RSA 2013: Microsoft VP predicts a sunny outlook for information security

During a keynote address to the RSA audience in San Francisco, Charney, the Corporate VP of Microsoft’s Trustworthy Computing Group, recounted numerous adverse headlines about major internet and data security incidents over the last several years – only then to pivot in a more positive direction.

“Looking back, there is a case for optimism”, he told the audience. “We all know the internet was built without security in mind”, which – in Charney’s assessment – has led to a continuous struggle for security professionals.

“I’m an optimist. You can be an optimist because you are delusional, or you can be an optimist for a reason”, he jokingly commented.

“The last year or so, the world has changed dramatically, as we have moved from a fixed model…to a somewhat more complicated model”, he said, referring to trends including cloud computing, mobile devices, the increasing need for professional certifications, and compliance requirements.

Not surprisingly, Charney asserted that trust was the key for security professionals’ ability to combat new threats and do their part to maintain a healthy, secure computing ecosystem. In this new world, he continued, “trust in the middle – that trusted stack – is still absolutely critical. Rooting trust in hardware; having more secure applications and operating systems; having identity systems that work, so that on the internet we can robustly identify the right people at the right times, but also ensure that there is anonymity for those who want free speech to say controversial things.”

So why is Charney so optimistic about the future of data and internet security? His reflections on what those in the industry have done already provided him with the necessary confidence.

Among the major recent security advances Charney cited, which have laid the foundation for a more secure future: UEFI (unified extensible firmware interface) to replace BIOS for device boot, the security development lifecycle (SDL) to build secure operating systems and applications, and Trusted Platform Modules (TPM) for device identity verification.

“Organizations are adopting SDL practices, and producing more secure software”, Charney added. “In addition, we now see standardization – ISO 27034, the standard for secure development”, he said, noting that standardization was vital because attackers seek the weakest link in any system, and the entire hardware and software development community must raise its game in unison to combat this reality.

Not surprisingly, Microsoft has been at the forefront of advocating for all of the security advances Charney cited in support of his argument that the future is a bit brighter than some would profess.

While increased use of the secure development lifecycle gives the Microsoft VP cause for optimism, one area he sees as the next step in promoting trust centers around identity of the individual. “To some extent, it has always been a challenge to get people to accept identity management systems”, Charney continued. “Particularly in the consumer space, it’s hard to convince consumers that they should go somewhere and get an e-ID card”, he remarked, noting the chicken-and-egg conundrum e-ID programs present.

“No merchant and no government is asking them to ever produce it, and it’s hard to get governments and merchants to demand the production of an e-ID card when no consumer has it.” He listed Germany, Singapore, and Japan as leaders in this next phase to promote online trust, and the NSTIC pilot program in the US that is now exploring e-ID projects.

To combat the skepticism some have regarding government control of an identity management system, Charney believes that the current model – which requires the alignment of multiple parties to verify identity – would benefit tremendously through simplification if it comprised solely the government and its citizens. It’s a model that already exists, if one thinks of it in the context of motor vehicle agencies issuing licenses, and therefore identity credentials. “Familiarity”, he contended, “will ensure trust by citizens in e-ID systems”.

“In this context, both the government and the citizen want robust identity” management, Charney asserted, concluding that if we “take out the difficulties in the situation, [we] can make more progress”.