Microsoft
Microsoft's RSA Keynote Conversation: Where's the beef?
I don't like this either. Let's be clear, this is not Gartner's ITExpo. This format isn't working for me. Maybe I'm jaded by folks like Steve Jobs and John Chambers, who are great performers. Even when they say next to nothing, it feels substantive. Bill Gates is never going to present like Steve Jobs, so I should probably recalibrate my expectations.
I find this kind of boring. Too much set up. It took way too long for them to tell us that they are going to talk about 3 things: Networks, Protection and Identity.
Very little on actual products. No demo. That's very interesting. I think this is a lost opportunity. Microsoft is trying to push the conversation forward, but they aren't balancing that need with showing customers what they can do today.
Jeez, I'm very surprised by this. I figured he'd just talk about how great and secure Vista is and talk up Forefront and how security is very important to Microsoft. Not much on that at all. Is this Microsoft?
Security feels like a feature in their view of how the infrastructure shakes out. This is counter-intuitive. When they weren't doing anything, they talked about all these products that were coming (but not for years). Now that they've actually done something, they aren't talking about it. Go figure.
Customers can't wait until 2009 or 2010 for Microsoft to help them out. They talked about evolution (not revolution), but didn't lay out a plan for customers. So that is disappointing.
I do like the fact they are focused on setting the agenda, but there is no meat behind the story. It's not clear whether it's chicken, fish, beef or lamb. I don't know how this is going to look, and I probably won't know for 2 or 3 years. I'm an impatient guy and you probably are too.
WHERE'S THE BEEF?!?!?!?
Below are my raw notes and thoughts tapped out during the presentation; check them out if stream of consciousness is interesting.
At first they are focusing on the network, something near and dear to my heart. It needs to evolve. Right on. No one is going to rip and replace (except maybe for a greenfield location). The slide talks about a "trusted zone" and an "untrusted zone." IPSec is the technology they'll use. Seems very 2004 to me, especially since Microsoft themselves announced a new SSL VPN product last week.
"Policy, not topology." Hmmm. That's interesting, especially given mobility and the fact that most companies can't assume they control the networks that their users will connect over. Mundie now talks about Microsoft's own internal challenges. They are a big, global company. How are they eating their own dog food?
They use IPv6, IPSec, and store everything in Active Directory. Individual policies based on USER, not where the user is. Given that Microsoft controls most of the users out there, it's pretty logical that they would be looking at building an overlay. Allows them to poke Cisco in the eye - marginalize the network in the enforcement of security.
Now Gates starts talking about "health checks." They are talking about NAC (or what they call NAP). They spoke about NAP last year. What's new? Nothing, except that it's again a USER-centric model, which makes sense for Microsoft. But this requires Longhorn Server. Chalk it up for 2008, maybe.
Using their own environment as a case study to make the points is pretty effective.
Now he's talking about applying a default deny approach for information access. Don't let folks just get to anything once they connect to the network. Network Access Control (as opposed to pre-admission control), that's novel, eh? I wonder if that will show up as a default with Longhorn. That would be a lot of long term gain, but significant short term pain.
They are moving to talking about "protection." Which is basically information security. Hmm. Their architecture aligns pretty closely with the Pragmatic Security Architecture that I wrote about this time last year. Coincidence? Yep, pretty much.
Securing data at rest and motion. How? Rights management. Arghhh. The world is not ubiquitously Microsoft, so how does their flavor of rights management help me with that? Applications are also part of the equation. NSS (No Shit Sherlock). They "trust" the program and application? I don't buy it. Applications can be broken, trojans and rootkits installed at the hardware level to complicate things. I don't know that I trust it.
Now "identity," which is the biggest issue. Again Gates is railing on passwords. Didn't he do that last year? Did they make any progress in deploying smart cards (and certificates)? This is a broken record. Passwords are not dead. Not by a long shot.
Microsoft's directory is the key to their identity strategy. Managing certificates. This is a load of hogwash. Passwords aren't the problem. CardSpace is kind of interesting. Not enough to get me to upgrade to Vista right now, but I do look forward to kicking the tires on that.
