Microsoft's Forefront group eying compliance market

Microsoft has developed vulnerability assessment and compliance software that it hopes to roll into its Forefront product line.

Security vendors Symantec and McAfee may soon find Microsoft competing with them in a new market.

Microsoft has developed network-scanning technology, internally known as Spider, that scans PCs for security vulnerabilities and ensures that the latest patches are installed and that PCs have the required software to put them in compliance with corporate IT policy.

The software was developed by Microsoft's IT group to clamp down on security problems within Microsoft's own network, but the company is now looking at adapting it for its Forefront line of security products, a director with Microsoft Information Security, Mark Estberg, said at the SecureWorld Expo.

Some customers can already get access to the Spider technology through Microsoft's services group, he said.

"The goal is to get this software written into products that go out to customers, but as a near-term step, through services, you can get this software now," Estberg said.

The software had been a success at Microsoft, although his team received some "incredibly articulate hate mail" in the early days, after instituting a policy of cutting off Microsoft users whose PCs were not in compliance, he said.

"It's really, really painful ... but it made a big impact," Estberg said.

The software could scale to a large number of machines and was used to scan Microsoft's corporate network several times per day, Estberg said. It was agentless, requiring no additional software to be installed on the client.

As Microsoft's entrance into the security market has begun to threaten their core antivirus product offerings, vendors such as McAfee and Symantec have been increasingly focused on developing products that can be used to enforce IT compliance.

McAfee, in particular, has been on a shopping spree in this area. It recently purchased Onigma, an Israeli vendor of data-leak prevention software, and Preventsys, a provider of risk management and compliance reporting software. McAfee is also in the process of closing its $US60 million acquisition of compliance vendor Citadel Software.

Microsoft is in a position to simplify security for its customers by giving them one point of contact, said one show attendee, a San Francisco area IT risk manager who asked not to be identified. But that convenience could come at a price, he said: a lack of accountability and competition in the security space. "It boils down to the question, who's checking the checker."

Clearly, compliance is a growth area for the security industry, but with tensions already high between Microsoft and its security partners, it was unclear how quickly the company would move into this new market, a program manager with Yankee Group's Security Solutions & Services Decision Service, Andrew Jaquith, said.

"The question is exactly how much more do you want to antagonise them?" he said.