In-Depth

How Vista’s Arrival Will Affect the Security Market

Vista’s arrival will shake up the $3.6 billion Windows security market. Here are the implications for IT managers.

• By Mathew Schwartz
• 06/06/2006

Microsoft promises its next-generation operating system (OS), Vista, due to ship to enterprises in November, will be the most secure version of Windows ever.

Microsoft has already detailed Vista’s major new security features, which include least-privileged access, a more secure registry, hardened network services, an Internet Explorer sandbox and an anti-phishing filter, integrated anti-spyware, a two-way firewall, boot integrity, disk encryption, and compatibility with its Network Access Protection (NAP) protocol.

With more security built into Vista, many enterprises will jettison at least some of the third-party Windows security products they use, to save money and management time. That’s why Vista will “dramatically affect the $3.6 billion aftermarket for Windows security products,” predicts Andrew Jaquith, an analyst at Boston-based Yankee Group Research Inc.

Don’t expect Vista’s arrival to create any immediate security market turmoil, however. In fact, many enterprises won’t realize Vista-related security benefits for years. “Vista’s security enhancements will immediately reduce security issues for customers—but only for those intrepid few willing to upgrade PCs, migrate users, and endure some initial pains,” he says.

One especial challenge for early adopters will be grappling with least-privileged access, since organizations will have to specify such access levels from scratch. Furthermore, some current applications won’t function with least-privileged access, necessitating vendors rewrite the applications, all of which may slow early Vista rollouts.

That’s why, unless you’re already planning to upgrade to Vista as soon as it’s released, the Yankee Group recommends delaying implementation—until 2008. By then, Vista’s management tools in particular should have matured, making for much faster and easier Vista implementations.

Vista’s Careful Security Capabilities

What types of security software will Vista ultimately displace? For hints, look to Microsoft’s many security acquisitions in the past few years: GeCAD (an antivirus vendor), GIANT (an anti-spyware vendor), Sybari (server and gateway antivirus), and FrontBridge Technologies (anti-spam). The GeCAD technology has already been used to develop Microsoft’s own antivirus and anti-malware software. Microsoft also retooled the GIANT anti-spyware as Windows AntiSpyware, now rebranded as Windows Defender, with a new version set to ship as part of Vista.

In related moves, in June 2005 Microsoft launched OneCare Live, a managed antivirus and anti-spyware service for consumers. Then, in October 2005, it announced Client Protection, a similar, managed service—including anti-malware software and Active Directory—aimed at businesses.

Yet while there are a number of security capabilities Microsoft could simply build into Vista, it appears to be treading carefully, and notably isn’t including antivirus out of the box. “Introducing antivirus features into Windows would only further antagonize its security partners—and invite unwanted scrutiny from regulators,” says Jaquith. “Instead, Microsoft will market its own aftermarket antivirus/anti-spyware products,” namely OneCare Live and Client Protection.

So which security vendors will feel Microsoft’s cold shoulder? He says vendors of anti-spyware software and host-based firewalls will get squeezed immediately. To a lesser extent, vendors offering bad-behavior blocking (a kind of intrusion prevention), disk encryption, and device control (such as USB-port blocking) software will also be affected. Put another way, of course, enterprises will have the opportunity to save money, since these features will be available in Vista, or at least Vista Service Pack 1.

Vista’s Endpoint Security: Too Little, Too Late?

As part of Vista, Microsoft will also release the Network Access Protection (NAP) protocol for securing endpoints. NAP’s goal is to tie various products and technologies together—antivirus, anti-spyware, personal firewalls, and so on—to allow companies to assess whether a PC requesting network access is running required software, and has appropriate updates installed, before granting it network access.

Even so, “we believe NAP is dead on arrival,” says Jaquith. For starters, to realize NAP’s benefits, an organization would have to upgrade all of its PCs to Vista, which realistically will take years for many organizations. Furthermore, NAP requires encrypted network traffic, something many enterprises don’t like, since it complicates network monitoring.

Yet endpoint security solutions without such constraints are already available, plus they’re “cheaper to deploy and provide equivalent benefits” to NAP, notes Jaquith. In fact, that goes for many of Vista’s new security features: such capabilities are already available from third-party vendors, or by practicing disciplined configuration management. “Rather than exhaust capital budgets on ‘big bang’ platform rollouts, enterprises should incrementally roll out the security features they need.”

Related Articles:

• Active Directory in Vista: Same Name, Substantial Changes
• More Vista Security Details Emerge, But Will Enterprises Bite?