They are announcing support of OpenID 2.0 within CardSpace. That's the only product announcement they are talking about. Again, I think this is a lost opportunity.
They are wrapping up with a discussion on interoperability. But it's not with other OS or other ecosystem players, it's about drivers that plug into the PCs. Actually it's not. Heterogeneous to them seems to mean Windows everywhere, but on different computers.
Big partner slide. Hundreds of little logos. Like someone wouldn't get involved in Microsoft's partner program.
This will be Bill's last appearance at RSA, since he's got a lot of money to give away. Passing the torch to Mundie. At least he combs his hair.
Report Card: Incite #12 - Battle of the Titans
This is it. The last Report Card. Overall, not bad for my first year back in the game. But not good either. So I'll be working to make my Incites even more "inciteful" next year. Keep on the lookout, as the new batch of Incite will arrive on January 10 and will kick off even more Days of Incite.
Incite #12 - Battle of the Titans
The big will continue to get bigger in 2006, as frenetic consolidation continues as product line breadth outweighs actual functionality. By the end of 2006, it becomes apparent that the real battle is between Cisco and Microsoft to control the architecture of networks and applications moving forward. As with other huge marketectures, users are caught in the crossfire, but 2007 will see enough additional functionality for those embracing homogeneity to see a wave of infrastructure upgrades. Vendors not strongly aligned with one of the two titans face irrelevance by 2009.
Grade: B
Incite Redux post: here
The big continued to get bigger in 2006, boy did they ever! Some of the super big technology players bought big security vendors (EMC/RSA, IBM/ISS) to remake the face of the security market. Even the biggest of the big security vendors (Symantec, McAfee, Check Point) were the subject of acquisition rumors throughout the year.
Just goes to show that “big is the new small” and will remain that way for a long time to come in our space.
But what about this Cisco/Microsoft battle I speak of in the Incite? If anything, the two technology super-powers are looking more for détente than World War III. What fun is that? Between NAC interoperability and lots of other joint initiatives, it seems that Ballmer and Chambers are singing kumbaya around the campfire.
Don’t believe it. Right now these announcements are all about maintaining thought leadership around security infrastructure until both of these vendors can deliver on their promises. Microsoft has much more to lose since they are still 18 months (optimistic case) from delivering on their next generation security architecture, which revolves around Vista and Longhorn.
Cisco is a bit closer, but they’ve still got a lot of work to do to upgrade customer networks, so all of those fancy new security capabilities will be useful. They also need another 12-18 months of upgrades and refreshes to bundle in a MARS box to drive a lot of the security intelligence that drives Cisco’s plan.
And what about everyone else? Well two of the busiest partner programs are Cisco’s and Microsoft’s, so even if it’s just to put the partner seal on their marketing collateral – pretty much every smaller company makes the pilgrimage and writes the checks to be involved in both partner programs. So everyone is aligned with everyone at this point, which means that it’s all a load of crap.
For those vendors that aren’t Cisco or Microsoft, the biggest business over the next two years will be helping customers position their networks with “tactical” technology to solve today’s problems (like visitor access and leak prevention), while providing a migration path to either Cisco’s and/or Microsoft’s architectures in a couple of years. It’s amazing, but once again we will see a lot of tactical products become strategic. Haven’t we seen this movie before?
Apple stays on message
So Apple ships some iPods with malware. As George Ou points out here, Apple then displays "arrogance and insincerity" in blaming Microsoft. George is absolutely right, Apple's display was disgusting and offensive to those of us that would like companies to accept responsibility when they screw something up.
But what George is missing is that what Apple did is good marketing. Dare I say it, maybe even great marketing. Huh? Did I say good/great marketing? With the blogosphere in an uproar? With everyone questioning the legitimacy of Apple's security posture? Absolutely, this is a classic example of why Apple is by far the best marketing organization in technology.
