
How Microsoft does end-to-end IT Security

  1. How Microsoft does end-to-end IT Security
     Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

  2. Agenda • The Microsoft Landscape • IT Environment • Business Challenges • “Chief” Concerns • Who We Are and What We Do • The Security Lifecycle • Internal Alignment • Strategies and Tactics • Information Security Futures

  3. Microsoft IT Environment
     • 340,000+ computers
     • 121,000 end users
     • 98 countries
     • 441 buildings
     • 15,000 Vista clients
     • 25,000 Office 2007 clients
     • 5,700 Exchange 12 (Exchange Server 2007) mailboxes
     • 31 Longhorn (Windows Server 2008) servers
     • 46,000,000+ remote connections per month
     • 189,000+ SharePoint sites
     • 4 data centers
     • 8,400 production servers
     • E-mails per day: 3,000,000 internal, 10,000,000 inbound, 9,000,000 filtered out
     • 33,000,000 IMs per month
     • 120,000+ e-mail server accounts

  4. Balancing Business Challenges
     Network attacks are complex, sophisticated and covert.
     On one side of the balance, the business drivers:
     • Software development business requirements
     • “First & Best Customer”: Microsoft IT runs a beta environment
     • 30K partners with connectivity needs
     • Corporate culture of agility and autonomy
     • Large population of mobile clients
     On the other side: a Secure Network + Compliance

  5. Microsoft CISO Concerns • Regulatory compliance • Mobility of data • Unauthorized access to data • Malicious software • Supporting an evolving client

  6. The Security Lifecycle “FAST. RELIABLE. PROTECTED. SECURE BY DESIGN.”

  7. How We Align
     • Compliance: Regulatory Compliance; Vulnerability Scanning & Remediation; Scorecarding
     • Network Security: Monitor, Detect, Respond; Attack & Penetration; Technical Investigations; IDS and A/V
     • Assessment & Governance: InfoSec Risk Assessment; InfoSec Policy Management; Security Architecture; InfoSec Governance
     • Identity & Access Management: IdM Security Architecture; IdM Governance & Compliance; IdM Engineering Ops & Services; IdM Accounts & Lifecycle
     • App Consulting & Engineering: End-to-End App Assessment & Mitigation; Application Threat Modeling; External & Internal Training
     • Engineering & Engagement: Engineering Lifecycle; Process & Methods; Secure Design Review; Awareness & Communication

  8. Pursuing Excellence
     • People: Skilled, Intelligent, Informed
     • Technology: Connected, Current, Leveraged
     • Process & Policy: Global, Standard, Followed

  9. Key Strategies and Tactics
     • Assessment of risk
     • Identification of potential threats
     • Mitigate risk through five key strategies: Secure the Network; Identity & Access Management; IP and Data Protection; Enhanced Auditing & Monitoring; Awareness

  10. Key Strategies and Tactics
     Strategies: Secure the Network; Identity & Access Management; IP and Data Protection; Enhanced Auditing & Monitoring; Awareness; Futures
     Tactics:
     • Secure Extranet and Partner Connections
     • Secure Remote Access
     • Network Segmentation
     • Network Intrusion Detection Systems
     • Hardening the Wireless Network
     • Strong Passwords
     • Public Key Infrastructure: Certificate Services
     • E-Mail Hygiene and Trustworthy Messaging
     • Least Privileged Access
     • Managed Source Code
     • Security Development Lifecycle - IT
     • Securing Mobile Devices
     • Automated Vulnerability Scans
     • Combating Malware
     • Security Event Collection
     • Information Security Policies
     • Training and Communications

  11. How Did We Approach Security?

  12. Security Management
     • Virus & Malware Prevention: Viruses, Spyware and Worms; Botnets and Rootkits; Phishing and Fraud
     • Business Practices: Regulatory Compliance; Develop and Implement Security Policies; Reporting and Accountability
     • Identity Management and Access Control: Managing Access in the Extended Enterprise; Security Risk of Unmanaged PCs
     • Security Management: Implementing Defense in Depth; Deploying Security Updates; System Identification and Configuration; Security Policy Enforcement

