Trustworthy Computing – One year on

Stuart Okin

Chief Security Officer – Microsoft UK

Agenda
  • Reminder – Set the scene & What is Trustworthy Computing?
  • What have we done?
  • What are we planning
  • Call to Action
  • Questions?
Leaving Messages
  • Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity
  • Trustworthy Computing can only be achieved through partnership & teamwork
  • Trustworthy Computing is a journey with a long-term vision, with highlights and obstacles along the road
Threat Remains Real
  • 90% detected computer security breaches
  • 40% detected system penetration from the outside; up from 25% in 2000
  • 85% detected computer viruses
  • 95% of all breaches due to misconfiguration

Source: Computer Security Institute (CSI) Computer Crime and Security Survey 2002

Source: CERT, 2002
An Industry-Wide Problem
  • Why are security breaches common?
    • Microsoft – Windows UPnP
    • Oracle – Oracle 9i buffer overrun
    • AOL AIM
    • CDE/Solaris
    • Apache – OpenSSL buffer overrun
  • Viruses, worms
    • Nimda, Code Red
    • Slapper
  • People will have to believe in the technologies, companies and services
Vision
  • “Computers as Trusted as a Utility”
  • Trust is not just security, as it involves perception and environment
    • Telephones - almost always there when we need them, do what we need them to do, work as advertised, and are reliably available.
    • A combination of engineering, business practice, and regulation
  • Computers generally do not engender trust
Trustworthy Computing Core Tenets

Security
  • Resilient to attack
  • Protects confidentiality, integrity, availability and data

Privacy
  • Individuals control personal data
  • Products and online services adhere to fair information principles

Reliability
  • Dependable
  • Available when needed
  • Performs at expected levels

Business Integrity
  • Help customers find appropriate solutions
  • Address issues with products and services
  • Open interaction with customers
Progress To Date

SD3 + Communications

Secure by Design
  • Security training for 11,000 engineers
  • Security code reviews of old source
  • Threat modeling
  • “Blackhat” test coverage
  • Buffer overrun detection in compile process

Secure by Default
  • Office XP: macros off by default
  • No sample code installed by default
  • IIS and SQL Server off by default in Visual Studio .NET

Secure in Deployment
  • Deployment tools: MBSA, IIS Lockdown, SUS, WU, SMS Value Pack
  • Created STPP to respond to customers
  • PAG for Windows 2000 Security Ops

Communications
  • TAMs call Premier customers proactively
  • MSRC severity rating system
  • Free virus hotline
  • MSDN security guidance for developers
  • www.microsoft.com/technet/security
Microsoft Services - Overview

[Diagram: Premier support (Critical Incident Management, Problem & Incident Management (MS reactive), 24x7 onsite escalation, “Contract” SLA, High Availability); Consulting (Security, Tools, Development, Platform); Dedicated Support Engineering; Incident Prevention Services; Service Management under MOF/ITIL (Release, Configuration, Change and Performance Management, Capacity Planning, Backup/Restore); “Critical Systems” Service Packages (Security, Business Continuity, Privacy, Legal, Monitoring e.g. MOM, Application Monitoring, Firewalls, Access, Virus Tools); Server lifecycle (Design, Build, Test, Deploy, Server build/management, OS build/management, Messaging, SQL, DataCentre, Advanced Server, Windows NT4/W2K); Hardware (Network, Management tools, Trusted Storage, Clusters, Fault Tolerant Servers); Performance vs Time/Cost.]
Trustworthy Computing

Privacy

Business Integrity

What Will It Take To Address The Business Integrity Goal?
  • Privacy, for example:
    • In product design
      • XP activation anonymous, no PII data collected
      • P3P in Internet Explorer
      • P3P support on all major web properties
      • Conspicuous privacy notices in products
    • With affiliations, sponsorships
      • TRUSTe, BBBOnline – no comparable bodies in Europe yet
      • Computers, Freedom and Privacy 2002
    • By third-party audits
    • Through organizational practices
      • Adopted Fair Information Practices, GLB compliant in 1997
      • European Safe Harbour Agreement on data worldwide
      • Privacy training, Assessment and Health Index for all divisions
January 2002 to March 2003

Timeline columns: January, February, March
  • Bill Gates' memo
  • 11,000 trained. Code reviews & stand down in Windows
  • Released “Security Operations Guide for Windows 2000 Server”
  • Security Guides
  • Release intention to federate Passport – TrustBridge
  • Responsible Vulnerability Disclosure Process draft (placed on IETF)
  • Release “Exchange 2000 Server Security Features” & “A/V Features and Strategies for Protecting your Exchange Environment” whitepapers
  • MSN announces participation in a beta test of the first e-mail certification and seal program
  • MS & IBM announce WS-I
  • Set up the Security Business Unit. Set up local security offices. Set up EMEA office
  • PSS Security formed
  • .NET Framework released
April 2002 to June 2002

