information security microsoft legal spotlight presented by lawnet and microsoft alan hakimi us lead...
TRANSCRIPT
Information Security
Microsoft Legal Spotlight
Presented by LawNet and Microsoft
Alan Hakimi
US Lead Architect for Security
Microsoft Services
Scott D. Gilgallon
Legal Vertical Manager, San Francisco
Microsoft Corporation
Legal Disclaimers
I am not a lawyer, nor do I intend to be one
I do not provide legal advice, I try to provide information security advice
I recommend seeking legal counsel, so seek yourselves and your colleagues
I also recommend consulting your auditors
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication and is subject to change at any time without notice to you. This document and its contents are provided AS IS without warranty of any kind, and should not be interpreted as an offer or commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT.
The descriptions of other companies’ products in this document, if any, are provided only as a convenience to you. Any such references should not be considered an endorsement or support by Microsoft. Microsoft cannot guarantee their accuracy, and the products may change over time. Also, the descriptions are intended as brief highlights to aid understanding, rather than as thorough coverage. For authoritative descriptions of these products, please consult their respective manufacturers.
This deliverable is provided AS IS without warranty of any kind and MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OTHERWISE.
All trademarks are the property of their respective companies.
©2004 Microsoft Corporation. All rights reserved.
Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Agenda
Information Security and Trustworthy Computing
Security Objectives and Security Risk Management
Developing Secure Solutions
Public Key Infrastructures
Microsoft Product Suite
Questions
Poll
Information Security
The defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety
Note: It is imperative for organizations to document this defined set
Information Security Compliance
“The measurement of effectiveness of the defined set of organizational policies, procedures, practices, and technology which protect information assets with a reasonable assurance of safety based on regulatory statutes and accepted standard practices.”
Safe from whom? Who and what requires safety?
Which regulatory statutes apply?
What are accepted standard practices?
What is reasonable?
How does one measure effectiveness?
How do I create the defined set?
Individual control of personal data
Products, online services adhere to fair information principles
Protects individual’s right to be left alone
Resilient to attack
Protects confidentiality, integrity, availability of data and systems
Engineering Excellence
Dependable, performs at expected levels
Available when needed
Open, transparent interaction with customers
Address issues with products and services
Help customers find appropriate solutions
Microsoft Initiative
Basic Security Objectives
Confidentiality. The concealment of information or information assets
Integrity. Protection of the content of information and the source of data
Availability. Ability to use the information asset
The Business Case
Organizations are adopting a zero-tolerance for security breaches
Organizations’ reputation and fiscal health are at stake
Organizations must meet the legal standard of reasonable care
Organizations must protect privileged or personal information
Security Enabled Business
Reduce Security Risk
• Assess the environment
• Improve isolation and resiliency
• Develop and implement controls
[Diagram labels: Risk Level, Impact to Business, Probability of Attack, ROI, Connected, Productive]
Increase Business Value
• Connect with customers
• Integrate with partners
• Empower employees
Security Risk Management
Addresses the safety element of information security
What is the threat to your organization?
What information assets require protection in your organization?
Which assets are vulnerable?
Security Risk Management
Protect information assets
• Confidentiality
• Integrity
• Availability
Threat Assessment
• Human
• Non Human
Vulnerability Analysis
• Technology
• People
• Process
Threat: Attackers
Attackers want to disrupt the information services from running
Attackers wish to view, modify, steal data from the information service
Attackers are motivated by religious beliefs, political views, ethnic backgrounds, nationality, reputation, and wealth
Threat: Other Lawyers
Lawyers take legal action against individuals or organizations
May be on behalf of employees, customers, or other organizations
The risk stems from:
• Failure to protect data
• Illegal, irresponsible, fraudulent, ignorant or unethical behavior
Legalese and Threat Mitigation
Tort is “a wrong” that is civil in nature and that violates someone’s right or duty.
A right is a legal claim not to have others interfere with a protected interest, including property and privacy
A duty is a legal obligation not to interfere with a protected interest
Negligence (negligent tort) is some conduct that creates an unreasonable risk of harm, or that fails to protect against harm
Risk Management & Decision Support
[Chart. Axes: Probability of threat/exploit; Impact of vulnerability to business. Scale labels: Low, High. Regions: Unacceptable Risk, Acceptable Risk.]
