It's hard to imagine that cars used to come without safety belts. Over the past 40 years, consumers and the automobile industry have defined and refined safety requirements, and some safety features are now mandated as standard equipment, whereas others are available as optional add-ons. Like consumers in the 1960s, when Ralph Nader began his campaign for automobile safety, the IT industry is trying to sort out what security technology Microsoft is obliged to supply as standard equipment for its OSs and applications and what security technologies customers should be able to purchase from either the manufacturer or after-market suppliers. To me, it makes sense to consider some protections (e.g., locking down the kernel) as "standard equipment," but what are the optional add-ons?
Recently, Senior Product Managers Josue Fontanez and Peter Eicher briefed me on Forefront Client Security and Forefront Security for Exchange Server, Microsoft's anti-malware solutions. The Forefront Client product addresses "emerging threats," including spyware, rootkits, viruses, worms, and Trojan horses. The Exchange product combats viruses, worms, and spam and lets you choose as many as five of the scan engines that are available with the product.
I was considering how these products would fit into my idea of standard equipment vs. options when Josue mentioned the term "securability." Thinking of security as an "ability" made security seem to be a fundamental OS expectation (i.e., standard equipment) like reliability or scalability. But Josue said, "The threat landscape is changing constantly. By providing an additional layer of security on Vista, Exchange, and SharePoint, Forefront will protect deployed infrastructure against the latest threats." Apparently, because anti-malware addresses ever-evolving external threats, malware protection seems to be an optional add-on—albeit one that everybody needs. (Of course, there would also be legal implications associated with Microsoft's making such technology "standard equipment," but I won't go into that question here.)
Security and Everyday Operations
So, something that seemingly distinguishes Microsoft's security options from standard equipment is that the optional products are related to day-to-day security maintenance. Josue said, "We want security to become much more of an operational aspect of a customer's IT infrastructure, rather than a reactive aspect." In line with this aspiration, Forefront has three goals: comprehensive protection, integration, and simplification.
Comprehensive protection. Malware requires a solution that extends "from your network edge to the server applications in your environment, and at the client." Josue emphasized, "A key portion of our protection is backing our product up with a leading security-response organization."
Integration. "Most customers already have update and policy infrastructure," Josue pointed out. "Because we don't want to replicate infrastructure our customers already have, Forefront integrates with AD, the System Center suite, WSUS, SMS, MOM, and SQL Server."
Simplification. "Many security solutions provide a lot of customizations," Josue allowed, "but they make configuration hard and most people are not security experts. We don't want to sacrifice simplicity for a ton of different protection capabilities."
I don't think our industry has clear concepts yet about what kinds of security functionality should be standard equipment and what should be optional add-ons. And I don't claim to know where to draw that line, but I think our expectations will continue to evolve—just as our expectation for standard equipment in 2006 is that cars must have antilock brakes and air bags. I'd love to hear your thoughts about Microsoft's security products and strategy.
Your Security Expertise
These Forefront products are just two examples of Microsoft's ever-growing number of free and not-free security offerings. You certainly can't say that Microsoft isn't actively working on its security reputation.
An example of a different type of security effort is Microsoft's Learning Paths for Security (www.microsoft.com/technet/security/learning). Shawn Tng, who leads Microsoft's IT pro marketing, wants IT pros to become comfortable with security concepts and technologies. He told me, "The primary goal of the Learning Paths for Security is to help educate and raise awareness around security in the IT Pro community by leveraging the knowledge and expertise of the members of the community." To encourage you to share your security knowledge, we're running the "Know Your IT Security" contest, and Shawn is providing Zune media players as prizes for the 13 best entries. Hurry and send us your tips and best practices. The contest ends December 13.