Ron Grattopp… Most of you know one of my recurring themes is security, specifically the platform security that we provide that’s industry-leading. And it’s that industry-leading platform security that I regularly remind you should be a key selling factor in your customer conversations. But you also know that wasn’t always the case; in fact, back in the day (aka the ’90s) it was popular (and not all that unreasonable IMHO) to call Microsoft security an oxymoron. But, of course, that has changed, and we can trace the start of it to January 15th, 2002, when BillG sent out his now famous “Trustworthy Computing” (TwC) memo, announcing a strategic change in direction for Microsoft platform development around the 3 key pillars of: Availability, Security, and Privacy.
In that memo Bill stated: “Trustworthiness is a much broader concept than security, and winning our customers’ trust involves more than just fixing bugs and achieving “five-nines” availability. It’s a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It’s about smart software, services and industry-wide cooperation…Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.” – I call that vision.
So essentially, TwC celebrates its first decade in a few days, and we (Microsoft) are now at a level of platform security that, as I mentioned above, is industry-leading. And, I believe, to a great extent, we are fulfilling Bill’s vision of providing “self-managing” and “inherently resilient” systems as well as being able to manage ever larger networks of computing systems and intelligent devices, especially as we continue to grow and lead in the cloud space.
One of the key foundations, or outcomes, of TwC was the implementation of the Secure Development Lifecycle (SDL), which put us on the track to making our products “secure by default” (which was one of the reasons Vista’s UAC was instituted - it was our first OS edition developed under the SDL paradigm). The SDL was instituted as a corporate-wide policy, and there was a major, comprehensive code review and re-training of our in-house developers to focus on the trustworthy aspects of coding, which from that point on took precedence over the previous paradigm of feature/functionality priority. The famous “Writing Secure Code” book was published to support that effort. It’s the SDL development paradigm that has shaped our technology ever since and is what gives us the edge from a secure platform perspective that I have mentioned in many past posts. We also implemented the Strategic Technology Protection Program that helped us ensure we could continue to detect and prioritize fixing those things that were most important to maintaining a trustworthy computing environment. I would encourage you to read the BillG memo if you have a few minutes, as well as this feature story on the Microsoft News Center. But I want to point you to the Trustworthy Computing portal (see screenshot below) where you can find more info on the History of Trustworthy Computing at Microsoft as well as key links to other related security content such as the Microsoft Security Intelligence Report, or MSIR, (which I’ve referred to in previous posts) and TwC Next and something called the Microsoft Computing Safety Index. And finally, here’s a short post, Ten Year Anniversary of Trustworthy Computing and Privacy blog, that I think does a nice job of highlighting the importance and attention to “privacy” that is a key part of the TwC initiative.
So, happy birthday TwC, and may you live long and prosper as we move into the era of the cloud!!