Microsoft – "an insider's view"CISO Council 2008Asif JinnahMicrosoft IT – United Kingdom

Security Challenges in an ever changing landscape

Evolution of Security Controls: Microsoft’s Secure Anywhere Access Concepts & Solutions

Infrastructure Solutions to safeguard Microsoft's flexible workforce

Objectives and Agenda

The Microsoft Environment

129,000 e-mail accounts9.5 million remote connections/month

5+ million internal e-mails daily

3,000 internal applications

6 billion IMs per month

435 million unique users

29 billion e-mails sent per day

Leading Edge Technology on an Enterprise Scale

280 billion page views per day

• Others may manage your network and data centers

• Software plus Services [SaaS] augmenting traditional IT – data and applications hosted remotely

• Increasingly complex granular partner access controls

• Traditional Perimeter security is not sufficient alone

• Emergence of new technology enablers

• Always remote employees• Flexible definition of the

“office”• Corpnet access from customer

sites

• Data is walking out the front door• Laptops, USB drives, cellular

network cards, Smart Phones/PDAs

• Malware and spyware for everyone

Information Security Landscape

Mobile Workforce

Mobile Technology

Globalization &

Outsourcing

Reperimeterization of the network

...the visible and the invisible

Con

trol

Evolu

tion

Evolution Of Security Controls

TransportEnable deep inspected

transport as needed

NetworkProvide connectivity and WAN

optimization

ApplicationEnsure application integrity

HostProtect hosts from malware

and attacks

DataProtect data in storage,

transit, and use

Many are protecting their hosts and data here

We should be protecting our hosts here

And protecting our data here

Protecting Host And Data Now A Reality

ApplicationsandData

X

XXTrusted, compliant machine; with

malware

Trusted, compliant, healthy machine

Untrusted machine

Trusted, non-compliant machine

Compliant but Untrusted machine

SSL VPN

– Gra

nular A

cces

s

Access to data and applications is restored

once NAP remediates the client

Corporate Network

Business Partner

Behind customer firewall

Layer 7 VPN Gateway

Compliant Client

Compliant Client

IPsec/IPv6

IPsec/I

Pv6

Down-level Client

SSL-VPN

SSL-VPN

SSL-VPN

All Corpnet ResourcesDual Protocol (IPv6/IPv4)

Non-Compliant

Clients

Office PC

VPN w

ith

Mobile

Device

User with mobile device

Internet

Security for a flexible workforce

Degrees of Client Management

IPsec boundaryCreates Secure Net environment

Remote access clients/dial-up

Workgroups

Labs

All Devices

~330,000

Unique management challenges

Secure Net Devices

~270,000

Devices managed through SMS/SCCM~265,000

~16,000 servers

IPsec

9

The Security Life-CycleNetwork Security

• Monitor, Detect, Respond• Attack & Penetration• Technical Investigations• IDS and A/V

Assessment & Governance• InfoSec Risk Assessment• InfoSec Policy

Management• Security Architecture• InfoSec Governance

App Consulting & Engineering• End-to-End App

Assessment & Mitigation• Application Threat

Modelling• External & Internal

TrainingEngineering & Engagement• Engineering Lifecycle• Process & Methods• Secure Design Review• Awareness &

Communication

Identity & Access Management• IdM Security Architecture• IdM Gov & Compliance• IdM Eng Ops & Services• IdM Accounts & Lifecycle

Compliance• Regulatory Compliance• Vulnerability Scanning &

Remediation• Scorecarding

Respond Define

Assess

DesignOperate

Monitor

Secure & Easy Anywhere Access Vision

“Security is the fundamental challenge that will determine whether we can successfully create a new generation of connected experiences that enable people to have anywhere access to communications, content and information”

- Bill Gates

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

James Burns – No Slides

Paul MacKinnon - Slides to be emailed post event