In-Depth
Partners in Security
Microsoft hasn't always had a great reputation for keeping things safe.
The company hopes to change that impression and its partner relationships
with a serious move into the enterprise security market.
- By Lee Pender
- November 01, 2006
Microsoft and security.
The two words appear together all the time, but mostly in a negative
context. Read the IT industry news on almost any given day, and you're
likely to see stories about Microsoft's security struggles: vulnerabilities
in Windows and other applications, virus attacks, patches -- and sometimes
even patches for patches.
Microsoft has worked for years to improve security for its own operating
system and applications and has made significant progress in that area.
But many business users and IT professionals remain skeptical about how
secure the company's products really are. And now, against the backdrop
of this still-questionable reputation for securing its products, Microsoft
is making the bold move of selling a full suite of security applications
for the enterprise.
With its Forefront line of security applications for businesses, officially
introduced in June, the company is starting an effort to establish itself
as a key vendor in a market that it has previously been happy to turn
over to Independent Software Vendor (ISV) partners. Those partner-turned-competitor
ISVs will have to respond to Microsoft's challenge, just as other partners
will need to manage relationships both with current ISV security partners
and with Microsoft in order to fully exploit the opportunities that Forefront
creates.
Changing Perceptions
Partners say that they still struggle with Microsoft's spotty reputation
for security. "It's something that gets brought up at every sales
call," says Hugh Kelly, vice president of marketing at Network Engines
Inc., a Canton, Mass.-based Gold Certified Partner and provider of appliances
for mission-critical software applications. In fact, poor perceptions
about Microsoft security have become so common that a lot of customers
respond negatively without really knowing why.
On
the Forefront |
Microsoft Forefront represents the company's first
move into the enterprise security market with a single-brand
strategy and comprehensive suite of applications. Microsoft
is doing away with the Antigen name it bought with its
acquisition of Sybari Software Inc. in 2005 and folding
its Antigen product line into the larger Forefront suite.
Following is Microsoft's Forefront product roadmap:
Available now, Microsoft Internet Security and
Acceleration (ISA) Server 2006 is a gateway server
designed to protect a network from Internet-based threats
and give users remote access to applications, the company's
literature says. Microsoft's Steve Brown says the company
expects to release a new Forefront version of ISA with
the release of Longhorn server in late 2007.
The other components of the Forefront suite are scheduled
for general release in the first half of 2007, Brown
says. They include three applications for server security:
- Microsoft Forefront Security for Exchange Server
(currently called Microsoft Antigen for Exchange)
- Microsoft Forefront Security for SharePoint
(currently called Antigen for SharePoint)
- Microsoft Forefront Security for Office Communications
Server (currently called Antigen for Instant Messaging)
The suite also includes Microsoft Forefront Client
Security (formerly called Microsoft Client Protection)
for client and server operating system protection. --
L.P.
|
|
|
"That's more of an emotional or visceral reaction," says Neil
Rosenberg, president and CEO of Quality Technology Solutions Inc. (QTS),
a network integrator and Gold Certified Partner based in Morris Plains,
N.J. "It's almost instinctive or knee-jerk: 'Microsoft security --
I need to say something sarcastic about that.'"
In fact, Microsoft has improved its security infrastructure over the
last several years, particularly with the recent release of its network
security gateway, Internet Security and Acceleration (ISA) Server, says
Rand Morimoto, president and CEO of Oakland, Calif.-based Convergent Computing,
a network consulting and design specialist and Gold Certified Partner.
"We've crossed that bridge already over the last couple of years
with the ISA product," Morimoto says. "Time has proven that
Microsoft's product has proven not to be full of holes."
Not surprisingly, Microsoft officials also say that they've made progress,
particularly since the inception of the Security Development Lifecycle,
the company's development methodology aimed at minimizing security bugs.
