In-Depth

The Security Paradox

Though many experts credit Microsoft with making great strides on security, many customers still aren't satisfied. But how much of the problem is really Microsoft's fault?

Consider these facts:

  • Microsoft data shows half as many critical security vulnerabilities occurring in Windows XP Service Pack 2 (SP2) as in the previous version of Windows XP. In addition, Microsoft says it now issues online guidance and alerts within two hours of discovering a new vulnerability, versus 24 hours in 2003.
  • Stamford, Conn.-based analyst firm Gartner Inc. says that security shouldn't be a deciding factor for businesses choosing between Windows Server 2003 and Unix or Linux.
  • Forrester Research Inc. reports that Microsoft was the only one of five vendors surveyed that corrected 100 percent of reported operating system flaws over a 12-month period.
  • A Redmond Channel Partner survey (see "Taking the Partner Pulse," September 2005) cites "security is lacking" as one of the top three complaints about Microsoft that partners hear from customers.

If you're puzzled by the apparent disconnect between that final item and its predecessors, you're not alone. Yet a variety of partners and security experts confirm that while Microsoft is making serious headway on security, customer unhappiness persists.

What appears paradoxical at first, however, turns out to be less so upon closer inspection. Though Microsoft now ships dramatically more secure products, analysts say many customers still run older, less hardened releases. Patching those systems is easier than it used to be, but partners say their customers still find the task onerous. Small wonder that their frustration endures.

Still, many partners believe that customers are misdirecting some of their ire. They say that while Microsoft bears much of the blame for the ongoing security woes, oftentimes the party most at fault is staring back at customers from their own mirrors.

A Big Leap Forward

It's been four years since Microsoft Chairman Bill Gates, responding to a devastating series of viruses that left customers furious about their vulnerability to attack, wrote his famous "Trustworthy Computing" memo, ordering that security become the company's top priority. Since then, the software giant has been a blur of security-related activity. Microsoft says it has trained 15,000 employees on the new Security Development Lifecycle, a rigorous methodology for producing more secure code. To provide defense-in-depth from malware, the company has introduced a slew of new protection technologies, including its Windows Defender anti-spyware tool and products from acquired security firms Sybari Software and FrontBridge Technologies, among others.

In addition, Microsoft has adopted a new monthly threat reporting and patching schedule, rolled out tools, webcasts and events offering prescriptive security guidance, collaborated with industry bodies on issues such as phishing and spam, and worked with law enforcement agencies to bring cyber-criminals to justice.

Those efforts have been making converts out of some critics, including David Maynor, a widely respected research engineer at Atlanta-based solution provider and Microsoft Gold Certified Partner Internet Security Systems Inc. (ISS). "To be honest, until recently, I wasn't a big fan of the improvements they've made," says Maynor, who was among an elite group of security experts invited to meet with Microsoft executives and developers in October 2005. What he learned about Microsoft's scrupulous new development practices convinced him that the company has come far in addressing the problem.

Many analysts, too, now sing Microsoft's praises. Until recently, the company was "getting a lot of black eyes" on security -- and deservedly so, says Laura DiDio, a research fellow with Boston-based consulting firm Yankee Group Research Inc. Since then, however, Microsoft's security strategy has markedly improved, she says: "It's like the fat kid who goes to Marine boot camp. They've gotten very fit and very responsive." Gartner analyst John Pescatore predicts that just as Windows Server 2003 leveled the security playing field for Microsoft in the back office, Windows Vista will do the same for the company on the desktop. "Based on the betas, we're pretty positive," he says. "It will remove security as a differentiator."

Maynor goes even further. "I think coming up, with the processes they have in place, security will be a plus for Microsoft," he says. "People will realize Microsoft has much better security than some of its competitors."

Microsoft's security turnaround has earned high marks from many partners as well. "If you look at what Microsoft has done in the last two years in terms of security, it's turned like 180 degrees," says Charlie Haney, a regional vice president at Englewood, Colo.-based Interlink Group Inc., a technology services company and Microsoft Gold Certified Partner. Among other things, Haney lauds Microsoft for disabling features in its new releases by default if they pose a safety risk. Greg Pearson, vice president for sales and marketing at KiZAN Technologies LLC of Cincinnati, a Microsoft Gold Certified Partner specializing in advanced enterprise solutions, commends Microsoft for adding controls against executable attachments to its messaging platform. "Our customers who are implementing new products from Microsoft are on balance better off than they were before," says Pearson. "There's no doubt about it."

