Keeping computer systems out of locked rooms

Remove all the wires from the company’s computers so employees can’t access the Internet, and keep the systems in a locked room. That is the ultimate in computer security, said Peter Biddle, technical evangelist at Microsoft Corp.

But because this is not a workable solution, Biddle outlined a complete Windows-based computer security and content protection architecture at the recent Windows Hardware Engineering Conference and Exhibition (WinHEC) 99 in Los Angeles.

“If you look at the current climate of the way things are going in the PC industry today around trust, around how many people trust the Internet, how they trust e-commerce, how they trust their devices and how they trust corporations – it’s very murky,” he said. “Obviously there’s a need for some technology here to address the problem of privacy.”

According to Biddle, trust comes in two flavours – software-based and hardware-based.

“The traditional way of looking at things is that hardware automatically gets you better security. Obviously that’s wrong,” Biddle said. “Properly implemented hardware can get you better security but it’s not a guarantee.”

Software also plays a key role in security, he added, and for this reason, Microsoft is hoping to work with many other companies, particularly major OEMs, hardware manufacturers, software makers, content providers and privacy advocates, in order to build secure systems.

Such collaboration, according to Microsoft, will allow companies to offer their customers functionality that isn’t possible today, from trusted anonymous transactions to Web-purchasing to authentication of systems that can’t otherwise be known to be completely trustworthy. System administrators will start locking down networks in ways that aren’t possible today, while end users can shop with improved privacy.

Terence Spies, software design engineer in the Windows 2000 group at Microsoft, spoke of how the upcoming OS will allow other vendors to integrate their products to ensure higher levels of security. For example, he pointed to the Windows 2000 Public Key Infrastructure (PKI).

“This system for adding public key certificate and security for Windows we have through certification services, through enterprise control of policy on client machines and then throughout the entire systems, supports the public key security protocol,” he said. “The public key certificate allows you to prove your identity in such a way that just with a piece of data a server can say, yes, that’s the person I’m actually talking to.

“The PKI system allows machines to prove their identify, allows users to prove their identity,” he said. “It enables hardware-based security so the easiest way to do this…when Windows 2000 is deployed is through smart cards,” he said.

“As well, the Windows 2000 PKI is entirely centre-based throughout, which means rather than building a closed system which allows us to have this high degree of security within a Microsoft system, we’ve instead built a system so that third-party PKIs can be integrated so the system really plays well on the Internet,” he said.

But whether Microsoft’s approach to other vendors is a good move depends upon the perspective of the user, according to Richard Morochove, president of Morochove & Associates Inc. in Toronto.

“Right now if someone wants to access a secure database on another system, the most common security method is password control,” he said. “You have your end-user ID password and if it’s correct you’re in. That doesn’t necessarily prove that it’s you because if the hacker has stolen your user name/password combination, that hacker could be thousands of miles away on the Internet and logging in on your ID.”

But if passwords are integrated with a hardware security system, users have to provide user names and proper passwords, plus they have to be coming from a particular piece of hardware that has been identified, Morochove said.

“That way the hacker not only has to know your name and your password, but also has to be at your machine, which is a lot harder,” he said.

So what should be done to address this increasing computer security problem? Morochove offers this advice: “From the developer perspective, realize that security is more than just a software issue – it’s becoming a hardware issue,” he said. “And it’s important to keep up to date, not only with what Microsoft is doing with Windows 2000, but also with what Intel and other vendors are doing on the hardware side to make a holistically secure system.”