In spite of all its rhetoric and impressive-sounding initiatives, Microsoft doesn't really seem to get what enterprise security is all about. When I step back and look at Redmond's response to security concerns, I too often see that Microsoft seems to view security exposures more as a marketing tool than as a product defect.
Microsoft's much-ballyhooed Trustworthy Computing initiative and Palladium both fall into the security-by-marketing category. Neither initiative addresses the pressing needs of current customers. To receive the vital security benefits that these schemes promise, you must abandon products you've already invested in and come up with more money to spend on the next big thing down the road.
This security-by-marketing mindset doesn't sit well with customers, but Microsoft appears to be blind to the problem. Microsoft's all-too-common response to a defect in a product is, "We know about that, and we're fixing it in \[fill in the follow-on product's name\]." But as the ship date approaches and the new product inevitably falls behind schedule, many of the promised features drop off like leaves from trees in autumn.
Band-Aids Are Not Enough
As evidenced by the ongoing flood of hotfixes and security patches, Microsoft takes a Band-Aid approach to its security strategy for current customers. Although the company responds to known security exposures, its patch-and-fix solution results in a maintenance nightmare for systems administrators and adds to Sun Microsystems and other enterprise competitors' skepticism about Microsoft security. Patch management has become one of the toughest jobs of Windows systems administrators. Just to keep their heads above water, administrators who deal with the onslaught of security fixes for Windows and components such as Microsoft Outlook and Microsoft Internet Explorer (IE) must find time for daily maintenance and invest in third-party management and deployment tools.
To its credit, Microsoft took a step in the right direction in early 2002 by briefly stopping new development to concentrate on internal security training and code review. Unfortunately, the company cut short this effort. Instead of culminating in a set of comprehensive security fixes for all major enterprise products, the moratorium surrendered its aspirations to Trustworthy Computing and Palladium. From the customer's standpoint, this turn of events is another example of Microsoft saying that fixing current products isn't a worthwhile endeavor and that selling fixes as part of a future product is easier and more profitable. That attitude doesn't constitute trustworthy computing.
What Really Constitutes Trustworthy Computing
If Microsoft wants to enjoy the same respect in the enterprise arena that enterprise-centric competitors such as Sun, IBM, and Oracle do, Redmond must get serious about security. Having spent 9 years in a large IBM mainframe and midrange shop, I can attest that marketing important security fixes as a part of the next release is a foreign mindset to IBM. We expected better, and we got better.
If Microsoft wants to succeed in this market, it needs to stop trying to sell security as a feature of an upcoming product and instead take responsibility to fix its current products. Microsoft needs to do a real security analysis and update all its current enterprise product lines—even if doing so requires time, money, or a product redesign. Then, Microsoft needs to make the fixes freely available to current customers—not just to the customers of a future release.
Imagine being able to count on Microsoft to make good on its promises for the products that you've already purchased. Now, that's trustworthy computing!