Security: Securing Your IT Infrastructure. Kim Mikkelsen, Senior Technology Specialist, Enterprise & Partner Group, Microsoft Denmark.


2 Security: Securing Your IT Infrastructure
Kim Mikkelsen, Senior Technology Specialist, Enterprise & Partner Group, Microsoft Denmark

3 Agenda
- The challenge of security
- People, process and technology
- Organizational security risk
- Strategic Technology Protection Program (STPP)
- The Secure Infrastructure
- Trustworthy Computing
- Next steps

4 The Challenge of Security
Internet-enabled businesses face challenges ensuring their technologies for computing and information assets are secure, fast and easy to interact with.
The right access to the right content by the right people

5 Microsoft’s Commitment to Customers: To do everything possible to enable every customer to work, communicate, and transact securely over the Internet

6 People, Process, Technology
What are the industry challenges?
Technology:
- Products lack security features
- Products have bugs
- Many issues are not addressed by technical standards
- Too hard to stay up-to-date
Process:
- Design for security
- Roles and responsibilities
- Audit, track, follow-up
- Calamity plans
- Stay up-to-date with security development
People:
- Lack of knowledge
- Lack of commitment
- Human error

7 Organizational Security Risk: Estimating the cost of security
[Figure labels: Organizational Security Profile (Low to High), Less Secure, More Secure, Observed Security Profile, Cost of Failure, IT Security Budget, Cost of Maintaining Security, Time]
- Each layer of the organization:
  - Has its own security requirements
  - Sets its own security profile
- The perceived cost of failure is an estimate of losses from inability to operate
  - Security spending is driven by the perceived cost of failure
- Components of the organizational security profile:
  - People: security team, security awareness
  - Process: security policy, reducing the attack surface, incident response, change management, patch management
  - Technology: Defense In Depth, intrusion detection

8 Organizational Security Risk: The impact of failure with a reactive approach
Reactive approach:
- Increases overall security cost as a result of:
  - Lost productivity
  - Loss of investor confidence
  - User apathy
  - Loss of management support
[Figure labels: Organizational Security Profile (Low to High), Less Secure, More Secure, Observed Security Profile, Cost of Failure, Temporary change in security profile, IT Security Budget, Cost of Maintaining Security, Nimda Virus Response Cost, Time]

9 Organizational Security Risk: The impact of failure with a proactive approach
Proactive approach:
- Organizational security profile better suited for future incidents
  - Lower cost over time
  - Reduced attack surface
  - Detection and early identification
  - Reaction and effective incident response
[Figure labels: Organizational Security Profile (Low to High), Less Secure, More Secure, Observed Security Profile, Cost of Failure, Incident Response with Proactive approach, IT Security Budget, Cost of Maintaining Security, Future Virus Response Cost, Time]

10 Business Impact
According to the Computer Crime and Security Survey 2002, by the Computer Security Institute (CSI) and the FBI:
- 90% detected computer security breaches
- 80% acknowledged financial losses due to computer breaches
- 40% of respondents quantified financial losses at $456 million, or $2 million per respondent
- 40% detected system penetration from the outside; up from 25% in 2000
- 85% detected computer viruses
InformationWeek estimates:
- Security breaches cost businesses $1.4 trillion worldwide this year
- 2/3 of companies have experienced viruses, worms, or Trojan Horses
- 15% have experienced Denial of Service attacks
Security Breaches Have Real Costs
Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002
Source: InformationWeek.com, 10/15/01

11 Security Areas
- Physical Security
- Logical Security
- Telecommunication Security
- Operating System Security
- Application Security
- Organizational Security

12 Microsoft Operational Framework (MOF): Risk Modeling and Mitigation
Identify and manage risks throughout all phases of the project
[Figure: five-step risk management cycle with the steps Identify, Analyze, Plan, Track, Control; other labels: Understanding Risks, Risk Statement, Risk Assessment Document, Top Risks, Retire Risks, Corporate Learning About Risks]

13 Defense In Depth
- Industry-wide security design methodology of layering defenses:
  - Perimeter defenses
  - Network defenses
  - Host defenses
  - Application defenses
  - Data and resources
- Provides a method and framework for designing security into infrastructure
- Prescriptive guidance and detail included in Microsoft Internet Data Center design guide

14 Microsoft Internet Data Center Guide: Security
Examples of topics included in Internet Data Center guide:
- Defense In Depth strategy
- Common hacker methods and prevention
- Best practices for securing IIS
- Windows 2000 Active Directory design and security policies
- Best practices for application security
- Authentication

15 Microsoft Security Process Guidance
Based on British Standard 7799, included in Internet Data Center guide, a 4-phase process:
- Assess
  - Define security requirements
  - Perform analysis of current and desired states
- Design
  - Develop security solution
  - Utilize Defense In Depth framework
- Deploy
  - Test and implement
  - Define and document policies, standards, procedures
- Manage
  - Operational management
  - Review and reassess on a regular basis

