Q&A: Microsoft security chief talks up Vista changes

Ben Fathi talked about his view of a 'trust ecosystem'

Ben Fathi knows a thing or two about security. He spent the first half of his 24-year career working as an operating system developer, and he is now the head of Microsoft Corp.'s security group. His new job as corporate vice president of Microsoft's Security Technology Unit puts him in charge of the company's response to hacker threats. He must also lay out the overall security strategy as developers finalize the highly anticipated Vista and Windows Server "Longhorn" products. In one of his first interviews since beginning his new job this month, Fathi spoke about the wide range of issues before him as he works to keep Microsoft one step ahead of the bad guys. Following are excerpts from that interview:

What would you like to have achieved a year from now as head of the security group? One of the areas that I'm really passionate about in security is what we call a trust ecosystem. What I mean by that is taking security from where it is today, where it's viewed by a lot of customers as a defensive technology -- it's seen as a way of blocking bad things from happening on your machine -- and taking that and turning it around into a technology that really enables you to do things securely and seamlessly without having fear. So you can take things like documents and share them with your friends and family or with workers in other companies securely.

We've made a lot of investments in that space, such as ActiveDirectory Federation Services and Rights Management Services. We've made the first steps, but we need to take that a long way, both in the consumer space and in the enterprise space.

I don't know if we're going to have something a year from now. I think for the next six months or so we're going to be concentrating on Vista and then Longhorn server. But that's something that, as we look at post-Vista planning, I've been pushing the team to look at and invest in heavily.

Beta testers have complained that some of Vista's security features make it to too hard to use. How much of a hit will ease of use take because of security? A lot of the comments that you've seen in blogs and articles are centered around User Account Control [UAC], and we took a lot of those comments to heart. We have talked to enterprise customers, and we have talked to consumers. And for Beta 2, we've significantly reduced the number of dialogs. For RC1 and RTM, we've also continued to do that work. We've added instrumentation into the system so we can monitor the top 100 apps that are having dialogs and pop-ups happen so that we can work with those ISVs. And in some cases, we actually shim those apps internally. So you will see a large percentage of those problems go away as we get closer to RTM and as we get millions of people using the beta. [RC1 is Release Candidate 1, a follow-up test release of Vista expected later this year. RTM is Release to Manufacturers, the completed version that PC vendors install on their machines.]

We also did something that I just announced [Monday] night: the ActiveX installation service. This is something we've heard from our enterprise customers. They want to have the ability for an administrator to have an MMC [Microsoft Management Console] where they can approve internal Web sites or partner company Web sites and list the applications that can basically be white-listed. So standard users can install those. We have done that and that will be available in RC1.

The other issue that we have thought about for UAC is parental controls for the consumer space. That's also in Beta 2.

So I agree with you that there's a certain amount of annoyance, but you can expect that with any product that's in beta, and we are committed to significantly improving the usability of this.

Is client security something that Microsoft ultimately wants to be selling years from now, or do you want to get to the point where the operating system is just secure enough? If you look at OneCare, for example, OneCare is not just about security. It's about management; it's about taking over a consumer's machine and helping them in every way we can with everything from antivirus and antispyware to automatic backups, doing performance tuning, doing patch installation and simplifying the overall management of that system.

You're going to see complete management and simplification solutions from us, and one aspect of that is going to be security. Whether it's a big aspect or a small aspect is going to change over time. Some of those pieces of functionality will eventually make it into the OS, and we're going to look for other things we can do in a management solution to simplify people's lives.

Right, but on the corporate side you have Forefront Client Security, which doesn't do management. Either way, some of the things you talk about sound like features I would want in my operating system. Do you really think that it's going to be necessary to sell this type of product five years from now? I don't know. We'll let the customers decide. That's what it's all about. Let them have the choice and see what their feedback is, and continue to innovate in those spaces.

Copyright © 2006 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon