Redmond, Wash., April 9, 2001 — On the eve of this week's RSA Conference, the technology industry's largest annual gathering for security professionals, PressPass spoke to executives of two of the industry's top companies: George Kurtz, CEO of Foundstone and Dan McCall, executive vice president and co-founder of Guardent. Both firms have won designation as Specialists in the Microsoft Security Services Partners Program, unveiled in February, which helps customers deal with security issues — in their own systems and across the Internet. More than 50 Microsoft partners, in 16 countries, now participate in the program, which includes two key elements: a Web-based directory on the Microsoft Security Web site that gives customers access to information on these security providers, and a continuing program of training and knowledge-transfer that ensures partners are fully equipped to respond to customer concerns about security for their Microsoft-based systems.
PressPass: Computer security covers everything from viruses to hackers to disgruntled employees. What are the biggest threats facing your customers?
Kurtz: With the continued rise of e-commerce sites, among the biggest risks we see are at the Web server- and e-commerce application level. Because of the detailed interaction customers need to have with corporate or organizational databases, firewall protection isn't enough. Organizations must address the challenge of providing rich — but secure — access to their information. Related to that, it's not enough to implement a security solution, it must be continually updated. We've found that most of our clients don't correctly implement updates throughout their enterprise, gradually opening up cracks of risk in what was originally a secure system. It's never been tougher to keep the bad guys out.
McCall: I'd agree that vulnerabilities from the Internet are the greatest challenge. In addition to the issues that George has raised, viruses are still a fairly important issue. It's tough to protect completely against viruses, especially e-mail viruses or others with high rates of distribution. And customer maintenance of the security solution is indeed a problem. As security issues and solutions become more complex, maintaining those solutions properly is becoming more complex for customers. What's making the maintenance issue worse is that companies have this large and growing challenge at the same time that their IT staffs are shrinking due to budgetary constraints. It puts more pressure on companies to outsource their security solution and its ongoing maintenance.
PressPass: How does the Microsoft Security Services Partners Program help you and your customers to address these problems?
Kurtz: Here's one example. A large financial services company needed a security assessment of a new online application it was ready to go live with. They were looking for a top security assessor they could trust. They found us through Microsoft. Being a leading security assessor and a premier partner of the Microsoft Security Services Partner program made that connection possible. Another key way the program helps is by giving us access to the information we need to provide superb security solutions for existing Windows customers, particularly customers on the Windows 2000 platform. The program is essential to providing the level of security that those customers expect to support their solutions across the Internet.
McCall: That's right. Microsoft keeps its security partners in the loop — at the head of the line, if you will — on security information. We get periodic phone briefings and e-mails, and emergency briefings whenever needed, 24 x 7, 365 days a year.
PressPass: What does the program let you do for your customers that you couldn't do, or do as well, before?
Kurtz: Our direct connection to the Microsoft Security Response Center, to get immediate briefings from the center or to contact it when we have issues with our customers, means that we can identify risk issues, assess the extent of the risk for each of our clients, and disseminate information and solutions to them more quickly than before. With the Microsoft Security Services Partners program, this process can take just a few hours. That's a tremendous benefit for customers.
PressPass: How unusual is the Microsoft Security Services Partners Program, and what does the program say about Microsoft's commitment to security?
Kurtz: This is one of the first offerings I've seen from a product vendor to align with the world's leading security providers. It's very important that Microsoft has done this, because it's a convincing demonstration that Microsoft understands the importance of security to the growth of e-commerce and all other aspects of technology. It's also a demonstration of how important security is to Microsoft as a key driver of its continued growth. This sends a very important message to the rest of the industry, helping to raise awareness of security issues with customers of all sizes — all of whom need comprehensive and up-to-date security solutions.
McCall: I think it's important to note that this isn't just a paper program or paper relationship. We've found Microsoft to be a fantastic partner when it comes to giving us full and timely access to the information we need to do our jobs. We get early previews of Microsoft technology, and briefings on its security implications. When Microsoft finds vulnerabilities in its products, we hear about it right away and we hear about the fixes to those problems as soon as possible. With other vendors, getting this information can be like pulling teeth. The result is that our customers get better products and services from Microsoft and from us.
PressPass: Is there an example of this type of communication from Microsoft?
McCall: Sure. When the recent issue came up regarding fraudulent VeriSign certificates, Microsoft was on the phone to the security partners, including Guardent, right away. We received an in-depth briefing on the problem and its origin. And we received recommendations for corrective action, including an update for the operating system that provides revocation service on client platforms, so clients aren't exposed to fraudulent code from that forged key. Our clients, like users everywhere, did have their confidence in certificates a bit shaken. It was very important that Microsoft enabled us to immediately respond with a range of options — for example, to revoke VeriSign as the route certificate authenticator or to take less intrusive action, based on the client's situation and inclination.
PressPass: How does the program complement your companies' own offerings in the security arena?
Kurtz: At RSA 2001, Foundstone is announcing the FoundScan managed security service for the Microsoft Windows platform. It's a subscription service that provides year-round intrusion prevention for Windows 2000 networks. Our Active Assessment technology analyzes the customer's environment, and uses the captured data to probe for vulnerabilities. It's the first offering we're aware of that blends security assessment with 24 x 7 service. The close and continuous relationship we have with Microsoft as a result of our participation in the security services program is a key to providing the fastest possible response to Windows 2000 security issues as they arise.
McCall: We're also making an announcement at the show. We're introducing the Guardent managed enterprise firewall service for Microsoft Internet Security and Acceleration (ISA) Server. We provide a fully managed firewall plus intrusion detection solution for customers based on ISA Server. We manage the solution 24 x 7 from our site, freeing the customer of the need to intervene to keep the solution running. The timely, solid information we get from Microsoft is important in helping us to develop solutions like this.
PressPass: What issues should customers be aware of in the months ahead?
McCall: A year ago, many companies — particularly in financial services — told us that they would only manage security solutions in-house. As I mentioned earlier, IT departments are being crunched while more business is moving to the Internet, so those same companies are interested in an outsourced solution. This is only going to become more of an issue in the months to come. I think customers should re-evaluate the cost benefit of in-house, versus outsourced, security solutions, because in many cases they'll find solutions outside that they couldn't afford to build and maintain themselves.
Kurtz: We're seeing that same phenomenon. Another key issue is that, as Microsoft technology becomes more central to the enterprise, security solutions for the Microsoft platform will be increasingly important and must be figured into the overall security infrastructure. Also, companies have to understand that there's no “silver bullet” for these issues. The solution is an ongoing management solution combining processes and procedures that are maintained over time. The good news is that customers that are diligent in this area, and that work with security partners to ensure a continually updated solution, can get the high degree of security they need to maximize the potential of the Internet for their businesses.