Why? Because their target market is not us. We'll buy their stuff anyway because we KNOW it's more secure. We can get pissed off and blow off steam and call them names. But what are you going to do, buy a new XP machine in protest? Not likely. Or maybe you are a Windows bigot (yes, they exist) - you aren't going to buy a Mac anyway - so they aren't talking to you either.
One of the first keys to good marketing is to stay on message. Apple certainly does that. It's all about the "Windows virus" and how Microsoft's OS should be more "hardy" and resistant to malware - like a Mac. Consumers eat this stuff up. And I suspect quite a few (who love their iPods) will certainly consider buying a Mac when their current machine blows up. If they had a Mac, they wouldn't have this problem.
Of course, it's ridiculous given that Apple created the problem. But the mass market is not comprised of the sharpest tools in the shed.
Another key to good marketing is to speak to your target customer. Apple's customers just want things to work (like their iPod) and because this virus only compromised Windows machines, it's another opportunity to poke Microsoft in the eye. Like they did in the original no virus ad here. See, they always stay on message and they never miss an opportunity to make the competition look bad.
So as much as I'm with George in being disgusted by Apple's actions, sometimes the best marketing makes you want to puke. And this is one of those times.
EAC Blog: The dichotomy of Microsoft's advance notification
The folks at TechTarget were kind enough to let me republish my posts at the Expert Answer Center here. This post first appeared on July 7. Link here.
On my Security Incite blog, I've made no bones about how sick I am of Patch Tuesday (here and here). Thankfully the preamble to July's festivities happens during a holiday week, so many of the beat reporters that need this stuff for content are MIA. That's a good thing in my book. But it got me thinking, why does Microsoft pre-announce what they are going to fix anyway?
I checked out Microsoft's web site and saw the following explanation:
As part of the monthly security bulletin release cycle, Microsoft provides advance notification to our customers on the number of new security updates being released, the products affected, the aggregate maximum severity and information about detection tools relevant to the update. This is intended to help our customers plan for the deployment of these security updates more effectively.
The cynical and devious bastard in me thinks Microsoft is opening holes by pointing out exposures that folks may not have known about. So now the bad guys have roughly six days to get an exploit out there and do some damage.
It's kind of like a bank saying, "We're fortifying the sub-basement under our vault next Tuesday." If you are a bank robber, you know your timetable and where the exposure is. Of course, there is still a lot of work to get in, but you've got a lot more information than you did before. You probably assumed the sub-basement was already fortified, no?
Alas, I also see the other point of view, which is that enterprises (both small and large) need to plan. If Microsoft drops a bomb on Tuesday with a very high profile patch that requires immediate attention, administrators get really pissed. They like to know exactly what is happening and why, even though many of them use automated patching products to "set it and forget it" once it's QA'd by the patch vendor.
The conclusion I come to is that Microsoft is dealing in numbers that mere mortals could only dream about. When they patch something it goes out in volumes of HUNDREDS of millions, not like 10 or 15 or even 1000. They've honed in on a patching process that is far from perfect, but works pretty good over a long period of time. To my knowledge, no one has taken a pre-announced patch and exploited it in the window of opportunity. So they have their bases covered.
There is also a halo effect with most customers about coming clean with issues. Everyone knows that every piece of software has vulnerabilities. Sure Microsoft's software has a lot (relatively more than others), but they acknowledge it and are moving to fix the systemic root causes of the problems.
One man's opinion is that Oracle and Apple should communicate a bit more about things they find. Apple just fixes things, but their software makes the updates relatively transparent and their lack of presence in the data center makes this a non-issue for most enterprises. Oracle, on the other hand, patches once a quarter and doesn't even get to everything. So it's hard to point to Microsoft as a security innovator, but they are eons ahead of the other folks relative to patching problems they created.
Dark Reading's Top 10 IT Security Myths Demystified - Part 1
As I mentioned in this morning's TDI, Dark Reading put a stake in the ground by defining the "Top 10 Myths of IT Security." The link to the entire article is here. Having no pride, I figure I may as well jump on their coattails, add my two cents, and initiate some good discussion about some topics that I'm sure will create some passionate discourse. So without further ado, let's jump right in:
Myth #1: Epidemic Data Losses (link here)
"Let's all take a breath together: There is no data loss epidemic."
