Transcript IT Showcase: Information Security at Microsoft: Overview Technical

How Microsoft does
end-to-end IT Security
Bruce Cowper
Senior Program Manager, Security Initiative
Microsoft Canada
Agenda
The Microsoft Landscape
IT Environment
Business Challenges
“Chief” Concerns
Who We Are and What We Do
The Security Lifecycle
Internal Alignment
Strategies and Tactics
Information Security Futures
Microsoft IT Environment
340,000+
computers
121,000
end users
98 countries
441 buildings
15,000 Vista
clients
25,000 Office
2007 clients
5,700 Exchange
12 mailboxes
31 Longhorn
servers
46,000,000+
remote
connections
per month
189,000+
SharePoint Sites
4 data centers
8,400 production
servers
E-mails per day:
3,000,000 internal
10,000,000 inbound
9,000,000 filtered out
33,000,000 IMs
per month
120,000+ e-mail
server accounts
Balancing Business Challenges
Network Attacks Are…
Complex
Sophisticated
Covert
Software Dev
business
requirements
“First & Best
Customer”
• 30K partners with
connectivity needs
• Corporate culture of
agility and autonomy
Beta
environment
• Large population of
mobile clients
Secure Network
+
Compliance
Microsoft CISO Concerns
Regulatory compliance
Mobility of data
Unauthorized access to data
Malicious software
Supporting an evolving client
The Security Lifecycle
Respond
Monitor
Define
“FAST. RELIABLE. PROTECTED.
SECURE BY DESIGN.”
Operate
Design
Assess
How We
Align
Network Security
• Monitor, Detect, Respond
• Attack & Penetration
• Technical Investigations
• IDS and A/V
Compliance
Assessment & Governance
• Regulatory Compliance
• Vulnerability Scanning &
Remediation
• InfoSec Risk Assessment
Respond
• InfoSec Policy Management
Define
• Security Architecture
• Scorecarding
• InfoSec Governance
Assess
Monitor
Identity & Access Management
• IdM Security Architecture
• IdM Gov & Compliance
App Consulting & Engineering
Operate
Design
• End-to-End App Assessment
& Mitigation
• IdM Eng Ops & Services
• Application Threat Modeling
• IdM Accounts & Lifecycle
• External & Internal Training
Engineering & Engagement
• Engineering Lifecycle
Process & Methods
• Secure Design Review
• Awareness &
Communication
Pursuing Excellence
Skilled
Intelligent
Informed
Connected
Current
Leveraged
People
Technology
Global
Standard
Followed
Process &
Policy
Key Strategies and Tactics
Assessment of risk
Identification of potential threats
Mitigate risk through five key strategies
Secure the
Network
Identity &
Access
Management
IP and Data
Protection
Enhanced
Auditing &
Monitoring
Awareness
Key Strategies and Tactics
Secure the
Network
Secure
Extranet and
Partner
Connections
Secure
Remote
Access
Network
Segmentation
Network
Intrusion
Detection
Systems
Hardening the
Wireless
Network
Identity &
Access
Management
IP and Data
Protection
Strong
Passwords
Least Privileged
Access
Public Key
Infrastructure:
Certificate
Services
Managed
Source Code
E-Mail
Hygiene and
Trustworthy
Messaging
Security
Development
Lifecycle - IT
Enhanced
Auditing &
Monitoring
Automated
Vulnerability
Scans
Combating
Malware
Security Event
Collection
Securing Mobile
Devices
Futures
Awareness
Information
Security Policies
Training and
Communications
How Did We Approach
Security?
