Information Security
Microsoft Legal Spotlight
Presented by LawNet and Microsoft
Alan Hakimi
US Lead Architect for
Security
Microsoft Services
Scott D. Gilgallon
Legal Vertical Manager, San Francisco
Microsoft Corporation
Legal Disclaimers
I am not a lawyer, nor do I intend to be one
I do not provide legal advice, I try to
provide information security advice
I recommend seeking legal counsel, so
seek yourselves and your colleagues
I also recommend consulting your auditors
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at
any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN
THIS DOCUMENT.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement
or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid
understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.
This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.
All trademarks are the property of their respective companies.
©2004 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Agenda
Information Security and Trustworthy Computing
Security Objectives and Security Risk Management
Developing Secure Solutions
Public Key Infrastructures
Microsoft Product Suite
Questions
Poll
Information Security
The defined set of organizational policies,
procedures, practices, and technology
which protect information assets with a
reasonable assurance of safety
Note: It is imperative for organizations to
document this defined set
Information Security Compliance
“The measurement of effectiveness of the defined
set of organizational policies, procedures,
practices, and technology which protect
information assets with a reasonable assurance
of safety based on regulatory statutes and
accepted standard practices.”
Safe from whom? Who and what requires
safety?
Which regulatory statutes apply?
What are accepted standard practices?
What is reasonable?
How does one measure effectiveness?
How do I create the defined set?
Microsoft Initiative
Resilient to attack
Individual control of personal data
Engineering Excellence
Protects confidentiality, integrity, availability of data and systems
Products, online services adhere to fair information principles
Dependable, performs at expected levels
Protects individual’s right to be left alone
Available when needed
Open, transparent interaction with customers
Address issues with products and services
Help customers find appropriate solutions
Basic Security Objectives
Confidentiality. The concealment of
information or information assets
Integrity. Protection of the content of
information and the source of data
Availability. Ability to use the information
asset
The Business Case
Organizations are adopting a zero-tolerance for security breaches
Organizations’ reputation and fiscal
health are at stake
Organizations must meet the legal
standard of reasonable care
Organizations must protect privileged
or personal information
Security Enabled Business
[Diagram labels: Impact to Business, Probability of Attack, Risk Level]
Reduce Security Risk
Assess the environment
Improve isolation and resiliency
Develop and implement controls
Increase Business Value
Connect with customers
Integrate with partners
Empower employees
[Diagram labels: ROI, Connected, Productive]
Security Risk Management
Addresses the safety element of
information security
What is the threat to your organization?
What information assets require protection
in your organization?
Which assets are vulnerable?
Security Risk Management
Protect information assets
Confidentiality
Integrity
Availability
Threat Assessment
Human
Non Human
Vulnerability Analysis
Technology
People
Process
Threat: Attackers
Attackers want to disrupt the information
services from running
Attackers wish to view, modify, or steal data
from the information service
Attackers are motivated by religious
beliefs, political views, ethnic backgrounds,
nationality, reputation, and wealth
Threat: Other Lawyers
Lawyers take legal action against
individuals or organizations
May be on behalf of employees,
customers, or other organizations
The risk stems from:
Failure to protect data
Illegal, irresponsible, fraudulent, ignorant or
unethical behavior
Legalese and Threat Mitigation
A tort is “a wrong” that is civil in nature
and that violates someone’s right or duty.
