Windows Security: 20 Years After Bill Gates’ Trustworthy Computing Memo, How Much Has Changed?



It has been almost 20 years since Microsoft CEO Bill Gates wrote his famous Trustworthy Computing memo urging the company to produce more secure software.

“Ultimately, our software should be so fundamentally safe that customers don’t even have to worry about it,” wrote Gates. It’s a big goal, and despite years of work, no software has really succeeded. And even as engineers try to improve their products, a new wave of security threats has emerged.

“I don’t think it was hard for anyone back then – even in Bill Gates’ grand vision – to see that we had sophisticated, government sponsored hackers cracking those SWIFT banking system codes, people throttling oil production by erasing hard drives . The threat landscape exceeds any science fiction novel or what John le Carré could predict, “said Dave Weston, Microsoft’s director of Enterprise and Windows Security.

SEE: Windows 11 upgrade: five questions to ask first

He admits that as a “hardened industry professional” he is today surprised by the sophistication of the attacks.

“The breadth and sophistication [of these attacks] is what still makes this job interesting. It never gets boring here, ”he says.

“Fifteen years ago, we basically thought of these attackers as script kiddies – people who sit in their parents’ basement on weekends doing things for mischievous reasons. That was the archetype 15 years ago. The archetype is now someone who works in the military. “-Industrial complex who works in an office.” That’s a pretty stark contrast, Weston points out.

“If we’re against it, are we in a better position? I would say clearly, yes. Twenty years ago the price of an exploit was cheap. Now if you’re talking about Windows 10 or 11 or browsers.” “You’re talking millions of dollars to get an exploit.”

The difference between these two points is the operating system’s level of defense, he argues. “The reality is that fewer people can attack a Windows PC today than there were 10 or 15 years ago, and I think that’s a triumph in itself.”

This increasing level of threat is an issue while the goals of technical security themselves have changed rapidly.

When Gates wrote his memo in 2002, the focus of security was on software: he didn’t even mention hardware or CPUs. Today, with an increase in zero-day exploits, CPU attacks like Meltdown / Specter, and more, Windows security is much more concerned with hardware.

For example, Microsoft introduced Control Enforcement Technology (CET) in Windows 10 and Windows 11, a security weakening it developed together with Intel. CET is an on-chip technology that targets some of the most common attack vectors, such as return-oriented programming, Weston says. It is available on 11th generation Intel CPUs or AMD Zen 3 CPUs.

Virtualization-based security, called VBS in Redmond, limits techniques used in the WannaCry ransomware attack by hardening the Windows kernel.

Windows 11 also promises to facilitate the goal of “Zero Trust” – the concept of limitless networking that is driving the Biden White House – by reducing the amount of configuration required for Windows endpoints.

But, as Weston points out, companies need to run some numbers to figure out whether they need to update hardware and migrate to Windows 11 or reconfigure PCs and servers that are only suitable for Windows 10. On Windows 11, administrators don’t have to do much to configure this security; With Windows 10 you can create the same level of security – but with a little more effort.

Organizations using Zero Trust assume that their perimeter has already been breached. It also recognizes the need to protect data inside and outside the network on corporate and employee-owned devices. Zero Trust has gained relevance after the pandemic forced many more people to work remotely.

However, Weston claims that Windows 11 makes it easier for businesses, provided they have new hardware that can do it.

“Where the hardware fits, we’ve worked to ensure that things can be turned on by default if you meet the hardware baseline. We expect some level of performance and reliability from the latest drivers and hardware parts by default, turn on more with confidence. Here the hardware matches Zero Trust, “he says.

But will customers fall by the wayside because of the hardware?

“The answer is clearly ‘no’,” Weston insists.

SEE: Microsoft’s Windows 11: How To Get It Now (or Later)

Even if businesses want to stick with Windows 10, many of those features like Windows Hello, Virtualization Based Security, and Secure Boot are still available, he says – all you have to do is turn it on and evaluate your own environment.

“If you have the hardware, you can install Windows 11. Things are simple. If you don’t have that hardware, or if you plan to do so in the future, you can still participate in all of these security principles by using our free security baseline and apply these to Windows 10-level hardware. You may need to do an initial analysis of the performance tradeoffs, which makes it a little more difficult, but you can definitely get it. “

Microsoft has set the end of Windows 10 patches for October 14, 2025. Weston believes you can still configure Windows 10 to meet Windows 11 standards, and he’s optimistic that most organizations should have updated most of their hardware by 2025.

“By 2025, when the vast majority of organizations have completed the update cycle, you will have more reasons to move to Windows 11, as two or three security updates have been added by then. that we believe will offer significant value proposition, “he says.

“My advice would be, if you have to stick to Windows 10 for hardware reasons, great. Follow our security advisories from 11 and apply them to 10. Plan your update cycles and security budget to get the right hardware for 11 because, if you stick to 10 for too long we will start introducing things that are 11 specific – believe me, we have many on the way now – and we want as many customers as possible to get that value the transition that we’ve gone through from Windows 7 to 10: There are security benefits in getting there. ”



About Author

Leave A Reply