Microsoft continues to reveal its security ambitions in very obvious ways. Its $75 million acquisition of SSL VPN vendor Whale Communications last week shows just how deep it wants to go against the established leaders of various security technologies.
Once upon a time, Whale swam in a sea of SSL VPN vendors—Neoteris, URoam, SafeWeb, enKoo, Aventail, Permeo, Twingo Systems, Net6 and many more. The technology was never intended to be a standalone solution; SSL VPN is a feature set of a much larger security system. This is why it made sense when NetScreen, F5 Networks, Symantec, Citrix, Cisco Systems, Check Point and all of the other perimeter security hardware vendors snapped up the SSL VPN start-ups to incorporate the technology alongside IPSec VPNs.
But Microsoft getting into the SSL VPN game? To what end? Windows already has native L2TP and PPTP secure remote connectivity. And most of the major VPN software packages run on Windows. Ah, but Microsoft has a firewall, of sorts, in the Internet Security and Acceleration (ISA) Server. If Microsoft's intention is to incorporate SSL VPN into ISA—which it clearly seems set to do—it can only mean that Microsoft's security strategy is to go beyond the application sets of the desktop and into a full suite of network-based security products.
Already in Microsoft's security sights are the antivirus and antispyware vendors. Since Microsoft bought European antispyware vendor Giant Company Software and antivirus vendor Sybari, it has been pretty clear that it intends to get into the malware protection market. Symantec, McAfee and Trend Micro seemed to be the clearest targets, but so are Sophos, CA, F-Secure and scores of smaller vendors.
Whale gives Microsoft more than just SSL VPN technology; it also brings hardware capacity. Microsoft partners with Network Engines and Celestix for its ISA hardware form factor. Whale's appliances give Microsoft a new medium for pushing its expanded ISA Server as a plug-n-play device. If Microsoft intends to get into the perimeter security game, its first target will be the SMB market, where it can leverage the full might of its marketing power against some vulnerable competitors—Check Point, Blue Coat, Websense, SonicWall and WatchGuard. As it builds the product and experience to produce enterprise-class security products, the targets will shift to Cisco, Juniper and Check Point.
When Microsoft launched its Trustworthy Computing Initiative in 2002, its stated goal was to clean up the Windows code base and eliminate the vulnerabilities that made it susceptible to attack. Within a year, Microsoft formed the Security Business Unit, which oversaw Trustworthy Computing and the buildout of Microsoft security products. Four years later, we're beginning to see the end game of the revenue side of Microsoft's security equation.
So, now let's play the acquisition game. If Microsoft intends to build or acquire products that deliver security from the host to the cloud, what does it need next? Intrusion prevention, endpoint compliance checking, a stateful-inspection firewall and identity management. If I were a betting man—and sometimes I am—I would put my money on Internet Security Systems and RSA Security. Both are midtier vendors that haven't found a way to break out into the major leagues, but are leaders in their technology space. ISS would give Microsoft a solid IPS hardware solution, while RSA would give it encryption and identity management.
No matter which move Microsoft makes, it's good news for Microsoft partners. They will have new toys to bring to their customers, and they'll have integrated software and hardware packages to sell. It will take years for Microsoft to threaten established security vendors with its newfound technologies, but the day is coming when we may be saying "Secured By Microsoft."