1 / 24

Trustworthy Computing – One year on

Trustworthy Computing – One year on Stuart Okin Chief Security Officer – Microsoft UK Agenda Reminder – Set the scene & What is Trustworthy Computing? What have we done? What are we planning Call to Action Questions? Leaving Messages

albert
Télécharger la présentation

Trustworthy Computing – One year on

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Trustworthy Computing – One year on Stuart Okin Chief Security Officer – Microsoft UK

  2. Agenda • Reminder – Set the scene & What is Trustworthy Computing? • What have we done? • What are we planning • Call to Action • Questions?

  3. Leaving Messages • Microsoft is as committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity • Trustworthy computing can only be achieved through partnership & teamwork • Trustworthy Computing is a journey, with a long term vision with highlights and obstacles along the road

  4. Setting the scene

  5. Computer Crime and Security Survey 2002 CERT Threat Remains Real • 90% detected computer security breaches • 40% detected system penetration from the outside; up from 25% in 2000 • 85% detected computer viruses • 95% of all breaches due to misconfiguration Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002 Source: CERT, 2002

  6. An Industry-Wide Problem • Why are Security breaches common? • Microsoft - Windows UPnP • Oracle – Oracle 9i Buffer Overrun • AOL AIM • CDE/Solaris • Apache – Open SSL Buffer • Viruses, Worms • Nimda, Code Red • Slapper • People will have to believe the in technologies, companies and services

  7. What is Trustworthy Computing?

  8. Vision • “Computers as Trusted as a Utility” • Trust is not just security, as it involves perception and environment • Telephones - almost always there when we need them, do what we need them to do, work as advertised, and are reliably available. • A combination of engineering, business practice, and regulation • Computers generally do not engender trust

  9. Resilient to attack Protects confidentiality, integrity, availability and data Trustworthy ComputingCore Tenets Security • Individuals control personal data • Products and Online Services adhere to fair information principles Privacy • Dependable • Available when needed • Performs at expected levels Reliability • Help customers find appropriate solutions • Address issues with products and services • Open interaction with customers Business Integrity

  10. What have we done?

  11. Trustworthy Computing Security

  12. SD3 + Communications • Security training for 11,000 engineers • Security code reviews of old source • Threat modeling • “Blackhat” test coverage • Buffer overrun detection in compile process Secure by Design • Office XP: Macros off by default • No sample code installed by default • IIS and SQL Server off by default in Visual Studio.NET Secure by Default • Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack • Created STPP to respond to customers • PAG for Windows 2000 Security Ops Secure in Deployment • TAMs call Premier Customers proactively • MSRC severity rating system • Free virus hotline • MSDN security guidance for developers • www.microsoft.com/technet/security Communications Progress To Date

  13. Trustworthy Computing Reliability

  14. Critical Incident Mgmt High Availability “Contract” (SLA) 24x7, Onsite, Escalation MOF/ITIL Consulting Security Consulting Tools Consulting Development Consulting Platform Consulting Dedicated Support Engineering Incident Prevention Services Microsoft Services - Overview Service Management Problem & Incident Management (MS reactive) Release Mgmt W2K Config Mgmt NT4 PREMIER Performance Change Mgmt Backup/ Restore “Critical Systems” Service Packages Security Business Continuity Capacity Planning Applications Privacy Legal Monitoring Virus Tools e.g. MOM Application Monitoring Firewalls Deploy Access Server SW Test Server mgmt Build Server build Design Others Operating System Messaging OS Mgmt SQL OS Build DataCentre Adv Svr Windows Fault Tolerant Servers Hardware (Network) Hardware Mgmt tools Trusted Storage Clusters Performance Time/Cost

  15. Trustworthy Computing Privacy Business Integrity

  16. What Will It Take To Address The Business Integrity Goal? • Privacy, for example: • In product design • XP activation anonymous, no PII data collected • P3P in Internet Explorer • P3P support on all major web properties • Conspicuous privacy notices in products • With affiliations, sponsorships • TrustE, BBBOnline – no comparable bodies in Europe yet • Computers, Freedom and Privacy 2002 • By third party audits • Through organizational practices • Adopted Fair Information Practices, GLB compliant in 1997 • European Safe Harbour Agreement on data worldwide • Privacy training, Assessment and Health Index for all divisions

