200 likes | 221 Views
Trustworthy Computing (TWC) -- Architect -- Insight Conference 22 – 23 March 2006. EDWARD P. GIBSON Chief Security Advisor (CSA) Microsoft Ltd UK EdGibson@Microsoft.com. Secure against attacks Protects confidentiality, integrity of data and systems Manageable.
E N D
Trustworthy Computing (TWC)-- Architect -- Insight Conference 22 – 23 March 2006 EDWARD P. GIBSON Chief Security Advisor (CSA) Microsoft Ltd UK EdGibson@Microsoft.com
Secure against attacks Protects confidentiality, integrity of data and systems Manageable Protects from unwanted communication Controls for informational privacy Products, online services adhere to fair information principles Predictable Maintainable Resilient Recoverable Proven Open, transparent interaction with customers Industry leadership Embracing of Open Standards
210 million copies distributed Application Compatibility Toolkit 4.0.1 Microsoft Solution Accelerator for BDD Windows XP Service Pack 2 Improved quality of updates; Split tree builds Single source for detection and update content Single detection and installation infrastructure Single update centre (Microsoft Update) Software Update Advancements Helped reduce number of PCs requiring flattening Over 635 million executions; 2.3 million disinfections 14 times less likely to be infected on SP2 Online crash analysis data help build better cleaner Malicious Software Removal Tool 17 million downloads 23 million spyware packages cleaned 6.5 million SpyNet participants Microsoft Windows AntiSpyware Beta Security Development Lifecycle >19K employees received security training >130 products completed Final Security Reviews 97% Final Security Review (FSR) pass rate
Final Security Review ( FSR ) Security Review threat models Response Feedback loop Penetration testing - Tools / Archiving of compliance info Processes Threat Modeling - Postmortems Models created Security Docs & - SRLs Mitigations in design Security Push Tools and functional specs Security push training Customer deliverables Design Review threat models for secure deployment Design guidelines applied Review code Security architecture Attack testing Security design review Review against new threats Ship criteria agreed upon Meet signoff criteria Requirements Design Implementation Verification Release Response Guidelines Best Practices & Coding standards Testing based on threat models Tool usage Product Inception Assign resource Security plan RTM & Deployment Signoff
8 5 68 Released28/09/2003 Released29/11/2000 Bulletins 653 Days After Product Release 40 2003 11 6 Released17/11/2003 Released31/05/2001 Released28/09/2003 Released29/11/2000 Bulletins 594 Days After Product Release 782 Days After Product Release – June 2005
Microsoft Baseline Security Analyser (MBSA) v2.0 Windows Server Update Services Microsoft Update Windows XP Professional SP2 Windows Server 2003 SP1 Windows Rights Management Services SP1 Internet Security and Acceleration (ISA) Server 2004 Standard Edition & Enterprise Edition Microsoft Operations Manager 2005 Systems Management Server 2003 SP1 Sybari Antigen product line Current Windows Server 2003 “R2” Windows Vista Beta 2 Visual Studio 2005 SQL Server 2005 Exchange 2003 SP 2 H2 05 Internet Explorer 7 Enterprise AntiSpyware Vulnerability Assessment and Remediation Windows Longhorn Server Microsoft Operations Manager v3 Rights Management 2.0 Future
Virus Information Alliance Global Infrastructure Alliance for Internet Safety Anti-Virus Rewards Program Anti-Phishing Working Group Organisation for Internet Safety Assistance to Law Enforcement Trustworthy Academic Advisory Board
Great Starting Point - http://www.microsoft.com/security/guidance/default.mspx • Security tools • Microsoft Baseline Security Analyser • http://www.microsoft.com/technet/Security/tools/default.mspx • Security Bulletin Search Tool • http://www.microsoft.com/technet/security/current.aspx • Guidance and training • Security guidance, tools, updates for the home • http://www.microsoft.com/athome/security/protect/default.mspx • Security Guidance Centre • http://www.microsoft.com/security/guidance/default.mspx • E-Learning Clinics • https://www.microsoftelearning.com/security/ • XP SP2 focus-https://www.microsoftelearning.com/xpsp2/ • Community engagement • Newsletters • http://www.microsoft.com/technet/security/secnews/newsletter.htm • Webcasts and chats • http://www.microsoft.com/seminar/events/security.mspx
The economics of computing make the collection, storage, analysis and dissemination of data cost effective (e.g., Spam, Total Information Awareness) • There continues to be tension between government needs, regulatory requirements, business strategies and citizen / customer expectations • What constitutes an ‘invasion of privacy’ may be unclear and may be dependent on local laws and customs
Anti-Spam and Anti-Spyware • Rights Management • Information Rights Management • Windows Rights Management • Smart Screen Filtering Technologies • Intelligent Message Filtering • Authentication Technologies • Sender ID • MSN • Family Safety Controls, Pop Up Blocker, Junk Email, etc.
Privacy tools • Removal tools for unwanted software • http://www.microsoft.com/athome/security/spyware/checkcomputer.mspx • Windows Rights Management (WRM) • http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx • Rights Management for IE • http://www.microsoft.com/windows/ie/downloads/addon/rm.mspx • Guidance and training • Privacy Source Guide • http://www.microsoft.com/mscorp/twc/privacy/default.mspx • IRM and WRM- working together • http://www.microsoft.com/technet/prodtechnol/office/office2003/operate/of03irm.mspx
Windows Server 2003 • Enhanced diagnosis and repair framework • Improved hardware compatibility testing • Exchange 2003 recovery guidance • Mailbox recovery centre for disaster recovery scenarios • Online administrator forums for questions • Engineering Excellence Centre • Microsoft Operations Framework • Customer feedback systems • Direct product-specific customer feedback • Secure website for software and hardware vendors to view error reports • Office 2003 improved document recovery features
Reliability tools • Removal tools for unwanted software • http://www.microsoft.com/athome/security/spyware/checkcomputer.mspx • Reliability Analyser tools • Windows Server • SQL Server • Exchange Server • Guidance and training • Microsoft Operations Framework (MOF) • http://www.microsoft.com/technet/itsolutions/cits/mo/mof/default.mspx • MOF Essentials • http://www.microsoft.com/learning/syllabi/en-us/1737bfinal.mspx • Enterprise Engineering Centre • http://www.microsoft.com/windowsserver2003/evaluation/news/bulletins/eec.mspx
Analysts believe that Business Integrity is, in the long term, our most important pillar • Without integrity, trust can never be achieved • Good things done can be undermined by distrust • Trust level of IT industry generally and Microsoft in particular, could be better • Industry: Race to ship; dot-com bust • Microsoft: Antitrust, FTC issues Trust has many components Legal/Regulatory Compliance Hiring Processes Asset Management/Protection Accountable Business Behaviours Responsible Innovation Microsoft InternalFocus Manage expectations w/honesty in communications and commitments Be transparent in our business practices Listen carefully – and close the loop When changes occur, proactively communicate these changes Stand behind our products With Our Customers
Expanding Industry Partnerships:Trustworthy Computing (sample) • Virus Information Alliance • Organisation for Internet Safety • International Information Integrity Institute • Information Security Systems Association • Trusted Computing Group, Industry Standards body • Business Software Alliance • Worldwide Web Consortium • Online Privacy Alliance • IBM Privacy Research Institute • International Association of Privacy Professionals • European Digital Rights Group • European Privacy Officers Network • Centre for Information Privacy Leadership • Privacy International • Sustainable Computing Consortium • Businesses for Social Responsibility • National Cyber-Forensics and Training Alliance
© 2005 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.