Analyst firm criticises Microsoft security strategy

23 Feb 2005

Analyst firm Gartner has strongly criticised Microsoft’s security plans, following news that the software maker intends to launch its own antivirus and anti-spyware products. According to Gartner Research analyst Neil MacDonald, “these announcements do not add up to a strategy for protecting Microsoft’s products and customers”.

“Microsoft has missed an opportunity to clarify its strategy for the security market,” MacDonald said in a briefing note. His withering analysis came on the back of several Microsoft announcements that were intended to enhance its security software offering.

MacDonald said it would be better for Microsoft to eliminate the need for antivirus and anti-spyware tools, instead of simply supplying “lookalike products at lower prices”.

Microsoft intends to provide anti-spyware functionality free to licensed Windows users for personal and home use by the end of next year. However, enterprises will have to pay for this additional capability. It also plans to bring a consumer antivirus service to market within a similar timeframe, although no details of pricing, bundling or enterprise-class offerings were revealed.

At last week’s RSA security conference in California, Microsoft chairman Bill Gates spoke of plans to introduce version 7.0 of Internet Explorer with specific security enhancements, although the browser will only be available for Windows XP Service Pack 2.

MacDonald took the software giant to task for this latter decision, claiming it suggests that Microsoft wants to force users of older platforms to upgrade if they want improved security. “If Microsoft wishes to be seen as a responsible industry leader in maintaining security for its products and its customers, it should provide IE 7.0 for Windows 2000 users,” he said. “Furthermore, instead of making more evolutionary security improvements to IE, Microsoft should announce that it will fundamentally re-architect IE with security in mind.”

Microsoft responded to Gartner’s analysis by saying that the recent announcements were only part of the strategy and did not constitute its entire plan for security. “IT security is such a complex area that no one company has all the answers,” said Mike Hughes, security and platform strategy manager with Microsoft Ireland.

Hughes outlined four key parts to Microsoft’s security strategy. The first is isolation and resiliency: features built into software that stop typical exploits from occurring. The second, updates, covers the regular issuing of patches for software vulnerabilities. The third is that security is accorded high priority at all stages of the software development cycle. Lastly, Microsoft is working on building default security systems into its products based on stronger authentication than traditional passwords.

Hughes also acknowledged that Microsoft’s “primary focus” was on Windows XP SP2 for security. “It’s not a matter of asking customers to upgrade for the sake of it,” he claimed. “If you want to have the most secure desktop operating system, then we recommend moving to XP SP2.”

Gartner tempered its criticism by observing that the announcements “do fill in more pieces of Microsoft’s emerging security strategy” and noted, unsurprisingly, that they would result in significant changes to the security market. “Gartner believes Microsoft will deliver a combination AV and AS detection and removal product for Windows desktops in 2005, competing directly with other AV and AS detection and removal products and services,” said MacDonald, who delivered a warning to Microsoft’s potential rivals in the security space. “This move will challenge AV vendors that depend heavily on revenue from consumers, such as Symantec, and vendors that derive substantial revenue from upselling enterprises to AV product suites that include desktops and servers, such as McAfee and Computer Associates International.”

By Gordon Smith