
Security thinking, Gates alleged, has largely failed to adept to the internet age in which devices from both inside and outside a company attach to company networks. Networks are no longer isolated 'glass houses' where defending the perimeter suffices.
"We can't think of that glass house as the way that we do this isolation. We have to define what can connect to what. We need a more powerful paradigm," Gates told delegates.
Instead security needs to cope with the fact that users bring portable systems such as mobile phones, notebook computers and USB storage keys inside corporate networks. Partners and customers meanwhile expect to connect to services through the internet. These trends require that security moves from a perimeter level to an application level, argued Craig Mundie, Microsoft's chief research and strategy officer.
"Programs are becoming proxies for people. We need to be able to say: 'Give this program access,'" Mundie said.
Gates and Mundie touted open standard such as IP-Sec, IPv6 and WS-Trust as a way to provide application level security. Gates also unveiled that the software developer will collaborate with the OpenID 2.0 specification, an open digital identity framework. The collaboration will ensure that Microsoft's CardSpace service works well with OpenID services.
CardSpace is a service inside the Windows Vista operating system that allows users to create digital identity cards for online services. Among things, it is expected to limit the risk of phishing attacks and replace authentication that is based on user names and passwords.
Gates described passwords as the "weakest link" as users continue to use weak passwords and companies pay large sums to reset lost passwords. The Microsoft chairman over the past years has repeatedly predicted that smartcards and digital certificates will replace the current password structure.
But digital certificates and application based security programs won't work without the proper management tools, Mundie cautioned. Microsoft plans to better support security management in the forthcoming version of its Windows Server operating system codenamed Longhorn. The company at RSA Conference also unveiled its Identity Lifecycle Manager 2007. Slated for general availability by May, the software promises to manage user identities through certificates and smart cards.
"What we have to do better is think about what the boundaries are. This is something that Microsoft do not do well in our early days," Mundie conceded.
"We never did a lot of thinking about where to create boundaries and interoperability and hook ups, to create an intrinsic security of our system."