
How Microsoft does end-to-end IT Security

Bruce Cowper
Senior Program Manager, Security Initiative
Microsoft Canada

Agenda
The Microsoft Landscape
IT Environment
Business Challenges
Chief Concerns

Who We Are and What We Do


The Security Lifecycle
Internal Alignment

Strategies and Tactics


Information Security Futures

Microsoft IT Environment
340,000+ computers
121,000 end users
98 countries
441 buildings
15,000 Vista clients
25,000 Office 2007 clients
5,700 Exchange 12 mailboxes
31 Longhorn servers
46,000,000+ remote connections per month
189,000+ SharePoint Sites
4 data centers
8,400 production servers
E-mails per day: 3,000,000 internal; 10,000,000 inbound; 9,000,000 filtered out
33,000,000 IMs per month
120,000+ e-mail server accounts

Balancing Business Challenges

Network Attacks Are
Sophisticated
Complex
Covert

First & Best Customer
Software Dev business requirements
30K partners with connectivity needs
Beta environment
Corporate culture of agility and autonomy
Large population of mobile clients

Secure Network + Compliance

Microsoft CISO Concerns


Regulatory compliance
Mobility of data
Unauthorized access to data
Malicious software
Supporting an evolving client

The Security Lifecycle


Respond

Define

FAST. RELIABLE. PROTECTED.


Monitor
Assess
SECURE BY DESIGN.

Operate

Design

How We
Align

Network Security
Monitor, Detect, Respond
Attack & Penetration
Technical Investigations
IDS and A/V

Compliance

Assessment & Governance

Regulatory
Compliance

InfoSec Risk Assessment

Respond

Vulnerability
Scanning &
Remediation

InfoSec Policy Management

Define

Security Architecture
InfoSec Governance

Scorecarding

Assess

Monitor

Identity & Access Management


IdM Security Architecture
IdM Gov & Compliance

Operate

Design

IdM Eng Ops & Services


IdM Accounts & Lifecycle

App Consulting &


Engineering
End-to-End App
Assessment
& Mitigation

Engineering & Engagement

Application Threat
Modeling

Engineering Lifecycle
Process & Methods

External & Internal


Training

Secure Design Review


Awareness &
Communication

Pursuing Excellence
Skilled
Intelligent
Informed
Connected
Current
Leveraged

People

Technology

Global
Standard
Followed

Process &
Policy

Key Strategies and Tactics


Assessment of risk
Identification of potential threats
Mitigate risk through five key strategies

Secure the
Network

Identity &
Access
Management

IP and Data
Protection

Enhanced
Auditing &
Monitoring

Awareness

Key Strategies and Tactics


Secure the Network

Secure Extranet and Partner Connections
Secure Remote Access
Network Segmentation
Network Intrusion Detection Systems
Hardening the Wireless Network

Identity & Access Management

Strong Passwords
Public Key Infrastructure: Certificate Services
E-Mail Hygiene and Trustworthy Messaging

IP and Data Protection

Enhanced Auditing & Monitoring

Least Privileged Access

Automated Vulnerability Scans

Managed Source Code

Combating Malware

Security Development Lifecycle - IT

Security Event Collection

Securing Mobile Devices

Futures

Awareness

Information Security Policies
Training and Communications

How Did We Approach Security?

Virus & Malware


Prevention

Business
Practices
Implementing
Defense in Depth

Security
Management

Viruses, Spyware and Worms


Botnets and Rootkits
Phishing and Fraud
Regulatory Compliance
Development and Implementation of Security Policies
Reporting and Accountability
Identity Management and Access Control
Managing Access in the Extended Enterprise
Security Risk of Unmanaged PCs
Deploying Security Updates
System Identification and Configuration
Security Policy Enforcement

Secure against attacks
Protects confidentiality, integrity and availability of data and systems
Manageable

Protects from unwanted communication

Predictable, consistent, responsive service

Commitment to customer-centric Interoperability

Controls for informational privacy

Maintainable, easy to configure and manage

Recognized industry leader, world-class partner

Products, online services adhere to fair information principles

Resilient, works despite changes

Open, transparent

Recoverable, easily restored
Proven, ready to operate

Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe

Excellence in
fundamentals

Best practices,
whitepapers and tools

Security
innovations

Authoritative incident
response

Security awareness
and education
through partnerships
and collaboration
Information sharing
on threat landscape

Service Pack 2
More than 292 million copies distributed (as of June)
Significantly less likely to be infected by malware

