Microsoft: Still more to do on security

Though Microsoft has made leaps in security over the years, even more challenges lie ahead as additional devices go online, company executives said Tuesday.

Only last week, Microsoft released Windows Vista and Office 2007, promoted as the most secure versions of the operating system and productivity products yet. And it has been nearly five years since company chairman Bill Gates sent out his "Trustworthy Computing" memo, which said the software maker was turning its focus to security. But that doesn't mean Microsoft products are now watertight, said Craig Mundie, chief research and strategy officer at the company.

"This won't make (the products) perfect," Mundie said in a joint keynote speech with Gates at the RSA Conference in San Francisco. "The challenges we face in building our products, and the challenges everybody faces in administering and using them, is that humans are humans and they make mistakes."

As more devices connect to the Internet, and as people demand access to data from anywhere, the security job will only get bigger and more complex. "This challenge is going to get a lot tougher," Mundie said.

Not all the pieces are in place yet for people to be able to freely and securely tap into online data while on the move, he said. But solutions to the challenges are beginning to emerge, both on the side of Internet infrastructure -- in servers, routers and switches, for instance -- and in individual devices.

"We will build this model of seamless, easy access across all these devices. But we're not really there yet. We're on the path to this future world," Mundie told the audience at the security conference.

Microsoft is pitching IP version 6, the next generation of the Internet Protocol, and IPSec, a suite of protocols for securing IP communications, as part of the solution. Windows Vista has IPv6 built in, as does the upcoming Windows Server Longhorn release, which also supports IPSec.

IPv6 is designed to support a broader range of IP addresses, as the IP version 4 addresses currently in use are becoming scarce. The new protocol will not only let more devices connect, it will also allow the use of fine-tuned security controls, since each device will have its own address, Mundie said. He said that features in Windows XP and Vista will help people move to IPv6.

"There really isn't a challenge, in our view, in moving to the IPv6 infrastructure," Mundie said. "You don't have to contemplate some gargantuan infrastructure change."

Securing the actual data is another important piece in the puzzle, Gates added. He pitched BitLocker, a disk drive encryption feature in the higher-end version of Vista, as a way to lock down the data on a PC.

In addition, for businesses, rights management systems can help control the flow of confidential data, he said. For example, companies can use such rights settings to limit who can forward or open certain e-mail messages, reducing the risk of data loss, Gates said.

Then came a familiar message from Microsoft: eliminate the weakest link in the computer security chain by getting rid of passwords. Gates told the RSA crowd that he now has the right weapons to supplant the password as a means of verifying who is who on computers and over the Internet.

"Passwords are not only weak; passwords have the huge problem that if you get more and more of them, the worse it is," Gates said.

In Vista, Microsoft introduced Windows CardSpace for consumers to use instead of passwords. CardSpace is an application designed to represent an individual's wallet, holding different cards to use for identification in online transactions.

"That is one of the things that is in the Vista system," Mundie said. "I think people are going to have to acclimate to it."

For authentication in businesses, the software maker is promoting products such as its Identity Lifecycle Manager 2007, set for release in May. "We think this is the milestone where enterprises should start the migration from passwords to smart cards," Gates said.