[LACNIC/Seguridad] Microsoft's love affair with security has lost its passion

Fernando Gont fgont en si6networks.com
Mar Nov 1 07:51:21 BRST 2011
Microsoft's love affair with security has lost its passion
By Debra Littlejohn Shinder
September 20, 2011, 1:09 PM PDT

Takeaway: Debra Littlejohn Shinder is beginning to feel as if the
romance has gone out of Microsoft’s love affair with security.

Not so long ago, Microsoft had a terrible reputation when it came to
security. Then something happened. In the early 2000s, the company
started to get serious about security. In response to all the complaints
and concerns and the ever-increasing incidence and severity of the
threat landscape, Craig Mundie set forth a framework for an initiative
called Trustworthy Computing, the first pillar of which was defined as
security. This was the point at which Microsoft officially declared
security a top priority. And over the years, they delivered on that

Security on the upswing

Following the release of Mundie’s white paper introducing the
trustworthy computing concept, Service Pack 2 for Windows XP was
released in 2004, and it was all about security. It added support for
WPA encryption, a big reworking of the Internet Firewall, which was
renamed as Windows Firewall (and which was enabled by default), blocking
of “drive-by downloads” in IE, blocking of unsafe attachments in Outlook
Express and Messenger, support for DEP, and the addition of the Windows
Security Center.

Meanwhile, the Windows Server teams were likewise busily adding new
security options and controls in each subsequent version of the OS. The
first new version following the commitment to Trustworthy Computing was
Windows Server 2003, and it broke new ground by coming out of the box
with most services disabled by default. This was a big change from the
“everything on” default configuration that Windows administrators were
used to seeing in NT and Windows 2000 Server.

Did the love affair with security reach a peak?

Server 2008 R2 was built on the same code as Windows 7 and added some
security-related features (such as DirectAccess and DNSSEC support), but
the focus seemed to be moving away from security toward improvements to
virtualization technologies such as cluster shared volumes, live
migration, failover clustering, and so on. It’s not that security didn’t
keep improving, it’s just that new security technologies didn’t seem to
be as big of a deal as in previous versions.

Maybe that was inevitable. Maybe it means the OS has now reached a state
that’s “secure enough.” Maybe it’s just that security is no longer the
“hot new thing” — that position seems to have been captured by the cloud
(which I’ll talk more about later). Maybe it’s like any love affair — it
can’t burn hot forever.

I know that just because there doesn’t seem to be quite the excitement
about security anymore, it doesn’t mean the company is abandoning its
commitment to making Windows more secure. Commitment and focus are two
different things; you can be committed to something without having that
as your primary focus, right? (I’m sure many workaholic spouses will
assure me that is the truth.)

Is the honeymoon over?

All I know is that it’s beginning to feel as if the romance has gone out
of the relationship. Maybe I’m more acutely aware of it because I’m a
Security MVP. A few years back, our group was one of the biggest, and at
MVP events we were treated as if we were something special. We got the
prime meeting rooms at the Summit, we got the off-campus dinners, we got
the best speakers, we got our own special parties, and we got the best
MVP gifts. The last few years, we have not been so well treated.

Sure, I know Microsoft has cut the MVP budgets for everyone, but there’s
just not that aura of being a security specialist. The security-related
products such as TMG and UAG seem to be falling by the wayside, with
Forefront MVPs noting the lack of a product roadmap and other issues
that I discussed in a previous column.

Perhaps even more troubling, some employees within the company who were
focused on security, such as Steve Riley, have been laid off and their
positions eliminated. Sure, people come and go, but when you look at the
bigger picture, it just seems like part of an overall move away from
security as the number-one top priority that it once enjoyed.

Is it about the cloud?

We all know that today’s darling can easily be pushed into the
background when something new comes along. And Microsoft has made no
secret about what they’re focused on and committed to today: the cloud.
Maybe the idea is that security — or at least client-side security —
won’t matter as much when everything is in the cloud. That’s something
that will be taken care of by your cloud provider, and you won’t have to
worry about your computers being compromised because they’ll just be
semi-dumb terminals anyway. Your precious data won’t reside on them;
it’ll be locked up, safe and sound, in some data warehouse somewhere
halfway around the world.

Is Microsoft’s love affair with security really over? Is that because of
the cloud? I hope not. I hope it has just settled into a less
high-intensity, more comfortable relationship that will continue to
grow, both in the cloud (public and private) and on the local machine,
whatever type of device that may be. However, maybe it’s time to renew
those vows.

Fernando Gont
SI6 Networks
e-mail: fgont en si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

More information about the Seguridad mailing list