Two years into Microsoft's Trustworthy Computing Initiative, and Microsoft security is still an oxymoron.
It's not that Microsoft isn't trying to improve the security of Windows and its other products; it has an impressive -- albeit, not always obvious -- laundry list of security achievements.
Nevertheless, Microsoft is still losing the battle for security in the here and now, and for good reason: The end-user community's expectations are simply too high. Microsoft says Trustworthy Computing will produce gradual security improvements over the next 10 years. But users want those improvements today.
Microsoft is quick to say it's always cared about the security of its operating systems and applications. Prior to 1998, Windows was no more or less secure than other platforms, since it was designed as a client-only application. Flaws and vulnerabilities only became glaringly evident when Windows was exposed to network environments and the Internet.
The user community bemoaned the problems but never revolted. During the dot-com and Internet heydays, they asked Redmond for flashy features and new applications -- security was barely a secondary consideration. These demands weren't exclusive to Microsoft products. Most applications and IT project followed the same paradigm -- develop, deploy, then secure when necessary. Security was seen as an inhibitor and not an enabler.
Microsoft is like any commercial enterprise: It responds to market forces and customer demands. You want a user-friendly operating system? Bam! You get GUI-rich Windows. You want Internet access? Bam! You get Internet Explorer. You want easy interoperability? Bam! You get probably the best integrated suite of home and business applications on the market.
The problem is users didn't understand what they were asking for. Microsoft simply responded to their desires and only their desires. They didn't ask for strong security, quality code and patchless systems, so they didn't get them. What they got was fast-to-market applications that provided more functionality than users could ever hope to utilize.
Critics say Microsoft is doing too little, too late to improve its security. It was only after Nimda shocked our systems following the September 11 that enterprises told Redmond if security didn't improve they would start shopping for alternatives.
How did Microsoft respond? It developed the Trustworthy Computing Initiative.
Commercial enterprises will provide customers with what they want, and Microsoft did that with the first iteration of Windows Server 2003. The new OS shipped with most of its most vulnerable services turned off. This was a huge change, since it cut down on user-friendliness to make the OS more secure.
Unfortunately, turning off these services broke some apps. Some users asked Microsoft to create a button that turned all the features on for convenience sake. Microsoft correctly refused.
Part of Microsoft's security strategy is providing more information to users and enterprises on how to make their systems more secure. Following last summer's Blaster outbreak, Microsoft went on a media blitz to tell users how to better secure their systems against infections. Many users interpreted this as Microsoft trying to place blame for Blaster on them.
It's Microsoft's fault for allowing the user community to become jaded, since it only started paying attention to security when users started screaming. The user community needs to cut Microsoft some slack. As Microsoft repeatedly says, it will take years to clean up its code, and more secure systems will only come through generational changes.
It's likely Windows 2014 will be a far more secure OS than Windows 2003 or XP. Over the next decade, Microsoft will likely make significant reductions in the number of vulnerabilities and flaws in Exchange, IIS, IE, etc. We'll likely be more concerned about the protection of transient data from Web services and grid computing, and unforeseen security challenges. Can we wait 10 years? Most say no, and continue to jab at Microsoft for coming late to the security table. It's time users take some of the responsibility and accept they were late in asking for secure systems.
This was first published in January 2004