Business Ready Security Microsoft Corporation July 2010

Whitepaper - Business Ready Security - Core IO - FY11download.microsoft.com/download/5/3/F/53F0EE44-E5… · Web viewMicrosoft wants to help organizations achieve their business goals


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This whitepaper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2010 Microsoft Corporation. All rights reserved.

Microsoft and the Microsoft logo are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Microsoft Corporation One Microsoft Way Redmond, WA 98052-6399 USA

This document contains information of a proprietary nature. All information contained herein shall be kept in confidence and shall be for the original recipient’s use only. Any unauthorized reproduction by any other party shall constitute an infringement of copyright.


CONTENTS

Overview
Core IO
Business Challenges
The Microsoft Response: Business Ready Security
Protect Everywhere, Access Anywhere
Integrate and Extend Security across the Enterprise
Simplify the Security Experience, Manage Compliance
Business Ready Security Solutions
Simplify Your Security Purchase
Business Ready Security Customer Case Study
Microsoft Security Solutions: Gaining Momentum
Additional Resources
Microsoft Services: Security and Identity Offerings
Conclusion


OVERVIEW

Any organization, whether a for-profit business, a government agency, or an educational institution, needs to provide the key services that will enable its customers, constituents, employees, and partners to increase productivity and achieve its business objectives. Providing these services can be challenging, particularly with an ever-growing threat landscape. For example, as reported in the Microsoft® Security Intelligence Report, more than 126 million malicious samples were detected in 2009.[1] Organizations cannot afford to overlook the security of their data and infrastructure.

In addition to simple volume increases, today’s threats also show greater sophistication and are often profit motivated. Increased collaboration among workers both inside and outside of the organization multiplies the risks of sensitive data being lost or stolen. The risks of not doing anything are material. One security breach of end-customer data, one piece of sensitive organizational information that lands in the wrong hands, or one infection that shuts down production can cost an organization millions of dollars in revenue, recovery costs, and lost reputation. For instance, in a recent study sponsored by Microsoft,[2] Forrester identified the average cost per type of security breach as follows:

| Type of Incident | Cost per Incident |
| --- | --- |
| A rogue employee stole sensitive company documents | $362,572 |
| An outside business partner lost a laptop containing sensitive information | $340,571 |
| An outside attacker compromised a server and stole data | $295,994 |
| An information technology (IT) administrator abused privileges and stole data | $452,238 |

To combat this growing security threat, Microsoft introduced the Trustworthy Computing Initiative in 2001 in order to change the way both Microsoft software and the industry think about and address security issues. The Trustworthy Computing Initiative led to a framework that encompasses security, reliability, privacy, and business practices. Additionally, security has become an integral part of the Microsoft development lifecycle, incorporating security by design in each Microsoft product.

[1] Microsoft Security Intelligence Report Volume 8. “Key Findings Summary.” Microsoft Security, December 2009. http://www.microsoft.com/security/about/sir.aspx

[2] Forrester. “The Value Of Corporate Secrets: How Compliance And Collaboration Affect Enterprise Perceptions Of Risk.” March 2010.


Microsoft offers security features and capabilities through its award-winning Microsoft Forefront® suite of protection, access, and management products. However, security is also natively built into all Microsoft products—like the Windows Server® 2008 R2 operating system, the Windows® 7 operating system, Microsoft Exchange Server, Microsoft SharePoint® Server, and the Microsoft System Center suite of management products.

In addition to building security into products, Microsoft provides prescriptive guidance through security tools and papers, security readiness assessments, and education and training. Microsoft also works with non-governmental organizations, other technology companies, and governments around the world to help develop security programs, policies, and standards that will ultimately benefit its customers.

Microsoft believes that security should be a means to a business end. It is working to deliver “Business Ready Security” that helps organizations achieve their business goals while managing risk and helping ensure that the right people always have access to the right information to get their jobs done. In fact, security is a key component of the Microsoft Core Infrastructure Optimization (IO) model—a proven framework for evolving an organization’s IT infrastructure toward better security, reduced IT costs, and greater business results.

