Blasting Bill Gates' RSA Keynote
Bill Gates of Microsoft kicked off the festivities at RSA yesterday with his seemingly annual keynote. At times Microsoft announces new stuff and puts other vendors on notice that the "Redmondsters" are coming for them.
The hope was that Bill Gates would say something of substance. Basically give customers hope that their lives would get better. That the "new" standards-friendly Microsoft would not continue to focus on locking customers into a homogeneous Windows environment. That Microsoft could evangelize a convincing and achievable security framework for how all the pieces fit together, including legacy (and non-Microsoft) platforms.
I'm sure customers were disappointed by what they saw. I know I was. I thought the keynote sucked.
OK, I said it. Bill was not on his game. The demos were simplistic and not compelling. Their strategy depends on WIDESPREAD, actually UBIQUITOUS adoption of Microsoft's technology on both client and server. Everything was based on Vista, and customers won't be able to get Vista until the end of this year. Deployment won't start in earnest until mid-07 and be sufficiently pervasive (for security to work anyway) for years after that. The really interesting stuff (like Network Access Protection - NAP) won't be available until Longhorn Server, which is mid-2007 best case.
There was also no mention of how Microsoft's stuff is supposed to work with the network. If I totally adopt Microsoft's stuff, do I get to throw out my firewalls?
Microsoft basically said customers are on their own unless they can fully adopt Vista and Longhorn Server. That's disappointing. So customers, hunker down and make sure your patch process is strong, because you'll be using it for the next 4-5 years. Don't throw out your firewalls yet.
On the positive side, NAP looked pretty cool, but it was also not clear what kind of overhead is involved in setting up access policies for the network. Microsoft's focus on Identity is also good and sorely needed. Their work to harden the Windows platform is positive, as well as upgrading development tools to be more secure.
That's good stuff, but it will take years to take root. I remember a quote from Bill himself about how we overestimate the amount of progress in 2-3 years, but underestimate the progress made in a decade. That's absolutely true. But Bill must have forgotten it, based on another "projection" he made.
"Passwords should be gone in 3-4 years."
You figure he would have learned something from the RSA spam debacle two years ago... But I guess not. Seems that Bill's new pet project is smart cards (since the SecurID didn't work for that purpose), so he envisions a world without passwords. It's not going to happen. Not anytime soon anyway. Here are a couple of reasons why:
- Adoption timeframe - It takes customers 3-4 years to decide to upgrade to a new Microsoft operating system. Some of the technology requires new products, or at least the latest current version of Windows Server.
- Federation must happen - Sure, large companies are already working on it, but in order to move away from passwords, every company must jump on board. And there are still competing standards (WS-* and SAML 2.0); though most products will support both, the presence of both complicates things.
- Passwords are good enough - If I'm transferring a million dollars, I probably want stronger authentication. To log into my network, a password is fine. And will remain fine. Reduced sign-on can make passwords easier to deal with, but to think everything will move to a new smart card-based reality is plain delusional.
Ultimately, I get that Microsoft needs to have a good reason for customers to upgrade to the new platforms (to keep growth going) and maybe trying to vilify passwords is a way to stimulate action. But I don't think so. There are places for stronger authentication and places where it's not worth the effort.
I hope John Chambers of Cisco does better tomorrow.

