This article can also be found in the Premium Editorial Download "Information Security magazine: Identity crisis solved: Tips from a top identity management expert."
Download it now to read this article plus other related content.
Microsoft has acquired five companies and one technology since the launch of its Trustworthy Computing Initiative. Here is how the technology has been integrated into Microsoft's product offerings:
There will always be the belief that Linux, by virtue of its Unix roots, has been designed bottom-up to be more secure. But a vast majority of organizations, certainly at the enterprise level and within medium-sized companies, recognize that the issue is irrespective of whether the OS is designed or engineered with security in mind.
"Most issues come down to the skill of the administrator, how often patches are installed and the overall security of the network," Macehiter Ward-Dutton's Macehiter says. "Windows and NT have been used in mission-critical environments. These organizations go through a risk management process, and the risks are independent of the underlying OS."
But by now, everyone realizes that Microsoft, being the dominant OS platform, is the number one target for malicious attacks. "It's always easy to bash them, but they are the big boys. That's who everyone is gunning for," says Paul Edwards, a senior system engineer at fleet management company PHH Arval.
In the past few years, IT experts have focused on securing Windows by securing what's around Windows--it's more realistic than expecting Microsoft to excel in all things related to security.
"I rely more on Cisco [Systems] and Symantec as my first line of defense," says Gary Boy, manager of IT operations at Installed Building Products, a construction company.
"I would rather the OS be the OS. I don't expect it to be the all-in-one answer."
Boy says it's good for innovation, competition and pricing if he sticks to using third-party products for features like Web blocking, monitoring and other features Microsoft has or is building into the OS.
'I'm Tired of Patching'
One improvement to its overall security processes that customers frequently cite is the creation of Patch Tuesday, a single day every month when patches are released. Though this has helped bring order to what was once chaos, it does not make the patching process less laborious in shops with a lot of servers to reboot.
"Having a monthly patch release is great, but it's every month," says Alan Thomas, a senior technical consultant at National Gypsum, a manufacturer of building materials. "I'm tired of patching. Maybe it would be okay if it were only a few times a year."
The patch cycle is sometimes interrupted by a serious vulnerability. When that happens, the conspiracy theories kick in about whether Microsoft is acting in everyone's best interest. In late December 2005, there was concern that Microsoft might be sitting on a patch to fix the Windows Meta File zero-day bug. Third-party vendors rushed to provide a patch for the flaw; Microsoft eventually issued one out of schedule in early January. There were IT managers wondering why it took as long as it did to issue the patch; others thought perhaps Microsoft reacted as fast as it did because a third party was about to release one.
Microsoft puts its patches through a lot of testing. Mike Nash, outgoing corporate vice president of Microsoft's security technology unit, says the company released the patch only when it had achieved Microsoft's quality goals. He spelled out the thinking Jan. 5 on the Microsoft Security Response Center blog: "The goal has always been to have software more secure and trustworthy, and the way we are talking about security is transparent and honest to be worthy of trust. The way we do it is as important as what we do."
This was first published in May 2006