  13. • Secure against attacks
     • Protects confidentiality, integrity and availability of data and systems
     • Manageable
     • Protects from unwanted communication
     • Controls for informational privacy
     • Products and online services adhere to fair information principles
     • Predictable, consistent, responsive service
     • Maintainable, easy to configure and manage
     • Resilient, works despite changes
     • Recoverable, easily restored
     • Proven, ready to operate
     • Commitment to customer-centric interoperability
     • Recognized industry leader, world-class partner
     • Open, transparent

  14. Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe
     • Security awareness and education through partnerships and collaboration
     • Information sharing on the threat landscape
     • Best practices, whitepapers and tools
     • Authoritative incident response
     • Excellence in fundamentals
     • Security innovations

  15. As of October 2006
     • Windows XP Service Pack 2: more than 292 million copies distributed (as of June); significantly less likely to be infected by malware
     • Windows Server 2003 Service Pack 1: more than 4.7 million downloads (as of May); more secure by design, more secure by default
     • Windows Defender: helps protect against spyware; included in Windows Vista and available as a free download
     • Malicious Software Removal Tool: most popular download in Microsoft history with over 40M downloads; 4.5B total executions; 24.5M disinfections on 9.6M unique computers; dramatically reduced the number of bot infections

  16. Microsoft’s Security Development Lifecycle
     • Corporate process and standard for security in engineering
     • Evangelized internally through training
     • Verified through pre-ship audit
     • The Security Development Lifecycle book
     • Shared with ISV and IT development partners: documentation and training; Learning Paths for Security; active community involvement
     • Automated with tools in Visual Studio: PREfast (static analysis for C/C++) and FxCop (static analysis for managed code)

  17. Platform areas: Services; Edge; Server Applications; Client and Server OS; Identity Management; Systems Management; Guidance; Developer Tools
     Products called out: Information Protection (Encrypting File System (EFS), BitLocker™); Network Access Protection (NAP); Active Directory Federation Services (ADFS)

  18. Infrastructure Optimization Model (based on the Gartner IT Maturity Model)
     • Cost Center: uncoordinated, manual infrastructure
     • More Efficient Cost Center: managed IT infrastructure with limited automation
     • Business Enabler: managed and consolidated IT infrastructure with maximum automation
     • Strategic Asset: fully automated management, dynamic resource usage, business-linked Service Level Agreements (SLAs)

  19. Infrastructure Optimization

  20. IO at Microsoft: a Work in Progress

  21. One Benefit: Desktop Cost Savings
     Per-desktop costs at three infrastructure maturity levels (a), (b) and (c), from least to most optimized; the savings columns compare (a) to (b) and (b) to (c):

     Cost category                    | (a)    | (b)    | (c)    | Savings (a) to (b) | Savings (b) to (c)
     Hardware / Software              | $1,406 | $1,366 | $1,258 |                    |
     Operations                       | $734   | $617   | $394   | 16%                | 36%
     Administration                   | $428   | $373   | $366   |                    |
     Total Direct Costs               | $2,568 | $2,356 | $2,017 | 8%                 | 14%
     End User Productivity & Downtime | $2,952 | $2,450 | $1,306 |                    |
     Total TCO                        | $5,520 | $4,806 | $3,323 | 13%                | 31%

  22. Examples of IO Benefits at Microsoft
     • Security Operations (SMS: Patch/Update Management): 47% reduction in critical update deployment time
     • Server Consolidation & Operational Efficiencies: 93% reduction in number of Exchange sites; 30% reduction in infrastructure servers; improved SLA to 99.99%; 200% increase in storage capability; reduced support costs by $3 million; reduced internet costs by $6.5 million
     • Productivity: 60,000 new Outlook Web Access (OWA) users; 180,000 SharePoint® Team Sites; mobility client satisfaction improved 18%; improved connectivity through IM, SPS, Remote Mail and Smart Phones

  23. Key Capabilities
     • Identity & Access Management
     • Desktop, Server & Device Management
     • Security & Networking
     • Data Protection & Recovery
     • Communications & Collaboration

  24. Technology Futures
     • Participation in Security-101 Mediums

  25. Information Security Futures
     • Vista: User Account Protection
     • Vista: Next-Generation Secure Computing Base
     • Vista: Interactive Logon Pilot
     • Vista: Credential Roaming
     • Longhorn Public Key Infrastructure
     • Network Access Protection
