Microsoft Beckons to Early Adopters

It's decision time, and we're not referring to Election Day.

With Microsoft's security-heavy Vista operating system due November 30, and its Forefront Client Security available for open beta sometime this quarter, you may still be agonizing over whether to stick with your existing host-based security tools or to cast your vote with Microsoft. (See The Vista-Forefront Security Two-Step.)

If you entrust everything to Microsoft, will you lose some features or functions? Where will you need to fill in with third-party tools? And the big question keeping most IT security folks awake at night, of course, is whether it's actually safer or riskier to rely on Microsoft to secure its own software.

You can continue to go with what you know -- incumbent McAfee, Symantec, or Trend Micro, for instance -- but what if your third-party antivirus/host intrusion protection vendor or its product eventually becomes obsolete in the wake of Microsoft's big security play?

There are perils with both courses. And since few organizations ever jump on the first release of any software product, most enterprises are likely to do a little of both, at least initially. The first release of Forefront will be about two years behind other host-based security companies functionality-wise, notes John Pescatore, a vice president at Gartner. Forefront so far doesn't include the intrusion prevention system features to detect unknown threats, which McAfee and Symantec provide today in their products.

"There would have to be a good reason for most enterprises to switch to Forefront" now, says Pescatore. "And large enterprises don't use the first version of anything, let alone the first version of a security product." (See Not Your Grandpa's Microsoft.)

Microsoft's initial push is more on the consumer side with Windows Live OneCare, its host-based security package for consumers, security analysts say. And price-conscious small businesses that typically follow Microsoft's lead will likely be the first to adopt its security software. Microsoft will later pump out more features for its enterprise Forefront line, analysts say.

Pescatore says some small and even medium-sized companies that basically live off Microsoft's Small Business CD-ROM, would be likely adopters because they are already so tied to Microsoft. Even so, these organizations may still need to add a third-party security tool to thwart the ever-increasing volume of new threats, he says, since AV only targets known ones.

It's a different story if you're a large organization with a mix of OSes and threats, and most large Microsoft customers are well aware of the tradeoffs of putting all of their host security into Microsoft's hands with Vista security and Forefront. "You are relying on a company that does not specialize in security to make sure you are bringing your endpoint security up to par with your network security," says William Bell, director of security for CWIE.

Bell says he'll evaluate Forefront from both the security and fiscal perspective, but he's skeptical that Microsoft is the answer for security. "I am more inclined to trust a proven security vendor over Microsoft any day."

It may feel safer with Microsoft's brand behind its own products, but that also can breed a false sense of security.

"I've always believed a vendor should own the security over their own product. That way, they are motivated to lower support costs and provide adequate security but are not motivated to break the product to sell more security software," says Rob Enderle, principal with the Enderle Group. "The risk is will a vendor disclose the [security] problems with their own products that you need to know about?"

But if you forgo Forefront and some of Vista's built-in security features and retain your current AV/IPS package, the main tradeoff is you'll have yet another management console with Vista alongside, say, Symantec. "If you're using Symantec today, you've bought into their console for managing, auditing, and reporting on all desktop security," Gartner's Pescatore says. That raises the cost of ownership and the chances you'll miss a threat while juggling consoles.

Plus it will cost you a little more since Microsoft's security play is expected to drive down the cost of AV tools and eliminate the need for extra anti-spyware (now part of the OS in Vista, as well as a firewall and disk encryption).

Meanwhile, even with the brouhaha over Microsoft securing its kernel and effectively shutting out some third-party AV tool features that require modifications to the kernel, experts say most AV tools still will run on Vista.

"If you choose to go with a third party, Microsoft is not going to do anything that says [for example] 'JP Morgan, your 100,000 Symantec desktops aren't going to work with this anymore,'" Pescatore says. "Microsoft is not in the business of making their enterprise customers insecure."

Microsoft has basically said so itself when it comes to application programming interfaces it will provide AV vendors for Vista. "The design of the APIs will take into account their misuse and will work to minimize any impact to the customer," a Microsoft spokesperson says. (See Symantec Spurns Microsoft’s Vista Security Proposal.)

CWIE's Bell says he's not worried about the ramifications of going with third-party security vendors instead of Microsoft. "Although Microsoft will take over the current functions security vendors have been marketing for years, innovation will still come from these companies and they will continue to bring new security products to market that the public wants or they will go out of business."

Security experts don't expect Microsoft to drive security innovation, rather its general adoption and awareness, especially among smaller organizations and consumers. "A lot of businesses have inadequate security, and as you start to buy new computers that have some security baked in that you didn't have before, that will help [security] overall," says Richard Stiennon, president of IT-Harvest.

Still, no one knows for sure whether Microsoft will stick it out in the security space long-term, Gartner's Pescatore says. He points to the recent high-level management shakeups in the security side of the software giant's business. "It doesn't look like one of those places at Microsoft where someone wants to stay and become a star."

It wouldn't be the first time Microsoft has steamrolled its way into a market and then quietly fizzled out: Microsoft's foray into systems management with SMS and Microsoft Operations Manager (MOM) didn't exactly capture the hearts and budgets of enterprises, notes Pescatore.

"Three years from now, if Microsoft is still in the security business -- and there's no guarantee it will be -- then it will [target] larger enterprises."

— Kelly Jackson Higgins, Senior Editor, Dark Reading