In-Depth

In Search of Trust

Microsoft's end-to-end trust initiative is long on vision, but short on developer details.

• By John K. Waters
• 05/01/2008

When Microsoft's Chief Research and Strategy Officer Craig Mundie addressed the annual 2008 RSA Security Conference in San Francisco last month, he took Microsoft back over some well-trod ground, in a very big way.

Mundie used the high-profile confab to unveil Microsoft's "end-to-end trust vision," which takes aim at the growing array of threats and vulnerabilities that plague every connected device, service and piece of software. Mundie argued that these threats target everything from the operating system running the machine to the user punching the keys, and that the industry must enable what he called a "trusted stack." This stack would span the gamut of hardware, OS, application and service layers.

The proposal has its roots in an earlier Microsoft initiative, the Trustworthy Computing effort launched in January 2002. That push is widely credited with improving Microsoft's abysmal software security record and helping make products like SQL Server and Windows Server appropriate for high-stakes enterprise deployments.

"Having gotten -- I'll call it the core stuff -- in place, we now look at the next requirements being sort of a trusted stack of software," Mundie said in his keynote.

Critics contend that the end-to-end trust effort is too ambitious for Microsoft to execute, and is both heavy on platitudes and short on deliverables. Many question how Microsoft will equip developers to achieve its goals.

"It sounds nice on paper, but I don't think even Microsoft can pull that off," argues Gary McGraw, CTO of Cigital Inc., a Dulles, Va.-based provider of software quality and security solutions, and author of numerous books including "Software Security: Building Security In" (Addison-Wesley Professional, 2006).

"If we really want to have trust from end-to-end, that means the end will have to be owned by the people who want the trust," McGraw says of Mundie's pitch. "So who's the trust for? The user? Microsoft? Intel? We're pretty quickly going to be getting into issues of individual computational liberty versus some amount of security goodness."

The call for building an ecosystem based on a trusted infrastructure comes as some at RSA warn of increasing threats to the security and reliability of government and commercial computer systems.

"The potential consequences of a cyber attack are very real and every bit as concerning as the potential of a physical attack on the order of what we saw on Sept. 11," said Homeland Security Secretary Michael Chertoff, who also addressed the RSA conference. "Managing the risk of a cyber attack is not quite the same as managing the risk to our airline system or our transit systems or our borders," he continued.

Developer Questions
McGraw praises Microsoft's effort to address evolving threats that target the digital economy, but he says any effort Microsoft hopes to lead will have to directly target and engage developers.

"By and large, developers want to do the right thing," he says. "If you tell them what the right thing is, they'll more than likely do it. Microsoft has done a pretty decent job of telling them, and I think that's more important than focusing attention on this end-to-end stuff."

McGraw points out that the application layer has emerged as the area most vulnerable to attack. He says that in the Web-facing world, attackers often gain access by leveraging the functionality of an application, rather than defeating some security mechanism.

Analyst Neil Macehiter of U.K.-based Macehiter Ward-Dutton cites this dynamic application environment in applauding Microsoft's vision.

"Developers should be focusing on the business logic, not the security implementation," Macehiter says. "They should be in a position where they can declare what they need and a set of identity and security services delivers it for them -- [for example,] 'I want this request to be authenticated using a digital certificate' -- rather than implementing low-level security code," Macehiter says.

For .NET-aligned shops, the evolution and ubiquity of Windows Communication Foundation (WCF) and Windows CardSpace may prove to be pivotal in making that business logic more secure.

Microsoft's latest effort toward that end centers around plans to integrate the U-Prove technology of Credentica Inc., a company it acquired in March, into WCF and CardSpace. Ted Ritter, analyst at the Nemertes Research Group Inc., says that successful integration of U-Prove into WCF could bolster identity management within the framework.

U-Prove is an encryption and authentication system designed to allow users to conduct secure digital transactions while revealing as little about themselves as possible -- what Credentica calls "minimal disclosure."

Tooling Trials
If Microsoft expects developers to produce "trusted" applications, it needs to provide them with the tools to do it.

"The phrasing 'trusted applications' leads you to believe that there will be continued investments in the Visual Studio product line to help developers to write more secure code," says Gartner Inc. analyst Neil MacDonald. "There better be."