"We've made significant investments over the last three to five
years in particular," says Paul Bryan, director of product management
for Forefront Security Products at Microsoft. "We took a large part
of the resources of Microsoft and applied them [to security for] the operating
system. We certainly take our lumps, and a lot of times unfairly so, but
that's the responsibility we have given the size and impact we have on
the industry. As far as messaging that we're conveying to everybody, it
is that we continue to make those investments and make things more secure
from the base level."
Natalie Lambert, security analyst at Forrester Research Inc., in Cambridge,
Mass., says the company's message is working. "Although many experts
view Microsoft's Security Development Lifecycle ... as mere table stakes,
Microsoft is committed to improving its software development and has seen
results from this effort," she wrote in a May report on Microsoft's
move into the security market.
But, despite notable progress, there's still plenty of doubt about Microsoft
security, and it will take time for Microsoft to build positive perceptions
where negative ones have existed for so long, says Dennis Szerszen, vice
president of marketing and corporate strategy at SecureWave SA, a Luxembourg-based
Gold Certified Partner with U.S. headquarters in Herndon, Va.
"It takes a long time to establish a reputation of trust and security,"
says Szerszen, whose company specializes in endpoint security solutions.
"It just takes nanoseconds to ruin it. As long as there are going
to be hacks and cracks and major vulnerabilities, it's going to be hard
[for Microsoft] to establish credibility."
Moving into the Market
Establishing credibility is exactly what Microsoft wants and needs
to do with Forefront, components of which the company will be rolling
out and upgrading over the next 12 to 18 months. Microsoft introduced
the Forefront name and marketing strategy at its Tech Ed conference in
Boston in June.
"We focused a lot in the past on improving the core security in
our products," Microsoft CEO Steve Ballmer told a keynote audience
at the company's Worldwide Partner Conference in July. "Really this
year we will enter the security market in full force ... And while there's
going to be very healthy competition in the security business, I think
having a rich and complete security offer from Microsoft will provide
incredible value to our customers and give you incredible new alternatives
to build business."
A mix of acquired technologies and in-house development (see "How
Forefront Came to Be," this page), the suite goes beyond built-in
operating system security measures and anti-virus protection and offers
a central point of management for network security. The applications are
designed primarily for integration into a Microsoft technology stack.
How
Forefront Came To Be |
A string of acquisitions by Microsoft laid the groundwork
for Forefront:
2003: GeCAD Software, Romania (anti-virus)
2004: GIANT Company Software Inc., New York
(anti-spyware)
2005: Sybari Software Inc., Northport, N.Y.
(message scanning)
2005: FrontBridge Technologies, Los Angeles
(hosted-message scanning)
-- L.P.
|
|
|
Some observers wonder why Microsoft isn't building Forefront functionality
into the stack from the start. Neil MacDonald, vice president and distinguished
analyst at Gartner Inc. in Stamford, Conn., says the company should explain
that its security products should eventually disappear from the market.
"They are selling products that help to protect from vulnerabilities
that they created," he says. "There will always be suspicions
as to Microsoft's intention in the security market. Microsoft should preface
any security discussion by saying that their goal is to eliminate the
need for these products altogether. They should say that it's going to
take years. They need to start by saying their goal is ultimately to put
themselves out of [the security] business."
For his part, Microsoft's Bryan says that partners should make it clear
to potentially confused customers that Forefront provides a suite of applications
designed to protect an entire network at levels that can't be built into
an operating system or existing application. "There's still a need
for securing an enterprise and enabling that central management control,"
he says. "That goes beyond anything that can be placed into the operating
system because you're talking about a network of machines."
In addition, Forrester's Lambert says that Microsoft's security efforts
aren't just focused on the company's own technologies. "Viruses and
vulnerabilities are an industry problem in terms of all software,"
she says. "(Microsoft is) focusing on the bigger problems. They're
protecting themselves more because people will target them more."
