At the moment I am travelling through the Gulf to launch the Security Intelligence Report v5 with local data. During one of today's discussions, a question was raised that I have been thinking about for quite a while (but, honestly, do not have an answer to yet): How do you manage the risks in your supply chain? I am not talking about the risk of a supplier not delivering on time. I am talking about the trustworthiness of your hardware and software vendors. Several recent events have started to raise this question; let me pick just two of them to illustrate what I mean:
I guess if we thought about it in depth, we would come up with quite a few additional areas. One question you will definitely put into the comments is: How can we be sure Microsoft does not build in backdoors either? At least here I can give you an answer: we have a shared source program under which governments around the world can look at our source code, and they do; governments such as Russia's certify our products as backdoor free.
But I am more interested to hear whether you manage these risks, and how.
Interesting to hear about Russia certifying Windows as backdoor free. Can you provide a link to back that up? When you say "our products", do you mean the Zune, Server 2008, Xbox, the Microsoft mouse? Or have ALL Microsoft-branded products been reviewed by third-party countries and validated?
No, it is not all Microsoft products. Basically, if the Russian government certifies a product, it is to give their green light for governmental use, which mainly means: no backdoors. So, from our side there is not too much interest in certifying the Xbox then ;-)
There is a page listing all the products that are certified. The page is in Russian, but the product names are in English: http://www.microsoft.com/Rus/Security/Certificate/Default.mspx. It is quite a long list by now.
When you want to manage security risks across the complete supply chain, you have to concentrate on end-to-end information security in addition to managing the security and integrity of the system software and equipment. An operational research system that manages end-to-end information security, optionally with group privacy, using information-theoretically provable security based on true quantum randomness, can be found by visiting http://www.swissitpro.ch and searching for the keyword "quantum".