Rich Kaplan, corporate VP of security business and technology marketing, said Microsoft is focused on four areas: reducing the impact of malicious software on corporate networks, improving system and application access control, developing more secure and reliable software products, and providing better guidance to customers on how to plug security holes. But as with all issues around security, Kaplan provided a disclaimer: as long as companies run networks in which systems and apps talk to each other, and that connect to the outside world, no security approach is bullet-proof. "This isn't just about securing everything," Kaplan said. "You can secure everything easily if you don't connect it to anything else."
As a business Microsoft doesn't have that luxury, said Microsoft CIO Ron Markezich. With 300,000 devices on its network (more than five for every employee), 403 buildings, and 7 million remote connections each month, Markezich has his work cut out for him. And the potential sources of security threats keep multiplying, Markezich said. Instant messaging use is picking up steam, yet E-mail traffic is unaffected by that growth. Of the 8 million external E-mails that enter Microsoft's network each day, 7 million are deleted as spam, he said. Microsoft maintains an extranet for enabling collaboration with external business partners, and the company's always-expanding base of source code is an intellectual-property asset whose protection is one of the IT department's top priorities.
As a result, Markezich said his department serves as the ideal testbed for ensuring that the steps Microsoft is taking on the security front for customers are effective. "You can think of my network as a large lab," he said. For perimeter defense, Microsoft has begun using smart cards to control remote access to its network, and is also using a tool called Connection Manager to prevent the introduction of malicious software. In the network's interior, patch deployment is key, as is the use of a technology called IP Sec, which prevents untrusted devices from connecting with trusted ones.
But it's the XP Service Pack, a security update to Windows XP that's slated for release by the end of September, that's been the focus of customers waiting for relief from the relentless parade of patches they're having to deploy. Kaplan gave those in attendance at Thursday's presentation a glimpse of the new software, showing how it will better protect Web browsers and more effectively secure network resources and mission critical applications such as E-mail. On the browser side, Kaplan demonstrated the service pack's ability to block pop-up windows and the installation of ActiveX controls—which not only slow performance but often are used to download malicious software to a PC. "It puts the user back in control," he said. He also showed a new security center icon in the system tray that will keep users informed on the status of firewall protection, system updates and anti-virus protection.
Kaplan also said Microsoft is working on giving companies tools to provide "health check-ups" that would check the status of updates and anti-virus software each time a device connects to the network, and is developing technology that would examine laptops before allowing them access to the general network after remote use. "Things that travel inside and outside your network are the biggest threat, " he said. Additionally, he detailed efforts to reduce the complexity of updating systems by combining the multitude of updates issued today with a unified update via the Microsoft Update Service, the new name for the patch-management software that had been referred to as Windows Update Services.
Microsoft is making progress on rolling out more secure products, Kaplan said, adding that Windows 2003, the first edition of its server software that was subjected to its Trustworthy Computing program, yielded only 13 critical or important security bulletins in its first year, compared with 42 such bulletins during Windows 2000's first year. Still, he stressed that technology is only one part of a security equation. "We're in a situation today where you absolutely have to constantly review your environment," he said.
Markezich said establishing policies—and enforcing them—is key to any security strategy. "I have yet to deploy a policy that's followed without enforcement."