Sold as a separate product, Forefront's broad-based enterprise offering
puts Microsoft into competition with a bevy of partners and other competitors
offering similar solutions, and analysts and partners agree that Redmond's
offerings won't necessarily be the best on the market. "It's hard
to say that Microsoft products are better," Morimoto says. "They're
as good as what exists out there."
"They're not best of breed, but I believe they're good enough,"
MacDonald says. "All of (Forefront's) components are solid."
A Classic Case for Integration
So, without a best-of-breed product, how can partners approach
customers with Forefront? By pushing that most common and effective of
Microsoft messages -- that the solution offers product integration and
ease of administration within a Microsoft environment. The hard sell is
Microsoft's classic "better together" pitch: Deploy a homogeneous
Microsoft environment, and avoid hassles with product integration and
licensing. That message should resonate with resource-strapped IT departments,
says Steve Brown, director of product management for Microsoft's Security
Business and Technology Unit. "They don't want to have to be deep
security experts," he says.
Partners and analysts say that simplicity of implementation and management
will be a key Forefront marketing point. "When you're going through
to do patches, the more homogenous the environment is, the easier it is
to license, support and update," Morimoto says. "When you sit
back and say, 'I have my choice of deploying this product or that product
and this product will patch and maintain [the same way that] my Office
and Windows [do],' you say, 'That's a lot easier.'"
IT departments' need to reduce complexity, improve ease of use and ease
integration, combined with their desire to work with fewer vendors, will
all be advantages for Microsoft, MacDonald says. "We're seeing best
of need over best of breed," he says. "That plays to Microsoft's
strength. The fact that Microsoft is not best of breed for some companies
will not matter."
Lambert adds that Forefront's management capabilities and integration
into the Microsoft stack will be an attractive offer in a changing security
market. "If we think about this market, we are no longer looking
for security products," Lambert says. "We are looking for secure
infrastructures. Security is becoming management. If you can add anti-threat
technologies to the bigger configuration problem, you'll be a full step
up. That's something that security vendors are just trying to get into
now. Microsoft has management capabilities that security vendors don't
have."
No Easy Road Ahead
The integration story alone, though, won't be enough to guarantee
Microsoft success in the crowded and complex enterprise security market.
Vendors ranging from traditional security players such as Symantec Corp.,
McAfee Inc. and Trend Micro Inc. to networking vendors like Cisco Systems
Inc. and Citrix Systems Inc. all claim some territory in the space. And,
partners and analysts say, most companies already have some sort of security
infrastructure. Microsoft will, in many cases, have to unseat or at least
complement incumbent vendors at many companies in order to pick up market
share.
Microsoft can do that, in part, by undercutting prices competing vendors
charge for applications, MacDonald says, which should drive prices down
across the market. "Microsoft is a latecomer to markets that already
exist," MacDonald says. "There are incumbent vendors installed.
Microsoft has to come in and at least be cost neutral after you take into
consideration the switching costs." Nevertheless, MacDonald says
that Microsoft could own 40 percent of the enterprise security market
four to five years after the full suite ships.
|
MacDonald and Lambert agree that small and midsize businesses will be
the first to embrace Forefront and will present the best targets for partners
selling the applications. "I think [Forefront] will be more of an
SMB play than an enterprise play," Lambert says. "[SMBs are]
buying into the argument that they have to decrease the number of vendors
and manage everything centrally. SMBs are going to be much more likely
to buy the whole package because management is difficult for them."
She, too, predicts that Microsoft will eventually become a major player
in enterprise security, especially once its applications catch up with
those of its competitors in terms of functionality. And the bigger a player
Microsoft becomes, she says, the more other vendors will innovate in order
to compete.
Meanwhile, Morimoto sees a heated battle ahead. "Microsoft has to
rip and replace, and that's not going to be pretty," Morimoto says.
"They're going to be ripping out Symantec, and the Symantec people
aren't going to be happy."
