Information Security: Microsoft Legal Spotlight

Presented by LawNet and Microsoft

Alan Hakimi, US Lead Architect for Security, Microsoft Services
Scott D. Gilgallon, Legal Vertical Manager, San Francisco, Microsoft Corporation

Upload: gabriel-mcgarry

Post on 27-Mar-2015


TRANSCRIPT

Page 1

Information Security: Microsoft Legal Spotlight

Presented by LawNet and Microsoft

Alan Hakimi, US Lead Architect for Security, Microsoft Services

Scott D. Gilgallon, Legal Vertical Manager, San Francisco, Microsoft Corporation

Page 2

Legal Disclaimers

I am not a lawyer, nor do I intend to be one.

I do not provide legal advice; I try to provide information security advice.

I recommend seeking legal counsel, so seek yourselves and your colleagues.

I also recommend consulting your auditors.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.

The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.

This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.

All trademarks are the property of their respective companies.

©2004 Microsoft Corporation. All rights reserved.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Page 3

Agenda

Information Security and Trustworthy Computing

Security Objectives and Security Risk Management

Developing Secure Solutions

Public Key Infrastructures

Microsoft Product Suite

Questions

Page 4

Poll

Page 5

Information Security

The defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety.

Note: It is imperative for organizations to document this defined set.

Page 6

Information Security Compliance

“The measurement of effectiveness of the defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety based on regulatory statutes and accepted standard practices.”

Safe from whom? Who and what requires safety?

Which regulatory statutes apply?

What are accepted standard practices?

What is reasonable?

How does one measure effectiveness?

How do I create the defined set?

Page 7

Individual control of personal data

Products, online services adhere to fair information principles

Protects individual’s right to be left alone

Resilient to attack

Protects confidentiality, integrity, availability of data and systems

Engineering Excellence

Dependable, performs at expected levels

Available when needed

Open, transparent interaction with customers

Address issues with products and services

Help customers find appropriate solutions

Microsoft Initiative

Page 8

Basic Security Objectives

Confidentiality. The concealment of information or information assets.

Integrity. Protection of the content of information and the source of data.

Availability. Ability to use the information asset.

Page 9

The Business Case

Organizations are adopting zero tolerance for security breaches

Organizations’ reputation and fiscal health are at stake

Organizations must meet the legal standard of reasonable care

Organizations must protect privileged or personal information

Page 10

Security Enabled Business

[Diagram: Reduce Security Risk and Increase Business Value, linked through Risk Level, Impact to Business, Probability of Attack, and ROI; labelled Connected and Productive]

Reduce Security Risk
Assess the environment
Improve isolation and resiliency
Develop and implement controls

Increase Business Value
Connect with customers
Integrate with partners
Empower employees

Page 11

Security Risk Management

Addresses the safety element of information security

What is the threat to your organization?

What information assets require protection in your organization?

Which assets are vulnerable?

Page 12

Security Risk Management

Protect information assets: Confidentiality, Integrity, Availability

Threat Assessment: Human, Non-Human

Vulnerability Analysis: Technology, People, Process

Page 13

Threat: Attackers

Attackers want to disrupt information services and stop them from running

Attackers wish to view, modify, or steal data from the information service

Attackers are motivated by religious beliefs, political views, ethnic backgrounds, nationality, reputation, and wealth

Page 14

Threat: Other Lawyers

Lawyers take legal action against individuals or organizations

May be on behalf of employees, customers, or other organizations

The risk stems from:
Failure to protect data
Illegal, irresponsible, fraudulent, ignorant or unethical behavior

Page 15

Legalese and Threat Mitigation

A tort is “a wrong” that is civil in nature and violates someone’s right or duty.

A right is a legal claim not to have others interfere with a protected interest, including property and privacy.

A duty is a legal obligation not to interfere with a protected interest.

Negligence (negligent tort) is conduct that creates an unreasonable risk of harm, or that fails to protect against harm.

Page 16

Risk Management & Decision Support

[Chart: “Probability of threat/exploit” on one axis and “Impact of vulnerability to business” on the other, each running Low to High; the plot is divided into an “Unacceptable Risk” region and an “Acceptable Risk” region]

Information security defines probability

Business defines impact

Risk management drives risk to an acceptable level

Page 17

Security Solutions Scope

Provides a way to group threats and controls

Spans people, process, and technology

Defense in depth: Network, Host, Application, Data, Physical

Manage risk where IT assets are similar

Define roles & accountability for each environment

Create processes to assess, control, and measure each environment

Common security environments: Unmanaged Devices, Managed Clients, Managed Servers

Page 18

Framework for a Security-Enabled Business

Security Leadership & Culture
● Management commitment to proactive risk management
● Security defined in terms of value to the business
● Clearly defined vision, mission, and scope
● Well-defined roles and accountability

Risk Management & Decision Support
● Consistent and repeatable process to assess and prioritize risk
● Formal decision support process to identify the most effective solution based on a cost/benefit analysis

Security Solutions Blueprint
● View of security solutions across enterprise IT assets
● Common approach and understanding of current investments and future needs
● Measurement of results

Page 19

Security Leadership & Culture

Business drivers: Regulatory mandates, Industry standards, Customer confidence

Security strategy: Proactive, Reactive

[Diagram: Security Leadership, with Security Principles, Business Drivers, Security Strategy, and Roles]

Page 20

Security Dashboard

[Matrix: Security Environments (rows) against Defense in Depth layers (columns)]

Security Environments: Unmanaged Devices, Managed Clients, Managed Servers

Defense in Depth: Physical, Network, Host, Apps, Data

Page 21

Assessing Risk

[Matrix: Security Environments (rows) against Defense in Depth layers (columns)]

Security Environments: Unmanaged Devices, Managed Clients, Managed Servers

Defense in Depth: Physical, Network, Host, Apps, Data

Evaluate risk for each intersection

• Provides holistic view of information security

• Each intersection contains risk rating and mitigation strategy

Risk rating: Unacceptable, Control in Progress, Acceptable

Page 22

Risk Assessment Results

[Matrix: Security Environments (rows) against Defense in Depth layers (columns), each intersection marked with its risk rating]

Security Environments: Unmanaged Devices, Managed Clients, Managed Servers

Defense in Depth: Physical, Network, Host, Apps, Data

Risk rating: Unacceptable, Control in Progress, Acceptable

Page 23

Commit to a Course of Action

Evaluate available or new IT security control options

Use cost/benefit analysis to identify which gaps represent the greatest relative risk

Create a formal, repeatable decision support process to prioritize solutions

Page 24

Implementing Solutions

[Matrix: Security Environments (rows) against Defense in Depth layers (columns), with solutions placed on the matrix]

Security Environments: Unmanaged Devices, Managed Clients, Managed Servers

Defense in Depth: Physical, Network, Host, Apps, Data

Page 25

Measuring Results

[Matrix: Security Environments (rows) against Defense in Depth layers (columns), each intersection marked with its risk rating]

Security Environments: Unmanaged Devices, Managed Clients, Managed Servers

Defense in Depth: Physical, Network, Host, Apps, Data

Risk rating: Unacceptable, Control in Progress, Acceptable

Page 26

Taking the Next Steps

Formalize your security strategy
Refer to standards you’ve already identified and use our framework where you think it’s appropriate

Execute risk management process
Establish IT security objectives
Inventory vulnerabilities and existing security controls
Assess risk
Commit to a course of action
Implement security controls
Measure results

Page 27

Risks

While the potential for damage from an attacker is more evident, an attacker does not file lawsuits for:

Harassment or discrimination
Privacy invasion
Disclosure of confidential information
Copyright infringement
Investment fraud

That may be your or your organization’s job. Therefore you must also mitigate the risk of another attorney filing a lawsuit against your organization.

Page 28

Security Risk Management

Microsoft advocates using a risk-driven approach to help manage security risks within an organization

This must have involvement of senior management and stakeholders

IT staff must have business awareness to understand where security investments can have the best ROI

Security depends on balancing cost and risk through the appropriate use of technology, policy, outsourcing, and insurance.

Page 29

Security Risk Management Results

Helps the organization determine what are reasonable mitigation strategies to counteract threats and minimize vulnerabilities, called countermeasures and safeguards.

Some risks cannot reasonably be mitigated; therefore contingency plans can be created for the risks the organization wishes to own.

Other risks can be transferred to third parties, accepted, etc.

These mitigation strategies and contingency plans address the reasonable element of information security.

Page 30

Security Risk Management Guidance

Security Risk Management Discipline
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx

Security Risk Management Guidance
http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx

Page 31

Regulatory Factors

Addresses the regulatory element of information security

USA PATRIOT Act
Department of Homeland Security (DHS)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley (SOX)
Computer Fraud and Abuse Act (CFAA)
Digital Millennium Copyright Act (DMCA)
Gramm-Leach-Bliley (GLB)

Page 32

IT Security Solutions: Building Systems with Security Assurance

In order to meet the goals of information security, all IT solutions must address these five areas to meet the business objectives for security. This is an attempt to address the accepted practices for information security.

Identity Management
Access Management
Secure Data Management
Audit Management
Resiliency and Integrity Management

Page 33

Identity Management

The set of tools, policies, and practices that manage digital identities

Credentials
Passwords
Provisioning / Deprovisioning
Attribute Synchronization

Coverage Areas: Directory Services, Authentication

Page 34

Access Management

The set of tools, policies, and practices that control access to information assets

Entitlements
Access Control Lists
Roles
Groups

Coverage Areas: Authorization

Page 35

Audit Management

The set of tools, policies, and practices that monitor and track the access to information assets

Events
Tracking
Logging
Reporting
Auditors

Coverage Areas: Event Management, Event Aggregation, Event Reporting, Event Analysis - Forensics

Page 36

Secure Data Management

The set of tools, policies, and practices that secure data within information assets

Data Storage
Secured Transmission and Reception of Data across Communication Networks

Coverage Areas: Cryptography, Privacy, Data Classification Schemes

Page 37

Resiliency and Integrity Management

The set of tools, policies, and practices that keep information assets healthy and functional

Health Checking
Availability
Intrusion Detection

Coverage Areas: Malware Detection and Eradication, Systems Management, Operations Management

Page 38

Information Security Compliance: Recap Questions and Answers

Safe from whom and who requires safety?
Security Risk Management – Asset Identification, Threat Analysis, and Vulnerability Assessment

Which regulatory statutes apply?
Security Risk Management – Business Requirements for Definition of Reasonable Assurance

What are standard practices?
Defense in Depth for Deploying Countermeasures
Use Five Security Areas for Building Secure Solutions

What is reasonable?
Security Risk Management – Risk Analysis

How does one measure effectiveness?
Security Risk Management – Risk Tracking and Reporting
Use ISO 17799 and Common Criteria to measure trustworthiness effectiveness
Use external audit procedures to measure effectiveness of regulatory controls as required by business

How does one create the defined set?
Security Risk Management – Countermeasure and Safeguard Development for Remediation Strategy
Definition of Security Architecture

Page 39: What does the law profession need?

• Confidential Communications – Client–Attorney Privilege
• Secure Storage of Documents – Legal Documents
• Privacy of Client Information – Client Data Security
• Evidence of an Action – Legally Binding Signatures
• Crime or Other Inappropriate Activity

Page 40: Public Key Infrastructure

Public Key Infrastructures are quickly becoming a security enabler for most organizations and eventually will be a must-have.

Why?
• Encryption
• Digital Signatures
• Multi-Factor Authentication

Page 41: Business drivers – To provide authentication and trust

Business driver – Technology – What it provides

Authentication – Digital certificate
  Confirmed in-house or by trusted organization

Integrity – Digital signature
  Guarantee information has not been tampered with

Confidentiality – Encryption
  Encrypted messages to ensure secure trusted transactions; must be securely stored

Proof of transaction – Digital signature
  Assures originator cannot disavow transaction; enables use of trusted, binding transaction receipts based on identity and/or role
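As an added example (not code from the presentation or from Microsoft), the following Go program shows the authentication, integrity and proof-of-transaction rows of the table above: an in-house root CA issues a certificate that binds a name to a key, a relying party accepts only certificates that chain to that root, and a signature made with the certified key detects tampering and cannot be disavowed. It uses Go's standard crypto/x509 package with Ed25519 keys, which is my choice, not something the slides specify; the CA name, subject name and message are constructed, and confidentiality (encryption) is not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates an Ed25519 key pair and a certificate binding cn to the public key.
// With parent == nil the result is a self-signed root CA; otherwise parentKey signs it.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // root: sign itself and allow it to sign other certificates
		signer, signerKey, tmpl.KeyUsage = tmpl, key, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainsTo is the "authentication" row: does the trusted root vouch for leaf?
func chainsTo(root, leaf *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// sign is the "proof of transaction" row: only the holder of the private key
// bound to a certificate can produce a signature that certificate accepts.
func sign(key ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(key, msg)
}

// verify is the "integrity" row: any change to msg, or a different key, fails.
func verify(cert *x509.Certificate, msg, sig []byte) bool {
	return cert.CheckSignature(x509.PureEd25519, msg, sig) == nil
}
```

A certificate issued by a second, untrusted root for the same name fails chainsTo, and a signature checked against that impostor certificate fails verify, which is what "confirmed by trusted organization" buys over a bare key.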

Page 42: PKI value proposition – It’s all about the applications

PKI is...
• Not a solution…
• Not an application…
• Not a solution to thwart hackers…
• A technology useful in some applications that provide a security solution

Page 43: PKI value proposition – PKI applications, customer demand

• Encrypting File System – Protecting data on mobile stations
• Secure E-mail – Protecting data collaboration between partners
• Smartcard logon – Requiring stronger logon security
• SSL – Protecting web server transactions
• Remote Access – L2TP/IPSEC VPN solutions

Page 44: PKI value proposition – PKI applications

Fastest emerging demand:
• Wireless and 802.1x

Slow, but growing:
• Digital signatures, signed transactions
• PKI-enabled application logon
• Client-side SSL logon to web sites
• Smartcards for consumers

Where is the “killer application”?

Page 45: What PKI is and isn’t

PKI is an enabling technology

PKI is not a solution, in and of itself

Some business uses for PKI:
• Secure communications – Data needs to be safe in transit
• Secure data – Data needs to be safe in storage
• Establishing digital identity – For people, systems, processes
• Secure transactions – Same or better safeguards than the paper world

Page 46: Recommended Reading

The American Bar Association Information Security Committee has published PKI Assessment Guidelines (PAG)
http://www.abanet.org/scitech/ec/isc/home.html

Page 47: Windows Platform Security Solutions

Scenario – Risks – Solutions

Mobile Users
  Risks: Lost/Stolen Laptop; Dial-up Attacks
  Solutions: Encrypted File System (EFS); IPSEC, L2TP

E-commerce
  Risks: False Identity/Impostor; Theft of data/money; Transaction modification
  Solutions: Public Key Infrastructure (PKI); Integrated Certificate Authority; SSL/TLS

Home Office
  Risks: On-wire Internet Attacks; Dial-up Attacks; False Identity/Impostor
  Solutions: IPSEC, L2TP; Kerberos and PKI; SSL/TLS, S/MIME

LAN / WAN
  Risks: False Identity/Impostor; Password Sharing/Guessing; Adds/Moves/Changes
  Solutions: Kerberos and PKI; Smart Cards, Biometrics; Group Policy, Delegated Admin

Applications
  Risks: False Identity/Impostor; Password passing; Path-of-least-resistance coding; Malicious Code (Trojan horse)
  Solutions: Kerberos, NTLMv2, Smart Cards; Impersonation, Auditing; SSPI, CryptoAPI; Code Signing and Policy

Extranets
  Risks: False Identity/Impostor; Data Theft; On-wire Internet Attacks
  Solutions: Public Key Infrastructure (PKI); Integrated CA; IPSEC, L2TP, SSL/TLS, S/MIME

Management
  Risks: Too many places to secure; Unfamiliar with employee roles; Don’t know who did what; Configuration and Drift
  Solutions: Active Directory Integration; Delegated Administration; Auditing Improvements; Security Templates

Page 48: Microsoft Product Portfolio

Identity Management
• Windows Server 2003 – Active Directory
• Windows Server 2003 – Certificate Services
• Windows – Active Directory Application Mode
• Microsoft Identity Integration Server 2003

Access Management
• Windows Server 2003
• Windows – Authorization Manager
• Windows Rights Management Server

Secure Data Management
• Windows Server 2003 – Certificate Services
• Internet Acceleration Server 2004 – Firewall and Proxy Services
• Windows – Encryption File Service

Audit Management
• Microsoft Audit Collection System
• Microsoft Windows
• Microsoft Operations Manager

Resiliency and Integrity Management
• Windows XP – SP2 Firewall
• Windows Server 2003 – Network Load Balancing, Clustering
• Systems Management Server 2003 – Patch and Update Management
• Microsoft Operations Manager – Systems Health Management

Page 49: Microsoft Product Portfolio – Coming Attractions

• Active Directory Federation Services
• Active Protection Technology
• Network Access Protection

Page 50: How we can help…

Microsoft Services US Center of Excellence for Security
• Security Risk Management Engagement
• Security Remediation Engagement
• Security Architectural Engagement
• Security Solution Deployment Engagement
• Security Operations Engagement

PKI Architecture and Implementation is one of our most common engagements in the security space.

Page 51: Questions

Microsoft Services
Alan Hakimi
[email protected]

Microsoft Legal Vertical Manager
Scott D. Gilgallon
[email protected]

Page 52: Resources

Microsoft Services
http://www.microsoft.com/services/microsoftservices/default.mspx

Microsoft Security
http://www.microsoft.com/security

Security Guidance Center
http://www.microsoft.com/security/guidance

How Microsoft IT Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit

E-Learning Clinics
https://www.microsoftelearning.com/security

Events and Webcasts
http://www.microsoft.com/seminar/events/security.mspx

American Bar Association – Information Security Committee
http://www.abanet.org/scitech/ec/isc/home.html

Page 53

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.