Microsoft Trying To Change Its Security Identity

Microsoft is trying to earn respect as a security applications vendor, a difficult proposition for a company best known among IT administrators and security experts as the company that gets around to patching vulnerabilities in its software on the second Tuesday of every month.

Microsoft is making several security-related product announcements ahead of the RSA security conference opening next week. The annual conference held by RSA -- now the security division of storage and enterprise applications vendor EMC -- has been a venue for security vendors of all stripes to show off their wares and display their grasp of emerging security threats. But in recent years, a growing number of enterprise software and hardware vendors have begun developing their own security products in response to growing threats from viruses and other destructive software.

Among vendors trying their hand at security is Microsoft, although by no means is this its first hoe-down. But Microsoft's past efforts have been spotty and disorganized. I discovered this first-hand during a visit to Redmond in 2007, when I learned that the Windows Vista group hadn't integrated any technology developed by Microsoft's Forefront security group. Last summer, Microsoft finally addressed this internal chaos, uniting its security product efforts under the umbrella of the Identity and Security Business Group.

JG Chirapurath, director of the identity and security business group, said the first order of business has been to create a commonly-used protocol to ensure that products on the edge of a corporate network, such as Brocade switches, can share security threat information with products deeper inside the network, like Microsoft's Exchange email server. Chirapurath said Microsoft has formed a consortium of vendors, including security vendors RSA, Kaspersky Labs and Guardium, and networking vendors Brocade and Juniper, to promote the use of this interface. Chirapurath told me that the protocol, which was developed by Microsoft, is open to all vendors, including those, like Cisco and IBM, which are conspicuously absent from Microsoft's consortium.

Microsoft is also using identity-management technology to manage how users access parts of the enterprise network. Chirapurath argued that identity management is the only way to ensure security while allowing users unfettered access to the network, as well as to applications and data served through the Internet (aka the cloud). "Security has to be tied to access privileges that are already in place. Unless you solve the identity management issue, cloud services are not fully safe," he told me.

One alternative to identity management is known as "default-deny," which, as its name implies, configures networks to refuse access to any unrecognized software. Melih Abdulhayoglu, CEO of security vendor Comodo, told me this approach safeguarded all his firm's customers from the recently notorious Conficker virus. Abdulhayoglu said traditional anti-virus software vendors rely on sending alerts to customers once they've identified a new threat, by which time many systems have already been infected.

However, Chirapurath argues that "default deny" isn't acceptable to customers because "it gets in the way of business" by blocking legitimate applications needed by end users. In response, Abdulhayoglu told me Comodo maintains a "huge white-listing database" that allows most applications to get past the gatekeeper.

This is the kind of religious argument you hear in break-out sessions at conferences like RSA. Large vendors like Microsoft usually don't deign to participate in such public give-and-take, but it's precisely those types of discussions, in exactly this kind of forum, in which Microsoft needs to take part if it wants to be taken seriously by the security community.
