A New Approach to Enterprise Security

REDMOND, Wash. — April 16, 2009 — Security continues to be a top challenge for enterprises – especially with shrinking IT budgets. Many companies struggle to balance their business objectives with the need to protect and comply. PressPass spoke with Douglas Leland, general manager of Microsoft Corp.’s Identity and Security Business Group, about the company’s strategy to help provide “Business Ready Security.”

PressPass: What is happening in the enterprise security market these days?

Leland: The conversations I have with customers tell me enterprise IT leaders face a real and growing tension. On the one hand, they are being pushed to deliver more business value. They need to make information and applications more easily accessible and enable collaboration across company boundaries. On the other hand, they are being asked to protect information from increasingly sophisticated threats and to comply with regulatory requirements.

To me, security officers and IT leaders are the unsung heroes in their organization. They accomplish amazing things by integrating multiple solutions and securing their environments. But vendors generally haven’t done enough to make this easier. Tight budgets in the current economic environment exacerbate this tension, though security remains a top area of investment. Forrester predicts that companies will devote 12.6 percent of IT budgets to security in 2009, up from 7.2 percent in 2007.*

PressPass: So, what is needed to change this dynamic?

Leland: Security managers are telling us they want to be more responsive to the needs of their business. They want the solutions and guidance to protect their organizations and manage compliance, but also to empower their information workers. Perhaps most important, they want to make the most of their current IT investments and the infrastructure they have today. All of this signals the need for a shift to what we think of as “Business Ready Security.”

PressPass: What is Microsoft doing to enable Business Ready Security?

Leland: Business Ready Security is both a destination for customers and our long-term strategy to help them get there. The ultimate goal is to help companies manage risk while achieving their business objectives. We are focusing our efforts in three areas.

One, we are providing protection that spans the breadth of a company’s systems and data while allowing access for employees, based on their identity, from virtually anywhere.

For example, today we are introducing Forefront Online Security for Exchange, a Microsoft Online Service, which protects e-mail from spam and malware. This is the first of our Forefront Online services to complement our software-based Forefront offerings. Note that we have expanded the Forefront brand to cover our portfolio of identity and security solutions. For example, our Identity Lifecycle Manager product is now officially named Forefront Identity Manager. We see the Forefront brand as synonymous with Business Ready Security.

Another important solution in this area is Microsoft code-named “Geneva,” a new set of technologies that make it dramatically easier for customers to build security-enhanced access into software and hosted services.

Two, we are making security experiences and compliance management much simpler and cost-effective for both IT and businesspeople. In support of this, today we are announcing a new, public test version of Forefront, code-named “Stirling.” “Stirling” is an integrated security suite that coordinates protection and visibility across desktops, servers, applications and the network edge.

Three, we want to help customers extend security across the entirety of their enterprises. That means continuing to build security features into Windows and our IT software solutions. It also means interoperating with non-Windows environments through partnerships and open standards.

PressPass: How is this strategy different?

Leland: I view our approach as a real departure from the status quo. We have a much broader definition of security that includes protection, access, management and user identity.

Central to our efforts is bringing identity and security together. By considering identity and security as two sides of the same coin we are aligned with how customers think about the problem. This is in genuine contrast with other companies, which are generally in either the security or the identity business.

Another distinction is our deep integration with Microsoft infrastructure software, which means customers can more easily realize return on their previous investments. The Server and Tools Business at Microsoft is growing rapidly. Customers are buying into our IT offerings and like how our security solutions integrate with them.

Also, our strategy is a core part of companywide efforts like in-depth security research and response and the Security Development Lifecycle, which is used in the creation of all of our products. Extensive work with partners and standard bodies contribute to our strengths over other vendors, too.

PressPass: Does your strategy involve the rest of the identity and security industry?

Leland: Absolutely, and that speaks to our commitment to integrate and extend security across the enterprise and beyond. We know we can’t help customers achieve Business Ready Security on our own. We’re working with partners of all kinds across the industry. In fact, this year Microsoft is investing $75 million in our partner ecosystem.

For example, we have a strategic partnership with RSA, the Security Division of EMC, to help companies better protect sensitive information and share it in a more secure manner.

Today we are also announcing a broad group of companies supporting and extending the capabilities of Forefront “Stirling,” including Brocade, Guardium, Imperva, Juniper Networks, Kaspersky, Q1 Labs, StillSecure, Sourcefire Inc., Tipping Point and RSA.

PressPass: In conclusion, do you feel customers view Microsoft as an enterprise security vendor with whom they should work?

Leland: I do. I think customers recognize the depth and breadth of our commitment in this area. There are some great examples of customers betting on Microsoft’s Business Ready Security strategy today.

A company called Exostar uses our solutions to allow global aerospace companies, such as BAE Systems, Boeing, Lockheed Martin, Raytheon and Rolls-Royce, to collaborate more securely on complex, multienterprise projects via hosted Microsoft Office SharePoint Server 2007. Exostar’s ForumPass solution uses Active Directory Federation Services and Forefront products to serve a growing community of 8,500 users across 170 organizations. BAE Systems saved $237,000 on one project alone, and improved its compliance.

In another case, NuStar Energy is a company that counts on very lean, automated IT to help it absorb a rapid succession of acquisitions. The company uses our identity and security technology, for example, to quickly bring on new employees that manage 8,491 miles of pipeline with a combined throughput capacity of 104,000 barrels a day.

* “The State of Enterprise IT Security 2008–2009,” Forrester Research Inc., December 2008