II Security At Microsoft

50 %
50 %
Information about II Security At Microsoft
Technology

Published on October 20, 2008

Author: mjf7419

Source: slideshare.net

Description

IT Security at Microsoft

IT Security at Microsoft Overview Published: April 2004

Agenda Microsoft environment Security strategy Mission and vision Security principles Risk-based decision model Tactical prioritization Organization chart Representative risks and tactics Security principles—detailed view

Microsoft environment

Security strategy

Mission and vision

Security principles

Risk-based decision model

Tactical prioritization

Organization chart

Representative risks and tactics

Security principles—detailed view

Sydney Chofu & Otemachi Les Ulis Thames Valley Park Dublin Benelux Madrid Dubai Singapore Johannesburg Sao Paulo 90,000 mailboxes Microsoft IT Environment Canyon Park, Redmond Las Colinas Charlotte Chicago Milan Stockholm Munich 400+ supported Microsoft sites worldwide 6-7M e-mail messages per day 300,000+ network devices 6,000 data-center servers 110 Exchange servers/36 mailbox servers Silicon Valley 400 primary LOB applications 26 million voice calls per month 55,000 employees

90,000 mailboxes

400+ supported Microsoft sites worldwide

6-7M e-mail messages per day

300,000+ network devices

6,000 data-center servers

110 Exchange servers/36 mailbox servers

400 primary LOB applications

26 million voice calls per month

55,000 employees

Microsoft Security Environment Environment More than 300,000 network-joined devices 30,000 business partners with connectivity needs Frequent target of attack 100,000+ intrusion attempts/probes/scans per month 5M filtered emails/day (spam and anti-virus) Challenges Culture based on autonomy and agility Large population of mobile clients Unique business requirements to support software development Running the business on N+1 platform as "first and best" customer

Environment

More than 300,000 network-joined devices

30,000 business partners with connectivity needs

Frequent target of attack

100,000+ intrusion attempts/probes/scans per month

5M filtered emails/day (spam and anti-virus)

Challenges

Culture based on autonomy and agility

Large population of mobile clients

Unique business requirements to support software development

Running the business on N+1 platform as "first and best" customer

Security Strategy Corporate Security Mission and Vision Security Operating Principles Risk-Based Decision Model Tactical Prioritization

Mission Assess Risk Define Policy Monitor Audit Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Prevent malicious or unauthorized use that results in the loss of Microsoft intellectual property or productivity by systematically assessing, communicating, and mitigating risks to digital assets

Vision Five Trustworthy Assurances My identity is not compromised Resources are secure and available Data and communications are private Roles and accountability are clearly defined There is a timely response to risks and threats An IT environment comprised of services, applications, and infrastructure that implicitly provides availability, privacy, and security to any client Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

Five Trustworthy Assurances

My identity is not compromised

Resources are secure and available

Data and communications are private

Roles and accountability are clearly defined

There is a timely response to risks and threats

Operating Principles Management commitment Manage risk according to business objectives Define organizational roles and responsibilities Users and data Manage to practice of least privilege Strictly enforce privacy and privacy rules Application and system development Build security into development life cycle Create layered defense and reduce attack surface Operations and maintenance Integrate security into operations framework Align monitor, audit, and response functions to operational functions Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

Management commitment

Manage risk according to business objectives

Define organizational roles and responsibilities

Users and data

Manage to practice of least privilege

Strictly enforce privacy and privacy rules

Application and system development

Build security into development life cycle

Create layered defense and reduce attack surface

Operations and maintenance

Integrate security into operations framework

Align monitor, audit, and response functions to operational functions

Enterprise Risk Model High Low High Impact to Business (Defined by Business Owner) Low Acceptable Risk Unacceptable Risk Probability of Exploit (Defined by Corporate Security) Risk assessment drives to acceptable risk Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

Risk Analysis by Asset Class Exploit of misconfiguration, buffer overflows, open shares, NetBIOS attacks Host Unauthenticated access to applications, unchecked memory allocations Application Compromise of integrity or privacy of accounts Account Unmanaged trusts enable movement among environments Trust Data sniffing on the wire, network fingerprinting Network Assets Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

Components of Risk Assessment Asset Threat Impact Vulnerability Mitigation Probability + = What are you trying to assess? What are you afraid of happening? What is the impact to the business? How could the threat occur? What is currently reducing the risk? How likely is the threat given the controls? Current Level of Risk What is the probability that the threat will overcome controls to successfully exploit the vulnerability and affect the asset? Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization

Risk Management Process and Roles Cross-IT Teams Corporate Security Tactical Prioritization Security Solutions & Initiatives Sustained Operations Prioritize Risks Security Policy Compliance 1 Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization 2 5 3 4