Service Pack 1
More than 4.7 million downloads (as of May)
More secure by design; more secure by default

Helps protect against spyware; Included in Windows Vista and as free download
Most popular download in Microsoft history with over 40M downloads

4.5B total executions; 24.5M disinfections off of 9.6M unique computers
Dramatically reduced the number of Bot infections

As of October 2006

Microsoft's Security Development Lifecycle


Corporate process and standard for security in engineering
Evangelized internally through training
Verified through pre-ship audit
The Security Development Lifecycle book

Shared with ISV and IT development partners


Documentation and training
Learning Paths for Security
Active community involvement

Automated with tools in Visual Studio


PREfast
FxCop

Services
Edge
Network Access Protection (NAP)
Server Applications
Encrypting File System (EFS)
BitLocker
Information Protection
Client and Server OS

Identity
Management

Active Directory
Federation Services
(ADFS)

Systems
Management

Guidance
Developer
Tools

Infrastructure Optimization
Model

Uncoordinated,
manual
infrastructure

Cost Center

Managed IT
infrastructure
with limited
automation

Managed and
consolidated IT
infrastructure
with maximum
automation

Fully automated
management,
dynamic resource
usage, business
linked Service Level
Agreements (SLA)

More Efficient
Cost Center

Business
Enabler

Strategic
Asset

* Based on the Gartner IT Maturity Model

Infrastructure Optimization

IT staff taxed by
operational challenges
Users come up with
their own IT solutions

IT processes undefined
High complexity due to
localized processes &
minimal central control

Patch status of
desktops is unknown
No unified directory for
access management

IT Staff trained in best


practices such as
Managed Object Format
(MOF), IT Infrastructure
Library (ITIL), etc.
Users expect basic
services from IT

Central Admin &


configuration of
security
Standard desktop
images defined,
not adopted
company-wide

Multiple directories for


authentication
Limited automated
software distribution

IT Staff manages an
efficient, controlled
environment
Users have tools they
need, high availability, &
access to information

SLAs are linked to


business objectives
Clearly defined and
enforced images,
security, best practices
(MOF, ITIL)

Automate identity and


access management
Automated system
management

IT is a strategic asset
Users look to IT as a
valued partner to enable
new business initiatives

Self assessing &


continuous
improvement
Information easily &
securely accessed from
anywhere on Internet

Self provisioning and


quarantine capable
systems ensure
compliance & high
availability

IO at Microsoft: a Work in
Progress

IT Staff trained in best


practices such as MOF,
ITIL, etc.

Users have access to information through OWA, Intranet, Mobile Devices

Microsoft IT is seen by
customers and
developers as a critical
testing ground for new
products

Central Admin &


configuration of
security through
network access
protection (NAP), IP
Security (IPSec), smart
cards

Industry leadership in
security, best practices
(MOF, ITIL)
Users have SLA of
99.99%

Information easily &


securely accessed from
anywhere on Internet
through Remote Access
Server (RAS) Access &
OWA

Leading Security
response (MSRC)
Centralized directory
Update management
through Systems
Management Server
(SMS)

One Benefit: Desktop Cost Savings

Hardware / Software: $1,406; $1,366; $1,258
Operations: $734; $617 (16%); $394 (36%)
Administration: $428; $373; $366
Total Direct Costs: $2,568; $2,356 (8%); $2,017 (14%)
End User Productivity & Downtime: $2,952; $2,450; $1,306
Total TCO: $5,520; $4,806 (13%); $3,323 (31%)

Examples of IO Benefits at Microsoft

Security
SMS: Patch/Update Management
47% reduction: critical update deployment time

Operations
Server Consolidation & Operational Efficiencies
93% reduction: number of Exchange sites
30% reduction in infrastructure servers
Improved SLA to 99.99%
200% increase in storage capability
Reduced support costs $3 million
Reduced internet costs $6.5 million

Productivity
Improved connectivity through IM, SPS, Remote Mail, Smart Phones
60,000 new Outlook Web Access (OWA) users
180,000 SharePoint Team Sites
Mobility client satisfaction improved 18%

Key Capabilities
Identity & Access Management
Desktop, Server, & Device Management
Security & Networking
Data Protection & Recovery
Communications & Collaboration

Mediums

Technology

Futures
Participation in
Security-101


Information Security
Futures

Vista: User Account Protection


Vista: Next-Generation Secure
Computing Base
Vista: Interactive Logon Pilot
Vista: Credential Roaming
Longhorn Public Key
Infrastructure
Network Access Protection
