Posted by: Steve Coplan | May 18, 2006

Misadventures in product marketing

Microsoft lands a big fish. Of course, the Whale is actually a mammal. You could have read all about it here….

Impact Report

Will acquisitions figure in Microsoft's security plans?

Analyst: Steve Coplan
Sector: Networks & Media »»
Date: 6 Dec 2002
Email This Report: to colleagues »» / to yourself »»

Security, as one of the major elements of its trustworthy computing initiative, is taking center stage at Microsoft. The company is actually better known for creating security vulnerabilities with its software than for solving them, so it now faces the choice of developing security platforms internally or using its colossal cash pile to acquire smaller players or even some public companies, such as SonicWall or Network Associates. Technology integration issues could, however, put a damper on some acquisition activity. Either way, much of the software giant's attention will be focused on application layer security, an increasingly crucial element in Web services development.

Impact assessment

The message
Security is only one element of its trusted computing initiative, Microsoft argues, but it's a crucial one given both its enterprise and Web services ambitions. A memo from Bill Gates to Microsoft employees issued in mid-January classified the initiative as a strategic thrust on the same level as the company's Internet campaign launched by his infamous 1995 memo.
Competitive landscape
In the firewall market, Microsoft's competitors include CheckPoint (although Microsoft doesn't license its software), Symantec and SonicWall.
The 451 Assessment
Microsoft has the benefit of enough resources to throw at internal developments, partnerships and acquisitions. Security is clearly more of a strategic imperative, and the company has to plug holes in its operating system and applications. Also shifting the balance in favor of acquisitions and a more speedy time to market is the growing realization of how fundamental application layer security will be to Web services.


The vulnerability of Microsoft's software is legendary. Some wags within the security industry joke about the company keeping them in business. But it isn't exactly without a presence in the security space. Its Internet Security and Acceleration (ISA) Server – basically an IPSec firewall – generated sales of $84m last year, industry analysts estimate, and will probably see revenues hold steady or even increase this year. Since Microsoft already has a firewall appliance, any development efforts or acquisitions in the near term would focus on the complementary area of secure socket layer (SSL) processing to counter hacker susceptibilities in its Internet Explorer or ensure secure remote access to Exchange servers. The company relies on partners for functionality like intrusion detection systems, antivirus and secure socket layer processing, which are gaining prominence.


Microsoft, of course, has the resources to develop those capabilities internally, but may opt for an acquisition to cut out the time spent on development and get to market earlier. Partnerships are another option, but Microsoft's record with partnerships may prove a deterrent. In addition, Microsoft doesn't run the same level of risk of being penalized by the market for making an acquisition based solely on technology, nor of being penalized for any earnings dilution, as Brocade has witnessed with its Rhapsody purchase. The software giant doesn't have to buy customers – although it could be interested in gaining exposure to particular verticals – or have to worry about sales channels.

The areas that Microsoft is believed to be exploring include security appliances, configuration management, distributed firewall and VPN appliances, host-based intrusion detection and vulnerability assessment.


While the number of companies with technologies for application layer security is expanding, few of the appliances run on the Windows operating system, However, one reason why Microsoft has chosen to partner with a few startups in the market for secure remote access to Exchange servers – apart from the fact that it hasn't yet developed a suitable product – is that it recognizes that enterprises would prefer to buy their security infrastructure from a vendor other than their computing software vendor. Offsetting that concern is a growing realization of the need for application layer security if Web services are to take hold.

Few security appliances are based on Windows for a number of reasons. For one thing, Windows is prone to security vulnerabilities, a condition heightened by the sheer volume of source code. Second, the operating system is expensive in comparison with Linux, the open source operating system preferred by many of the security appliance vendors. Sun recently licensed software from CheckPoint to run on its Linux-based VPN appliance. Lastly, the trend in the security world is toward hardware-based platforms, few of which run on Intel chips, and those that do use the chipmaker's network processors.


Candidates for acquisition would naturally be drawn from its pool of partners. The company has partnered with Finjan, Trend Micro and Symantec for content security, and with AEP Systems and nCipher for secure socket layer acceleration. The privately held companies – Finjan and AEP Systems – are probably stronger candidates for acquisition than larger companies such as fileserver antivirus vendor Trend Micro.

NCipher is an interesting case, because the company is sitting on about $150m in cash, but sales are limping along at about $10m a year, with operating losses at about half of that. Dublin-based AEP in September acquired Baltimore Technologies' security hardware business, and recently inked a partnership with F5 to integrate its SSL accelerator card, which downloads much of the SSL processing off the CPU, into F5's blade server.


One area Microsoft is sure to explore is SSL VPN devices. It already has a partnership with Whale Communications for secure access to Exchange servers, and Neoteris, backed by Jim Clark, may attract its attention for other reasons. Multifunction devices from companies such as NetScaler, Array and Redline, which integrate load balancing and security features, could provide a basis for a security appliance. But this would involve a foray into networking, where Microsoft has not had much presence. Sanctum may be an interesting target on account of its vulnerability assessment tool.

Could a large public company figure in Microsoft's plans? The embedded personal firewall in Windows XP makes Microsoft either a competitor or a stronger partner for Symantec or Network Associates, particularly for antivirus. In terms of shrink-wrapped software, both companies are close on the heels of Microsoft itself. Microsoft could conceivably acquire either to take out a desktop firewall competitor and integrate desktop antivirus capabilities.

In terms of appliances, there are plenty of targets, depending on how far up the networking stack Microsoft wants to go. One prime candidate is SonicWall, which we wrote about on October 18. SonicWall's primary attraction is its appliance platform, targeted mostly at the low end of the VPN and remote-access market. The company is trading at a discount to cash, but is still wrestling with its channel strategy. Microsoft could solve that problem fairly easily, while adding an important element in its VPN strategy without having to invest in R&D or strike several technology partnerships.

SWOT analysis

Strengths Weaknesses
Microsoft after all is Microsoft, and its ISA firewall has generated decent sales. With $40bn in cash and an attractive currency in its stock, the software giant has plenty of options for both acquisitions and heavy R&D investment. The security pitfalls of Microsoft's software are well documented. The need to develop path and configuration management software hints at the instability of its underlying code.
Opportunities Threats
Could security prove to be a significant area of growth for Microsoft? The establishment of its Security Business Unit may serve as some indication of Microsoft's own intentions, but could just as well be based on strategic concerns. Microsoft treads a fine line, and could easily end up promising too much. Equally, it could find its efforts spread across too wide an area.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


%d bloggers like this: