
How Microsoft does end-to-end IT Security Bruce Cowper Senior Program Manager, Security Initiative Microsoft Canada.

Presentation transcript:

1 How Microsoft does end-to-end IT Security
Bruce Cowper, Senior Program Manager, Security Initiative, Microsoft Canada

2 Agenda
- The Microsoft Landscape
- IT Environment
- Business Challenges
- Chief Concerns
- Who We Are and What We Do
- The Security Lifecycle
- Internal Alignment
- Strategies and Tactics
- Information Security Futures

3 Microsoft IT Environment
- 340,000+ computers
- 121,000 end users
- 98 countries
- 441 buildings
- 15,000 Vista clients
- 25,000 Office 2007 clients
- 5,700 Exchange 12 mailboxes
- 31 Longhorn servers
- 46,000,000+ remote connections per month
- 189,000+ SharePoint Sites
- 4 data centers
- 8,400 production servers
- E-mails per day: 3,000,000 internal, 10,000,000 inbound, 9,000,000 filtered out
- 33,000,000 IMs per month
- 120,000+ server accounts

4 Balancing Business Challenges
- 30K partners with connectivity needs
- Corporate culture of agility and autonomy
- Large population of mobile clients
- Beta environment
- First & Best Customer
- Secure Network + Compliance
- Software Dev business requirements
- Network Attacks Are… Sophisticated, Covert, Complex

5 Microsoft CISO Concerns
- Regulatory compliance
- Mobility of data
- Unauthorized access to data
- Malicious software
- Supporting an evolving client

6 The Security Lifecycle
Define, Assess, Design, Operate, Monitor, Respond
Fast. Reliable. Protected. Secure by Design.

7 How We Align
- App Consulting & Engineering: End-to-End App Assessment & Mitigation; Application Threat Modeling; External & Internal Training
- Engineering & Engagement: Engineering Lifecycle Process & Methods; Secure Design Review; Awareness & Communication
- Network Security: Monitor, Detect, Respond; Attack & Penetration; Technical Investigations; IDS and A/V
- Identity & Access Management: IdM Security Architecture; IdM Gov & Compliance; IdM Eng Ops & Services; IdM Accounts & Lifecycle
- Assessment & Governance: InfoSec Risk Assessment; InfoSec Policy Management; Security Architecture; InfoSec Governance
- Compliance: Regulatory Compliance; Vulnerability Scanning & Remediation; Scorecarding
Lifecycle phases: Define, Assess, Design, Operate, Monitor, Respond

8 Pursuing Excellence
- Technology: Connected, Current, Leveraged
- Process & Policy: Global, Standard, Followed
- People: Skilled, Intelligent, Informed

9 Key Strategies and Tactics
- Assessment of risk
- Identification of potential threats
- Mitigate risk through five key strategies: Identity & Access Management; IP and Data Protection; Secure the Network; Enhanced Auditing & Monitoring; Awareness

10 Key Strategies and Tactics
Tactics:
- Secure Extranet and Partner Connections
- Secure Remote Access
- Network Segmentation
- Network Intrusion Detection Systems
- Hardening the Wireless Network
- Strong Passwords
- Public Key Infrastructure: Certificate Services
- Hygiene and Trustworthy Messaging
- Least Privileged Access
- Managed Source Code
- Security Development Lifecycle - IT
- Securing Mobile Devices
- Automated Vulnerability Scans
- Combating Malware
- Security Event Collection
- Information Security Policies
- Training and Communications
Strategies: Identity & Access Management; IP and Data Protection; Secure the Network; Enhanced Auditing & Monitoring; Awareness; Futures

11 How Did We Approach Security?

12 Security Management
- Viruses, Spyware and Worms
- Botnets and Rootkits
- Phishing and Fraud
- Deploying Security Updates
- System Identification and Configuration
- Security Policy Enforcement
- Identity Management and Access Control
- Managing Access in the Extended Enterprise
- Security Risk of Unmanaged PCs
- Regulatory Compliance
- Development and Implementation of Security Policies
- Reporting and Accountability
- Virus & Malware Prevention
- Business Practices
- Implementing Defense in Depth

13 Trustworthy Computing Attributes
- Secure against attacks
- Protects confidentiality, integrity and availability of data and systems
- Manageable
- Protects from unwanted communication
- Controls for informational privacy
- Products, online services adhere to fair information principles
- Predictable, consistent, responsive service
- Maintainable, easy to configure and manage
- Resilient, works despite changes
- Recoverable, easily restored
- Proven, ready to operate
- Commitment to customer-centric Interoperability
- Recognized industry leader, world-class partner
- Open, transparent

14 Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe
- Excellence in fundamentals
- Security innovations
- Best practices, whitepapers and tools
- Authoritative incident response
- Security awareness and education through partnerships and collaboration
- Information sharing on threat landscape

15 As of October 2006
- More than 292 million copies distributed (as of June)
- Significantly less likely to be infected by malware
- Service Pack 2
- Service Pack 1
- More than 4.7 million downloads (as of May)
- More secure by design; more secure by default
- Helps protect against spyware; included in Windows Vista and as free download
- Most popular download in Microsoft history with over 40M downloads
- 4.5B total executions; 24.5M disinfections off of 9.6M unique computers
- Dramatically reduced the number of Bot infections

16 Microsoft's Security Development Lifecycle
- Corporate process and standard for security in engineering
- Evangelized internally through training
- Verified through pre-ship audit
- The Security Development Lifecycle book
- Shared with ISV and IT development partners
- Documentation and training
- Learning Paths for Security
- Active community involvement
- Automated with tools in Visual Studio: PREfast, FxCop

17 Guidance
- Developer Tools
- Systems Management
- Active Directory Federation Services (ADFS)
- Identity Management Services
- Information Protection
- Encrypting File System (EFS)
- BitLocker
- Network Access Protection (NAP)
- Client and Server OS
- Server Applications
- Edge

18 Infrastructure Optimization Model
- Cost Center: Uncoordinated, manual infrastructure
- More Efficient Cost Center: Managed IT infrastructure with limited automation
- Business Enabler: Managed and consolidated IT infrastructure with maximum automation
- Strategic Asset: Fully automated management, dynamic resource usage, business linked Service Level Agreements (SLA)
* Based on the Gartner IT Maturity Model

19 Infrastructure Optimization
- IT staff taxed by operational challenges
- Users come up with their own IT solutions
- IT Staff trained in best practices such as Managed Object Format (MOF), IT Infrastructure Library (ITIL), etc.
- Users expect basic services from IT
- IT Staff manages an efficient, controlled environment
- Users have tools they need, high availability, & access to information
- IT is a strategic asset
- Users look to IT as a valued partner to enable new business initiatives
- IT processes undefined
- High complexity due to localized processes & minimal central control
- Central Admin & configuration of security
- Standard desktop images defined, not adopted company-wide
- SLAs are linked to business objectives
- Clearly defined and enforced images, security, best practices (MOF, ITIL)
- Self assessing & continuous improvement
- Information easily & securely accessed from anywhere on Internet
- Patch status of desktops is unknown
- No unified directory for access management
- Multiple directories for authentication
- Limited automated software distribution
- Automate identity and access management
- Automated system management
- Self provisioning and quarantine capable systems ensure compliance & high availability

20 IO at Microsoft: a Work in Progress
- IT Staff trained in best practices such as MOF, ITIL, etc.
- Users have access to information through OWA, Intranet, Mobile Devices
- Microsoft IT is seen by customers and developers as a critical testing ground for new products
- Central Admin & configuration of security through network access protection (NAP), IP Security (IPSec), smart cards
- Industry leadership in security, best practices (MOF, ITIL)
- Users have SLA of 99.99%
- Information easily & securely accessed from anywhere on Internet through Remote Access Server (RAS) Access & OWA
- Leading Security response (MSRC)
- Centralized directory
- Update management through Systems Management Server (SMS)

21 One Benefit: Desktop Cost Savings
Cost categories: Hardware / Software | Administration | Operations | Total Direct Costs | End User Productivity & Downtime | Total TCO
$1,258 | $394 | $366 | $2,017 | $1,306 | $3,323
$1,406 | $734 | $428 | $2,568 | $2,952 | $5,520
$1,366 | $617 | $373 | $2,356 | $2,450 | $4,806
16% | 36% | 13% | 31% | 8% | 14%

22 Examples of IO Benefits at Microsoft (Security, Productivity, Operations)
- SMS: Patch/Update Management
  - 47% reduction: critical update deployment time
- Server Consolidation & Operational Efficiencies
  - 93% reduction: number of Exchange sites
  - 30% reduction in infrastructure servers
  - Improved SLA to 99.99%
  - 200% increase in storage capability
  - Reduced support costs $3 million
  - Reduced internet costs $6.5 million
- Improved connectivity through IM, SPS, Remote Mail, Smart Phones
  - 60,000 new Outlook Web Access (OWA) users
  - 180,000 SharePoint® Team Sites
  - Mobility client satisfaction improved 18%

23 Key Capabilities
- Identity & Access Management
- Desktop, Server, & Device Management
- Security & Networking
- Data Protection & Recovery
- Communications & Collaboration

24 Mediums / Technology / Futures
- Participation in Security-101
Back to All Tactics

25 Information Security Futures
- Vista: User Account Protection
- Vista: Next-Generation Secure Computing Base
- Vista: Interactive Logon Pilot
- Vista: Credential Roaming
- Longhorn Public Key Infrastructure
- Network Access Protection
Back to All Tactics