Timeline columns: April, May, June
  • Announce WS-Secure initiative (OASIS specs for June)
  • Securing the Internet Data Centre workshop complete
  • Palladium announced (Next Generation Secure Computing Base)
  • Microsoft Baseline Security Analyzer (MBSA) v1.0 releases
  • IDC workshops
  • Join ETSI/CEN Working Party
  • Release Software Update Services
  • Detailed Privacy Handbook distributed company wide, serves as basis for Privacy Health Index
  • Release Prescriptive Architecture Guide for “.NET Web Applications”
  • Windows security-push stand down ends
  • UK security assessment and implementation for Manchester 2002 (Commonwealth Games)
  • Scott Charney hired
  • MS announces support of SAML (July)
July 2002 to Sept 2002

Timeline columns: July, August, September
  • SQL Server, Exchange, Office complete security pushes
  • Notification process launched by Steve B & BillG
  • The Trustworthy Computing Academic Advisory Board is chartered to review Microsoft product and policy issues
  • Organisation for Internet Safety (OIS) formed
  • MCSE training
  • OTG Showcase
  • Updated Trustworthy Computing White Paper and Bill G mail to executives
  • UK: train 7 partners in Security Assessment Services
  • Windows XP SP1 releases
  • Computer Security Resource Centre releases draft “System Admin Guidance for Windows 2000”
  • MS Showcase on: smartcards, secure wireless and ISA business case and deployments
  • MSN 8 launches with new advanced parental and spam control. MSN awarded TRUSTe privacy policy cert from EU
  • A series of new training courses available
  • SQL Hardening training workshop complete
  • Windows Media Player 9 Series beta releases with new privacy and security
  • Draft NSA Windows XP Guide
  • New EFS whitepaper released
  • MS acquires XDegrees, a maker of security software
  • Release of “Pocket PC Security” whitepaper
  • MOF Operation Assessment v2 released
Oct 2002 to Dec 2002

Timeline columns: October, November, December
  • Announce RSA partnership
  • System Management Server (SMS) Feature Packs
  • Microsoft Baseline Security Analyzer (MBSA) v1.1 releases
  • Support IAAC delivery of Benchmarking Information Assurance
  • Severity rating system changed
  • “Writing Secure Code” Second Edition publishes
  • Support ISF in review of Windows 2000 and .NET security guidelines for members (industry)
  • Distributed over 4,800 security tool kits to small business
  • Microsoft Solution Management Service Offering released
  • Windows 2000 reaches Common Criteria (CC approval)
  • HP & Microsoft UK launch HA services
  • WS-I releases WS-Security
  • Security Resource Toolkit version 2 released
  • MSA EDC v1.5 provides guidance for designing Enterprise DataCentre environments
  • MS Showcase case study: Securing Remote Users
  • Microsoft Audit Collection System beta released
  • Release of “Building Secure ASP.NET Applications” guide
  • Complete first phase of 4E – CPE UK Program (CPE Phase 1)
Jan 2003 to Mar 2003

Timeline columns: January, February, March
  • ISA Feature Pack released
  • Announcing Windows Rights Management (Windows RMS)
  • Showcase on TechNet
  • Release of “Operating .NET-Based Applications” guide
  • Microsoft Home User – Support Magazine CD
  • Microsoft System Centre announced
  • CISO Council
  • Leeds course
  • Microsoft completes OpenHack 4 competition
  • Release of the Secure Windows 2000 Server Solution Guide
  • MOM 2004 announced
  • Government Security Program (Russia, NATO) – UK sign
  • Government Security Program – China sign
  • SANS award: automatic updates, training, vulnerability testing
  • Release of “Using Windows XP Professional with Service Pack 1 in a Managed Environment”
  • Microsoft convenes Trustworthy Computing Academic Advisory Board
  • MS, IBM, BEA & Tibco: WS-ReliableMessaging
  • SQL Slammer
  • Microsoft completes PKI challenge
  • Security Bulletin Notification System for home users
  • Join Information Assurance Advisory Council
  • Announcement of MS Reliability Service
  • CISO US, CISO Finance, CISO UK councils
Where are we planning?
  • Short to Medium Term
    • Improve Patch Management
      • Quality
      • Reduce Installers
      • Single Microsoft Update Service
    • Security Push / Engineering techniques “in a box”
    • Windows 2003 Server (Secure by default)
  • Longer term
    • Integration of Security Products (inc ISVs) into system
    • Next Generation Secure Computing Base
    • Self Healing & attack sensitive systems
    • Move applications to .Net Framework
Leaving Messages
  • Microsoft is committed to Trustworthy Computing = Security, Privacy, Reliability & Business Integrity
  • Trustworthy Computing can only be achieved through partnership & teamwork
  • Trustworthy Computing is a journey with a long-term vision, with highlights and obstacles along the road

Trustworthy Computing

Stuart Okin

Chief Security Officer – Microsoft UK