Tactical Prioritization by Environment Mission and Vision Operating Principles Risk Based Decision Model Tactical Prioritization Prioritized Risks Data Center Client Unmanaged Client Remote Access Mobile Policies and mitigation tactics appropriate for each environment

Representative Risks and Tactics Enterprise Risks Unpatched Devices Unmanaged Devices Remote and Mobile Users Single-Factor Authentication Focus Controls Across Key Assets Tactical Solutions Secure Environmental Remediation Network Segmentation Through IPSec Secure Remote User Two-Factor for Remote Access and Administrators Managed Source Initiatives Embody Trustworthy Computing

Corporate Security Group Organization Corporate Security Group Threat, Risk Analysis, and Policy Assessment and Compliance Monitoring, Intrusion Detection, and Incident Response Shared Services Operations Threat and Risk Analysis Policy Development Product Evaluation Design Review Structure Standards Security Management Security Assessment Compliance and Remediation Monitoring and Intrusion Detection Rapid Response and Resolution Forensics Physical and Remote Access Certificate Administration Security Tools Initiative Management IT Investigations

Security Principles—Detailed View Plan for system maintenance Enforce security configuration and hardening Monitor and audit Practice incident response Verify disaster recovery Build security into the life cycle Design defense in depth Reduce attack surface Keep it simple Manage to practice of least privilege Base decision on data classification and fair use Enforce privacy and privacy rules Ensure data integrity Monitor identity assurance Build in availability Manage risk according to business objectives Define organizational roles and responsibilities Invest in secure design Commit to secure operations Operations and maintenance: people, processes, and technology to build, maintain, and operate secure systems Application and system development: dedicated to the design and development of secure systems Users and data: includes authentication, user privacy, and data authorization Organizational: directed to management’s commitment to risk management and security awareness Category Security Principle

Plan for system maintenance

Enforce security configuration and hardening

Monitor and audit

Practice incident response

Verify disaster recovery

Build security into the life cycle

Design defense in depth

Reduce attack surface

Keep it simple

Manage to practice of least privilege

Base decision on data classification and fair use

Enforce privacy and privacy rules

Ensure data integrity

Monitor identity assurance

Build in availability

Manage risk according to business objectives

Define organizational roles and responsibilities

Invest in secure design

Commit to secure operations

For More Information Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com Microsoft TechNet http://www.microsoft.com/technet/itshowcase Microsoft Case Study Resources http://www.microsoft.com/resources/casestudies E-mail IT Showcase [email_address]

Additional content on Microsoft IT deployments and best practices can be found on http://www.microsoft.com

Microsoft TechNet http://www.microsoft.com/technet/itshowcase

Microsoft Case Study Resources http://www.microsoft.com/resources/casestudies

E-mail IT Showcase [email_address]

This document is provided for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. © 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Microsoft Press, Visual Studio, Visual SourceSafe, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Add a comment

Related presentations

Related pages

Security | Microsoft

Enterprise security from Microsoft helps you protect and defend against cybersecurity threats in your apps, devices, and data.
Read more

Microsoft Security Essentials 2 » WinTotal.de

Microsoft Security Essentials 2 ist Freeware und läuft unter Windows XP mit SP2/SP3 (nur 32 Bit) sowie unter Windows Vista SP1/SP2 (32/64 Bit) ...
Read more

Microsoft Security Essentials - Download - CHIP

Microsoft Security Essentials 4.9 Deutsch: Mit den "Security Essentials" bietet Microsoft einen Gratis-Virenschutz für Windows zum Download an.
Read more

Security : The Official Microsoft IIS Site

Security Overview; Compatibility; Setup; How To; Configuration; Sample Code; Overview. The section group resides in the Read more

Security, Audits, and Certifications - microsoft.com

Security, Audits, and Certifications ... § SSAE16 SOC1 Type II § SOC2 Type II § FISMA. Microsoft ... computer security auditors at Microsoft selection ...
Read more

Gratistipp: Microsoft Security Essentials - Test ...

Eine Security-Suite bietet mehr Features als jeder Gratis-Scanner. Doch in den wichtigsten Disziplinen - Erkennung und Performance - kommen die Microsoft ...
Read more

Microsoft Support

Microsoft Edge. HoloLens. ... Support Support. ... Product support lifecycle; Security Security. Safety & Security Center; Download Security Essentials;
Read more

Security Essentials Download - support.microsoft.com

Microsoft Security Essentials helps guard your PC against viruses, spyware, and other malicious software
Read more

Security Compliance Manager (SCM) - technet.microsoft.com

Microsoft Security Compliance Manager 3.0. SCM 3.0 provides ready-to-deploy policies and DCM configuration packs that are tested and fully supported.
Read more