Remarks by Mike Nash, Corporate Vice President, Security Business and Technology Unit, Microsoft Corporation
Worldwide Partner Conference 2004
Toronto, Ontario, Canada
July 13, 2004
ALLISON WATSON: I just had to watch that one more time from the audience on this fabulous screen. All right, thanks. We are absolutely committed to your feedback and absolutely committed to making this the best place to partner in the industry.
All right, now we’re going to get back to the serious agenda, betting your business on Microsoft today. I hope we’ve shaped a compelling argument for you today, that if you’re thinking about investing more money or going into new businesses or coming up with new ways to grow and reach out, that we’ve convinced you why you should bet your business on Microsoft.
I’m pleased today to have Mike Nash and Steve Ballmer on stage with me to make sure that if there are any open questions in your mind that we address them here and now. When we met in New Orleans nine months ago, one of the big questions we were facing was security. Mike and Steve talked to you at that point about our commitment and what we’re prepared to do. I’ve asked Mike Nash, corporate vice president in the Security Business Unit to join me this morning to tell you where we are and where we remain committed to take it up a level further. Mike? (Applause.)
MIKE NASH: Allison, how are you?
ALLISON WATSON: I’m pretty good, Mike. I think it’s been a little bit of a busy year for you.
MIKE NASH: It has been a busy year for our partners, too and I want to thank them for all their hard work around helping our mutual customers be more secure.
For me, though, I’ve been on the road a lot.
ALLISON WATSON: I imagine.
MIKE NASH: Talking to a lot of customers, getting a lot of feedback and actually after one of my business trips I decided to take a couple days off and go see my grandmother, figuring I’d get a little bit of time away from security, but no such luck. My grandmother is 90 years old, she uses Windows XP, and I went down there, showed her some pictures of the grandchildren and she said, “You know, if we don’t go into the computer room now, you might miss your flight” — not, “I need you to do this work or you won’t have time to do it,” but “you’ll miss your flight.”
So I went in and spent some time on her PC, realized that she had really quite a bit of malware on her PC, had never installed a security update from Microsoft, didn’t really have any antivirus software, and I was going to bring my grandmother’s PC back to Microsoft or bring my grandmother back to Microsoft. But instead I decided to do a video of my grandmother and I actually shot this one myself.
ALLISON WATSON: So it’s going to be “must see TV.”
MIKE NASH: Must see TV, my grandmother, Estelle Heller. Let’s roll the tape.
ALLISON WATSON: All right, let’s see it.
MIKE NASH: So a couple things about my grandmother: Sometimes she gets the TV and the computer mixed up. (Laughter.) She doesn’t run Quicken, she runs Microsoft Money but she calls it Quicken, I don’t know why. (Laughter, applause.) I personally bought her Microsoft Money at the company store. And she now runs Windows XP Service Pack 2, so she can go out there and take online surveys and not worry about what’s happening to her PC.
I think really while my grandmother is clearly a consumer in this space, many of the issues we have heard about from customers and from partners like you really show that there’s a lot of work we need to do and we’ve made a lot of progress around making it easier to run environments based on Microsoft technology.
Last year Steve outlined a set of initiatives we were taking around security, and I wanted to give you a bit of an update on where we are on some of those commitments.
First, around isolation and resiliency, I think really — and Will talked about this yesterday — but the chief thing we’ve done here really is the focus on Windows XP Service Pack 2, making sure that we could not only address core vulnerabilities in our products but more importantly to build resiliency into the system, so even if there are new vulnerabilities or perhaps exploits against things that aren’t even a vulnerability in Microsoft software, that customers that use the latest service pack of Windows can be protected from those kinds of illegal, malicious attacks.
We also worked hard on making sure we could provide a product to provide protection at the edge with ISA Server 2000.
Last year Steve asked about Software Update Service. We talked about this technology used for deploying updates automatically in the enterprise, and we asked the room how many of you were using Software Update Services. I’m going to ask the room again, raise your hand if you are using Software Update Services with your customers. A very different response from last year. I think it’s reflected in the numbers; we know off Microsoft.com that 150,000 unique servers come to Microsoft.com to get updates for enterprises, we know that a lot of it is a result of the great work you’ve done to help customers automate patching, so I really want to thank you for that.
