Interview

Microsoft has high hopes for Vista security

SearchSecurity.com Staff

Ben Fathi is the vice president of the Security Technology Unit at Microsoft and is responsible for the overall security of Microsoft's products as well as the development process known as the Secure Development Lifecycle. He took a few minutes recently to talk about the security features in Windows Vista and how Microsoft's security play will affect third-party vendors.

 

RSA Conference 2007


What are the early returns like from customers on the new security features in Vista?

Fathi: The feedback has been almost universally positive. We've had a huge number of beta customers, something over a million of them, running the earlier versions of Vista, so we've received a lot of security, performance and reliability feedback from them. There are a number of utilities in Vista that can send data back to us automatically whenever something hangs or crashes and we can collect and analyze that and look for spikes that indicate problems. Talking to customers, the security aspects of Vista get a lot of mentions. We've spent a lot of time improving the usability of the security controls like User Account Control to reduce the number of pop-ups customers get.

 


If we have another conversation in six months, what kind of security performance would you like to see from Vista at that point?

Fathi: Obviously zero vulnerabilities would be great. I'd be dancing in the streets with that. But the number should be very small. I'm hoping for a reduction of at least 50 percent over XP. One thing that happens when a new OS comes out is that the research community shifts its attention to the new version. But because of the defense-in-depth approach that we've taken, it improves the end-user experience so that if there is a vulnerability, they're protected.

With big vendors such as Microsoft and Cisco building more security into their products, does that reduce the opportunity for independent security vendors over time?

Fathi: I hope and believe that there's plenty of opportunity for them to innovate and add protections both on top of and underneath the system. There are a lot of categories that we're not going to get into. But as we improve the security of the base product, some of the other vendors' products may not be as interesting as they once were.
