Microsoft's Forefront group eying compliance market

Security vendors Symantec Corp. and McAfee Inc. may soon find Microsoft Corp. competing with them in a new market.

Microsoft has developed network-scanning technology, internally known as Spider, that scans PCs for security vulnerabilities, ensures that the latest patches are installed, and that PCs have the required software to put them in compliance with corporate IT policy.

The software was developed by Microsoft's IT group to clamp down on security problems within Microsoft's own network, but the company is now looking at adapting it for its Forefront line of security products, said Mark Estberg, a director with Microsoft Information Security, speaking at the SecureWorld Expo Thursday.

Some customers can already get access to the Spider technology through Microsoft's services group, he said. "The goal is to get this software written into products that go out to customers, but as a near-term step, through services, you can get this software now," he said.

Estberg said the software has been a success at Microsoft, although his team received some "incredibly articulate hate mail," in the early days, after instituting a policy of cutting off Microsoft users whose PCs were not in compliance. "It's really, really painful ... but it made a big impact," he said.

The software can scale to a large number of machines and is used to scan Microsoft's corporate network several times per day, Estberg said. It is "agentless," requiring no additional software be installed on the client, he added.

As Microsoft's entrance into the security market has begun to threaten their core antivirus product offerings, vendors like McAfee and Symantec have been increasingly focused on developing products that can be used to enforce IT compliance.

McAfee, in particular, has been on a shopping spree in this area. It recently purchased Onigma, an Israeli vendor of data-leak prevention software, and Preventsys, a provider of risk management and compliance reporting software. McAfee is also in the process of closing its US$60 million acquisition of compliance vendor Citadel Software Inc.

Microsoft is in a position to simplify security for its customers by giving them one point of contact, said one show attendee, a San Francisco area IT risk manager who asked not to be identified. But that convenience could come at a price, he said: a lack of accountability and competition in the security space. "It boils down to the question, who's checking the checker."

Clearly, compliance is a growth area for the security industry, but with tensions already high between Microsoft and its security partners, it is unclear how quickly the company will move into this new market, said Andrew Jaquith, program manager with Yankee Group’s Security Solutions & Services Decision Service. "The question is exactly how much more do you want to antagonize them?" he said.