Microsoft is proposing a new Internet-wide security model, based on the concepts of public health, that is designed to address the problem of how to prevent infected machines from affecting the security and performance of PCs elsewhere on the Web. The model would require each PC to present a “health certificate” that outlines its security posture before it could connect to the Internet.
The new plan, outlined by Scott Charney, the company’s corporate vice president of Trustworthy Computing, is a long-term vision for helping to reduce the overall risk that compromised machines pose to other users on the Internet. The centerpiece of the plan is the concept of a health certificate, an attestation that a given PC would need to provide to an ISP or other authority in order to connect to the Internet. The certificate could include data on the overall health of the machine, such as infections by known malware and whether a firewall and antimalware software are installed. Charney discussed the plan in a speech at the International Security Solutions Europe conference Tuesday in Berlin.
The plan is a bit like NAC on a grand scale.
“Just as when an individual who is not vaccinated puts others’ health at
risk, computers that are not protected or have been compromised with a
bot put others at risk and pose a greater threat to society. In the
physical world, international, national, and local health organizations
identify, track and control the spread of disease which can include,
where necessary, quarantining people to avoid the infection of others,” Charney wrote in a blog post explaining the proposal. “Simply put, we need to improve and maintain the health of consumer
devices connected to the Internet in order to avoid greater societal
risk. To realize this vision, there are steps that can be taken by
governments, the IT industry, Internet access providers, users and
others to evaluate the health of consumer devices before granting them
unfettered access to the Internet or other critical resources.”
The proposal from Microsoft is loosely based on elements of programs already in place in countries such as Japan, France and others that warn consumers about malware infections on their machines or malicious messages or packets coming from their PCs. In order to implement such a plan, ISPs and other authorities would need some mechanism for asking machines for a health certificate. And the PCs on the other end would, in turn, need a piece of of software that is not only capable of inspecting the machine for patch levels, installed security software and other requirements, but also is trusted by the ISP not to produce forged or altered certificates.
In a position paper that further details Microsoft’s proposal, Charney writes that this could be accomplished through the combination of a software hypervisor and trusted hardware components such as TPMs (Trusted Platform Modules). The idea there is that this trusted stack of software and hardware could produce a health certificate that could be verified as being unaltered.
As part of the program, ISPs or other entities that request health certificates, such as banks or health-care organizations, could provide users with remediation advice if their PCs are found to be infected with malware or missing some piece of security software.
The Microsoft proposal raises a number of privacy concerns for consumers, especially in the area of how much information about the user and his PC the health certificate will carry. If it simply carries the state of the machine and its IP address, that’s one thing. But including additional data such as geographic location or information about the machine’s owner is much more problematic. Charney acknowledged these concerns in the position paper, saying that any final proposal must address the issue of privacy head on.
“Ensuring users have control over health certificates and the way they can be used—and that users understand the implications of refusing to attest to good health—is an important first step in ensuring appropriate user engagement. It is important to decide, too, whether health certificates will reveal simply the state of the machine, or more about the identity of the device and, potentially, its user. Certainly, a machine could be denied unfettered access to the Internet based upon certain health attributes without determining more about the machine or its user,” Charney wrote. “On the other hand, there may be value in uniquely identifying devices, as when a device may be infected on a home network. It may also be possible, of course, to combine device information with other information to identify a user (much like cell phones may have unique identifiers and can be tied to particular account holders).
“To what extent a health system should allow specific devices and their users to be identified cannot be resolved here, but it is important to note that a carefully architected system that embraces privacy by design, along with carefully constructed threat models that contemplate potential abuses of the health system, can help ensure the right technical and non-technical controls are in place to mitigate potential social harms and ensure the appropriate balancing of interests,” Charney writes.
The public-health model for Internet security has been approached in different ways in the past, but this is the first such proposal from a major technology vendor that contemplates building it out on a global scale. One of the major challenges the proposal will face is the differences in Internet access around the world, especially in countries where access is controlled by the government. Charney acknowledges that challenge in his paper, and says that Microsoft’s proposal can’t take in every possible eventuality but should be seen as a starting point.
“To build on the current national and industry efforts, we can identify what is working and what is not, and document both to enable more individual action and community building. We can also begin to work through international bodies to standardize what types of information on machine health should be shared and how to exchange it with appropriate security and privacy protections. As more efforts advance, we can create guidelines to catalyze further action,” Charney writes.