Q&A: Microsoft Security VP Mike Nash

VARBusiness

VB: Given what we heard from Steve Ballmer at this conference, would you say that security is the No. 1 priority at Microsoft?
Nash: I'd say that it is. It doesn't mean we are doing nothing else, but when we have to do trade-offs, we favor security. And we are doing that because our customers have said that it is their top priority.

VB: Is it also safe to say that you have reached a point with this year's spate of worms and viruses that if you don't do something soon, security problems could have a bottom line impact on Microsoft's business?
Nash: Rather than think of the impact on our business, I think of this from a customer-satisfaction aspect. And in that respect, we have done some tremendous things around the Trustworthy Computing [initiative]. We have trained all of our development staff [around security], and we have changed the way we release products. If you look at the data [Ballmer] showed [here] related to Windows 2000 vs. Windows Server 2003, we had 17 critical patches in the first 100 days of Windows 2000, and we had four for Windows Server 2003. You go from 17 to four, and you think, "Wow, that's great progress." But the fact that there were still four says it is not good enough. Clearly, we have to do more to make sure issues around being exploited, issues around vulnerabilities, go away. Quality is a good thing to focus on, and we're not going to stop. We're going to get smarter around that. But as the threat is changing, so must the response.

VB: What do you mean by that?
Nash: I think non-patch technologies are a big part of it, but the reality is that it's never any one thing. It's a combination of things: What do we do to make sure that our software is hard-balled? What do we do to make sure that when you have to do the patch, it is easier to deploy, more predictable, and we are not driving people crazy with patches? It's what do we do to teach people how to run a Microsoft environment more securely? And that comes in guidance, training and online community.

And it's also what do we do to make sure that, even if there's a vulnerability in software, whether there's a patch or not, to make it so the exploit never gets to the vulnerability? If the exploit can't get to the vulnerability, then who cares about the vulnerability? We are asking ourselves what other things, such as [Microsoft's] Internet Connection Firewall (ICF), we can create to go point to point against the kinds of exploits that are happening. At Microsoft, for example, if you want to use a Windows XP machine at home to connect into our network, if ICF is not turned on you can't get in.

And we are looking at other vectors for attack: port scanning, which the firewall protects against; e-mail with malicious attachments; malicious downloads and buffer overruns. In each area, we are making sure that we are developing safety technologies that go after those things on a point-by-point basis, so you can tell the difference between good e-mail and bad e-mail, for example. We want to make sure from a Web perspective that you separate code that runs on the Net from code that can run locally and could perhaps exploit a vulnerability in your software. And with buffer overruns, it's about making sure that we can protect against the execution of data.

VB: What is your partners' role in all of this?
Nash: Very clearly, Microsoft has an ability to solve many of these [security] issues, but there is no way we think we can solve all the issues on our own. Our partners have the ability to build add-ons that can be developed and delivered with greater frequency and more responsively than we can. Antivirus is an area, for example.

But look, the key thing that I find is that [when] the customer has a bad experience around security, they end up on my phone, and we talk about things that we can do and work with them to build a security plan to audit their environment. Then I get a call back a month later, and they say, "You guys know a lot about security. We had no idea." A lot of this is that they now had a promise and a plan in place. It's about planning for the bad situation before the bad situation happens vs. dealing with it while it's happening.

If we can have partners and customers focused on what they can do from an investment perspective, to build plans and strategies to implement an environment to make them safer, then the security issues and outbreaks may not exist. In other words, what can we do to help get customers to a place where they solve the problem before it happens, which is why we are investing so much in guidance and best practices to be used for a security assessment plan. If you go on the Web, you can see our structure around securing the network, perimeter, e-mail, remote access, wireless. We are making sure that on a topic-by-topic basis, we are giving good guidance to show partners and customers how to do it. We are going to train half a million people in the next few months on how to run a secure Microsoft environment.

VB: In terms of Microsoft's resources and investment in this area, are you essentially getting into the security business?
Nash: I think there's a difference between being in the security business and making sure we are addressing customers' security needs. It's one of the things my group spends lots of time balancing. There are a lot of things we are doing to make software more resilient, stable and able to survive an attack of malicious code. And there are some cases where Microsoft has products that are about security. One example is ISA Server, our application-level firewall. That product sells for a price.

VB: How much is Microsoft investing in security, and are you planning to acquire any companies to help in this effort?
Nash: It's hard to quantify what we are spending. It's not a real figure that I can give you. We did recently buy Pelican Software, which builds a behavior-blocking technology that we wanted. We also bought G-CAD's assets for antivirus technology, and we are looking at maybe spinning them into a product or incorporating into our products. We are trying to get ahead of the curve and stay ahead of the curve. It's about improving quality, but also mitigation of risk and innovation.