Microsoft is looking to tackle the security vulnerabilities of its products through a mix of reseller campaigns, free patch management tools and a focus on security during future product development.
Microsoft Australia has appointed Ben English to manage the vendor’s local “security mobilisation” strategy in tune with its activities overseas. “Internally we are galvanising our resources into security,” he said. “It is a tactical response to the issues of the last 12 months.”
Microsoft had a three-step strategy for addressing its security issues, English said.
The first phase will see the vendor engaging in partner and customer education programs during the next 6–12 months.
English said Microsoft would use this opportunity to both educate and listen to the security-related concerns of its dealer and user community. He was running campaigns focused on depth (channel partners with security skills) and breadth (the wider Microsoft channel).
The vendor was in the process of identifying those of its channel partners that had a security skill-set, English said. Twenty local resellers had already been chosen to attend specialist security training sessions in Sydney and present their wares at customer road shows.
“We need to work with partners as many have already got the skills and knowledge level that has more credibility in the market,” he said. “We want to publicise these partners to customers that need to address security concerns.”
For the wider Microsoft channel, the vendor has already started distributing a free tool to resellers called the Microsoft Baseline Security Analyser, which is a low-level patch management service aimed at assessing the vulnerabilities of Microsoft systems.
Resellers are being asked to offer customers a free assessment of their systems.
Resellers are rewarded through a Business Benefits Program, under which they redeem reward points for free Microsoft training, software or licensing every time a customer sends an acknowledgment that a reseller has completed an assessment of its organisation.
This program would run through to April, English said.
“We need to raise the general level of awareness among resellers that do not focus on security,” English said. “About 95 per cent of security problems can be solved on the spot with this tool. More importantly, it sets up our partners in the role of a trusted advisor to the customer.”
The second phase of Microsoft’s strategy would be to launch new products to assist its partner and user community to battle security issues on the vendor’s current platform.
Currently in beta and due for release in June is the Windows XP Service Pack 2 (SP2), which aims to address security concerns in Microsoft’s current operating system by embedding firewall and other security functionality into the code.
The distribution of this service pack will coincide with the first service pack for Windows Server 2003.
Microsoft is also releasing Software Update Services, a patch management tool that is available as a free download. The tool is essentially a stripped-down version of Microsoft’s commercial product, Systems Management Server, a product which combines patch management with other application management services for large enterprise products.
“Patch management is a critical customer concern these days,” English said. “We want to make it as painless as possible.”
The third phase of the vendor’s Security Mobilisation strategy is the development of the next-generation Microsoft platform, which English said would tie hardware and software together to create a secure computing base.
“These are the building blocks to making security a competitive advantage for Microsoft,” he said. “It could be said that we are at the opposite of that right now.”
English didn’t apologise for the length of time Microsoft needed to solve its security issues.
He said Microsoft’s history of security vulnerabilities was a legacy of a functionality-first philosophy which had only changed in the past five years.
“Today, the financial losses from security breaks are measurable,” he said. “Today, there is no stronger priority at Microsoft than security. We have implemented a strong internal program to make our code more secure. This is going to be a long process over several product releases.
“Security is complicated. We are never going to get to a state of zero vulnerability in our code, but we need to get as close to that as possible.”