In-Depth

Partners in Security

Microsoft hasn't always had a great reputation for keeping things safe. The company hopes to change that impression and its partner relationships with a serious move into the enterprise security market.

• By Lee Pender
• November 01, 2006

The two words appear together all the time, but mostly in a negative context. Read the IT industry news on almost any given day, and you're likely to see stories about Microsoft's security struggles: vulnerabilities in Windows and other applications, virus attacks, patches -- and sometimes even patches for patches.

Microsoft has worked for years to improve security for its own operating system and applications and has made significant progress in that area. But many business users and IT professionals remain skeptical about how secure the company's products really are. And now, against the backdrop of this still-questionable reputation for securing its products, Microsoft is making the bold move of selling a full suite of security applications for the enterprise.

With its Forefront line of security applications for businesses, officially introduced in June, the company is starting an effort to establish itself as a key vendor in a market that it has previously been happy to turn over to Independent Software Vendor (ISV) partners. Those partner-turned-competitor ISVs will have to respond to Microsoft's challenge, just as other partners will need to manage relationships both with current ISV security partners and with Microsoft in order to fully exploit the opportunities that Forefront creates.

Changing Perceptions
Partners say that they still struggle with Microsoft's spotty reputation for security. "It's something that gets brought up at every sales call," says Hugh Kelly, vice president of marketing at Network Engines Inc., a Canton, Mass.-based Gold Certified Partner and provider of appliances for mission-critical software applications. In fact, poor perceptions about Microsoft security have become so common that a lot of customers respond negatively without really knowing why.

"That's more of an emotional or visceral reaction," says Neil Rosenberg, president and CEO of Quality Technology Solutions Inc. (QTS), a network integrator and Gold Certified Partner based in Morris Plains, N.J. "It's almost instinctive or knee-jerk: 'Microsoft security -- I need to say something sarcastic about that.'"

In fact, Microsoft has improved its security infrastructure over the last several years, particularly with the recent release of its network security gateway, Internet Security and Acceleration (ISA) Server, says Rand Morimoto, president and CEO of Oakland, Calif.-based Convergent Computing, a network consulting and design specialist and Gold Certified Partner. "We've crossed that bridge already over the last couple of years with the ISA product," Morimoto says. "Time has proven that Microsoft's product has proven not to be full of holes."

Not surprisingly, Microsoft officials also say that they've made progress, particularly since the inception of the Security Development Lifecycle, the company's development methodology aimed at minimizing security bugs.

"We've made significant investments over the last three to five years in particular," says Paul Bryan, director of product management for Forefront Security Products at Microsoft. "We took a large part of the resources of Microsoft and applied them [to security for] the operating system. We certainly take our lumps, and a lot of times unfairly so, but that's the responsibility we have given the size and impact we have on the industry. As far as messaging that we're conveying to everybody, it is that we continue to make those investments and make things more secure from the base level."

Natalie Lambert, security analyst at Forrester Research Inc., in Cambridge, Mass., says the company's message is working. "Although many experts view Microsoft's Security Development Lifecycle ... as mere table stakes, Microsoft is committed to improving its software development and has seen results from this effort," she wrote in a May report on Microsoft's move into the security market.

But, despite notable progress, there's still plenty of doubt about Microsoft security, and it will take time for Microsoft to build positive perceptions where negative ones have existed for so long, says Dennis Szerszen, vice president of marketing and corporate strategy at SecureWave SA, a Luxembourg-based Gold Certified Partner with U.S. headquarters in Herndon, Va.

"It takes a long time to establish a reputation of trust and security," says Szerszen, whose company specializes in endpoint security solutions. "It just takes nanoseconds to ruin it. As long as there are going to be hacks and cracks and major vulnerabilities, it's going to be hard [for Microsoft] to establish credibility."

Moving into the Market
Establishing credibility is exactly what Microsoft wants and needs to do with Forefront, components of which the company will be rolling out and upgrading over the next 12 to 18 months. Microsoft introduced the Forefront name and marketing strategy at its Tech Ed conference in Boston in June.

