Although Microsoft's Trustworthy Computing initiative is not directly about self-managing software, it is worth reviewing for its scope and its potential for creating reliable systems, and on closer analysis several of its objectives overlap with those of autonomic computing. In January 2002, Bill Gates issued a call to action challenging all of Microsoft's 50,000 employees to build a Trustworthy Computing environment for customers that is as reliable as the electricity that powers homes and businesses today.

Software security is an ongoing challenge. Viruses, worms, trap doors, and other security problems are experienced throughout the industry on a daily basis. To address these facts, Microsoft has made Trustworthy Computing a key initiative for all its products. Trustworthy Computing is a framework for developing devices powered by computers and software that are as secure and trustworthy as the everyday utilities in use at home, such as water, electricity, and the telephone. The basic redesign of Microsoft's products is a step toward making this vision a reality. Resilient technology is crucial to building secure computing environments, but technology alone cannot answer threats as they evolve. Well-designed products, established and effective processes, and knowledgeable, well-trained operational teams are all required to build and operate an environment that provides high levels of security and functionality.

The Think Tank

Microsoft management and leading academic security and privacy research scientists from around the world have established a Trustworthy Computing Academic Advisory Board. The board was formed to advise the company on security, privacy, and reliability enhancements in its products and technologies, so that Microsoft can obtain feedback on product and policy issues related to its Trustworthy Computing initiative.
The board is composed of leading research scientists and privacy policy experts, each with a significant track record in his or her field, who meet regularly to review progress and set objectives.

Goals for Trustworthy Computing

The four goals defined by Microsoft are straightforward and direct, as shown in Table 14.1.

Table 14.1. The Four Goals for Trustworthy Computing

Goal | The Basis for a Customer's Decision to Trust a System
Security | The customer can expect that systems are resilient to attack, and that the confidentiality, integrity, and availability of the system and its data are protected
Privacy | The customer is able to control data about themselves, and those using such data adhere to fair information principles
Reliability | The customer can depend on the product to fulfill its functions when required to do so
Business integrity | The vendor of a product behaves in a responsive and responsible manner

Microsoft has also created a framework to track and measure its progress toward the security goal, organized around four pillars: secure by design, secure by default, secure in deployment, and communications. Table 14.2 summarizes the scope of each pillar and the progress made so far.

Table 14.2. A Summary of the Trustworthy Computing Initiative and the Progress Made So Far

Pillar | What Does It Mean? | Progress to Date
Secure by design | |
Secure by default | Reduce the attack surface area; unused features turned off by default; require only minimum privileges | Office XP SP1: VBScript off by default; no sample code installed by default; IIS off by default in Visual Studio .NET
Secure in deployment | Protect, detect, defend, recover; manage; process: how-to's, architectural guides; people: training | Deployment tools (MBSA, IIS Lockdown); created STPP to respond to customers; PAG for Windows 2000 security
Communications | Clear security commitments; full member of the security community; Microsoft Security Response Center |

The goal of secure by design is to eliminate all security vulnerabilities before a product ships and to add features that enhance product security. Secure by design requires:

- Building a secure architecture. Bank buildings are designed around security requirements: their architecture is a direct consequence of the need for a vault and other ancillary security features. Software can be designed for security in the same manner, and Microsoft is now designing and building products around security from the start.
- Adding security features. Microsoft is extending product feature sets to enable new security capabilities.
- Reducing the number of vulnerabilities in new and existing code. Microsoft is improving its internal development process to make developers more conscious of security issues while designing and developing software. This includes training and peer review of code.

The key approach of secure by default is for Microsoft and other software vendors to ship products that are more secure out of the box: services that are not required in most customer scenarios are turned off, and the permissions granted automatically are reduced. These measures minimize the "surface area" available for attack, and because an administrator must make a conscious decision to enable a service, that service is more likely to be appropriately managed and monitored.

Secure by design and secure by default are very important, but they apply only while products are being created. Secure in deployment is equally, or even more, critical because operating computers and network systems is an ongoing activity. Microsoft is therefore stepping up support for customers in five distinct but closely related activities:
- Protecting systems by ensuring that the right people, processes, and technologies are in place so that data is accessible only to trusted users, and that systems are configured properly and updated as needed to keep unauthorized users out. Network protection is like locking the doors of your home to keep out intruders.
- Detecting attempted intrusions, security violations, operational problems, unexpected behavior, or pre-failure indications. Detection is analogous to arming your home alarm so that you are alerted to potential danger.
- Defending systems by taking automatic corrective action when a security violation occurs or is suspected. Defense is like calling the police during an attack; this is the same objective as autonomic computing.
- Recovering computers that have been compromised, are suspect, or have failed. Recovery depends on having the right systems and processes in place to restore a machine and its data to a last known good state while minimizing downtime. It is like calling the insurance company to take care of damage after a break-in; in IT, it means having backup systems in place that enable quick restoration of infected systems to a previously known good state.
- Managing systems, the fifth activity, which Table 14.2 lists simply as "Manage".

Communications are also important. Vendors should communicate their objectives, progress, and long-term strategy clearly and often, so that customers are aware of the issues and plans. In addition, there are other communications practices that can be implemented quickly and easily, such as:
- Getting accurate information and software patches distributed quickly when vulnerabilities are discovered.
- Helping customers understand how to enhance system security with tools and prescriptive guides.
- Being constantly vigilant and providing warning of new attacks and of the new best practices that evolve in response to threats and changes in technology.

Trustworthy Computing Summary

Trustworthy Computing is a bold initiative on Microsoft's part. It is closely bound up with autonomic computing, and several of their objectives overlap. The concept of providing computing that is as trusted and reliable as the utility industries, such as electricity, gas, and the telephone, is indeed praiseworthy, necessary, and attainable. Achieving these high standards will not be easy and, like autonomic computing, is another grand challenge that the entire industry must embrace.
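The secure-by-default measures in Table 14.2 (reduce the attack surface, turn unused features off, require only minimum privileges) and the "protect" and "detect" activities of secure in deployment can be checked on a running Windows host. The following PowerShell script is an added example written for this chapter; it is not Microsoft's code and not the output of MBSA or IIS Lockdown. It lists every listening TCP endpoint together with the process, Windows service, start mode and logon account behind it, then flags listeners that are not on an expected-port list. The $ExpectedPorts default of 3389 and 5985 (RDP and WinRM) is an assumption for illustration; the Get-NetTCPConnection, Get-CimInstance, Get-Process and Set-Service cmdlets are standard on Windows 8 / Server 2012 and later.

```powershell
# Added example for this chapter (not Microsoft's code, not MBSA/IIS Lockdown).
# Audits the local attack surface of a Windows host: every listening TCP port,
# the process and service behind it, the service's start mode and logon
# account, and whether the port is one this host is meant to expose.
# Requires Windows 8 / Server 2012 or later (Get-NetTCPConnection); run from an
# elevated shell so the owning process of service-hosted listeners is visible.

param(
    # ASSUMPTION: ports this host is supposed to expose (RDP and WinRM here).
    # Replace with the real list for the role of the machine.
    [int[]]$ExpectedPorts = @(3389, 5985)
)

# Build a PID -> services lookup from WMI so a listener can be tied back to the
# Windows service that owns it and to the account that service runs as.
$servicesByPid = @{}
foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if ($svc.ProcessId -eq 0) { continue }          # stopped services have no process
    $key = [int]$svc.ProcessId
    if (-not $servicesByPid.ContainsKey($key)) { $servicesByPid[$key] = @() }
    $servicesByPid[$key] += [pscustomobject]@{
        Name      = $svc.Name
        StartMode = $svc.StartMode      # Auto, Manual or Disabled
        Account   = $svc.StartName      # e.g. LocalSystem, NT AUTHORITY\NetworkService
    }
}

# One row per listening endpoint. svchost.exe hosts several services in one
# process, so the Services column may list more than one name.
$report = foreach ($conn in Get-NetTCPConnection -State Listen | Sort-Object LocalPort) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $svcs = $servicesByPid[[int]$conn.OwningProcess]
    [pscustomobject]@{
        Port      = $conn.LocalPort
        Address   = $conn.LocalAddress
        Process   = if ($proc) { $proc.ProcessName } else { '?' }
        Services  = if ($svcs) { @($svcs.Name) -join ',' } else { '-' }
        StartMode = if ($svcs) { @($svcs.StartMode) -join ',' } else { '-' }
        Account   = if ($svcs) { @($svcs.Account) -join ',' } else { '-' }
        Expected  = $ExpectedPorts -contains $conn.LocalPort
    }
}

$report | Format-Table -AutoSize

# Surplus surface: listeners the host's role does not call for. Those started
# automatically and running as LocalSystem violate both "off by default" and
# "minimum privileges", so they are the first candidates to disable
# (Set-Service -Name <name> -StartupType Disabled) or to move to a less
# privileged account.
$surplus = @($report | Where-Object { -not $_.Expected })
$worst   = @($surplus | Where-Object { $_.StartMode -match 'Auto' -and $_.Account -eq 'LocalSystem' })
Write-Output ("{0} unexpected listener(s), {1} of them automatic and running as LocalSystem" -f $surplus.Count, $worst.Count)
```

Run it once on a freshly built machine to record the baseline, then again after deployment: any new row that is not Expected is either a feature that should have stayed off by default or a change that the operations team needs to know about.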