So the Dark Reading guys start off with a bang, that's for sure. They make this statement and then go on to reference the CSI/FBI survey to validate that security risks are going down. WRONG! Let me say that again WRONG!
Attacks are more targeted, so we are seeing less of the massive outbreaks, but I posit that more attacks are successful. We just don't know about most of them. And let's debunk the debunking of this myth: THERE IS A DATA LOSS ISSUE. The fact that it isn't a major, catastrophic issue is just by pure luck.
Millions of customers have had enough information compromised to be potential victims of Identity Theft. Has it happened yet? I don't know. Lots of folks have an issue, but it's hard to point back to one lost laptop, so to speak. And the idea that we've been losing stuff for years and now it's an issue because the Feds make us report it is just asinine. Because the status quo is to screw up doesn't mean we can/should accept it.
So, I give their first myth-buster a C. They are wrong, but the impact has not been felt or correlated back to these data losses.
Myth #2: Anything but Microsoft (link here)
"Nothing is bulletproof these days."
This one is better. Clearly Microsoft is a much bigger target, but that doesn't mean you should just buy a Mac (or use Linux) and not worry about anything. You still have other devices (servers, etc.) and data that can be compromised. Yes, I use a Mac when traveling. I think it is safer and definitely easier to use. It also gives me street cred with the Gen X crowd. OK, not so much. But what it isn't is bulletproof. Everyone should think layers and ensure that your network security posture is strong.
This one is better. B+
I'll be back next week to address a couple more of the myth-busters.
Comment Watch: The role of vulnerability research
For a change, the Matasano guys are adding value to the discussion.
The mistake you're making with the Symantec report is believing that the work was driven by top-down strategy inside the company. It isn't.
I've known Oliver Friedrichs, the manager of what SYMC calls "Advanced Threat Research", since 1995. I worked directly alongside him at Secure Networks, where he co-founded the industry's first professional vulnerability research lab, along with Tim Newsham, Dave Sacerdote, and Ivan Arce.
Oliver Friedrichs is not f***ing [MSR edit] around. SYMC has the resources and the talent to build a top-calibre security research team. If there's any top-down decision-making at SYMC, I'm sure it's simply to go do that. "Oliver, kick Cisco and ISS's ass and seize the mindshare around research that Symantec has ceded over the past 6 years".
Once you get to that point, the Vista study is pretty obvious. You've got access to some of the best vulnerability research talent in the industry. What are you going to aim it at? I don't think the board, John Thompson, or even Oliver's immediate manager had to be involved in the decision to spend some resources poking the Vista TCP/IP stack.
I don't mind the accusation that you're leveling at Symantec. They're in business to win and they're not all nice people. But I don't think you make yourself look more credible when you cast Oliver's group in this light; people who know vuln research will scratch their heads at your assertion.
Thanks for noticing us, though! =)
Here is my response:
Thomas,
I hear your point and that's more good perspective. But I also don't think that Oliver was out there humping his work in the press this week. That would be uncharacteristic given what I know about "most" vulnerability researchers. It's plausible that Oliver has free rein over what gets researched, but I highly doubt he has much to say about what Symantec's PR machine decides to push.
If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game. Maybe he knows this, maybe he doesn't. Since I don't know him I can't say. But when his group finds something of interest (like they did this week), the Big Yellow PR machine will try to bend it to their own devices.
I'm not doubting that the research was genuine. But I'm very comfortable in my assessment of what their PR aims were.
And this is where it gets interesting. Clearly there is something here and now we need to figure it out. Thomas weighs in a final time:
You say, "If their objective is to regain lost ground on the research side, your friend Oliver is going to find himself a pawn in a very high profile game". I say, THAT's the interesting discussion to have about this.
Write something explaining the point you're making; I want to hear more about it. What's the "high profile game" around vulnerability research?
Your point about PR vs. research calendar is well taken. I can split the difference. Oliver's group owns their calendar, bottom-up. SYMC PR is probably top-down.
So let's dig a bit deeper here. What is the value of vulnerability research? Clearly in the early stages it was mostly for PR purposes. Folks like RipTech (which was subsequently bought by Symantec) had reams of data and they did some interesting analysis on it. Their real innovation was packaging it up in a report and starting the media frenzy about the increasing vulnerability landscape. They got very broad media coverage for the report and it really put RipTech on the map.
But now it seems that every vendor has its own version of the report. Every big one anyway. ISS and VRSN have gotten their research groups a lot of ink driven by these quarterly reports. So it's not really differentiating anymore, is it?
At the same time, you see security vendors being attacked and vulnerabilities in their code being disclosed pretty regularly. Some patch things and forget to tell folks (ahem, McAfee) and it seems every month or so you hear about Symantec and Cisco patching things as well. So now the cottage industry seems to be finding the holes in other folks' stuff.
This is both a PR strategy - pioneered very effectively by eEye (3rd party patching anyone) and new entrants like Mu Security that have boxes that are designed to find holes - as well as a competitive lever. Security is about credibility at the end of the day. If you have really smart guys that can find stuff broken in other people's software - then they must do a good job of protecting their own, no?
Well, not exactly. But close enough - especially to a customer that is looking at 3 products that are totally undifferentiated. I'm talking about pretty much every security market, by the way. Who do they pick? Maybe the one from the guys that seem the smartest. That's one plausible scenario anyway.
But, back to the topic. As Thomas speculates above, it's unlikely that anyone in Symantec specifically told their vulnerability research team to go find something broken in Vista. It could have happened, but I agree with Thomas - it's more likely bottoms-up. But once they found that data, I believe the Big Yellow PR team smelled a big opportunity to poke Microsoft in the eye. And they took it. And many of us bit. At least I can say I questioned their motives, as opposed to questioning their findings. Again, kudos to Dave G for doing the derivative analysis.
So what? Basically, I figure we are going to see vulnerability researchers let loose on competitors' security software. The Symantec-Microsoft deal may have been bottoms-up, but in a market this competitive, with folks looking for literally ANY advantage - it's just a matter of time before this becomes a big part of competitive analysis moving forward. And the PR teams will be orchestrating, on one hand working to seem on the up and up - just doing a service to the community - don't cha know. But on the other hand trying to stick it to the competition when they can. That's a high wire act for sure.
But it puts the researcher in the precarious position of trying to do the right thing, but more often than not becoming the finger poking some competitor. As I mentioned in my response, some will be cool with that and others...not so much. Interesting times to be a vulnerability researcher, that's for sure.
Hey Ogren - I'll take a Heineken Light!
So it looks like Eric Ogren wants to dance a bit, which is fine. If old friends can't give each other a hard time, who can?
In his response to my poke in Tuesday's Daily Incite (http://esgblogs.typepad.com/erics_blog/2006/06/microsoft_foref.html), Eric mentions chapter and verse about how Microsoft typically takes enterprise class products down market (SQL*Server, Exchange, Dynamics), but doesn't go into saturated markets without something new and different.
As Jim Cramer would say, "WRONG!"
EO, remember little products called cc*Mail or QMail? Everyone thinks that Exchange really killed Notes, but that isn't the case. It really killed things like cc*Mail and QMail that pretty much went away. I followed the email market in the mid-90's and Exchange just chewed up these first generation mail servers. Notes grew in lock-step with Exchange for many years, until it got lost in the morass of IBM.
What about Microsoft Money? I seem to recall a product called Quicken that pretty much owned the retail channel and Money added absolutely nothing novel in that business. But Microsoft pressed forward anyway because they wanted a piece of the market. Same deal for Small Business Accounting, that is still trounced in every way by QuickBooks.
Dynamics is another example of this you say? Not even close. Dynamics began life as a product called Great Plains, so Microsoft didn't bring ERP to the mid-market. They just acquired the leading player after the market was well established.
