how microsoft does end-to-end it security bruce cowper senior program manager, security initiative...
TRANSCRIPT
How Microsoft does end-to-end IT Security
Bruce Cowper
Senior Program Manager, Security Initiative
Microsoft Canada
Agenda
The Microsoft Landscape
IT Environment
Business Challenges
“Chief” Concerns
Who We Are and What We Do
The Security Lifecycle
Internal Alignment
Strategies and Tactics
Information Security Futures
340,000+ computers
121,000 end users
98 countries
441 buildings
15,000 Vista clients
25,000 Office 2007 clients
5,700 Exchange 12 mailboxes
31 Longhorn servers
46,000,000+ remote connections per month
189,000+ SharePoint Sites
4 data centers
8,400 production servers
E-mails per day: 3,000,000 internal; 10,000,000 inbound; 9,000,000 filtered out
33,000,000 IMs per month
120,000+ e-mail server accounts
Microsoft IT Environment
Balancing Business Challenges
• 30K partners with connectivity needs
• Corporate culture of agility and autonomy
• Large population of mobile clients
Beta environment
“First & Best Customer”
Secure Network+
Compliance
Software Dev business
requirements
Network Attacks Are… Sophisticated, Covert, Complex
Microsoft CISO Concerns
Regulatory compliance
Mobility of data
Unauthorized access to data
Malicious software
Supporting an evolving client
The Security Lifecycle
Define
Assess
Design
Respond
Operate
Monitor
“FAST. RELIABLE. PROTECTED. SECURE BY DESIGN.”
How We Align
App Consulting & Engineering
• End-to-End App Assessment & Mitigation
• Application Threat Modeling
• External & Internal Training
Engineering & Engagement
• Engineering Lifecycle Process & Methods
• Secure Design Review
• Awareness & Communication
Network Security
• Monitor, Detect, Respond
• Attack & Penetration
• Technical Investigations
• IDS and A/V
Identity & Access Management
• IdM Security Architecture
• IdM Gov & Compliance
• IdM Eng Ops & Services
• IdM Accounts & Lifecycle
Assessment & Governance
• InfoSec Risk Assessment
• InfoSec Policy Management
• Security Architecture
• InfoSec Governance
Compliance
• Regulatory Compliance
• Vulnerability Scanning & Remediation
• Scorecarding
Define
Assess
Design
Respond
Operate
Monitor
Pursuing Excellence
Technology: Connected, Current, Leveraged
Process & Policy: Global, Standard, Followed
People: Skilled, Intelligent, Informed
Key Strategies and Tactics
Assessment of risk
Identification of potential threats
Mitigate risk through five key strategies
Identity & Access Management
IP and Data Protection
Secure the Network
Enhanced Auditing & Monitoring
Awareness
Key Strategies and Tactics
Secure Extranet and Partner Connections
Secure Remote Access
Network Segmentation
Network Intrusion Detection Systems
Hardening the Wireless Network
Strong Passwords
Public Key Infrastructure: Certificate Services
E-Mail Hygiene and Trustworthy Messaging
Least Privileged Access
Managed Source Code
Security Development Lifecycle - IT
Securing Mobile Devices
Automated Vulnerability Scans
Combating Malware
Security Event Collection
Information Security Policies
Training and Communications
Identity & Access Management
IP and Data Protection
Secure the Network
Enhanced Auditing & Monitoring
Awareness
Futures
How Did We Approach Security?
