Windows Server 2008 and other Microsoft releases are benefiting from Microsoft's Trustworthy Computing initiative, with more emphasis placed on security and testing at every stage in its development lifecycle, delegates at the RSA Conference Europe event heard this week.
Ben Fathi, corporate vice president of development for Windows at Microsoft, said that over the past five to six years, there had been a “major cultural shift at Microsoft” as Trustworthy Computing practices had become established.
He told delegates: "The single biggest thing that has changed at Microsoft is the security development lifecycle, how to develop secure software, every single product goes through this cycle."
The cycle has six stages – requirements, design, implementation, verification, release, response – and security is part of every stage. Ethical – or white hat – hackers are even used to try and break into the products.
These efforts have caused product delays, Fathi said.
"Last year we pulled three launches back because we weren't happy with the security of the product," he said. “These products were sent back to the products teams. This affected the release cycle but it was the right thing to do for our customers.”
Windows Vista had “lived up to promises” of Trustworthy Computing initiative as the operating system has recorded 60% less malware than Windows XP, Fathi said.
And Fathi talked up the key security features that will come bundled with Windows Server 2008. These include hypervisor virtualisation technology, which allows server virtualisation in a single machine but ensures each virtual machine is separate to reduce security risks. The technology competes with VMWare’s offering, Fathi said.
Encryption technology BitLocker, which was originally designed for laptop security, will also be included in the server operating system. Fathi said users had commented that the technology would also be useful for enterprises with branch offices as a way to protect servers.
Network Access Protection, a technology that restricts unpatched systems or those with out of date software from accessing network resources, will also feature in the software, said Fathi.
But such technologies were only one piece of the security puzzle, Fathi said.
“We always talk about technology, but there are three aspects to manage security – technology, people and processes. You have to have all thee working here together, otherwise businesses won’t address the data privacy needs of customers. And customers are going to vote with their feet. If a company abuses private information then customers won’t buy products from companies any more. Businesses must deal with data privacy in order to keep the customer happy.”
Last year Microsoft merged its security technology unit, previously headed up by Fathi, into the Trustworthy Computing initiative as part of a concerted effort to improve security processes.