Last week, the Chief Security Strategist for Microsoft, Mr. Douglas Cavit, presented a webcast to the Information Systems Security Association titled “End-to-end Trust: Creating a more trusted Internet”. The presentation was a highlight of the Microsoft strategy found on their end2end website. Although the audience and speaker were security focused, it is interesting how slanted the presentation was towards privacy considerations. Creating an end-to-end trust implies having some knowledge of who you’re speaking with and how much you may rely on what they are saying.
History & Rationale
Mr. Cavit explained the new push behind the End-to-end trust initiative. The Internet empowers the end user, providing instant access to worldwide information and a freedom of expression capable of eliminating waste, eliciting transparency from governments and toppling dictatorial regimes. ”Blogging is the new town square,” he said during the presentation. For all of it’s benefits, however, the ‘Net’s threats originally prompted Microsoft’s Security Development Lifecycle (SDL) initiative. At the beginning the SDL centered on viruses crashing computers and the bad reputation Windows developed from poor coding practices. More recently though, the SDL and SD3 (Secure: by Design, by Default, in Deployment) work formed the basis in Microsoft’s view of how to tackle such issues as ID theft, child safety and combating zombies and botnets used in nation state attacks. Microsoft formed a strategy that all of these types of networked issues come down to trust, or the lack thereof, and the successful processes and procedures developed for dealing with security internally at Microsoft should be shared in the name of the greater good of the community.
Reputation in the Wild, Wild West
The parallel Mr. Cavit drew compared the current state of the Internet and the Wild, Wild West. It was easy in the mid to late 1800′s for an adversary to simply relocate to a different area, blend in and go unrecognized for the rest of their lives. This anonymity faded away over the next hundred years, with discoveries and wide range use of everything from photographs and fingerprints to car license tags and convenience store videos. With each passing decade, reputation grew in importance. A citizen’s fingerprint doesn’t typically show up in databases until after a crime or government service. A car’s license tag remains unremarkable and a driver may enter another area without real fear of tracking. However, once the vehicle becomes of interest because of say an Amber Alert, the plates proffer accountability and allow officials fast identification.
Basis for trust
What is the basis of trust? What cues define an entity that deserves respect? Those are two questions posed during the briefing. In a face-to-face meeting, people use all five senses in evaluating others. Visual clues such as excessive perspiration or an audible uneasiness in a speaker’s voice are tell tale reliability metrics in a physical meeting. There are simply no comparable attributes available in digital transactions. In the physical world, once someone establishes a reputation, it’s relatively static, following the individual in future job prospects, social circles and housing efforts. In a digital world, trust decisions are very dynamic and may be complete, limited, or untrusted. Online trust is also quite often unreliable.
Mr. Cavit suggests how to create trustworthiness online, with a basis that “must start with a strong root”. In Microsoft’s interpretation, that implies hardware, amounting to something such as the Trusted Platform Module, commonly referred to as the TPM chip. Microsoft calls this layering a trusted stack, and already touts the 64 bit version of Windows Vista as capable of securing up through the trusted applications layer. The next version of Windows (7) will include something called AppLocker. Similar to BitLocker, AppLocker controls what software may run in user mode, effectively creating application white lists.
Trusted data and trusted people comprise similar verification systems. To become a trusted person, one must apply in person, providing physical credentials expected to authenticate the individual. This would be similar to submitting your driver’s license or passport to a Public Notary for practically any legal document. Trusted applications writing data will access the trusted person’s digital credentials, verify the certificates and read and write digitally signed, thereby trusted, data. (I’m sure there are several caveats to these scenarios from a security and privacy standpoint, such as an illegitimate in-person verification either due to identity theft or maybe a bribed employee, compromised locally cached credentials or a newly discovered cryptographic algorithm flaw.) The trusted stack does serve as an academic starting point.