Mark Shavlik is less impressed. The president and CEO of Roseville, Minn.-based security ISV Shavlik Technologies LLC, a Microsoft Gold Certified Partner whose products face potential competition from some of Microsoft's latest security offerings, applauds Microsoft's intentions, but says the company doesn't seem to have fixed much. In even the newest releases, he contends, "the basic architecture is not there from a security perspective."

At least some evidence suggests many businesses agree. In a survey of 1,354 subscribers conducted by Network Computing magazine in April 2005, 53 percent of respondents said that while Microsoft is taking proper steps to secure its applications and operating systems, those products "aren't there yet."

So why the disparity between how customers rate Microsoft on security and how experts and partners do? One theory is that all the bad press Microsoft receives on security distorts customer perceptions. "Very few of our clients have actually had an issue, but they do read the trade magazines and hear about viruses and worms going around," says Chris McGinness, director of engineering at Genex, a Los Angeles, Calif.-based provider of Internet solutions and a Microsoft Gold Certified Partner. Security flaws in Windows always make a bigger splash in the media than issues affecting other platforms because they impact so many people, says ISS's Maynor. As a result, people hear more about vulnerabilities in Windows than in other products.

More significantly, Microsoft has only recently begun bringing more secure versions of its products to market. "The development cycles are actually kind of long, so we're really just starting to see the effects of things that happened two years ago," Maynor says. Meanwhile, while Microsoft's latest releases require less patching, many organizations haven't deployed them yet. Indeed, in a May 2005 study, Forrester Research found that 42 percent of the servers at the 512 North American enterprises surveyed were running Windows Server 2000 -- and that an additional 10 percent were still on Windows NT.

For companies running older products, Microsoft's seemingly endless series of updates is a potent source of dissatisfaction. DiDio says that businesses are spending 50 percent to 80 percent less time applying patches now that Microsoft ships them in regular monthly batches. Yet even so, patching remains a burdensome chore. For example, according to a Microsoft case study, Microsoft's monthly updates have enabled Garanti Technology, a Turkish IT services company, to slash the time needed for updating its 13,000 systems by 65 percent -- but it still takes six people 15 to 20 hours every month to complete the process.

Swallowing the Bitter Pill

Many partners find that simply bringing customers up to speed on Microsoft's latest security efforts goes a long way toward quelling their discontent. "There are a lot of features in [Windows XP] SP2 that people don't know about," says Maynor, and educating people about them helps change opinions. For example, the Windows Security Center provides at-a-glance information on the status of firewalls, antivirus protection and automatic updating. Haney says many of Interlink Group's customers aren't even aware that Microsoft has a security home page (located at Microsoft.com/security). Once they explore the site a little, he says, customers start asking "Why aren't we doing some of this stuff? Maybe it's not the vendor -- it's the organization."

Guiding clients to that epiphany is the real key to overcoming security complaints, partners say. The ugly truth is that some of the headaches customers blame on Microsoft stem from their own flawed security practices. "Even if Microsoft products were still wide open, a well-managed infrastructure is unlikely to get attacked," observes Pearson. "That's a bitter pill for an IT team to swallow, because they all think they're doing a damn good job."

Evidence suggests that many are not. For instance, a study by Forrester analyst Laura Koetzle reports that relevant Microsoft patches were available an average of 305 days in advance of the nine biggest Windows virus outbreaks before March 2003. Most companies simply never installed them, Koetzle says. Pearson still gets calls from people contending with Slammer, a virus that first struck in January 2003.

Partners can play an important role in encouraging clients to forgo the finger-pointing and instead answer some cold, hard questions about their security processes. Among them, says Haney: "What are your policies and procedures? How are you defending at the edge of your enterprise? How are you defending your wireless network?" Organizations without a comprehensive security strategy are vulnerable to attack no matter how Microsoft designs its operating systems. Likewise, Maynor's colleague Scott Paisley, director of technologies for the Americas at ISS, encourages clients to take a more holistic approach to their security needs. "It's very easy for a customer to come to the conclusion it's the operating system's fault," he says. "What we tend to do is [ask customers] 'How can we wrap our arms around the whole security piece?'" Wrestling with that question often leads people to the realization that some of the anger they've been directing at Microsoft may be misplaced.

More Information

Microsoft-Related Security Resources
  • A white paper detailing Microsoft’s security strategy and investments can be found here.
  • Studies from Yankee Group and Forrester discussing Microsoft’s progress on security are available here.
  • Security resources on the Microsoft Partner Portal are located here.