Microsoft, the security company?

The June launch of a new initiative dubbed Palladium underscored Microsoft's security ambitions. Palladium is supposed to be a "trusted" computing system. Translation? An operating system that, unlike Windows, is designed from the ground up to enhance security and prevent hack attacks.

As Gates and his CEO, Steve Ballmer, continue to throw resources behind the security effort, an increasing number of software analysts and industry figures believe Redmond may want to do more than simply make its own software more secure. They think Microsoft may also have its sights set on grabbing a share of a global market for security software hardware, services, and business continuity valued at $66 billion.

New gorilla?
At a minimum, it's going to crash the party--largely by default. With each new upgrade, Microsoft wraps more pieces of traditional security applications into its base-level operating systems and server products. Witness the personal firewall and enhanced encryption capabilities in the desktop version of Microsoft's latest operating system, Windows XP, as well as the virtual private network (VPN) and encryption capabilities built into Windows servers.

The upshot? The lucrative security sector could soon see a new 800-pound gorilla. And even if Microsoft doesn't sell directly against security pure plays, it could heighten the competition by including more security functions in its software.

Those who think Microsoft plans a separate line of security products point to several bits of evidence. Redmond named up-and-comer Michael Nash as the corporate vice-president in charge of its newly formed Security Business Unit in February 2002. Nash's mandate is to make existing products more secure--and to direct the Palladium, or "Trustworthy Computing" initiative, Microsoft's all-hands effort to make present and future products bug-free and impervious to attempts by unauthorized users to control or alter computer systems. "Nash has a reputation for getting things done," says Michael Cherry, an analyst with tech consultancy Directions on Microsoft.

Control and commmand
Nash will be aided by plenty of new hires familiar with security issues. In July, Microsoft signed on Kirill Tatarinov to run its Management Business Systems group. The former chief technology officer of BMC Software is an expert in access-control technology, which allows systems administrators to keep track more easily of who is doing what on their networks.

U.S. Bancorp Piper Jaffray analyst Gene Munster also points to the Security Business Unit's recent addition of several senior executive positions, including five program managers and two group program managers. "These are control and command positions, and not just a bunch of software geeks. They want to grow revenues," says Munster. A telltale indicator: One of those group program managers is focused on new-product development. And Microsoft Group Vice-President Jim Allchin, who moved Nash to his new spot, has publicly stated he thinks the company should sell a lot more security products.

Says Nash: "We have gotten some feedback that once that work [of securing the core operating system and software] is done, there would be opportunities for us to invest in technologies beyond the core product."

Watch out, Cisco
In fact, improving the core product could give Microsoft the code it needs to build a new generation of security applications. It has assembled many of the necessary pieces, most of which, like VPN functionality, already are wrapped into existing operating system software.

The VPN feature lets Windows users connect to corporate networks from remote machines via encrypted "tunnels" that are impervious to eavesdroppers. Microsoft has even built in a router-to-router VPN capability that lets administrators create secure links between sensitive systems inside a corporate network. This type of VPN setup is something Cisco Systems, Check Point, Sonic Wall, and a number of other security companies charge plenty for.

Microsoft has "a lot of components that are not included in the revenue stream because they're built into the operating systems," says Charles Kolodgy, a research manager with tech consultancy IDC. "This shows that Microsoft can expand its offerings along many lines."

For fee or free?
Ultimately, the question for Redmond may be whether it charges for security or gives it away. Thus far, it hasn't charged for security features save for a software firewall called ISA Server, which has received tepid market acceptance. "It's definitely second-tier. It's really only a factor in the small-business market," says John Pescatore, a Gartner security analyst, who notes that the trend in firewalls is toward dedicated appliances rather than pure software that a company must load and configure itself.

Still, selling security products separately might be a natural move for Redmond as it earmarks more research money for making its own code more secure and building Palladium. And security products would augment Microsoft's ongoing transition from a company that makes a desktop operating system to one that gets an increasing percentage of its sales from software that runs corporate networks.

Piper Jaffray's Munster suspects that Redmond could break into any number of security markets, including antivirus software, firewalls, intrusion-detection systems, and automated vulnerability-assement tools. "This is a growth market they haven't really stepped into," says Munster. "An interesting conversation is, do they want to sell only servers, or do they also want to sell stand-alone products? I think they want to sell stand-alone products."

Embedded Windows?
That might not happen until 2004. But signs indicate that Microsoft is laying the groundwork. The September 2002, introduction of a high-speed router with an advanced firewall for MSN broadband consumer and small-business customers marked Microsoft's first hardware product with a security focus in recent memory.

Cherry speculates that the system might be a byproduct of ongoing research into embedding Windows into hardware devices--and possibly a precursor of using this hybrid version of Microsoft code for other security devices aimed at big corporate customers. That would be in keeping with Microsoft's tradition of starting with the small customers and swimming steadily upstream.

With a reputation for sieve-like security, however, Microsoft probably has a tough row to hoe if it wants to crack the protection racket. At the least, it'll have to persuade folks like Jim Kirby, who oversees network security for Wells Dairy of Le Mars, Iowa, the largest family-owned dairy processing company in the county. Kirby manages thousands of desktops and laptops, and says he wouldn't use Microsoft security software as a stand-alone product.

Slow pace
"I don't believe in bundling security software into the operating system--and Microsoft's track record is shoddy," says Kirby. That viewpoint is precisely why potential competitors seem unperturbed. "The first priority for Microsoft is making its own applications secure. And it has a lot of work to do there. So its pace of innovation will naturally be a little slower than for companies that are very focused on" security products, says John DeSantis, the CEO of Sygate, an Oakland, Calif., company that sells personal firewalls to big corporations.

Of course, Microsoft also has a track record of making persistent improvements in products until they become viable, as was the case with its SQL database software and many others. While Redmond clearly faces an uphill push on security, it wouldn't be the first time Gates & Co. has glommed onto a business that others are confident they own.

Microsoft Muscling In on the Market?
First published on November 19, 2002.
By Alex Salkever

Do you think Microsoft could be the 800-pound gorilla in the security market? TalkBack below or e-mail us with your thoughts.