Vista security - Microsoft's created a Hummer
If Microsoft was a car manufacturer, a few years ago it would have been hit with a whole bunch of complaints about how its vehicles failed to meet safety requirements, particularly with the trend towards off-road driving. It’s not our fault, they said, our cars were never designed to be off-road and besides, have you seen how badly you drive? The debate has raged, the company has been castigated and, as a result, has stepped up to the plate with admirable resolve, with the result that (in the shape of Windows Vista) the company does appear to have addressed the central issue: to produce a car that can be driven within acceptable bounds of safety. Or, in other words, to produce an operating system that can withstand the pressures of being network-connected.
I’m saying this to work through why, when attending a recent event concerning the new security features of Vista, I felt strangely, even guiltily nonplussed. Guilty because, after all, Microsoft has put a great deal of effort into hardening Windows Vista, pitching its l’il (ahem) operating system against an increasingly diverse set of threats and doing its very best to address the perceived security issues and poor reputation that kicked off its whole “trustworthy computing” initiative a few years ago. Hurrah... but what do we have as a result? Does it mean that companies, or their data and applications, will actually be more secure? I don’t believe so. Windows Vista may not be perfect, but it should probably be judged as adequate – essentially Microsoft will be able to confirm they have done their bit. Indeed, perhaps Microsoft has done more than enough – in attempting to silence its critics, Microsoft may well have created a Hummer. Whatever it has done, it is now time for Microsoft to move on.
I’m not sure the next “place” for Microsoft is about focusing on a risk management approach to security (though this is important), nor should it be about treating security as a business enabler (though this is to be hoped). Instead I think Microsoft’s focus should be on using its security capabilities as a security enabler – rather than putting all of its energies into emphasising the security proof points around the Vista platform, Microsoft should emphasise and strengthen the tools it has for reviewing the wider security measures in place in customer IT environments, and then reporting on what’s there and what can be done to improve things. Security of IT has similar properties to water finding a way through rock – all vendors need to assure the security of their own products, but security issues have a habit of worming their way through the cracks.
Of course, Microsoft cannot do this on its own. This suggests an opportunity for the company to partner with other strategic vendors (Cisco and SAP, for example) that also have a vested interest in raising the security bar for their customers, and to offer its wares as part of a security ecosystem. Not only would this serve to move the focus away from Windows and toward the infrastructure as a whole (a good thing for Microsoft’s image perhaps, but more importantly for companies that actually want to deploy secure environments), but also it would then enable more attention to be paid to the operational processes around security.
When Microsoft first announced trustworthy computing, it was accused (by me, among many others) of being both hypocritical and patronising as it took an evangelical, “we know best” approach, and of course its own chequered past undermined its fragile credibility. Equally, it was, and still is, not possible for Microsoft to cover security in its entirety – it is bounded by its own technologies, skills and areas of coverage. A combination of good review tools and appropriate partnerships, coupled with the prescriptive best practice that was supported by both, would give Microsoft the wherewithal to achieve what this was all supposed to be about in the first place – to help companies reduce the risks caused by the use of IT.
Adopting a review-based, partner-led approach would enable Microsoft to evangelise good practice without being patronising, an approach that can be further helped when rolled out to its wider partner base of solution vendors and systems integrators. Rather than “we know what’s best,” Microsoft could then offer review tools from the perspective of “helping you to decide what is best”; if such tools were provided as part of Vista it might also offer the company another way to approach the “why Vista” question, offering the new operating system as a part of a general evolution towards better practices with tools to support them.
As a conclusion, then – from a security perspective, Microsoft products in isolation make little difference other than giving the company the ability to say, "I'm alright, Jack." Microsoft working with partners to deliver an improved infrastructure, with Vista as a catalyst, now that is starting to be interesting. Vista may be roadworthy, or even off-roadworthy, but now Microsoft needs to ensure that the corners are banked and fundamentally, that the drivers know how to drive.