Because Microsoft has been under attack from various quarters for the perceived lack of security in its products, the company is close to announcing a strategy shift in its Trustworthy Computing initiative. According to Microsoft executives, the company's short-term strategy will shift from patch management to what it calls "securing the perimeter." But long term, other problems exist: For many IT shops, the cost of dropping today's insecure products and moving to the more secure platforms of the future could hinder Microsoft's efforts to deliver on its security promises. Companies aren't willing to spend the necessary money simply to get better security, making it difficult for Microsoft to justify the cost of developing more secure products.
"It is difficult to see a return on investment on security," said Scott Charney, Microsoft's chief security strategist. "Good security is about risk management. There is little point in breaking the bank." The problem, he said, is that companies don't budget for the cost of security vulnerabilities, and simply adopting better security standards and upgrading to more secure products would, in the end, actually cost less.
Short term, Charney admits that Microsoft needs better patch-management installation and distribution processes. To combat its patch-management problems, the company is moving to a "securing the perimeter" strategy in which it will partner with various firewall companies to ensure that electronic attacks don't reach their intended targets but are instead thwarted at the edge of the network, or what network specialists call the perimeter. Microsoft CEO Steve Ballmer first revealed Microsoft's security shift in mid-September during a speech, when he said, "The most important technology area we are focused on is shield technology. We know bad guys keep writing viruses. The goal is to block them before they get on PCs."
Long term, however, Microsoft believes that perimeter security isn't enough, and the company is working with its partners and customers to communicate its concerns and make sure that they understand how the platform needs to evolve to ensure that users, companies, and their data are secure. Currently, Charney said, the company is about one-third of the way to its goals for Trustworthy Computing. But that progress isn't good enough, he said, to prevent a massive worm or virus attack that could be far more devastating than the MSBlaster and SoBig.F attacks that so thoroughly rattled IT shops and individuals around the world this summer.