The Insecurity in Microsoft's Security News.
Last month's JupiterResearch report, “Microsoft's 2006 Product Strategy: What It Means for Partners and Competitors,”
explains how the company is competing more with partners and offers
dire predictions for suppliers of security software. Microsoft's
overnight security announcements accentuate the partner threat
identified in the report.
Recap of the announcements: Microsoft unveiled a new corporate
security product, Client Protection; Microsoft Antigen, based on
technologies from its Sybari acquisition, will ship in first half of 2006; a new Microsoft-established industry consortium, Secure!T Alliance, will seek to create opportunities for existing to (quoting the press release) “to more effectively and efficiently build and integrate their products for the Microsoft platform.”
My problems with Microsoft's security announcements are numerous, so
I'll take them one by one. Each is my observation; Microsoft didn't
discuss the announcements with me beforehand.
Partner Competition. I see the new Client Protection software
as directly competing with many security products already available
from loyal Microsoft partners. As I blogged yesterday, Microsoft can't
work with its partners and consume their markets, too. I question the benefits of deep integration into Microsoft technologies, such as Active Directory, but I don't question the likely negative impact on loyal partners.
In January, I suggested to Microsoft:
“Windows is the largest software distribution system on the planet. You
have built automatic updating into the operating system and product
activation. Rather than distribute your own security products, why not
enable your partners to do a better job? Use the infrastructure, which
I'm sure would need some retooling, to help partners distribute
security products. That would be a better long-term strategy than
competing with the partners.”
Band-aid Approach. Microsoft is approaching security problems
in much the wrong way. The company has been buying up security
companies and preparing new security products, when real problems are
elsewhere. My contention: Microsoft needs to fundamentally fix certain
problems with the Windows architecture. One problem, rights management,
is supposed to get fixed with Windows Vista, but that won't address
issues for the millions of Windows XP systems. Additionally, there are
other architectural issues that potentially increase Windows' security
vulnerabilities. My longstanding contention has been that, from a
security perspective, integrating Internet Explorer into Windows wasn't a good decision.
I'd like to see Microsoft fix more fundamentals, rather than release
security products that compete with partners. Windows XP Service Pack 2
was a good start.
Misplaced Security Focus. JupiterResearch surveys reveal that
medium-and-large business IT managers favorably rank Microsoft security
compared to other vendors, such as IBM and Oracle. These customers are
reasonably satisfied with Microsoft, and they have plenty of very good
security software products to choose from. The real security problem lies elsewhere. Looks like infected consumer PCs create the greatest potential threat to business systems. For example, Remote Access Trojans, or RATs, account for about a third of spam, according to a CNET News.com story. I don't see that Microsoft has adequately addressed the larger consumer security problem.
Sales Pull. Microsoft has embarked on an aggress cross-integration strategy
that will come together with late 2005 and 2006 product releases.
Integration can create sales pull among products, because businesses
need to buy Products B and C to get the most out of Product A. If
successful, the approach could help pull more Office and Windows
upgrades, which Microsoft will badly need when Windows Vista and Office
12 presumably ship late next year. By releasing security products that
integrate deeply into Windows and Windows Server, Microsoft
simultaneously can generate some upgrades for its products and create
sales pull away from competing platforms among heterogeneous businesses
(i.e., mixed shops). I would advise security software companies with
strong cross-platform products to leverage the differentiation from
Microsoft's only-Windows approach.
Not another platform. Microsoft's creation of the
Secure!T Alliance is really the company's way of simultaneously
throwing a bone to existing security partners and elevating security to
the level of a platform technology. My report, “Microsoft 2005: Uncovering Partner and Competitor Opportunities,”
looks at Microsoft's multi-platform strategy. If Microsoft takes
similar approach to its other newer platforms, security development
partners would be relegated to building on top of what Microsoft is
integrating into its core platforms. That could lead to dramatic
changes for the security companies not displaced by Microsoft's
entrance into the security software market [Microsoft Monitor]