Like Windows 7, Windows 8 will continue to raise the bar in terms of security capabilities of the base OS. Here’s a list I compiled of the new capabilities:

• Antimalware protection built into the OS – basically Microsoft’ Security Essentials (beyond just Windows Defender included with Windows 7)
• Earlier loading of security protection in the boot process to thwart rootkits and other boot-level malware
• File reputation services (SmartScreen) – was included with IE9, now expanded to protect the entire OS.
• Root of trust measurements of the OS based on UEFI – if we need this for hypervisors, why not all OSs? Microsoft has had something similar with BitLocker using TXT and has now extended this to all versions.
• Windows Refresh – to restore Windows back to a known good state, while preserving end user personalization, enabling Systematic Workload Reprovisioning.
• Windows now supports boot from USB – quite useful in specific scenarios. Combined with BitLocker and root of trust measurements, this becomes a way to place an unknown terminal device into a high assurance state.

For the new “Metro Style” side of Windows 8 (the WinRT side), it is clear that the security model of Apple and the iPhone/iPad has had an impact:

• Reduced rights and strengthening of mandatory integrity controls of the OS.
• Metro-style applications can only be delivered through the Microsoft application store which now includes security testing (a form of implicit whitelisting).
• Sensitive API access is proxied through a security policy enforcement mechanism which validates the application’s right to use them
• “Picture Password” as a touch-native way of authenticating yourself to Windows 8

Overall, Windows 8 provides evolutionary – not revolutionary — improvement in security capabilities and raise the bar in terms of what an OS should deliver in terms of security protection.

If you are licensed under Microsoft’s Core Client Access License program, it now includes CALs for Forefront Endpoint Protection. For many organizations that are already licensed under Core CAL, this means that FEP is essentially “free”.

I’ve been getting dozens of inquires from large and small organizations in the last 6 weeks on whether or not Forefront makes sense for them. However, “free” doesn’t mean no cost. First, you have to be licensed under Core CAL. Second, you have to consider the cost of deployment and testing as well as the cost of removing whatever you have in place. Also, Microsoft has no solution for non-Windows platforms (as you might expect) and many organizations will be forced to use another type of solution to protect these systems.

There are many other pros and cons which I go into detail for clients in this research note that I just published:

Microsoft’s Forefront Endpoint Protection: Good but not Great

For some organizations, FEP will be a good solution. For others, it will be a not be a good fit. Which are you?

From my perspective the announcement that will affect the most enterprises from a security perspective was a change in licensing related to Forefront. Some history — in 2010, Microsoft reorganized the Server and Tools Business Unit placing the Forefront Endpoint team with the System Center Configuration Manager team. In December 2010, Microsoft shipped the version of Forefront (Forefront Endpoint Protection) that uses System Center Configuration Manager as the backbone for the distribution and update of Forefront’s antimalware engine and signature updates.

Now to the significant licensing change. Previously, Microsoft customers licensed under its Enterprise Client Access License Program (ECAL) had rights to Forefront EndPoint Protection. Microsoft has lowered the bar and included rights to FEP with its Core CAL. These changes are detailed on Microsoft’s web site. This will change the competitive dynamics in the endpoint protection platform market.

Other observations from the event:

1) Brad Anderson was clear that Cloud is a computing model, not a location and that the attributes of Cloud computing are what really matter – scalability and elasticity, self service, shared, automated, etc. Organizations want this in their own data centers, thus a large part of his keynote talked about how Microsoft enables private clouds with “Concero” – a new web-based portal for self-service by application owners.

3) It was interesting that in the keynote demo of Concero, the presenter commented on the usability of the UI stating “working within a web browser doesn’t have to be clunky” which received applause from the audience. However, all of this was built on Silverlight, but no explicit mention of Silverlight  (see observation #7 in this post) was made on Monday or Tuesday.

4) Microsoft’s AVIcode acquisition provides Microsoft application performance visibility, including potential security-related issues (in addition to things like performance and connectivity).

