Microsofts Fathi Responds to Vista Security Concerns

Q&A: The company's top security guru responds to complaints from EU regulators and several longtime ISV partners, including anti-virus market leaders Symantec and McAfee, over Microsoft's push into the security space.

As concerns mount over Microsofts move into the hotly contested security sector, Ben Fathi, corporate vice president of the companys Security Technology Unit, in Redmond, Wash., finds himself caught in the middle of the debate over his companys broader intentions.

At the center of the growing controversy are two technological innovations being included by Microsoft in its next-generation Vista operating system that security vendors and longtime Microsoft partners Symantec and McAfee maintain will make their own software products less effective. At the same time, antitrust regulators in the European Union have said they will watch the entire situation very closely to ensure that Microsoft is not abusing its monopoly status in the operating system market to grab a significant share of the security sector.

In an effort to clarify the companys goals in adding the controversial PatchGuard and Windows Security Center features to Vista, eWEEK Senior Writer Matt Hines interviewed Fathi to see how the software giants leading security guru is working to defuse such concerns.

There appears to be growing concern over Microsofts work to build more security features into Vista, compared with previous generations of Windows. How would you respond to some of the criticisms being leveled at Microsoft by longtime partners such as Symantec and McAfee, and by regulators in the EU?

First of all, I believe strongly that people should be listening to all of Microsofts partners, large and small, because I think were hearing a lot of comments that are only coming from one or two vendors. Some other reports weve seen have talked to smaller ISVs, even in Europe, such as Sophos, and detailed how weve been working with them over the last couple of years, and given them unprecedented access to our products.

I think its very important not to just look at the top couple vendors and balance their beliefs with customers needs for security; people need to look at all the other ISVs that work on Windows, many of whom are very pleased with the access weve provided. Look at the fact that Trend Micro has a Vista anti-virus release ready while the product is still [being beta tested]; for them to have the ability to do that before the final product even launches shows how weve given unprecedented technical assistance and access to our partners.

So, clearly you would dispute the notion on the part of some vendors that a technology like PatchGuard, which denies security software makers the same level of kernel access theyve enjoyed in the past, is truly limiting innovation or the efficacy of their future products, while giving a boost to Microsofts internal security efforts?

If you look at forums such as the MSRA (Microsoft Security Response Alliance), or our work with the SecureIT Alliance—we have over 150 partners in each of those programs, which provide equal access to our development teams for all developers—you get an idea of how weve been working with ISVs.

/zimages/1/28571.gifFor advice on how to secure your network and applications, as well as the latest security news, visit Ziff Davis Internets Security IT Hub.

Internally, our Windows Live OneCare security teams dont work any more closely [with] the Windows team than any other ISV teams. We have had representatives from every major Windows ISV in our buildings and they have same access that our own developers have to security experts on our team.

Right now were working with partners to get solutions to market in the next several weeks that will provide anti-virus protection for Vista supported on the current Release Client 1 version of the software.

Through all that work, it sounds like you feel that Microsoft has actually gone above and beyond the needs of its security developer partners in getting ready for Vista.

Yes, and its not just about security. We have companies including CA, Citrix and Qwest Software all working closely with us, and dozens of other partners. Some security vendors have said they didnt have the APIs they need to build their products, and thats simply not the case.

In fact, we set an e-mail out to all the members of the SecureIT Alliance in mid-September based on the feedback wed been getting from customers and partners, including those companies currently doing the complaining, to help meet their requests. Some of our partners told us that they wanted a programmatic way to disable the Windows Defender security application, and we added that in the RC1 release of Vista. We feel that weve been very responsive to their needs.

/zimages/1/28571.gifClick here to read more about antitrust concerns over Microsofts Vista security moves.

Based on all those efforts, does it surprise you that were now hearing these complaints that seem to accuse Microsoft of unfairly restricting access to Vista, and the kernel specifically?

Actually, its not a surprise. We have been talking to these companies about these issues for close to two years. The [thing that is] not coming across from their end is that features such as Windows Security Center and PatchGuard are not new in Vista. PatchGuard has already been shipping for two years on the 64-bit version of Windows XP and Windows 2000 Version 3.

Id really like people to think about the motives of these companies that are only now making a big fuss over something thats already being shipped to customers. We put these features in the products because customers asked us to secure the platform. Weve been working very hard to improve the security of all our products, and to provide a baseline of security within the platform, and making it an open platform for all companies to develop their products on.

So what is these companies motive when they say that were blocking them from competing with our technology? I fundamentally believe that we cannot do this work all alone, but we can build all the security technologies for the OS. These guys need to improve their products and solutions and we need to work with them to do that. Theyre asking us to ship a less secure operating system to keep the patients sick so they can keep serving up the medicine; but instead of doing that they need to innovate just like we have.

What about the general public? What are you hearing from users about all of this?

Were hearing a lot of good things. If you look at the [online message boards], whether people are generally pro-Microsoft or anti-Microsoft, their comments about Microsofts work to improve security in its products are very positive. These users are applauding us and truly want us to improve security in Windows. And thats what weve done.

Weve provided a safety net to ensure that our customers have adequate security, even if they dont choose to install third-party solutions; but we also recognize there are plenty of users who do want to use those tools and were supporting that as well.

Do you think its unfair that people are already speaking in terms of antitrust efforts based on the security work being done in Vista? Does Microsofts status in the operating system market put it in a impossible position in terms of moving further into new markets like security?

Its a hard position that weve been put in, but if you look at our prior efforts, we always have to choose the customer first. We must provide a baseline of security to the customer first, but that still leaves plenty of space for security partners to innovate.

What we havent heard is how those companies that are complaining will do that themselves, and raise bar to improve their own products. Basically they are saying they have had this market and their products, and that they want all that to stay the same. Im sorry, but the world has moved on and we now have a more secure platform; thats the way the computing world works.

/zimages/1/28571.gifCheck out eWEEK.coms for Microsoft and Windows news, views and analysis.