The biggest stumbling block and loudest opposition to the end-to-end sorts of activities described come from the loss of anonymity highlighted by privacy pundits. Mr. Cavit acknowledges the possibility for privacy protections exist, without delving much into too many details during the one hour presentation. The one area that he did cover surrounded identity federation, where a user has multiple credentials appropriate to separate tasks they’d like to accomplish online. One example presented was a bowling league card, a driver’s license and an over 18 validation marker on a driver’s license. Each of these ID’s are appropriate for completing specific tasks. Your league card probably won’t do much good if you’re stopped by a police officer, whereas your drivers license won’t necessarily show you paid the $50 bowling membership fee.
A federated identification system presents the correct credentials without exposing impertinent or inappropriate information, choosing the bowling league card at the lanes and the video rental card for the DVDs. The over 18 marker is of interest as Equifax apparently offers an I-card credentialing program to prove adult status without exposing any other personally identifying details to the requesting web site. Federated ID also avoids creating huge personally identifiable information (PII) databases. Cavit highlights a successful implementation of a federated credentialing pilot program at the Lake Washington School System.
Mr. Cavit echoed several of the discussion points found on the end-to-end website, where Microsoft further addresses “Anonymity and User Control”:
First, there is concern about how we protect anonymity (and the values that anonymity supports, such as free speech) in a more highly authenticated Internet. Most have addressed this issue by noting the importance of allowing users to control what they disclose and when, a very important privacy principle (i.e., user control). One commentator noted, for example, that “I imagine this won’t be perfect for a long time, but the last things I would want to see from these changes are lost privacies, and loss of control. The ultimate control should remain in the end-user’s hands.” Similarly, another commentator noted that people have the right to “own and control their identity” and “be anonymous while controlling their identity at the same time.”
Another sticking point with privacy advocates lies in auditing. In a trusted environment, every action must be attributable to someone. That attribution involves the who, what, when and where, which flies smack in the face of anonymity. Mr. Cavit proclaims that much of this information may be anonymized away for privacy protection, but still accessible later for investigations and prosecution. Challenges exist as there are no industry standard tools, collection processes or data formats. Lacking common policies, sharing audit information between multiple companies, or even sectors within a company, also presents liabilities as yet to be determined.
Risks and Rationale
Mr. Cavit described the risks associated with the Internet’s lawlessness. People are thinking twice about expanding presence or making futher Internet based decisions for risk of reputation problems. Teenagers are putting personal information on social sites without regard to the persistence of the Internet. Cavit specifically cited dating and feuds where teens want to highlight their perspective on a situation before someone else posts something slanted negatively. Botnets continute growing, and spam overloads 90% of the total mail traffic on the web. The presentation ended with Mr. Cavit’s ‘One Key Question’:
As we become increasingly dependent on the Internet for all our daily activities, can we maintain a globally-connected, anonymous, untraceable Internet and rely on devices that run arbitrary code of unknown provenance?
We now know the rationale/strategy behind Microsoft’s response. Mr. Cavit admitted that, essentially some anonymity must be relinquished for higher levels of trust, equating this fact several times to drivers licenses, automobile tags and video surveillance in today’s society. Cavit said, “Free speech is not the ultimate objective” of the End-to-End Trust inititiative. Rather, the objective should be allowing users the ability to balance anonymity with trust, to accept communications from unknown senders with full knowledge of the consequences. Microsoft hopes to “[e]nable law enforcement to find more criminals and thus increase deterrence,” with the “want to be able to prosecute” people who act maliciously on the Internet.
The 46 attendees asked Cavit several questions at the end of the presentation surrounding practicality, implementation, other participants in the trust initiative and the progress surrounding the federated anonymization. Currently there are 3 different bills in Congress discussing cyber defense and security, and most of the technology already exists and is implemented today. Identity metasystems already exist on Windows since Card Space shipped with XP sp3, and Geneva provides a back end development interface for single sign on and cloud computing authentication. As with the federated identification, Cavit points out you want the concept, not a standard. The biggest hurdle surrounds the in-person proofing from multiple sources and what sorts of reputation go along with those credentials.