Is Microsoft Missing A Cloud Security Trick?

Microsoft had little to say on security at its Worldwide Partner Conference. Larry Walsh thinks it should build security into its cloud message.

Microsoft’s Worldwide Partner Conference last week was a big event, with comprehensive coverage of all the software giant’s activities. But why was there so little mention of security?

Over three days, nine Microsoft executives including CEO Steve Ballmer, COO Kevin Turner, and new channel chief Jon Roskill delivered 10 keynote addresses that comprised, in total, more than 62,000 words. That’s roughly the size of an average business book.

“The Cloud” was the confab’s theme, so it should come as no surprise that cloud, web and Internet were cited 406 times. Microsoft is pushing its cloud-based development and hosting platform, so it’s no surprise that Windows Azure got 134 mentions. The cloud needs an interface, so PC was noted 138 times and Windows 7, 92 times. And because the world is increasingly mobile, Microsoft suits dropped terms such as smartphone or Windows Phone 7 a total of 147 times.

But what about security? Microsoft executives for the first time in years gave security short shrift; they only used the word 12 times in their collective keynotes.

Security played down

But more than just the number of times the word was used, it was how it was used. While Microsoft executives waxed passionately about the opportunities in the cloud, the superiority of Windows Azure, their intent to compete for mobility with Windows Phone 7, and the robustness of Office 2010, security was relegated to passing references such as “done securely”.

Security didn’t fare much better at the conference beyond the keynotes. Signage hanging from the ceilings and adorning the escalators of the Washington Convention Center had branding for nearly everything in the Microsoft portfolio except Forefront, Microsoft’s network and endpoint security solutions. The conference agenda was practically devoid of any security sessions. And the Forefront team was stuck way at the back of the exhibit hall in a relatively low traffic section.

For a company that has battled the security demon for the last decade and used WPC as a pulpit to reinforce its commitment to secure software and products, the virtual absence of security seemed odd. I spoke with several Microsoft executives about the muted security messaging at WPC this year. Three things are going on. First, Microsoft had to make choices since there’s only so much time and space, and cloud computing was this year’s priority. Second, there are no new Forefront products being released at this time. And third, Microsoft believes it’s got its security house in order (pause here for laughter).

Let’s break each of these points down.

Limited Time: Cloud – and Windows Phone 7 – were the big stories at WPC, and Microsoft didn’t hold back on those messages. Every track, every keynote, every party, and every exhibition booth practically dripped with something about cloud computing. As Roskill told me in a one-on-one meeting, “Sometimes you have to swing the pendulum to get things to where they need to be.”

No New Products: Microsoft isn’t releasing a new version of Forefront until later this year, so they thought it better not to talk about something they didn’t have available. This is slightly disingenuous. Microsoft talked about several products in development, such as Windows Phone 7 and cloud-versions of its existing software products.

Microsoft did debut one new security-ish product: Windows Intune, an endpoint management tool for managed service providers. While Intune has several security features and functions, Microsoft predominantly positioned it as a management tool. Even in the session, “Winning the Secure and Well-Managed Desktop,” the presenters had exactly one slide about security.

Security Under Control: During his keynote, Kevin Turner said that Apple and Oracle, respectively, top the list for having the most insecure software. Microsoft has gotten significantly better with regard to the security of its code and applications, and it’s got a well-oiled machine for dealing with security issues. And perhaps that’s the reason Microsoft thought it could ease off security messaging.

Ross Brown, Microsoft’s vice president of solution partners, explained to me that Microsoft looks at security as a part of the management of its products and the IT infrastructure. What customers want, he says, is a reliable and stable platform; and that’s delivered through a management framework that includes security as a core function. Microsoft’s philosophy is reflected in its merging the management and security groups several months ago; security now essentially falls under the System Center team.

Racing for the cloud

While there’s logic behind why Microsoft toned down its security messaging at this year’s partner conference, the lack of security messaging left several partners wondering whether Microsoft is forgetting its security woes of the past decade as it races into the cloud. I, for one, believe they missed an opportunity to make security a stronger pillar of their cloud, virtualisation and mobility strategies.