But the real kicker here is to look back to the biggest Daddy of them all, Microsoft Office. The only innovation that Microsoft brought to office productivity was to bundle it all together and cut the price dramatically. WordPerfect and Lotus 1-2-3 were much better products. But they weren't bundled and they held onto a premium price point for WAY TOO LONG. You're a Boston guy, you should remember the rise and fall of Lotus.
So in all seriousness Eric, Microsoft's new security offerings (ForeFront and OneCare) are much closer analogies to Office, than to SQL*Server. Microsoft has once again innovated on the packaging and dropped the pricing, and THAT is the "big" idea. And to see Symantec and McAfee fall into line so soon with their own service-based bundles and corrected pricing means maybe they have paid closer attention to what happened to WordPerfect and Lotus than you have.
Make that a Heineken Light buddy! And if we can get Symantec to pay for it before they become WordPerfect 2.0, all the better.
Predatory Pricing Paranoia
To be clear, I am no Microsoft lover. With the exception of Office, I run away from Microsoft software as a matter of course. I'd throw out my desktop PC if I hadn't bought it a year ago. They've boned security since they started trying to be a player. But Microsoft is in every technology market, so I'm perplexed that smart, experienced folks like Alex would expect Microsoft to not try to be a player in security. He also ends the piece by intimating Microsoft owning the security market could be a threat to national security. I think he's been watching a bit too much "24" lately. Give me a friggin' break.
Alex believes that pricing will make Microsoft the security leader and that they are going to "kill their competition" by pricing lower than the other guys. I don't buy it. Customers (even small customers) do not buy crappy security products. If the product doesn't work, then the market will not buy. It's as simple as that. So if Microsoft doesn't have a product as good (or better) as the other guys, I contend that customers will not migrate. In this space, Symantec is the incumbent and you need to knock the incumbent on its ass to displace a customer.
I also want to point out that Symantec and McAfee's current pricing levels are a result of them systematically raising prices over the past 5 years. To my knowledge, AV is the only technology market where prices have consistently gone UP over time. The Big Yellow and McAfee have had customers over a barrel for the past 5 years, and now Alex is shedding a tear because someone that could possibly compete and do the right thing for customers (which is to add functionality for a lower price) is going to hurt McAfee and Symantec. Sorry, but I'll keep the Kleenex in my pocket.
Innovation drives technology markets and candidly, neither Symantec nor McAfee has done much innovating in the AV suite for a long time. They added anti-spyware because they had to, Webroot (and even SunBelt) was poking them in the eye. McAfee adding SiteAdvisor was the first innovative thing I've seen in years out of these folks. As I mentioned quite a while ago (read the Genesis post here), shame on Symantec for letting Microsoft redefine the desktop security market as a service including backup. Symantec should have done this long ago. But they were too busy milking their cash cow.
Don't feel bad for these guys. Seriously. Darwin is alive and well, and if you don't innovate - you go away. Yes it's brutal, but it's the reality of commodity markets. And prices go down in commodity technology markets, whether Alex likes that answer or not.
Finally, Alex finishes with no suggestions for how to derail Microsoft's march on the security market. This is a cop out. I'll point to an example in the retail space. Smaller, local retailers that couldn't compete got slaughtered when Wal-Mart came to town. Others tried to stop progress through legislation (not allowing Wal-Mart to build). That is a short term solution and doesn't fix the root cause of the problem - a distinct lack of innovation and inability to add value. Retailers that either had better service or a unique value proposition welcomed Wal-Mart because it made their uniqueness that much more apparent.
I have a suggestion for everyone out there. Take the lead of folks like Intuit, Oracle and now Google, who have beaten Microsoft back as a matter of course for years and years. Get off your ass and solve some customer problems, as opposed to crying about big bad Microsoft coming to your town.
Deal: Ahab strikes back - Microsoft buys Whale
In a deal announced yesterday, Microsoft acquired Whale Communications for an undisclosed sum. Whale gives Microsoft a legitimate SSL VPN option as they continue their march to become more of a player in security. Whale was a second tier (at best) SSL VPN player, but they did have the presence of mind to buddy up to Microsoft last year and provide an integrated SSL VPN and ISA server combo that provides a one-box solution for the mid-market.