We also know that in the consumer space we’ve seen a tremendous increase in the number of users doing automatic updates off Microsoft.com with Windows Update, about a 400 percent increase on this since a year ago.
We also heard that there were key scenarios that required more authentication, authorization and access control, and we worked hard to make sure that the PKI in Windows Server 2003 actually was approved and certified by the Federal Bridge Certificate Authority, which I know is very critical for key government accounts that many of you are working on.
We also announced Rights Management Server, which I know has been a great opportunity to help customers to protect their content but also for you to be in there as a way to both sell Rights Management Services but also to drive some great new features in Office 2003.
Engineering excellence has been obviously a very key focus for us, since we’ve been working on the Trustworthy Computing initiative for about two and a half years. And the focus on building better software with fewer vulnerabilities is really best exemplified by Windows Server 2003. The product has now been out for over a year. We have a year of data to compare Windows Server 2003, which went through this new engineering process, to Windows Server 2000 and the results are very stunning: In the first year only 13 critical or important vulnerabilities versus 42 for the same period when we first shipped Windows 2000. We know we have more work to do, but we know that customers that use Windows Server 2003 are much more secure than customers that use Windows 2000.
We also have done a lot of work to make sure that when there is a vulnerability we’re responding more quickly, and Forrester recently issued a report comparing the number of days that a customer is at risk with Microsoft software versus Open Source, and as a result of the great relationship that we’ve built with researchers out there, we know that we hear about things under nondisclosure responsibly and then work with those researchers to get a fix out for you and for your customers very quickly.
Lastly and probably the area that’s probably most important, we heard the most direct feedback here, is the need for more guidance and tools. In the past the feedback we got was, you know, Microsoft, you guys do a great job of explaining every crazy feature you have in your products, but you’re not doing enough to help me actually solve the problems that I have from a security point of view. We used to have about five big documents about security and they were 500 pages long. We’ve now got over 150 documents that are focused not on big descriptions of features but really focused on specific issues that you’ve told us you need us to address.
In fact, as part of this we’ve been doing these monthly webcasts that we host every month, and one of the pieces of feedback I got there was from a customer who said, “You know, I love the wireless deployment guide you guys have created and if I had 50,000 employees in my environment I’d follow that thing to the letter. But I don’t have 50,000; it’s me and five other guys in a garage. Where is the guide for me?” Which really was very good input to us, and we now have guides focusing not just on how you can help your enterprise customers but also guides focused on small and medium business.
Also a critical part of this for us is being there in the case of an event. We certainly don’t look forward to those events, but when they do happen we want to make sure that in the likes of a MyDoom or a Sasser, Microsoft is there for you to help your customers with content in a way that’s timely, accurate and authoritative but also increasingly with cleaner tools, and I’m actually very happy about the work we’ve done to help customers to know that they’re free of viruses, to make sure that if there is an infection we can remove it, and I’m proud today to announce that as of today we’ll have a cleaner tool available for download to detect and remove any infections from the various download exploits. (Applause.)
I think all up, though, very much the focus here is on making sure we’re doing the things that you told us were most important and we certainly know we have a lot more work to do.
I mentioned ISA Server 2004. I’m also very proud today to announce that ISA Server 2004 standard edition is now available for customers for you to be using with your customers. And the critical thing here is really a lot of changes we made in very much direct feedback from those of you that used the product in the past; first and foremost, focusing on making sure we can safeguard Microsoft systems and applications from malicious attack at the edge by building filters to block malicious attacks against Outlook, against Exchange, against other applications, to make sure we’re doing that using content inspection at the edge.
We’ve also done a lot of great work with partners, especially in the hardware space, and we’re very proud to have announced that we’re going to also be creating ISA-based hardware appliances that really provide a much easier deployment and set-up opportunity for you to do with your customers. I’m very proud of the work that’s been done by Hewlett-Packard and others to build these solutions that will be available later on this quarter of the year.
We’ve also spent a lot of time working to make sure that we look at ISA Server, not just as a security solution on its own, but also as a platform for partners to innovate and provide a higher level of security. McAfee, for example, has extended their antivirus capabilities to run on the ISA platform. SurfControl has the ability to provide blacklisting to stop access to sites with known malicious content, which we’re very excited about. And finally RSA Security has integrated their SecurID technology so it’s very easy to set up token-based authentication for people that want to provide access to Web-based applications published out to the Internet using ISA Server. So I want to thank these partners for this great work. (Applause.)
