BOSTON—Microsoft’s transformation from pariah to trendsetter in the information security sector is slowly beginning to sink in, but users are mixed about hopping on the bandwagon.
At the TechEd 2006 conference here, the software maker worked overtime to convince the world that security is really its No. 1 priority.
So far, with a few rare exceptions, customers and developers are buying it, but it remains to be seen if Microsoft can win the security game.
In the meantime, Microsoft is working diligently to be seen as a security player. On the TechEd show floor, Vista’s security goodies were front and center with booths showcasing UAC (User Account Controls), a key operating system tweak aimed at countering the malware epidemic; BitLocker, a hard drive encryption tool; and new technologies for network access protection and smart card deployments.
Microsoft also introduced Ben Fathi as its new security czar and expanded its evangelism of the SDL (Security Development Lifecycle), a collection of high-level security principles and procedures covering every stage of software creation.
And the software giant is even making friends with the hacker community. It announced it would showcase Vista at the annual Black Hat hacker conference.
Toss in internal Blue Hat hacker meetings and a wide range of top-level changes to its incident response mechanism and Microsoft is boasting about its Trustworthy Computing initiative.
Customers have noticed. “I’m very impressed with everything I’ve seen and heard, and I’m convinced it’s not just lip service,” said Colin Johnson, a microcomputer network administrator at Northeastern University.
“I’m now convinced they’re the best game in town when it comes to being upfront and straightforward about how they are dealing with security.”
While Johnson, who manages the university’s Computer & Information Science College network in Boston, said he acknowledges Microsoft’s strides, he said he has concerns that security will always be a lose-lose scenario for the world’s largest software maker.
“They’re fighting against a moving target, and all the while, they are becoming a bigger sitting target [for attackers]. Just like XP SP2 made things more secure, Vista will make things more secure. But that doesn’t mean people won’t be throwing stones,” Johnson said.
“Two years from now, we could well be back at TechEd hearing the same message that Microsoft is prioritizing around security. That’s just the way the industry works these days,” Johnson added.
Johnson wasn’t alone with his qualified praise.
Most attendees interviewed by eWEEK acknowledged Microsoft’s progress to beef up Windows security since the release of Windows XP SP 2 (Service Pack 2).
“At first, I thought they were just working on their image, but XP SP2 turned out to be a big deal. Yes, there’s still a malware problem, but compared to 2003, we’re in a better place,” said Steve Scerpa, an AJAX developer for a small Minnesota-based IT shop.
Scerpa, who spent at least two hours at the TechEd hands-on labs examining Vista’s security upgrades, says UAC will significantly move the goalposts in the fight against virus, spyware and rootkit infections.
“When the concept of a standard user becomes universal, it will blunt the attacks we’re seeing today. Yes, the attackers will eventually shift course, but for what’s out there today, UAC is a game-changer,” he added.
Microsoft’s security: Too hard?
Another unresolved issue is how Microsoft’s new security efforts will impact day-to-day work, said Roy Zamora, a software engineer with New York-based digital image specialists WireImage.
Zamora said he’s been “very impressed” with Microsoft’s work in Vista and SharePoint server.
“It should be very interesting to see what they can do with Web 2.0, Atlas and AJAX,” Zamora said.
“I think there’s a real technology evolution going on with SDL, and we’re doing the same things with our own products.”
However, Zamora said he remains somewhat “skeptical” about features like UAC and how that change might affect his ability to get work done.
He expects there will be an extended period of time needed to familiarize workers with the additions.
Phil Nash, an applications analyst with Federal Home Loan Bank of Boston, said his company is only now upgrading to Windows XP-based because of some of the security concerns around Microsoft’s products.
He remains unconvinced that Microsoft will truly be able to improve the security of its products or deliver on its promise of providing malware-fighting technology on par with products made by third-party applications makers.
Based on the early feedback, Nash said he believes that users will be forced to disable some of the new security features in Vista, when possible, in order to continue to work in the ways to which they are already accustomed.
“Microsoft is making things more secure, but there will always be back doors left open, and people will find a way around the security features as they always do,” said Nash.
“They claim that they will have better malware fighting tools than what is out there today, but all they have done is buy some other technologies and integrate them; we’ll still need third-party applications to fill the gaps.”
Other show attendees said they agreed that Microsoft has improved its overall security via SDL and with Vista, but said they remain unsure as to whether they completely trust the software maker to protect their IT operations.
“I hope they do as good of a job as they have promised, and we will probably use all the tools if they work, but you still wonder if they can do as good a job at protecting Windows as outsiders have done in attacking it,” said Jan Videran, a network administrator with the Swedish Institute of Computer Science, based in Kista, Sweden. “I think we will still always look for third-party applications as well.”
A developer for chip giant Intel, who requested anonymity, said that one of the advantages Microsoft may have over its rivals in responding to evolving security threats will be its massive channel of partners who can help distribute updates to customers and aid those companies in solving problems.
“Even compared to some of the larger security vendors, Microsoft’s channel is extremely broad and experienced,” he said.
“At the end of the day it’s those partners who will interact directly with the customers; if Microsoft can do a good job to that end, I think they can compete with the established security players.”
Microsoft’s efforts to bring hackers to its side are also questionable, said customers.
Aneel Gupta, a software engineer visiting from India, said he likes the idea of embracing security researchers in the hacking community to help make the industry more secure.
But, he said he worries that Microsoft is expending too much energy on making friends in a community of “distrustful people.”
“Even after all this Blue Hat and Black Hat participation, the [security] mailing lists are full of exploits and irresponsible disclosure. Sometimes, I wonder if the hacking community can be true partners,” he said.