Torn Between Two (or More) Partners
For the channel, that conflict could cause some confusion. Partners
that deal with both Microsoft and competitors like Symantec could find
two of their major sources of revenue coming into conflict. And Microsoft,
once happy to turn security over to its ISV partners, is now offering
incentives to court security partners of its own. (See "SSA's Sweet
Deal," this page.)
SSA's
Sweet Deal |
Microsoft hopes to bring multiple vendors' security
partners into the Forefront fold and entice its current
partners to the new suite with its Security Software
Advisor (SSA) program, an incentive program it launched
in July.
According to Microsoft's Steve Brown, partners that
take part in the SSA program will receive referral fees
for sales of Antigen and Forefront applications -- 20
percent of the sales price of the product, and 30 percent
with a special deal Microsoft is offering through February.
That's on top of the original partner margin for the
sale. VARs can also get a 5 percent fee on renewals
of existing products on top of normal margins.
In order to participate in the SSA program, partners
must be at least Registered Members of the Microsoft
Partner Program. Then, they must either be members of
the Security Solutions Competency or have passed the
exams to meet requirements for the competency, or be
Sybari partners, or be top-tier members of another security
vendor's program.
-- L.P.
|
|
|
Partners who work with multiple security vendors say that Microsoft is,
not surprisingly, stepping up efforts to have them promote its products
to their clients. And, although they say they're not feeling pressure
to push Forefront at the expense of other options, they are getting the
message that Redmond considers the suite important. "I'm not sure
whether 'pressure' is a good political term," says Morimoto, who
works with multiple security vendors. "Microsoft is ensuring that
we keep Microsoft solutions in mind. You don't bite the hand that feeds
you."
"I shouldn't say it's pressure as much as an expectation," says
Rosenberg, who also works heavily with Symantec. "The expectation
is that we're going to convey the new messaging as much as we've conveyed
the old messaging. The pressure will notch up when the products are actually
shipping."
He adds that competing vendors, including Microsoft, don't always overlap
in terms of functionality. It's possible to continue to work with a range
of partners and to deploy hybrid security infrastructures. "There
are complementary offerings to the extent that Microsoft doesn't delve
into certain fields" such as e-mail archiving and management, he
says. "I've been able to grow Symantec business based on Microsoft
business." QTS, Rosenberg's company, has held joint security seminars
with Microsoft, Symantec and Citrix to discuss how the vendors' solutions
can complement each other, he says.
And partners-turned-competitors aren't ready to cede their market share
to Microsoft, either. "We want to compete with Microsoft in the marketplace
based on the merits of the technology," says Julie Parrish, vice
president of the Global Channel Office at Cupertino, Calif.-based security
giant Symantec, a Gold Certified Partner. "Our belief is that partners
invest in a vendor based on the core competency of that vendor, which,
in Symantec's case, is absolutely security. We're not looking at this
in terms of a new revenue stream. It's a core business."
Parrish is confident that partners will stick with Symantec despite
strong incentives from Microsoft to sell Forefront. She says that Symantec
isn't offering new incentives to partners to counter Microsoft. "Trying
to over-incent the partners to do something which is not necessarily in
concert with where the end customers are does not work very well,"
Parrish says. Symantec's message to its partners, Parrish says, is to
"stay the course -- focus on the vendors that are offering you that
choice and that core technology that your customers want."
Get the Word Out
For those partners who do choose to adopt Forefront, Rosenberg
says, the main challenge isn't managing relationships with multiple partners
but spreading the news about Forefront to potential clients. "There
are a lot of people who don't know half the products Microsoft offers,"
he says. "Most people are trying to keep their networks running.
They don't have time to read [Microsoft] press releases about the new
stuff."
And, despite the challenges both Microsoft and partners face with Redmond's
entry into a new and complex market, Morimoto sees an upside. "There's
an opportunity for Microsoft to take advantage of their relationships
with their customers," he says. "It means more integration consulting
business for us as a partner. It has the potential to be good."