Microsoft: You can’t treat the data centre as a glass house

Even Microsoft’s IT department has struggled to keep corporate data secure, executives admitted at the RSA Conference in San Francisco this week.

Speaking via Webcast at the annual gathering of security professionals, Microsoft chairman Bill Gates and chief research and strategy officer Craig Mundie discussed how changes in its upcoming server product, along with the industry’s gradual move to Internet Protocol version 6 (IPv6) will address some of the difficulty enterprises face in locking down their IT systems.

Gates described the traditional corporate data centre as a “glass house” that was treated as an isolated area to be protected. That approach no longer works, he said.

“We used to say, ‘Let’s have one boundary and perimeter and use that (as our focus for security),’” he said. “If we look at what goes on, though, you have consultants come into your company or employees not on site but who still need access to the information.”

Mundie said companies have traditionally viewed security as a way of keeping some people out and letting others in. Enterprises are asking for much more granular control than that, he said.

“We need to create a way of describing security by policy, not topology,” he said. “Can I get at this segment, this IP address, that IP address? The demands are really for a lot more flexibility, not just in the parts of the network you control but the parts you can’t.”

Microsoft has tried to use IPsec, a set of protocols for authenticating and encrypting each IP packet in a data stream, to secure its own internal IT systems, but expressing its security policies in IPsec configuration required coding more than 4,000 rules, Mundie said.

“The poor IT guys came back and said, ‘Hey, this is technically possible, but it’s damn near impossible to keep up with,’” he said. “Given that people will make mistakes, it’s got to get a lot simpler.”

When Microsoft releases its next server product later this year, it will collapse the number of rules to govern the IPsec mechanism down to 40, which should save enterprises some time, Gates said. In the meantime, the Intelligent Application Gateway Microsoft gained through its acquisition of Whale last year would be a “tool to walk down this path,” Mundie said.
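What “policy, not topology” looks like in the connection security rules of Windows Vista / Windows Server 2008 (the `netsh advfirewall consec` context), as an added illustration that is not code from the article or from Microsoft: one rule states the policy for every endpoint pair, and the only address-specific rule is the exemption for the infrastructure a client must reach before it can authenticate. The addresses are hypothetical; the commands are typed at an elevated command prompt or PowerShell window on a domain member.

```powershell
# Added example, not from the article or from Microsoft: an IPsec "domain
# isolation" policy as two Windows Firewall with Advanced Security connection
# security rules. Addresses below are assumed.

# Rule 1, the policy itself, topology-free: for any endpoint pair in the domain
# profile, require IPsec authentication (computer Kerberos) on inbound
# connections and request it on outbound ones. A consultant's laptop that cannot
# authenticate to the domain cannot reach domain members; an employee's
# domain-joined machine can, from whichever segment or address it is on.
netsh advfirewall consec add rule name="Domain Isolation" endpoint1=any endpoint2=any action=requireinrequestout auth1=computerkerb profile=domain enable=yes

# Rule 2, the one topological fact the policy cannot avoid: clients must reach
# the domain controllers / DNS in the clear before Kerberos can succeed, so
# those addresses are exempt. 10.0.0.10 and 10.0.0.11 are assumed DC addresses.
netsh advfirewall consec add rule name="Exempt DCs and DNS" endpoint1=any endpoint2="10.0.0.10,10.0.0.11" action=noauthentication profile=domain enable=yes

# Review what is now in force.
netsh advfirewall consec show rule name=all
```

The rule count stays at two however many segments or addresses are added to the network, which is the point Mundie is making: the per-address rule set that grows with topology is replaced by a statement about who may talk to whom. `requireinrequestout` is the usual server-side setting; clients are often given `requestinrequestout` so they can still talk to hosts outside the policy, and the exemption list is the rule to keep short and audited.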

The two men also said IPv6, which has been primarily touted as a way of increasing the number of addresses for devices to connect to a network, will provide more capabilities to establish point-to-point management of information security. Microsoft started building in support for IPv6 back in 2001 when it launched Windows XP, Mundie said, and its latest products have been adjusted to work not only in a hybrid environment of IPv4 and IPv6, but also a native IPv6 environment for those in “extreme need” of the security and addressability features.

“Enterprises won’t have to contemplate some gargantuan change,” Mundie said.

Marc Blanchet, principal of Viagenie, a Quebec City research firm specializing in IPv6, said migration to IPv6 has been slow in part because companies have not recognized its advantages. That said, he did not see it as the core foundation of a more secure enterprise.

“It’s not a panacea, it’s not a revolution, but it’s an enhancement,” he said. “A lot of people look at it as, ‘IPv6 is not my problem, it’s the community or the Internet at large’s problem.’”

Gates and Mundie also said Microsoft is working on a proof-of-concept that integrates Windows CardSpace (formerly InfoCard) with OpenID, the open, decentralized identity standard, in order to better protect Web 2.0 environments.

RSA Conference 2007 continues on Wednesday.
