to maintain trust online. A recent study we commissioned with the Ponemon Institute found that greater collaboration between security, privacy and marketing professionals in organizations can reduce the risk of data breaches. Indeed, organizations with poor collaboration were more than twice as likely to have suffered a data breach in the past two years as organizations with good collaboration. This really hammers home the need to continue adapting processes and technologies to effectively manage data protection as the security and privacy worlds converge.
 
In addition to closer collaboration among different functions, Microsoft also encourages companies to develop multifaceted approaches to data protection and governance that focus on technology, people and processes. There is no doubt that technology can help organizations enable effective processes, implement policies, and comply with desired business practices and regulations. So, along those lines, we have identified five elements that constitute an effective technology-based framework necessary to responsibly protect and manage personal information, mitigate risk, achieve compliance, and promote trust and accountability. The elements include: secure infrastructure, identity and access control, data encryption, document protection, and auditing and reporting. Microsoft has released a white paper outlining this guidance in more detail that is available online.
 
Q: Are companies better off relying on point security solutions for the layered security approach or going with unified security appliances and suites (of which there seem to be more and more given the many mergers and acquisitions over the last year or two)?
 
A: There is not a one-size-fits-all answer to this question. It is critically important that a company have a documented information security program that identifies key assets and services, catalogs and prioritizes the threats to those assets, mitigates those threats, tests the mitigations, and puts into place an incident response program for the day those protections fail. Then, if business models change or an incident occurs, the process should be re-evaluated. In the course of this process, the company will identify the products needed to help mitigate risk. Whether the right solution will consist of a combination of individual products or a suite of products offered together must be determined on a case-by-case basis.
 
Q: What's your silver-bullet solution – a blue-sky security tool that corporate CISOs and executive leaders would buy up to solve their most pressing security issue?
 
A: Unfortunately, there is no silver bullet for security. To reduce your risk, there are some basic steps we think most people are or should be taking. In addition to having a documented information security program as described above, users should use the latest technology as it tends to be more secure, configure that technology carefully to balance functionality and security, stay current with security updates, and educate users on cybercrime threats and how to avoid becoming a victim. As it is often said, security is a journey and not a destination, and handling security well requires companies to think about people, process, and technology.
 
Q: When it comes to conforming to regulatory mandates, companies have their share. How can organizations ensure they're meeting current mandates?

A: Applying the guidance in the data governance framework described in the white paper that I mentioned earlier and developing a holistic data protection strategy will help. While complying with regulations is an important reason for developing such a strategy, there are many other benefits for companies that adopt such an approach. Effective data governance enables greater operational efficiency and optimizes data quality and utility, enhances trust with stakeholders and helps protect a company's reputation.
 
Q: Do you expect to see a national data breach notification law this year? Would this help organizations trying to meet so many different state mandates?
 
A: It is difficult to predict if and when federal legislation will be enacted. But we do believe federal legislation is necessary to put consumers in charge of the collection, use, and disclosure of their personal information and to give them comfort about transacting both online and off. This is necessary to avoid a patchwork of inconsistent state laws and to provide clarity to businesses and consumers about the standards for soliciting and handling personal information. This will benefit consumers and allow commerce to flourish.