I'm not a Microsoft hater. The company's "design features" have had many issues, but I believe the buyer should beware when making purchasing decisions.
Clearly strides are being made at Microsoft. Due to those strides, the overall message of a somewhat recent Microsoft presentation was that Microsoft software is strong and getting stronger. I can agree with that. By the time Longhorn and TCPA (Trusted Computing Platform Architecture) are available, there can be a revolutionary leap in security. However, I had a couple of concerns in the tone of the message that I'd like Microsoft to reconsider.
Unfortunately, Microsoft [during a presentation I attended] suggested that improvements in its security should prompt people to run out and upgrade their software. I would prefer to see Microsoft keep its head and its focus in the real world. There are few individuals and almost no organizations that I know of that actually upgrade an operating system on PCs. Sometimes there is the exception for production servers; however, even that is extremely rare.
On the PC side, computer hardware is rarely robust enough to support operating system upgrades. Operating systems usually make the best use of the hardware that is available when the operating system is first released. A system that competently runs Windows NT or 2000 may not have the base hardware requirements for XP or Longhorn. Even if it did, the performance would likely be abysmal. On top of that, there is the potential for incompatibilities in software. I had to change ISPs on my personal account when I bought a newer computer running XP, because the ISP would not support XP on the type of service I had to that point.
While you would normally want servers to be more secure than PCs, the functionality that the servers support could be jeopardized by changing the operating system. Servers have a more unique configurations, which makes upgrades that much more difficult, and sometimes impossible, to implement.
And, the cost of purchasing an operating system upgrade can cost as much as a new computer. Unless someone gets a huge price break, it is not cost effective to purchase the software -- not to mention the time and people required to actually test and implement an operating system rollover.
Changes in operating systems generally take place when people and organizations physically change computers because of the reasons I mention above. While security is a growing concern, it is just not a good business practice to change operating systems for the sake of security, unless current security is fundamentally unacceptable -- which I doubt even the strongest Microsoft Longhorn proponent would agree with.
The argument from the Microsoft presenter -- that older versions of Microsoft have security issues, so you should upgrade to newer versions -- is basically asking us to reward them for previous failings. Frankly, even if Microsoft was to give away Longhorn upgrades for free, it is impractical for the average person or organization to accept the offer.
This argument shows that Microsoft isn't attuned to the business reality that its clients face. Microsoft security advocates telling us to upgrade now is completely unacceptable in so many different ways. Whether it is good, bad or indifferent, the fact is that 80% of the time when a person or company buys a new computer, they will be buying whatever Microsoft has to offer at that time; security or no security.
The underlying principle is that the primary purpose of a computer is to provide information and services; hopefully securely. Security is irrelevant if a computer cannot perform its assigned functions.
Every practitioner needs to know Microsoft's future plans for security. We will be dealing with it, no matter what. But when it comes to what steps can we take now, we need the recommendations based in the reality in which we live.
About the author
Ira Winkler, CISSP, CISM, has almost 20 years of experience in the intelligence and security fields and has consulted to many of the largest corporations in the world. He is also author of the forthcoming book, Spies Among Us.