The Lippis Report Issue 21: Microsoft and Security - A Sleeping Giant Is Awakened
Sep 25, 2003
“Microsoft Security”. Since the advent of the Windows OS, this term has been as much of an oxymoron as “jumbo shrimp”, “profitable startup” and “political ethics”. All kidding aside, Microsoft has had more than its share of challenges in securing its operating system and application environments, disclosing new exploits and/or vulnerabilities with such frequency as to create the “patch of the week” club.
In his now famous “Trustworthy Computing” memo in January 2002, Bill Gates proclaimed the importance of security to Microsoft and called employees to action in establishing a security culture, both in terms of development and supplementary services. While many in the industry dismissed the seemingly academic statement, Microsoft is spending considerable time and money in driving this initiative forward - and not a moment too soon. A series of recent catastrophic worms, including SQL Slammer and MS Blaster, as well as a Windows vulnerability so severe that it elicited two stern warnings from the US Department of Homeland Security, has called even more attention to Microsoft’s security issues.
Over the past 18 months, Microsoft has bought, developed, updated and patched new and existing platforms in a series of security initiatives. And, while it may seem a bit late, it is driving forward in earnest. Bottom line: Microsoft will be a major player in the network and application security industry.
Platforms, Products and Processes
Microsoft’s Trustworthy Computing push is extremely broad, encompassing security, privacy and overall stability/availability of Microsoft products. Some of these initiatives include new products or significantly overhauled platforms, while others are more subtle changes to the .NET framework and to the OS and applications. One of the key products in Microsoft’s security transition is its Internet Security & Acceleration (ISA) Server. Based on the now discontinued Proxy Server platform, ISA 2000 (the current shipping edition) is a software-based combination firewall, web cache and proxy server. VPN functionality is also provided, though this is a component of the underlying Windows Server platform, not ISA, and must be managed separately. Microsoft has seen limited success with ISA as a security platform, as it is used largely for its caching and proxy functionality. However, with its forthcoming release of ISA 2004, codenamed “Stingray”, it is positioning the platform as a robust, full-featured security solution. Stingray is billed as an application layer firewall: beyond the standard packet filtering and stateful inspection expected of firewalls, it also inspects payloads to identify and block attacks carried over ports that a port-based filter treats as legitimate (such as TCP port 80 web traffic), an increasingly popular method of attack. In short, what once was designed primarily as a solution to protect Microsoft Exchange is being built up into an integrated perimeter security platform.
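To make the distinction between port-based filtering and application-layer inspection concrete, the following is an added illustration (it is not ISA Server code or any Microsoft logic, and the sample payloads are constructed for the example, not captured traffic). Both checks are given the same first client bytes of a connection to TCP port 80: the port-based filter passes everything, while the application-layer check parses the payload and refuses anything that is not a well-formed HTTP request.

```python
"""Port-based filtering beside a minimal application-layer HTTP check.

Added example; deliberately small stand-in for the protocol validation an
application-layer firewall performs, not the logic of any real product.
"""
import re
from typing import Dict, List, Tuple

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
_REQUEST_LINE = re.compile(rb"\A([A-Z]+) (\S+) HTTP/(1\.[01])\r\n")
# Characters permitted in a header field name (the HTTP 'token' rule)
_TOKEN = re.compile(rb"\A[!#$%&'*+.^_`|~0-9A-Za-z-]+\Z")
_KNOWN_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS", b"TRACE"}
MAX_HEAD = 8192  # bound on how much we are willing to buffer before deciding


def port_filter(dst_port: int) -> str:
    """Layer-3/4 policy of the kind a plain packet filter enforces:
    any connection bound for TCP/80 is treated as web traffic and allowed."""
    return "allow" if dst_port == 80 else "deny"


def http_inspect(payload: bytes) -> str:
    """Application-layer check on the first bytes a client sends.

    Returns "allow" for a syntactically valid HTTP/1.x request head, otherwise
    a "deny: <reason>" string naming the first violation found.
    """
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if len(head) > MAX_HEAD:
        return "deny: header block too large"
    if not sep:
        return "deny: no terminated HTTP header block"
    m = _REQUEST_LINE.match(head + b"\r\n")
    if m is None:
        return "deny: first line is not an HTTP request line"
    method, version = m.group(1), m.group(3)
    if method not in _KNOWN_METHODS:
        return f"deny: unknown method {method.decode('ascii')}"
    headers: List[Tuple[bytes, bytes]] = []
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not _TOKEN.match(name):
            return "deny: malformed header field name"
        # Bare CR/LF or other control bytes inside a field value are a classic
        # sign of header injection or of a non-HTTP protocol riding on port 80.
        if any(c < 0x20 and c != 0x09 for c in value) or 0x7F in value:
            return "deny: control bytes in header value"
        headers.append((name.lower(), value.strip()))
    if version == b"1.1" and b"host" not in {n for n, _ in headers}:
        return "deny: HTTP/1.1 request without Host header"
    return "allow"


def classify(dst_port: int, payload: bytes) -> Dict[str, str]:
    """Return both verdicts so the gap between the two layers is visible."""
    return {"port_filter": port_filter(dst_port), "app_layer": http_inspect(payload)}


# Constructed sample payloads (not captured traffic), all bound for TCP/80.
SAMPLES: Dict[str, bytes] = {
    "browser request": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "ssh tunnelled over 80": b"SSH-2.0-OpenSSH_3.6.1p2\r\n",
    "raw binary": bytes(range(32)) + b"\x90" * 16,
    "header injection": b"GET / HTTP/1.1\r\nHost: a\r\nX: 1\rSet-Cookie: s=1\r\n\r\n",
    "http/1.1 without host": b"GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for label, data in SAMPLES.items():
        v = classify(80, data)
        print(f"{label:24} port filter: {v['port_filter']:5}  app layer: {v['app_layer']}")
```

Every sample passes the port filter; only the genuine browser request passes the application-layer check. The caveat is that syntax validation alone is not the whole job: traffic that wraps itself in well-formed HTTP (a tunnel over CONNECT or POST bodies, say) needs content and behaviour rules on top, which is where the real products earn their keep.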
Microsoft is also diving aggressively into the desktop security business. In addition to planning to enable its fairly rudimentary Internet Connection Firewall (ICF) and automatic update features by default in future releases of Windows XP, Microsoft has also acquired GeCAD Software (Bucharest, Romania) and Pelican Security, two little-known antivirus Independent Software Vendors (ISVs). Though there have been no announcements regarding Microsoft’s intentions for these products, it’s safe to say these applications will turn up in the next major release of the Windows/.NET/Office platforms, codenamed “Longhorn” (expected in 2005-2006), or perhaps in nearer-term updates to the XP product family.
Even more interesting than these acquisitions has been Microsoft’s release of a desktop security beta product, PC Satisfaction. This suite of desktop security features is intended to protect against vulnerabilities in the Windows XP OS, several (10+) of which have been identified this year. The PC Satisfaction beta includes antivirus, an auto-updating firewall, scheduled data backup and Windows Update. Microsoft has not announced any plans to commercialize the product, nor has it discussed integrating the features into the Windows XP codebase. What is really interesting here is that Microsoft has licensed the underlying applications for PC Satisfaction from several small, unknown ISVs including Command Software, Tiny Software and Authentium. This flies in the face of some very high-profile ISV partnerships in this space - namely Symantec and McAfee - who are no doubt expecting Microsoft to be infringing on their markets in the very near future.
Some of Microsoft’s initiatives are so broad and sweeping as to leave one wondering if it is attempting to establish a secure computing environment or a further monopoly in the industry. One such example is the Next-Generation Secure Computing Base (NGSCB), codenamed “Palladium”. Palladium encompasses hardware, OS and application resources, segmenting portions of system memory for specific uses and processes - with these “secure spaces” independent of Windows. This solution will also allow users to create documents that expire after specified time periods, and also incorporates some of Microsoft’s digital rights management (DRM) capabilities for protection of audio and video files. In short, Palladium will greatly impact a user’s ability to control access to his/her PC-based data - and force them to adopt, embrace and conform to Palladium’s procedures and requirements.
What Does It All Mean?
Microsoft’s activities in the security space have multiple implications, both for the enterprise and for other enterprise security vendors. For enterprises, this represents both opportunity and challenge. On the dark side, it further locks the enterprise into dependency on Microsoft as it steps further into the infrastructure arena - essentially, driving more convergence between IS and IT. It also may have usability implications for several Microsoft applications, restricting features and functionality users have become accustomed to in the name of security. Additionally, by looking to Microsoft for security solutions, enterprise managers will inevitably start to turn their attention away from the typical security vulnerabilities inherent in Microsoft platforms and focus more on purchasing Microsoft’s incremental security products to close them - the ultimate revenue-generating bait-and-switch.
And, of course, there’s that eerie feeling that “big brother” is creeping deeper into the enterprise.
Microsoft’s Trustworthy Computing initiative is far from all bad for the enterprise. First and foremost, Microsoft is working on addressing and rectifying vulnerabilities in platforms that have already been deployed. This focus should mean more secure and reliable updates (proactive updates, even) for existing OS and application suites. Secondly, Microsoft has done a good job in developing a common management environment, Microsoft Management Console (MMC), for most of its applications, as well as snap-ins for numerous third-party products. Furthermore, Microsoft’s security applications propose to deliver high performance on commercial off-the-shelf (COTS) Intel-based server platforms, reducing the requirement to subsidize expensive appliance-based solution hardware, increasing flexibility, and enabling multi-tasking for hardware platforms.
Perhaps the greater implications of Microsoft entering the security space in earnest apply to the networking industry at large. Microsoft’s software-based solutions, with their close ties to the application and operating environments, take enterprise security down a layer, focusing on granular user and application policy and protection instead of the coarser network- and node-based security that has traditionally been deployed.
While this does not eliminate the requirement for traditional network security infrastructure, it does raise questions regarding redundant functionality and best practices for concentration of security efforts (focusing on network security versus application and data security). Furthermore, significant movements by Microsoft in the security space threaten an entire segment of enterprise security vendors that have been created primarily to address the insecurity of Microsoft environments.
One thing is certain - Cisco, Symantec and Check Point had best take notice: Mr. Bill has entered the building.