Vista threatens Windows app security market
- By Mathew Schwartz
- June 5, 2006

Vista’s arrival will shake up the $3.6 billion Windows security market,
according to Yankee Group. With more security built into Microsoft’s next
operating system, many enterprises will jettison at least some of the third-party
Windows security products they use, to save money and management time. What are
the implications for IT managers?

“Vista’s security enhancements will immediately reduce security
issues for customers—but only for those intrepid few willing to upgrade
PCs, migrate users, and endure some initial pains,” says Andrew Jaquith,
Yankee Group analyst.

According to Microsoft, Vista’s security features will include least-privileged
access, a more secure registry, hardened network services, an Internet Explorer
sandbox and an antiphishing filter, integrated antispyware, a two-way firewall,
boot integrity, disk encryption, and compatibility with Network Access Protection

One challenge for early adopters will be grappling with least-privileged access
because orgs will have to specify access levels from scratch. Some apps won’t
function with least-privileged access, necessitating rewrites, which may slow

That’s why, unless enterprises plan to upgrade to Vista as soon as it’s
released, Yankee Group recommends delaying implementation—until 2008.
By then, Vista’s management tools will have matured, making implementation
faster and easier.

What types of security software will Vista ultimately displace? For hints, look
to Microsoft’s security acquisitions in the past few years: GeCAD (antivirus
software), GIANT (antispyware), Sybari (server and gateway antivirus software),
and FrontBridge Technologies (antispam software). The GeCAD technology is the
basis of Microsoft’s antivirus and antimalware software. Microsoft retooled
GIANT’s technology, now rebranded as Windows Defender, with a new version
set to ship as part of Vista.

Last June Microsoft launched OneCare Live, a managed antivirus and antispyware
service for consumers. In October, Microsoft announced Client Protection, a
managed service—including antimalware software and Active Directory—aimed

Yet while there are a number of security capabilities Microsoft could simply
build into Vista, the software giant appears to be treading carefully, and notably
isn’t including antivirus out of the box. “Introducing antivirus
features into Windows would only further antagonize its security partners—and
invite unwanted scrutiny from regulators,” says Jaquith. “Instead,
Microsoft will market its own aftermarket antivirus/antispyware products.”

Vendors of antispyware software and host-based firewalls will get squeezed immediately.
To a lesser extent, vendors offering bad-behavior blocking (a kind of intrusion
prevention), disk encryption, and device control (such as USB-port blocking)
software will also be affected. Enterprises, on the other hand, may ultimately
save money because these features will be available in Vista, or at least Vista
Service Pack 1.

As part of Vista, Microsoft will release the NAP protocol for securing endpoints.
NAP’s goal is to tie various products and technologies together—antivirus,
antispyware, personal firewalls, and so on—to allow companies to assess
whether a PC requesting network access is running required software, and has
appropriate updates installed, before granting it network access.

To realize NAP’s benefits, an org must upgrade all of its PCs to Vista,
which may take years for many enterprises. NAP also requires encrypted network
traffic, something many IT managers don’t like because it complicates
network monitoring. “We believe NAP is dead on arrival,” says Jaquith.
Endpoint security solutions without such constraints are already available,
plus they’re “cheaper to deploy and provide equivalent benefits”
to NAP, he says. In fact, that goes for many of Vista’s new security features:
such capabilities are already available from third-party vendors, or by practicing
disciplined configuration management. “Rather than exhaust capital budgets
on ‘big bang’ platform rollouts, enterprises should incrementally
roll out the security features they need,” he advises.