In 2002, Bill Gates wrote an email to all Microsoft employees that made trustworthy computing – including security, privacy and reliability – the top priority for the company. Ten years on, Microsoft continues its dedication to these objectives, which we refer to as the Trustworthy Computing initiative.
The objective is to improve our products and processes, and to provide transparency about what we do. It’s not about marketing assurances or slogans. It’s about our culture as an organisation, and allowing people to make informed decisions about trust as it relates to their own individual context.
Security Development Lifecycle
One of the best-known outcomes of the trustworthy computing culture at Microsoft has been the implementation and publication of the Security Development Lifecycle, which incorporates privacy by design. It is a company-wide, mandatory continuous improvement policy. As well as being used within Microsoft, it is openly available for analysis, constructive criticism, and industry adoption.
There is strong evidence that the Security Development Lifecycle has made a difference. Products developed using this methodology have delivered more secure and private computing experiences. For example, in 2002 Microsoft had the highest total of security vulnerability disclosures across its product portfolio. But in recent years the company has moved down the list even while the product portfolio has grown. This is illustrated on the chart below, and further details are available on the Microsoft Security Blog should you be interested.
Security Intelligence Report
A fundamental part of the Trustworthy Computing vision is that it would involve collaboration between businesses, governments and individuals to achieve safer computing experiences within a dynamic, changing and increasingly complex threat landscape. This requires the sharing of information about security threats and vulnerabilities. As part of this dialogue, Microsoft publishes a Security Intelligence Report twice a year to publicly share its experience and aggregated data from 600 million computers around the world. The analysis by operating system version continues to indicate that the malware infection rate on Windows 7 SP1 PCs is less than half that on Windows XP SP3 PCs, which could be attributable at least in part to security improvements over time.
The report also includes a breakdown of computer security trends in NZ. New Zealand continues the trend of less malware on computers than the global average, with the data showing a malware detection rate of 0.4% for Windows PCs, compared to a worldwide average of 0.7%. That is a good result, but there is still room for improvement – the nations with the lowest infection rates continue to report roughly 50% to 75% fewer infections per computer than NZ.
Trust relating to cloud services
As organisations consider cloud computing to simplify and save costs, they want to know what it means for security and privacy. Microsoft has applied the Security Development Lifecycle to our cloud services, and we provide transparency to help people make reliable comparisons. Microsoft has attained certification to the ISO27001 security standard for the Office 365, Windows Azure core, and Dynamics CRM Online cloud services, and we have publicly disclosed detailed information about the security controls used in these services through the Cloud Security Alliance’s STAR registry.
The Office 365 service has been granted an Authority to Operate under FISMA, and Microsoft signs the European Union Model Clauses and a Data Processing Agreement for data protection, and a HIPAA Business Associate Agreement for health information, to meet customer requirements for that service.
Protecting consumers is a critical part of the Trustworthy Computing vision. As well as hardening software and services against direct attacks, Microsoft is also working to raise awareness about the importance of keeping all software up to date with security patches as they are released, and to reduce the impact of scams that lead people to compromise their own safety. We’re proud to work with Netsafe, which is a fantastic advocate for these issues in NZ. Public awareness of these last two aspects could prevent the vast majority of today’s malware infections, so everyone has a role to play in helping keep their friends, family, colleagues, and clients a little safer online.
As part of protecting individuals from software scams, Microsoft released an anti-malware product for Windows known as Microsoft Security Essentials, which is free for households and small businesses (up to 10 PCs).
With Internet Explorer 9, the SmartScreen website reputation filter was extended to also check the reputation of downloaded programs. Warnings appear only when there’s a significant risk. SmartScreen is now preventing more than 20 million malware infections worldwide per month for people using Internet Explorer 9.
Microsoft is continuing its commitment to Trustworthy Computing and we hope to see broad adoption of this approach across the industry over time.
Article by Waldo Kuipers, Corporate Affairs Manager, Microsoft New Zealand Limited