What seems like a yes or no question is not quite so straightforward. There are at least 5 levels to this discussion.
1. Secure coding. Yup. No doubt, Microsoft should produce secure code. We should demand this from all of our software providers.
2. Security functionality in the platform at no cost. Yup. Absolutely. We should demand that our IT platform providers include basic security functionality out of the box. All software platforms (even our virtualization platforms) should include authentication and authorization capabilities as well as threat-facing capabilities like firewalling and encryption. For example, Windows has multiple capabilities such as EFS, DEP and a basic firewall. Windows Vista adds BitLocker and signature-based antispyware in the form of Windows Defender. Microsoft SQL Server has built-in database encryption. Microsoft is a bit different in that it can’t just build any security functionality into any platform without being concerned about regulatory implications, especially for its Windows OS. However, these might be provided as a separate download or separate SKU at no cost.
These first two are straightforward and I don’t think a lot of you will disagree that Microsoft should at least do those two things. Beyond this, we enter the twilight zone. This is where clients I speak with start to have mixed feelings.
3. Add-on security products at a fee. These could be identity and access management add-ons like Microsoft’s ILM or threat-facing add-ons like Forefront Security for SharePoint or Forefront Client Security. In either case, Microsoft could charge for a product that’s easier to use or less expensive than competing products. However, this is where the potential conflict of interest comes in. Do you really want your platform vendors selling add-on products to protect you from something that should have been avoided if the software had been built securely (#1), or that shouldn’t have cost extra because the feature should already have been included (#2)? Here’s the rub: if the add-on business becomes large enough, there is a potential conflict of interest because something in bucket #3 may generate so much revenue that Microsoft isn’t motivated to go back and address the root cause (#1) or add these capabilities into the platform at no extra cost (#2).
4. Cloud-based security services at a fee. This is really an extension of #3. If Microsoft has a security product, why not make this available as a service as part of its Cloud-based Azure services strategy? Microsoft already has some offerings here like Exchange Hosted Filtering services (from the acquisition of FrontBridge). Others, like Microsoft Federation Gateway services were announced at Microsoft’s professional developer conference last fall.
5. Security signature subscription business from Microsoft-funded threat labs. For the threat-facing capabilities in #2, #3 and #4 above that are based on blacklisting, you need an ongoing set of signatures and filters, typically paid for as a subscription service. For example, the AV signatures that feed Forefront Client Security. However, not all signature feeds necessarily require a subscription fee – e.g. the antispyware in Vista’s Windows Defender receives updated signatures at no additional fee. In terms of the labs, Microsoft’s investments here, as well as its visibility into malware across its consumer and enterprise customers, have closed the gap with competitors’ security research labs – for the Windows platform.
As you can see, it is not a simple yes/no answer. At this point, Microsoft has efforts in all of these areas. One thing is clear: Microsoft has drawn the line at protecting only its own platforms, including the signature feeds from #5. For many organizations, that alone may be reason enough to look elsewhere.
Where do you think Microsoft should draw the line? Do you have concerns about buying a security add-on product or service from Microsoft?
Neil MacDonald