  17. January February March Bill Gate's memo 11000 trained. Code reviews & stand down in Windows Released “Security Operations Guide for Windows 2000 Server” Guide Bill Gate's memo 11000 trained Security Guides Release intention to Federate Passport - Trustbridge Responsible Vulnerability Disclosure Process draft (placed on IETF) Release “Exchange 2000 Server Security Features” & “A/V Features and Strategies for Protecting your Exchange Environment” whitepapers MSN announces participation in a beta test of the first e-mail certification and seal program MS & IBM announce WS-I Set up the Security Business Unit. Set up local security offices. Setup EMEA Office PSS Security Formed PSS Security formed .Net Framework released January 2002 to March 2003

  18. April May June Announce WS-Secure initiative (OASIS Specs for June) Securing the Internet Data Centre workshop complete Palladium Announced (Next Generation Secure Computing Base) Release MBSA Palladium Commonwealth Games IDC Workshops Microsoft Baseline Security Analyzer (MBSA) v1.0 releases Join ETSI/CEN Working Party Release Software Update Services Detailed Privacy Handbook distributed company wide, serves as basis for Privacy Health Index Release Prescriptive Architecture Guide for “.Net Web Applications” Windows security-push stand down ends UK Security assessment and implementation for Manchester 2002 Scott Charney hired MS announces support of SAML (July) April 2002 to June 2002

  19. July August September SQL Server, Exchange, Office complete security pushes Notification process launched by Steve B & BillG The Trustworthy Computing Academic Advisory Board is chartered to review Microsoft product and policy issues OIS formed MCSE Training Push complete OTG Showcase Updated Trustworthy Computing White Paper and Bill G mail to Executives UK Train 7 partners in Security Assessment Services Windows XP SP1 releases Computer Security Resource Centre release draft - "System Admin Guidance for Windows 2000" - MS Showcase on: Smartcards, Secure wireless and ISA business case and deployments MSN 8 launches with new advanced parental and spam control. MSN awarded Truste privacy policy cert from EU A series of new training courses available SQL Hardening training workshop complete Windows Media Player 9 Series beta releases with new privacy and security Draft NSA Windows XP Guide New EFS whitepaper released MS acquires XDegrees, a maker of security software Release of “Pocket PC Security" Whitepaper MOF Operation Assessment v2 released Organisation for Internet Safety Formed July 2002 to Sept 2002

  20. October November December Announce RSA partnership System Management Server (SMS) Feature Packs Microsoft Baseline Security Analyzer (MBSA) v1.1 releases Support IAAC delivery of Benchmarking Information Assurance Severity rating system changed "Writing Secure Code" Second Edition publishes CPE Phase 1 CC approval HA Launch Support ISF in review of Windows 2000, .Net security guidelines for members (industry) Distributed over 4800 security tool kits to small business Microsoft Solution Management Service Offering released Windows 2000 reaches Common Criteria HP & Microsoft UK launch HA services WS-I releases WS-Security Security Resource Toolkit version 2 released MSA EDC v1.5 provides guidance for designing Enterprise DataCentre environments MS Showcase Case Study: Securing Remote Users Microsoft Audit Collection System Beta released Release of “Building Secure ASP.NET Applications” Guide Complete first phase of 4E – CPE UK Program Oct 2002 to Dec 2002

  21. January February March ISA Feature Pack released Announcing Windows Right Management Showcase on Technet Release of “Operating .NET-Based Applications” guide Microsoft Home User – Support Magasine CD Microsoft System Centre announced CISO Council Leeds Course Windows RMS Microsoft completes OpenHack 4 Competition Release of the Secure Windows 2000 Server Solution Guide MOM 2004 announced Government Security Program (Russia, NATO) – UK Sign Government Security Program – China Sign SANs Award: Automatic updates, Training, Vulnerability testing Release of “Using Windows XP Professional with Service Pack 1 in a Managed Environment” Microsoft Convenes Trustworthy Computing Academic Advisory Board MS, IBM, BEA & Tibco: WS-ReliableMessaging SQL Slammer Microsoft completes PKI challenge Security Bulletin Notification System For Home Users Join Information Assurance Advisory Council Announcement of MS Reliability Service CISO US, CISO Finance, CISO UK councils Jan 2003 to Mar 2003

  22. Where are we planning? • Short to Medium Term • Improve Patch Management • Quality • Reduce Installers • Single Microsoft Update Service • Security Push / Engineering techniques “in a box” • Windows 2003 Server (Secure by default) • Longer term • Integration of Security Products (inc ISVs) into system • Next Generation Secure Computing Base • Self Healing & attack sensitive systems • Move applications to .Net Framework

  23. Leaving Messages • Microsoft is as committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity • Trustworthy computing can only be achieved through partnership & teamwork • Trustworthy Computing is a journey, with a long term vision with highlights and obstacles along the road

  24. Trustworthy Computing Stuart Okin Chief Security Officer – Microsoft UK

More Related