How Microsoft does end-to-end IT Security
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada
Transcript of the slide deck (26 slides)

Page 1: How Microsoft does end-to-end IT Security Bruce Cowper Senior Program Manager, Security Initiative Microsoft Canada.

How Microsoft does end-to-end IT Security
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

Page 2:

Agenda

The Microsoft Landscape
  IT Environment
  Business Challenges
  “Chief” Concerns

Who We Are and What We Do
  The Security Lifecycle
  Internal Alignment
  Strategies and Tactics
  Information Security Futures

Page 3:

Microsoft IT Environment

340,000+ computers
121,000 end users
98 countries
441 buildings
15,000 Vista clients
25,000 Office 2007 clients
5,700 Exchange 12 mailboxes
31 Longhorn servers
46,000,000+ remote connections per month
189,000+ SharePoint Sites
4 data centers
8,400 production servers
E-mails per day: 3,000,000 internal, 10,000,000 inbound, 9,000,000 filtered out
33,000,000 IMs per month
120,000+ e-mail server accounts

Page 4:

Balancing Business Challenges

• 30K partners with connectivity needs
• Corporate culture of agility and autonomy
• Large population of mobile clients
• Beta environment: “First & Best Customer”
• Secure Network + Compliance + Software Dev business requirements

Network Attacks Are… Sophisticated, Covert, Complex

Page 5:

Microsoft CISO Concerns

Regulatory compliance
Mobility of data
Unauthorized access to data
Malicious software
Supporting an evolving client

Page 6:

The Security Lifecycle

Define, Assess, Design, Respond, Operate, Monitor

“FAST. RELIABLE. PROTECTED. SECURE BY DESIGN.”

Page 7:

How We Align

App Consulting & Engineering

• End-to-End App Assessment & Mitigation

• Application Threat Modeling

• External & Internal Training

Engineering & Engagement

• Engineering Lifecycle Process & Methods

• Secure Design Review

• Awareness & Communication

Network Security

• Monitor, Detect, Respond

• Attack & Penetration

• Technical Investigations

• IDS and A/V

Identity & Access Management

• IdM Security Architecture

• IdM Gov & Compliance

• IdM Eng Ops & Services

• IdM Accounts & Lifecycle

Assessment & Governance

• InfoSec Risk Assessment

• InfoSec Policy Management

• Security Architecture

• InfoSec Governance

Compliance

• Regulatory Compliance

• Vulnerability Scanning & Remediation

• Scorecarding

Lifecycle stages covered: Define, Assess, Design, Respond, Operate, Monitor

Page 8:

Pursuing Excellence

Technology: Connected, Current, Leveraged
Process & Policy: Global, Standard, Followed
People: Skilled, Intelligent, Informed

Page 9:

Key Strategies and Tactics

Assessment of risk
Identification of potential threats
Mitigate risk through five key strategies:
Identity & Access Management
IP and Data Protection
Secure the Network
Enhanced Auditing & Monitoring
Awareness

Page 10:

Key Strategies and Tactics

Secure Extranet and Partner Connections
Secure Remote Access
Network Segmentation
Network Intrusion Detection Systems
Hardening the Wireless Network
Strong Passwords
Public Key Infrastructure: Certificate Services
E-Mail Hygiene and Trustworthy Messaging
Least Privileged Access
Managed Source Code
Security Development Lifecycle - IT
Securing Mobile Devices
Automated Vulnerability Scans
Combating Malware
Security Event Collection
Information Security Policies
Training and Communications

Strategy areas: Identity & Access Management; IP and Data Protection; Secure the Network; Enhanced Auditing & Monitoring; Awareness; Futures
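The tactics list names "Security Event Collection" (under Enhanced Auditing & Monitoring) and "Strong Passwords" (under Identity & Access Management) but does not show what collected events are actually used for. The following Python is an added example, not from the deck and not Microsoft IT's code: it runs over a constructed batch of Windows Security log records and produces the three logon-abuse signals an operations team would alert on: one account hammered from one host (brute force), one host trying many accounts (password spray), and a success that follows a run of failures (a guess that worked). It assumes Vista/Longhorn-era event IDs 4625 (logon failure) and 4624 (logon success) with the TargetUserName and IpAddress fields reduced to "user" and "ip"; the records and the thresholds are illustrative.

```python
"""Turn collected Windows Security events into logon-abuse alerts.

Added example: not from the deck and not Microsoft IT's code. Assumes
Windows Vista / Longhorn-era event IDs 4625 (logon failure) and 4624
(logon success); the records below are constructed and the thresholds
are illustrative starting points, not Microsoft's tuning.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE, SUCCESS = 4625, 4624

# Constructed sample records: a subset of the fields a real 4624/4625 carries
# (TargetUserName -> "user", IpAddress -> "ip", TimeCreated -> "time").
SAMPLE_EVENTS = [
    # one account hammered from one host, then a success: a guessed password
    {"time": "2006-10-02T08:00:01", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
    {"time": "2006-10-02T08:00:07", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
    {"time": "2006-10-02T08:00:12", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
    {"time": "2006-10-02T08:00:20", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
    {"time": "2006-10-02T08:00:31", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
    {"time": "2006-10-02T08:00:40", "id": 4624, "user": "alice", "ip": "10.1.2.3"},
    # one host trying one password against many accounts: a password spray
    {"time": "2006-10-02T09:10:00", "id": 4625, "user": "bob", "ip": "192.0.2.9"},
    {"time": "2006-10-02T09:10:03", "id": 4625, "user": "carol", "ip": "192.0.2.9"},
    {"time": "2006-10-02T09:10:05", "id": 4625, "user": "dave", "ip": "192.0.2.9"},
    {"time": "2006-10-02T09:10:08", "id": 4625, "user": "erin", "ip": "192.0.2.9"},
    {"time": "2006-10-02T09:10:11", "id": 4625, "user": "frank", "ip": "192.0.2.9"},
    {"time": "2006-10-02T09:10:14", "id": 4625, "user": "grace", "ip": "192.0.2.9"},
    # benign noise: a single typo, and a lone failure well outside any window
    {"time": "2006-10-02T11:00:00", "id": 4625, "user": "heidi", "ip": "10.9.9.9"},
    {"time": "2006-10-02T11:30:00", "id": 4625, "user": "alice", "ip": "10.1.2.3"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _sliding_hits(items, window, predicate):
    """items: (time, payload) pairs sorted by time. True if the payloads of
    any time slice no wider than `window` satisfy `predicate`."""
    start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if predicate([payload for _, payload in items[start:end + 1]]):
            return True
    return False


def detect_bruteforce(events, window=timedelta(minutes=5), threshold=5):
    """(user, ip) pairs with at least `threshold` failures inside `window`."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILURE:
            per_pair[(ev["user"], ev["ip"])].append((_ts(ev), None))
    return {pair for pair, items in per_pair.items()
            if _sliding_hits(sorted(items, key=lambda x: x[0]), window,
                             lambda payloads: len(payloads) >= threshold)}


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Source IPs that failed against at least `min_accounts` distinct
    users inside `window`; each account may see only one failure, so a
    per-account lockout threshold never fires."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["id"] == FAILURE:
            per_ip[ev["ip"]].append((_ts(ev), ev["user"]))
    return {ip for ip, items in per_ip.items()
            if _sliding_hits(sorted(items, key=lambda x: x[0]), window,
                             lambda users: len(set(users)) >= min_accounts)}


def success_after_failures(events, window=timedelta(minutes=10), min_failures=3):
    """(user, ip, failure_count) where a success followed at least
    `min_failures` failures for the same pair inside `window`: the
    signal that a guess worked and the account needs a response."""
    recent = defaultdict(list)
    hits = []
    for ev in sorted(events, key=_ts):
        key = (ev["user"], ev["ip"])
        t = _ts(ev)
        if ev["id"] == FAILURE:
            recent[key].append(t)
        elif ev["id"] == SUCCESS:
            fails = [f for f in recent[key] if t - f <= window]
            if len(fails) >= min_failures:
                hits.append((ev["user"], ev["ip"], len(fails)))
            recent[key].clear()
    return hits


if __name__ == "__main__":
    print("brute force:", detect_bruteforce(SAMPLE_EVENTS))
    print("password spray:", detect_spray(SAMPLE_EVENTS))
    print("success after failures:", success_after_failures(SAMPLE_EVENTS))
```

On the constructed sample the three detectors return one brute-force pair (alice from 10.1.2.3), one spraying host (192.0.2.9) and one success-after-failures hit; the single typo from 10.9.9.9 and the lone late failure trip nothing. The spray detector is the one a per-account lockout policy cannot replace, which is why the strong-passwords and event-collection tactics belong together.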

Page 11:

How Did We Approach Security?

Page 12:

Viruses, Spyware and Worms; Botnets and Rootkits; Phishing and Fraud
Deploying Security Updates; System Identification and Configuration; Security Policy Enforcement
Identity Management and Access Control; Managing Access in the Extended Enterprise; Security Risk of Unmanaged PCs
Regulatory Compliance; Development and Implementation of Security Policies; Reporting and Accountability

Approach areas: Virus & Malware Prevention; Business Practices; Implementing Defense in Depth; Security Management

Page 13:

Secure against attacks
Protects confidentiality, integrity and availability of data and systems
Manageable
Protects from unwanted communication
Controls for informational privacy
Products, online services adhere to fair information principles
Predictable, consistent, responsive service
Maintainable, easy to configure and manage
Resilient, works despite changes
Recoverable, easily restored
Proven, ready to operate
Commitment to customer-centric interoperability
Recognized industry leader, world-class partner
Open, transparent

Page 14:

Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe

Excellence in fundamentals
Security innovations
Best practices, whitepapers and tools
Authoritative incident response
Security awareness and education through partnerships and collaboration
Information sharing on threat landscape

Page 15:

As of October 2006

Service Pack 2: more than 292 million copies distributed (as of June); significantly less likely to be infected by malware
Service Pack 1: more than 4.7 million downloads (as of May); more secure by design, more secure by default
Helps protect against spyware; included in Windows Vista and as free download; most popular download in Microsoft history with over 40M downloads
4.5B total executions; 24.5M disinfections off of 9.6M unique computers; dramatically reduced the number of bot infections

Page 16:

Microsoft’s Security Development Lifecycle
Corporate process and standard for security in engineering

Evangelized internally through training
Verified through pre-ship audit
The Security Development Lifecycle book
Shared with ISV and IT development partners
Documentation and training
Learning Paths for Security
Active community involvement
Automated with tools in Visual Studio: PREfast, FxCop

Page 17:

Guidance
Developer Tools
Systems Management
Active Directory Federation Services (ADFS)
Identity Management Services
Information Protection
Encrypting File System (EFS)
BitLocker™
Network Access Protection (NAP)
Client and Server OS
Server Applications
Edge

Page 18:

Infrastructure Optimization Model

Cost Center: uncoordinated, manual infrastructure
More Efficient Cost Center: managed IT infrastructure with limited automation
Business Enabler: managed and consolidated IT infrastructure with maximum automation
Strategic Asset: fully automated management, dynamic resource usage, business-linked Service Level Agreements (SLA)

* Based on the Gartner IT Maturity Model

Page 19:

Infrastructure Optimization

Cost Center
● IT staff taxed by operational challenges
● Users come up with their own IT solutions
● IT processes undefined
● High complexity due to localized processes & minimal central control
● Patch status of desktops is unknown
● No unified directory for access management

More Efficient Cost Center
● IT Staff trained in best practices such as Microsoft Operations Framework (MOF), IT Infrastructure Library (ITIL), etc.
● Users expect basic services from IT
● Central Admin & configuration of security
● Standard desktop images defined, not adopted company-wide
● Multiple directories for authentication
● Limited automated software distribution

Business Enabler
● IT Staff manages an efficient, controlled environment
● Users have tools they need, high availability, & access to information
● SLAs are linked to business objectives
● Clearly defined and enforced images, security, best practices (MOF, ITIL)
● Automate identity and access management
● Automated system management

Strategic Asset
● IT is a strategic asset
● Users look to IT as a valued partner to enable new business initiatives
● Self assessing & continuous improvement
● Information easily & securely accessed from anywhere on Internet
● Self provisioning and quarantine capable systems ensure compliance & high availability

Page 20:

IO at Microsoft: a Work in Progress

● IT Staff trained in best practices such as MOF, ITIL, etc.
● Users have access to information through OWA, Intranet, Mobile Devices
● Microsoft IT is seen by customers and developers as a critical testing ground for new products
● Central Admin & configuration of security through Network Access Protection (NAP), IP Security (IPSec), smart cards
● Industry leadership in security, best practices (MOF, ITIL)
● Users have SLA of 99.99%
● Information easily & securely accessed from anywhere on Internet through Remote Access Server (RAS) Access & OWA
● Leading Security response (MSRC)
● Centralized directory
● Update management through Systems Management Server (SMS)

Page 21:

One Benefit: Desktop Cost Savings

Desktop cost figures (the column headings are not present in the transcript; the two percentages on a row are the reduction from the second column to the third, and from the third to the first):

Cost category                       Col. 1    Col. 2    Col. 3    Reductions
Hardware / Software                 $1,258    $1,406    $1,366
Administration                        $394      $734      $617    16%   36%
Operations                            $366      $428      $373
Total Direct Costs                  $2,017    $2,568    $2,356     8%   14%
End User Productivity & Downtime    $1,306    $2,952    $2,450
Total TCO                           $3,323    $5,520    $4,806    13%   31%

Page 22:

Examples of IO Benefits at Microsoft

Security
SMS: Patch/Update Management
47% reduction: critical update deployment time

Operations
Server Consolidation & Operational Efficiencies
93% reduction: number of Exchange sites
30% reduction in infrastructure servers
Improved SLA to 99.99%
200% increase in storage capability
Reduced support costs $3 million
Reduced internet costs $6.5 million

Productivity
Improved connectivity through IM, SPS, Remote Mail, Smart Phones
60,000 new Outlook Web Access (OWA) users
180,000 SharePoint® Team Sites
Mobility client satisfaction improved 18%

Page 23:

Key Capabilities

Identity & Access Management
Desktop, Server, & Device Management
Security & Networking
Data Protection & Recovery
Communications & Collaboration

Page 24:

Mediums Technology Futures

Participation in Security-101


Page 25:

Information Security Futures

Vista: User Account Protection
Vista: Next-Generation Secure Computing Base
Vista: Interactive Logon Pilot
Vista: Credential Roaming
Longhorn Public Key Infrastructure
Network Access Protection

Page 26: