
Information Security Microsoft Legal Spotlight Presented by LawNet and Microsoft Alan Hakimi US Lead Architect for Security Microsoft Services Scott D.


1 Information Security Microsoft Legal Spotlight Presented by LawNet and Microsoft Alan Hakimi US Lead Architect for Security Microsoft Services Scott D. Gilgallon Legal Vertical Manager, San Francisco Microsoft Corporation

2 Legal Disclaimers I am not a lawyer, nor do I intend to be one. I do not provide legal advice; I try to provide information security advice. I recommend seeking legal counsel, so seek yourselves and your colleagues. I also recommend consulting your auditors. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. The descriptions of other companies' products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers. This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE. All trademarks are the property of their respective companies. ©2004 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

3 Agenda Information Security and Trustworthy Computing Security Objectives and Security Risk Management Developing Secure Solutions Public Key Infrastructures Microsoft Product Suite Questions

4 Poll

5 Information Security The defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety Note: It is imperative for organizations to document this defined set

6 Information Security Compliance The measurement of effectiveness of the defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety based on regulatory statutes and accepted standard practices. Safe from whom? Who and what requires safety? Which regulatory statutes apply? What are accepted standard practices? What is reasonable? How does one measure effectiveness? How do I create the defined set?

7 Microsoft Initiative. Individual control of personal data; products and online services adhere to fair information principles; protects individuals' right to be left alone. Resilient to attack; protects confidentiality, integrity, availability of data and systems. Engineering Excellence: dependable, performs at expected levels; available when needed. Open, transparent interaction with customers; address issues with products and services; help customers find appropriate solutions.

8 Basic Security Objectives Confidentiality. The concealment of information or information assets Integrity. Protection of the content of information and the source of data Availability. Ability to use the information asset

9 The Business Case Organizations are adopting zero tolerance for security breaches. Organizations' reputation and fiscal health are at stake. Organizations must meet the legal standard of reasonable care. Organizations must protect privileged or personal information.

10 Security Enabled Business. Reduce Security Risk: assess the environment; improve isolation and resiliency; develop and implement controls. Increase Business Value (Connected, Productive): connect with customers; integrate with partners; empower employees. Diagram labels: Risk Level, Impact to Business, Probability of Attack, ROI.

11 Security Risk Management Addresses the safety element of information security What is the threat to your organization? What information assets require protection in your organization? Which assets are vulnerable?

12 Security Risk Management Protect information assets: Confidentiality, Integrity, Availability. Threat Assessment: Human, Non-Human. Vulnerability Analysis: Technology, People, Process.

13 Threat: Attackers Attackers want to disrupt the information services from running. Attackers wish to view, modify, or steal data from the information service. Attackers are motivated by religious beliefs, political views, ethnic backgrounds, nationality, reputation, and wealth.

14 Threat: Other Lawyers Lawyers take legal action against individuals or organizations, which may be on behalf of employees, customers, or other organizations. The risk stems from: failure to protect data; illegal, irresponsible, fraudulent, ignorant or unethical behavior.

15 Legalese and Threat Mitigation A tort is a wrong that is civil in nature and violates someone's right or duty. A right is a legal claim not to have others interfere with a protected interest, including property and privacy. A duty is a legal obligation not to interfere with a protected interest. Negligence (negligent tort) is conduct that creates an unreasonable risk of harm, or that fails to protect against harm.

16 Risk Management & Decision Support Information security defines probability (probability of threat/exploit); business defines impact (impact of vulnerability to business). The chart plots probability against impact, Low to High on each axis, and divides the plane into Unacceptable Risk and Acceptable Risk regions. Risk management drives risk to an acceptable level.

17 Security Solutions Scope Provides a way to group threats and controls; spans people, process, and technology. Defense in depth: Network, Host, Application, Data, Physical. Manage risk where IT assets are similar; define roles & accountability for each environment; create processes to assess, control, and measure each environment. Common security environments: Unmanaged Devices, Managed Clients, Managed Servers.

18 Framework for a Security-Enabled Business Security Leadership & Culture: management commitment to proactive risk management; security defined in terms of value to the business; clearly defined vision, mission, and scope; well-defined roles and accountability. Risk Management & Decision Support: consistent and repeatable process to assess and prioritize risk; formal decision support process to identify the most effective solution based on a cost/benefit analysis. Security Solutions Blueprint: view of security solutions across enterprise IT assets; common approach and understanding of current investments and future needs; measurement of results.

19 Security Leadership & Culture Business drivers: regulatory mandates; industry standards; customer confidence. Security strategy: proactive / reactive. Diagram elements: Security Principles, Business Drivers, Security Strategy, Roles.

20 Security Dashboard Security Environments (rows): Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth (columns): Physical, Network, Host, Apps, Data.

21 Assessing Risk Security Environments (rows): Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth (columns): Physical, Network, Host, Apps, Data. Evaluate risk for each intersection; this provides a holistic view of information security. Each intersection contains a risk rating and mitigation strategy. Ratings: Unacceptable, Control in Progress, Acceptable.

22 Risk Assessment Results Security Environments (rows): Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth (columns): Physical, Network, Host, Apps, Data. Ratings: Unacceptable, Control in Progress, Acceptable.

23 Commit to a Course of Action Evaluate available or new IT security control options Use cost/benefit analysis to identify which gaps represent the greatest relative risk Create a formal, repeatable decision support process to prioritize solutions

24 Implementing Solutions Security Environments (rows): Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth (columns): Physical, Network, Host, Apps, Data. A solution is placed on the intersections it covers.

25 Measuring Results Security Environments (rows): Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth (columns): Physical, Network, Host, Apps, Data. Ratings: Unacceptable, Control in Progress, Acceptable.

26 Taking the Next Steps Formalize your security strategy: refer to standards you've already identified and use our framework where you think it's appropriate. Execute the risk management process: establish IT security objectives; inventory vulnerabilities and existing security controls; assess risk; commit to a course of action; implement security controls; measure results.
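The slides 16 and 21 through 26 describe one procedure: rate probability (information security) and impact (business) at each environment/layer intersection, classify each cell as Unacceptable, Control in Progress or Acceptable, and then use cost/benefit analysis to decide which gaps to close first. The following is an added worked example, not code from the deck or from Microsoft: a small risk register on the deck's own grid. The 1–3 scale, the tolerance threshold, the sample assessments, the control costs and the residual probabilities are all constructed assumptions; only the control names are taken from the deck.

```python
# Added example (not from the deck): a risk register laid out on the deck's grid of
# security environments (rows) by defense-in-depth layers (columns).
# Scale, tolerance, assessments, costs and residual ratings are constructed
# sample data; the control names are the ones the deck itself lists.

ENVIRONMENTS = ["Unmanaged Devices", "Managed Clients", "Managed Servers"]
LAYERS = ["Physical", "Network", "Host", "Apps", "Data"]
SCALE = {"Low": 1, "Medium": 2, "High": 3}
TOLERANCE = 4  # highest score the business has agreed to accept (an assumption)

# Constructed assessments. "in_progress" means a control is being deployed but is
# not yet effective; "control" is the candidate countermeasure, or None when the
# organization has found nothing reasonable to buy and must own the risk instead.
ASSESSMENTS = [
    {"env": "Unmanaged Devices", "layer": "Data", "probability": "High", "impact": "High",
     "in_progress": False,
     "control": {"name": "Encrypted File System (EFS)", "cost": 2, "residual_probability": "Low"}},
    {"env": "Unmanaged Devices", "layer": "Network", "probability": "High", "impact": "Medium",
     "in_progress": True,
     "control": {"name": "IPSEC, L2TP", "cost": 3, "residual_probability": "Low"}},
    {"env": "Managed Clients", "layer": "Host", "probability": "Medium", "impact": "Medium",
     "in_progress": False,
     "control": {"name": "Group Policy, Security Templates", "cost": 1, "residual_probability": "Low"}},
    {"env": "Managed Servers", "layer": "Apps", "probability": "Medium", "impact": "High",
     "in_progress": False,
     "control": {"name": "Kerberos, Smart Cards", "cost": 4, "residual_probability": "Low"}},
    {"env": "Managed Servers", "layer": "Physical", "probability": "Medium", "impact": "High",
     "in_progress": False, "control": None},
]


def risk_score(probability, impact):
    """Information security rates probability, the business rates impact;
    the risk score is their product on the 1..9 scale."""
    return SCALE[probability] * SCALE[impact]


def risk_state(score, in_progress=False, tolerance=TOLERANCE):
    """Map a score to the deck's three dashboard states."""
    if score <= tolerance:
        return "Acceptable"
    return "Control in Progress" if in_progress else "Unacceptable"


def dashboard(assessments=ASSESSMENTS):
    """One cell per environment/layer intersection, as on the security dashboard slide."""
    cells = {(env, layer): "Not assessed" for env in ENVIRONMENTS for layer in LAYERS}
    for a in assessments:
        score = risk_score(a["probability"], a["impact"])
        cells[(a["env"], a["layer"])] = risk_state(score, a["in_progress"])
    return cells


def prioritize(assessments=ASSESSMENTS):
    """Cost/benefit ranking of the unacceptable gaps that have a candidate control:
    risk reduction (current score minus residual score) per unit of control cost."""
    ranked = []
    for a in assessments:
        score = risk_score(a["probability"], a["impact"])
        control = a["control"]
        if control is None or risk_state(score, a["in_progress"]) != "Unacceptable":
            continue
        residual = risk_score(control["residual_probability"], a["impact"])
        reduction = score - residual
        ranked.append({"env": a["env"], "layer": a["layer"], "control": control["name"],
                       "reduction": reduction, "benefit_per_cost": reduction / control["cost"]})
    return sorted(ranked, key=lambda r: r["benefit_per_cost"], reverse=True)


def uncontrolled_gaps(assessments=ASSESSMENTS):
    """Unacceptable cells with no candidate control: these need a contingency plan,
    transfer (insurance, outsourcing) or an explicit acceptance decision."""
    return [(a["env"], a["layer"]) for a in assessments
            if a["control"] is None
            and risk_state(risk_score(a["probability"], a["impact"]), a["in_progress"]) == "Unacceptable"]


def render(cells):
    """Plain-text dashboard for a status report."""
    width = max(len(e) for e in ENVIRONMENTS)
    lines = [" " * width + " | " + " | ".join(f"{l:20}" for l in LAYERS)]
    for env in ENVIRONMENTS:
        lines.append(f"{env:{width}} | " + " | ".join(f"{cells[(env, l)]:20}" for l in LAYERS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(dashboard()))
    for gap in prioritize():
        print(f"{gap['env']}/{gap['layer']}: {gap['control']} "
              f"(reduction {gap['reduction']}, per cost {gap['benefit_per_cost']:.2f})")
    print("own with contingency plan:", uncontrolled_gaps())
```

Re-running `dashboard()` after controls are deployed and reassessed is the "measure results" step: a cell that was Unacceptable should move to Control in Progress and then Acceptable, and one that does not is a gap the register has to explain.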

27 Risks While the potential for damage from an attacker is more evident, an attacker does not file lawsuits for: harassment or discrimination; privacy invasion; disclosure of confidential information; copyright infringement; investment fraud. That may be your or your organization's job. Therefore you must also mitigate the risk of another attorney filing a lawsuit against your organization.

28 Security Risk Management Microsoft advocates using a risk-driven approach to help manage security risks within an organization. This must have the involvement of senior management and stakeholders. IT staff must have business awareness to understand where security investments can have the best ROI. Security depends on balancing cost and risk through the appropriate use of technology, policy, outsourcing, and insurance.

29 Security Risk Management Results Helps the organization determine what are reasonable mitigation strategies to counteract threats and minimize vulnerabilities, called countermeasures and safeguards. Some risks cannot reasonably be mitigated against; therefore contingency plans can be created for the risk the organization wishes to own. Other risks can be transferred to third parties, accepted, etc. These mitigation strategies and contingency plans address the reasonable element of information security.

30 Security Risk Management Guidance Security Risk Management Discipline: http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx Security Risk Management Guidance: http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx

31 Regulatory Factors Addresses the regulatory element of information security USA PATRIOT Act Department of Homeland Security (DHS) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley (SOX) Computer Fraud and Abuse Act (CFAA) Digital Millennium Copyright Act (DMCA) Gramm-Leach-Bliley (GLB)

32 IT Security Solutions Building Systems with Security Assurance In order to meet the goals of information security, all IT solutions must address these five areas to meet the business objectives for security. This is an attempt to address the accepted practices for information security: Identity Management, Access Management, Secure Data Management, Audit Management, Resiliency and Integrity Management.

33 Identity Management The set of tools, policies, and practices that manage digital identities. Credentials, Passwords, Provisioning / Deprovisioning, Attribute Synchronization. Coverage Areas: Directory Services, Authentication.

34 Access Management The set of tools, policies, and practices that controls access to information assets. Entitlements, Access Control Lists, Roles, Groups. Coverage Areas: Authorization.

35 Audit Management The set of tools, policies, and practices that monitor and track the access to information assets. Events, Tracking, Logging, Reporting, Auditors. Coverage Areas: Event Management, Event Aggregation, Event Reporting, Event Analysis - Forensics.

36 Secure Data Management The set of tools, policies, and practices that secure data within information assets. Data Storage; Secured Transmission and Reception of Data across Communication Networks. Coverage Areas: Cryptography, Privacy, Data Classification Schemes.

37 Resiliency and Integrity Management The set of tools, policies, and practices that keep information assets healthy and functional Health Checking Availability Intrusion Detection Coverage Areas Malware Detection and Eradication Systems Management Operations Management

38 Information Security Compliance Recap Questions and Answers Safe from whom and who requires safety? Security Risk Management – Asset Identification, Threat Analysis, and Vulnerability Assessment Which regulatory statutes apply? Security Risk Management – Business Requirements for Definition of Reasonable Assurance What are standard practices? Defense in Depth for Deploying Countermeasures Use Five Security Areas for Building Secure Solutions What is reasonable? Security Risk Management – Risk Analysis How does one measure effectiveness? Security Risk Management – Risk Tracking and Reporting Use ISO 17799 and Common Criteria to measure trustworthiness effectiveness Use external audit procedures to measure effectiveness of regulatory controls as required by business How does one create the defined set? Security Risk Management – Countermeasure and Safeguard Development for Remediation Strategy Definition of Security Architecture

39 What does the law profession need? Confidential Communications Client – Attorney Privilege Secure Storage of Documents Legal Documents Privacy of Client Information Client Data Security Evidence of an Action Legal Binding Signatures Crime or Other Inappropriate Activity

40 Public Key Infrastructure Public Key Infrastructures are quickly becoming a security enabler for most organizations and eventually will be a must-have. Why? Encryption, Digital Signatures, Multi-Factor Authentication.

41 Business drivers: to provide authentication and trust. Mechanisms: Digital signature, Encryption, Digital Certificate. Authentication: confirmed in-house or by a trusted organization. Integrity: guarantee information has not been tampered with. Confidentiality: encrypted messages to ensure secure trusted transactions; must be securely stored. Proof of transaction: assures the originator cannot disavow the transaction; enables use of trusted, binding transaction receipts based on identity and/or role.

42 PKI value proposition It's all about the applications. PKI is... not a solution… not an application… not a solution to thwart hackers… a technology useful in some applications that provide a security solution.

43 PKI value proposition PKI applications / customer demand: Encrypting File System: protecting data on mobile stations. Secure E-mail: protecting data collaboration between partners. Smartcard logon: requiring stronger logon security. SSL: protecting web server transactions. Remote Access: L2TP/IPSEC VPN solutions.

44 PKI value proposition PKI applications Fastest emerging demand: Wireless and 802.1x. What is slow, but growing: digital signatures, signed transactions; PKI-enabled application logon; client-side SSL logon to web sites; smartcards for consumers. Where is the killer application?

45 What PKI is and isn't PKI is an enabling technology. PKI is not a solution, in and of itself. Some business uses for PKI: secure communications (data needs to be safe in transit); secure data (data needs to be safe in storage); establishing digital identity (for people, systems, processes); secure transactions (same or better safeguards than the paper world).
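Slide 41 attributes integrity and proof of transaction to the digital signature, confidentiality to encryption, and authentication to a certificate issued by a trusted organization, and slide 45 stresses that PKI is an enabler, not a solution. The following is an added teaching example, not code from the deck, from Microsoft or from any product it names: textbook RSA with freshly generated 256-bit keys, in the Python standard library only, showing each of those properties in turn. The parties ("Example CA", the attorney address) and the documents are constructed; the key size, the absence of padding and the absence of revocation make this a classroom toy, not something to deploy.

```python
import hashlib
import secrets

# Added teaching example (not from the deck): textbook RSA on small, freshly
# generated keys to show what the deck attributes to each PKI building block.
# No padding, no revocation, tiny keys: a classroom toy, never a usable PKI.

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=256):
    """Return (public, private) as ((n, e), (n, d)). 256 bits is far too small for real use."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % PUBLIC_EXPONENT != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse (Python 3.8+)
    return (n, PUBLIC_EXPONENT), (n, d)


def _digest_int(data, n):
    """SHA-256 of the message as an integer below n (toy hash-to-integer, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, message):
    """Digital signature: only the private-key holder can produce it (proof of
    transaction, the originator cannot disavow) and any change to the message
    breaks it (integrity)."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def encrypt(public_key, plaintext):
    """Encryption: confidentiality; anyone with the public key can seal, only the
    private-key holder can open. Toy limit: plaintext must fit below the modulus."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("toy RSA: plaintext must be shorter than the modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _cert_bytes(subject, subject_public_key, issuer):
    n, e = subject_public_key
    return f"{subject}|{n}|{e}|{issuer}".encode()


def issue_certificate(ca_name, ca_private_key, subject, subject_public_key):
    """Digital certificate: a trusted organization binds a name to a public key by
    signing the pair; relying parties authenticate the name through the CA's key."""
    return {"subject": subject, "public_key": subject_public_key, "issuer": ca_name,
            "signature": sign(ca_private_key, _cert_bytes(subject, subject_public_key, ca_name))}


def verify_certificate(cert, ca_public_key):
    return verify(ca_public_key,
                  _cert_bytes(cert["subject"], cert["public_key"], cert["issuer"]),
                  cert["signature"])


def demo():
    """Constructed scenario: a CA the firm trusts certifies an attorney's key; the
    attorney signs a filing and receives a confidential note. Returns
    (chain verifies, tampered filing verifies, encryption round-trips)."""
    ca_pub, ca_priv = generate_keypair()
    attorney_pub, attorney_priv = generate_keypair()
    cert = issue_certificate("Example CA", ca_priv, "attorney@example.test", attorney_pub)
    filing = b"Motion to dismiss, filed 2004-06-01"  # constructed document
    sig = sign(attorney_priv, filing)
    chain_ok = verify_certificate(cert, ca_pub) and verify(cert["public_key"], filing, sig)
    tampered_ok = verify(cert["public_key"], filing + b" (amended)", sig)
    note = b"settlement floor: 1.2M"  # constructed, short enough for the toy modulus
    round_trip = decrypt(attorney_priv, encrypt(attorney_pub, note)) == note
    return chain_ok, tampered_ok, round_trip


if __name__ == "__main__":
    print(demo())  # expected: (True, False, True)
```

The point the deck makes is visible in `demo()`: the mathematics gives you a verifiable signature, but whether "attorney@example.test" is actually the attorney depends entirely on the CA's issuance practice and on the application checking the certificate before trusting the key. That is the part no PKI product supplies on its own.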

46 Recommended Reading American Bar Association Information Security committee has published PKI Assessment Guidelines (PAG) http://www.abanet.org/scitech/ec/isc/home.html

47 Windows Platform Security Solutions (Scenario / Risks / Solutions)
Mobile Users. Risks: Lost/Stolen Laptop; Dial-up Attacks. Solutions: Encrypted File System (EFS); IPSEC, L2TP.
E-commerce. Risks: False Identity/Impostor; Theft of data/money; Transaction modification. Solutions: Public Key Infrastructure (PKI); Integrated Certificate Authority; SSL/TLS.
Home Office. Risks: On-wire Internet Attacks; Dial-up Attacks; False Identity/Impostor. Solutions: IPSEC, L2TP; Kerberos and PKI; SSL/TLS, S/MIME.
LAN / WAN. Risks: False Identity/Impostor; Password Sharing/Guessing; Adds/Moves/Changes. Solutions: Kerberos and PKI; Smart Cards, Biometrics; Group Policy, Delegated Admin.
Applications. Risks: False Identity/Impostor; Password passing; Path of least resistance coding; Malicious Code (Trojan horse). Solutions: Kerberos, NTLMv2, Smart Cards; Impersonation, Auditing; SSPI, CryptoAPI; Code Signing and Policy.
Extranets. Risks: False Identity/Impostor; Data Theft; On-wire Internet Attacks. Solutions: Public Key Infrastructure (PKI); Integrated CA; IPSEC, L2TP, SSL/TLS, S/MIME.
Management. Risks: Too many places to secure; Unfamiliar with employee roles; Don't know who did what; Configuration and Drift. Solutions: Active Directory Integration; Delegated Administration; Auditing Improvements; Security Templates.

48 Microsoft Product Portfolio Identity Management Windows Server 2003 – Active Directory Windows Server 2003 – Certificate Services Windows – Active Directory Application Mode Microsoft Identity Integration Server 2003 Access Management Windows Server 2003 Windows – Authorization Manager Windows Rights Management Server Secure Data Management Windows Server 2003 – Certificate Services Internet Acceleration Server 2004 – Firewall and Proxy Services Windows – Encryption File Service Audit Management Microsoft Audit Collection System Microsoft Windows Microsoft Operations Manager Resiliency and Integrity Management Windows XP – SP2 Firewall Windows Server 2003 – Network Load balancing, Clustering Systems Management Server 2003 – Patch and Update Management Microsoft Operations Manager – Systems Health Management

49 Microsoft Product Portfolio Coming Attractions Active Directory Federation Services Active Protection Technology Network Access Protection

50 How we can help… Microsoft Services US Center of Excellence for Security: Security Risk Management Engagement; Security Remediation Engagement; Security Architectural Engagement; Security Solution Deployment Engagement; Security Operations Engagement. PKI Architecture and Implementation is one of our most common engagements in the security space.

51 Questions Microsoft Services Alan Hakimi alanhak@microsoft.com Microsoft Legal Vertical Manager Scott D. Gilgallon scottgil@microsoft.com

52 Resources Microsoft Services: http://www.microsoft.com/services/microsoftservices/default.mspx Microsoft Security: http://www.microsoft.com/security Security Guidance Center: http://www.microsoft.com/security/guidance How Microsoft IT Secures Microsoft: http://www.microsoft.com/technet/itsolutions/msit E-Learning Clinics: https://www.microsoftelearning.com/security Events and Webcasts: http://www.microsoft.com/seminar/events/security.mspx American Bar Association – Information Security Committee: http://www.abanet.org/scitech/ec/isc/home.html

53 © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
