Gates RSA Keynote: Messaging Relevance

On February 5 in San Francisco, Bill Gates and Craig Mundie (Microsoft's Chief Research and Strategy Officer) gave the opening keynote at the RSA Conference. They presented Microsoft's vision for computer security.

In summary:

  • Today's security relies too heavily on putting a fence around a corporate network. E.g. firewalls define what network segments or IP addresses can be used. That corresponds to the notion that users are mainly trustworthy, and that they mainly work at the organization's offices. We have to migrate to a more flexible model, because today employees often work off-premises, and because customers, suppliers, and business partners need to have access to resources.
  • Today's security is about stopping people getting in. Instead, security needs to facilitate access.
  • Security has to provide easy granular access to applications and resources. E.g. if you want to allow a contractor to access a single document in read-only mode, that should be easily accomplished.
  • Security must be policy-based, rather than network-topology-based. Policies should be applicable not just to individuals, but to groups of things.
  • Microsoft sees three things as key to security:
    • The Network. IPv6 (expanded IP address space that makes NAT redundant) is important, to determine physical access. IPsec is important as a general-purpose vehicle ensuring privacy.
    • Digital Rights Management. We need control over what happens to electronic documents. E.g. we should be able to send emails and have them be destroyed after a set period of time.
    • Identities. We have to get away from passwords as a means of identifying ourselves. We'll make heavy use of certificates to identify people, programs, and machines. We'll all have multiple certificates, corresponding to various roles.
  • Open standards are critical for interoperability. IPsec and IPv6 are fundamental for Microsoft.

Comments:

  • All in all, we liked the presentation and found it persuasive. Many valid points were made, and the broad vision seems right. We do need to migrate from network-topology-based security to policy-based security which encompasses application-level concepts.
  • Messaging and collaboration are just a small part of the computing venture. But interestingly, messaging issues were often cited, e.g. spam, viruses, phishing, and digital rights management for emails.
  • It's easy to say we need policy-based security, but the way there is unclear:
    • Policy-based management will have to become highly layered, like protocols. Otherwise, the policies will be too complex.
    • Today's tools to define policy are very crude. They are If-Then expressions, where the If-triggers are boolean functions of regular expressions. Try, for example, writing a policy that says "chuck out spam". Early attempts to do this were policy-based, using keyword and pattern-matching lookups. Such tactics were quickly abandoned.
  • True, we'll end up with electronic wallets with plenty of certificates. Validation and certificate revocation remain big problems.
  • It's interesting that digital rights management was given such prominence. We're inclined to think that DRM will become a major issue for messaging managers over the next five years. It would be a very good thing if Microsoft does in fact give this area plenty of attention. DRM is much needed.
  • Security will encompass much more than one major vendor, even Microsoft, can handle. E.g. it'll need to encompass TVs, mobile phones, analyst newsletters, vertical industry purchase transactions, reputation services. So open standards do seem of the essence.
  • We'd like more discussion about what standards are key. IPsec and IPv6 seem like tiny pieces of the puzzle -- strange they were singled out, especially because Microsoft's past implementations of IPsec have been limited.
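
The If-Then policy style criticized in the comments above (triggers that are boolean functions of regular expressions, applied to "chuck out spam"), shown as an added example that is not from the keynote or the original post. The rule, the patterns and the sample messages are all constructed for illustration.

```python
import re

# Constructed policy engine: a trigger is a boolean function of regex matches
# on message fields, and a rule is (name, trigger, action).
def rx(pattern, field):
    compiled = re.compile(pattern, re.IGNORECASE)
    return lambda msg: bool(compiled.search(msg[field]))

def all_of(*preds):
    return lambda msg: all(p(msg) for p in preds)
def any_of(*preds):
    return lambda msg: any(p(msg) for p in preds)
def not_(pred):
    return lambda msg: not pred(msg)

POLICY = [
    ("chuck-out-spam",
     all_of(any_of(rx(r"\bfree\b.*\boffer\b", "subject"),
                   rx(r"\blottery\b|\bwinner\b", "body")),
            not_(rx(r"@example\.com$", "sender"))),  # internal mail exempt
     "discard"),
]

def evaluate(msg, policy=POLICY, default="deliver"):
    """Return the action of the first rule whose trigger fires."""
    for _name, trigger, action in policy:
        if trigger(msg):
            return action
    return default

# Constructed messages, each paired with the outcome a human would want.
SAMPLES = [
    ({"sender": "promo@bulk.invalid", "subject": "Free offer inside",
      "body": "Click now"}, "discard"),
    ({"sender": "promo@bulk.invalid", "subject": "Fr-ee 0ffer inside",
      "body": "You are a w1nner"}, "discard"),
    ({"sender": "hr@partner.invalid", "subject": "Raffle results",
      "body": "The charity lottery winner is announced Friday"}, "deliver"),
]

def misclassified(samples=SAMPLES):
    """List (subject, wanted, got) for every message the policy gets wrong."""
    return [(m["subject"], want, evaluate(m))
            for m, want in samples if evaluate(m) != want]

if __name__ == "__main__":
    for subject, want, got in misclassified():
        print(f"{subject!r}: wanted {want}, policy said {got}")
```

Only the plainly worded message is handled correctly: the respelled one is delivered and the legitimate raffle notice is discarded, which is the brittleness that led such keyword rules to be abandoned.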

PS. Your current interlocutor was in the front row. He hadn't been so close to Bill since he was dining with him in a San Francisco restaurant, around 25 years ago. Sergio the owner asked them to leave because they weren't spending enough money. Bill's a bit richer now, Sergio's got a new car, and David still wonders what to do with his life.

... David Ferris
