Bill Gates will use his stage time today at the RSA conference in San Francisco to explain how Redmond has raised the bar on security. As examples he'll likely mention SP2, the malware-removal tool, AntiSpyware in beta and plans to acquire Sybari Software Inc., which specializes in protecting enterprise messaging servers from malware.
The Microsoft chairman is also expected to unveil an enterprise version of the ISA Server 2004 firewall. Rumor has it he'll even announce that a standalone antivirus product is coming.
But while several enterprise users said the software giant has advanced security this past year, they also said the company still seems to be missing the big picture.
"I do feel Microsoft has made improvements over the past year, with the release of XP SP2, buying Giant and Sybari, and educating both developers and corporations," said Wayne Pierce, a Boston-based IT security consultant. "Opening the source code for organizations and developers to inspect was also a good move."
But, he added, "The problem I have with MSFT's security initiatives is that they seem to be driven by fear of losing market share or wanting to gain more control over a system or network." He said the company doesn't seem to act until its back is against the wall. "Where this gets to be a problem is in how their security initiatives are designed and implemented."
In many ways, he said, "security is tied directly to knowledge. The more you know about a system the better you can secure it. However, the more complex a system is, the harder it is to truly understand that system. MSFT mastered the art of complexity a long time ago. They may have valid business reasons to make systems complex, but it is a security trade off."
If he had to grade Microsoft, Joshua Lutz would give the software giant a C-plus. Lutz, network analyst for Boston-based law firm Goodwin Procter LLP, said grading Microsoft on security over the past year is difficult at best, given the size and breadth of its software offerings.
"Take the release of Windows XP SP2 as an example," he said. "They made a good effort to promote and deliver on the promise of enhanced security. The extension of the Windows XP firewall to allow more granular configuration was a much-needed feature set that was lacking in the Windows XP product line. But the features provided by SP2 were tempered by Microsoft enabling the firewall by default and not providing an interface to disable it as part of the install. In the business world, the security improvements SP2 provided are often left unimplemented due to fear of breaking applications."
Lutz said Microsoft's new strategy for patch distribution and management has improved significantly. "In the old model, with exploit patches being distributed on an as-developed/as-discovered basis, there were fundamental problems related to quality control and administrative burden," he said. "By switching to a timed and ordered release, Microsoft is better able to serve the Windows administrators by taking the time to perform more diligent quality control and letting the administrators get back to managing the day-to-day issues of their infrastructure and thereby limiting patch deployment to, at best, a monthly event."
But while Redmond has raised the bar, Lutz said there are still issues to address with things like Windows Update and the SP2 firewall. "I think Microsoft would have had a much better response to SP2 if they had provided a home user version of SP2 with the firewall on and a corporate version of SP2 with the firewall turned off. It would seem an easy thing to do, and it might have eased the trepidation of many an administrator."
Brad Dinerman, technical operations manager for Newton, Mass.-based IT management firm MIS Alliance Corp., said the problem with Microsoft is that it's always playing catch-up.
"Why has it taken them so long, for example, to bring an antispyware product to market?" Dinerman asked. "Spyware has been a growing problem for years now, and Microsoft has missed the boat on that effort. The shame of it is that they had to acquire another company's product in order to enter this market. They just re-branded a pre-existing product, and suddenly everyone's proclaiming that Microsoft is tough on spyware? Is this what's going to also happen with their acquisition of Sybari?"
He said Microsoft has to stop following others and lead. "They're not 'raising the bar,'" he said. "Someone else is raising the bar and forcing them to jump into this market."
Note: Interviews for this story were conducted by both e-mail and telephone.