'Trustworthy' plan plods uphill

Computerworld - Wednesday will mark the one-year anniversary of the day that Bill Gates decreed, via a companywide memo, that "Trustworthy Computing" would be the highest priority for all the work Microsoft Corp. employees do (see story).

Plenty of hurdles still lie ahead for Microsoft as it tries to strike the proper balance between ensuring the security of its software and pushing out the sort of innovative, increasingly scalable and more complex products it needs to keep its business thriving.

"There is always a trade-off between new functionality and security exposures, and a perfect example of that is BSD," said Andre Mendes, chief technology integration officer at the Public Broadcasting Service, referring to the BSD Unix operating system. "It is fairly secure, but it is also fairly devoid of any but the simplest of operating system functionality."

Craig Mundie, chief technical officer of advanced strategies and policy at Microsoft, likened the technological challenge Microsoft faces to "chasing a rocket ship."

"We continue to scale up the capability of the systems. As they get bigger and bigger, complexity mounts, and to some extent, those things all work against the idea that, well, can we really get this thing stabilized and improved?" Mundie said. He said he worries about maintaining the balance "between having to make the product and the business go forward and trying to lock it all down."

"If things weren't moving, it would be easier," Mundie said. "But they have to keep moving, or there would be no business."

Looking at it from a business management standpoint, he noted the challenges the company faces in coming up with audit measurements to ensure that "the effort doesn't dissipate," especially since it could take 10 to 20 years to achieve technological success. Yet another problem is the testing issues the company confronts when it decides that it needs to make a security fix that will affect a system as large as Windows, Mundie said.

Several IT managers said they think Microsoft's Trustworthy Computing progress should be judged based on the number of vulnerabilities they see in future releases. But many customers may continue to use older products that haven't been the focal point of Microsoft's security push.

"In the short term, I'm resigned to an increasing cycle of patches and updates to existing systems that my already overwhelmed technicians have to implement," said Paul Lanham, senior vice president and chief technology officer at Jones Apparel Group Inc. in Bristol, Pa. "I'm hoping that the next generation of products from Microsoft addresses these issues so that there is a reasonable balance between the features that customers insist upon and basic security measures in the products offered."