By Forrester Research
Special to CNET News.com
April 10, 2003, 11:30 AM PT

By Laura Koetzle, Analyst

Microsoft's security is better than you think--really. However, to improve the security of the Windows platform, we need a new partnership among Microsoft, software companies that write the applications for Microsoft's platforms, and end user customers.

Customers worry about Microsoft's security: Seventy-seven percent of respondents to a Forrester survey cited security as their top concern about deploying Windows. Despite those concerns, 89 percent of users are still deploying sensitive applications like financial transaction systems and medical records databases on Windows. Furthermore, 40 percent of users have no plans to make any security improvements to their Windows installations themselves--they're waiting for Microsoft to fix everything for them. So whose problem is Microsoft's security? It's everyone's.

Microsoft deserves more credit than it receives for its security efforts. For example, the company released patches an average of 305 days before the last nine high-profile incidents that exploited Windows vulnerabilities. Too few customers deployed the patches, not because their system administrators are lazy, but because today's patching processes are manual, error-prone and likely to bring down critical production systems.

Taking Windows security to the next level requires a three-way security partnership among Microsoft, other software makers, and end-user customers. What will this partnership look like?
Microsoft must lead. With security, it has been the victim of its own success. Because Microsoft's platform is the most accessible and popular, it attracts large numbers of both skilled hackers and inexperienced system administrators--a lethal combination. Thus, the onus is on Microsoft to make patch

Easy as it would be to let Microsoft take all the heat for security incidents, other software companies must cease to be silent partners in security. Why? Because applications running on top of Microsoft's platforms often create or exacerbate security problems, and customers know it. Software makers must commit to concrete schedules for certifying Microsoft's critical security fixes for their products. Key companies like Oracle, SAP and Siebel Systems must work with Microsoft to develop blueprints for securely deploying their applications on Windows.

Finally, end user customers must standardize their Windows deployment processes. Today, many companies have nearly as many Windows server configurations as they have servers, making it impossible for them to determine whether a critical security patch is compatible with their Windows infrastructure. Thus, end users must select four standard security-validated Windows configurations. Users should use tools from vendors like Veritas or BladeLogic to automate the provisioning of those standard configurations and to easily build test environments for critical security patches. Finally, end users without the resources or desire to establish, provision and patch standard Windows images should subscribe to patch management services from vendors like TruSecure or the Veridian/SecureInfo partnership.

© 2003, Forrester Research, Inc. All rights reserved. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.