I was fortunate today to attend a Microsoft security day. Yes, I know it sounds like an oxymoron, but there’s a lot of good security stuff going on in Redmond these days. And it’s all in the right direction, with developments such as security in the system development lifecycle, laptop encryption, federated identity management, secure unified communications and various other security solutions.
This particular session was arranged by the ISSA. It’s an excellent institution, which is building an impressive UK base, around a thousand members. If you’re not a member, I’d recommend you join because this is without doubt the best value security club. It has quality members, impressive influence and has sensibly sought to exploit vendor sponsorship to keep down the costs of membership. They’re also offering a free trial membership at present. I shall certainly be joining.
Several things caught my eye at Microsoft. For example, I’m very interested in Microsoft’s internal security. They are the most attacked organisation on the planet, yet they survive with no special technology. If nothing else, this demonstrates that we’re certainly not short of adequate solutions. They claim to have no special “magic wall”. That demonstrates that today’s technology is still fit for purpose.
What’s also interesting is that Microsoft have elected to be early adopters of their own emerging technologies. Of course that’s something that all vendors should do. I’m especially interested in voice and data convergence, for example. And I’m impressed that Microsoft seem to have implemented this without any significant, reported problems. They do of course invest quite heavily in internal security, much more than the average organisation, and definitely at the high end of any benchmark, though they will argue that the free software makes it all seem relatively cheap.
I’m also interested in laptop encryption, which is vastly more complex than appears at first sight. There is no single solution. It depends on the level of risk. I like the fact that you can select one of several levels of security by combining features.
Building security in the system development lifecycle is also extremely important, and I’m pleased to see that Microsoft are not only addressing this issue themselves but also providing the benefit of their experience to a wider community. It’s one area that would deliver massive benefits if we could achieve a collective upgrade in our approach to system development. However, we have to work on convincing our business customers that security is as important as development speed and agility.
But one thing that particularly caught my eye was the fact that Microsoft offer free support to people who experience cyber attacks. If you’re attacked and compromised then you get a completely free support service. That’s something you rarely see in today’s cash-strapped business world.
There are, of course, still many things that are far from ideal about Microsoft security. But you certainly can’t fault them for trying.