Rich Kaplan, corporate VP of security business and technology marketing, said Microsoft is focusing on four general areas: reducing the impact of malicious software on company networks, improving system and application access control, developing more secure and reliable software products, and providing better guidance to customers on how to plug security holes. But as with all security-related issues, Kaplan provided a disclaimer--namely that so long as companies run networks in which systems and apps talk to each other, and that connect to the outside world, no security approach will be bulletproof. "This isn't just about securing everything," Kaplan said. "You can secure everything easily if you don't connect it to anything else."
Microsoft itself certainly doesn't have that luxury, as new CIO Ron Markezich pointed out. With 300,000 devices on its network (more than five for every employee), 403 buildings, and 7 million remote connections each month, Markezich has his work cut out for him. And the potential sources of security threats keep multiplying, Markezich said. Instant messaging is picking up steam, yet E-mail traffic is unaffected by that growth--and of the 8 million external E-mails that enter Microsoft's network each day, 7 million are deleted as spam, he said. Microsoft maintains an extranet for enabling collaboration with external business partners, and the company's always-expanding base of source code is an intellectual-property asset whose protection is one of the IT department's top priorities.
As a result, Markezich and his staff serve as the ideal test bed for ensuring that the steps Microsoft is taking on the security front are effective. "You can think of my network as a large lab," he said. In terms of perimeter defense, Microsoft has begun using smart cards to control remote access to its network and also uses a tool called Connection Manager to prevent the introduction of malicious software. In the network's interior, patch deployment is key, as is the use of a technology called IPSec, which prevents untrusted devices from connecting with trusted ones, for protecting the valuable source code.
But it's the XP Service Pack, a security update to Windows XP that's slated for release by the end of September, that has been the focus of customers waiting for relief from the seemingly endless parade of patches. Kaplan gave those in attendance at Thursday's presentation a glimpse of the software, showing how it will better protect Web browsers and more-effectively secure network resources and critical applications such as E-mail. On the browser side, Kaplan demonstrated the service pack's ability to block pop-up windows and the installation of ActiveX controls, which not only slow performance but often are used to download malicious software to a PC. "It puts the user back in control," he said. He also showed a new security-center icon in the system tray that will keep users informed on the status of firewall protection, system updates, and antivirus protection.
Kaplan also said Microsoft is working on giving companies tools to provide "health checkups" that would check the status of updates and antivirus software each time a device connects to the network, and it's developing technology that would examine laptops before allowing them access to the general network after remote use. "Things that travel inside and outside your network are the biggest threat," he said. Additionally, he detailed efforts to reduce the complexity of updating systems by combining the multitude of updates issued today with a unified update via the Microsoft Update Service, the new name for the patch-management software that had been referred to as Windows Update Services.
Microsoft is making progress on rolling out more-secure products, Kaplan said, adding that Windows 2003, the first edition of its server software that was subjected to its Trustworthy Computing program, yielded only 13 critical or important security bulletins in its first year, compared with 42 such bulletins during Windows 2000's first year. Still, he stressed that technology is only one part of a security equation. "We're in a situation today where you absolutely have to constantly review your environment," he said.
Markezich said establishing policies--and enforcing them--is key to any security strategy. "I have yet to deploy a policy that's followed without enforcement."