Microsoft has taken a lot of heat in the media and from industry experts for leaving its coastline exposed, and has stepped up security efforts on several fronts. Some of those moves, such as its Trustworthy Computing initiative, date back several years and attempt to address flaws in several ways, including building better security into products, helping customers use them more securely, and communicating more openly about vulnerabilities.
Several key product lines, including the Windows XP desktop operating system and Windows Server 2003, are due to get upgrades that include substantial security fixes, and its new Internet Security and Acceleration Server 2004 includes such security advances as deeper content inspection. At its Worldwide Partner conference in July, Microsoft said that more than 90 million computers are now getting automatic updates, up from 12 million to 18 million 10 months earlier. In the same period, the number of servers receiving Microsoft automated updates rose from 55,000 to 112,000.
"This shows our commitment [to better security]," says Gytis Barzdukas, director of product management for the Microsoft Security Business and Technology unit. "We've moved past the world where we leave customers to themselves, and are being much more responsive than in the past." As one measure of the company's success in this regard, Barzdukas points to the declining number of "critical" or "important" security bulletins issued. In the first year after the release of Windows 2000 Server, there were 42 such bulletins issued; in the year after releasing Windows Server 2003, Microsoft issued only 13 such updates.
Security entails more than plugging holes where hackers can get in, however. Microsoft says it is also addressing authentication and access control by enhancing password administration for its servers and supporting smart cards and public-key infrastructure. In the future, it will support biometric identification cards. The company is also educating customers about security risks through free training programs for IT professionals, teaming with antivirus software developers in security consortia, and working with law enforcement agencies to share information about vulnerabilities.
But are these efforts enough? Analysts and IT security managers are encouraged by the initiatives, but they aren't ready to declare that their concerns about the security of Microsoft products are over. "I look for Microsoft to show more leadership in making products" more secure and articulate a clear vision of how it will address enterprise security challenges, says Eric Ogren, senior analyst at The Yankee Group in Boston. "They are communicating updates in an open manner and being accountable. But when it comes to [new product development], I just don't see anything innovative."
Ogren would like to see Microsoft accelerate efforts to prevent such common security holes as buffer overflows and provide more "cleaning" services via the Internet for customers that have experienced virus or worm attacks. He believes joint efforts with security vendors may be a good way to achieve some of this.
At Manufacturers Life Insurance Co., Edward J. Liebig, assistant vice president of global IS security, says Microsoft has made notable improvements in releasing vulnerability data and securing products. Nevertheless, Manufacturers Life remains cautious. "We want everything field-tested first, and we don't want to be the ones doing it," says Liebig. "We'd rather let the products sit out there and have the first or second patch revisions [completed] before we adopt them. You've got to show us these products are secure."
Liebig also believes Microsoft needs to work closely with security vendors to thwart attacks. "Security vendors should get a good opportunity to review any new product to ensure integrity of the security safeguards. No one vendor can go it alone," he says. "You need specialty partnerships to do best-of-breed development work for security in different areas."
Howard Schmidt, former White House cybersecurity adviser and now vice president and chief information security officer at eBay Inc., is pleased by Microsoft's security efforts and says the company has been soliciting more feedback from corporate security executives.
Schmidt says he has met with Microsoft representatives about six times in the past four months to discuss security and new product development. "They're being very proactive in working with the people who are responsible for security," he says. Clearly, Microsoft hopes that Schmidt's views ripple through the corporate market. —Bob Violino