The Security Paradox
Though many experts credit Microsoft with making great strides on security, many customers still aren't satisfied. But how much of the problem is really Microsoft's fault?
- By Rich Freeman
- January 01, 2006
Consider these facts:
- Microsoft data shows half as many critical security vulnerabilities
occurring in Windows XP Service Pack 2 (SP2) as in the previous
version of Windows XP. In addition, Microsoft says it now issues
online guidance and alerts within two hours of discovering a new
vulnerability, versus 24 hours in 2003.
- Stamford, Conn.-based analyst firm Gartner Inc., says that security
shouldn't be a deciding factor for businesses choosing between
Windows Server 2003 and Unix or Linux.
- Forrester Research Inc. reports that Microsoft was the only
one of five vendors surveyed that corrected 100 percent of reported
operating system flaws over a 12-month period.
- A Redmond Channel Partner survey (see "Taking the
Partner Pulse," September 2005) cites "security is lacking"
as one of the top three complaints about Microsoft that partners
hear from customers.
If you're puzzled by the apparent disconnect between that final
item and its predecessors, you're not alone. Yet a variety of partners
and security experts confirm that while Microsoft is making serious
headway on security, customer unhappiness persists.
What appears paradoxical at first, however, turns out to be less
so upon closer inspection. Though Microsoft now ships dramatically
more secure products, analysts say many customers still run older,
less hardened releases. Patching those systems is easier than it
used to be, but partners say their customers still find the task
onerous. Small wonder that their frustration endures.
Still, many partners believe that customers are misdirecting some
of their ire. They say that while Microsoft bears much of the blame
for the ongoing security woes, oftentimes the party most at fault
is staring back at customers from their own mirrors.
A Big Leap Forward
It's been four years since Microsoft Chairman Bill Gates, responding
to a devastating series of viruses that left customers furious about
their vulnerability to attack, wrote his famous "Trustworthy
Computing" memo, ordering that security become the company's
top priority. Since then, the software giant has been a blur of
security-related activity. Microsoft says it has trained 15,000
employees on the new Security Development Lifecycle, a rigorous
methodology for producing more secure code. To provide defense-in-depth
from malware, the company has introduced a slew of new protection
technologies, including its Windows Defender anti- spyware tool
and products from acquired security firms Sybari Software and FrontBridge
Technologies, among others.
In addition, Microsoft has adopted a new monthly threat reporting
and patching schedule, rolled out tools, webcasts and events offering
prescriptive security guidance, collaborated with industry bodies
on issues such as phishing and spam, and worked with law enforcement
agencies to bring cyber-criminals to justice.
approach to security has markedly improved in recent
years," says Yankee Group research fellow Laura
DiDio: "It's like the fat kid who goes to Marine
boot camp. They've gotten very fit and very responsive."
Those efforts have been making converts out of some critics, including
David Maynor, a widely respected research engineer at Atlanta-based
solution provider and Microsoft Gold Certified Partner Internet
Security Systems Inc. (ISS). "To be honest, until recently,
I wasn't a big fan of the improvements they've made," says
Maynor, who was among an elite group of security experts invited
to meet with Microsoft executives and developers in October 2005.
What he learned about Microsoft's scrupulous new development practices
convinced him that the company has come far in addressing the problem.
Many analysts too now sing Microsoft's praises. Until recently,
the company was "getting a lot of black eyes" on security
-- and deservedly so, says Laura DiDio, a research fellow with Boston-based
consulting firm Yankee Group Research Inc. Since then, however Microsoft's
security strategy has markedly improved, she says: "It's like
the fat kid who goes to Marine boot camp. They've gotten very fit
and very responsive." Gartner analyst John Pescatore predicts
that just as Windows Server 2003 leveled the security playing field
for Microsoft in the back office, Windows Vista will do the same
for the company on the desktop. "Based on the betas, we're
pretty positive," he says. "It will remove security as
Maynor goes even further. "I think coming up, with the processes
they have in place, security will be a plus for Microsoft,"
he says. "People will realize Microsoft has much better security
than some of its competitors."
Microsoft's security turnaround has earned high marks from many
partners as well. "If you look at what Microsoft has done in
the last two years in terms of security, it's turned like 180 degrees,"
says Charlie Haney, a regional vice president at Englewood, Colo.-based
Interlink Group Inc., a technology services company and Microsoft
Gold Certified Partner. Among other things, Haney lauds Microsoft
for disabling features in its new releases by default if they pose
a safety risk. Greg Pearson, vice president for sales and marketing
at KiZAN Technologies LLC of Cincinnati, a Microsoft Gold Certified
Partner specializing in advanced enterprise solutions, commends
Microsoft for adding controls against executable attachments to
its messaging platform. "Our customers who are implementing
new products from Microsoft are on balance better off than they
were before," says Pearson. "There's no doubt about it."
