You patch, we pay, says Microsoft

Microsoft is paying for security assessments of its customers' networks to help improve policies in areas such as software patch management and assuage fears about potential security risks.

The Microsoft Patch Assurance Security Service was started in late 2003. As part of the programme, the company is offering free security audits to all of its enterprise customers and paying for the services of third-party security consultants, including Internet Security Systems, to do the audits.

In many cases, Microsoft's patch management products and services, including Systems Management Server (SMS) and Software Update Services (SUS), are recommended to customers as part of the audit.

Figures on the total cost of the Patch Assurance Security Service were not available, but it is an extensive programme to reach out to Microsoft's entire enterprise customer base, defined as customers with 500 or more Windows desktops, said Peter Noelle, a partner account manager at Microsoft in Atlanta.

Microsoft has contacted around 75% of the 200 enterprise customers in the district that includes Atlanta, and the "vast majority" of these - more than 90% - have signed up for the free service. The company hoped to contact all its enterprise customers by the end of its financial year in June.

Microsoft is offering the same service in each of 17 regional districts in the US, using local and national consulting partners to perform the assessments.

Microsoft pays for the services of both companies on behalf of its customers, which are typically Microsoft-centric organisations using a "significant amount" of Microsoft technology.

The purpose of the programme is to reduce the number of Microsoft customers who do not apply software updates, by promoting patch management best practices. Secondarily, Microsoft is hoping to boost its credibility in the enterprise space on issues of security.

Assessments can last from days to weeks and range from "best practices" cases where few recommendations are needed to "dark pictures" where a "very significant" amount of work is required.

Typically, the assessment concludes with a set of recommendations and "actionable steps" that companies should take to improve their patch management processes.

Microsoft's sales organisation follows up on the recommendations with the customer. In addition, Microsoft's partner companies often land contract work stemming from the assessments they perform.

Microsoft recommends the use of its SMS, but it's up to the customer to decide.

That limited product focus could be a problem for Microsoft customers, said John Pescatore, vice president at Gartner. "The problem is that SMS is not a strong product...When people ask us about patch management, we talk about SMS but we don't consider it a leader."

Products from Novadigm, Altiris and others outperform SMS and an independent assessment would mention such products in its findings, he added.

Microsoft is not the only company hoping to cash in on the recommendations that follow the assessments. ISS will announce a range of security assessment, remediation and management services for Microsoft customers later today.

ISS will offer a programme to perform "deep assessments" of Microsoft customer networks with the goal of improving software patching processes and systems.

Paul Roberts writes for IDG News Service