Information security defines probability
Business defines impact
Risk management drives risk to an acceptable level
Security Solutions Scope
Provides a way to group threats and controls
Spans people, process, and technology
Defense in depth
Network
Host
Application
Data
Physical
Manage risk where IT assets are similar
Define roles & accountability for each environment
Create processes to assess, control, and measure each environment
Common security environments
Unmanaged Devices
Managed Clients
Managed Servers
Framework for a Security-Enabled Business
Security Leadership & Culture
● Management commitment to proactive risk management
● Security defined in terms of value to the business
● Clearly defined vision, mission, and scope
● Well-defined roles and accountability
Risk Management & Decision Support
● Consistent and repeatable process to assess and prioritize risk
● Formal decision support process to identify the most effective solution based on a cost/benefit analysis
Security Solutions Blueprint
● View of security solutions across enterprise IT assets
● Common approach and understanding of current investments and future needs
● Measurement of results
Security Leadership & Culture
Business drivers
• Regulatory mandates
• Industry standards
• Customer confidence
Security strategy
• Proactive
• Reactive
[Diagram labels: Security Leadership, Security Principles, Business Drivers, Security Strategy, Roles]
Security Dashboard
[Matrix. Security Environments: Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth: Physical, Network, Host, Apps, Data.]
Assessing Risk
[Matrix. Security Environments: Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth: Physical, Network, Host, Apps, Data. Legend: Unacceptable, Control in Progress, Acceptable.]
Evaluate risk for each intersection
• Provides holistic view of information security
• Each intersection contains risk rating and mitigation strategy
Risk Assessment Results
[Matrix. Security Environments: Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth: Physical, Network, Host, Apps, Data. Legend: Unacceptable, Control in Progress, Acceptable.]
Commit to a Course of Action
Evaluate available or new IT security control options
Use cost/benefit analysis to identify which gaps represent the greatest relative risk
Create a formal, repeatable decision support process to prioritize solutions
[Matrix. Security Environments: Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth: Physical, Network, Host, Apps, Data.]
Implementing Solutions
[Diagram labels: Solution (repeated)]
Measuring Results
[Matrix. Security Environments: Unmanaged Devices, Managed Clients, Managed Servers. Defense in Depth: Physical, Network, Host, Apps, Data. Legend: Unacceptable, Control in Progress, Acceptable.]
Taking the Next Steps
Formalize your security strategy
Refer to standards you’ve already identified and use our framework where you think it’s appropriate
Execute risk management process
Establish IT security objectives
Inventory vulnerabilities and existing security controls
Assess risk
Commit to a course of action
Implement security controls
Measure results
Risks
While the potential for damage from an attacker is more evident, an attacker does not file lawsuits for:
• Harassment or discrimination
• Privacy invasion
• Disclosure of confidential information
• Copyright infringement
• Investment fraud
That may be your or your organization’s job
Therefore you must also mitigate the risk of another attorney filing a lawsuit against your organization.
Security Risk Management
Microsoft advocates using a risk driven approach to help manage security risks within an organization
This must have involvement of senior management, stakeholders
IT staff must have business awareness to understand where security investments can have the best ROI
Security depends on balancing cost and risk through the appropriate use of technology, policy, outsourcing, and insurance.
Security Risk Management Results
Helps organization determine what are reasonable mitigation strategies to counteract threats and minimize vulnerabilities called countermeasures and safeguards.
Some risks cannot reasonably be mitigated against, therefore contingency plans can be created for the risk the organization wishes to own.
Other risks can be transferred to third parties, accepted, etc.
These mitigation strategies and contingency plans address the reasonable element of information security.
