New Microsoft program: 'You patch, we pay'

Under a new program, Microsoft  is paying for security assessments of its customers' networks to help improve policies in areas such as software patch management and assuage fears about the security risks posed by Microsoft products.

The Microsoft Patch Assurance Security Service was started in late 2003. As part of the program, Microsoft is offering free security audits to all of its enterprise customers and paying for the services of third party security consultants, including Internet Security Systems Inc., to do the audits, according to interviews with those involved in the program.

In many cases, Microsoft's patch management products and services, including Systems Management Server (SMS) and Software Update Services (SUS), are recommended to customers as part of the audit, interviewees said.

Figures on the total cost of the Patch Assurance Security Service were not available, but it is an extensive program to reach out to Microsoft's entire enterprise customer base, defined as customers with 500 or more Windows desktops, said Peter Noelle, a partner account manager at Microsoft in Atlanta.

Microsoft has contacted around 75 percent of the 200 enterprise customers in the district that includes Atlanta regarding the program and the "vast majority," more than 90 percent of those companies, have signed up for the free service. The company hopes to contact all its enterprise customers by the end of its fiscal year in June 2004, he said.

Microsoft is offering the same service in each of 17 regional districts in the U.S., using local and national consulting partners to perform the assessments, he said.

In the southeast district, Microsoft is working through Blackstone & Cullen Inc., an Atlanta IT consulting company and Microsoft Gold Certified Partner, said David Sie, security practice manager and Blackstone & Cullen.

"We're an extension of Microsoft. Microsoft lets us know which of their customers they'd like us to help them perform the services...then they decide what the priority (of the customer) and the scope (of the security assessment) is for the customer," he said.

In turn, Blackstone & Cullen has contracted with Internet Security Systems, Inc. (ISS), also of Atlanta, to conduct vulnerability assessments for the Microsoft customers, Sie said.

Microsoft pays for the services of both companies on behalf of its customers, which are typically Microsoft-centric organizations using a "significant amount" of Microsoft technology, Sie said.

The purpose of the program is to reduce the number of Microsoft customers who do not apply software updates from the Redmond, Washington company by promoting patch management best practices. Secondarily, Microsoft is hoping to boost its credibility in the enterprise space on issues of security, Noelle said.

Assessments can last from days to weeks and range from "best practices" cases where few recommendations are needed to "dark pictures" where a "very significant" amount of work is required, he said.

Typically, the assessment concludes with a set of recommendations and "actionable steps" that companies should take to improve their patch management processes, Noelle and Sie said.