Bad things happen to good software. In particular, security transgressions happen to very popular software, more because it presents a big target than because of an inherently frail constitution. Such is the case with Microsoft’s widely installed enterprise e-mail solutions, Exchange and Outlook.
Both Exchange on the back end and Outlook as the front-end client are exposed to a slew of Microsoft-targeted viruses and worms. The cost of downtime as a result of this malware plague is measured in dollars, lost productivity, disrupted communications, and massive doses of aspirin to treat IT administrators’ headaches.
Is the pain harsh enough that IT administrators are ready to dump Outlook and Exchange? And would doing so be a wise move?
Microsoft’s New Outlook
Every IT manager is familiar with the weighing of features, reliability and cost-effectiveness that goes into every software purchase decision. When considering the Exchange/Outlook quandary, it is important to remember two things.
First, Outlook is just a front end that can be used with other server engines besides Exchange. Attacks are sometimes directed specifically at the Outlook client, but other security issues can be traced to operating system and framework problems, especially in systems that are cobbled together from components acquired at different times. In other words, not every security threat spreads via Microsoft’s enterprise e-mail products.
Second, Microsoft itself is hardly content with its mixed reputation, and is doing its part to address security concerns while continuing to develop its feature set. The company’s “Trustworthy Computing” initiative involves extensive security reviews of its enterprise (and consumer) software, and results have been substantial. As Mark Levitt, vice president for collaborative computing at IDC, told the E-Commerce Times, it is “disproportionate targeting” of Microsoft that makes such tightening necessary in the first place. “Outlook doesn’t deserve the bad reputation it has,” he said.
Regrouping in Redmond
Aberdeen Group research director Dana Gardner concurred, invoking a Spy-vs.-Spy scenario in which Microsoft battles hackers, staying barely a step ahead. He also told the E-Commerce Times that Outlook-related security issues have not been as severe lately as in the past.
And with Exchange Server 2003 (formerly and evocatively code-named Titanium) coming down the pike in mid-2003, Microsoft is promising greater cost-effectiveness and server consolidation. That is a significant potential benefit, since the ability to run enterprise communications using fewer machines is a core value of network administration. In its own internal migration to Exchange 2003, for example, Microsoft intends to reduce the number of e-mail servers in its U.S. network from 70 to 20.
Also, in recent press releases, Microsoft has emphasized the ease of upgrading to Exchange 2003 — not a trivial benefit for time-pressed IT administrators, if it proves to be the case.
The Price of Change
Does all of this mean it is not worthwhile to migrate from Outlook/Exchange to an alternate solution? The answer depends on several factors. True, software migration is painful for administrators, business departments, technicians and end users, but in some cases, the results are worth the pain.
The decision to abandon Microsoft e-mail solutions seems unthinkably futile to some — but other experts say the expense of migration and retraining is a necessary cost of correcting a mistake that never should have been made.
Judson Whiting, formerly an IT manager at SBC Communications and now a systems consultant who has managed back-end conversions for Aetna and Unisys, is in the latter camp. He told the E-Commerce Times that he prefers safer alternatives to Microsoft. Whiting emphasized the damage of service disruption and said he takes the long view of cost-effectiveness. “What’s the cost incurred in a day-long interruption?” he said. “And over the course of time, what pays out better?”
Levitt, on the other hand, said dumping Outlook solely because of hackers would be short-sighted. He stressed that Outlook is the most feature-rich client that can be paired with Exchange, and that replacing just one end of the equation (either Exchange on the back end or Outlook on the front end) will not necessarily solve security problems.
If an IT manager does make the choice to switch, what options are available?
Whiting, who by his own description “was never an Exchange man,” said he likes Novell GroupWise, which supports the Outlook interface for administrators who do not wish to foist a new client on end users. GroupWise also implements instant messaging and a Web interface.
Meanwhile, Samsung is trying to crack the Exchange market with its Contact product, built on the OpenMail standard the company acquired from Hewlett-Packard. Adoption of Contact is furthered by OpenMail’s large installed base, which, as of October 2002, was estimated by Aberdeen Group to be 60 percent of Fortune 1000 companies, translating to about 5 million end users.
IBM’s Lotus Notes is another player in the communication and collaboration sector. The software, which operates atop the Domino server platform, is a soup-to-nuts alternative to Exchange and Outlook.
And the Oracle Collaboration Suite, due in mid-2003, combines a suite of unification features including e-mail, calendaring, conferencing, voice mail, instant messaging and an online whiteboard.
The Bottom Line
In the end, when it comes to Microsoft’s enterprise e-mail products, administrators must balance the expected cost of migration and retraining against the cost of probable downtime if a switch is not made — all the while considering the familiar feature set that Redmond brings to the table.
An analytical white paper by Aberdeen Group identified several core values of a high-quality messaging and e-mail product:
Of course, it would help if the system were not the target of every software worm breeder attempting to disrupt electronic communications. As Aberdeen’s Gardner said, “Security is always at the top of the list of concerns.” But it is not the only concern, and IT managers would do well to take all factors into account before making their decision.
The problem I have with this story is the characterization of Outlook as good software. No *good* software would execute code of any kind in a message attachment without express permission by the user. Not even HTML code. At the very least, such ‘features’ should be turned OFF by default. To have them ON by default is an open invitation to every piece of malicious code in the world. MS has known this for years… still they do nothing about it. Trusted computing? I don’t think so.
I agree that those options should be off by default and the settings should be obvious (it isn’t obvious where or how to disable these things).
That said, Outlook is great software – the Groupwise client has only at version 6.5 finally implemented something like a semi-decent interface – clearly someone over at Novell finally took a look at Outlook; still a lot of work to do though, especially adding much-needed features like being able to choose to move your mail off the server onto a local machine.
This article implies that Outlook can be successfully used as a client for a Groupwise server – my experience is that this only sort of works. I’m still looking for a good client that will pull the mail off the server so I can replace the idiot Groupwise client.
I along with all my fellow employees used Outlook as our client in conjunction with a POP3 server for over 6 years and we did not suffer a virus/trojan infection even once. And that with Outlook simply installed, no tweaking for security. Now we’re stuck with Groupwise which is a pain each and every day.
I am amazed at the lack of research that was put into this article. The #1 mail server as of October 2002 by Gartner standards is SunONE Message server, and it isn’t even mentioned. It allows you to use a Lotus, Eudora, Outlook, etc client. Our company switched over two years ago to a SunONE solution after inferior Microsoft products disrupted our business for 5 days. It wasn’t the first time; it was the last.
We have run on a single UNIX server with 100% uptime for over 5000 users. We no longer have 7 people running the mail department. When a new employee is hired the HR department sets up their email account through a delegated administrated window and we are automating that with another new product from Sun. Try and do that with Microsoft. The main problem is that IT departments are still trying to control turfs and won’t step out of their comfort zone.
What kind of world is it going to be if Microsoft is the de facto standard; we have no choice and we shouldn’t consider switching? We should wait until Microsoft fixes their security? And oh, by the way, it’s okay that ATM financial networks were brought down this weekend. Give me a break.
Most of our employees started out using the Outlook client because it was familiar to them and now, 2 years later, 75% of our users just use the webmail interface from Sun because they get their Voice Mail, email, and Faxes in one spot and can log in from anywhere in the world. Their comments on the features of Microsoft are that "they don’t need them" and do not have the time to learn them. Our users do not want continuous upgrades. They want something that they can learn and stick with. We are finally free from Microsoft.
Large corporations should not trust the kingdom to MS Software! If companies are serious about so-called "24×7" availability, then MS has got to go – across the board!