Palladium’s Glacial Approach

Microsoft has spent much of the past year explaining—again and again—that, yes, the company understands security. Redmond made a big security splash earlier this year with the Trustworthy Computing initiative—a laudable, months-long effort to reexamine the source code in its existing core products for security vulnerabilities.

The Trustworthy Computing initiative has already provided many benefits, some of which showed up in Windows .NET Server (Win.NET Server), which will ship later this year; Windows XP Service Pack 1 (SP1); and Windows 2000 SP3. But this code review is only a Band-Aid because Microsoft didn't use modern security techniques to design its existing technologies. A more interesting proposal is Microsoft's midyear revelation that it plans to redesign its core products from the ground up—under the aegis of a new security platform code-named Palladium.

Security for a New Millennium?
Microsoft has always walked a fine line between touting current features (which would presumably bolster sales today) and future products (which might cause customers to delay purchases until a later date). With revelations about Palladium and its glacial 2-year to 3-year development time now publicly available, Microsoft's current crop of products suddenly looks awfully stale. Is this news important enough for companies to halt deployments and reevaluate their plans? No, I don't think so.

Palladium is based on the theory that software alone can't adequately protect users and data in our connected world. Microsoft is working with major hardware partners, such as Intel and AMD, to create a new PC platform that includes Digital Rights Management (DRM) technology in silicon. According to Microsoft, Palladium will do almost everything but balance your checkbook: It will stop viruses, worms, and spam; it will understand who you are and prevent malicious users from accessing information you intend to send to certain individuals; it will safeguard your privacy; and so on. For more information about Palladium, see "Microsoft to Revamp Entire Product Line with Palladium," http://www.winnetmag.com, InstantDoc ID 25789.

If Palladium sounds a little far-reaching, you understand the problems inherent in implementing such technology. And yet Microsoft maintains that Palladium will be ready for implementation in the next Windows version, code-named Longhorn—a suddenly important release that's now purportedly scheduled for 2005. Future Palladium versions will work on the Palm OS, smart phones, wristwatches, and other computing platforms and devices. And Microsoft plans to release at least part of the Palladium source code—the security-centric stuff—to ensure that it's as secure as possible.

Back to Reality
Palladium sounds nice, if vaguely Orwellian. If it solves problems such as security vulnerabilities, spam, and online privacy invasion, I'm all for it. However, I'm also excited about teleportation devices and personal space travel, and neither of those will happen any time soon. When it comes to security, the most important initiative is the one you take now to secure your existing systems and plan appropriately for the future—in other words, working with the tools you have today.

Implementing security today in a Microsoft environment requires education, research, planning, and work. I hope to report in early 2003 that the Trustworthy Computing initiative had its desired effect and helped Microsoft lock down its core products, thereby reducing vulnerabilities and successful high-profile attacks. Although Microsoft's security updates are a confusing patchwork, they're available today, along with best-practices guides, helpful information about securing your networks and servers, and other important tools. Also, Windows & .NET Magazine provides several security-oriented publications and services; the best place to start is our Security Administrator Web site (http://www.secadministrator.com).