Lastly, really a focus here on the great partner opportunities, and there’s a great Web site up on Microsoft.com really focused on helping you to use ISA Server to help your customers solve security issues in their environments. We know that a defense-in-depth approach is really the right way to go. Many customers already have a firewall but ISA Server used in conjunction with those firewalls provides a higher level of protection and the ability to make sure that customers are proactively being safe and secure on the Internet.
I’m also very proud to announce work we’re doing around Network Access Protection. Last fall Steve talked a bit about something called Client Inspection. The idea here is to provide the ability for a network administrator to know the state of all the machines connecting to their network, and we’ve really thought through this architecture and built this strategy that we’re calling Network Access Protection. The idea here is to provide the ability to do a compliance check to make sure that the state of a Windows machine is correct or antivirus is on it, is the security software configured properly, and in the case that it’s not, to put those systems on a special network to make sure they get those updates appropriately.
The key thing we’ve done here is to make sure that we’ve designed this architecture to work with the environment customers have today. We’ve heard very clearly from you and from customers directly that working with the security software that’s already being used is essential if you use a particular VPN, if you use a particular kind of antivirus software.
I’m also very proud to announce the support of more than 25 industry partners so if you use a Nortel VPN, they’re doing work to make sure it integrated with Network Access Protection. If you use Symantec, Trend, McAfee or Computer Associates antivirus, those products will work well with the Network Access Protection.
This technology will be shipping as part of the R2 release of Windows Server 2003, which you heard from Paul Flessner will be shipping next year, but the critical thing here is it will work with the infrastructure that’s already in place today.
From a timeline perspective, I think, first I want to thank you all for the feedback you’ve given us on prioritization and really focusing on making sure that we’re doing the right things with our products, making sure that our tools like Microsoft Baseline Security Analyzer are doing the right things to address those needs, also the focus we’ve had on content to make sure that the information you need to be successful is there.
In the second half of 2004, as I mentioned, we’ll be shipping ISA Server 2004 Standard Edition. Probably the big event for this period will be Windows XP Service Pack 2. If you’re not evaluating it you ought to be. If you’re not helping your customers think about it in their environment, I really want to impress on you the importance of doing this.
Later on this year, we’ll also have the enterprise edition of ISA Server. Early in 2005 we’ll have Windows Update Services, which is really the version of Software Update Services designed to extend beyond just Windows. I know a lot of people want that product as soon as we can get it done, understand that we had to really get the foundational work done in Windows XP Service Pack 2 with the new version of Windows Update Services, Windows Update version 5 that we’ll use to deploy Windows XP Service Pack 2, and that team is going to go right on and build on that foundation to get Windows Update Services done as quickly as possible.
One of the questions I get a lot from partners and from customers is, what would I do if I was in your job, knowing what I know as the VP of security at Microsoft? I think the first thing is I would make sure that my staff and my customers were educated on security. We heard very clear feedback last year that education wasn’t helpful and I think over the last year, based on that feedback and a lot of feedback that we got in real time, we’ve made that content and that education much more actionable. So I really encourage you to go back, if you haven’t already, to get a sense of what that is and get your staff trained on security.
I also think it’s important to spend time with your customers doing a security assessment. There’s really nothing more important than thinking about the problem holistically, and I’m still surprised by the number of customers I’ve talked to that really haven’t thought about the key issues of risk and the key concerns that are appropriate for their environment and built a plan to address those needs. I think it’s certainly a much easier thing to do proactively than it is reactively.
I also encourage you to get your customers upgraded to the latest versions of Windows technology. I know that it’s not going to be realistic for every desktop system to run Windows XP Service Pack 2 or for every server to run Windows Server 2003, but, for the servers that face the Internet, I highly recommend that you begin those evaluations if you’re not already deploying them. And for machines that are mobile or laptops, having those machines on Windows XP Service Pack 2 is essential.
Lastly, making sure that you’re thinking about the security competency, really making sure you can distinguish your organization from other partner organizations with the ability to do a great job around security, because together this is how we’re going to win.
If you want more information, there is some great content up on Microsoft.com/partner/security.
Again, I want to thank you for your hard work and also for your feedback to help make us together successful with our customers’ security. Thanks very much. (Applause.)
© 2004 Microsoft Corporation. All rights reserved.