Security needs to shift from the physical computer infrastructure to the end
user, Microsoft chairman Bill Gates said in a keynote at the RSA Conference in
San Francisco.
Security thinking has largely failed to adapt to the internet age in which
devices from inside and outside connect to the company network.
Gates maintained that networks are no longer isolated "glass houses" where
defending the perimeter is enough.
"We cannot think of that glass house as the way that we create isolation. We
have to define what can connect to what. We need a more powerful paradigm,"
Gates told delegates.
Security needs to cope with the fact that users bring portable systems such
as mobile phones, notebook computers and USB storage keys inside corporate
networks.
Partners and customers, meanwhile, expect to connect to services through the
internet.
These trends require security to move from a perimeter level to an
application level, argued Craig Mundie, Microsoft's chief research and strategy
officer.
"Programs are becoming proxies for people. We need to be able to say: 'Give
this program access,'" he said.
Gates and Mundie touted open standards such as IPsec, IPv6 and WS-Trust as ways
to provide application level security.
Gates also revealed that Microsoft will collaborate with the OpenID 2.0
specification, an open digital identity framework, so that Microsoft's
CardSpace service works well with OpenID services.
CardSpace is a service inside Windows Vista that allows users to create digital
identity cards for online services.
It is expected to limit the risk of phishing attacks and replace
authentication that is based on user names and passwords.
Gates described passwords as the "weakest link" as users continue to use
easily guessed words, and companies pay large sums to reset lost passwords.
The Microsoft chairman has repeatedly predicted that smartcards and digital
certificates will replace the current password structure.
But Mundie warned that digital certificates and application-based security
programs will not work without the proper management tools.
Microsoft plans to offer better support for security management in the
forthcoming version of its Windows Server operating system, codenamed Longhorn.
The company also unveiled its Identity Lifecycle Manager 2007 at the RSA
Conference. Slated for general availability by May, the software promises to
manage user identities through certificates and smartcards.
"What we have to do better is think about what the boundaries are. This is
something that Microsoft did not do well in its early days," Mundie conceded.
"We never did a lot of thinking about where to create boundaries and
interoperability and hook-ups to create intrinsic security for our system."