CORE IO

With the Core IO model as a foundation, Microsoft can help organizations maximize their security and increase the value of IT with an integrated set of solutions designed to move IT services from being viewed as a cost center to a strategic asset for the organization.

Each optimization model includes specific technical capabilities that provide a comprehensive set of solutions to help advance a customer’s optimization levels. In July 2010, the Core IO model was updated based on the latest research and Microsoft experience with enterprise organizations. The new model is comprised of the following four capabilities:

• Datacenter Services: This capability focuses on those services provided to the organization from datacenters and includes Datacenter Management and Virtualization, Networking, Storage, and Server Security.

• Client Services: This capability focuses on desktops, laptops, and devices for end users within organizations. It includes Client Management and Virtualization and Client Security.

• Identity and Security Services: These services focus on protecting data and managing the identities of employees, customers, and partners. It includes Identity and Access and Information Protection and Control.

• IT Process and Compliance: This capability focuses on IT best practices, especially the IT Infrastructure Library (ITIL) and the Microsoft Operations Framework (MOF).

Optimization identifies a maturity level for each of the four IT capabilities based on an organization’s current technologies and processes. It can also help identify and prioritize improvement efforts. The Core IO levels of maturity can assist in advancing an organization toward a state of dynamic IT, no matter on which IT capabilities an organization chooses to focus.

“Workloads” are the projects that help an organization mature from one level in the Core IO model to the next. Each workload maps to one of the four Core IO model capabilities. The four security workloads are Server Security, Client Security, Identity and Access, and Information Protection. These will be addressed more fully later in this white paper.

BUSINESS CHALLENGES

As organizations work to address the strategic and tactical issues that drive Core IO maturity (from basic to dynamic), they face a mix of security challenges, ranging from a changing threat landscape to inadequacies of existing security solutions. The current business climate has compelled many organizations to explore new ways to drive growth and collaboration. As a result, these organizations seek to increase secure access to confidential resources and information across a diverse set of constituents, including remote employees, partners, and customers. In fact, IDC has predicted that within four years, 70 percent of the entire workforce will connect to corporate networks via mobile devices.[3] In this new world of blurring organizational boundaries, organizations will need protection and access that can be delivered within the context of user identities.

Compounding these problems is a new wave of technologies and devices from which organizations can choose to meet their business goals. For instance, virtualization and cloud computing offer viable alternatives and complements to existing on-premises solutions. And the range of potential mobile devices that enterprise workers can use to connect has never been more diverse.

[3] IDC. “IDC Top 10 Predictions–WW Security 2009 Top 10 Predictions: Security Trends.” December 2008


Such trends force organizations to balance the need for increased collaboration and access to corporate information and resources with the need for strong IT security.

This tension is further strained by the current threat landscape. Threats now use more complex schemes, including multiple attack vectors and application-specific targeting, to achieve their objectives. Furthermore, malware has evolved from a cottage industry to a full-fledged fraud economy supported by a growing ecosystem, with producers, distributors, and users who collaborate in and across their local geographies and have adopted business and software development lifecycle practices similar to those of legitimate software organizations.

Beyond external attacks, organizations also have to protect information and applications from internal attacks. Organizations require protection and access within the context of user identities to ensure that only the right people have access to the right information.

Adding complexity to these issues, many current security solutions do not lend themselves to supporting business objectives. The proliferation of “best of breed” vendors providing niche point products limits security coverage to a subset of the software stack and can reduce IT’s ability to enable collaboration and access to information. Implementation of many point products results in no central policy across products, making security difficult to coordinate and manage. Lack of visibility results in organizations not knowing if they are in compliance with regulations (like the Sarbanes-Oxley Act [SOX] and the Health Insurance Portability and Accountability Act [HIPAA]) and often requires IT to manually coordinate information, especially where integration doesn’t exist or can’t be achieved. These and other factors often force organizations to try to integrate solutions on their own, which drives up maintenance costs.