Mark Shavlik is less impressed. The president and CEO of Roseville,
Minn.-based security ISV Shavlik Technologies LLC, a Microsoft Gold
Certified Partner whose products face potential competition from
some of Microsoft's latest security offerings, applauds Microsoft's
intentions, but says the company doesn't seem to have fixed much.
In even the newest releases, he contends, "the basic architecture
is not there from a security perspective."
At least some evidence suggests many businesses agree. In a survey
of 1,354 subscribers conducted by Network Computing magazine in
April 2005, 53 percent of respondents said that while Microsoft
is taking proper steps to secure its applications and operating
systems, those products "aren't there yet."
So why the disparity between how customers rate Microsoft on security
and how experts and partners do? One theory is that all the bad
press Microsoft receives on security distorts customer perceptions.
"Very few of our clients have actually had an issue, but they
do read the trade magazines and hear about viruses and worms going
around," says Chris McGinness, director of engineering at Genex,
a Los Angeles, Calif.-based provider of Internet solutions and a
Microsoft Gold Certified Partner. Security flaws in Windows always
make a bigger splash in the media than issues affecting other platforms
because they impact so many people, says ISS's Maynor. As a result,
people hear more about vulnerabilities in Windows than in other
More significantly, Microsoft has only recently begun bringing
more secure versions of its products to market. "The development
cycles are actually kind of long, so we're really just starting
to see the effects of things that happened two years ago,"
Maynor says. Meanwhile, while Microsoft's latest releases require
less patching, many organizations haven't deployed them yet. Indeed,
in a May 2005 study, Forrester Research found that 42 percent of
the servers at the 512 North American enterprises surveyed were
running Windows Server 2000 -- and that an additional 10 percent
were still on Windows NT.
For companies running older products, Microsoft's seemingly endless
series of updates is a potent source of dissatisfaction. DiDio says
that businesses are spending 50 percent to 80 percent less time
applying patches now that Microsoft ships them in regular monthly
batches. Yet even so, patching remains a burdensome chore. For example,
according to a Microsoft case study, Microsoft's monthly updates
have enabled Garanti Technology, a Turkish IT services company,
to slash the time needed for updating its 13,000 systems by 65 percent
-- but it still takes six people 15 to 20 hours every month to complete
Swallowing the Bitter Pill
Many partners find that simply bringing customers up to
speed on Microsoft's latest security efforts goes a long way toward
quelling their discontent. "There are a lot of features in
[Windows XP] SP2 that people donÕt know about," says Maynor,
and educating people about them helps change opinions. For example,
the Windows Security Center provides at-a-glance information on
the status of firewalls, antivirus protection and automatic updating.
Haney says many of Interlink Group's customers aren't even aware
that Microsoft has a security home page (located at Microsoft.com/security).
Once they explore the site a little, he says, customers start asking
"Why aren't we doing some of this stuff? Maybe it's not the
vendor -- it's the organization."
Guiding clients to that epiphany is the real key to overcoming
security complaints, partners say. The ugly truth is that some of
the headaches customers blame on Microsoft stem from their own flawed
security practices. "Even if Microsoft products were still
wide open, a well-managed infrastructure is unlikely to get attacked,"
observes Pearson. "That's a bitter pill for an IT team to swallow,
because they all think they're doing a damn good job."
Evidence suggests that many are not. For instance, a study by Forrester
analyst Laura Koetzle reports that relevant Microsoft patches were
available an average of 305 days in advance of the nine biggest
Windows virus outbreaks before March 2003. Most companies simply
never installed them, Koetzle says. Pearson still gets calls from
people contending with Slammer, a virus that first struck in January
Partners can play an important role in encouraging clients to forego
the finger-pointing and instead answer some cold, hard questions
about their security processes. Among them, says Haney: "What
are your policies and procedures? How are you defending at the edge
of your enterprise? How are you defending your wireless network?"
Organizations without a comprehensive security strategy are vulnerable
to attack no matter how Microsoft designs its operating systems.
Likewise, Maynor's colleague Scott Paisley, director of technologies
for the Americas at ISS, encourages clients to take a more holistic
approach to their security needs. "It's very easy for a customer
to come to the conclusion it's the operating system's fault,"
he says. "What we tend to do is [ask customers] 'How can we
wrap our arms around the whole security piece?'" Wrestling
with that question often leads people to the realization that some
of the anger they've been directing at Microsoft may be misplaced.
More InformationMicrosoft-Related Security Resources
- A white paper detailing Microsoft’s security strategy and investments
can be found here.
- Studies from Yankee Group and Forrester discussing Microsoft’s progress
on security are available here.
- Security resources on the Microsoft Partner Portal are located here.