Microsoft security chief backs users on need to 'deperimeterise' network security


Microsoft is responding to demands from users to move security away from protecting the perimeter of IT systems to protecting individual components of the corporate IT infrastructure.

Detlef Eckert, Microsoft's chief security adviser for Europe, last week echoed demands from the high-level user group the Jericho Forum for "security deperimeterisation". He said Microsoft would focus on security features that would allow organisations to extend their networks securely.

Microsoft needed to respond to a new "network paradigm" in which technology such as instant messaging and virtual private networks blurred the boundaries of company networks, Eckert said.

"We see the need for defence in depth, looking at data and the network," he said.

In the past, application security meant isolating one application from another, but the increasing need for applications to communicate presented new security challenges, said Eckert.

Responding to claims by some users that Microsoft products contain too many vulnerabilities, Eckert said the company faced a harder struggle than other suppliers because it had to secure platforms rather than standalone applications.

"The challenge for Microsoft to produce defences to attacks is higher than for other suppliers," he said. "It is not only about operating systems or Internet Explorer. Most Microsoft products are not self-contained."

Despite this, Microsoft has reduced the number of vulnerabilities in new products by between three and four times by investing heavily in security, said Eckert.

As part of its Trustworthy Computing initiative, the company has changed the way it develops software, with developers producing security risk assessments at the time they come up with new ideas, rather than afterwards.

Microsoft now places the importance of improving security features in its products ahead of backwards compatibility, said Eckert. "In the past, the company was religious about backwards compatibility. In the past, you had to make trade-offs, which meant backwards compatibility was a barrier to better security," he said.

Windows XP Service Pack 2 came with a new design of Internet Explorer and the firewall turned on by default, even though this might cause some temporary compatibility issues for some users.

Microsoft has also simplified its patching procedures by reducing the number of update engines from eight to two, said Eckert.

Microsoft's improving record

Windows 2000 Server had 64 vulnerabilities two years after shipping, but this number had fallen to 27 vulnerabilities for Windows 2003 Server. Microsoft's latest web server, IIS 6, had virtually no serious errors two years after its release, the company said.