THE MICROSOFT RESPONSE: BUSINESS READY SECURITY

In response to these business challenges, Microsoft is taking a fundamentally different approach to security called Business Ready Security. It is an approach based on the premise that security is a means to a business end. Microsoft wants security to help organizations achieve their business goals while managing risk and helping to ensure that the right people always have access to the information they need to get their jobs done. Business Ready Security encompasses a broad view of security including protection, access, and management, all built around user identity and integrated with a highly secure, interoperable platform. This concept of integrated, identity-aware security is unique and central to the efforts of Microsoft. It helps deliver a more contextual and user-centric security solution aligned to the needs of today’s businesses.

Microsoft is working to achieve the goal of Business Ready Security based on three fundamental tenets:

1. Protect Everywhere, Access Anywhere: This includes providing protection across multiple layers and enabling secure remote access to an increasingly distributed workforce and business ecosystem. Protection and access need to be delivered within the context of a user’s identity and scale seamlessly across an ever-changing technology landscape, such as the increasing adoption of virtualization and cloud-based environments.

2. Integrate and Extend Security across the Enterprise: Security needs to be built in (not just bolted on) to the infrastructure and work across multiple platforms and environments.

3. Simplify the Security Experience, Manage Compliance: This simplification needs to extend to all individuals that interact with an organization, and it should help manage costs, complexity, and compliance.

These three fundamental tenets should apply across on-premises and cloud-based infrastructures.

A Business Ready Security approach fundamentally changes the security conversation. Microsoft wants security to enable, not block, business and collaboration. Similarly, Microsoft believes that security needs to evolve from an IT cost center to a strategic value center in an enterprise. The current fragmented approach to enterprise security needs to evolve to a more seamless experience.


In the next few pages, we will take a deeper look into how Microsoft is working to deliver security within the context of the three Business Ready Security tenets.

PROTECT EVERYWHERE, ACCESS ANYWHERE

Microsoft delivers a comprehensive, user-centric approach to protection and access that helps organizations protect virtually everywhere by providing defense in depth across multiple layers. Microsoft also helps businesses provide highly secure identity-based access virtually anywhere for the mobile workforce. Business Ready Security brings together a portfolio of user-centric protection and access products and technologies to help solve organizations’ information-sharing security problems while working to protect infrastructure.

Protection across Multiple Layers to Help Protect Everywhere

Microsoft delivers leading malware protection solutions across the following layers:

• Endpoints with Forefront Endpoint Protection 2010.

• Messaging and Collaboration Application Servers with Forefront Protection 2010 for Exchange Server, Forefront Protection 2010 for SharePoint, and Forefront Security for Office Communications Server.

• The Network with Forefront Threat Management Gateway.

Microsoft also provides protection for information, regardless of whether that information is being used inside or outside of the organization, through Windows Server Active Directory® Rights Management Services.

Help Businesses Enable Highly Secure Access Virtually Anywhere

Through the Microsoft access platform and complementary solutions, businesses can readily enable secure access to corporate resources and information for employees and partners. For example, DirectAccess, a new feature available through Windows Server 2008 R2 and Windows 7, securely connects mobile devices to corporate resources without the need for a virtual private network (VPN). And Forefront Unified Access Gateway (UAG) not only enhances the flexibility of end-user access to resources through a secure-socket-layer (SSL) VPN, but also enables IT administrators to easily configure and manage Windows DirectAccess so that customers get a complete, end-to-end, secure access solution based on Internet Protocol version 6 (IPv6).

