Vista threatens Windows app security market

Vista’s arrival will shake up the $3.6 billion Windows security market, according to Yankee Group. With more security built into Microsoft’s next operating system, many enterprises will jettison at least some of the third-party Windows security products they use, to save money and management time. What are the implications for IT managers?

“Vista’s security enhancements will immediately reduce security issues for customers—but only for those intrepid few willing to upgrade PCs, migrate users, and endure some initial pains,” says Andrew Jaquith, Yankee Group analyst.

According to Microsoft, Vista’s security features will include least-privileged access, a more secure registry, hardened network services, an Internet Explorer sandbox and an antiphishing filter, integrated antispyware, a two-way firewall, boot integrity, disk encryption, and compatibility with the Network Access Protection (NAP) protocol.

One challenge for early adopters will be grappling with least-privileged access because orgs will have to specify access levels from scratch. Some apps won’t function with least-privileged access, necessitating rewrites, which may slow Vista rollouts.

That’s why, unless enterprises plan to upgrade to Vista as soon as it’s released, Yankee Group recommends delaying implementation—until 2008. By then, Vista’s management tools will have matured, making implementation faster and easier.

What types of security software will Vista ultimately displace? For hints, look to Microsoft’s security acquisitions in the past few years: GeCAD (antivirus software), GIANT (antispyware), Sybari (server and gateway antivirus software), and FrontBridge Technologies (antispam software). The GeCAD technology is the basis of Microsoft’s antivirus and antimalware software. Microsoft retooled GIANT’s technology, now rebranded as Windows Defender, with a new version set to ship as part of Vista.

Last June Microsoft launched OneCare Live, a managed antivirus and antispyware service for consumers. In October, Microsoft announced Client Protection, a managed service—including antimalware software and Active Directory—aimed at businesses.

Yet while there are a number of security capabilities Microsoft could simply build into Vista, the software giant appears to be treading carefully, and notably isn’t including antivirus out of the box. “Introducing antivirus features into Windows would only further antagonize its security partners—and invite unwanted scrutiny from regulators,” says Jaquith. “Instead, Microsoft will market its own aftermarket antivirus/antispyware products.”

Vendors of antispyware software and host-based firewalls will get squeezed immediately. To a lesser extent, vendors offering bad-behavior blocking (a kind of intrusion prevention), disk encryption, and device control (such as USB-port blocking) software will also be affected. Enterprises, on the other hand, may ultimately save money because these features will be available in Vista, or at least Vista Service Pack 1.

As part of Vista, Microsoft will release the NAP protocol for securing endpoints. NAP’s goal is to tie various products and technologies together—antivirus, antispyware, personal firewalls, and so on—so that a company can assess whether a PC requesting network access is running the required software and has the appropriate updates installed before it is granted access.
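The admission decision described above can be illustrated with a small policy evaluator. This is an added, constructed example, not Microsoft’s NAP implementation or any code from the article: the health-statement fields, the policy thresholds, the host names and the patch identifiers are all assumed. It generalizes the article’s single case (antivirus, antispyware, firewall, updates) into a rule set that any set of required checks could be plugged into, and it records what a non-compliant endpoint must fix before it is allowed on.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class HealthStatement:
    """What an endpoint reports about itself when it asks for network access.
    Field names are assumed for this illustration."""
    host: str
    antivirus_running: bool
    signature_date: date          # date of the newest antivirus signature set installed
    firewall_enabled: bool
    antispyware_running: bool
    missing_patches: tuple = ()   # identifiers of required updates not yet installed


@dataclass
class Policy:
    """Thresholds the network enforces before granting access (assumed values)."""
    max_signature_age_days: int = 7
    require_firewall: bool = True
    require_antispyware: bool = True


@dataclass
class Decision:
    host: str
    granted: bool
    remediations: list = field(default_factory=list)


def evaluate(statement: HealthStatement, policy: Policy, today: date) -> Decision:
    """Compare one health statement against the policy. Any failed rule denies
    access and adds a remediation the endpoint must complete before retrying."""
    fixes = []
    if not statement.antivirus_running:
        fixes.append("start antivirus")
    elif today - statement.signature_date > timedelta(days=policy.max_signature_age_days):
        fixes.append("update antivirus signatures")
    if policy.require_firewall and not statement.firewall_enabled:
        fixes.append("enable host firewall")
    if policy.require_antispyware and not statement.antispyware_running:
        fixes.append("start antispyware")
    if statement.missing_patches:
        fixes.append("install patches: " + ", ".join(statement.missing_patches))
    return Decision(statement.host, granted=not fixes, remediations=fixes)


# Constructed sample statements from three endpoints (host names and patch ids are made up).
TODAY = date(2007, 1, 15)
SAMPLE_STATEMENTS = [
    HealthStatement("ws-alpha", True, date(2007, 1, 14), True, True),
    HealthStatement("ws-bravo", True, date(2006, 12, 20), True, True),      # signatures 26 days old
    HealthStatement("ws-charlie", True, date(2007, 1, 13), False, True,
                    missing_patches=("patch-001", "patch-002")),
]


def evaluate_all(statements=SAMPLE_STATEMENTS, policy=Policy(), today=TODAY):
    """Evaluate every statement and return the list of decisions, in input order."""
    return [evaluate(s, policy, today) for s in statements]


if __name__ == "__main__":
    for d in evaluate_all():
        status = "GRANT" if d.granted else "QUARANTINE"
        print(f"{d.host:<12} {status:<11} {'; '.join(d.remediations)}")
```

Running the script grants ws-alpha and quarantines the other two with their remediation lists. The design choice worth noting is that the evaluator never short-circuits on the first failure: collecting every unmet requirement in one pass is what lets the endpoint be told everything it must fix before it asks again, which is the remediation step the article’s description of NAP implies.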

To realize NAP’s benefits, an org must upgrade all of its PCs to Vista, which may take years for many enterprises. NAP also requires encrypted network traffic, something many IT managers don’t like because it complicates network monitoring. “We believe NAP is dead on arrival,” says Jaquith.

Endpoint security solutions without such constraints are already available, plus they’re “cheaper to deploy and provide equivalent benefits” to NAP, he says. In fact, that goes for many of Vista’s new security features: such capabilities are already available from third-party vendors, or by practicing disciplined configuration management. “Rather than exhaust capital budgets on ‘big bang’ platform rollouts, enterprises should incrementally roll out the security features they need,” he advises.