Microsoft Ties Security to VeriSign, Certifications

[R. A. Hettinga]

<http://www.internetnews.com/ent-news/print.php/2216571>

www.internetnews.com/ent-news/article.php/2216571


Back to Article 

Microsoft Ties Security to VeriSign, Certifications 
By
Thor Olavsrud and Mark Berniker 
June 3, 2003 


Microsoft ( Quote ,Company
Info ) moved to bolster its code-securing effort called Trustworthy
Computing Initiative by announcing two security initiatives Tuesday.


Microsoft and VeriSign said they would jointly develop improved solutions
for authentication security, digital rights management (DRM) and other
online security enhancements. Financial terms of the deal were not
disclosed. 

The new security products from Microsoft-VeriSign are aimed at
achieving improvements in existing software, while providing automated
renewal of digital certificates, secure e-mail and digital signatures. The
alliance also plans to help improve network security with reliable access
to wireless LANs or virtual private networks .

The two partners also said
they plan to help customers embed PKI (public key infrastructure) security
into desktop and networked applications. 

Microsoft also announced the
availability of a new security certification program for system
administrators and systems engineers: MCSA: Security and MCSE: Security.
These programs will give IT professionals training to improve enterprise
security. 

"By introducing these new certifications, we're supporting the
"Secure in Deployment" tenet of the company's Trustworthy Computing
Initiative," said Lutz Ziob, general manager for Microsoft's Training and
Certification group. "This tenet speaks to an organization's ability to
apply recognized and established best practices around security, so that
Microsoft products and technologies are rolled out in the most secure way
possible. We've taken those best practices and developed prescriptive
certification tracks to help IT professionals demonstrate their acumen in
designing and implementing a secure computing environment. We've also
included CompTIA's Security+ credential in these tracks to extend the
certifications to include cross-platform skills as well." 

"Microsoft is
beginning to make real progress in Trustworthy Computing on behalf of our
customers and partners, particularly in the way we think about, design and
develop our products and services to be more secure, reliable and
privacy-compliant from the start," Scott Charney, chief trustworthy
computing strategist at Microsoft, said during his Tech Ed 2003 keynote in
Dallas Tuesday. 

"Although much work remains to be done, we are delivering
tools and resources so customers and partners can successfully manage their
networks for optimum security in deployment." 

Still, critics of
Microsoft's security strategy have had a lot of fodder with the recent
discovery of security holes in its Passport personal information storage
service, which were later patched, and other questionable levels of
security for critical applications for businesses, governments and
individuals. 

But the Trustworthy Computing Initiative is trying to change
that, and Charney, together with Nico Popp, vice president of product
development in the Security Services Division at VeriSign ( Quote ,Company
Info ), said new efforts will see the two partners developing several
security initiatives for enterprise customers, including PKI auto
enrollment of VeriSign certificates, interoperability of certificate
authorities, and secure mobile access. The initiatives will be built on the
Windows Server 2003 PKI platform. 

The pact is expected to improve upon
existing security use of digital signatures for Microsoft's Windows Server
2003. Digital signatures provide some authentication security, but with the
recent security problems associated with Microsoft's Passport product, the
company is moving to improve security software within its products. 

The
deal aims to provide improved online security, especially for remote
access. The two companies will build the security solutions into not only
Microsoft's Windows Server 2003, but also VeriSign's Managed PKI (public
key infrastructure) Services. 

VeriSign specializes in making server
software that is able to handle a large number of digital signatures, and
is expected to launch a service later this year that will be closely tied
to the new features inside Microsoft's Windows Server 2003. 

Improvements
in digital signatures could be helpful in the exchange of contracts and
proposals sent over networks. In addition, corporate partners could send
documents that would include a digital rights management tag along with an
e-mail, which would enhance document security for both parties. 

The two
companies said they would market the new solutions to enterprise users
aiming to provide secure online information and digital identity management
systems. 

Developing reliable and secure PKI authentication systems has
proven to be complicated and difficult, as many companies have been slow to
install the servers and software to support the technology. 

VeriSign's
deal with Microsoft for authentication security and digital rights
management is not exclusive, and the company is expected to strike similar
deals with a variety of other software vendors. 

Microsoft said that
CompTIA Security+ supports the industry-wide objectives of the two new
certifications. Candidates will have a choice between Security+ and the
Microsoft Internet Security and Acceleration (ISA) Server 2000 exam to
satisfy one of the specialization requirements for the MCSA: Security and
MCSE: Security certifications, CompTIA added in a statement. 

Both the
MCSA: Security and MCSE: Security certifications are specific to Windows
2000 and immediately available. Microsoft said certifications for the
Windows Server 2003 platform will be available later in the year. To earn
the certifications, Microsoft said candidates will have to pass core exams
for either the MCSE or MCSA credentials, and then pass a number of security
specialization exams to demonstrate ability in areas like security
foundations, security implementation and security design. 

"While the core
MCSA and MCSE certifications validate the ability to implement baseline
security measures, the new MCSA: Security and MCSE: Security designations
go beyond that baseline and look specifically at things like managing and
troubleshooting service packs and security updates, and being able to
implement and troubleshoot secure communications channels," Ziob said.
"This might include the implementation of IPSec or the wireless encryption
protocol, or the configuration of remote access security, so that people
can engage remotely using a virtual private network, or VPN. It might also
include Smart Card or biometric authentication methods, as well as advanced
security procedures, such as implementing a public key infrastructure, or
PKI." 


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com