The Microsoft Windows security dilemma has plagued users for years. In 2001, the Nimda worm spread worldwide in 30 minutes. The Klez virus last year cost businesses $9 billion worldwide in lost productivity. “Can Microsoft Be Secure?” is a new report from Forrester Research, Inc. (Nasdaq: FORR) that examines Windows¿ security issues and makes recommendations to Microsoft, users, and independent software vendors (ISVs) for improving Windows security.
Windows security has long been a main concern for IT professionals and users. Forrester surveyed 35 IT security experts at $1 billion-plus firms to better understand these concerns. Seventy-seven percent of respondents cited security as their top concern when deploying Windows applications. The same percentage had experienced Windows security problems in the past year. Users blame Microsoft for its Windows security incidents, although it has been doing a much better job at security than it has received credit for. Microsoft’s patches for the last nine high-profile Windows security incidents predated the attacks by an average of 305 days.
If Microsoft is not solely to blame, where does the problem lie? According to Forrester, the solution to seamless Windows security involves three parties. The answer is to build a partnership that connects Microsoft, ISVs, and users throughout the development, deployment, and operations phases of the platform life cycle. Despite the fact that 89 percent of the survey respondents run sensitive applications, such as financial transaction systems and medical records systems, firms do not deploy security patches. Firms lack the time and resources to apply security patches, and they worry that implementing them will destabilize production systems.
“Microsoft is doing a good job tackling security issues, but it needs to do more. Together, ISVs, Microsoft, and end users must work to establish a process that guarantees that security efforts will pay off,” says Forrester Research Analyst Laura Koetzle. “We will not see a change in the Windows security landscape unless these three groups work together to establish standard practices.”
In addition to outlining the role that Microsoft, ISVs, and end users should play, the report offers specific detailed suggestions for all three groups. The key to successful platform security involves simple, consistent patch-management tools from Microsoft. ISVs need to validate their applications against patched platforms to ensure that their users will not lose application support. Finally, end users must use server provisioning and virtualization software to test and deploy security patches systematically.