Microsoft Ties Security to VeriSign, Certifications

Microsoft moved to bolster its code-securing effort called Trustworthy Computing Initiative by announcing two security initiatives Tuesday.

Microsoft and VeriSign said they would jointly develop improved solutions for authentication security, digital rights management (DRM) and other online security enhancements. Financial terms of the deal were not disclosed.

The new security products from Microsoft-VeriSign are aimed at achieving improvements in existing software, while providing automated renewal of digital certificates, secure e-mail and digital signatures. The alliance also plans to help improve network security with reliable access to wireless LANs or virtual private networks.

The two partners also said they plan to help customers embed PKI (public key infrastructure) security into desktop and networked applications.

Microsoft also announced the availability of a new security certification program for system administrators and systems engineers: MCSA: Security and MCSE: Security. These programs will give IT professionals training to improve enterprise security.

“Microsoft is beginning to make real progress in Trustworthy Computing on behalf of our customers and partners, particularly in the way we think about, design and develop our products and services to be more secure, reliable and privacy-compliant from the start,” Scott Charney, chief trustworthy computing strategist at Microsoft, said during his Tech Ed 2003 keynote in Dallas Tuesday.

Still, critics of Microsoft’s security strategy have had a lot of fodder with the recent discovery of security holes in its Passport personal information storage service, which were later patched, and other questionable levels of security for critical applications for businesses, governments and individuals.

But the Trustworthy Computing Initiative is trying to change that, and Charney, together with Nico Popp, vice president of product development in the Security Services Division at VeriSign, said new efforts will see the two partners developing several security initiatives for enterprise customers, including PKI auto enrollment of VeriSign certificates, interoperability of certificate authorities, and secure mobile access. The initiatives will be built on the Windows Server 2003 PKI platform.

The pact is expected to improve upon existing security use of digital signatures for Microsoft’s Windows Server 2003. Digital signatures provide some authentication security, but with the recent security problems associated with Microsoft’s Passport product, the company is moving to improve security software within its products.

The deal aims to provide improved online security, especially for remote access. The two companies will build the security solutions into not only Microsoft’s Windows Server 2003, but also VeriSign’s Managed PKI Services.

VeriSign specializes in making server software that is able to handle a large number of digital signatures, and is expected to launch a service later this year that will be closely tied to the new features inside Microsoft’s Windows Server 2003.

Improvements in digital signatures could be helpful in the exchange of contracts and proposals sent over networks. In addition, corporate partners could send documents that would include a digital rights management tag along with an e-mail, which would enhance document security for both parties.

The two companies said they would market the new solutions to enterprise users aiming to provide secure online information and digital identity management systems.

Developing reliable and secure PKI authentication systems has proven to be complicated and difficult, as many companies have been slow to install the servers and software to support the technology.

VeriSign’s deal with Microsoft for authentication security and digital rights management is not exclusive, and the company is expected to strike similar deals with a variety of other software vendors.

Microsoft said that CompTIA Security+ supports the industry-wide objectives of the two new certifications. Candidates will have a choice between Security+ and the Microsoft Internet Security and Acceleration (ISA) Server 2000 exam to satisfy one of the specialization requirements for the MCSA: Security and MCSE: Security certifications, CompTIA added in a statement.

Both the MCSA: Security and MCSE: Security certifications are specific to Windows 2000 and immediately available. Microsoft said certifications for the Windows Server 2003 platform will be available later in the year. To earn the certifications, Microsoft said candidates will have to pass core exams for either the MCSE or MCSA credentials, and then pass a number of security specialization exams to demonstrate ability in areas like security foundations, security implementation and security design.