How Microsoft does end-to-end IT Security
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

Agenda
• The Microsoft Landscape
• IT Environment
• Business Challenges
• “Chief” Concerns
• Who We Are and What We Do
• The Security Lifecycle
• Internal Alignment
• Strategies and Tactics
• Information Security Futures

Microsoft IT Environment
• 340,000+ computers
• 121,000 end users
• 98 countries
• 441 buildings
• 15,000 Vista clients
• 25,000 Office 2007 clients
• 5,700 Exchange 12 mailboxes
• 31 Longhorn servers
• 46,000,000+ remote connections per month
• 189,000+ SharePoint Sites
• 4 data centers
• 8,400 production servers
• E-mails per day: 3,000,000 internal; 10,000,000 inbound; 9,000,000 filtered out
• 33,000,000 IMs per month
• 120,000+ e-mail server accounts

Balancing Business Challenges
Network Attacks Are…
• Complex
• Sophisticated
• Covert
Business challenges
• Software Dev business requirements
• “First & Best Customer”
• 30K partners with connectivity needs
• Corporate culture of agility and autonomy
• Large population of mobile clients
• Secure Network + Compliance
• Beta environment

Microsoft CISO Concerns
• Regulatory compliance
• Mobility of data
• Unauthorized access to data
• Malicious software
• Supporting an evolving client

The Security Lifecycle
“FAST. RELIABLE. PROTECTED. SECURE BY DESIGN.”

How We Align
Compliance
• Regulatory Compliance
• Vulnerability Scanning & Remediation
• Scorecarding
Network Security
• Monitor, Detect, Respond
• Attack & Penetration
• Technical Investigations
• IDS and A/V
Assessment & Governance
• InfoSec Risk Assessment
• InfoSec Policy Management
• Security Architecture
• InfoSec Governance
Identity & Access Management
• IdM Security Architecture
• IdM Gov & Compliance
• IdM Eng Ops & Services
• IdM Accounts & Lifecycle
App Consulting & Engineering
• End-to-End App Assessment & Mitigation
• Application Threat Modeling
• External & Internal Training
Engineering & Engagement
• Engineering Lifecycle
• Process & Methods
• Secure Design Review
• Awareness & Communication

Pursuing Excellence
People
• Skilled
• Intelligent
• Informed
Technology
• Connected
• Current
• Leveraged
Process & Policy
• Global
• Standard
• Followed

Key Strategies and Tactics
• Assessment of risk
• Identification of potential threats
• Mitigate risk through five key strategies
Five key strategies
• Secure the Network
• Identity & Access Management
• IP and Data Protection
• Enhanced Auditing & Monitoring
• Awareness

Key Strategies and Tactics
Strategies
• Secure the Network
• Identity & Access Management
• IP and Data Protection
• Enhanced Auditing & Monitoring
• Awareness
• Futures
Tactics
• Secure Extranet and Partner Connections
• Secure Remote Access
• Network Segmentation
• Network Intrusion Detection Systems
• Hardening the Wireless Network
• Strong Passwords
• Public Key Infrastructure: Certificate Services
• E-Mail Hygiene and Trustworthy Messaging
• Least Privileged Access
• Managed Source Code
• Security Development Lifecycle - IT
• Securing Mobile Devices
• Automated Vulnerability Scans
• Combating Malware
• Security Event Collection
• Information Security Policies
• Training and Communications

• Viruses, Spyware and Worms
• Botnets and Rootkits
• Phishing and Fraud
• Virus & Malware Prevention
• Regulatory Compliance
• Develop and Implement Security Policies
• Reporting and Accountability
• Business Practices
• Identity Management and Access Control
• Managing Access in the Extended Enterprise
• Security Risk of Unmanaged PCs
• Implementing Defense in Depth
• Deploying Security Updates
• System Identification and Configuration
• Security Policy Enforcement
• Security Management

• Secure against attacks
• Protects confidentiality, integrity and availability of data and systems
• Manageable
• Protects from unwanted communication
• Controls for informational privacy
• Products, online services adhere to fair information principles
• Predictable, consistent, responsive service
• Maintainable, easy to configure and manage
• Resilient, works despite changes
• Recoverable, easily restored
• Proven, ready to operate
• Commitment to customer-centric Interoperability
• Recognized industry leader, world-class partner
• Open, transparent

Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe
• Security awareness and education through partnerships and collaboration
• Information sharing on threat landscape
• Best practices, whitepapers and tools
• Authoritative incident response
• Excellence in fundamentals
• Security innovations

Service Pack 2
Service Pack 1
• More than 292 million copies distributed (as of June)
• Significantly less likely to be infected by malware
• More than 4.7 million downloads (as of May)
• More secure by design; more secure by default
• Helps protect against spyware; included in Windows Vista and as free download
• Most popular download in Microsoft history with over 40M downloads
• 4.5B total executions; 24.5M disinfections off of 9.6M unique computers
• Dramatically reduced the number of Bot infections
As of October 2006

Microsoft’s Security Development Lifecycle
• Corporate process and standard for security in engineering
• Evangelized internally through training
• Verified through pre-ship audit
• The Security Development Lifecycle book
• Shared with ISV and IT development partners
• Documentation and training
• Learning Paths for Security
• Active community involvement
• Automated with tools in Visual Studio
• PREfast
• FxCop

Services Edge Server Applications Encrypting File System (EFS) BitLocker™ Network Access Protection (NAP) Information Protection Client and Server OS Identity Management Systems Management Active Directory Federation Services (ADFS) Guidance Developer Tools

Infrastructure Optimization Model
• Managed and consolidated IT infrastructure with maximum automation
• Fully automated management, dynamic resource usage, business linked Service Level Agreements (SLA)
• Managed IT infrastructure with limited automation
• Uncoordinated, manual infrastructure
Strategic Asset • More Efficient Cost Center • Business Enabler • Cost Center
* Based on the Gartner IT Maturity Model

One Benefit: Desktop Cost Savings
[Chart: desktop costs by category: Hardware / Software, Operations, Administration, Total Direct Costs, End User Productivity & Downtime, Total TCO]

Examples of IO Benefits at Microsoft
Security (SMS: Patch/Update Management)
• 47% reduction: critical update deployment time
Operations (Server Consolidation & Operational Efficiencies)
• 93% reduction: number of Exchange sites
• 30% reduction in infrastructure servers
• Improved SLA to 99.99%
• 200% increase in storage capability
• Reduced support costs $3 million
• Reduced internet costs $6.5 million
Productivity (Improved connectivity through IM, SPS, Remote Mail, Smart Phones)
• 60,000 new Outlook Web Access (OWA) users
• 180,000 SharePoint® Team Sites
• Mobility client satisfaction improved 18%

Key Capabilities
• Identity & Access Management
• Desktop, Server, & Device Management
• Security & Networking
• Data Protection & Recovery
• Communications & Collaboration

Technology Futures Participation in Security-101 Mediums

Information Security Futures
• Vista: User Account Protection
• Vista: Next-Generation Secure Computing Base
• Vista: Interactive Logon Pilot
• Vista: Credential Roaming
• Longhorn Public Key Infrastructure
• Network Access Protection