Length: 10.22 minutes; File Type: Windows Media Video; File size: 17.5 MB
Hello and welcome to a new edition of Voices. I’m Joaquim Menezes, Web Editor at IT World Canada, and our “Voice” today is John Weigelt, chief security advisor and privacy compliance officer at Microsoft Canada. I interviewed John at the 15th World Conference on Disaster Management held recently in Toronto. John was a speaker at the conference.
John you play a dual role at Microsoft with responsibilities that relate to security as well as privacy compliance. Do you see your two roles as complementary? And what are some of the differences?
Well I think privacy and security are very complementary. Certainly when we look at trust and systems, people consider privacy and security on the same continuum. Is my information safeguarded, is my personal data protected? And so, when you bring those together people will mesh them for their trust decision. It’s important to recognize the differences between the two. You certainly can have security without privacy, but you can’t have privacy without security. And so you need to rationalize that within your own mind when you go into providing solutions and services for your customers.
Attacks on enterprise systems often succeed because malicious users find vulnerabilities in the software before companies discover them themselves. What are you all doing at Microsoft to enhance the security and trustworthiness of your offerings across the board?
Sure. So at Microsoft we have a number of very bright people that understand how we have developed our code and understand the programs that we built. And after we ship a product many of these people are actually paid to go in and try to beat up on our software. So they will go, day after day, trying to find vulnerabilities in that software. And we are finding that 90 per cent of those vulnerabilities that are disclosed to the public are from our internal teams. There is still that 10 per cent found by bright people in the community, and we are encouraging that community to responsibly disclose that information to us. So share that information with us first, so that we can properly fix the problem if a problem indeed exists, or investigate that problem, and then provide that update to our clients, so that they are safeguarded when that vulnerability is disclosed.
But John, as you pointed out yourself at a previous conference, malicious users often reverse engineer some of the updates that Microsoft has been doing. How would you deal with such a situation, how do you stay ahead of the curve?
So there is something that you can do immediately today to stay ahead of the malicious users. You’re right: The time of the malicious user reverse engineering the code to find the vulnerability and create an exploit is reducing, and so turning on automatic updates — or if you are an organization having an update strategy where you can rapidly deploy updates — will safeguard you in the first instance. But malicious users are continually innovating and so we need to innovate as well. And so, we at Microsoft are looking at our entire product suite and trying to find ways where we can obsolete whole classes or whole categories of vulnerabilities. Things like buffer overflows. Can we architect our systems so that our buffer overflows are a thing of the past? And by putting these “isolation” and “resilience” technologies into our platform we hope to make some of those common exploits today a thing of the past and prevent that escalating arms race, let’s call it, or that race to exploit.
Security is sometimes seen as an impediment to business – something that has to be done, but is really a headache or a hindrance. So how does one go about explaining to skeptics that security can actually play a positive role in business?
It’s a big challenge to try to get the business manager engaged with that security discussion. And typically, what I found is in engaging that business decision maker, the gloom and doom scenario only has a limited lifecycle. And certainly it accelerates when something happens to an organization. So something will happen; the business decision-maker may be upset about that, will invest and then move on from there. But it doesn’t allow for that systematic approach. I think when you start looking at today’s technologies and today’s innovations, things like wireless access, the mobile worker environment, voice over IP, Internet commerce, the ability to take devices into crisis areas…In Indonesia, for example, wireless access points were airlifted into the site and used for disaster recovery efforts; without the security technologies to bolster that infrastructure, those technologies would not have been as useful as they are. And so it is coming to the business decision maker and challenging them to dream about that next level…that next step. And showing how security is that foundation to grow that solution on really helps move that forward.
You once referred to a saying that you heard in your previous life in government that the CIO has his foot on the gas and the CSO on the brake. How may this so-called conflict between these two important executives be resolved in such a way that they play a complementary rather than a contradictory role?
Right. CSOs and CIOs often have disagreements about what level of security you need, what level of assurance you need. And it really gets down to organizational governance. So how do you govern your business? And I have been a strong proponent for having the business management owner, the business process owner own security and privacy for their business process because there is a great challenge when you deliver services across multiple channels. And so once the business manager is accountable for the security, privacy and availability of the solutions, the CSO and the CIO become very complementary in supporting that business customer.
John you’ve spent many years in government before joining Microsoft. I’d like your take on the Canadian government’s security policy.
Well, Canada leads the world having defined a government security policy. And a security policy that cuts across – I would argue – all the elements of security – personnel security, physical security, IT security, procurement security and contracts. So the GSP, the Government Security Policy, provides a great foundation from which to build your security processes or activities. The Government of Canada has gone one step further with the Management of IT Security standard, where they have tried to provide additional detail on what that policy means. Because policy tends to be very high level. The Management of IT Security standard provides more granular advice and guidance, and that will then stem more standards.
Microsoft offers quite a few tools, built into your systems, for securing the environment such as encrypting file systems, access control lists and so on…Yet anecdotal evidence suggests that many people don’t use these features. What’s the reason for that and how do you go about educating people that this is important?
For the most part, people will keep to those functions that they absolutely require for their job function. And they won’t often stray outside of that known set of functionality. And that’s where things like encrypting file systems…it’s a shame that not more people know about that…So what we’ve done in our trustworthy computing initiative is we’ve taken a look at that guidance and advice that we give