“While the cloud is certainly the buzz at the moment, there are still a lot of people running the box model across the world dealing with the multiple threats. We need to continue to deal with defence in depth and threat mitigation”, said Charney.
Overhyping information security threats – or indeed underestimating threats – is a big problem, said Charney. “People fail to understand what the threats are”. He explained why people find it so hard to understand the threat landscape by categorising the issues into five groups:
- Bad actors: There are so many different types of attackers
- Multiple motives: There are so many traditional and sophisticated motives, from economic to military espionage,
- Attacks can look the same: It’s hard to respond to a threat when you don’t know what it is
- Integrated domains: So many things can go wrong.
- Worst case scenarios are scary
In light of these issues, Charney explained Microsoft’s progress towards a claims-based identity metasystem, and called for public and private organizations to collaborate to prevent and disrupt cybercrime.
A trustworthy cloud?
Microsoft’sCharney raised a few concerns regarding securing the cloud. “How are we going to do forensics investigations in the cloud?”, he asked, “Audit trails are critical for getting trust in a cloud environment. It’s critically important that companies produce technologies that help us better protect our identity”.
"Data can go anywhere in the cloud. If the vision is right, absolutely everything will go to the cloud. As we move more data to the cloud, governments can get our data without coming to the citizen. Is that the place we want to be?” Chaney asked, reminding his audience that with data centres all across the world, different governments could access data from other governments.
“End to End Trust is our vision for realising a safer, more trusted internet”, said Charney. “To enable trust inside and outside of cloud computing environments will require security and privacy fundamentals, technology innovations, and social, economic, political and IT alignment.”
Microsoft’s Charney stated that while focussing on security and privacy fundamentals and threat mitigation remains necessary, the industry needs to be more aggressive in blunting the impact of cybercriminals. “[Microsoft] are committed to collaborating with industry and governments worldwide to realise a safer, more trusted internet through the creative disruption and prevention of cybercrime”, Charney said.
Identity solutions
Microsoft’s Charney explained that identity solutions that provide more secure and private access to both on-site and cloud applications are key to enabling a safer, more trusted enterprise and internet.
Microsoft today released a community technology preview of the U-Prove technology, which enables online providers to better protect privacy and enhance security through the minimal disclosure of information in online transactions.
To encourage broad community evaluation and input, Microsoft announced it is providing core portions of the U-Prove intellectual property under the Open Specification Promise, as well as releasing open source software development kits in C# and Java editions.
Charney also announced a new partnership with the Fraunhofer Institute for Open Communication Systems in Berlin. The prototype project integrates U-Prove and the Microsoft identity platform with the German government’s future use of electronic identity cards.
Finally, Microsoft also announced the release of Forefront Identity Manager 2010, a part of its Business Ready Security strategy. Forefront Identity Manager enables policy-based identity management across diverse environments, empowers business customers with self-service capabilities, and provides IT professionals with rich administrative tools.