Steve Ballmer: Microsoft Security & Management Seminar

Transcript of Remarks by Steve Ballmer, CEO, Microsoft Corporation
Microsoft Security & Management Seminar
Amsterdam, The Netherlands
April 23, 2007

STEVE BALLMER: It’s my honor to have a chance to be here with you today. I’m going to try to give you kind of a high-level set of what some of the issues are, and challenges we think we’re hearing from you, the folks who actually have to deploy and manage and operate IT systems in companies, in partners, et cetera. And then talk some about particularly from a security and management perspective what we’re trying to do to improve the situation in that ilk.

I thought maybe what I would do is start with some big industry trends that I think everybody will find easy to agree with. Number one is the kind of constant push on this notion of IT being able to, as we like to say in our marketing sometimes, do more with less. The request from business people is not that IT accomplish less things, but there’s constant pressure to be able to implement more applications, new applications, but at lower and lower cost. The tools that we have, or the issues that we have, first and foremost, is industry standards computing. The move of IT increasingly to Intel architecture platforms running operating systems like Windows is a constant tool to help take costs out of IT. Still the largest, most complex systems, many of them are mainframe, proprietary UNIX systems, and any time we can work with people in IT to move those successfully to an Intel architecture machine, and all that implies in terms of lower cost of hardware, software, operation, that’s a very powerful move.

Second industry trend is the trend towards virtualization. This is inevitable, and we start now to see hardware capabilities coming from both Intel and AMD that actually make it more and more possible to do rich virtualization at the software level. Virtualization, as everybody in this room knows, has many benefits. It lets us isolate systems from one another. It gives us the ability to run multiple incompatible things, if you will, on a compatible platform. So it gives us kind of a literal virtualization as well as an applications separation benefit that we can all build from and work from.

Number three is the convergence that we’re seeing in systems, storage, in security design. If you think about this, at least at current state of nature, in our world is that you tend to get different tools with different approaches for systems management, for storage management, for security management, and all of those things are now beginning to converge, and integrate much better together, which gives us the possibility of being able to do more with less.

There’s certainly additional burden being placed on IT departments, particularly in the area of compliance and regulatory issues. The number of issues on this side will not decrease, and the importance of being able to verify that regulatory and other compliance requirements are being met through the information systems is growing, which implies more pressure on you, and more of an obligation on Microsoft and other vendors to really step forward with tools that reduce the cost and complexity of regulatory compliance.

And last, but certainly not least, I think we all have to recognize that we do live and we will continue to live in a world of very diverse IT architectures, whether that’s multiple platforms, multiple applications.

I’ve been in this business now 27 years, and I’ve never had a year where I wasn’t talking to IT people who need to reduce their applications portfolio. It’s amazing. We’ve been reducing application portfolios for 27 years, and yet they continue to expand. And that’s because the number of things people are trying to get done in business continues to increase.

There has been some rationalization and stabilization in the number of computing platforms that people use. I think with the move to industry standard computing, whether it’s Linux, hopefully for all of you it’s Windows, but those two options have emerged as really sort of central options on industry standard platforms. And we are delighted today that well over two-thirds of people who are picking server platforms pick Windows versus Linux or other alternatives.

So we have in some senses less diversity than we have ever had, and yet the need for companies like ours and other companies to focus on interoperability, and a heterogeneous world has, nonetheless, never been higher, and you’ve seen us do more and more work on interoperability, whether it’s interoperability with the UNIX world, interoperability with the legacy mainframe world, with the SAP world, with the Oracle world, with the Linux world, a lot of work with the Open Office world, a lot of work focused in on standards and interoperability.

These are the big trends, and it’s in a sense, in this environment, that we have to formulate our key innovation agenda and bring it to market. And we like to refer to these as our promises. What are the areas in which we are innovating, so we can improve our ability to serve the needs of our IT partners. We put them in four buckets, each of these areas we find is very important relative to our overall mission of enabling businesses to be People-Ready businesses. A People-Ready business is one that puts the employee, the user base, at the center, and IT can really drive valuable information to be available to employees to create business value.

