Microsoft exec outlines Windows 7 security

Removable-media encryption, mandatory two-factor logins, and AppLocker, a group-policy control that restricts which applications may run based on the code signature of the publisher, are a few of the security features Microsoft is rolling out with its Windows 7 operating system. Scott Charney, corporate vice president of Microsoft's Trustworthy Computing division, explains at the RSA Conference in San Francisco how the new DirectAccess model aims to make signing in remotely to a business network safer, easier, and faster.

>> So what have we been doing? The first thing, of course, is we're starting to use TPM hardware-based encryption to do security. In Vista, of course, we had BitLocker, which is full-volume encryption, and in Windows 7 there's also BitLocker To Go, which doesn't rely on the TPM but takes your portable removable devices and makes them secure when you pull them out. The other thing that we're doing is what's called AppLocker. One of the key points I made earlier is you need to know the source of the applications you're running. In Windows 7, AppLocker allows a system administrator, through group policy, to require code signing before things are installed on client machines. As a result, it gives you the ability to block unsigned code, or code from organizations that you don't trust, or that for other reasons you just don't want running on your internal network. The other important thing that we talked about earlier in Art's keynote is this idea of a security ecosystem. In Microsoft products for some time we've had Information Rights Management, which has been very helpful. We basically create a mail, attach a document, click a button, and by clicking that button you ensure that the mail does not proliferate across your organization, because you can set permissions for the recipient of that mail so they can only read it, for example, without forwarding or printing it. One of the challenges with IRM, though, has been that it works great within an organization but not across organizational boundaries. This is a classic case where we are better together, when we partner with others, than we can be alone, and by doing this partnership with EMC we take the capabilities of IRM and go cross-boundary. It goes to the concept that we heard about earlier, that we have to be more information-centric.

You all know the rumored death of the firewall, right? That we were going to eventually go to an environment where we weren't basically having walled gardens but focusing more on individual devices as well as discrete pieces of information. It's very important to understand that some of that comes true in something called DirectAccess in Windows 7. I'm going to explain kind of how this approach came about. I've been using DirectAccess now for quite some time. It is a huge productivity gain. Here's what happened. It used to be, in the old days, if you were remote from work you would RAS in, and you would go through this kind of laborious RAS-in process, and then you'd connect to the corporate network and you'd have access to the entire network. It turns out most people who were RASing in just wanted email and calendar. So by using RPC over HTTP in Outlook we created an environment where you could just load Outlook, connect to your mail and your calendar, and get that stuff without going through the RAS-in process. The challenge was when you got a mail that asked you to approve an expense report: you'd click on approve and of course it would say "server not found," because you didn't RAS into the corporate network. In DirectAccess we have a different model. It uses IPsec over IPv6, and when you're connecting to your mail and you click on the expense link, your machine, your client, goes out and makes a peer-to-peer connection with the expense server and you approve the expense report. The fact is, wherever I am, whether it's in this hotel next door at the W, in this conference center, wherever I am, at home, it's like being in the office. And the interesting thing from a security perspective is it means that your machine, your box, your client becomes all that more important, because it has credentials that give you access to your network in this model. So one of the things we require is two-factor logon to the client.

Whenever you close the lid, whenever you boot it up, you've got to do two-factor. I tell this story because we've always had the ability to enforce two-factor for years, but customers didn't want it. Users at Microsoft didn't want to have to pull out a smart card, or a USB dongle with a smart card in it, so that they could just connect to their client. Suddenly, though, when you say you're willing to do that you get this productivity gain, suddenly they're all over it. It really goes back to the model: security for security's sake, does it work well? You really need to think about how to encourage people to embrace and adopt new technology by giving them a productivity gain or features that make the security tax, if there is one, worth paying.
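The AppLocker policy Charney describes, a group policy that requires code signing so that unsigned code or code from untrusted publishers cannot run, can be built with the AppLocker PowerShell module that ships with Windows 7 Enterprise/Ultimate and Server 2008 R2. The script below is an added example written for this page; it is not Microsoft's code and does not come from the talk. The directories scanned, the placeholder binary under C:\Temp, the GPO LDAP path and the event-log query are assumptions, and the script must run in an elevated session.

```powershell
# Added example (not Microsoft's or the page's own code): build a Windows 7 AppLocker
# policy from the publisher (Authenticode) signatures of known-good executables so that
# anything unsigned, or signed by a publisher not seen in the baseline, is blocked.
# Assumptions: the AppLocker module is present, the session is elevated, and the
# scanned directories reflect the organisation's gold image.

Import-Module AppLocker

# 1. Rules are only evaluated while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 2. Collect file information (publisher, hash, path) for the executables we trust.
#    Directories are an assumption; scan what your baseline image actually contains.
$trusted = @(
    Get-AppLockerFileInformation -Directory "$env:ProgramFiles" -FileType Exe -Recurse
    Get-AppLockerFileInformation -Directory "$env:windir\System32" -FileType Exe -Recurse
)

# 3. Unsigned binaries cannot produce publisher rules; report them rather than
#    letting them drop out of the policy unnoticed (they would be blocked later).
$unsigned = $trusted | Where-Object { -not $_.Publisher }
if ($unsigned) {
    Write-Warning 'Unsigned executables in the baseline (no publisher rule will cover them):'
    $unsigned | ForEach-Object { Write-Warning "  $($_.Path)" }
}

# 4. Generate publisher rules. -Optimize collapses per-file rules into one rule per
#    publisher/product; -IgnoreMissingFileInformation skips the unsigned files
#    instead of aborting the whole policy.
$policy = New-AppLockerPolicy -FileInformation $trusted `
    -RuleType Publisher -RuleNamePrefix 'Trusted' -User Everyone `
    -Optimize -IgnoreMissingFileInformation

# 5. Start in audit mode so a missing rule shows up in the event log instead of
#    breaking logons; flip to 'Enabled' once the audit log is clean.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

# 6. Dry-run the policy against a candidate binary before deploying it.
#    'C:\Temp\unsigned-tool.exe' is a placeholder for a file you want to check;
#    PolicyDecision reports Allowed or Denied and MatchingRule says why.
Test-AppLockerPolicy -PolicyObject $policy -Path 'C:\Temp\unsigned-tool.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 7. Apply to the local machine (no -Ldap), or push the same object into a GPO
#    so the domain enforces it. The LDAP path is a placeholder.
Set-AppLockerPolicy -PolicyObject $policy
# Set-AppLockerPolicy -PolicyObject $policy `
#     -Ldap 'LDAP://CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=example'

# 8. Review audit events before enforcing: 8003 = "would have been blocked" in
#    AuditOnly mode (8004 = actually blocked once enforcement is enabled).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Two caveats a practitioner will hit: this covers only the Exe rule collection (DLL, Windows Installer and script collections need their own rules and baselines), and a publisher rule trusts every binary that publisher signs, so the baseline should contain only software you would accept from that vendor. Running in AuditOnly first is what keeps an incomplete baseline from locking users out of their own machines.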

==== Transcribed by Automatic Sync Technologies ====