IT Security at Microsoft

    IT Security at Microsoft: Presentation Transcript

    • IT Security at Microsoft Overview Published: April 2004
    • Agenda
      • Microsoft environment
      • Security strategy
        • Mission and vision
        • Security principles
        • Risk-based decision model
        • Tactical prioritization
      • Organization chart
      • Representative risks and tactics
      • Security principles—detailed view
    • Microsoft IT Environment
      • Sites shown on the map: Canyon Park, Redmond, Silicon Valley, Las Colinas, Charlotte, Chicago, Sao Paulo, Dublin, Thames Valley Park, Les Ulis, Benelux, Madrid, Milan, Munich, Stockholm, Dubai, Johannesburg, Singapore, Chofu & Otemachi, Sydney
      • 400+ supported Microsoft sites worldwide
      • 55,000 employees
      • 90,000 mailboxes
      • 6-7M e-mail messages per day
      • 110 Exchange servers/36 mailbox servers
      • 300,000+ network devices
      • 6,000 data-center servers
      • 400 primary LOB applications
      • 26 million voice calls per month
    • Microsoft Security Environment
      • Environment
        • More than 300,000 network-joined devices
        • 30,000 business partners with connectivity needs
        • Frequent target of attack
          • 100,000+ intrusion attempts/probes/scans per month
          • 5M filtered emails/day (spam and anti-virus)
      • Challenges
        • Culture based on autonomy and agility
        • Large population of mobile clients
        • Unique business requirements to support software development
        • Running the business on N+1 platform as "first and best" customer
    • Security Strategy
      • Corporate Security Mission and Vision
      • Security Operating Principles
      • Risk-Based Decision Model
      • Tactical Prioritization
    • Mission
      • Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets
      • Assess Risk, Define Policy, Monitor, Audit
      • Strategy sections: Mission and Vision, Operating Principles, Risk Based Decision Model, Tactical Prioritization
    • Vision
      • Five Trustworthy Assurances
        • My identity is not compromised
        • Resources are secure and available
        • Data and communications are private
        • Roles and accountability are clearly defined
        • There is a timely response to risks and threats
      • An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client
    • Operating Principles
      • Management commitment
        • Manage risk according to business objectives
        • Define organizational roles and responsibilities
      • Users and data
        • Manage to practice of least privilege
        • Strictly enforce privacy and privacy rules
      • Application and system development
        • Build security into development life cycle
        • Create layered defense and reduce attack surface
      • Operations and maintenance
        • Integrate security into operations framework
        • Align monitor, audit, and response functions to operational functions
    • Enterprise Risk Model
      • Axis: Impact to Business (Defined by Business Owner), Low to High
      • Axis: Probability of Exploit (Defined by Corporate Security), Low to High
      • Regions: Acceptable Risk, Unacceptable Risk
      • Risk assessment drives to acceptable risk
    • Risk Analysis by Asset Class
      • Assets
        • Host: Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks
        • Application: Unauthenticated access to applications, unchecked memory allocations
        • Account: Compromise of integrity or privacy of accounts
        • Trust: Unmanaged trusts enable movement among environments
        • Network: Data sniffing on the wire, network fingerprinting
    • Components of Risk Assessment
      • Asset: What are you trying to assess?
      • Threat: What are you afraid of happening?
      • Impact: What is the impact to the business?
      • Vulnerability: How could the threat occur?
      • Mitigation: What is currently reducing the risk?
      • Probability: How likely is the threat given the controls?
      • Together these yield the Current Level of Risk: What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset?
    • Risk Management Process and Roles
      • Roles: Cross-IT Teams, Corporate Security
      • Diagram elements, with steps numbered 1 to 5: Tactical Prioritization, Security Solutions & Initiatives, Sustained Operations, Prioritize Risks, Security Policy, Compliance
    • Tactical Prioritization by Environment
      • Prioritized Risks
      • Environments: Data Center, Client, Unmanaged Client, Remote Access, Mobile
      • Policies and mitigation tactics appropriate for each environment
    • Representative Risks and Tactics
      • Enterprise Risks
        • Unpatched Devices
        • Unmanaged Devices
        • Remote and Mobile Users
        • Single-Factor Authentication
        • Focus Controls Across Key Assets
      • Tactical Solutions
        • Secure Environmental Remediation
        • Network Segmentation Through IPSec
        • Secure Remote User
        • Two-Factor for Remote Access and Administrators
        • Managed Source Initiatives
      • Embody Trustworthy Computing
    • Corporate Security Group Organization
      • Corporate Security Group
        • Threat, Risk Analysis, and Policy
        • Assessment and Compliance
        • Monitoring, Intrusion Detection, and Incident Response
        • Shared Services Operations
      • Functions shown on the chart: Threat and Risk Analysis, Policy Development, Product Evaluation, Design Review, Structure Standards, Security Management, Security Assessment, Compliance and Remediation, Monitoring and Intrusion Detection, Rapid Response and Resolution, Forensics, Physical and Remote Access, Certificate Administration, Security Tools, Initiative Management, IT Investigations
    • Security Principles—Detailed View
      • Category and Security Principle
      • Operations and maintenance: people, processes, and technology to build, maintain, and operate secure systems
        • Plan for system maintenance
        • Enforce security configuration and hardening
        • Monitor and audit
        • Practice incident response
        • Verify disaster recovery
      • Application and system development: dedicated to the design and development of secure systems
        • Build security into the life cycle
        • Design defense in depth
        • Reduce attack surface
        • Keep it simple
      • Users and data: includes authentication, user privacy, and data authorization
        • Manage to practice of least privilege
        • Base decision on data classification and fair use
        • Enforce privacy and privacy rules
        • Ensure data integrity
        • Monitor identity assurance
        • Build in availability
      • Organizational: directed to management’s commitment to risk management and security awareness
        • Manage risk according to business objectives
        • Define organizational roles and responsibilities
        • Invest in secure design
        • Commit to secure operations
    • For More Information
      • Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com
        • Microsoft TechNet http://www.microsoft.com/technet/itshowcase
        • Microsoft Case Study Resources http://www.microsoft.com/resources/casestudies
      • E-mail IT Showcase [email_address]
    • This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.