So number one, we have to give you the tools to help you amplify the impact your people can make, how can they get access to the information they need to do their jobs, how do they communicate and collaborate with others in your organization, how do they do analysis, how do they derive insights. We’re not going to talk much about that today, but if you look at the central innovations behind [the 2007] Office [System] and Windows Vista, a lot of that focuses in on helping you amplify the impact of your people.

Similarly, down in the lower right hand of the slide we talk about advancing the business with IT solutions. This talks to the development tools, the line-of-business applications that we deliver under our Microsoft Dynamics product line, applications you may choose to buy from others, but we’ve done a lot of work to continue to push Windows, .NET, Visual Studio into more and more mission-critical applications. Again, I’m not going to spend most of my time in this area, but it is very important as a part of our overall promise, commitment and focus with IT.

The two I do want to spend a lot of time on are, number one, this notion of what does it take for us to give you the tools to help you control access, and protect the information in your organization, and number two, what tools do we give you to manage complexity and achieve the kind of agility that you want to achieve in your operation. If you’re going to be a People-Ready business you’re going to have to move with great speed. It is hard, we all know it is hard to evolve complex IT systems at a rapid rate. Yet, that will be the expectation set that business leaders in all of your companies face, and that we and you need to rise to that challenge together, to help allow you to move with speed, and yet manage effectively, with reliability, the complexity in these organizations.

I want to start with a discussion of where we think we are and where we’re going on the security front, or this notion of protecting information and controlling access. And I thought I’d tell you a little bit about, if you will, the journey we’ve been on. About five years ago we got a real wake up call. Security issues really started to accelerate on the Internet and in our products. Remember, we had built products and designed them initially in a world pre the Internet, and all of a sudden we started to see an increase in the number of security issues.

The first thing that we did was committed ourselves to help improve the reliability and security of our core products. We called that our Trustworthy Computing initiative. We started that in 2002. Bill Gates sent a memo to all of our employees really making Trustworthy Computing our top priority. And we invented and implemented something we call SDL, or a new development process Secure Design Lifecycle, that really changed our development processes in a way to accelerate and dramatically refocus us on some things that would help us improve reliability and improve security.

Windows Server 2003 was the first product shipped with that new development model. We shipped Windows XP SP2 also on that model. And at the same time we launched the second major initiative, our so-called Dynamic Systems initiative, which was really focused in on this notion of designing software and applications from the get go to be more agilely and easily managed.

The products that have come out since, SQL Server, Visual Studio, Windows Server updates, Windows itself, Windows Vista, Office 2007, and now our new Forefront line of security products and System Center line of management products, really form the core of how we think we can help you move forward on the security front, and on the management front.

We did make a decision in around 2004-2005 that not only would we work hard on the core reliability and security of our products, but we would actually introduce a line of value-added products to help you manage and protect information and control access. That is, we were going to be in the security business, so to speak, in addition to just being in the operating-system business. I have to say, some of our customers viewed this a little controversially, in the sense that if we could solve all these problems at the root, why is there a need for extra products.

But we do live in a world in which the bad guys, so to speak, are also getting smarter all the time, and it is important to be able to lock the core infrastructure, and then protect around it in a way that is a bit more dynamic. So we are, with our Forefront line of products, entering the security business, but we’re going to continue, as you’ll see when I talk about our next release of Windows Server, still code-named “Longhorn,” we are continuing to work at the core manageability and security of the operating systems as you get them inside the box.

The one other thing I would add there is, despite our entry into the security business and the management business, we continue to work very well with companies like Symantec, and McAfee and HP and Computer Associates and IBM that have their own line of security and management products. We’re going to be the best, but we’re going to earn it, and many of you are also going to, for a variety of reasons, want to have a more heterogeneous environment, and we’re going to work very well with those other vendors.

Nobody in this room is surprised by the fact that in a sense security is an increasingly challenging problem. The problems of securing these networks aren’t getting simpler, they’re getting more complicated. There are actually less famous public viruses today, this year, than there were two or three years ago, but the problem is the hackers have changed focus. They’re not focused on famous anymore. They’re actually focused in on profit and making money. They’re not just attacking operating systems, they’re attacking applications. When we talk about what’s going on with spyware, what’s going on with the various identity theft strategies, et cetera, we are really focusing on people who have a much more serious profit motivation than the original round of hackers. They’re more advanced, and that puts more burden on you and us to move things forward.