Identity-aware Protection

As Microsoft solutions for protection and access evolve, user identity will take a prominent role at the heart of its offerings. Identity awareness will help businesses implement more contextual protection of, and access to, information and infrastructure. This will help improve productivity and compliance with corporate policies. Today, Microsoft combines the power of Active Directory with value-added solutions to enable identity-based access and protection for customers. Organizations can easily use Active Directory with other identity-based access technologies and solutions (like Rights Management Services, the Network Access Protection platform, DirectAccess, and Forefront Threat Management Gateway [TMG]) to set policy to control various levels of access to internal applications, devices, or information based on the user’s identity and appropriate device health.

Microsoft is also enabling protection and access to be scaled broadly across an organization’s physical and virtual infrastructure how, where, and when it’s needed. For example, select Forefront solutions can be used across physical devices and virtual machines, building on the capabilities of Windows Server with Hyper-V™ virtualization technology and Active Directory. Microsoft is working to deliver on-premises and cloud-based identity and security solutions across workloads to provide greater choice and more flexibility to today’s businesses.

Example: Protect Messages from Malware

Forefront Protection 2010 for Exchange Server is the only leading e-mail protection product that offers multiple scanning engines in a single solution. Multiple scanning engines are a critical component in protecting against viruses and other malware. Most scanning-engine vendors can’t release antivirus signatures quickly enough to detect new threats—in some cases it can take days or even weeks.  

In a study conducted by AV-Test, the engine set for Forefront Protection 2010 for Exchange Server detected new threats up to 38 times faster than single-engine solutions tested.[4] This is because the product obtains virus signatures from five different companies with different response teams, dramatically decreasing the time it takes to get signatures.

[4] www.AV-Test.org


IT administrators can run up to five scanning engines simultaneously and in different combinations at edge, hub, and mailbox servers. By running multiple scanning engines simultaneously, Forefront Protection 2010 for Exchange Server can more effectively protect against a single point of failure. It also manages these engines so that if one engine fails or goes offline to update, other engines continue to protect the IT environment without slowing mail delivery. 

INTEGRATE AND EXTEND SECURITY ACROSS THE ENTERPRISE

As stated in the second tenet, the Microsoft Business Ready Security solutions integrate across the software stack and are extensible across the enterprise.

Integrate across the Software Stack

Microsoft security technologies are designed to integrate across the software stack, including the platform, key applications and workloads, and management. Integration across the software stack helps organizations enhance value from investments they’ve already made by broadening how those investments can be used to meet business objectives.

For example, Forefront Identity Manager 2010 enables management across the entire lifecycle of user identities and respective credentials. It builds on Active Directory, the core Windows identity platform, and works with applications such as Microsoft Office Outlook, to enable end users to easily perform self-service tasks such as group and distribution-list management, saving IT time and resources.


Integration is core to the Microsoft approach, and Microsoft will continue to develop deep integration across new technologies and environments, including virtualization and cloud computing.

Extensible across the Enterprise

Microsoft also provides ways to extend the reach of security across the enterprise through the following:

• Microsoft is driving broad partner engagements with the industry to build an ecosystem of vendors that can work together to optimize protection for businesses and organizations. For example, Microsoft has formed an information protection partnership with EMC through which Microsoft will build RSA Data Loss Prevention (DLP) classification technology into the Microsoft platform and future information protection products.

• The Microsoft identity and security platform also enables Business Ready Security to be extended beyond the on-premises infrastructure to cloud-based solutions. For example, the Microsoft open-claims-based identity-federation platform provides an open platform for simplified user access and single sign-on to resources on premises and in the cloud.

• Microsoft also enables support for heterogeneous environments in which many organizations operate. For example, UAG integrates with a range of third-party client-side products, including antivirus, firewall, and other technologies, to support end-point security and policy enforcement capabilities.

• The Microsoft identity and security platform is also based on open standards and protocols to empower developers to build on and add further value for their organizations. The Microsoft claims-based identity federation, for example, allows developers to use pre-built identity logic that supports industry standards like Web Service protocols (WS-*) and the Security Assertion Markup Language (SAML), enabling seamless interoperability between systems.

