SESSION CODE: SIA317
Securing the Microsoft Cloud with Microsoft System Center and Microsoft Forefront Families of Products
Mark Estberg, John Howie, Senior Directors, Microsoft Corporation
Session Overview
• Overview of GFS, Cloud Challenges and Control Framework
• Solutions
  • Identity and Access Management
  • Data Governance
  • Configuration Management
  • Software Updates and Technical Compliance
  • Operations and Security Monitoring
  • Event Log Management
  • Anti-Virus
• Conclusion
Trustworthy Computing
Microsoft’s Cloud Environment (layers, top to bottom)
• Consumer and Small Business Services, Enterprise Services, Third-Party Hosted Services
• Cloud Platform Services: Compute Runtimes, Identity and Directory Stores, and others
• Cloud Infrastructure: Physical Infrastructure, Logical Infrastructure
• Global Foundation Services (GFS)
Cloud Security Challenges
• Growing interdependence amongst public and private sector: with these new dependencies come mutual expectations that platform services and hosted applications be secure and available.
• Evolving technologies, changing business models, dynamic hosting environment: keeping pace with growth and anticipating future needs is essential to running an effective security program.
• Complex, global regulatory requirements and industry standards: each country may pass its own laws that govern the provision and use of online environments.
• Increasing sophistication of attacks: malicious activity focuses on infiltrating and disrupting online service offerings.
Comprehensive Compliance Framework
Industry Standards and Regulations
• Media Ratings Council
• Sarbanes-Oxley, etc.
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
Controls Framework (predictable audit schedule)
• Identify and integrate: regulatory requirements; customer requirements
• Assess and remediate: eliminate or mitigate gaps in control design; test effectiveness and assess risk; attain certifications and attestations
• Improve and optimize: examine root cause of non-compliance; track until fully remediated
Certifications and Attestations
• ISO/IEC 27001:2005 certification
• Statement on Auditing Standards 70 Type I and Type II attestations
Identity and Access Management
• Production forests are separate from corporate forests
  • Both logically and physically
  • Strictly controlled gateways between the two environments
• Only users with a legitimate business purpose are granted accounts in production forests
  • User must have a valid HR record
  • Access must be approved by manager and asset owner
  • Access restricted to assets belonging to the asset owner
Identity and Access Management (continued)
• Access to forests is reviewed regularly
  • Managers and asset owners must affirm continued access by users
• Accounts are disabled automatically based on several triggers
  • Change in status in HR database
    • Paternity leave, short or long term disability, FMLA or sabbatical
    • Promotion, conversion to FTE, or change of job title or cost center
    • Resignation or termination of employment
  • Account inactivity
  • Failure to change password in n days after expiration
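The access-grant conditions on the previous slide and the automatic-disable triggers on this one, as an added Python example (not GFS or FIM 2010 code): grant_allowed checks the provisioning conditions and disable_triggers evaluates every trigger against a current HR record. The names, the inactivity threshold and the password grace period are assumptions; the slide only says "n days".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed model of the slide's production-forest account rules (hypothetical names,
# not GFS/FIM 2010 code); inactivity and password-grace defaults are assumed ("n days").
LEAVE = {"paternity leave", "short term disability", "long term disability", "fmla", "sabbatical"}
SEPARATED = {"resigned", "terminated"}

@dataclass
class HrRecord:
    status: str            # "active", one of LEAVE, or one of SEPARATED
    job_title: str
    cost_center: str
    employee_type: str     # e.g. "contractor" or "fte"

@dataclass
class Account:
    hr_at_grant: HrRecord          # HR snapshot taken when access was approved
    last_logon: Optional[date]
    password_expired_on: Optional[date]

def grant_allowed(hr, asset, asset_owner, manager_ok, owner_approver, assets_by_owner):
    """Provisioning: valid HR record, manager and asset-owner approval, asset owned by that owner."""
    if hr is None or hr.status in SEPARATED:
        return False, "no valid HR record"
    if not manager_ok:
        return False, "manager approval missing"
    if owner_approver != asset_owner:
        return False, "asset owner approval missing"
    if asset not in assets_by_owner.get(asset_owner, ()):
        return False, "asset not owned by approving owner"
    return True, "approved"

def disable_triggers(acct, hr_now, today, inactive_days=90, grace_days=14):
    """Return each slide trigger that fires; a non-empty list means disable pending re-approval."""
    fired = []
    if hr_now is None or hr_now.status in SEPARATED:
        fired.append("hr: separated")
    elif hr_now.status in LEAVE:
        fired.append("hr: leave of absence")
    if hr_now is not None:
        # Promotion, FTE conversion, title or cost-center change all count as status changes.
        for f in ("job_title", "cost_center", "employee_type"):
            if getattr(hr_now, f) != getattr(acct.hr_at_grant, f):
                fired.append(f"hr: {f} changed")
    if acct.last_logon is None or today - acct.last_logon > timedelta(days=inactive_days):
        fired.append("inactivity")
    if acct.password_expired_on and today - acct.password_expired_on > timedelta(days=grace_days):
        fired.append("password not changed after expiration")
    return fired
```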
Identity and Access Management with FIM 2010
• A self-service system to manage user and service accounts, and security groups
• Forefront Identity Manager 2010 customized to meet requirements
  • Management Agents
  • Workflow
  • User Interface
IAM Project Experiences and Future Direction
• We underestimated the work required to customize the FIM 2010 UI
  • A major new feature in FIM 2010
  • Project re-scoped to deliver using the out-of-box UI
  • Had to make some concessions with workflow
  • Will tackle the customized UI in a future phase of the project
• Next major iteration of work will incorporate new statutory and regulatory compliance requirements, integration with ADFS, and support for third-party OS
• Major advantage of using FIM 2010 versus an all-custom code solution is flexibility
Data Governance
• Data quality issues are a major concern
  • Data can be inaccurate or incomplete
  • Complicates: asset management, incident response, accounting, forecasting (supply chain, power consumption, etc.)
• Several projects launched to address the problem
  • Data dictionary to address taxonomy and lexicon
  • Data validation and cleanup
  • Ongoing validation of contact and team data
Data Governance with FIM 2010
• Data quality problems can introduce or exacerbate risk
• We are transitioning to a new CMDB
  • Data owners are lax at keeping data accurate in the old CMDB
• FIM 2010 used to address data governance issues
  • Detect invalid contact and team data
  • Build a clean CMDB from the old and new CMDBs
  • Provides a single dataset to applications
DG Project Experience and Future Directions
• Much of traditional identity lifecycle management can be leveraged to manage contacts and teams in the CMDB
• We eventually integrated the IDA and DG projects to realize project savings and remove the need for duplicate deployments of FIM 2010
• Next iteration of the project will use FIM 2010 to validate and synchronize asset data
  • Not a stretch, as computer objects in AD are already in scope in the IDA project (computers can be members of groups)
Configuration Management
• Several asset deployment mechanisms in use today
  • Some COTS, some built in-house
  • All use standard images at deployment time
• Over time assets fall out of configuration compliance
  • Usually due to updates in secure configured baselines (SCBs)
  • AV, patches/updates, registry and filesystem configuration, and local SAM
• There are two major problems:
  • Validating configuration
  • Making changes to configuration
SCCM Deployment Facts
• Microsoft runs the largest deployment of SCCM with Windows Server as client computers
  • More than twice the size of the next largest known deployment
• Currently running 17 SCCM sites
  • 1 central site and 16 primary sites
  • Spread across data centers and colos world-wide
  • Installation spans multiple forests
• SCCM not used throughout for update management
  • Some internal customers simply reimage machines
Technical Compliance Management with SCCM
• Secure configured baselines (SCBs) address statutory and regulatory compliance requirements
  • Evidence of adherence to SCBs is required to demonstrate compliance
• SCCM with Desired Configuration Monitoring allows us to validate that assets are adhering to the SCB
• Long-term goal is to integrate SCCM into dashboard systems using the SDK
• Come back next year for a project update (and maybe even a demo)
Technical Compliance Management Workflow (a cycle; start at step 1)
1. Identify and categorize assets
2. Establish asset ownership
3. Define baseline requirements
4. Measure compliance
5. Enforce compliance
Supporting inputs shown around the cycle: CMDB, Risk & Asset Management Programs, Policies, Standards & Requirements, and Monitoring Infrastructure.
CM Experiences and Future Directions
• Concerns that widespread use of SCCM would consume too much network bandwidth and CPU resources were unfounded
• SCCM does not conflict with COTS OS deployment tools, and integrates well
• Need to be careful not to take the decision about whether or not to update and reboot away from asset owners
  • You do not want to inadvertently reboot Bing or Hotmail!
• SCCM API will be used to integrate with other management systems
Operations and Security Monitoring
• All servers are monitored 24x7 using System Center Operations Manager
  • Due to the size of the environment, multiple SCOM deployments are leveraged
• All SCOM deployments are integrated with a centralized COTS ticketing system
  • When an alert fires on a SCOM instance, a corresponding ticket is cut
  • Ticketing system pulls pertinent system information from the CMDB and sends the ticket to the SOC / MOC
  • SOC / MOC reviews the ticket, reviews the associated SOP (called a TSG), and closes, acts upon or routes the ticket as appropriate
System Center Operations Manager 2007 Architecture
• Multiple SCOM deployments used to provide 100% coverage
  • All are tied into the ticketing system
• SOC / MOC responds to tickets, not SCOM alerts
  • SCOM is used in response
• Some Windows Servers have multi-homed SCOM agents
  • Allows asset owners, security, etc., to more effectively manage servers
Management Packs
• Online Services Security & Compliance (OSSC) team owns the Management Packs which are deployed to systems
• Security MP used to monitor activity of interest on high-risk and critical infrastructure systems
  • Logon activity when privileged accounts are used
  • Anti-virus software events of interest
• PCI MP is used to monitor for changes to PCI DSS in-scope systems
• Asset owners can also deploy specific Management Packs
  • Most simply rely on SOC / MOC
Event Log Management and Storage
• Most compliance obligations mandate storage of pertinent log data
• A comprehensive log management and storage solution can be used for purposes other than simply being compliant
  • Can be integrated with a SIEM
  • As a detective control
  • In incident investigation
• In addition to other solutions, we use Audit Collection Services
Audit Collection Services Implementation Details
• ACS Collectors are not installed on every Windows Server
  • Limited to high-risk assets and critical infrastructure only, to avoid tipping over ACS Collectors and databases
• WQL is used to tailor what events are stored
  • Keeps log data to a minimum to save storage and processing
• ACS database server stores logs for at least 90 days
  • Logs older than 90 days are written to filesystem storage
  • Logs are kept for at least one year
  • Logs are batched up, encrypted and signed
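The filtering, signing and retention rules on this slide, as an added Python stand-in that is not Microsoft or ACS code: keep_event plays the role of the collector's WQL filter (keeping privileged logons, as the Security MP slide describes), make_batch signs a batch with HMAC-SHA256 so tampering is detectable, and retention_tier applies the 90-day and one-year rule. The event IDs chosen, the key and the sample events are constructed; encryption of the batch is omitted because the standard library has no suitable cipher.

```python
import hashlib, hmac, json
from datetime import date, timedelta

# Constructed stand-in for the ACS pipeline described on the slide (not ACS code):
# a Python predicate instead of the collector's WQL filter, an HMAC-SHA256 signature
# over each batch, and the retention tiers (<= 90 days database, <= 1 year filesystem).
# The event-ID selection and privileged-account list are assumptions; the real
# pipeline also encrypts batches, which is left out here.
EVENTS_OF_INTEREST = {4624, 4625, 4672, 4720, 4726}  # logon, failed logon, privileged logon, account create/delete
PRIVILEGED = {"DOMAIN\\adm-ops", "DOMAIN\\svc-backup"}

def keep_event(ev):
    """Storage filter: only events of interest, and successful logons only for privileged accounts."""
    if ev["event_id"] not in EVENTS_OF_INTEREST:
        return False
    # Ordinary successful logons are noise here; privileged ones are the activity of interest.
    if ev["event_id"] == 4624 and ev["user"] not in PRIVILEGED:
        return False
    return True

def make_batch(events, key, batch_id):
    """Canonicalise the kept events into one JSON body and attach an HMAC-SHA256 tag."""
    kept = [e for e in events if keep_event(e)]
    body = json.dumps({"batch_id": batch_id, "events": kept}, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}

def verify_batch(batch, key):
    """Recompute the tag in constant time; any edit to the stored body fails verification."""
    expected = hmac.new(key, batch["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, batch["sig"])

def retention_tier(batch_date: date, today: date) -> str:
    """Where a batch of this age lives: database for 90 days, filesystem up to a year, then expired."""
    age = today - batch_date
    if age <= timedelta(days=90):
        return "database"
    if age <= timedelta(days=365):
        return "filesystem"
    return "expired"
```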
Anti-Malware Protection
• Some compliance obligations require the use of AV/AM
  • Debate about usefulness or applicability is moot
• Currently using third-party AV software and Forefront Endpoint Protection Beta
  • Most third-party AV software is deployed as unmanaged agents
  • FEP Beta is currently deployed in a non-standard fashion
• Planned FEP integration with SCOM will help make it datacenter ready
AM Project Experiences and Future Directions
• Selection, deployment and configuration of the AV solution are driven wholly by compliance requirements
  • If requirements are added to or changed, your AV deployment might be impacted
• We plan to deploy FEP throughout when released
  • Due to environment size and complexity it is unlikely we will be able to perform a standard deployment for all but a small pool of high-risk assets
Conclusion
• We have been successful at using Forefront and System Center products to secure the Microsoft cloud
• Lessons learned are being shared with the Product Groups
• MCS are involved in much of what we do, and can replicate it at customer sites
• We will be releasing white papers and case studies in the coming months
Track Resources
• Learn more about our solutions: http://www.microsoft.com/forefront
• Try our products: http://www.microsoft.com/forefront/trial
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.