RealTime IT News

Mike Nash, Microsoft's Security Technology unit

Mike Nash

Microsoft is rubbing elbows with partners in newfangled ways, especially as it prepares to roll out security and anti-virus services that compete with the likes of Symantec and McAfee.

Mike Nash is also about to embark on a new adventure in the Microsoft world.

The head of the company's security tech unit, who shepherded many new security features into Windows XP with the big SP2 upgrade last summer, isn't quite sure what that new role will be. Or, at least he's not saying yet.

As of June, he'll be wrapping that gig and preparing for his next Microsoftian challenge in September. He recently sat down with internetnews.com to chat up the Vista picture. Following are excerpts of the interview.

Q: Can you talk about the decision by Microsoft to not support RSA's SecureID authentication tokens in Vista?

I think this sort of came across as a bigger deal than maybe it was. The simple answer is Microsoft certainly believes strongly in strong authentication and two-factor is certainly a key part of that strategy. What we've said is that, overall, there's a lot of work we want to do to make sure that smart cards are well integrated into the platform. And frankly, there's some places where Windows is just kind of funny about smart cards.

I think there are parts of the OS that in the XP version don't know about Kerberos.   And when you don't know about Kerberos [an authentication system designed to enable two parties to exchange private information across an otherwise open network], and you log on with a smart card, Windows will say 'hey what's your password?'

So our focus is on making sure we do a much better job of doing certificate-based logon in particular with smart cards. There's a combination of what we're doing on the OS [operating system] and with our acquisition of Alacris regarding certificate lifecycle management and functionality.

We are committed to working with partners in two spaces. One is the token space and I think RSA is certainly an important partner for us in the token space. But also biometrics. In both cases, we'll work to help third parties to do those extensions.

Q: Yankee Group recently predicted that security features in Vista would "significantly" shrink the aftermarket for anti-spyware and desktop firewalls. What's your take?

My take is that I think overall, our primary focus is to help customers. There are a lot of opportunities for Microsoft to innovate and for partners to innovate.

Q: But reports like that shouldn't come as a surprise to you, given that everyone's moving to add more value to their stacks.

It's certainly a dynamic environment for PC clients and servers and the fact that the security of that is a dynamic market shouldn't be a surprise to anyone.

I think the real question is if you said: 'what's the next point of innovation? What has to happen there?' When Microsoft announced pricing for its forthcoming consumer client software (Microsoft WindowsOne Care Live), there was some talk of what it meant for the market. What it meant for the market was that, about four seconds later, Symantec announced their plans for a new product they code-named Genesis.

So if anything, Microsoft's participation in that business is driving more competition, and more choices and more innovation that I think benefits consumers.

Q: The Yankee group report also said Vista would reduce the need for disk encryption, device control and certain types of host intrusion and prevention software.

Our partners are incredibly important. Over time, there's going to be an evolution of the kind of protection they provide and that's going to be changing as the environment is changing.

In 2001 a lot of people said 'hey, it's fine that you have a firewall in Windows, but don't turn it because we already have a firewall.' That was really good advice if you're a customer that had a firewall and really lousy advice if you didn't.

Our strategy now is to put in there and make sure the customers that don't think about a firewall or are happy without a firewall are protected. And if a customer wants to use somebody else's firewall, that's their choice.

Q: What about the Network Access Protocol chatter? We've got Microsoft's Network Access Protection (NAP) on one side, and Cisco's Cisco's Network Access Control (NAC) methodology on the other. It's unclear if they will be integrated in Vista. Can you address that?

I think people are looking for more controversy than is there. There are many customers who use Microsoft software that use Cisco's software. The notion of making sure these two technologies complement each other is a goal.

There are certain aspects I think Cisco has expertise around in terms of network management. There are certain things we have expertise around in terms of desktop configuration management. I think together we have an opportunity to have a lot more collaboration. It's fair to say we probably have more work to do to explain the details of that than we've done.

Q: Forrester has said Microsoft will become as large a player as Cisco as it standardizes endpoint security. What do you say to that?

NAP is an important feature. The key thing is to get that done in Longhorn Server. That will hopefully address the customers' needs. To me, it's less about who owns 802.1x blah blah blah and more about how Microsoft is doing an effective job of working with our partners to make sure the network administrator controls the health of a PC that gets on the network, both remotely and locally.

Microsoft has a unique capability. We understand the desktop. At the same time, Cisco has a lot of networking gear. So it's a good opportunity for them to be a key partner.

Q: Has Microsoft considered a later release for Windows Vista than October 2006 or January for consumers? Gartner has said it doesn't think Vista will be ready to ship before the second quarter of 2007.

We're feeling good about our schedule. We said we'd have product in October [2006]. We're on that path. The two products [consumer and enterprise] will release at the same time, we're just going to launch them at different times [in October and January of 2007]. But it's funny how that got kind of confused.

Q: A lot of folks pointed to the Vista delays as examples of why software-as-a-service (SaaS) is changing computing as we know it, because of the ease of pushing out updates compared to legacy issues that bog down traditional software development cycles. What do you say?

I think in order to be able to ship, we need to get a certain quality and feature set. I don't see a major difference between SaaS versus this approach. I will say having a clear picture of feature sets and milestones in terms of quality has got to apply across all the paradigms. I don't think the Vista schedule favors or is against SaaS. It is what it is.