Backed by Global Resources

Organizations need their security solutions to be backed by global resources that can address their needs on a constant basis. Microsoft delivers world-class malware protection technologies, research and response, support, and insights to customers through an integrated approach. For instance, malware protection technologies developed by the Microsoft Identity and Security division are used across Forefront solutions and the Windows platform to deliver defense in depth from the platform through solutions. These protection technologies are backed by the Microsoft Malware Protection Center, a global malware research and response organization that supplies core technology and signature updates for Microsoft security technologies.

Example: Extend Access across Organizations, Partners, and Customers

As previously mentioned, many organizations increasingly find the need to collaborate across organizational boundaries. Such collaboration requires establishing trust relationships between IT environments. In essence, if two organizations want to share sensitive information, then identities on one organization’s network need to be represented on the other’s network. In such a scenario, end users need consistent, persistent identity and credentials that can flow between organizations and eliminate the need for multiple user accounts, passwords, group memberships, and other IT overhead.

With Windows Server 2008 R2 Active Directory Federation Services 2.0, a single identity can be federated from one organization to the other, leveraging claims which describe identity attributes and can be used to drive application and other system behaviors. The end result is that a single user needs only a single account (in the parent organization) and password (or smartcard), and all other access and usage policies, like network log in and application rights, are assigned by IT. When the external organization configures the federation (or trust) with an organization, the partner can assign whatever access privileges are needed without having to create a whole new identity, password, and policy. The partner simply accepts the claim of the individual’s identity and allows access. And, of course, this works for both on-premises and cloud-based services, networks, and applications.

SIMPLIFY THE SECURITY EXPERIENCE, MANAGE COMPLIANCE

Business Ready Security helps to simplify the security experience across different stakeholders, including IT professionals, business decision makers, developers, and end users.

IT Professionals

The Microsoft identity and security solutions are designed to help customers simplify deployment and management. For example, Forefront Online Protection for Exchange simplifies an IT environment by minimizing the need to deploy, configure, monitor, and update in-house e-mail security servers and applications. Forefront UAG provides IT professionals with flexible options for deployment, whether for software application, hardware appliance, or virtual machines. Forefront Protection Manager enables easy configuration of protection and multi-server management for Forefront Protection 2010 for Exchange Server, as well as Forefront Protection 2010 for SharePoint. It also enables real-time, in-depth reporting of threats, vulnerabilities, and configuration risks through a single dashboard.

Business Managers

Organizations can help reduce their upfront and ongoing identity and security costs while maintaining compliance with corporate policies and control over their environment. For instance, Forefront Identity Manager improves security and compliance by enforcing and tracking identities across the enterprise. Forefront Identity Manager also provides policy management features and reports that enable system auditing and compliance.

Developers

Microsoft supports open standards and protocols to enable developers to easily build on top of the Microsoft identity and security platform to address customer needs. Additionally, Microsoft provides prescriptive guidance to developers with processes such as the Microsoft industry-leading Security Development Lifecycle (SDL). Microsoft claims-based identity federation support for WS-* and SAML was mentioned previously. In addition, developers can integrate with Active Directory. The Active Directory Rights Management Services Software Development Kit (SDK) can be used by independent software vendors (ISVs) to rights-enable their applications. This means organizations can make the applications they’ve already invested in compatible with Active Directory Rights Management Services.

End-users

Microsoft helps to enhance end-user productivity by enabling protection virtually everywhere and facilitating access to information from virtually anywhere. For instance, Forefront UAG enables secure anywhere access to information and applications. In addition, Business Ready Security helps to empower users through self-service capabilities while managing systems, protecting data, and controlling access so that interruptions can be avoided. Organizations can achieve this using Forefront Identity Manager, which provides end users with self-help tools to manage routine tasks, such as changing passwords or resetting smartcard PINs.

Example: User Provisioning

With automated user provisioning through Forefront Identity Manager, IT administrators can automatically give and update rights to resources and business applications through the user’s profile. Organizations using Forefront Identity Manager can define policies that automatically create user accounts, mailboxes, and group memberships in real time so that new employees are productive as soon as they start. When a user changes roles within an organization, Forefront Identity Manager automatically makes the necessary changes in heterogeneous target systems to add and remove access rights.

For example, if a user moves from a role in sales to a role in marketing, Forefront Identity Manager can remove that user from sales-specific groups and add the user to marketing-specific groups to deliver appropriate access permissions to perform the new job function.

BUSINESS READY SECURITY SOLUTIONS

As part of the Business Ready Security strategy, Microsoft Forefront security products are made available through a comprehensive set of six solutions: Secure Datacenter, Secure Messaging, Secure Collaboration, Secure Desktop, Information Protection, and Identity and Access Management. These solutions align strongly with customer needs to secure key workloads and infrastructure deployments while enhancing the value of current and planned IT investments and helping to maximize return on investment.

To help customers plan and implement these security solutions, Microsoft has mapped them to the infrastructure optimization models that have been developed to guide organizations in ensuring that as they evolve their IT infrastructure, they do so in a way that increases IT value from being perceived as a reactive cost center (the Basic maturity level) to a strategic asset (the Dynamic maturity level) that helps drive the organization to success.

Business Ready Security Solutions Map to the Core IO Model

The Core IO model includes four levels of optimization maturity, Basic, Standardized, Rationalized, and Dynamic, and defines four capabilities extending across those maturity levels: Datacenter Services, Client Services, Identity and Security Services, and IT Processes.

Each capability is comprised of a number of workloads (or projects) that help an organization mature from one level in the Core IO model to the next. There are four Business Ready Security workloads that map to Core IO capabilities. Within each workload the Business Ready Security solution is represented in the table below:

| Core IO Capability | Business Ready Security Workload | Business Ready Security Solution | Business Ready Security Solution Description |
| --- | --- | --- | --- |
| Datacenter Services | Server Security | Secure Datacenter | Protects servers, applications, and the network from malware and other malicious threats, is integrated with perimeter protection and secure remote access, and enables data classification and recovery. |
| Client Services | Client Security | Secure Desktop | Protects client and server operating systems from emerging threats and information loss, while enabling more secure access from virtually anywhere. |
| Identity and Security Services | Identity and Access | Identity and Access Management | Enables more secure, identity-based access to applications, data, and services on-premises and in the cloud from virtually any location or device. |
| Identity and Security Services | Information Protection and Control | Information Protection | Discovers, protects, and manages confidential data throughout a business with a comprehensive solution integrated with the computing platform and applications. |

Business Ready Security Solutions Map to the Business Productivity IO Model

In addition to the Core IO Model, Microsoft has also created a Business Productivity IO model to help streamline the management and control of content, data, and processes across all areas of an organization. As with the Core IO model, security is built into the Business Productivity IO model, emphasizing how Microsoft sees security as integral to all aspects of infrastructure optimization.

The Business Productivity IO model helps simplify how people communicate and share expertise, helps make processes and content management more efficient, and helps improve the quality of business insight while enabling IT departments to increase responsiveness, have a strategic impact on the business, and amplify the impact of organizational workers. Like the Core IO model, the Business Productivity IO model includes specific technical capabilities (with respective workloads) that provide a comprehensive set of solutions to help advance a customer’s infrastructure optimization levels. The five Business Productivity IO model capabilities are Unified Communications, Collaboration, Enterprise Content Management, Enterprise Search, and Business Intelligence.

