Pressure Builds To Fix Security Flaws

As corporate vice president for the security business unit at the Redmond, Wash., software giant, Nash is responsible for executing his bosses' multipronged offensive against security assaults on Microsoft's software products. So far, the hackers who disrupted corporate networks the world over last year with the Blaster and SoBig worms have had the upper hand. Their ongoing exploits of Microsoft vulnerabilities continue to embarrass the company. But pressure to perform is also coming internally, especially from CEO Steve Ballmer, who says security is the company's No. 1 priority. Ballmer has outlined a raft of initiatives--including new products, patch schedules and processes, training and perimeter technologies--to buttress Microsoft's Trustworthy Computing initiative and help partners and customers thwart malicious attacks. Recently, Nash sat down with VARBusiness senior writer Carolyn A. April to discuss his role in the pressure cooker.

VARBusiness: Is it safe to say you have reached a point with this year's spate of worms and viruses that if you don't do something soon, security problems could have a bottom-line impact on Microsoft's business?

Nash: Rather than think of the impact on our business, I think of this from a customer-satisfaction aspect. And in that respect, we have done some tremendous things around the Trustworthy Computing [initiative]. We have trained all of our development staff [around security], and we have changed the way we release products. If you look at the data related to Windows 2000 vs. Windows Server 2003, we had 17 critical patches in the first 100 days of Windows 2000, and we had four for Windows Server 2003. You go [from] 17 to four, and you think, "Wow, that's great progress." But the fact that there were still four says it is not good enough. Clearly, we have to do more to make sure [vulnerabilities don't get exploited]. Quality is a good thing to focus on, and we're not going to stop. We're going to get smarter around that. But as the threat is changing, so must the response.

VB: What do you mean by that?

Nash: I think nonpatch technologies are a big part of it, but the reality is that it's never any one thing. It's a combination of things: What we do to make sure that our software is hard-balled; what we do to make sure that the patch is easier to deploy, more predictable, and we are not driving people crazy with patches. It's what we do to teach people how to run a Microsoft environment more securely. And that comes in guidance, training and online community.

And it's also what we do to make sure that even if there's a vulnerability in the software, whether there's a patch or not, [the vulnerability does not get exploited]. We are asking ourselves what other things, such as [Microsoft's] Internet Connection Firewall (ICF), we can create to go point-to-point against the kinds of exploits that are happening. At Microsoft, for example, if you want to use a Windows XP machine at home to connect into our network, if ICF is not turned on, you can't get in.

And we are looking at other vectors for attack: port scanning, which the firewall protects against; e-mail with malicious attachments; malicious downloads; and buffer overruns. In each area, we are making sure we are developing safety technologies that go after those things on a point-by-point basis, so you can tell the difference between good e-mail and bad e-mail, for example. We want to make sure from a Web perspective that you separate code that runs on the Net from code that can run locally and could, perhaps, exploit a vulnerability in your software. And with buffer overruns, it's about making sure we can protect against the execution of data.

VB: What is your partners' role in all of this?

Nash: Very clearly, Microsoft has an ability to solve many of these [security] issues, but there is no way we think we can solve all of the issues on our own. Our partners have the ability to build add-ons that can be developed and delivered with greater frequency and more responsively than we can. Antivirus is an area, for example.

But look, the key thing is that if the customer has a bad experience around security, they end up on my phone, and we talk about things we can do and work with them to build a security plan to audit their environment. Then they call back a month later and say, "You guys know a lot about security. We had no idea." A lot of this is that they now had a promise and a plan in place. It's about planning for the bad situation before the bad situation happens versus dealing with it while it's happening.

If we can have partners and customers focused on what they can do from an investment perspective to build strategies to implement an environment [and] to make them safer, then the security issues and outbreaks may not exist. In other words, what can we do to help get customers to a place where they solve the problem before it happens? [That] is why we are investing so much in guidance and best practices to be used for a security-assessment plan. If you go on the Web, you can see our structure around securing the network, perimeter, e-mail, remote access, wireless. We are going to train half a million people in the next few months on how to run a secure Microsoft environment.

VB: How much is Microsoft investing in security, and do you plan to acquire any companies to help in this effort?

Nash: It's hard to quantify what we are spending. It's not a real figure that I can give you. We did recently buy Pelican Software, which builds a behavior-blocking technology that we wanted. We also bought GeCAD's assets for antivirus technology, and we are looking at maybe spinning them into a product or incorporating them into our products. We are trying to get ahead of the curve and stay ahead of the curve. It's about improving quality, but also [about] mitigation of risk, and innovation.