Microsoft Monitor Weblog A Jupiter Research Business Weblog
 
Jupiter's Microsoft Monitor Research Service helps vendors prepare for market opportunities created by new Microsoft initiatives. In addition, Microsoft Monitor helps business and enterprise users discover which strategies are most successful in dealing with Microsoft and how to best exploit the customer relationship. The Microsoft Monitor Weblog is a companion to Jupiter's Microsoft Monitor Research Service and provides additional news, analysis and insight relevant to the areas most important for Microsoft's growth in both the business and consumer marketplaces. The content on this Weblog is often based on late-breaking events whose sources are deemed to be reliable. The insight and recommendations represent Jupiter's initial analysis. As a result, our positions are subject to refinements or major changes as Jupiter analysts gather more information and perform further analysis. Feedback is welcome at mm@jupitermedia.com.


September 26, 2003
Good Security is About Making Smart Choices

I’ve delayed for two days blogging on what I would consider a controversial report about Microsoft security. It’s a thorny subject, and one that tends to polarize people either for or against Microsoft’s approach to security; there’s not much room for middle ground. Except, the middle ground is exactly the position I find myself in on Microsoft security, so I wanted to let the report pass without much comment. But, increased press coverage about the report makes it just too hard to ignore.

So…the way the Computer & Communications Industry Association, or CCIA, tells it, Microsoft’s Windows dominance is a threat to national security. The group, which is heavily backed by Microsoft competitors and viciously attacked the company during more than four years of antitrust proceedings, released on Wednesday the 25-page report making this claim. The report is available here.

CCIA couldn’t have released the report at a worse time for Microsoft. A series of recent, nasty viruses or security glitches are dogging Microsoft products. CCIA’s timing doesn’t necessarily make the organization right, and the distributor is somewhat questionable here. (It should be noted that principal author Daniel Geer, who was let go from @Stake following the report's release, said that CCIA did not commission the report. His comments can be found in this internetnews.com story.)

That said, the report’s authors make some very compelling arguments about Microsoft’s monopoly power and the impact of a virus rapidly spreading across a "monoculture" infrastructure. But, the arguments ignore fundamental market dynamics. Microsoft acquired its monopoly through competition, meaning consumers and businesses chose the company’s products. Sure, Microsoft uses technology and business means to ensure customers won’t easily switch to other products. But that’s something almost any competitor would do, too.

If people choose to use Microsoft products, it’s not necessarily the company’s fault many customers potentially have increased their security risk by mainly using one supplier’s software. As general good security practice, every business should minimize risk by using products from more than one developer, particularly on the server. Standardization doesn’t necessarily mean buying one kind of server software and putting it everywhere. Particularly as Web services standards expand what businesses can do around existing standards and protocols, there is plenty of opportunity to standardize back-end operations without using one single product. If companies like IBM or Microsoft are doing their development job right, any enterprise should be able to run Exchange Server for one site and Lotus Notes/Domino in another.

The same argument applies to the desktop, but granted, with greater difficulty. That’s because so many businesses run Windows. One Windows security breach can easily magnify across all operations. That said, businesses are choosing Windows. It’s not like Microsoft is forcing anyone to use the software. There are market and technological dynamics that may make Windows seem like the only choice, but there are alternatives. The increased interest in Linux or the availability of Mac OS X or Unix for desktop computers shows there are choices.

The report's authors argue that tight ties between Microsoft OS and desktop applications software create customer "lock-in." I would argue that Microsoft's integration approach really takes advantage of human foibles. Because switching to non-Microsoft products can be difficult or costly, businesses simply don't do it. Integration might add to the complexity of switching--and so increase inertia to stay put--but it doesn't necessarily lock customers in.

As good security practice, it’s not a bad idea for businesses to spread different OSes around their desktops; the report's authors make a similar recommendation. The CCIA report makes a compelling argument, using potato farming as an example, about the spread of viruses along one crop or OS. Multiple OSes can help reduce security risks, but not necessarily eliminate them. That’s because some of the worst security holes have appeared around technology standards or protocols used by many operating systems. And Windows is by no means alone in suffering repeated security glitches. Linux and other OSes have had their share of problems, too.

Still, Microsoft could do more to resolve its security problems. Because the company’s products are so widely used--so any breach’s impact is all the greater--Microsoft really needs to do more than any of its competitors. I’m by no means a software developer, but I still know enough to question whether Microsoft has a basic architectural problem. The company is doing a commendable job improving its coding and adopting better security practices.

Yet something about the effort, particularly the ongoing security patches that give some network administrators ulcers, seems futile. How many times must a building be patched with boards or shored up with poles before the owner recognizes the structure needs to be replaced? I would encourage Microsoft to seriously ask this question as it looks ahead to next-version-of-Windows Longhorn.

Posted by Joe Wilcox at September 26, 2003 09:19 AM

Copyright 2004 Jupitermedia Corporation. All Rights Reserved.