My last job at Microsoft was as the “Chief Architect” of the Identity and Security Division (and briefly its successor organization, DAIP) and General Manager for Forefront UAG, Forefront TMG, Rights Management Services, Certificate Services, Windows NAP, and some other odds and ends. The odds and ends are always amusing. Project Sydney reported to me for a short time. And after RMS started working for me I was shocked to discover I was now responsible for the aging software and infrastructure used for Microsoft Reader DRM. Funny how no one mentioned that before I took the job! There has been a lot of news about all these items over the last year, but this posting is specifically about Forefront.
As you may know this week Microsoft killed off the Forefront brand, killed some of the Forefront products, and renamed others to reflect their real strategic alignment. This is the natural outcome of a process that started about four years ago, and most specifically two and half years ago, as the economic downturn and resulting budget cuts at Microsoft collided with its ambitions in the security products space.
In the early years of the last decade (2000-2002) two factors came together at Microsoft that would lead it into the security products business. The first was the recognition that the Internet had changed the game in terms of the security required of Microsoft’s software and ecosystem (and that Microsoft was failing miserably at it), and second was a search for new revenue streams to complement the maturing Windows business. The former people are quite familiar with as Microsoft pursued Trustworthy Computing, took a hiatus from development on many of its products to do a security cleanup, created the security development life-cycle, replaced manual updates with automatic updates across its product lines, etc. But what of its ambitions for a new revenue stream?
Step back to the 2000-2002 period and look at the really strong IT growth businesses and you find Storage Management and Security at the top of the list. In 2004 Symantec would go as far as to combine these two by acquiring Veritas for $13.5 Billion (which is what Symantec’s market cap is today, hmmmm)! Microsoft created two new businesses pursue these markets, a Storage Management business under Bob Muglia and a Security Business under Mike Nash. Neither worked out as expected, though the Security Business came close.
The problem for Microsoft in the early days of its security products business was where to prioritize protecting the Windows ecosystem from malicious activity and where to seek revenue. In one of the earliest moves they made (and I was not an employee at the time, so only have second or third-hand knowledge of what was happening) they introduced a free Anti-Spyware offering called Windows Defender. At the time the Anti-Virus business was well established but mainstream vendors such as Symantec had not yet addressed the growing category of Spyware. A complicating factor for Microsoft was its (then very active) anti-trust issues, where introducing anything free (or worse, packaged with Windows,) was a lightning rod for regulators. So while to those of us on the outside it seems like introducing a free anti-virus product would have made sense, Microsoft instead chose to introduce the paid OneCare service (of which anti-virus was one component). I don’t know how much of this decision was due to its revenue ambitions and how much was due to its anti-trust concerns, but nonetheless the Windows ecosystem did not gain the protection it really deserved. Later, as third parties such as Avast! had success with free anti-virus offerings, Microsoft would introduce the free Microsoft Security Essentials. And with Windows 8 it would (finally!) upgrade the built-in Windows Defender to have full anti-malware capability.
But the real story here is, of course, products for enterprises. Enterprise security products is where the real money is. There is also less conflict with the notion of ecosystem protection versus selling products because enterprises want far more than the basic protection capabilities. No medium to large enterprise is likely to rely on Windows Defender (or Microsoft Security Essentials), not because of any perceived lack of protection but because they don’t offer the centralized reporting and control that enterprises require. Likewise edge protection, that is protecting the corporate network, is something that enterprises have extensive control and reporting requirements on. So this is where Microsoft’s product business focus went, leading to the Forefront brand and products.
Creating Forefront initially is a typical story of pulling together unrelated, even competing, products and acquisitions. For example, Microsoft made three attempts at addressing the SPAM problem. First, the Exchange team took the Microsoft Research developed SmartScreen technology and incorporated it into Exchange as the Intelligent Message Filter. This was a very basic capability that was heavily used by smaller Exchange installations, but was inadequate for larger enterprises. Meanwhile the Exchange team was looking for a solution to high availability and archival requirements and acquired Frontbridge. Frontbridge also offered anti-SPAM as part of its service. At the same time the security business acquired Sybari so that it could offer an anti-SPAM product. This became Forefront Protection for Exchange (FPE). Eventually Frontbridge would be split in two, with the archival offering moving to the storage management business and the anti-SPAM service moving to the security business and becoming Forefront Online Protection for Exchange (FOPE).
Anyway, Microsoft ends up with a bunch of security products for the enterprise. Its ambition is to be a full-line security products vendor and build another $Billion business. A major project is initiated to re-engineer the entire product family and integrate it under a truly unified management umbrella. The group, at this point the Identity and Security Division (ISD), hires a lot of people and embarks on this major undertaking. It turns out to be an over-reach that is very late and is perceived by some to be both lost in the woods and to have made some poor technology choices. A new management team is brought in to get ISD on track.
At the same time this is happening Microsoft’s first set of budget cuts and large-scale layoffs hits, and ISD is hit hard. Two more rounds of cuts would occur over the following 18 months. The first round didn’t really change ISD’s ambitions, it just added to the need to do a reset on the Forefront product plans and re-think tactics and priorities for addressing the market. The second round lead to a re-think about competing across the security product space and to a few areas being declared non-strategic with dramatically pared investment levels. The third round put back into play the question of what’s important, having a security products business per se or having security products that support the needs of other strategic Microsoft initiatives.
External observers saw the first results of our decision in a reorganization about two and half years ago. ISD was dissolved with some products moved to the groups they aligned with and the remained becoming a new Directory, Access, and Information Protection (DAIP) division. In particular end-point security, as well as the general protection technology responsibility, was moved into the management division and the email (and related) filtering technologies were moved to the Office Server organization. Forefront retained a business organization and umbrella, but with the products split over three Microsoft divisions and two Presidents it is no wonder that the other shoe dropped this week.
Forefront as a business is gone. The offerings within Forefront have either been absorbed into the Microsoft offerings they were aligned with, into the businesses they were aligned with, or where neither made sense been declared end-of-life.
Forefront TMG (previously known as ISA) was one of the casualties. This one strikes close to home because it was one of “mine”. TMG was victim to a changing landscape in which the vast majority of the network edge security business had moved to network appliances. And so TMG was the leading product in the software-only category, but it had become an insignificant factor in the overall market. In addition, the general view was that the network boundary was going to disappear as the trends toward BYOD, IPv6, and IPsec accelerated. As such TMG had lost its strategic value before TMG 2010 (which was the major revamp and rename from ISA) even shipped. It’s demise was inevitable, and I knew it couldn’t be far off when I saw an article in which Microsoft made available a SNORT rule that Microsoft IT had created. That meant Microsoft IT had abandoned TMG in favor of a SNORT-based solution.
While Microsoft’s moves with Forefront over the last few years will no doubt cause many customers pain, one has to ask if in the end customers will be better off for them. I think so. Security is being better built into Microsoft’s products and management of security is more fully integrated into Microsoft’s overall management tool set. The focus is on “your email is protected”, “your computer is protected”, “you can centrally manage the security of all your systems” and less on “how do we compete with security vendor X”. I’m actually quite pleased with where things are ending up.
There is a lot more that can be said about why an effort like Forefront was so difficult to pursue inside Microsoft. Comments I’ve made in other blog postings about Microsoft’s sales model apply, for example. But I’ll stop here. Forefront is gone. Hopefully it won’t be missed.