Microsoft’s TwC Trustworthy Computing Turns 10

January 12, 2012

Ten years ago this week, during a time when security problems were threatening trust in software products, Bill Gates sent an email to all Microsoft full-time employees announcing the creation of the Trustworthy Computing (TwC) initiative. A pivotal moment in the company’s history, Gates defined the key aspects of Trustworthy Computing, stating the company must make this initiative the highest priority.

Gates’ memo called upon employees across the company to fundamentally rethink their approach to product development and strive to deliver products that are “as available, reliable and secure as standard services such as electricity, water services and telephony.”

The timeline above traces the progression of Microsoft's Trustworthy Computing initiative along with some of the major threats computer users faced over the last 10 years.

Fundamental to that decision was the understanding that a company’s greatest asset is customer trust. This remains true today. Microsoft has maintained its dedication to the vision of Trustworthy Computing. Focusing on difficult security and privacy issues facing the software industry led to new security methodologies, tools and training, and transformed Microsoft’s engineering culture to one that prioritizes built-in security and privacy for Microsoft software and services.

“In Bill’s original email, he identified three core attributes – security, privacy and reliability – that we had to develop in our software and services,” said Scott Charney, corporate vice president, Microsoft Trustworthy Computing. “In the memo, Bill said that technology was going to be integrated in our lives in a far more rich way and would impact everything we do. That was one of the reasons it was so critical to get these three attributes right.”

One of the most well-known outcomes of Trustworthy Computing is the Microsoft Security Development Lifecycle (SDL), which also incorporates privacy development practices. Embracing industry best practices and lessons learned from Microsoft’s earlier security push, the SDL was instituted as a company-wide, mandatory policy. Microsoft products developed under the SDL have delivered more secure and private computing experiences for customers. Software mitigations and protections also raised the bar for potential attackers.

“Building on our internal changes, we realized collaboration with the industry was core to helping businesses, governments and citizens realize safer computing experiences within a dynamic, changing and increasingly complex threat landscape. No one company, individual or technology can drive this change alone,” said Charney.

Microsoft has been a strong proponent of industry efforts to improve security and privacy through the adoption and secure software development processes across the IT ecosystem. Companies including Adobe and Cisco have adopted security development lifecycles modeled after Microsoft’s SDL.

“Microsoft put a lot of investment into building the Security Development Lifecycle and learned many lessons along the way on what worked well,” said Brad Arkin, senior director, security, Adobe products and services. “In formalizing our own secure product lifecycle, we were eager to tap into that knowledge instead of reinventing the wheel. This allowed us to spend more time on the actual implementation across all of our product teams.”

Microsoft has delivered progress in reliability and privacy as well. Better instrumentation such as Windows Error Reporting has led to fewer system crashes, increasing productivity and alleviating user frustration. In the area of privacy, Microsoft was one of the first companies to publish privacy standards for developers and to provide consumers with layered privacy notices.

“We have a privacy notice that’s very short and concise. If you want to see all that text, you can by clicking on the links, but you can read the short version and get a good understanding of how we are using your data,” said Charney.

“Microsoft has put into place over time an incredible privacy program and has contributed to the global debate and discussion on privacy. Working in support of initiatives like the Asia Pacific Economic Cooperation Forum’s privacy framework and the European Union’s Data Directive, Microsoft has made meaningful contributions to the advancement of data privacy practices around the world,” said Malcolm Crompton, managing director, Information Integrity Solutions and former privacy commissioner of Australia.

Computing in today’s PC-plus era features cloud computing as the connection between computing devices in many different form factors that help people stay in touch with friends, work and society. People are learning about the potential of computing and companies are racing to provide new features and deliver on that excitement – much like the excitement caused by personal computers, broadband and the Web a decade ago.

“It turns out when you look at the cloud, Bill Gates couldn’t have been more prescient in the original memo. The reality is that we’re connected all the time through multiple devices. While computers were originally embraced by governments and businesses to promote commerce, now, with the consumerization of IT and social networking, all these devices and services constitute the social fabric of our lives,” said Charney.

Over the next decade, cloud computing and our connected society will create vast amounts of data, which creates new challenges. One will be how we continue to protect people’s privacy, even as “big data” and global data flows strain information principles that rely heavily on “notice and consent.”

The threat landscape also continues to evolve, growing more sophisticated and increasingly complex. Opportunistic threats have been supplemented by attacks that are more persistent and, in many cases, far more worrisome. While some of these attacks are sophisticated, many are not; the attacks are often traditional and unsophisticated: unpatched vulnerabilities, misconfigurations and social engineering. This underscores not only the importance of continued security protection innovation, but also the need for even greater security and privacy awareness among the general public.

In marking the 10-year milestone of the original Trustworthy Computing memo today, Microsoft recognizes that Trustworthy Computing has never been more important. “TwC Next,” the ensuing decade-plus of Trustworthy Computing, will focus on the PC-plus era, the new world of devices and cloud computing, and the role of governments in computing. Security, privacy and reliability strategies must evolve to remain potent. There is still much work that our industry must do to make computing more trustworthy. Everyone at Microsoft and the entire computing ecosystem has a role to play.