Two of the six Business Ready Security solutions—Secure Collaboration and Secure Messaging—map to the Business Productivity IO model as follows:

| Business Productivity IO Capability | Business Ready Security Workload(s) | Business Ready Security Solution | Business Ready Security Solution Description |
| --- | --- | --- | --- |
| Unified Communication | Messaging and Instant Messaging and Presence | Secure Messaging | Enables more secure business communication from virtually anywhere and on virtually any device, while preventing unauthorized use of confidential information. |
| Collaboration | Portals | Secure Collaboration | Enables more secure business collaboration from virtually anywhere and across devices, while preventing unauthorized use of confidential information. |

SIMPLIFY YOUR SECURITY PURCHASE

No matter what type of solution an organization is looking to deploy, simplicity will reduce acquisition costs, deployment costs, and ongoing management costs, while delivering a better support experience. With competing vendors, no single company can offer the full breadth of solution components necessary to deliver a unified user and IT experience. Pulling together individual products and technologies from various vendors and bolting them together significantly adds to the total cost.

In contrast, Microsoft Enterprise Client Access License (CAL) agreements offer the following benefits:

1. One simple CAL for all core, business productivity, and security infrastructure needs.


2. A 50 percent discount over individual Microsoft CALs, substantially discounted over a multi-vendor approach.

3. Reduced total cost of ownership with training, deployment, operations, and support in one comprehensive agreement.

The Microsoft Enterprise CAL Suite brings together 11 of the latest Microsoft products that provide the newest innovations in compliance, real-time collaboration, security, communication, desktop management, and more.

The Microsoft Forefront Protection Suite offers a powerful combination of on-premises and hosted security solutions that provide comprehensive, simplified protection of an enterprise’s IT infrastructure. The suite includes Forefront Endpoint Protection 2010, Forefront Protection 2010 for SharePoint, Forefront Protection 2010 for Exchange Server, Forefront Protection for Office Communications Server, and Forefront Online Protection for Exchange.

BUSINESS READY SECURITY CUSTOMER CASE STUDY

Exostar was established in 2000 by five of the world’s largest aerospace and defense companies (BAE Systems, Boeing, Lockheed Martin, Raytheon, and Rolls Royce) as a central hub for collaboration and sharing information. Exostar provides on-demand identity management, collaboration, and supply chain software solutions to the aerospace and defense industries.

Problem

Exostar was looking to upgrade its secure collaboration tool called ForumPass to meet changing business demands. The new solution needed to provide customers with:

• Greater collaboration and easier access to information

• Better capabilities to meet the changing regulatory requirements in the defense and aerospace industry, particularly those requirements defined by the US Department of Defense

• Protection of confidential information, both in terms of protection from threats and protection from out-of-policy content

• Lower costs and the ability to provide more flexible implementations

Solution

Exostar overhauled ForumPass using Active Directory Federation Services (ADFS), Microsoft Office SharePoint Server 2007, and Microsoft Forefront Security for SharePoint. The net result was an integrated solution that better enables business collaboration by providing multiple levels of secure access to information based on three authentication protocols:

• Core: Users require only a user name and password to authenticate and check files in and out of the site.

• Sensitive: Users need a username, password, and a basic assurance certificate to authenticate and check out files. Files are encrypted while at rest.

• Restricted: Users require a user name, password, high-assurance public-key certificate, and higher-level network security to check out files. Files are encrypted while at rest.

Information is protected from malware and out-of-policy content, and sites are easily customizable, allowing the system to meet a broad range of customer needs. While ADFS enables Exostar to deliver ForumPass as a cloud service, Exostar was also able to extend the core capabilities of Microsoft products through an identity-provider cloud service that it developed.

Benefit

With the new ForumPass, Exostar customers have increased their information sharing, improved regulatory compliance, and accelerated project completion. Using Microsoft technologies, Exostar released its solution to market in just nine months and reduced development costs by 50 percent. Key to this solution is how Exostar has used Microsoft identity and security technologies to enable its business and its customers’ businesses by balancing the need for security with the need for information access in a way that manages risk and meets the regulatory requirements of the aerospace and defense industries.