Virus & Malware
Prevention
Business
Practices
Implementing
Defense in Depth
Security
Management
Viruses, Spyware and Worms
Botnets and Rootkits
Phishing and Fraud
Regulatory Compliance
Develop and Implement of Security Policies
Reporting and Accountability
Identity Management and Access Control
Managing Access in the Extended Enterprise
Security Risk of Unmanaged PCs
Deploying Security Updates
System Identification and Configuration
Security Policy Enforcement
Secure against
attacks
Protects
confidentiality,
integrity and
availability of
data and systems
Manageable
Protects from
unwanted
communication
Predictable,
consistent,
responsive service
Commitment to
customer-centric
Interoperability
Controls for
informational
privacy
Maintainable,
easy to configure
and manage
Recognized
industry leader,
world-class partner
Products, online
services adhere to
fair information
principles
Resilient, works
despite changes
Open, transparent
Recoverable,
easily restored
Proven, ready to
operate
Fundamentally secure platforms enhanced by security products, services
and guidance to help keep customers safe
Excellence in
fundamentals
Best practices,
whitepapers and tools
Security
innovations
Authoritative incident
response
Security awareness
and education
through partnerships
and collaboration
Information sharing
on threat landscape
Service Pack 2
More than 292
million copies
distributed (as of
June)
Significantly less
likely to be infected
by malware
Service Pack 1
More than 4.7 million
downloads (as of
May)
More secure by
design; more secure
by default
Helps protect against
spyware; Included in
Windows Vista and as
free download
4.5B total executions;
24.5M disinfections
off of 9.6M unique
computers
Most popular
download in Microsoft
history with over 40M
downloads
Dramatically reduced
the number
of Bot infections
As of October 2006
Microsoft’s Security Development Lifecycle
Corporate process and standard for security in engineering
Evangelized internally through training
Verified through pre-ship audit
The Security Development Lifecycle book
Shared with ISV and IT development partners
Documentation and training
Learning Paths for Security
Active community involvement
Automated with tools in Visual Studio
PREfast
FxCop
Service
s
Edge
Server
Applications
Information
Protection
Client and
Server OS
Identity
Management
Systems
Management
Active Directory
Federation Services
(ADFS)
Guidance
Developer
Tools
Infrastructure Optimization Model
Uncoordinated,
manual
infrastructure
Managed IT
infrastructure
with limited
automation
Managed and
consolidated IT
infrastructure
with maximum
automation
Fully automated
management,
dynamic resource
usage, business
linked Service Level
Agreements (SLA)
Cost Center
More Efficient
Cost Center
Business
Enabler
Strategic
Asset
* Based on the Gartner IT Maturity Model
Infrastructure Optimization
●
●
IT staff taxed by
operational challenges
Users come up with
their own IT solutions
●
●
●
●
●
●
IT processes undefined
High complexity due to
localized processes &
minimal central control
●
Patch status of
desktops is unknown
No unified directory for
access management
●
●
●
IT Staff trained in best
practices such as
Managed Object Format
(MOF), IT Infrastructure
Library (ITIL), etc.
Users expect basic
services from IT
●
Central Admin &
configuration of
security
Standard desktop
images defined,
not adopted
company-wide
●
Multiple directories for
authentication
Limited automated
software distribution
●
●
●
●
IT Staff manages an
efficient, controlled
environment
Users have tools they
need, high availability, &
access to information
●
SLAs are linked to
business objectives
Clearly defined and
enforced images,
security, best practices
(MOF, ITIL)
●
Automate identity and
access management
Automated system
management
●
●
●
IT is a strategic asset
Users look to IT as a
valued partner to enable
new business initiatives
Self assessing &
continuous
improvement
Information easily &
securely accessed from
anywhere on Internet
Self provisioning and
quarantine capable
systems ensure
compliance & high
availability
IO at Microsoft: a Work in Progress
●
IT Staff trained in best
practices such as MOF,
ITIL, etc.
●
Users have access to
information though
OWA, Intranet, Mobile
Devices
●
Microsoft IT is seen by
customers and
developers as a critical
testing ground for new
products
●
Central Admin &
configuration of
security through
network access
protection (NAP), IP
Security (IPSec), smart
cards
●
Industry leadership in
security, best practices
(MOF, ITIL)
Users have SLA of
99.99%
●
Information easily &
securely accessed from
anywhere on Internet
through Remote Access
Server (RAS) Access &
OWA
●
●
●
●
Leading Security
response (MSRC)
Centralized directory
Update management
through Systems
Management Server
(SMS)
One Benefit: Desktop Cost Savings
Hardware / Software
$1,406
$1,366
$1,258
Operations
$734
16%
$617
36%
$394
Administration
$428
Total Direct Costs
$2,568
$373
8%
$2,356
$366
14%
$2,017
End User Productivity
& Downtime
$2,952
Total TCO
$5,520
$1,306
$2,450
13%
$4,806
31%
$3,323
Examples of IO Benefits at
Microsoft
Security
 47% reduction: critical update
SMS: Patch/Update
Management
Operations
Sever Consolidation
& Operational Efficiencies
deployment time
 93% reduction: number of Exchange





Productivity
Improved connectivity
through IM, SPS, Remote
Mail, Smart Phones
sites
30% reduction in infrastructure servers
Improved SLA to 99.99%
200% increase in storage capability
Reduced support costs $3 million
Reduced internet costs $6.5 million
 60,000 new Outlook Web Access
(OWA) users
 180,000 SharePoint® Team Sites
 Mobility client satisfaction improved
18%
Key Capabilities
Identity & Access Management
Desktop, Server, & Device Management
Security & Networking
Data Protection & Recovery
Communications & Collaboration
Mediums
Technology
Futures
Participation in Security-101
Back to All Tactics
Information Security Futures
Vista: User Account Protection
Vista: Next-Generation Secure
Computing Base
Vista: Interactive Logon Pilot
Vista: Credential Roaming
Longhorn Public Key Infrastructure
Network Access Protection
Back to All Tactics