Security Risk Management Guidance
Security Risk Management Discipline
http://www.microsoft.com/technet/security/prodtech/win2000/secwin2k/default.mspx
Security Risk Management Guidance
http://www.microsoft.com/technet/security/guidance/secrisk/default.mspx
Regulatory Factors
Addresses the regulatory element of information security
• USA PATRIOT Act
• Department of Homeland Security (DHS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley (SOX)
• Computer Fraud and Abuse Act (CFAA)
• Digital Millennium Copyright Act (DMCA)
• Gramm-Leach-Bliley (GLB)
IT Security Solutions
Building Systems with Security Assurance
In order to meet the goals of information security, all IT solutions must address these five areas to meet the business objectives for security
This is an attempt to address the accepted practices for information security
• Identity Management
• Access Management
• Secure Data Management
• Audit Management
• Resiliency and Integrity Management
Identity Management
The set of tools, policies, and practices that manage digital identities
• Credentials
• Passwords
• Provisioning / Deprovisioning
• Attribute Synchronization
Coverage Areas
• Directory Services
• Authentication
Access Management
The set of tools, policies, and practices that controls access to information assets
• Entitlements
• Access Control Lists
• Roles
• Groups
Coverage Areas
• Authorization
Audit Management
The set of tools, policies, and practices that monitor and track the access to information assets
• Events
• Tracking
• Logging
• Reporting
• Auditors
Coverage Areas
• Event Management
• Event Aggregation
• Event Reporting
• Event Analysis - Forensics
Secure Data Management
The set of tools, policies, and practices that secure data within information assets
• Data Storage
• Secured Transmission and Reception of Data across Communication Networks
Coverage Areas
• Cryptography
• Privacy
• Data Classification Schemes
Resiliency and Integrity Management
The set of tools, policies, and practices that keep information assets healthy and functional
• Health Checking
• Availability
• Intrusion Detection
Coverage Areas
• Malware Detection and Eradication
• Systems Management
• Operations Management
Information Security Compliance
Recap Questions and Answers
Safe from whom and who requires safety?
• Security Risk Management – Asset Identification, Threat Analysis, and Vulnerability Assessment
Which regulatory statutes apply?
• Security Risk Management – Business Requirements for Definition of Reasonable Assurance
What are standard practices?
• Defense in Depth for Deploying Countermeasures
• Use Five Security Areas for Building Secure Solutions
What is reasonable?
• Security Risk Management – Risk Analysis
How does one measure effectiveness?
• Security Risk Management – Risk Tracking and Reporting
• Use ISO 17799 and Common Criteria to measure trustworthiness effectiveness
• Use external audit procedures to measure effectiveness of regulatory controls as required by business
How does one create the defined set?
• Security Risk Management – Countermeasure and Safeguard Development for Remediation Strategy
• Definition of Security Architecture
What does the law profession need?
Confidential Communications
• Client – Attorney Privilege
Secure Storage of Documents
• Legal Documents
Privacy of Client Information
• Client Data Security
Evidence of an Action
• Legal Binding Signatures
• Crime or Other Inappropriate Activity
Public Key Infrastructure
Public Key Infrastructures are quickly becoming a security enabler for most organizations and eventually will be a must have
Why?
• Encryption
• Digital Signatures
• Multi-Factor Authentication
[Diagram labels: Digital Certificate, Digital signature, Encryption]
Authentication: Confirmed in-house or by trusted organization
Integrity: Guarantee information has not been tampered with
Confidentiality: Encrypted messages to ensure secure trusted transactions; must be securely stored
Proof of transaction: Assures originator cannot disavow transaction; enables use of trusted, binding transaction receipts based on identity and/or role
Business drivers
To provide authentication and trust
PKI value proposition
It’s all about the applications
PKI is...
• Not a solution…
• Not an application…
• Not a solution to thwart hackers…
• A technology useful in some applications that provide a security solution
PKI value proposition
PKI applications: customer demand
Encrypting File System
• Protecting data on mobile stations
Secure E-mail
• Protecting data collaboration between partners
Smartcard logon
• Requiring stronger logon security
SSL
• Protecting web server transactions
Remote Access
• L2TP/IPSEC VPN solutions
PKI value proposition
PKI applications
Fastest emerging demand
• Wireless and 802.1x
What is slow, but growing
• Digital signatures, signed transactions
• PKI enabled application logon
• Client side SSL logon to web sites
Smartcards for consumers
• Where is the “killer application?”
