Why Is Microsoft's Cyber Security Leader So Optimistic?
When Scott Charney spoke at last week's annual RSA Conference in San Francisco, he expressed optimism about the future of IT security despite a new onslaught of attacks and threats facing consumers, businesses and the nation's critical infrastructure.
I initially wondered why Charney, the Microsoft corporate VP for Trustworthy Computing was so upbeat? After all, we're under siege purportedly by the Chinese, Iranian and Russian governments. Organizations including the Federal Reserve Bank, The New York Times, NBC News, Apple, Facebook, Twitter, heck even Microsoft itself, have all recently sustained cyber-attacks.
When President Obama last month issued his Executive Order directing immediate information sharing between the Federal government and the private sector, notably operators of critical infrastructure, he painted a bleak picture of the looming threats in his State of the Union Address. Many in IT were already aware of the problems the President raised but nevertheless he amplified the issue.
On deeper reflection however it bears noting that the President appointed Charney to the President's National Security Telecommunications Committee (NSTAC) in 2011 and presumably he has Obama's ear. Charney described in a blog post the President's order, called Presidential Policy Directive 21, as a key step forward:
When reviewing the key definitions, approaches and activities outlined in the Executive Order, it is fairly well aligned with a set of global principles essential for enhancing cyber security. More specifically, it recognizes the principles of active collaboration and coordination with infrastructure owners and operators, outlines a risk-based approach for enhancing cyber security, and focuses on enabling the sharing of timely and actionable information to support risk management efforts.
It is important to see these principles reflected in the Executive Order for three reasons. First, it is the private sector that designs, deploys and maintains most critical infrastructure; therefore, industry must be part of any meaningful attempt to secure it. Second, both information sharing and the implementation of sound risk management principles is the only way to manage complex risks. Finally, while critical infrastructure protection is important, it cannot be the only objective of governmental policy; privacy and continued innovation are also critical concerns.
Microsoft itself has come a long way in improving the security of all its products, as noted in last year's Redmond magazine cover story "10 Years of Trustworthy Computing." Charney used last week's RSA keynote to re-iterate the security improvements introduced in Windows 8, such as the Unified Extensible Firmware Interface (UEFI) specification which enables new users to securely boot their systems.
Charney also has played a key role in fostering cloud security. Jim Reavis, executive director of the Cloud Security Alliance last week told me why the group gave Charney its industry leadership award this year.
"Microsoft was the first major provider to support our STAR registry by being very transparent," Reavis said. "They've also created vendor neutral tools to help assess their own readiness based on the cloud industry's best practices. He's that rare individual that not only does the right thing with their company but with his competitors and the industry at large. Scott is the epitome taking on that shared responsibility."
The latest cyber-attacks are also putting the spotlight on public cloud computing. Already security remains the biggest inhibitor to cloud computing. I was at IBM's Pulse Conference in Las Vegas earlier this week and the security fears surrounding cloud were not lost on Big Blue as it talked up its cloud portfolio and launched its open standards-based initiative for cloud computing.
Kris Lovejoy, IBM's general manager for security services and the company's former chief security officer, believes the move to cloud computing will actually provide enterprises with more secure IT than their existing infrastructures.
"Cloud is fundamentally more secure or inherently more securable than traditional infrastructure environments because of the way it's designed and because of the way you can replicate security controls on top of cloud environments," she said during a panel discussion for media and analysts Tuesday at Pulse. "One of the biggest challenges we have in traditional infrastructure is complexity -- too many pieces of technology. In a cloud environment everything can be standardized so we can be secure."
Do you feel your systems are on the road to becoming more secure despite a new crop of sophisticated and persistent threats including the risk of cyber terrorism? Or are you of the mind that for every step forward IT security takes, these new risks are taking us a step or two back? Drop me a line at email@example.com.
Posted by Jeffrey Schwartz on 03/06/2013 at 9:57 AM