Microsoft security chief looks beyond Vista
Ben Fathi expects his engineering expertise to have a positive influence on security at the software giant.
Ben Fathi, a software engineer by trade, took over from Mike Nash as corporate vice president of Microsoft's Security Technology Unit on June 1. Nash is on sabbatical.
The change is part of a recent shakeup in Microsoft's executive ranks, which also put someone new in charge of Windows.
Iranian-born Fathi is a tech geek who spent the last eight years in the shadows at Microsoft working on file systems. Now he's in the spotlight--in arguably the most thankless job in Redmond. Fathi is responsible for security features in Windows and other Microsoft products.
Nash liked to be the public face of Microsoft security, hosting regular "Security360" Web casts, blogging and speaking in public. That's new territory for Fathi, who delivered the first speech in his new role on Monday at Microsoft's TechEd event in Boston.
Fathi, an amateur photographer, is back fresh from a three-month sabbatical. Poster-size pictures of the trip to Africa, Europe, India and Nepal are still littered around his office.
When he's on the job, however, he's a workaholic--up all hours of the night. His wife and daughter don't expect to see much of him, now that he has taken on this new post, he acknowledged.
For Fathi, the changing of the guard is a perfect time to start looking beyond Windows Vista, the yet-to-be-released successor to Windows XP. He sat down with CNET News.com to discuss his new role at Microsoft and his expectation that his engineering background brings in leadership at a more technical level.
Q: What has prepared you for this new job, possibly the most thankless one at Microsoft and one that lunges you into the spotlight.
Fathi: I've heard that. I am very well aware that I'm taking on a huge challenge. I've been around in the industry for about 25 years now and worked in all kinds of positions. I'm a developer by training and I've worked on and built a lot of complex, high-end systems. Security is a complex problem. What I bring to the job is that experience, and knowing how to manage large organizations, how to build high-quality products, how to build components, and work with partners both internally and externally.
Q: Where do you think you and your predecessor, Mike Nash, differ?
He is much more externally focused and involved in delivering Microsoft's security message to partners and customers. I'm lot more engineering-focused, so that's an area that I need to improve in, become more externally focused.
Q: Is your engineering background one of the reasons you were put in this chair, to add a security focus on a more technical level?
I think that's one of the reasons. I'm going to continue the road that Mike and the team had started on and improve our security post-Vista, but that's the easy part for me. The team has done a great job and they'll continue to do that.
Q: What's been your first act of office?
I spent a lot of time doing deep dives on our technologies, learning about the projects and what's going into Vista and what some of the projects are we're looking at, post-Vista.
Q: What will change now that Nash has left the office?
The team has been heads down on Vista, basically adding features, fixing bugs, and improving the security and quality. One of the first things I did is say, "Great, we're almost done with Vista. There isn't a whole lot I can do personally to add to that process. we're done basically."
So I spent two days at an offsite with my direct reports and key partners in the company looking at post-Vista. I see that as the kickoff: We're done with Vista. Let's look at what areas we're going to bet on as a company and also as a team post-Vista. Mike has been involved, but I own that process.
Q: So the Vista delivery is Nash's responsibility and you're looking more into the future?Absolutely, and that's why this was a natural point in time for us to transition.
Q: Is there's anything that you can tell us about what's on the horizon when it comes to security at Microsoft.
We are concentrating on what Bill Gates talked about in February at the RSA Conference. There are four areas to our security vision: a trust ecosystem; engineering for security; simplicity; and fundamentally secure platforms. We have done a lot of investments in all of those areas, and I'm going to continue those investments.
Look at, for example, the trust ecosystem, the first step in that was delivering Active Directory Federation Services in Window Server 2003 R2. The next step, and we've done some of this in Vista, is adding things like certificate lifecycle management, so enterprises can manage digital certificates. InfoCard is also an example.
In terms of engineering for security, that's all about the Security Development Lifecycle. It applies to all of our products, not just Windows, obviously. But what we're finding is that we need to make the SDL (Security Development Lifecycle) more agile with things like MSN and Windows Live having very short development cycles and needing quick updating.
We're also looking at productizing the SDL. I don't mean selling it. But we have a book that's coming out toward the end of the year (Editor's note: "The Security Development Lifecycle" came out June 1) and we've integrated some of the SDL features into Visual Studio. So...it's not just about Microsoft. It's about third parties also using it to improve the quality and security of their products.
Simplicity obviously includes the work we've done in the platform....Windows Live OneCare and Microsoft Client Protection are about security, but realistically they are about manageability; they are about services to improve the simplicity of managing your system, whether it's your home system or enterprise security.
Finally, a fundamentally secured platform, that's the part I feel I will be reviewed on. It is about taking a lot of our investments in the platform itself and Windows and improving them.
Q: About Vista, one criticism we have heard based on early releases is that security is going to be annoying and disruptive, not simple. That goes against one of your four tenets.
Absolutely. A lot of those comments come from the December community technology preview build of Vista, which had a lot of disruptive dialogues and pop ups. We've spent a huge amount of time removing as many of those dialogues as possible, so we've significantly reduced the amount of annoyance. Between Beta 2 and RTM, we're going to continue doing that.
Q: There have been a number of acquisitions, most recently of SSL VPN provider Whale Communications, to help Microsoft become a security provider, selling security products. With your engineering background, do you see Microsoft developing more security products itself, rather than purchasing external technology?
You're going to see some of each. Three years ago we were coming into the security business and adding security to our products. We wanted to get a quick headstart. We're going to look and see if there are any innovative ideas from start-ups or from others that we can use to augment what we're doing, but we also continue to build in-house.