A right is a legal claim not to have
others interfere with a protected interest,
including property and privacy
A duty is a legal obligation not to interfere
with a protected interest
Negligence (negligent tort) is some conduct
that creates an unreasonable risk of
harm, or that fails to protect against harm
Risk Management & Decision Support
[Chart: Impact of vulnerability to business against Probability of threat/exploit, axes running from Low to High, with regions for Acceptable Risk and Unacceptable Risk]
Business defines impact
Information security defines probability
Risk management drives risk to an acceptable level
Security Solutions Scope
Common security environments
Manage risk where IT assets are similar
Define roles & accountability for each environment
Create processes to assess, control, and measure each environment
Managed Servers, Managed Clients, Unmanaged Devices
Defense in depth
Provides a way to group threats and controls
Spans people, process, and technology
Physical, Network, Host, Application, Data
Framework for a Security-Enabled Business
Security Leadership & Culture
● Management commitment to proactive risk management
● Security defined in terms of value to the business
● Clearly defined vision, mission, and scope
● Well-defined roles and accountability
Risk Management & Decision Support
● Consistent and repeatable process to assess and prioritize risk
● Formal decision support process to identify the most effective solution based on a cost/benefit analysis
Security Solutions Blueprint
● View of security solutions across enterprise IT assets
● Common approach and understanding of current investments and future needs
● Measurement of results
Security Leadership & Culture
[Diagram labels: Business Drivers, Security Strategy, Security Principles, Security Leadership Roles]
Business drivers
Regulatory mandates
Industry standards
Customer confidence
Security strategy
Proactive
Reactive
Security Dashboard
[Matrix: Defense in Depth (Physical, Network, Host, Apps, Data) against Security Environments (Managed Servers, Managed Clients, Unmanaged Devices)]
Assessing Risk
[Matrix: Defense in Depth (Physical, Network, Host, Apps, Data) against Security Environments (Managed Servers, Managed Clients, Unmanaged Devices)]
• Evaluate risk for each intersection
• Provides holistic view of information security
• Each intersection contains risk rating and mitigation strategy
Legend: Acceptable, Control in Progress, Unacceptable
Risk Assessment Results
[Matrix: Defense in Depth (Physical, Network, Host, Apps, Data) against Security Environments (Managed Servers, Managed Clients, Unmanaged Devices)]
Legend: Acceptable, Control in Progress, Unacceptable
Commit to a Course of Action
Evaluate available or new IT security
control options
Use cost/benefit analysis to identify
which gaps represent the greatest relative
risk
Create a formal, repeatable decision
support process to prioritize solutions
Implementing Solutions
[Matrix: Defense in Depth (Physical, Network, Host, Apps, Data) against Security Environments (Managed Servers, Managed Clients, Unmanaged Devices), with a Solution marked at intersections]
Measuring Results
[Matrix: Defense in Depth (Physical, Network, Host, Apps, Data) against Security Environments (Managed Servers, Managed Clients, Unmanaged Devices)]
Legend: Acceptable, Control in Progress, Unacceptable
Taking the Next Steps
Formalize your security strategy
Refer to standards you’ve already identified and use our framework where you think it’s appropriate
Execute risk management process
Establish IT security objectives
Inventory vulnerabilities and existing security controls
Assess risk
Commit to a course of action
Implement security controls
Measure results
Risks
While the potential for damage from an
attacker is more evident, an attacker does
not file lawsuits for:
Harassment or discrimination
Privacy invasion
Disclosure of confidential information
Copyright infringement
Investment fraud
That may be your or your organization’s job
Therefore you must also mitigate the risk
of another attorney filing a lawsuit against
your organization.
Security Risk Management
Microsoft advocates using a risk driven
approach to help manage security risks
within an organization
This must have involvement of senior
management, stakeholders
IT staff must have business awareness to
understand where security investments
can have the best ROI
Security depends on balancing cost and
risk through the appropriate use of
technology, policy, outsourcing, and
insurance.
Security Risk Management Results
Helps the organization determine reasonable
mitigation strategies, called countermeasures and
safeguards, to counteract threats and minimize
vulnerabilities.
Some risks cannot reasonably be mitigated
against; therefore, contingency plans can be
created for the risks the organization wishes to
own.
Other risks can be transferred to third parties,
accepted, etc.
These mitigation strategies and contingency plans
address the reasonable element of information
security.
