Implementing Security in Microsoft Internal IT (MSIT)
We are like other large companies' IT departments: common infrastructure for the business units.
• Security, Cost Reduction, Compliance and Privacy are our Top Priorities
• Reactive and Lacks Agility
• Ubiquitous Environments
• The Challenge of Consumerization of IT
• The Cloud Imperative
• BI & Analytics Rule the Day
• Vendor Consolidation
• IT Simplification and Optimization
• IT Talent Retention and Attraction
• IT Business Alignment, Prioritization and Partnership
• Innovation that Drives Productivity
• Being Microsoft’s First and Best Customer
• Perpetual Software Deployments
• CIO-Led Revenue Growth & Customer Engagement
• Running an Enterprise on Beta Release Software
• A Company of 95,000 CIO’s
• Biggest Target for Security Attacks
• Moving from a Code Centric to a Data Centric Organization
• Moving from a Functional Based Org to a Process Centric Org Model
• Self Service Model
• Cloud
• Consumerization of IT
• Data Explosion
• Social Media
• Regulatory Compliance
• Security Threat Growth
IT of the Future: Evolution of MS IT
• FY05: Business Unit IT
• FY07: Centralized IT
• FY10: Standardized IT
• FY12+: Process-Centric IT
“Virtually everything in business today is an undifferentiated commodity, except how a company manages its information. How you manage information determines whether you win or lose.” – Bill Gates
Industry Trends (investment)
• Cost Reduction & Operational Efficiency
• Risk Management & Compliance
• Competitive Differentiation
• Business Growth & Sales Performance
• Business Process Simplification
• Big Data
• Business Intelligence & Analytics
• Security
• Risk Management
• Mobility & Consumerization of IT
• Social Media and Computing
• Cloud Computing
• Virtualization
• ERP & CRM
• Business Process Management & Alignment
Business scorecard

FY13 H1 misses:
• Overall user satisfaction (NSAT) metric sustained at 135 but missed target, mainly due to limited DirectAccess deployment with the Windows 8 release
• Identified programs/projects follow key ITLC controls: Q2 measure = 99%; recovering trend from the get-to-green program
• First and Best plan of record (+28% from FY13 Q1): FY13 Q2 Dynamics CRM Next (CRM Online) not released to MSIT; data sync issues between Microsoft AD and MS online services
• % Shared goals met (3 red programs: Azure, Dynamics CRM Next, Office 365 SharePoint Online; one yellow: Internet Explorer 10)
• Security Health Index: BitLocker compliance
CIO scorecard (values per column: Q1, Q2, H1, baseline, H1 target, stretch)

Metric | Q1 | Q2 | H1 | Baseline | H1 Target | Stretch | Owner
Strengthen partnerships
Business value realization (BVR) | 37% | 55% | 55% | -- | 25% | 25% | Jim DuBois
Overall user experience (NSAT) | -- | 135 | 135 | 133 | 139 | 144 | Walter Puschner
% of LOB QBRs utilizing key artifacts (COS, ProForma, SoaP) | -- | 90% | 90% | 84% | 85% | 90% | Shahla Aly
MS first and best (partnership health) | -- | -- | Annual | 74% | 75% | 77% | Jim DuBois
Business partner satisfaction | -- | -- | Annual | 151 | 154 | 158 | Walter Puschner
Enable revenue
MS first and best (plan of record) | 64% | 92% | 92% | 100% | 100% | 100% | Jim DuBois
Aggregate revenue value addressed by MSIT engagements | $401.9M | $1,389M | $1,389M | N/A | $1,290M | $1,419M | Walter Puschner
Deliver quality
Risk management (# of past due items) | 0 | 0 | 0 | 0 | 0 | 0 | Bret Arsenault
Identified programs/projects follow key ITLC controls | 87% | 99% | 93% | 89% | 95% | 97% | Kurt Samuelson
Digitize process
Application reduction | 1,080 | 1,065 | 1,065 | 1,093 | 1,073 | 1,065 | Jacky Wright
Business processes base-lined | 100% | 100% | 100% | 95% | 95% | 100% | Jacky Wright
Data models defined and implemented | 100% | 100% | 100% | N/A | 95% | 100% | Jacky Wright
End-to-end user scenarios defined | 100% | 100% | 100% | N/A | 95% | 100% | Kurt Samuelson
Lead with innovation
% Shared goals met | 87% | 87% | 87% | 90% | 90% | 92% | Jim DuBois
Optimize IT
Program delivery on-time (BL-SL) | 88% | 94% | 91% | 89% | 90% | 92% | Kurt Samuelson
Fiscal responsibility (QTD variance to budget) | 1.0% | 0.9% | 0.9% | -2.5% | 3% | 0% | Matt Kellerhals
Program delivery (on budget) | -- | 47% | 47% | 44% | 40% | 42% | Matt Kellerhals
Hard benefits and cost avoidance | $14.8M | $27.8M | $27.8M | $57M | $20M | $26M | Jacky Wright
Application availability | 99.97% | 99.97% | 99.97% | 99.93% | 99.90% | 99.95% | Jacky Wright
Stay current - OS | 94% | 95% | 95% | 92% | 80% | 85% | Walter Puschner
Security health index | 96% | 92% | 94% | 97% | 95% | 100% | Bret Arsenault
Windows Server 2012 adoption | 1% | 3% | 3% | N/A | 15% | 17% | Walter Puschner
Invest in our people
IT WHI | -- | -- | Annual | 74% | 76% | 77% | John Williams
Top programs for FY13 (each rated on overall, scope, schedule, budget and adoption; the rating markers did not survive extraction):
• BI business self service
• DAX phase 1
• Enterprise job automation
• Enterprise security platform
• Enterprise service bus
• Incentive compensation – ENTICE next gen platform
• Laminar
• Lotus – phase 1
• MS Cloud
• MS Sales
• MSCOM analytics and reporting
• OA 3.0 – Windows client – quarterly release
• One plan – Channel Incentives
• Project Tiger
• SharePoint solution and collaboration platform
• Updated EA
Microsoft IT footprint: 107 countries | 586 buildings | 94k mobiles syncing | 2,400 | 1,300 | 17,000 wireless access points

Connectivity profiles (four site/user types):

Site type 1: low bandwidth
• Internet Connected Office (ICO2); CorpNet connected via tunnel
• Products file share only
• Mix of wired and wireless; native connection
• When mobile: DA and VPN

Site type 2: good bandwidth
• Internet or ICO1
• Products file share only
• Mix of wired and wireless; native connection
• Always mobile: DA and VPN

Site type 3: metered networks, possibly poor bandwidth
• Internet or ICO1
• Products file share only
• Mix of wired and wireless; native connection
• Always mobile: VPN, to control network usage

Site type 4: good bandwidth
• CorpNet connected
• WDS, OSD, and Products file share
• Mix of wired (WDS & OSD) and wireless (Products file share); native connection
• When mobile: DA is the preferred solution
56% a month: misplace a device. 1 in 30 mins: an iPhone is lost.
[Chart: security of digital assets over time]
Anywhere Access: Computed Access

Factor | Assurance level | Examples
Identity | 0 – 100% | Live ID vs. Active Directory; strong auth vs. username/password
Device | 0 – 100% | Approved / authenticated; managed, self-managed, unmanaged
Location | 0 – 100% | IPv4 vs. US; internal vs. external; country location
Data / Application | LBI / MBI / HBI | LBI, MBI, HBI data; applications (corporate, consumer, signed)

Variable User Experience (VUE), computed from the factors above:
• Full network access, requires strong AuthN
• Full access, but no local data, strong auth required
• Linked network, web apps, simple AuthN
• No access, guest Internet
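The slide gives the factors and the four VUE tiers but no formula. The following is an added illustration, not MSIT's code: every point value, weight and threshold is an assumption chosen to show how a weakest-link combination of the four factors can drive the tier decision.

```powershell
# Added illustration (not MSIT's code): the "Computed Access" model as a scoring function.
# Factor names, the LBI/MBI/HBI classes and the four VUE tiers are from the slide; every
# point value and threshold below is an assumption made for this example.

function Get-FactorScore {
    param(
        [ValidateSet('LiveID', 'AD')]                        [string]$IdentityProvider,
        [ValidateSet('Password', 'StrongAuth')]              [string]$AuthMethod,
        [ValidateSet('Unmanaged', 'SelfManaged', 'Managed')] [string]$Device,
        [ValidateSet('Internal', 'External')]                [string]$Network
    )
    # Each factor is normalised to the slide's 0-100% scale (assumed values).
    $identity = switch ("$IdentityProvider/$AuthMethod") {
        'AD/StrongAuth'     { 100 }
        'AD/Password'       { 60 }
        'LiveID/StrongAuth' { 50 }
        default             { 20 }   # LiveID/Password: consumer identity, single factor
    }
    $device   = @{ Managed = 100; SelfManaged = 60; Unmanaged = 20 }[$Device]
    $location = if ($Network -eq 'Internal') { 100 } else { 40 }
    [pscustomobject]@{ Identity = $identity; Device = $device; Location = $location }
}

function Get-ComputedAccess {
    param(
        [Parameter(Mandatory)] [psobject]$Factors,              # from Get-FactorScore
        [ValidateSet('LBI', 'MBI', 'HBI')] [string]$DataClass   # sensitivity of the target
    )
    # Required assurance rises with data sensitivity (assumed thresholds).
    $required  = @{ LBI = 30; MBI = 60; HBI = 90 }[$DataClass]
    # Weakest link: one weak factor caps overall assurance, so a smart card on an
    # unmanaged laptop does not earn the same access as a smart card on a managed one.
    $assurance = ($Factors.Identity, $Factors.Device, $Factors.Location | Measure-Object -Minimum).Minimum

    if ($assurance -ge $required)                              { return 'Full network access' }
    if ($Factors.Identity -ge 100 -and $Factors.Device -ge 60) { return 'Full access, no local data (strong auth)' }
    if ($Factors.Identity -ge 60 -and $DataClass -ne 'HBI')    { return 'Linked network / web apps, simple AuthN' }
    return 'No access, guest Internet'
}

# Three scenarios built from the slide's examples: managed corp PC on CorpNet with a smart
# card; self-managed device on the Internet with a smart card; consumer identity with a password.
$corp  = Get-FactorScore -IdentityProvider AD     -AuthMethod StrongAuth -Device Managed     -Network Internal
$byod  = Get-FactorScore -IdentityProvider AD     -AuthMethod StrongAuth -Device SelfManaged -Network External
$guest = Get-FactorScore -IdentityProvider LiveID -AuthMethod Password   -Device Unmanaged   -Network External
foreach ($class in 'LBI', 'MBI', 'HBI') {
    "{0,-4} corp={1}; byod={2}; guest={3}" -f $class, (Get-ComputedAccess $corp $class),
        (Get-ComputedAccess $byod $class), (Get-ComputedAccess $guest $class)
}
```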
Microsoft IT Environment: Managing Everything that Should be Managed
• Secure the network perimeter
• Secure the network interior
• Secure key assets
• Monitor and audit
Data classifications: HBI, MBI, LBI
IPSec boundary: domain-joined systems (Secure Net); remote access clients/dial-up; non-corp domain machines; labs
• All devices: ~800,000
• Domain-joined devices: ~320,000
• Devices managed through Config Mgr: ~330,000
• Labs: ~70,000
• Datacenter: ~31,500
• Separate Config Mgr hierarchies
• Cooperative computer management model: MSIT & users working together
• 10 languages supported for patching
• Completely centralized administration
• IPSec
Strong password requirements:
• Passwords expire every 70 days
• Administrator-level passwords are 15 alphanumeric characters in length
• User passwords are at least eight alphanumeric characters in length
• Passwords contain uppercase and lowercase characters, digits, and punctuation
• Passwords do not contain slang, dialect, or jargon in any language, and are not based on personal information such as family names
• New passwords vary significantly from prior passwords
Remote access: DA / VPN; EAS; OWA; smart cards for RAS

Card management: card issuance; cert approvals; distribution & support; policy & exception management
Delegates: submit certificate requests on the user’s behalf; distribution
Users: PIN resets; certificate renewal

• Seamless connectivity experience across a plethora of devices
• TPM chip
• Smart card with a valid certificate and a smart card reader

Transition services: ISATAP, NAT-PT, Teredo, 6to4
• Two-factor authentication (2FA)
• IPSec encryption & authentication
• GPO for client configuration
• Network Access Protection (IPSec-WSHA) for security
• Split-tunnel configuration (less traffic on proxy servers)
• Remediation servers
Authentication on:
• Identity
• Group and role
• Across perimeter, internal network, host
Governance and risk management:
• Central policy defines ‘healthy’
• Compliance reported, tracked
• Compliance used for authorization
[Diagram: hybrid on-premises / Windows Azure application architecture]
• On premises (CorpNet, extranet): client, SQL Server, web services, Corp STS, ADFS
• On cloud: web role, worker role, Azure Storage, App Fabric, SQL Azure, Access Control Service, Cache, Service Bus, Azure CDN
• Monitoring: app monitoring, Keynote (monitoring), system monitoring
• Transport connectivity (e.g. Azure Connect, custom plug-in/extension)
• Data connectivity (e.g. Azure Data Sync, custom plug-in/extension)
• Users: employees, partners, customers
• Identity providers: external partners, Windows Live ID, Org ID
[Chart: % vulnerable clients against time since release, one curve for high client impact and one for low client impact; labels on the chart: 24hrs, 48hrs, 2%, 3%, 5%, 20%, 30%]
• Current days to exploit = 3 days
• 5 days – SMS forced patching begins for the normal cycle
• 7 days – port shutdowns begin
• 24 days average to 98% secured
Escalation tooling:
• Microsoft Update; e-mail & ITWeb notification (optional)
• SCCM updates management (voluntary > forced)
• SER scanning & scripted updating
• Port shutdowns
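The escalation ladder above, as an added illustration rather than MSIT's own tooling: a function that maps the age of an update to the stage the slide describes and reports fleet exposure against the 3-day exploit window. The day-5 and day-7 boundaries and the 3-day window come from the slide; the day-2 voluntary stage, the constructed inventory and the report fields are assumptions.

```powershell
# Added illustration (not MSIT's code): the patch escalation timeline from the slide as a
# function applied to a constructed client inventory. Day 5 (forced), day 7 (port shutdown)
# and the 3-day exploit window come from the slide; the day-2 voluntary stage, the host
# records and the report fields are assumptions for this example.

function Get-PatchStage {
    param([Parameter(Mandatory)] [int]$DaysSinceRelease)
    # Escalation is driven by the age of the update, not by per-client nagging history.
    if ($DaysSinceRelease -ge 7) { return 'PortShutdown' }   # port shutdowns begin
    if ($DaysSinceRelease -ge 5) { return 'Forced' }         # SCCM forced patching begins
    if ($DaysSinceRelease -ge 2) { return 'Voluntary' }      # SCCM offers the update (assumed)
    return 'Notify'                                          # MU / e-mail / ITWeb notice
}

function Get-PatchComplianceReport {
    param(
        [Parameter(Mandatory)] [datetime]$ReleaseDate,
        [Parameter(Mandatory)] [object[]]$Inventory,   # objects with Name and Patched
        [datetime]$Now = (Get-Date)
    )
    $age       = [int][math]::Floor(($Now - $ReleaseDate).TotalDays)
    $stage     = Get-PatchStage -DaysSinceRelease $age
    $unpatched = @($Inventory | Where-Object { -not $_.Patched })
    $action    = switch ($stage) {
        'Notify'       { 'Send Microsoft Update / e-mail / ITWeb notification' }
        'Voluntary'    { 'Publish the update in SCCM without a deadline' }
        'Forced'       { 'SCCM deadline reached: install at next maintenance window' }
        'PortShutdown' { 'Shut down switch ports of unpatched hosts; SER scan the rest' }
    }
    # Unpatched hosts older than the 3-day exploit window are the exposure worth reporting.
    $exposed = if ($age -ge 3) { @($unpatched | ForEach-Object Name) } else { @() }
    [pscustomobject]@{
        DaysSinceRelease  = $age
        Stage             = $stage
        Action            = $action
        PercentVulnerable = [math]::Round(100 * $unpatched.Count / $Inventory.Count, 1)
        ExposedHosts      = $exposed -join ', '
    }
}

# Constructed inventory: ten clients, three still unpatched on day 6 after release.
$release   = Get-Date '2013-01-08'
$inventory = 1..10 | ForEach-Object {
    [pscustomobject]@{ Name = "client$_"; Patched = ($_ -gt 3) }
}
Get-PatchComplianceReport -ReleaseDate $release -Inventory $inventory -Now $release.AddDays(6)
```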
The problem:
• Users can install and run non-standard applications
• Even standard users can install some types of software
• Unauthorized applications may introduce malware, increase helpdesk calls, reduce user productivity, and undermine compliance efforts
AppLocker:
• Block unauthorized P2P applications
• Easily create and manage flexible rules using Group Policy
• Built-in feature of Windows 7 and Windows Server 2008 R2
Benefits: improved system management; improved legal compliance; reduced support costs
MSIT deployment:
• Microsoft IT awareness campaign
• Open methodology based on MS culture
• 1.5% exception requests
• Build an isolated reference machine when deploying AppLocker
• Use audit-only mode to test enforcement settings
• Export the GPO from the reference machine
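The three deployment steps above (reference machine, audit-only, export to a GPO) as an added PowerShell walkthrough, not MSIT's own script. The directory list, output path, candidate executable and the GPO LDAP path are assumptions; the AppLocker cmdlets and the 8003 audit event are standard Windows ones.

```powershell
# Added illustration (not MSIT's code): the three AppLocker rollout steps above, run on the
# isolated reference machine. Directory list, output path and GPO LDAP path are assumptions.
$refDirs   = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows'
$policyXml = 'C:\AppLocker\reference-policy.xml'
$gpoLdap   = 'LDAP://DC=corp,DC=example,DC=com/CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example,DC=com'

# Step 1: inventory the clean reference build and derive rules from it. Publisher rules are
# preferred (they survive patching); hash rules cover unsigned binaries; -Optimize merges duplicates.
$fileInfo = foreach ($dir in $refDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}
New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash -User Everyone -Optimize -Xml |
    Set-Content -Path $policyXml -Encoding UTF8

# Step 2: audit-only. Every rule collection logs would-be blocks instead of enforcing them.
[xml]$policy = Get-Content -Path $policyXml -Raw
foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
    $collection.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policy.Save($policyXml)
Set-AppLockerPolicy -XmlPolicy $policyXml          # apply locally; needs the Application Identity service
Start-Service -Name AppIDSvc -ErrorAction SilentlyContinue

# Review audit hits: event 8003 = "allowed to run, but would have been blocked if enforced".
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# Step 3: check a candidate against the policy, then publish the reference policy to the GPO.
Test-AppLockerPolicy -XmlPolicy $policyXml -Path 'C:\Tools\candidate.exe' -User Everyone
Set-AppLockerPolicy -XmlPolicy $policyXml -Ldap $gpoLdap
```

Leave the GPO in audit-only until the 8003 events have been triaged into rules or exception requests; only then flip EnforcementMode to Enabled.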
RMS benefits:
• Protection of intellectual property
• Greater sharing of sensitive information
• Simple tools for users, using any RMS-enabled application
• Verification of usage policies is transparent to users
• Powerful document protection features
• Persistent file-level protection extends and enhances security efforts
• Ease of implementation for IT
Device support matrix (domain joined: PC with TPM, PC w/o TPM; non domain joined: PC, MS Phone, Windows 8 RT, non-PC device)

MSIT service | PC with TPM | PC w/o TPM | PC (non-domain) | MS Phone | Windows 8 RT | Non-PC device
Examples | MSIT standards: enterprise-class PCs with TPM | Consumer PCs (Sony, ASUS… Acer); Apple Mac with Bootcamp | Enterprise-class and consumer PCs; Apple Mac with Bootcamp | MSIT standards: Windows Mobile | Windows 8 RT | Android and future Chrome OS devices; Apple Mac with Mac OS X; iPhone & iPad
Helpdesk hardware support | Yes | Best Effort | Best Effort | Maybe | No | No
Helpdesk software support | Yes | Yes | Yes | Yes | Yes |
LOB applications | Yes | Yes | Yes | Yes | Yes | No
Patching | Yes | Yes | Yes | No | No | No
Driver support in MSIT images | Yes | No | No | Maybe | No | No
BitLocker + TPM | Yes | Manually | No * | No | No | No *
UEFI BIOS | Pending | Pending | Pending | Pending | No | No
DirectAccess | Yes | Probably | No | No | No | No
VPN with smart card | Yes | Yes | Yes | Yes | No | No
Wi-Fi | Yes | Yes | Yes | Yes | Yes | No (Android)
Exchange | Yes | Yes | Yes | Yes | Yes | Limited
Corporate access | Yes | Yes | Yes | Limited | Limited | Limited
Lync / UC | Yes | Yes | Yes | Yes | Yes | No
* Concerns with PII / HBI data loss