November 13, 2002
Long Road Ahead
1. Has invested heavily in touting the product security.
2. Still needs to make massive investments to convince the marketplace
- It's Microsoft.
Convincing the Issue Elites* that your products are secure takes far more than a couple of well-placed marketing campaigns. Microsoft not only needs to examine 80 million+ lines of code, but also needs to revise training programs for internal and external developers, examine the core architecture of how the OS interacts with applications, and then convince a group of professionally paranoid engineers that progress has been made.
Selected Allchin/Forbes security bits and more in the full entry. Thanks to Scott Loftesness for bringing this chat session to my attention.
* Market research parlance for the people who are the trusted sources of information on particular issues - in this case security professionals.
EndoLast: What effect on business do you see from the drive to create uniform security standards for government IT systems?
JALLCHIN: Governments have some specific needs that businesses might not, but that depends on the government agency. The whole industry needs to improve related to security. We are committed to being a leader in this space. There is still a lot for everyone to learn in the security space. CC win for W2K is a step. CC will happen for XP shortly. Both are good steps, but much more is needed. I believe investments we are doing in things like Palladium will give businesses a lot of control and a NEW level of security not achieved before.
Interesting - "a new level of security". Palladium is a mechanism for content owners to CONTROL content. It does nothing to improve reliability. However, it could potentially help with larger authentication and authorization issues.
EndoLast: Could you elaborate on what you mean by a lot to learn in the security space?
JALLCHIN: Long answer... here it comes...
1. Can't the OS be made more secure against viruses? Technically, it would seem to me that behavior blocking is a much better technique than anti-virus approaches today. AV is after the fact. I want to find a way to stop it without loading a signature (which has to be created AFTER the outbreak).
Try separating the OS from applications that communicate with other computers - email and browser apps would be a great place to start.
2. PKI vs. private key.
3. Federation between companies with different models
Clearly one of the harder questions of the day. This forces security to be addressed in the application architecture and major standards like SOAP and XML.
4. role of biometrics, and on and on....
The role of biometrics?? Biometrics have error rates. My money says no biometric company breaks the $150 million mark in the next 5 years. (Revenues from physical access control systems don't count.)
Posted by Abner on November 13, 2002 03:38 PM