The software maker said it was making security its top priority when it three years ago. Since then, it has overhauled its in-house development to bolster security and has put its $38 billion war chest to work. It has been buying antivirus and anti-spyware companies and other security assets--acquisitions that have been closely watched.
"While there is a great deal of hoopla around the acquisitions, what is more important is to see what they make of them," said Michael Cherry, a lead analyst at Directions on Microsoft in Kirkland, Wash. "I don't think that the past acquisitions have shown a tremendous payback yet."
While Microsoft's latest deals show it's committed to building its security muscle, some analysts say the company needs to focus on a clearer and more productive strategy.
It's about time that Microsoft turned the technologies it has picked up into actual products that customers can use, analysts said.
It's about time that Microsoft turned the technologies it has picked up in its scattershot buys into actual products that customers can use, analysts said.
The company announced its takeover of FrontBridge Technologies, a hosted e-mail security provider, on Wednesday, the same day it said it had taken a minority stake in Finjan Software and licensed some of the security appliance maker's patents on behavior-based intrusion detection technologies.
These moves follow the acquisitions of Romaniantwo years ago, desktop in late 2004, and corporate earlier this year. Sybari software can use multiple engines to scan e-mail and instant messages for viruses and spam.
The takeovers seem random, said Pete Lindstrom, a research director at Spire Security. "I think it is a reactive approach. They are picking up security products that they think are important to customers," he said. "It doesn't strike me that there is an obvious strategy to this."
Every product group is involved in Microsoft's companywide commitment to providing users with a secure computing experience, Amy Roberts, a director in Microsoft's security business and technology unit, said in an e-mailed statement. "Microsoft's recent acquisitions in the area of security represent continued investments in innovation, customer guidance and industry partnerships," she said.
Microsoft first took on the safety of its own products with its Trustworthy Computing push. With the acquisitions, the software maker attempted to move itself into a position to become a player in the security market and offer additional products to protect both consumers and business users. The ultimate goal is to counteract the perception of Microsoft as provider of insecure software, Cherry suggested, "to make it such that customers have no doubt that they are purchasing a secure system when they choose Windows," he said.
It is evident from the purchasing campaign that security continues to be important to the Redmond, Wash., company, analysts said.
But the series of takeovers may also signal that Microsoft's own development efforts are falling short, suggested David Schatsky, a senior vice president at Jupiter Research.
"They have been focusing a lot on internal development as well as these acquisitions, which signify that they are probably not satisfied with the pace at which they have been able to build up their security capabilities," Schatsky said.
"Security is a top priority for Microsoft," Roberts said. "Innovation is constant at Microsoft."
Since launching its Trustworthy Computing Initiative, Microsoft has changed the way it develops software in order to make its technology more secure. The "security development lifecycle process" is aimed at vetting code before pushing out products. Also, Microsoft does have protective programs that it built itself, such as the Windows Firewall for PCs and the ISA Server firewall for server computers.
This internal development and the outside acquisitions have left Microsoft holding a range of technologies. The question is how the company will tie all these together and how they can work with its lineup. "It is not the purchase that is important; it is how well Microsoft can integrate the purchase into its existing products and services," Directions on Microsoft's Cherry said.
Signed and sealed
Microsoft has bought up key companies and intellectual property rights with an eye to offering security add-ons for Windows systems and company networks.
- Company: Based in Marina del Rey, Calif. Privately held
- Products: Hosted e-mail and messaging security and compliance services
- Deal: Acquisition expected to close before the end of the third quarter pending routine regulatory review
- Date: July 2005
- Plans: Offer Exchange users a hosted service for security and compliance
- Company: Based in San Jose, Calif. Privately held
- Products: Appliances for behavior-based protection against unknown security threats
- Deal: Minority investment, patent licensing
- Date: July 2005
- Plans: Microsoft has not said how it will use Finjan's ideas in products
- Company: Based in East Northport, N.Y. Privately held
- Products: Software to filter viruses and spam on networks. Antivirus engine not included
- Deal: Acquisition, now a subsidiary
- Date: February 2005
- Plans: Antivirus and antispam tool for e-mail and collaboration servers
- Company: Based in New York. Privately owned
- Products: Software to combat spyware, pop-ups and spam
- Deal: Acquisition, now a subsidiary
- Date: December 2004
- Plans: Anti-spyware product for Windows (in beta for consumers), enterprise version also planned
- Company: Based in Bucharest, Romania. Privately held
- Products: RAV antivirus engine
- Deal: Sale of technology and intellectual property
- Date: June 2003
- Plans: Paid antivirus add-on for Windows; to integrate with Sybari software. Also used in Windows Malicious Software Removal Tool and OneCare consumer security product
And that is where the company has not delivered, Cherry said. The software maker bought GeCad in 2003, but the antivirus technology has yet to surface in a Microsoft product. Yes, in its security patches Microsoft offers a tool to detect malicious code, but it is not "obvious that they have capitalized on the GeCad purchase," Cherry said.
Also, while the Giant anti-spyware product was turned into a Windows AntiSpyware beta release within a month, it still is in its first beta seven months later, and there is no word on when a final version might be delivered, Cherry said.
Integration of acquired technologies takes awhile, Microsoft's Roberts said. "Like most investments, technology investments often require time to mature in order to realize their full potential to customers," she said.
Microsoft appears to be busy working on its product portfolio. Selected testers recently got their hands on Windows OneCare, a subscription antivirus and anti-spyware service for consumers. OneCare marks Microsoft's entry into the antivirus space--until now the domain of specialized vendors such as Symantec, McAfee and Trend Micro.
As with Windows AntiSpyware, however, Microsoft has not committed to a delivery date for the final OneCare product. A broad public beta is planned in the United States later this year, Microsoft has said.
Microsoft completed the acquisition of Sybari last month. The company continues to offer a range of Sybari products for Windows. Microsoft has also said that it will support the Sybari lineup predating the buy, but that it plans to stop selling tools for Unix and Linux.
Jupiter Research's Schatsky predicts that Microsoft will slow the pace of acquisitions over the coming year.
"At the same time, the pace of integrations may increase, as they have obtained a lot of new technology that now needs to be integrated into their products," he said.
Over the next months, a sense of Microsoft's grand plan for security may well emerge. But for now, some industry insiders are left scratching their heads, given the pattern of acquisitions. Microsoft's latest security buy, that of hosted e-mail security services provider FrontBridge, has Dean Drako, CEO of e-mail security appliance maker Barracuda Networks, wondering what the company is up to.
"Microsoft has traditionally been more of a software company than a service company," Drako said. "I am not sure what is going on."