5) In competing with VMware, Microsoft made the following points multiple times in the keynotes to reinforce the areas which it believes are significant differentiators:

• Microsoft has in-depth knowledge and context (Brad Anderson used the word “wisdom”) of the OS
• With AVIcode instrumentation, Microsoft’s tools will have in depth knowledge and context of .NET applications (it’s all about the applications – they can’t be treated as black boxes)
• Microsoft’s management tools span Hyper-V, XenServer and VMware hypervisor based environments

Tomorrow’s keynotes are all about the client side manageability and the impact of consumerization. I won’t be there, but there will be security implications to many of these announcements as well.

Microsoft, like any other software vendor, has vulnerabilities in its operating system and applications. In sheer quantity, Apple has had more vulnerabilities than Microsoft recently as shown in data from Secunia, IBM X-Force Labs and others: For example, this chart comes from Secunia’s Half Year Report 2010

However, in addition to the number of vulnerabilities, the severity of the vulnerabilities must also be considered. Here’s where the lab data shows an interesting trend. In 2010, Microsoft has a far larger percentage of vulnerabilities rated “critical” or “high” than any of the other vendors in its operating system software. This chart comes from IBM’s X-Force 2010 Mid-Year Trend and Risk Report

With Microsoft’s Secure Development Lifecycle in place and continuing to be refined over the past 7 years, why does the OS software being produced by Microsoft contain a significantly larger percentage of security vulnerabilities rated critical or high while other OSs are decreasing?

Here are some possibilities:

• The bad guys are getting better at finding more serious vulnerabilities on Windows. It’s possible, but wouldn’t they be getting better equally across all OS platforms? With its dominant market share, Windows is clearly a favorite target, Perhaps the bad guys are getting the upper hand
• The SDL is losing its effectiveness in finding the really difficult bugs. As the bad guys continue to evolve their abilities, the tools that enterprises use to detect vulnerabilities in code must also continually evolve.Vendors of commercial solutions such as HP Fortify, IBM, Veracode, Cenzic and others invest a significant amount of money evolving their tools. Many of the tools that Microsoft uses internally to detect vulnerable code are ‘home grown’.
• Diminishing returns from developers. Microsoft was an early SDL adopter, Even augmented with tools, it is possible that there is only so much that can be caught by developers before diminishing returns set in.
• Less emphasis on the SDL. I haven’t seen any evidence of this, but it is possible that Microsoft’s need to innovate quickly against Apple, Google and others has taken priority.
• Microsoft shipped a lot of new products in the late 2009/2010 timeframe so more critical vulnerabilities are expected: Windows 7, Windows Server 2008 R2, Office 2010, Exchange 2010, SharePoint 2010 and so on. Note that the data in the second figure is for the OS only. Windows 7 wasn’t entirely  new – it was a facelift on Windows Vista with minimal kernel-level changes. Why would such a large percentage of critical and high vulnerabilities appear on an existing code base?
• IE 8 was introduced and is a “part of the OS”. Since IE 8 is treated as a part of the Windows OS and since IE 8 was new and included with Windows 7, this could skew the results as compared to other OSs where the browser is not counted as a part of the OS. Still, the percentages should help to compensate for volume.

I’m sure there are other possibilities. I’d be interested in what others believe might be the cause of this.

One of the challenges to both of these actions is getting a handle on the number of browsers in use and the plugins in use in your organization. For example, even though your policy might state that Internet Explorer is the only supported browser the reality is that many browsers may be installed without the official support of enterprise IT.

The same is true of plugins (toolbars, browser helper objects, ActiveX controls and browser extensions). IT may officially support a core set of these (Flash, PDF, Webex, and so on) but aren’t aware of the rest.

Allowing users to choose alternative browsers and customize their work environment isn’t inherently bad. In fact, I coauthored this research note for clients explaining Gartner’s official position that organizations shouldn’t standardize on a single browser and lays out a strategy for this. The risk is that this expanded set of browsers and plugins aren’t kept up to date from a security perspective and present hackers with opportunities to target your users.

A good PC lifecycle management tool should provide the detailed inventory information you are looking for. However, some clients have indicated to me that they were having difficulty identifying plugins.

Last week, Microsoft updated its free Microsoft Assessment and Planning Toolkit. By using credentialed access (thus it doesn’t require an agent), the tool is able to query each machine and obtain inventory information including the browsers in use and the versions (including non-Microsoft browsers):

And, for Internet Explorer, the toolkit identifies all of the plugins:

Part of managing risk is understanding where risk resides.

I was talking to a client yesterday and used this analogy: It’s like when you know you have skeletons in the closet but you don’t quite know how many — so you get a stronger flashlight.

More visibility leads to more informed decision making.

In the interview, John and I stated that Windows was losing market share in the enterprise, Steve emphatically stated that it was not.

What does Gartner research show?

In this full market analysis available to Gartner clients, you can get the complete breakdown. Here’s just a portion (I’ve combined all of the variants of Windows together – the report has this broken out by OS).

For non-consumer usage worldwide, all variants of Windows combined held a 95.2% market share at YE2009 (this number includes the entire installed base of machines, not just the percentage of new PCs shipped where the market share of Windows is actually lower). Not only is this projected to drop in 2010, but it also drops every year to a projected 94.4% at YE2014.

For just the consumer installed base, the adoption of non-Windows PCs and laptops is even higher. All variants of Windows combined drop to a projected 92.8% market share by 2014.

Sure – in absolute numbers, Microsoft is clearly selling more copies of Windows as the number of PC users in the world continues to increase. But when looking at market share, Windows is losing market share. The drop in market share may seem small, but when you are talking about hundreds of millions of machines installed worldwide, every tenth of a point of market percentage drop is a large number.

I’m sure that Microsoft could show numbers that indicate otherwise, so let’s set the numbers argument aside. The pain you are feeling is real.

The reality is that nearly every one of your enterprises has more non-Windows devices coming in the door (usually Macs). Sometimes employees bring them, sometimes they demand them and IT procures them. Sometimes its the CXO level of the organization and you can’t say “no”. We don’t have a choice. I see this everyday in discussion with clients asking for the best practices and advice for securing and managing these devices.

What Microsoft really needs to do is acknowledge that the issue and pain you are feeling is real and start providing solutions that help you manage and secure an environment that isn’t 100% Windows. That’s how Microsoft could really help

Last week, Ray Ozzie announced he was leaving Microsoft. Yesterday, Ray’s last memo to the Microsoft staff was released.

Ray doesn’t expand oh his motivations for leaving Microsoft, but he does state that despite all that Microsoft had accomplished in the cloud, part of his vision was still unfulfilled:

Yet, for all our great progress, some of the opportunities I laid out in my memo five years ago remain elusive and are yet to be realized.

In the memo, Ray talks extensively about the “post-PC” era and the need for Microsoft to remain relevant in a world of continuous services and connected devices. He hints that Microsoft’s greatest strength in its PC ecosystem and breadth of legacy application support within Windows has become a liability, stating:

But so long as customer or competitive requirements drive teams to build layers of new function on top of a complex core, ultimately a limit will be reached.  Fragility can grow to constrain agility.  Some deep architectural strengths can become irrelevant – or worse, can become hindrances

Ray states that the future lies in simpler, appliance-like devices – pretty much the antithesis of Windows in its current form. My favorite section was this one (which Ray has stated before, but it always rings true to me):

Complexity kills. Complexity sucks the life out of users, developers and IT.  Complexity makes products difficult to plan, build, test and use.  Complexity introduces security challenges.  Complexity causes administrator frustration.

In my opinion, instead of a “PC on every desktop”, Microsoft’s replacement vision should be “A Microsoft experience on every device” – a vision which must include rich services and experiences for heterogeneous mobile devices (which may or may not include a PC or Windows).

Mobile Office and Live Messenger on Android? Sure, why not?

And, instead of a “one size fits all” approach for Windows, the next version Windows becomes much more modular based on a lightweight common mirokernel which could be adapted to the function desired – including serving as the foundation for the next generation of a Windows Phone.

We asked Steve Ballmer about the impact of Ray Ozzie’s departure on Microsoft’s Cloud strategy in our interview (unfortunately, the clip doesn’t include the question on Ray) on the main stage of Symposium last week. Steve reiterated that Microsoft was “all in” with the Cloud and that Ray’s vision was now embedded within every manager within the Microsoft organization and had moved beyond a single individual. That’s true, but who within Microsoft is looking at what’s next with Cloud? Call it “Cloud 2.0” if you will. Who will fill this visionary role?

Overall, the memo is upbeat and ends on an inspirational note:

And so, as Microsoft has done so successfully over the course of the company’s history, let’s mark this five-year milestone by once again fearlessly embracing that which is technologically inevitable – clearing a path to the extraordinary opportunity that lies ahead for us, for the industry, and for our customers.

I highly recommend you take a read of the entire text.

You can catch a clip of the interview here.

One of of questions we asked concerned a version of Microsoft’s “tablet” form factor that Steve had indicated that such a device would be available “very soon” during Microsoft’s financial analyst meeting in July. During our interview on Thursday, Steve was quite careful to not limit a tablet-like form factor to only the full Windows OS. Many folks in the audience also observed this. Steve was also careful not to use the word “tablet” too loosely in describing what would be available for the holiday 2010 season.

The next day (Friday 22 October), HP released its Slate 500, available immediately.

Based on the HP device, it is clear to me why Steve was careful in his wording. Is this device a tablet-like form factor? Yes, but it is probably better described as a slate-like form factor to avoid setting any expectation that this is a consumer-oriented tablet offering. This device is clearly an offering designed for the enterprise (available on the enterprise section of HP’s website). The word “tablet” has become synonymous with the iPad and brings with it expectations of battery life and a price point that this enterprise device doesn’t have.

People expecting an “iPad-killer” in this slate device miss the point. This device is designed for enterprise users.

This tension of Microsoft trying to simultaneously serve the needs of enterprise users and the needs of trendy consumers was a key thread throughout our Thursday interview with Steve. Microsoft tries to be all things to all people, but can it really serve these two masters equally well?

During the interview we asked about the possibility of a future iPad-like tablet device running on Windows Phone 7. Steve wouldn’t predisclose – saying only that it would run “Windows too” – leaving the possibility of a Windows Phone 7-based device open. But you can bet that somebody within Microsoft is looking at the feasibility of a consumer-oriented tablet offering running the Windows Phone 7 multi-touch user interface as an alternative to a Windows 7-based consumer offering.

However, I don’t expect to see this in 2010.

Microsoft’s future is a bit of a conundrum. One one hand, Microsoft is having success with newer versions of its established offerings such as Windows 7, SharePoint 2010, Exchange 2010, Windows Server 2008 R2 and others.

But what about new growth opportunities in the mobile space and in Cloud computing?

I will join my colleague, John Pescatore, in interviewing Steve Ballmer live on the main stage on Thursday morning, October 21st at Gartner’s upcoming US Symposium conference in Orlando.

So, what would you ask Steve Ballmer?

Do you believe Microsoft has lost its relevance in a world of mobile devices connected by Cloud-based services?

Microsoft provides free guidance based on its own internal experiences on its Secure Development Lifecycle website.

IBM provides a similar document based on its development practices – “The IBM Secure Engineering Framework”

and, I’ve written previously on the good work coming out of OWASP and the work done by the Build Security In Maturity Model team.

Technology alone cannot solve what fundamentally is a process problem. Use these resources to learn best practices in building a workable software assurance program that addresses people, process and technology.