Security Risk Management Guidance
Security Risk Management Discipline
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
Security Risk Management Guidance
http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx
Regulatory Factors
Addresses the regulatory element of
information security
USA PATRIOT Act
Department of Homeland Security (DHS)
Health Insurance Portability and
Accountability Act (HIPAA)
Sarbanes-Oxley (SOX)
Computer Fraud and Abuse Act (CFAA)
Digital Millennium Copyright Act (DMCA)
Gramm-Leach-Bliley (GLB)
IT Security Solutions
Building Systems with Security Assurance
In order to meet the goals of information
security, all IT solutions must address
these five areas to meet the business
objectives for security
This is an attempt to address the accepted
practices for information security
Identity Management
Access Management
Secure Data Management
Audit Management
Resiliency and Integrity Management
Identity Management
The set of tools, policies, and practices
that manage digital identities
Credentials
Passwords
Provisioning / Deprovisioning
Attribute Synchronization
Coverage Areas
Directory Services
Authentication
Access Management
The set of tools, policies, and practices
that controls access to information assets
Entitlements
Access Control Lists
Roles
Groups
Coverage Areas
Authorization
Audit Management
The set of tools, policies, and practices that
monitor and track the access to information
assets
Events
Tracking
Logging
Reporting
Auditors
Coverage Areas
Event Management
Event Aggregation
Event Reporting
Event Analysis - Forensics
Secure Data Management
The set of tools, policies, and practices
that secure data within information assets
Data Storage
Secured Transmission and Reception of Data
across Communication Networks
Coverage Areas
Cryptography
Privacy
Data Classification Schemes
Resiliency and Integrity Management
The set of tools, policies, and practices
that keep information assets healthy and
functional
Health Checking
Availability
Intrusion Detection
Coverage Areas
Malware Detection and Eradication
Systems Management
Operations Management
Information Security Compliance
Recap Questions and Answers
Safe from whom and who requires safety?
Security Risk Management – Asset Identification, Threat Analysis, and
Vulnerability Assessment
Which regulatory statutes apply?
Security Risk Management – Business Requirements for Definition of
Reasonable Assurance
What are standard practices?
Defense in Depth for Deploying Countermeasures
Use Five Security Areas for Building Secure Solutions
What is reasonable?
Security Risk Management – Risk Analysis
How does one measure effectiveness?
Security Risk Management – Risk Tracking and Reporting
Use ISO 17799 and Common Criteria to measure trustworthiness
effectiveness
Use external audit procedures to measure effectiveness of regulatory
controls as required by business
How does one create the defined set?
Security Risk Management – Countermeasure and Safeguard
Development for Remediation Strategy
Definition of Security Architecture
What does the law profession need?
Confidential Communications
Client – Attorney Privilege
Secure Storage of Documents
Legal Documents
Privacy of Client Information
Client Data Security
Evidence of an Action
Legally Binding Signatures
Crime or Other Inappropriate Activity
Public Key Infrastructure
Public Key Infrastructures are quickly
becoming a security enabler for most
organizations and eventually will be a must-have
Why?
Encryption
Digital Signatures
Multi-Factor Authentication
Business drivers
To provide authentication and trust
Authentication (digital certificate): Confirmed in-house or by trusted organization
Integrity (digital signature): Guarantee information has not been tampered with
Confidentiality (encryption): Encrypted messages to ensure secure trusted transactions; must be securely stored
Proof of transaction (digital signature): Assures originator cannot disavow transaction; enables use of trusted, binding transaction receipts based on identity and/or role
PKI value proposition
It’s all about the applications
PKI is...
Not a solution…
Not an application…
Not a solution to thwart hackers…
A technology useful in some applications that
provide a security solution
PKI value proposition
PKI applications—customer demand
Encrypting File System
Protecting data on mobile stations
Secure E-mail
Protecting data collaboration between partners
Smartcard logon
Requiring stronger logon security
SSL
Protecting web server transactions
Remote Access
L2TP/IPSEC VPN solutions
PKI value proposition
PKI applications
Fastest emerging demand
Wireless and 802.1x
What is slow, but growing
Digital signatures, signed transactions
PKI enabled application logon
Client side SSL logon to web sites
Smartcards for consumers
Where is the “killer application?”
