Report card: MS Trustworthy Computing

Most administrators are familiar with the Bill Gates e-mail distributed in January that outlined Microsoft's new strategy for better securing its software. The initiative was labeled "Trustworthy Computing."

Now that eight months have passed, it seems fitting to grade Microsoft on its progress toward providing a Trustworthy Computing environment.

Call to arms
On January 15, 2002, at 2:22 p.m., Gates sent an e-mail with the subject, Trustworthy Computing, to Microsoft's 50,000 employees. Gates is not known for distributing companywide e-mail messages, so this one got a lot of notice.

In the e-mail, Gates called for Microsoft's designers, programmers, and testers to place a higher priority on developing secure and reliable systems than on building enhancements and adding features.

"Trustworthy Computing is the highest priority for all the work we are doing," Gates wrote as he outlined the new company focus on availability, security, and privacy.

Over the past eight months, Microsoft reportedly has spent more than $100 million enforcing its Trustworthy Computing policy. This is a significant investment, even for a company that reportedly has more than $30 billion in cash reserves.

Microsoft used the money to conduct an extensive security review of many Microsoft products, even going so far as to halt development work by more than 8,500 Microsoft engineers to facilitate an intensive vulnerabilities analysis of millions of lines of Windows source code. Of course, the work has really just begun, especially when you consider that Craig Mundie, Microsoft's senior vice president and CTO of advanced strategies, recently stated, "It may take us 10 to 15 years to get there, both as an industry and as a society."

The categories and definitions that I'm going to use to grade Microsoft on its Trustworthy Computing progress come directly from its own Trustworthy Computing White Paper, published in May 2002. The following eight categories are outlined in the white paper:

• Security. Steps have been taken to protect the confidentiality, integrity, and availability of data and systems.
• Privacy. End-user data is never collected and shared with people or organizations without the consent of the individual. Privacy is respected when information is collected, stored, and used consistent with Fair Information Practices.
• Availability. The system is present and ready for use as required.
• Manageability. The system is easy to install and manage, relative to its size and complexity. (Scalability, efficiency, and cost-effectiveness are considered to be part of manageability.)
• Accuracy. The system performs its functions correctly. Results of calculations are free from error, and data is protected from loss or corruption.
• Usability. The software is easy to use and suitable to the user's needs.
• Responsiveness. The company accepts responsibility for problems and takes action to correct them. Help is provided to customers in planning for, installing, and operating the product.
• Transparency. The company is open in its dealings with customers. Its motives are clear, it keeps its word, and customers know where they stand in a transaction or interaction with the company.

Of course, to get an accurate picture of how Microsoft has progressed in recent months, it's important to look at how the company was doing prior to the new initiative. The table below provides a report card on where Microsoft was in December 2001 and where it is in October 2002.

The December 2001 report card paints a less than satisfactory picture of Microsoft's overall security record, which shouldn't surprise anyone. After all, security had to be a huge issue with Microsoft products to prompt the company's leadership to make such a bold move.

Our current report card shows that Microsoft has made modest improvements in the categories of security, availability, and manageability. These improvements manifest themselves as deployments of Windows 2000 and Office XP continue to increase. Security and availability gains also are a direct result of Microsoft's Windows Update service improvements.

Areas that failed to show improvement included privacy, usability, and transparency. These grades were largely dictated by Microsoft's questionable use of its Passport user registration data, an increase in dubiously named "helpful wizards," and continued litigation concerning the business's competitive business practices.

Noticeably missing from Microsoft's report card is an "A." Microsoft still has major improvements to make in relation to its Trustworthy Computing standards before it earns the highest marks of excellence.

Room to improve
Eight months after Bill Gates announced the company's Trustworthy Computing initiative, the grades are in. Overall, they reveal that Microsoft has made progress in certain areas, while some areas still have room for major improvement.

How much do you think Microsoft's Trustworthy Computing campaign has improved the security of its products? TalkBack below or e-mail us with your thoughts.