What PKI is and isn’t
PKI is an enabling technology
PKI is not a solution, in and of itself
Some business uses for PKI
Secure communications
• Data needs to be safe in transit
Secure data
• Data needs to be safe in storage
Establishing digital identity
• For people, systems, processes
Secure transactions
• Same or better safeguards than the paper world
Recommended Reading
American Bar Association Information Security committee has published PKI Assessment Guidelines (PAG)
http://www.abanet.org/scitech/ec/isc/home.html
Windows Platform Security Solutions
Scenario: Mobile Users
Risks: Lost/Stolen Laptop; Dial-up Attacks
Solutions: Encrypted File System (EFS); IPSEC, L2TP
Scenario: E-commerce
Risks: False Identity/Impostor; Theft data/money; Transaction modification
Solutions: Public Key Infrastructure (PKI); Integrated Certificate Authority; SSL/TLS
Scenario: Home Office
Risks: On-wire Internet Attacks; Dial-up Attacks; False Identity/Impostor
Solutions: IPSEC, L2TP; Kerberos and PKI; SSL/TLS, S/MIME
Scenario: LAN / WAN
Risks: False Identity/Impostor; Password Sharing/Guessing; Adds/Moves/Changes
Solutions: Kerberos and PKI; Smart Cards, Biometrics; Group Policy, Delegated Admin
Scenario: Applications
Risks: False Identity/Impostor; Password passing; Path of least resistance coding; Malicious Code (Trojan horse)
Solutions: Kerberos, NTLMv2, Smart Cards; Impersonation, Auditing; SSPI, CryptoAPI; Code Signing and Policy
Scenario: Extranets
Risks: False Identity/Impostor; Data Theft; On-wire Internet Attacks
Solutions: Public Key Infrastructure (PKI); Integrated CA; IPSEC, L2TP, SSL/TLS, S/MIME
Scenario: Management
Risks: Too many places to secure; Unfamiliar with employee roles; Don’t Know who did what; Configuration and Drift
Solutions: Active Directory Integration; Delegated Administration; Auditing Improvements; Security Templates
Microsoft Product Portfolio

Identity Management
• Windows Server 2003 – Active Directory
• Windows Server 2003 – Certificate Services
• Windows – Active Directory Application Mode
• Microsoft Identity Integration Server 2003

Access Management
• Windows Server 2003
• Windows – Authorization Manager
• Windows Rights Management Server

Secure Data Management
• Windows Server 2003 – Certificate Services
• Internet Acceleration Server 2004 – Firewall and Proxy Services
• Windows – Encryption File Service

Audit Management
• Microsoft Audit Collection System
• Microsoft Windows
• Microsoft Operations Manager

Resiliency and Integrity Management
• Windows XP – SP2 Firewall
• Windows Server 2003 – Network Load Balancing, Clustering
• Systems Management Server 2003 – Patch and Update Management
• Microsoft Operations Manager – Systems Health Management
Microsoft Product Portfolio
Coming Attractions
• Active Directory Federation Services
• Active Protection Technology
• Network Access Protection
How we can help…
Microsoft Services US Center of Excellence for Security
• Security Risk Management Engagement
• Security Remediation Engagement
• Security Architectural Engagement
• Security Solution Deployment Engagement
• Security Operations Engagement
PKI Architecture and Implementation is one of our most common engagements in the security space
Questions
Microsoft Services
Alan Hakimi
[email protected]@microsoft.com
Microsoft Legal Vertical Manager
Scott D. Gilgallon
[email protected]@microsoft.com
Resources
Microsoft Services
http://www.microsoft.com/services/microsoftservices/default.mspx
Microsoft Security
http://www.microsoft.com/security
Security Guidance Center
http://www.microsoft.com/security/guidance
How Microsoft IT Secures Microsoft
http://www.microsoft.com/technet/itsolutions/msit
E-Learning Clinics
https://www.microsoftelearning.com/security
Events and Webcasts
http://www.microsoft.com/seminar/events/security.mspx
American Bar Association – Information Security Committee
http://www.abanet.org/scitech/ec/isc/home.html
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.