So why does Microsoft do a deal like this? Increasingly Microsoft is realizing they need to have stand-alone security technology for two reasons. First, security remains hot and Cisco is enamored with security. Obviously Microsoft can't cede the high ground to Cisco on anything. Second, by having stand-alone products they stay out of the cross-hairs of the anti-trust folks - who continue to scrutinize Microsoft.
Is Microsoft a risk to the SSL VPN players like Cisco, Juniper/Neoteris, Aventail, Citrix and F5? Not yet, but the SSL VPN functionality wars are plateauing and the next battlefront is integrating the SSL VPN with emerging NAC infrastructures. Joining Cisco and Juniper in being able to deliver both perimeter and internal network access control, there is no question Microsoft wants a seat at the table.
Will enterprise customers take Microsoft seriously? A resounding no. First, Microsoft gains its true leverage when everything is Windows-centric. How many larger enterprises have no Linux or Oracle? Not too many, and Microsoft doesn't do multi-platform too well. Although Microsoft clearly has improved from a patching and security thinking standpoint - they are nowhere near their "trustworthy computing" vision. If enterprises are going to bet the ranch on a strategic security vendor - it ain't Microsoft.
But what about the mid-market? A totally different story. The mid-market needs integrated solutions. They don't have time to integrate disparate technology. The ability to procure a bundled solution that provides pretty much all the perimeter security they need (especially if they route email through Microsoft's FrontBridge service) is very compelling.
I like the deal, and I'm sure Microsoft didn't pay a lot. Once they ramp up their increasingly security-aware channel, Microsoft is going to have an impact at the low end. Citrix is most exposed, since their mid-market customer base overlaps the most with Microsoft.
Vista's impact on security markets - You don't care
We all know that nothing happens overnight in this business. Vista will be out at some point (you don't care about that either) and it will have some embedded security capabilities that will overlap with some commercial products. So what? Are you going to shut off all the ZoneAlarm, Webroot, and Safeboot stuff you've been buying? Of course not, you are at risk TODAY and Vista is not going to be there for another 300-450 tomorrows (depending on your threshold for pain). So you better keep on keeping on. That's the only choice you have.
Let's look at the situation from a historical perspective because we've seen this movie before. Windows XP SP2 was supposed to kill the personal firewall market. I actually thought the timing was interesting that Check Point had acquired Zone Labs about 2 weeks before Microsoft announced they were bundling the XP firewall for free. Did that kill the personal FW market? A resounding NO.
Actually some of the personal firewall vendors got a bit enterprising (like Sygate) and started morphing their "endpoint" security capabilities into a piece of a larger Network Access Control environment. Senforce is moving towards this vision as well, integrating StillSecure's NAC technology in. Microsoft did that too, right? Isn't that what NAP is about? Well, if you get in your time machine and step out in 2008 when Longhorn is there too, then the answer would be yes. But not today.
We'll see similar evolution in spyware and full disk encryption. Microsoft will offer a lowest common denominator and existing vendors better have a very clean, very crisp value proposition on top of that. If they don't, then these 3rd party vendors deserve to get steamrolled by the Vista juggernaut.
I also take issue with some of Yankee's comments about when to deploy Vista. They seem to think that because the user experience is different and the additional security may cause some users to get grumpy, it's OK to wait until 2008 to upgrade. My opinion is that it's OK to wait until 2008, but do it because you aren't refreshing your PCs until then or you've got other priorities, NOT because you don't want to impact the user experience. That's a stupid reason to do nothing.
Windows XP SP2 is not secure enough. We are reminded of this every day. If you are committed to Windows (like 80% of the world), then you'll want to upgrade to Vista when practical. As a security administrator, you have a choice - spend some time training your users about Vista's user account protection or continue cleaning up the mess of Windows XP.
So I applaud the Yankee Group's PR savvy, since I saw a lot of pick-up for this story today, but feel compelled to remind folks that Vista is still practically a year away and you've got a lot of work to do between now and then.


