It’s always easy and fashionable to knock big vendors, especially when there are vested interests at stake. So it’s not surprising to see one or two negative press comments on the release of Microsoft’s new operating system. But it’s hard for anyone to deny that Vista is a most welcome arrival because it does represent the launch of a new era for enterprise and desktop security in many organisations.
Like everybody else, I’ve always been concerned about the large number of security flaws in previous releases and the need to install additional point solutions to achieve a decent level of enterprise security. These problems are not confined to Microsoft. Very little shrink-wrapped software is designed with good security in mind. There are simply not enough security-trained programmers out there. And there are very few systems development life-cycle methodologies that contain sufficient security checks, such as the need for a security risk assessment, for security architecture, for secure coding standards and for scans of source code for security flaws. Microsoft has addressed these points, whilst others have not. But you can’t change everything overnight. It will take many years to correct the imperfect practices of the last two decades.
And the stakes are high. The consequences of not addressing the insecurities in our operating systems are enormous. The security of Microsoft products is fundamental to safeguarding our critical national infrastructure and business services, and to helping check the current escalation in organised criminal activity. So it’s reassuring to see Microsoft responding to these problems with a serious change programme, rather than a few cosmetic security features. Ed Gibson, Microsoft’s Chief Security Advisor and former FBI agent, assures me that Microsoft is fully committed to building a safer computing environment. And I know Ed would not put his reputation on the line if this were not true.
Vista offers much greater potential for organisations to achieve industrial-strength desktop security. It introduces major new features such as full disk encryption, better user account control, better network access protection and the potential for easier incorporation of strong authentication devices. The software itself has been designed using a superior security development lifecycle. So hopefully we may see fewer security vulnerabilities in the future. Of course, the jury will still be out on the effectiveness of some built-in features, such as the anti-malware system. Only time will tell if this will be as effective as alternative options. But Vista represents a firm step in the right direction, so we should all celebrate its arrival.