"We focused a lot in the past on improving the core security in our products," Microsoft CEO Steve Ballmer told a keynote audience at the company's Worldwide Partner Conference in July. "Really this year we will enter the security market in full force ... And while there's going to be very healthy competition in the security business, I think having a rich and complete security offer from Microsoft will provide incredible value to our customers and give you incredible new alternatives to build business."

A mix of acquired technologies and in-house development (see "How Forefront Came to Be," this page), the suite goes beyond built-in operating system security measures and anti-virus protection and offers a central point of management for network security. The applications are designed primarily for integration into a Microsoft technology stack.

Some observers wonder why Microsoft isn't building Forefront functionality into the stack from the start. Neil MacDonald, vice president and distinguished analyst at Gartner Inc. in Stamford, Conn., says the company should explain that its security products should eventually disappear from the market. "They are selling products that help to protect from vulnerabilities that they created," he says. "There will always be suspicions as to Microsoft's intention in the security market. Microsoft should preface any security discussion by saying that their goal is to eliminate the need for these products altogether. They should say that it's going to take years. They need to start by saying their goal is ultimately to put themselves out of [the security] business."

For his part, Microsoft's Bryan says that partners should make it clear to potentially confused customers that Forefront provides a suite of applications designed to protect an entire network at levels that can't be built into an operating system or existing application. "There's still a need for securing an enterprise and enabling that central management control," he says. "That goes beyond anything that can be placed into the operating system because you're talking about a network of machines."

In addition, Forrester's Lambert says that Microsoft's security efforts aren't just focused on the company's own technologies. "Viruses and vulnerabilities are an industry problem in terms of all software," she says. "(Microsoft is) focusing on the bigger problems. They're protecting themselves more because people will target them more."

Sold as a separate product, Forefront's broad-based enterprise offering puts Microsoft into competition with a bevy of partners and other competitors offering similar solutions, and analysts and partners agree that Redmond's offerings won't necessarily be the best on the market. "It's hard to say that Microsoft products are better," Morimoto says. "They're as good as what exists out there."

"They're not best of breed, but I believe they're good enough," MacDonald says. "All of (Forefront's) components are solid."

A Classic Case for Integration
So, without a best-of-breed product, how can partners approach customers with Forefront? By pushing that most common and effective of Microsoft messages -- that the solution offers product integration and ease of administration within a Microsoft environment. The hard sell is Microsoft's classic "better together" pitch: Deploy a homogeneous Microsoft environment, and avoid hassles with product integration and licensing. That message should resonate with resource-strapped IT departments, says Steve Brown, director of product management for Microsoft's Security Business and Technology Unit. "They don't want to have to be deep security experts," he says.

Partners and analysts say that simplicity of implementation and management will be a key Forefront marketing point. "When you're going through to do patches, the more homogenous the environment is, the easier it is to license, support and update," Morimoto says. "When you sit back and say, 'I have my choice of deploying this product or that product and this product will patch and maintain [the same way that] my Office and Windows [do],' you say, 'That's a lot easier.'"

IT departments' need to reduce complexity, improve ease of use and ease integration, combined with their desire to work with fewer vendors, will all be advantages for Microsoft, MacDonald says. "We're seeing best of need over best of breed," he says. "That plays to Microsoft's strength. The fact that Microsoft is not best of breed for some companies will not matter."

Lambert adds that Forefront's management capabilities and integration into the Microsoft stack will be an attractive offer in a changing security market. "If we think about this market, we are no longer looking for security products," Lambert says. "We are looking for secure infrastructures. Security is becoming management. If you can add anti-threat technologies to the bigger configuration problem, you'll be a full step up. That's something that security vendors are just trying to get into now. Microsoft has management capabilities that security vendors don't have."

No Easy Road Ahead
The integration story alone, though, won't be enough to guarantee Microsoft success in the crowded and complex enterprise security market. Vendors ranging from traditional security players such as Symantec Corp., McAfee Inc. and Trend Micro Inc. to networking vendors like Cisco Systems Inc. and Citrix Systems Inc. all claim some territory in the space. And, partners and analysts say, most companies already have some sort of security infrastructure. Microsoft will, in many cases, have to unseat or at least complement incumbent vendors at many companies in order to pick up market share.