Number two, in a sense managing security is harder the more fragmentation you get in the tools that you are using. It is harder and harder to train your people to be experts in these tools when there are so many little tools, each of which behaves in an independent and different way. We certainly see that at Microsoft as an opportunity, an opportunity to reduce the total number of consoles that you use, to help you correlate a much broader set of events, and to help you generally do a much lower cost job of managing the security of your environment. So, as we were thinking through what would be key to our line of security products, this notion of simplicity, common, if you will, user interface and user model, integration, but nonetheless a comprehensive suite of products that really helps with security at the client, at the server, and at the edges of your network.

And so we are introducing our Forefront line of products. Some of these products we’ve had in market for a while, some were developed at Microsoft, some came to us through acquisition, but it really is for business customers a comprehensive line of products to help you protect information, and secure access to your networks. Our client product is just shipping here in the next month or so, and it really does do hygiene, security, anti-virus all the way down to the client level.

Earlier this year, we shipped product under the Forefront banner to help you protect the security of your Exchange servers, your SharePoint servers, your Office Communications and instant messaging servers, those things must be kept clean and free of virus and other attack for your world to truly be secure. These join our so-called ISA or Internet Security and Acceleration product line which we’ve had in market for a while, but we actually have very robust plans to continue to enhance and update. We’ve got a product that helps, if you will, provide firewall services at the application level, and a second product that helps to provide both acceleration, caching as well as security services, at the edge of your network. This is a major investment for us, it’s a very serious investment for us. We know that if you choose to adopt these products, they instantaneously become mission critical in your environment. So we’re very focused on doing a very good job not only in launching these products, but in providing you the appropriate service so that you can be successful with them.

That’s security. That’s this notion of protecting information and securing access. I want to turn now to one of the other major promises, which is really about management of complexity and achieving agility. And I want to put that in the context of this thing that we’ve announced called our Dynamic Systems initiative. As I said, about three, four years ago, we said, what will it take to really make systems more manageable? And one of the most important things is, we have to make it easier for all of us, Microsoft, third-party software companies, those of you who write code, we have to make it easier for all of us to design management and manageability instrumentation into the applications that we write.

So we started in the middle here with this notion of design for operations. How do we capture what the programmer knows about his or her code to make that easier to manage? So that really started not with a management product, it started with Visual Studio so that you can write and design more manageable applications, and it started with the management instrumentation that we provide in SQL Server, in Windows, in our other building-block products. With the advent of virtualization, we’ve been very, very focused in on that topic. We introduced two key products, our virtual server product, which brings virtualization and a layer of virtualization to Windows Server, and a product that we acquired and are now putting into our broad product line called SoftGrid, which does client and server level application virtualization, and in a sense allows you to wrap and manage applications as a set of virtual packages that you can distribute around the network, and have those run in a much simpler and straight-forward way, all managed and administered centrally.

The other area on which we’ve been focused is really providing the tools for the people who you have who deploy, who manage, who operate these systems to get the information they need to really manage them very, very well. We talk about allowing businesses to be People-Ready businesses. The first thing you’d think we all should do is make sure that everybody that works in information technology can be empowered with the information you need to do your jobs, and that’s been a key focus for us.

I write down here, System Center and Office. Well, System Center is our management product, why did I put down Office, because when it comes time for the ad-hoc analysis and exploration, and some of the more advanced business intelligence that we might want to do against our IT infrastructure, people in IT want to have that same access to standard business capabilities to drive IT as a business process as anybody else in the organization might want to have.

So let me talk a little bit about our System Center product line. We broke it into two pieces, System Center for the Enterprise and System Center for the mid-market. How do you know if you’re a mid-market customer or an enterprise customer? Basically, you decide what toolset. The System Center Essentials product for the mid-market is designed to have a little less capability, a lot more ease of use, and a little lower price. So for people who don’t need as fine-grained control of their environment, but still need to manage, and may have perhaps a much smaller IT organization, I think the tool on the right will be fantastic. For people who are dealing in more complex enterprises, you’ll be looking for all of the kinds of capability that we allow for on the left, service monitor, change and configuration management, backup and recovery, virtual machine management.

