Gates: Security challenges to grow despite Vista

Though Microsoft has made leaps in security over the years, even more challenges lie ahead as additional devices go online, company executives said yesterday.

Only last week, Microsoft released Windows Vista and Office 2007, promoted as the most secure versions of the operating system and productivity products yet. And it has been nearly five years since company chairman Bill Gates sent out his "Trustworthy Computing" memo, which said the software maker was turning its focus to security. But that doesn't mean Microsoft products are now watertight, said Craig Mundie, chief research and strategy officer at the company.

Speaking at the RSA Conference in San Francisco, Mundie said in a joint keynote speech with Gates: "This won't make [the products] perfect. The challenges we face in building our products, and the challenges everybody faces in administering and using them, is that humans are humans and they make mistakes."

As more devices connect to the internet, and as people demand access to data from anywhere, the security job will only get bigger and more complex, said Mundie. "This challenge is going to get a lot tougher," he said.

Security from A to Z

Click on the links below to find out more...

A is for Antivirus
B is for Botnets
C is for CMA
D is for DDoS
E is for Extradition
F is for Federated identity
G is for Google
H is for Hackers
I is for IM
J is for Jaschan (Sven)
K is for Kids
L is for Love Bug
M is for Microsoft
N is for Neologisms
O is for Orange
P is for Passwords
Q is for Questions
R is for Rootkits
S is for Spyware
T is for Two-factor authentication
U is for USB sticks/devices
V is for Virus variants
W is for Wi-fi
X is for OS X
Y is for You
Z is for Zero-day

Not all the pieces are in place yet for people to be able to freely and securely tap into online data while on the move, said Mundie. But solutions to the challenges are beginning to emerge, both on the side of internet infrastructure - in servers, routers and switches, for instance - and in individual devices.

He told the audience at the security conference: "We will build this model of seamless, easy access across all these devices. But we're not really there yet. We're on the path to this future world."

Microsoft is pitching IP version 6, the next generation of the internet protocol, and IPSec, a suite of protocols for securing IP communications, as part of the solution. Windows Vista has IPv6 built in, as does the upcoming Windows Server Longhorn release, which also supports IPSec.

IPv6 is designed to support a broader range of IP addresses, as the IP version 4 addresses currently in use are becoming scarce. The new protocol will not only let more devices connect, it will also allow the use of fine-tuned security controls, since each device will have its own address, Mundie said. He said that features in Windows XP and Vista will help people move to IPv6.

Mundie said: "There really isn't a challenge, in our view, in moving to the IPv6 infrastructure. You don't have to contemplate some gargantuan infrastructure change."

Securing the actual data is another important piece in the puzzle, Gates added. He pitched BitLocker, a disk drive encryption feature in the higher-end version of Vista, as a way to lock down the data on a PC.

In addition, for businesses, rights management systems can help control the flow of confidential data, he said. For example, companies can use such rights settings to limit who can forward or open certain email messages, reducing the risk of data loss, Gates said.

Then came a familiar message from Microsoft: eliminate the weakest link in the computer security chain by getting rid of passwords. Gates told the RSA crowd that he now has the right weapons to supplant the password as a means of verifying who is who on computers and over the internet.

He said: "Passwords are not only weak - passwords have the huge problem that if you get more and more of them, the worse it is."

In Vista, Microsoft introduced Windows CardSpace for consumers to use instead of passwords. CardSpace is an application designed to represent an individual's wallet, holding different cards to use for identification in online transactions.

Mundie said: "That is one of the things that is in the Vista system. I think people are going to have to acclimatise to it."

For authentication in businesses, the software maker is promoting products such as its Identity Lifecycle Manager 2007, set for release in May. Gates said: "We think this is the milestone where enterprises should start the migration from passwords to smartcards."

Joris Evers writes for CNET News.com