16 Strategic Technology Protection Program
Get Secure! Stay Secure!
People, Process, Technology

17 Security Management and Operations
Security through people, process and technology
- MCS Security assessment service offering
- Prescriptive guidance for building and managing security
- Pre-tested and certified configurations
- Microsoft Operations Framework
- Industry leading security response and support
- Free PSS virus related support at +45 4489 0111
- World-class security training
- Gold certified security partner program
- Security roll-up packages
- Microsoft Baseline Security Analyzer
- Windows Update
- Microsoft Software Update Service
Slide labels: People, Process, Technology

18 STPP: “Get Secure”
- Enterprise Security
  - Server security configuration scanner
  - SMS security patch rollout tool
  - Windows Update Auto-update client (Group Policy-enabled)
- Microsoft.com/security
  - Server oriented security resources for server admins
  - New security tools and updates
  - Security Notification Service
- Microsoft Consulting Services
  - Security Assessment
  - Security Quick Start Programs
  - ISA Quick Start Program
- Product Support Services (PSS)
  - 1-866-PCSAFETY – Free virus related support
  - Security News Groups – Microsoft.com/security
Slide labels: People, Process, Technology

19 STPP: “Stay Secure”
- Enhanced Product Security
  - Provide greater security enhancements in the releases of all new products, including the Windows.NET Server family
- Microsoft Software Update Service (SUS)
  - Allows enterprise to host and select Windows Update content
- Windows 2000 Service Pack (SP3)
  - Provide ability to install SP3 + security rollup with a single reboot
- Windows 2000 Security Rollup Patches
  - Bundle all security fixes in single patches
  - Reduces reboots and administrator burden
Slide labels: People, Process, Technology

20 The Secure Infrastructure
- Integrated Solution for Identity Management
  - Directory Services (AD & MMS)
  - Authentication (PKI, Kerberos, Passport)
  - Authorization (ACLs, Roles, Federation)
  - Policy-based management (GP, and GPMC)
- Secure Network Connectivity
  - Secure Internet connectivity (MSA & ISA)
  - Secure remote access (VPN, IAS)
  - Secure wireless networks (PKI + 802.1x)
- Comprehensive Security Management and Operations
  - Tools (MBSA, MSUS)
  - Guidance (MOC, PAGs, Security Best Practices)
  - Services (MSQS, PSS, & professional services)
  - Products (SMS, MOM)

21 Products to Help Manage Your IT Security
- Use Systems Management Server (SMS) 2.0
  - Collect software/hardware inventory information
  - Deploy the HFNetChk tool, collect results and report on findings
  - Distribute Microsoft Security Tool Kit fixes to Windows desktops and servers
  - Receive status reports on the success of distribution
- Use Microsoft Operations Manager (MOM) 2000
  - Proactively manage the OS and applications through built-in security-related alerts and scripts
  - Continuously monitor Windows servers for possible attacks
  - Receive immediate alerts of possible security breaches
  - Produce reports that can showcase that service levels are being met

22 Microsoft Baseline Security Analyzer
- Part of STPP
- Uses a version of HFNetChk to scan for missing hotfixes and service packs for Windows, IIS, and SQL.
- Includes a graphical and command line interface that can perform local or remote scans of Windows systems
- Scan for missing hotfixes and vulnerabilities in the following products: Windows NT 4.0, Windows 2000, Windows XP, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002

23 Software Update Services Solution
- Automatic Update (AU) client
  - Automatically download and install critical updates
  - Security patches, high impact bug fixes and new drivers when no driver is installed for a device
  - Checks Windows Update service or Corporate Update server once a day
  - New! Install at scheduled time after automatic downloads
  - Administrator control of configuration via registry-based policy
  - Support for Windows.NET Server, Windows XP and Windows 2000
- Software Update Services
  - Corporate hosted server supports download and install of critical updates through Automatic Update client
  - Server synchronizes with the public Windows Update service
  - Simple administrative model via IE
  - Updates are not made available to clients until the administrator approves them
  - Runs on Windows.NET Server and Windows 2000 Server

24 Trustworthy Computing: The Big Picture
- Availability: Functionality there when needed
- Suitability: Features fit function
- Privacy: User in control of their data
- Integrity: Against data loss or alteration
- Reputation: System and provider brand
- Policy: Guidelines, standards, norms
- Dev Practices: Methods, philosophy
- Ops Practices: Guidelines and benchmarks
- Business Practices: Business model
- Security: Resists unauthorized access
- Quality: Usability, reliability, performance
- Intent: Management assertions
- Risks: What undermines intent, causes liability
- Implementation: Steps to deliver intent
- Evidence: Audit mechanisms
Slide labels: Goals, Means, Execution

25 Bringing It All Together…
[Diagram labels: UNIX Application, Exchange, Web Applications, File Sharing, SQL Server, Active Directory, Non-AD Directory, LAN, Wireless LAN, VPN Gateway]
- Lower Cost of Security
  - Integrated infrastructure solution
  - Centralized management of network resources
  - Fewer identities and directories to manage
  - Interoperability with other platforms
- Reduced Security Risk
  - Prescriptive guidance
  - Internet protection via firewall and content filtering
  - Security tools and services
  - Security patch management infrastructure

26 All-Time Favorite Security Goals

Defense in depth: The defense in depth rule states that not just one security solution should be implemented but that different solutions should be combined into one solution framework. In other words, information security is not a question of this OR that but rather of this AND that. This approach has the additional advantage that the different solutions can supplement each other.

