Newsmaker: Microsoft security chief looks beyond Vista

(continued from previous page)

Q: So the Vista delivery is Nash's responsibility and you're looking more into the future?
Absolutely, and that's why this was a natural point in time for us to transition.

Q: Is there's anything that you can tell us about what's on the horizon when it comes to security at Microsoft.
We are concentrating on what Bill Gates talked about in February at the RSA Conference. There are four areas to our security vision: a trust ecosystem; engineering for security; simplicity; and fundamentally secure platforms. We have done a lot of investments in all of those areas, and I'm going to continue those investments.

Look at, for example, the trust ecosystem, the first step in that was delivering Active Directory Federation Services in Window Server 2003 R2. The next step, and we've done some of this in Vista, is adding things like certificate lifecycle management, so enterprises can manage digital certificates. InfoCard is also an example.

In terms of engineering for security, that's all about the Security Development Lifecycle. It applies to all of our products, not just Windows, obviously. But what we're finding is that we need to make the SDL (Security Development Lifecycle) more agile with things like MSN and Windows Live having very short development cycles and needing quick updating.

We're also looking at productizing the SDL. I don't mean selling it. But we have a book that's coming out toward the end of the year (Editor's note: "The Security Development Lifecycle" came out June 1) and we've integrated some of the SDL features into Visual Studio. So...it's not just about Microsoft. It's about third parties also using it to improve the quality and security of their products.

Simplicity obviously includes the work we've done in the platform....Windows Live OneCare and Microsoft Client Protection are about security, but realistically they are about manageability; they are about services to improve the simplicity of managing your system, whether it's your home system or enterprise security.

Finally, a fundamentally secured platform, that's the part I feel I will be reviewed on. It is about taking a lot of our investments in the platform itself and Windows and improving them.

Q: About Vista, one criticism we have heard based on early releases is that security is going to be annoying and disruptive, not simple. That goes against one of your four tenets.
Absolutely. A lot of those comments come from the December community technology preview build of Vista, which had a lot of disruptive dialogues and pop ups. We've spent a huge amount of time removing as many of those dialogues as possible, so we've significantly reduced the amount of annoyance. Between Beta 2 and RTM, we're going to continue doing that.

Q: There have been a number of acquisitions, most recently of SSL VPN provider Whale Communications, to help Microsoft become a security provider, selling security products. With your engineering background, do you see Microsoft developing more security products itself, rather than purchasing external technology?
You're going to see some of each. Three years ago we were coming into the security business and adding security to our products. We wanted to get a quick headstart. We're going to look and see if there are any innovative ideas from start-ups or from others that we can use to augment what we're doing, but we also continue to build in-house.  

More Newsmakers