REDMOND, Wash., Feb. 9, 2001 — In an economy where crucial business-to-business and business-to-customer relationships are moving to the Internet, the need for new resources to protect information systems has never been greater.
To help its customers deal with security issues in their own systems and across the Internet, Microsoft this month launched its new Microsoft Security Services Partners Program. The program provides customers with a direct connection to highly qualified security consultants who can help them deal with security concerns.
"More than anything else it is a community focused on security," said Jason Matusow, a product manager with the Microsoft Security Response Center. "As the global business community moves to a more connected world, security is becoming a top priority."
The program gives Microsofts customers a searchable Web site database of 44 security consulting companies in 16 countries. The listing is composed mostly of organizations based in North and South America and in Europe, but also contains a few security consultants located in Asia, Australia and New Zealand. The directory is organized into three tiers of participation: partners, specialists and members.
Matusow said "member" companies provide many technology services -- among them, a security consulting practice. The "specialist" companies are focused exclusively on security consulting. They may employ as few as 20 people, but as Matusow said, these are "20 highly qualified security consultants." "Partners," the top level, are very large organizations with more than 500 employees that have significant security consulting practices. "The partners may well employ over 10,000 people. Their strength lies in providing security consulting on a global scale to help multinational organizations," Matusow said.
Microsofts customers who use the directory will be able to find experts who can provide immediate help for their security problems or questions. A speedy response is vital because security issues tend to move quickly, and as situations change, the Security Services Partners Program will help customers keep up.
"We are hoping to help our customers secure their environments by having access to a community of companies educated in the theory and practice of security," Matusow said. "Microsoft offers a great deal of technology to assist with security, but security features are only as good as the people who implement them."
Microsofts customers will also benefit from the security consulting communitys close ties to the company and the more qualified consulting services that result.
In explaining how the program can work, Matusow cited the example of a small healthcare clinic with 10 locations in town. The clinic needs to make sure that all digital communication among locations are secret, that the clinics Web site is secure and that patient information is kept private. "They might bring in one of the members to make sure they do an analysis of their security, and lock their systems down," Matusow said.
A large bank may use the directory to engage a specialist company to secure online services for its customers. The specialist would provide the security architecture, planning and management for the project. They will also be able to provide proactive vulnerability testing to audit the quality of the implementation.
A partner-level company would be able to provide the same kind of service to all of a multinational corporations locations around the globe. "They have people with the same qualifications as the specialist company, but its a matter of the scale of services they can provide," Matusow explained.
Interviews with some of the consultants listed in the directory indicate a preference for holistic approaches. For example, that means protecting information systems both internally and externally, and taking into account both technology and policy. The consultants also expressed an eagerness to share ideas.
"The number one thing were battling is complexity," said Dean Iacovelli, a security expert with Corbett Technologies, a specialist in the security partner program. "Complexity is often the enemy of security -- its easy to secure something you understand really well. This program is giving us access to information we need to keep up with the complexity."
Based in Alexandria, Va., Corbett Technologies focuses entirely on information systems security -- in both government and commercial markets. Corbett re-emphasized the well-known principal that only 20 percent of the threat against information systems comes from outside sources. The rest, said Corbett CEO Barry Stauffer, are inside jobs. "A hacker who has access from the inside poses a more serious threat," he said.
"The Microsoft partner program couldnt have started a day too soon, Stauffer said." Securitys importance is increasing day-by-day; the public is more aware of security issues, as are executives, " he said.
Mark Wallinger, a security expert with Aelita Software Corp., based in Powell, Ohio, also welcomes the program. "Everybody thinks they have security until they find out they dont," said Wallinger, whose company will participate at the member level in the new program. " Aelita is offering a more holistic IT Intelligence Center concept, because monitoring hackers is just a tip of the iceberg. We are moving past reactive security and into the proactive."
Wallinger said education is key for his company. Being part of the Microsoft partner program is giving them access to the information and resources at Microsoft that they need to better help customers.
Corbetts Stauffer said its important for everyone who works with Microsofts products to " understand the complexity of those products. They need to have everyone who works with their products fully cognizant of security.
"By supporting Microsoft and providing them good support, were able to leverage our sales capability and grow our own business," Stauffer said. "As a security partner, were able to stay abreast of all the technological issues and trends. Yesterday, we were on a conference call with Microsoft and partners from all around the world -- we received technical information from Microsoft, and they listened to us."
Iacovelli, the security expert at Corbett, agreed that the Microsoft Security Services Partnership Program is a helpful step toward addressing security issues. "It would be impossible to make Internet-wide improvements in security without Microsoft," he said. "Everything has to start at the operating system level. End-to-end security is the only solution that works with the increasing interconnectiveness of systems."