Insecurity Marks Security Forum

Opinion: Frets emerge at RSA over Microsoft's growing presence in the security realm.

There was a palpable sense of anxiety among attendees and exhibitors at the RSA Conference earlier this month, and not just because the show was in the fun-free zone that is San Jose, Calif., instead of San Francisco this year.

The real source of the concerns was Microsoft, a company that has worried security experts for years, but usually because of the vulnerabilities in its software.

Now, the fretting centers on all the moves that Microsoft is making to build security into Windows and its other products.

Critics have been pushing the company to do that for years, but there is a very real sentiment in the industry that Microsoft may eventually push more than a few security vendors out of the market.

The theory holds that once Microsoft integrates protections such as anti-spyware, anti-virus, identity management and others into Windows Vista, those technologies will quickly become commodities.

And that translates into a quick and painful death for companies trying to make a business out of selling said commodities.

This then leads to fewer choices for users, which is bad for everyone. Except Microsoft. Or so the theory goes.

Could this happen? Sure. But it seems unlikely, for a number of reasons.

The most obvious problem with this thinking is that the security features that Microsoft is putting into Vista will be great for consumers, but they won't be nearly strong enough to displace existing solutions in the enterprise.

Most IT managers aren't going to suddenly rip out their Norton or McAfee anti-virus software just because Windows has an integrated anti-virus program.

And even if Microsoft does make some headway with getting its anti-virus capabilities on the desktop, enterprises are always going to have to run gateway scanners, too.

The same goes for the anti-spyware capabilities in Vista. Nice for consumers, not enough for enterprises.

The one area where Microsoft will likely have a large advantage with the integrated security in Vista and "Longhorn" is the NAP (Network Access Protection) technology.

There are several companies—including McAfee and Cisco Systems—already in the market with NAP-like offerings. But none of those offerings has gotten very much attention in the enterprise yet, so Microsoft will not be very far behind when Vista hits the shelves next year.

I heard a lot of brave talk from NAC (Network Admission Control), anti-spyware and anti-virus vendors at RSA about how Microsoft getting into these markets validates them and just makes potential customers more aware of other solutions.

This has always been a specious argument, and that's especially true when we're talking about Microsoft, a company that has the money, people and resourcefulness to do pretty much anything Bill Gates wants it to do.

Go ask the folks at Netscape how validated they felt by their experience competing against Microsoft.

The other main problem with the Microsoft-will-eat-the-security-industry theory is that some of these technologies are already commodities, or close to it, and there are still a lot of companies making money selling them.

There are a number of perfectly usable and efficient anti-spyware and anti-virus tools that can be had for free, but Symantec, McAfee and Trend Micro still sell millions of copies of their anti-virus products every year.

So while it's doubtful that the dawn of Vista will also be the death knell for a large number of security vendors, the reality is that it will likely make things tough on many of them.

Microsoft has a long history of not getting things right until the third or fourth version of a new product. But once it does get it right, it usually finds a way to make a lot of money.

News Editor Dennis Fisher can be reached at