Not so long ago, Microsoft had a terrible reputation when it came to security. Then something happened. In the early 2000s, the company started to get serious about security. In response to all the complaints and concerns and the ever-increasing incidence and severity of the threat landscape, Craig Mundie set forth a framework for an initiative called Trustworthy Computing, the first pillar of which was defined as security. This was the point at which Microsoft officially declared security a top priority. And over the years, they delivered on that commitment.
Security on the upswing
Following the release of Mundie’s white paper introducing the trustworthy computing concept, Service Pack 2 for Windows XP was released in 2004, and it was all about security. It added support for WPA encryption, a big reworking of the Internet Firewall, which was renamed as Windows Firewall (and which was enabled by default), blocking of “drive-by downloads” in IE, blocking of unsafe attachments in Outlook Express and Messenger, support for DEP, and the addition of the Windows Security Center.
Meanwhile, the Windows Server teams were likewise busily adding new security options and controls in each subsequent version of the OS. The first new version following the commitment to Trustworthy Computing was Windows Server 2003, and it broke new ground by coming out of the box with most services disabled by default. This was a big change from the “everything on” default configuration that Windows administrators were used to seeing in NT and Windows 2000 Server.
Did the love affair with security reach a peak?
Server 2008 R2 was built on the same code as Windows 7 and added some security-related features (such as DirectAccess and DNSSEC support), but the focus seemed to be moving away from security toward improvements to virtualization technologies such as cluster shared volumes, live migration, failover clustering, and so on. It’s not that security didn’t keep improving, it’s just that new security technologies didn’t seem to be as big of a deal as in previous versions.
Maybe that was inevitable. Maybe it means the OS has now reached a state that’s “secure enough.” Maybe it’s just that security is no longer the “hot new thing” — that position seems to have been captured by the cloud (which I’ll talk more about later). Maybe it’s like any love affair — it can’t burn hot forever.
I know that just because there doesn’t seem to be quite the excitement about security anymore, it doesn’t mean the company is abandoning its commitment to making Windows more secure. Commitment and focus are two different things; you can be committed to something without having that as your primary focus, right? (I’m sure many workaholic spouses will assure me that is the truth.)
Is the honeymoon over?
All I know is that it’s beginning to feel as if the romance has gone out of the relationship. Maybe I’m more acutely aware of it because I’m a Security MVP. A few years back, our group was one of the biggest, and at MVP events we were treated as if we were something special. We got the prime meeting rooms at the Summit, we got the off-campus dinners, we got the best speakers, we got our own special parties, and we got the best MVP gifts. The last few years, we have not been so well treated.
Sure, I know Microsoft has cut the MVP budgets for everyone, but there’s just not that aura of being a security specialist. The security-related products such as TMG and UAG seem to be falling by the wayside, with Forefront MVPs noting the lack of a product roadmap and other issues that I discussed in a previous column.
Perhaps even more troubling, some employees within the company who were focused on security, such as Steve Riley, have been laid off and their positions eliminated. Sure, people come and go, but when you look at the bigger picture, it just seems like part of an overall move away from security as the number-one top priority that it once enjoyed.
Is it about the cloud?
We all know that today’s darling can easily be pushed into the background when something new comes along. And Microsoft has made no secret about what they’re focused on and committed to today: the cloud. Maybe the idea is that security — or at least client-side security — won’t matter as much when everything is in the cloud. That’s something that will be taken care of by your cloud provider, and you won’t have to worry about your computers being compromised because they’ll just be semi-dumb terminals anyway. Your precious data won’t reside on them; it’ll be locked up, safe and sound, in some data warehouse somewhere halfway around the world.
Is Microsoft’s love affair with security really over? Is that because of the cloud? I hope not. I hope it has just settled into a less high-intensity, more comfortable relationship that will continue to grow, both in the cloud (public and private) and on the local machine, whatever type of device that may be. However, maybe it’s time to renew those vows.