Microsoft Pushes Back

Microsoft Corp. (Nasdaq: MSFT) is answering an analyst report criticizing the security in its new direct push email system for Windows.

Redmond tells Unstrung that its email system already offers security levels sufficient for enterprise users and that it is working on updates.

The rebuttal was sparked by a report issued last week by Jack Gold at J.Gold Associates contending that the way Microsoft sends mobile email could leave data on the device insecure. (See Microsoft's Push Security Problems.)

"There are a lot of things that he missed," says John Starkweather, group product manager for Windows Mobile.

Gold said that data is left unencrypted on the device, which presents a security risk. Starkweather says that there is a good reason for not encrypting data on the device, and that Microsoft has instead built in other safeguards.

"The problem with that is that it's a feature that hardly anybody uses because it slows down the device so much," Starkweather says.

Instead, Microsoft's OS has a feature that wipes out Microsoft data (Outlook and other attachments) if the device is lost or stolen or if the password is entered incorrectly too many times. Redmond has also opened up the API [programming hooks] so that third parties can take advantage of the same feature.

Starkweather also says that the SSL link that Microsoft uses to transmit email data is secure enough for enterprise use. "It's the same connection mechanism that a business would use for a PC," he notes.

In general, Starkweather says that companies have not yet grasped the full importance of securing sensitive data on mobile devices, and that more work needs to be done on user education. "I think that the biggest challenge for the industry is educating users," he says.

The next major round of security updates will come with the next version of Windows Mobile, codenamed "Crossbow," which Starkweather says should be available on handsets in the second half of 2007.

— Dan Jones, Site Editor, Unstrung

jackgold 12/5/2012 | 3:35:32 AM
re: Microsoft Pushes Back

First, we did say in the report that the SSL link was secure and good enough for virtually all users and we had no problem with that. Second, while encryption/decryption does slow things down - the fact is that with all the horsepower now on smart phones (300MHz-600MHz processors, lots of memory), this is a trivial issue (unless the device is brain dead, which most current devices are not, and WM ONLY runs on current high powered devices). Both Blackberry and Good provide data encryption capability and their users don't seem to be complaining about the delays on the BBs or Treos. Third, while device kill is important and MSFT began supporting this in the last update, it is not sufficient in our opinion (BTW, the other vendors have had device kill for quite some time). It is quite possible that a device could be lost for hours, days or even longer before anyone discovers it is missing and the kill message is sent, giving anyone finding it a chance to pick it up and recover data. And, the current system does not force users to deploy password protection, unless that policy is specifically set by the company policy manager, which may or may not happen (the kill function also has to be specifically set up as a policy) - but in fairness, the same is true on Blackberry and Good as well. Finally, we do agree with John Starkweather's comments on the fact that most companies and users do not have a good handle on what is needed for adequate levels of mobile security, and that it is in the interest of everyone - analysts, vendors, publications, and especially enterprises - to raise that level of awareness. But saying we don't have it so they don't need it is not the answer. Ask a government agency and see if they need encrypted data on a device (or health care providers, or financial institutions). These guys are all looking for FIPS certification. Can MSFT get FIPS certified with their current design?

By raising this issue, I would hope the next version of WM makes encryption and enhanced security a priority (sometimes promoting visibility of deficiencies helps get those deficiencies corrected quickly). If so, I'd be the first to congratulate MSFT on a job well done. Honestly, I would expect MSFT to be a leader in security, not a market follower playing catch-up.

Jack Gold
Founder and Principal Analyst
J.Gold Associates

frnkblk 12/5/2012 | 3:35:31 AM
re: Microsoft Pushes Back

It's that whole "data in transit" versus "data at rest" categorization. A product, application, or solution that wants to be secure needs to address both.

Microsoft took care of one, but ignored the other.