MICROSOFT SECURITY SOLUTIONS: GAINING MOMENTUM

In the past few years, Microsoft Business Ready Security solutions have received a substantial number of accolades and awards from the industry. The following are a few examples:

Product Excellence:

• Forefront Client Security recently received its 11th consecutive VB100 award in the December 2009 Edition of Virus Bulletin.[5]

• Forefront Threat Management Gateway has been awarded the 2010 Product Innovation Award for Anti-malware Solution from Network Products Guide, an industry-leading technology research and advisory guide.[6]

Industry Endorsement:

• Neil MacDonald of Gartner, Inc. said, “Information security needs to move to integrated, identity-aware, adaptive security systems that support business initiatives instead of blocking them.”[7]

Customer Testimonials:

• NuStar Energy is saving 450 hours annually of lost productivity time due to blocked malware.[8]

• Tata Teleservices Limited is realizing the Microsoft Business Ready Security vision as their security solutions have changed the remote access of their employees into a key business enabler instead of an inhibitor.[9]

[5] Virus Bulletin, VB100 results summary, 2010. http://www.virusbtn.com/vb100/archive/results?display=summary

ADDITIONAL RESOURCES

Forefront Deployment Resources

http://www.microsoft.com/forefront/en/us/deployment.aspx

Microsoft Assessment and Planning (MAP) Toolkit

http://technet.microsoft.com/en-us/solutionaccelerators/dd537572.aspx

Microsoft Forefront Case Studies

http://www.microsoft.com/forefront/en/us/case-studies.aspx

Antivirus Defense-in-depth Guide Solution Accelerators

http://www.microsoft.com/downloads/details.aspx?FamilyID=f24a8ce3-63a4-45a1-97b6-3fef52f63abb&displaylang=en

http://technet.microsoft.com/en-us/library/cc162791.aspx

[6] Network Products Guide, Anti-Malware Solution, December 2009. http://www.networkproductsguide.com/innovations/2010/Microsoft-Corp.html

[7] From Microsoft press release, April 2009. http://www.microsoft.com/presspass/features/2009/apr09/04-16businessreadysecurity.mspx

[8] Microsoft Case Study on NuStar Energy, June 2009. http://www.microsoft.com/casestudies/Case_Study_Detail.aspx?casestudyid=4000004540

[9] Microsoft Case Study on Tata Teleservices, Jan 2010. http://www.microsoft.com/casestudies/ServeFileResource.aspx?4000012716


MICROSOFT SERVICES: SECURITY AND IDENTITY OFFERINGS

Microsoft Services has taken the same business ready security approach to security through the Security, Identity, and Access Management (SIAM) offering portfolio. SIAM is a field-proven offering from Microsoft Services that provides an end-to-end solution which enables you to move toward a dynamic IT infrastructure by ensuring better security integration, manageability, and efficiency.

The SIAM offering portfolio was developed in conjunction with highly experienced Microsoft Services consultants, and then tested and refined through multiple, successful service engagements with large organizations.

Microsoft Services consultants offer the highest level of expertise in planning and deploying security solutions. With a deep understanding of Microsoft products, Microsoft Services consultants are uniquely qualified to provide this planning and deployment guidance, using the Microsoft Solutions Framework to ensure efficient delivery and best-practices deployment.

In addition, Microsoft Premier Support is an end-to-end support solution that helps customers maximize the value of their on-premises and cloud investments by reducing risks, improving system reliability, and increasing staff productivity.

CONCLUSION

In response to the ever-increasing security threat landscape, Microsoft provides the Business Ready Security strategy, an approach targeted at helping organizations plan and implement security solutions in harmony with business ends. Microsoft wants to help organizations achieve their business goals while managing risk and helping to ensure that the right people always have access to the information they need to get their jobs done.

Business Ready Security encompasses a broad view of security in which security needs include protection, access, and management, all built around user identity and integrated with a highly secure, interoperable platform. This concept of integrated, identity-aware security helps Microsoft deliver a more contextual and user-centric security solution aligned to the needs of today’s businesses. Only Microsoft provides a solution comprehensive enough to help customers protect everywhere with access from anywhere, integrate and extend security across the enterprise, and simplify the security experience while successfully managing compliance.
