Microsoft can shore up its software with patches or it can offer strategies for users that emphasize protection of the enterprise perimeter. But IT executives must realize that security is a matter of risk management, and risks can never be reduced to zero, experts said.
This week at its Worldwide Partner Conference in New Orleans, the software vendor is expected to advance the discussion on just what IT administrators need to do to secure their data. So far, Microsoft has emphasized patch management and user tools, such as the Microsoft Baseline Security Analyzer. The company is also expected to emphasize the need to fortify customer sites at the firewall, and it will likely tell customers it plans to speed up its service pack schedule.
"Microsoft is trying to prepare for the day, and they know it is coming, when some virus will go around that they didn't have the time to build a patch for," said Mike Cherry, an analyst at Directions on Microsoft, a Kirkland, Wash., consulting firm. "I think they are trying to develop a pragmatic way to deal with the eventuality when no one has time to put a fix on."
Until now, Microsoft's security strategy has focused on reducing the attack surface of its software. Windows Server 2003 shipped in April with most of its services disabled, thereby reducing its exposure to the Internet.
Customers can secure their perimeters with firewalls, but there is only so much that users can do, because the perimeter of the enterprise is becoming more porous every day, experts said.
As enterprise customers establish Web-based relationships with other vendors, suppliers and customers -- who all must connect somehow with internal databases -- the opportunities for intrusion multiply. "This is the convenience for being able to work with a partner," said Fred Cohen, a principal analyst at the Burton Group, a Midvale, Utah-based consulting firm.
Cohen said there is a large aftermarket in security products related to Microsoft's offerings, and Redmond does not want to kill that aftermarket. Also, if the company built software that didn't break, it couldn't sell upgrades. But the company does not want to appear in a negative light, and it must somehow meet its level of responsibility without destroying the aftermarket.
"I'm sure [Microsoft] wants to improve quality and security, but they are not highly motivated to improve, no matter what they say," he said.
Microsoft is currently facing the prospect of fighting a customer lawsuit, filed in Los Angeles Superior Court, alleging that flaws in Microsoft software led to criminal activity.
Microsoft has publicly stated that the lawsuit misses the point by targeting Microsoft instead of the virus writers. Regardless of who is at fault, all customers must come to grips with the fact that they will never find bug-free software, said technology expert Tom Nolle, president of CIMI Corp., Voorhees, N.J.
"The issue here is whether Microsoft writes software using practices that are so flawed that it constitutes depraved indifference, and that's asinine," he said.