Viruses, Spyware and Worms
Botnets and Rootkits
Phishing and Fraud
Deploying Security Updates
System Identification and Configuration
Security Policy Enforcement
Identity Management and Access Control
Managing Access in the Extended Enterprise
Security Risk of Unmanaged PCs
Regulatory Compliance
Development and Implementation of Security Policies
Reporting and Accountability
Virus & Malware Prevention
Business Practices
Implementing Defense in Depth
Security Management
Secure against attacks
Protects confidentiality, integrity and availability of data and systems
Manageable
Protects from unwanted communication
Controls for informational privacy
Products, online services adhere to fair information principles
Predictable, consistent, responsive service
Maintainable, easy to configure and manage
Resilient, works despite changes
Recoverable, easily restored
Proven, ready to operate
Commitment to customer-centric Interoperability
Recognized industry leader, world-class partner
Open, transparent
Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe
Excellence in fundamentals
Security innovations
Best practices, whitepapers and tools
Authoritative incident response
Security awareness and education through partnerships and collaboration
Information sharing on threat landscape
More than 292 million copies distributed (as of June)
Significantly less likely to be infected by malware
Service Pack 2 Service Pack 1
More than 4.7 million downloads (as of May)
More secure by design; more secure by default
Helps protect against spyware; Included in Windows Vista and as free download
Most popular download in Microsoft history with over 40M downloads
4.5B total executions; 24.5M disinfections off of 9.6M unique computers
Dramatically reduced the number of Bot infections
As of October 2006
Microsoft’s Security Development Lifecycle
Corporate process and standard for security in engineering
Evangelized internally through training
Verified through pre-ship audit
The Security Development Lifecycle book
Shared with ISV and IT development partners
Documentation and training
Learning Paths for Security
Active community involvement
Automated with tools in Visual Studio
PREfast
FxCop
Guidance
Developer Tools
Systems Management
Active Directory Federation Services (ADFS)
Identity Management
Services
Information Protection
Encrypting File System (EFS)
BitLocker™
Network Access Protection (NAP)
Client and Server OS
Server Applications
Edge
Infrastructure Optimization Model
Cost Center
Uncoordinated, manual infrastructure
More Efficient Cost Center
Managed IT infrastructure with limited automation
Managed and consolidated IT infrastructure with maximum automation
Fully automated management, dynamic resource usage, business linked Service Level Agreements (SLA)
Business Enabler
Strategic Asset
* Based on the Gartner IT Maturity Model
Infrastructure Optimization
● IT staff taxed by operational challenges
● Users come up with their own IT solutions
● IT Staff trained in best practices such as Managed Object Format (MOF), IT Infrastructure Library (ITIL), etc.
● Users expect basic services from IT
● IT Staff manages an efficient, controlled environment
● Users have tools they need, high availability, & access to information
● IT is a strategic asset
● Users look to IT as a valued partner to enable new business initiatives
● IT processes undefined
● High complexity due to localized processes & minimal central control
● Central Admin & configuration of security
● Standard desktop images defined, not adopted company-wide
● SLAs are linked to business objectives
● Clearly defined and enforced images, security, best practices (MOF, ITIL)
● Self assessing & continuous improvement
● Information easily & securely accessed from anywhere on Internet
● Patch status of desktops is unknown
● No unified directory for access management
● Multiple directories for authentication
● Limited automated software distribution
● Automate identity and access management
● Automated system management
● Self provisioning and quarantine capable systems ensure compliance & high availability
IO at Microsoft: a Work in Progress
● IT Staff trained in best practices such as MOF, ITIL, etc.
● Users have access to information through OWA, Intranet, Mobile Devices
● Microsoft IT is seen by customers and developers as a critical testing ground for new products
● Central Admin & configuration of security through network access protection (NAP), IP Security (IPSec), smart cards
● Industry leadership in security, best practices (MOF, ITIL)
● Users have SLA of 99.99%
● Information easily & securely accessed from anywhere on Internet through Remote Access Server (RAS) Access & OWA
● Leading Security response (MSRC)
● Centralized directory
● Update management through Systems Management Server (SMS)
Hardware / Software
Total Direct Costs
End User Productivity & Downtime
Total TCO
Administration
Operations
$1,258
$394
$366
$2,017
$1,306
$3,323
$1,406
$734
$428
$2,568
$2,952
$5,520
$1,366
$617
$373
$2,356
$2,450
$4,806
16% 36%
13% 31%
8% 14%
One Benefit: Desktop Cost Savings
Security
Productivity
Operations
47% reduction: critical update deployment time
Examples of IO Benefits at Microsoft
SMS: Patch/Update Management
93% reduction: number of Exchange sites
30% reduction in infrastructure servers
Improved SLA to 99.99%
200% increase in storage capability
Reduced support costs $3 million
Reduced internet costs $6.5 million
Server Consolidation & Operational Efficiencies
Improved connectivity through IM, SPS, Remote Mail, Smart Phones
60,000 new Outlook Web Access (OWA) users
180,000 SharePoint® Team Sites
Mobility client satisfaction improved 18%
Key Capabilities
Identity & Access Management
Desktop, Server, & Device Management
Security & Networking
Data Protection & Recovery
Communications & Collaboration
Mediums Technology Futures
Participation in Security-101
Information Security Futures
Vista: User Account Protection
Vista: Next-Generation Secure Computing Base
Vista: Interactive Logon Pilot
Vista: Credential Roaming
Longhorn Public Key Infrastructure
Network Access Protection