
Scott Charney
Corporate Vice President, Trustworthy Computing
Microsoft Corporation

Social: Enabling a global village
Economic: Easier, faster, cheaper commerce
Political: Freer exchange of ideas

• Loss of data subject control over information
• Rise in identity theft
• Targeted attacks against businesses & governments
• Increases in other types of online and tech-facilitated crimes

• Users must be empowered to make informed trust decisions (including accepting the risks of anonymity)
• Strong identity claims and reputation must be available to enhance security, privacy, and trust
• Better accountability must be created to deter crime and facilitate responses

© 2008 Microsoft Corporation

Exponential Growth of IDs
Identity and access management challenging
[Chart: number of digital IDs over time (Pre-1980s, 1980s, 1990s, 2000s); labels: mainframe, client/server, Internet, mobility, B2E, B2B, B2C]

Increasingly Sophisticated
Anti-malware alone is not sufficient
[Chart: number of variants from over 7,000 malware families (1H07). Source: Microsoft Security Intelligence Report (January – June 2007)]

Crime On The Rise
[Chart labels: National Interest, Personal Gain, Personal Fame, Curiosity; Script-Kiddy, Amateur, Expert, Specialist; Spy, Thief, Trespasser, Vandal, Author; callouts: largest segment by $ spent on defense, largest area by $ lost, fastest growing segment, largest area by volume]

Attacks Getting More Sophisticated
Traditional defenses are inadequate
[Diagram layers: GUI, Applications, Drivers, O/S, Hardware, Physical; examples: Spyware, Application attacks, Social engineering]

Trustworthy Computing

Security
• Secure against attacks
• Protects confidentiality, integrity & availability of data & systems
• Manageable

Privacy
• Protects from unwanted communication
• Controls for informational privacy
• Products, online services adhere to fair information principles

Reliability
• Dependable, Available
• Predictable, consistent responsive service
• Maintainable
• Resilient, works despite changes
• Recoverable, easily restored
• Proven, ready

Business Practices
• Commitment to customer-centric Interoperability
• Recognized industry leader, world-class partner
• Open, transparent

Security Development Lifecycle process
• Engineered for security
• Design threat modeling

SD3:
• Secure by Default
• Secure In Deployment
• Automated patching and update services

Malware Example
• Consumer Education
• Laws
• Firewalls
• Antivirus Products
• Antispyware Products
• SPAM (Sender ID, Phishing Filters)
• Memory Management (ASLR)
• Network Access Protection (NAP/NAC)
• Law Enforcement

Microsoft Security Response Center (MSRC)
Microsoft Malware Protection Center (MMPC)
Windows Live OneCare and Forefront Client Security, powered by the Microsoft Malware Protection Center
Malicious Software Removal Tool

Core Security Components “I+4A”
• Identity Claims
• Access Control Mechanisms
• Audit

Trusted Stack
• Trusted Data
• Trusted People
• Trusted Software
• Trusted Hardware

Secure Foundation
• Integrated Protection
• SDL and SD3
• Defense in Depth
• Threat Mitigation

• Reduce types and severity of threats (e.g., de-value PII and reduce ID Theft)
• Create accountability for online crime
• Enable greater, safer personal Internet usage
• Enter new markets, expand Internet presence, and collaborate with partners and customers while reducing costs and risks
• Improve public safety and national security efforts, including disaster response (e.g., priority routing)

Successful end-to-end trust needs solutions aligned with
• Societal values
• Market forces
• Regulatory environment

These ideas, raised by many before, have not been implemented, in part because of misalignment

We must come together to change the status quo, and find ways to address international barriers to implementation

Economic Forces
Social Requirements
Political/Legislative

Core Security Components “I+4A”
• Identity Claims
• Authentication
• Authorization
• Access Control Mechanisms
• Audit

Trusted Stack

Secure Foundation
• Integrated Protection
• SDL and SD3
• Defense in Depth
• Threat Mitigation

www.microsoft.com/endtoendtrust

We need a broad dialogue on
• Technology Innovations
• Economic Forces
• Political Standards
• Social Change

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