Microsoft can do that, in part, by undercutting prices competing vendors charge for applications, MacDonald says, which should drive prices down across the market. "Microsoft is a latecomer to markets that already exist," MacDonald says. "There are incumbent vendors installed. Microsoft has to come in and at least be cost neutral after you take into consideration the switching costs." Nevertheless, MacDonald says that Microsoft could own 40 percent of the enterprise security market four to five years after the full suite ships.

MacDonald and Lambert agree that small and midsize businesses will be the first to embrace Forefront and will present the best targets for partners selling the applications. "I think [Forefront] will be more of an SMB play than an enterprise play," Lambert says. "[SMBs are] buying into the argument that they have to decrease the number of vendors and manage everything centrally. SMBs are going to be much more likely to buy the whole package because management is difficult for them." She, too, predicts that Microsoft will eventually become a major player in enterprise security, especially once its applications catch up with those of its competitors in terms of functionality. And the bigger a player Microsoft becomes, she says, the more other vendors will innovate in order to compete.

Meanwhile, Morimoto sees a heated battle ahead. "Microsoft has to rip and replace, and that's not going to be pretty," Morimoto says. "They're going to be ripping out Symantec, and the Symantec people aren't going to be happy."

Torn Between Two (or More) Partners
For the channel, that conflict could cause some confusion. Partners that deal with both Microsoft and competitors like Symantec could find two of their major sources of revenue coming into conflict. And Microsoft, once happy to turn security over to its ISV partners, is now offering incentives to court security partners of its own. (See "SSA's Sweet Deal," this page.)

Partners who work with multiple security vendors say that Microsoft is, not surprisingly, stepping up efforts to have them promote its products to their clients. And, although they say they're not feeling pressure to push Forefront at the expense of other options, they are getting the message that Redmond considers the suite important. "I'm not sure whether 'pressure' is a good political term," says Morimoto, who works with multiple security vendors. "Microsoft is ensuring that we keep Microsoft solutions in mind. You don't bite the hand that feeds you."

"I shouldn't say it's pressure as much as an expectation," says Rosenberg, who also works heavily with Symantec. "The expectation is that we're going to convey the new messaging as much as we've conveyed the old messaging. The pressure will notch up when the products are actually shipping."

He adds that competing vendors, including Microsoft, don't always overlap in terms of functionality. It's possible to continue to work with a range of partners and to deploy hybrid security infrastructures. "There are complementary offerings to the extent that Microsoft doesn't delve into certain fields" such as e-mail archiving and management, he says. "I've been able to grow Symantec business based on Microsoft business." QTS, Rosenberg's company, has held joint security seminars with Microsoft, Symantec and Citrix to discuss how the vendors' solutions can complement each other, he says.

And partners-turned-competitors aren't ready to cede their market share to Microsoft, either. "We want to compete with Microsoft in the marketplace based on the merits of the technology," says Julie Parrish, vice president of the Global Channel Office at Cupertino, Calif.-based security giant Symantec, a Gold Certified Partner. "Our belief is that partners invest in a vendor based on the core competency of that vendor, which, in Symantec's case, is absolutely security. We're not looking at this in terms of a new revenue stream. It's a core business."

Parrish is confident that partners will stick with Symantec despite strong incentives from Microsoft to sell Forefront. She says that Symantec isn't offering new incentives to partners to counter Microsoft. "Trying to over-incent the partners to do something which is not necessarily in concert with where the end customers are does not work very well," Parrish says. Symantec's message to its partners, Parrish says, is to "stay the course -- focus on the vendors that are offering you that choice and that core technology that your customers want."

Get the Word Out
For those partners who do choose to adopt Forefront, Rosenberg says, the main challenge isn't managing relationships with multiple partners but spreading the news about Forefront to potential clients. "There are a lot of people who don't know half the products Microsoft offers," he says. "Most people are trying to keep their networks running. They don't have time to read [Microsoft] press releases about the new stuff."

And, despite the challenges both Microsoft and partners face with Redmond's entry into a new and complex market, Morimoto sees an upside. "There's an opportunity for Microsoft to take advantage of their relationships with their customers," he says. "It means more integration consulting business for us as a partner. It has the potential to be good."