WASHINGTON -- Don't hold your breath waiting for Bill Gates to articulate a vision that will realign the security market. According to research firm Gartner Inc., conflicting business interests will keep Microsoft from credibly putting itself out of the security business.
"There's a smelly water analogy I like to use," said Gartner analyst Neal MacDonald. "A company has all this smelly water over here and makes a fortune selling filters. Then someone says 'Eureka! I've fixed the smelly water!' And someone over here says 'No, no. We have a great business model with all these filters.'"
But all is not gloom and doom and potshots at Redmond coming out of last week's Gartner IT Security Summit. Security managers have noticed and applauded the progress made by the Trustworthy Computing initiative. Since Gates' well-known 2002 memo, which halted feature development and product churn so that programmers could be retrained in secure coding and internal processes could be reworked, Microsoft has been able to credibly market its security gains.
"They seem to be more interested in quality, and take more responsibility for their products' security," said Paul Scheib, CISO at Children's Hospital Boston. "When they moved to a predictable release of security patches, it made our patching much easier to manage. We have gotten good at the patch process and our security has improved."
Microsoft formalized the Security Development Lifecycle (SDL) in March 2005, a cultural and engineering change that requires products to pass mandatory code reviews backed by the company's proprietary static analysis tools, PREfix and PREfast, along with network penetration testing and protocol fuzzing.
MacDonald said the mandatory reviews are something that Oracle Corp., Sun Microsystems Inc., SAP AG and CA Inc. have yet to match. The results were palpable: Windows Server 2003 was the first product to go through the SDL, and it was widely considered much more secure than its predecessor, Windows 2000, in terms of patch counts and critical vulnerabilities. The same goes for XP SP2, the first desktop product run through the SDL.
Windows Vista, Microsoft's next OS, has been delayed several times and is currently scheduled for wide release in January 2007. XP SP2 and Windows Server 2003 missed their original ship dates as well.
"We value product stability more than new features," Scheib said, adding he has not beta-tested Vista and would not deploy it before the first service pack becomes available. "I don't think the slowdown in [Microsoft's] development has impacted us too greatly. Upgrading Windows across our environment is a large effort. We have plenty of other projects to get done."
Vista's selling point is security, and many expect Microsoft to market the OS heavily on its bidirectional firewall, safer browser (IE7), Windows Service Hardening (WSH), BitLocker drive encryption, USB device control, integrated Windows Defender (antispyware) and client protection. MacDonald cautions that the bidirectional firewall still lacks deep-packet inspection; that WSH hardens only Windows services, unlike Cisco Security Agent (Okena technology), which also protects third-party applications and processes; that BitLocker requires companies to buy Microsoft's Software Assurance maintenance program and to plan for and support key management; and that USB protection is fine, but what about other removable media?
"Microsoft has to decide. Does it want to be Symantec or CA, or does it want to be a 'me-too vendor' who has good-enough products for the mid-market?" MacDonald said.
There are other technology gaps Microsoft must fill in order to be an enterprise security player. MacDonald said Microsoft must recognize enterprise heterogeneity and partner with someone who'll support Linux, Mac OS X and other platforms. It's still offering little for its mobile OS, Windows CE; there's very little behavioral protection, content filtering and monitoring. Desktop hot-patching would be appreciated, he said, as would compliance risk analysis capabilities and event monitoring and correlation.