Ease of use: Ease of use assures that a security system is used when appropriate and that its use doesn’t depend on the complexity of its implementation. If a user encounters too many difficulties while working with a security system, he or she could prefer to do the same job without the security system. A way to provide ease of use is to centralize all security administration tasks and to make the application of security measures transparent to the user. This principle is used in Windows 2000 Group Policy Objects (GPOs).

Performance: As with ease of use, performance also assures that a security system is used when appropriate. It guarantees that a security system’s use doesn’t depend on its execution speed. If it takes you several minutes to send one secured mail, you might consider sending the mail without security (or upgrading the machine).

Availability: Availability protects against interruption. It guarantees that the security system and the information protected by the security system are available at all times. Excellent examples of security solutions providing availability are backup software and fault-tolerant solutions, such as hardware clustering or RAID.

Cost: This is a key factor that is often forgotten. In many organizations it’s the decisive parameter when choosing the final security solution.

27 Next Steps
- Microsoft Security Quick Start (MSQS)
  - Short, fixed cost programs designed to help you get secure and stay secure
  - MSQS for Planning Secure Systems
  - MSQS for Operating Secure Systems
- Build security into the development process
  - SMI – engineering for security
  - New processes and tools for development and testing
  - Mobilization of resources to make it happen
- Deploy a secure infrastructure
  - Windows 2000 Servers and ISA today
  - Windows.NET builds on Windows 2000 security infrastructure
  - Best path to federation
- Utilize security training available from Microsoft
- Certified Partner Program

28 Security Resources (1/3)
To locate a partner who can help with Microsoft security solutions:
- Microsoft Certified Providers Directory: http://mcspreferral.microsoft.com/
- Microsoft Consulting Services: www.microsoft.com/BUSINESS/services/mcs.asp
For technical information:
- White Paper: Microsoft Security Response Center Security Bulletin Severity Rating System: www.microsoft.com/technet/security/topics/rating.asp
- CSI/FBI Computer Crimes and Security Survey 2002, Computer Security Institute: www.gocsi.com/
- ISA Server information: www.microsoft.com/isa
- Hacking Exposed – Network Security Secrets & Solutions, 3rd Edition; Joel Scambray, Stuart McClure, George Kurtz
For training and certification questions:
- Microsoft Training and Certification: www.microsoft.com/training
For information about Microsoft security strategies and solutions:
- Primary resource: www.microsoft.com/security
- White Papers:
  - Best Practices for Enterprise Security: www.microsoft.com/technet/security/bpentsec.asp
  - It’s Time to End Information Anarchy: www.microsoft.com/technet/columns/security/noarch.asp
  - The 10 Immutable Laws of Security: www.microsoft.com/TechNet/security/10imlaws.asp

29 Security Resources (2/3)
Security Services:
- Microsoft Security Services Directory: http://www.microsoft.com/security/overview/services.asp
- Microsoft TechNet Security: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
For technical information:
- White Papers:
  - Security Operations Guide for Windows 2000 Server: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/windows/windows2000/staysecure/default.asp
  - Security Operations Guide for Exchange 2000 Server: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/mailexch/opsguide/default.asp
- Internet Data Center Guide Documentation: http://www.microsoft.com/downloads/release.asp?releaseID=35479
Security Tools:
- Microsoft Security Tools: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
- Microsoft Baseline Security Analyzer: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
For information about Microsoft security strategies and solutions:
- Primary resource: www.microsoft.com/security
- Trustworthy Computing: http://www.microsoft.com/enterprise/articles/security.asp
- Strategic Technology Protection Program: http://www.microsoft.com/security/mstpp.asp
- Product Security Notification: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp
- Security Best Practices: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/notify.asp

30 Security Resources (3/3)
Other useful resources:
- MBSA Whitepaper: http://www.microsoft.com/technet/security/tools/tools/mbsawp.asp
- MBSA Download: http://download.microsoft.com/download/win2000platform/Install/1.0/NT5XP/EN-US/mbsasetup.msi
- SUS Info and Download: http://www.microsoft.com/windows2000/windowsupdate/sus/
- SMS Valuepack online presentation: http://support.microsoft.com/default.aspx?scid=/servicedesks/webcasts/wc081402/wcblurb081402.asp
- MMS Information: http://www.microsoft.com/windows2000/technologies/directory/MMS/default.asp
- SfU Information: http://www.microsoft.com/windows/sfu/default.asp
- SfN Information: http://www.microsoft.com/windows2000/sfn/default.asp
- HIS Information: http://www.microsoft.com/hiserver/default.asp
- Active Directory Information: http://www.microsoft.com/windows2000/technologies/directory/AD/default.asp