Our System Center product line now has five members, System Center Operations Manager, formerly known as Microsoft MOM, this is the product that really provides real-time information about what’s happening in a process, brings that information to a console, and lets you work with it. We have written agents for the console that work with a variety of these different products and, of course, with what we’re doing with Visual Studio, you can now write applications which are very easy to instrument for System Center Operations Manager.

System Center Configuration Manager, which we used to call SMS, some of you I’m sure use that product, it really helps now with the whole end-to-end change management, and configuration management process.

System Center Data Protection Manager, which essentially is a backup and recovery tool, backing up and recovering from disk though, not from tape. It’s now provable that it’s actually cheaper to try to do backup and recovery in general to disk than it is to tape, and we provide tools that help you manage that process.

Our so-called System Center Virtual Machine Manager, which will ship later this year. We are building into the next version of Windows Server, we will build in the virtualization layer. You will not pay extra for a virtual server, but we will have advanced management tools for virtual machines, which you will be able to get separately.

And lastly, a product that’s probably still about nine months or more away, the System Center Service Manager, which is a help desk product, and which we think will be attractive to many of you because of its ease of use, et cetera.

We will continue to extend our management product line, but we really have, again, tried to focus on being simple, integrated, and comprehensive all at the same time. Both of these product lines, Forefront and System Center, have received very positive reaction from industry analysts and from customers. On Forefront you can see a quote here from an analyst, “Microsoft is one of the few vendors that can truly go end-to-end, cloud-to-edge, server-to-client, to make businesses more secure.” Ninety percent of the people who have tried the beta are converting to actually use these products. Gartner e-mail and security analysts put it in their so-called MQ, or Magic Quadrant, when it comes to VPN access, SSL-based VPN access to corporate applications, same thing, a very positive review from Forrester.

On System Center you can see the analyst quote there, “Microsoft’s presence in this market sector is sure to shake up the current market leaders.” We have the fastest growing portfolio according to IDC. We’re already deployed in over 50 percent of large enterprises and, again, in the Magic Quadrant with this so-called Configuration Manager for PC lifecycle management.

So these products, some of which have been in the market for a few years, some of which are being introduced now, but the customer reception, the adoption, the interest, I have to say we have rarely brought to market products that have been as welcomed by the beta customers that we have had as these products have.

Later this year, we’ll ship the next version of Windows Server. This is the one that is based on the technology and code, if you will, that’s built into Windows Vista. This product will have innovations in three buckets. Number one, we’re trying to automate more IT tasks. We’ve built in enhanced scripting and task automation. We’ve also enabled role-based installation of the server. So if you want a server to be a print server, you just tell us, and we take care of the rest of the configuration. This is one of the complexities and opportunity for failure in today’s systems that we try to shrink and automate.

Number two, increase protection, particularly when it comes to network access. How do we make sure somebody proves they have no virus before we allow them to participate in the corporate network, how do we verify that? There’s a whole set of technologies to help keep the network, if you will, clean of viruses and other forms of attack.

And last, but not least, we’re trying to make the system more and more flexible. We have better tools for helping you do centralized application and access management, and with this release, as I said, we will build virtualization directly into the Windows Server product.

We talk about our business at Microsoft as enabling people and businesses throughout the world to realize their full potential. We don’t say anything about technology. We don’t say anything about software. But at the end of the day, our core competence is software. Software is a grand enabler of human capability, human potential, human productivity. What we’re trying to do with these two product lines is apply that same philosophy of empowerment, enablement, efficiency, productivity gain to the world of IT, the world of compliance, the world of security, the world of management, the world of operations that we’re applying to the world of information workers or software developers or other.

I hope many of you have had the experience of working with some of the released products. I hope all of you will take advantage of the opportunity to engage with our technical professionals here in The Netherlands to really learn about the new product, and hopefully you’ll share the enthusiasm that our lead customers have for some of these innovations. It’s been my pleasure to have a chance to make these remarks to you today.
