Evaluating Desktop Software From A Security Perspective

Citizens have high expectations for their governments to secure their financial data and confidential records. This is especially true in today’s ICT environments where there are many reports of increasingly coordinated attacks by hackers for the purpose of obtaining sensitive information and achieving financial gain.


To address security threats, comprehensive defence measures need to be applied to all layers of an IT infrastructure: physical, hardware, network, operating system, application and data. From the customer’s point of view, this responsibility involves creating and adhering to an up-to-date and effective plan that sets out the practices, processes and policies for securing the IT environment. On the vendors’ side, customers expect that IT vendors’ products are consistently engineered to conform to rigorous security standards, that patches are issued rapidly when vulnerabilities are discovered, and that there is an easy and seamless method of distributing those patches to customers.

One of the trends seen throughout 2009 is a shift of focus towards client-side penetrations, where desktop applications, rather than just the operating system, are increasingly the attack vector. A primary consideration is therefore to select secure desktop software. Beyond that, the common strategies used to minimise security risk at the desktop level include: ensuring that security updates are applied promptly, implementing configuration settings that counter common attack vectors, maintaining a measure of control over the users’ desktop environment, restricting unnecessary user access to sensitive information, auditing, and so forth.

Evaluating the Choices
One area of IT which governments constantly evaluate, either as a whole or agency by agency, is their desktop infrastructure. There are numerous instances from around the world demonstrating that when the wrong IT approach is taken, the result is a huge cost to a government and its taxpaying citizens. The downside of a poor decision can be significant implementation costs or, even worse, the catastrophic costs associated with the loss of confidential or financial data. For governments currently evaluating a desktop solution, the three most common options available to them are: Microsoft, Open Source software (such as OpenOffice.org) and public cloud services.

While some areas of the Public Sector – Education, for instance – are increasingly looking into cloud offerings from all vendors, including Microsoft, at this time these are not considered a viable option for most scenarios. The technology is still too immature to meet the majority of government security requirements, and there are legal ramifications to hosting citizen data in a public cloud, particularly one which may be located outside the country’s borders.

Security considerations associated with OpenOffice.org relate to the product’s design and to its mechanism for providing security updates to its users. In 2007, Eric Filiol, a French Army Colonel and distinguished cryptographer representing the French Ministry of Defence, published a study on the security of OpenOffice.org, highlighting that the software suite was completely flawed from a security standpoint. In 2009, the Colonel published another study and presented his findings at an eminent security conference (BlackHat Europe), stating: “At the present time, the use of OpenOffice documents for official use or critical use should be postponed until the suite manages security in a more acceptable way.”

A further concern is that, unlike other software applications, OpenOffice.org does not provide incremental security patches and only delivers fixes in the next release of the product. The implication is that users of the product may have to wait up to 6 months or so for a security update, if they receive one at all. The other negative impact is the significant cost and disruption of uninstalling and reinstalling the product, with every new release, in order to apply security patches. As a simple example, a customer who had installed OpenOffice.org back in January 2008 and adhered to the good security practice of promptly applying security updates would have had to uninstall and reinstall the product at least 5 times after the initial install in less than 2 years. For any reasonably sized deployment, the costs associated with OpenOffice become extremely high.

Enhanced Security
While security is an industry-wide concern in which all software vendors continue to strive to provide better protection from malicious threats, Microsoft is now recognised as a leader in meeting the ongoing challenges. Since embarking upon the Trustworthy Computing (TWC) initiative back in 2002, Microsoft has fundamentally changed the way in which it designs and develops software. Data from independent third-party security organisations which track information about vulnerabilities in software (e.g. the US National Vulnerability Database) illustrate this point. When the security of Microsoft client and server products is compared historically against alternative software, in terms of the number of vulnerabilities, the time it takes for a patch for a known vulnerability to become available to users of that software, and the severity of those vulnerabilities, Microsoft has, as a general rule, been shown to be more secure.

Beyond writing secure code, another way in which Microsoft is furthering the charge against security breaches is through support for Active Directory (AD) and Group Policy (GP) on non-Microsoft platforms. AD and GP can provide a comprehensive and centralised security management framework for the network, O/S, application and data layers of an IT environment, and extending them to non-Microsoft platforms allows the benefits to be realised by other technologies such as Linux and Unix. Additional examples of the ways in which Microsoft helps protect our customers include: ensuring security updates are automatically available on a monthly schedule via Microsoft Update; maintaining the Microsoft Security Response Centre (MSRC) to immediately investigate any reported vulnerability and to swiftly build and disseminate security fixes to our customers; and providing security recommendations to customers, based upon the information they tell us about their heterogeneous environments, through our Security Guidance Centres (SGC).

As IT decision makers, it is important to ground ourselves in the recognition that security is an industry-wide concern; ongoing efforts are required from all stakeholders. To this end, Microsoft is ensuring that it continues to collaborate with customers, partners and competitors to address the evolving challenges.

For more information on the Microsoft Security Cooperation Program, please contact your local Microsoft office.

FutureGov Magazine, June 2010