Steve Lipner, senior director of security engineering strategy in Microsoft's Trustworthy Computing Group, says Redmond is investing in security underpinnings for the .NET Framework. "Microsoft has invested in making .NET a platform that offers great support to help developers efficiently create trustworthy applications," Lipner says in an e-mail. "As additional industry standards and technologies come together as needed to realize the end-to-end trust vision, Microsoft will continue to ensure that .NET application developers can effectively support [that vision]."

Lipner points developers to Microsoft's Security Development Lifecycle and the published Privacy Guidelines for Developing Software Products and Services, which can be found here.

On the tools front, Microsoft plans to integrate a new set of testing tools into the next release of Visual Studio Team System (VSTS) -- code-named "Rosario" -- according to Stephanie Saad, a group manager for VSTS at Microsoft. The company has yet to commit to the types of testing technologies it plans to add to the VSTS toolbox, but if end-to-end trust is the company's goal, MacDonald says it must go beyond operational, stress and performance testing to include security testing capabilities "right up there as a peer."

"Not only are the tools for performing security testing different," he says, "but the mindset you must have to operate those tools is different, too. When you perform security tests, you're trying to get the application to do things it wasn't designed to do, and to break in unexpected ways. There's a real difference in the tools and the approach."

Developers need more than just tooling -- they need visibility into the dev stack, says Howard A. Schmidt. The president of R&H Security Consulting LLC, Schmidt served as Microsoft's first chief security officer and was the founder of the Trustworthy Computing initiative in 2001. He says the company's Feb. 21 interoperability pledge, which has produced tens of thousands of pages of published documentation on Microsoft APIs, protocols and interfaces, is a major step forward in the effort.

"When you start looking at one of the complaints that people had over the years, [it was] the inability to write security-related APIs because they didn't know what it was going to do with the other [components]," Schmidt says. "I think the classic example we see is when we're rolling out new update patches from whatever vendor it may be. The concern is always: Is it going to break some security that you've got already built into something?"

React and Recruit
Reaction to Mundie's presentation among RSA conference goers was mixed, but enthusiasm was in short supply. One attendee, an independent software developer who asked not to be identified, summed up a prevailing sentiment: "Wasn't that the keynote from 1985? There was nothing new here."

But industry analyst Rob Enderle says that that attitude, which he also observed, misses the point. "This was a call for some help," Enderle suggests. "Microsoft was largely trying to point out the problem and argue that there needed to be a solution, while giving the solution some boundaries. Because asking for help is atypical of Microsoft, I don't think a lot of folks got that."

Macehiter agrees: "The company is setting out with this ambitious strategy to join up the historically fragmented approach to security and identity management," he says. "This is not for some technology purist reason, but because many of the challenges organizations face today from an IT and business perspective -- everything from service-orientation to inter-enterprise collaboration and compliance -- stretch and break current approaches to security ... There are few vendors out there with the breadth of capability to actually address this sort of challenge. Who else has articulated such a vision?"

That's a question Microsoft itself left open, says MacDonald, when it failed to bring anyone else onstage for the Mundie keynote.

"They would have been much better served if they had had other people up on stage with them," MacDonald suggests, "even potential enemies like Google and Amazon. They needed other organizations standing up and saying, 'Yes, end-to-end trust is needed and we're going to get past our competitive issues and work together in the better interest of consumers and the Internet as a whole.' When you have only Microsoft people stand up and talk about it, the message loses some of its credibility. This can't be a Microsoft-only vision."

In the end, end-to-end trust might not be the right term for what Microsoft is really talking about here, observes MacDonald.

"I give them credit for calling much-needed attention to the problem of trust on the Internet," he says, "but Microsoft is saying that the way you do this is with trusted platforms. Focusing on the platform makes this message too Microsoft-centric. I think it also ignores that what we want to achieve at the end of the day is trusted transactions, interactions and relationships. That's the big picture, but they seem to be focusing on the parts."

Maybe what Microsoft needs to do, says McGraw, is focus more closely on developers. "Developers like to be able to write and run all over the place," he says, "so this end-to-end trust thing would present them with constraints they'd have to learn to deal with. And I'd expect Microsoft to provide the support and tools they needed to do that. Whether or not developers should be constrained is a topic worthy of debate."

Senior Editor Kathleen Richards contributed to this report.