30 Minute Interview

“Our goal is to make security a positive and enabling technology”

Microsoft has lined up a set of security-related initiatives. Ben Fathi, corporate vice president, Security Technology Unit, Microsoft Corporation talks about the company's plans in this regard with Abhinav Singh.

Ben Fathi

Can you tell us about how your server based security offerings differ from those of your competitors?

Forefront Security is Microsoft’s new suite of products that includes Forefront Security for Exchange Server, for SharePoint Server and for Collaboration Server. There is also Forefront ISA, which is Internet Security and Acceleration Server, which has been in the market for quite a while and now has been integrated with Forefront technology. All these products are available in the market. The Forefront Client Security products, which are Anti-Virus and Anti-Spyware solutions, are currently available in Beta but will be made available in the market in early 2007. We are also working on other products and have acquired Whale Communications that has products in the VPN security space—these will help us in entering the VPN security space. In terms of client security we are new to the market and face competition from Symantec, McAfee who have been in this space for quite some time. The value proposition we bring is in terms of simpler manageability, integration with active directory and that all the tools and infrastructure that we offer integrate with Microsoft Operations Manager.

Our strategy revolves around defence in depth. We do a huge amount of work on securing the platform itself. For instance we have worked to secure BizTalk and it integrates seamlessly with our layers of defence and depth such as IPSec VPN and firewall. Broadly we aim at a secure platform that integrates with the customer’s layers of defence. In case a customer also wants the products from other security vendors our products can integrate very well with them too. Our goal is making security a more positive and enabling technology for our customers. Our products integrate with the platforms that we offer and it clearly differentiates us from other vendors.

While DOS 6 had a bundled anti-virus application, the recent release of One Care is your entry into the client security software space. What prompted you to enter this market segment?

We are entering the PC security market with Windows Live OneCare. The product suite is extremely important for us and it has a number of features including Anti-Virus, Anti-Spyware, Firewall and it also automates the backup, performance tuning and patch updates of machines. Broadly speaking our product suite manages the health of a PC while at the same time providing a host of security features. This differentiates us from other vendors and they do not have such a value proposition as it not just security but also the complete health management of a PC besides security.

Sometime back Microsoft introduced a Security Development Lifecycle (SDL), which I believe is how to secure the product right from the design stages even before people start writing code. How does it help Microsoft?

We have been working on SDL for the past two to three years and it has helped secure products. Basically it is a lifecycle process as we start at the basic stage of product development before anyone has written a single line of code. We have security experts that work with the development team and check for vulnerabilities and security gaps at every stage of product development. They also study the kinds of attacks that can be launched against the particular product and then work with the team to incorporate the requisite security functionality to stop these attacks into that particular product. After that when code is written we have a number of tools that help us to study the security vulnerabilities in it. The tools look at the source code and the security issues. We also have code testers who create tests and check for security vulnerabilities. After this when the product is ready for release we hire external hackers to attack the system. This helps us study the vulnerabilities further. Finally we have our security experts who finally check the security aspects of the product, in case there are vulnerabilities then the whole process is repeated. Then there is also the final security review of the product. SDL applies to all our products today.

What steps Microsoft has taken to tackle security issue at the OS level in Window Vista?

We have introduced numerous features to tackle security issues at the OS level in Windows Vista. Foremost amongst them is the User Account Control (UAC) that lets you run as a standard user. One of the big problems we have had with Windows is that everybody runs as an administrator. The problem in this approach is that while running as administrator when a virus attacks a machine it gets complete control as it has administrative privileges. Through UAC one can run as a standard user and when people log in they do not have administrative privileges and it controls security parameters on the machine, as even if there is a virus on your machine it cannot damage your system, as it does not have the administrative privileges. There will also be Kernel Patch Protection, which is the software we have in the Kernel level that blocks root kits. BitLocker is another security feature of Vista. It encrypts the entire hard drive of a notebook PC. One of the big problems which our customers have is that when their notebook gets stolen, people can steal their data. With BitLocker everything on the hard drive is encrypted automatically so that even if the hard disk is taken out of a machine it cannot be decrypted.