What PKI is and isn’t
PKI is an enabling technology
PKI is not a solution, in and of itself
Some business uses for PKI
Secure communications
Data needs to be safe in transit
Secure data
Data needs to be safe in storage
Establishing digital identity
For people, systems, processes
Secure transactions
Same or better safeguards than the paper world
Recommended Reading
American Bar Association Information
Security committee has published PKI
Assessment Guidelines (PAG)
http://www.abanet.org/scitech/ec/isc/home.html
Windows Platform Security Solutions
Scenario: Mobile Users
Risks:
• Lost/Stolen Laptop
• Dial-up Attacks
Solutions:
• Encrypted File System (EFS)
• IPSEC, L2TP
Scenario: E-commerce
Risks:
• False Identity/Impostor
• Theft of data/money
• Transaction modification
Solutions:
• Public Key Infrastructure (PKI)
• Integrated Certificate Authority
• SSL/TLS
Scenario: Home Office
Risks:
• On-wire Internet Attacks
• Dial-up Attacks
• False Identity/Impostor
Solutions:
• IPSEC, L2TP
• Kerberos and PKI
• SSL/TLS, S/MIME
Scenario: LAN / WAN
Risks:
• False Identity/Impostor
• Password Sharing/Guessing
• Adds/Moves/Changes
Solutions:
• Kerberos and PKI
• Smart Cards, Biometrics
• Group Policy, Delegated Admin
Scenario: Applications
Risks:
• False Identity/Impostor
• Password passing
• Path of least resistance coding
• Malicious Code (Trojan horse)
Solutions:
• Kerberos, NTLMv2, Smart Cards
• Impersonation, Auditing
• SSPI, CryptoAPI
• Code Signing and Policy
Scenario: Extranets
Risks:
• False Identity/Impostor
• Data Theft
• On-wire Internet Attacks
Solutions:
• Public Key Infrastructure (PKI)
• Integrated CA
• IPSEC, L2TP, SSL/TLS, S/MIME
Scenario: Management
Risks:
• Too many places to secure
• Unfamiliar with employee roles
• Don’t know who did what
• Configuration and Drift
Solutions:
• Active Directory Integration
• Delegated Administration
• Auditing Improvements
• Security Templates
Microsoft Product Portfolio
Identity Management
Windows Server 2003 – Active Directory
Windows Server 2003 – Certificate Services
Windows – Active Directory Application Mode
Microsoft Identity Integration Server 2003
Access Management
Windows Server 2003
Windows – Authorization Manager
Windows Rights Management Server
Secure Data Management
Windows Server 2003 – Certificate Services
Internet Acceleration Server 2004 – Firewall and Proxy Services
Windows – Encryption File Service
Audit Management
Microsoft Audit Collection System
Microsoft Windows
Microsoft Operations Manager
Resiliency and Integrity Management
Windows XP – SP2 Firewall
Windows Server 2003 – Network Load balancing, Clustering
Systems Management Server 2003 – Patch and Update Management
Microsoft Operations Manager – Systems Health Management
Microsoft Product Portfolio
Coming Attractions
Active Directory Federation Services
Active Protection Technology
Network Access Protection
How we can help….
Microsoft Services US Center of
Excellence for Security
Security Risk Management Engagement
Security Remediation Engagement
Security Architectural Engagement
Security Solution Deployment Engagement
Security Operations Engagement
PKI Architecture and Implementation is
one of our most common engagements in
the security space
Questions
Microsoft Services
Alan Hakimi
alanhak@microsoft.com
Microsoft Legal Vertical Manager
Scott D. Gilgallon
scottgil@microsoft.com
Resources
Microsoft Services
http://www.microsoft.com/services/microsoftservices/default.mspx
Microsoft Security
http://www.microsoft.com/security
Security Guidance Center
http://www.microsoft.com/security/guidance
How Microsoft IT Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics
https://www.microsoftelearning.com/security
Events and Webcasts
http://www.microsoft.com/seminar/events/security.mspx
American Bar Association – Information Security Committee
http://www.abanet.org/scitech/ec/isc/home.html
This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.