RealTime IT News

Risk Management, The Microsoft Way

The internal unit responsible for securing Microsoft's IT infrastructure is moving away from traditional network security procedures and adopting a wide-ranging risk management strategy that takes advantage of stricter authentication technologies.

Details of the new approach were released in a white paper from Microsoft's Corporate Security Group as part of the company's recent move to share some of its own security secrets with enterprise customers.

The white paper follows the recent publication of a technical case study where Microsoft spelled out a three-pronged approach to thwarting hacker attacks and recommended that businesses spend more time anticipating such malicious assaults.

Microsoft said that dramatic changes in technology in recent years have strained the traditional division of security work into four areas: securing the network perimeter, securing the network interior, protecting key assets, and running monitoring and auditing processes.

"These four divisions become less important as technological advances and business relationships blur the line between 'inside' and 'outside' the network. As a result, [we are] moving away from these groupings toward new ways of approaching security by using the Microsoft risk management process."

Moving forward, Microsoft's new approach to risk management will build on Windows-based security controls, which will be complemented with network-based security controls when appropriate. According to the white paper, "Policy enforcement technologies, such as Windows Rights Management, are expected to play an increasingly important role in augmenting security controls, such as Internet Connection Firewall in Windows XP Professional and anti-virus software."

The white paper also stated that creating a virtual security perimeter with technologies like IPsec and Internet Connection Firewall (to be renamed Windows Firewall) helps to keep corporate devices secure no matter where they are located.
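The host-based "virtual perimeter" the paper describes is built from two pieces: a firewall that stays on in every network profile, and IPsec rules that admit peers by domain membership rather than by IP address. The following is an added illustration, not code from the white paper; it uses the NetSecurity cmdlets of current Windows (the successors of Internet Connection Firewall and the XP-era IPsec policy tools), assumes a domain-joined host run with administrator rights, and uses 10.0.0.0/24 and the RDP port as placeholder management traffic.

```powershell
# Added example (not from the Microsoft white paper): a host-based virtual perimeter
# on a domain member using the built-in NetSecurity module (Windows 8 / Server 2012
# and later). Assumptions: the machine is domain-joined so computer Kerberos works,
# and 10.0.0.0/24 is a placeholder management subnet. Run from an elevated shell.
#Requires -RunAsAdministrator
Import-Module NetSecurity

# 1. Keep the firewall on in every profile, so the device is protected on hotel Wi-Fi
#    as well as on the corporate LAN. Inbound is blocked by default, outbound allowed.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Main-mode authentication: the computer account's Kerberos ticket. Only a
#    domain-joined host can present one, which is what makes the perimeter
#    membership-based rather than address-based.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$p1   = New-NetIPsecPhase1AuthSet -DisplayName "Corp Computer Kerberos" -Proposal $kerb

# 3. Connection security rule: require IPsec for inbound traffic, request it for
#    outbound. "Request" outbound lets the host still reach Internet services that do
#    not speak IPsec; "Require" inbound means an unauthenticated peer never reaches it.
New-NetIPsecRule -DisplayName "Corp Domain Isolation" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $p1.Name -Profile Any

# 4. A firewall rule that opens RDP only over an authenticated IPsec association,
#    the equivalent of the "Allow the connection if it is secure" option in the GUI.
New-NetFirewallRule -DisplayName "RDP from authenticated domain hosts" `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -RemoteAddress 10.0.0.0/24 -Profile Any

# 5. Verification: enabled inbound Allow rules whose security filter does not require
#    authentication are holes in the virtual perimeter and should be reviewed.
function Get-UnauthenticatedInboundAllow {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $sec = $_ | Get-NetFirewallSecurityFilter
        if ($sec.Authentication -ne 'Required') {
            [pscustomobject]@{ DisplayName = $_.DisplayName; Profile = $_.Profile }
        }
    }
}
Get-UnauthenticatedInboundAllow | Format-Table -AutoSize

# Live check: each main-mode SA shows which peer authenticated and how.
Get-NetIPsecMainModeSA | Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod
```

The design point is in step 3: because inbound traffic must carry a Kerberos-authenticated IPsec association, a laptop that leaves the building is still unreachable by anything that is not a domain member, whichever network it sits on, which is exactly the location-independence the paper is after.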

The internal security unit also plans to move the authentication infrastructure away from using weak password-based authentication to strong two-factor authentication through smart cards. "For example, smart card authentication has already been deployed for VPN access and administrator access to 'High Security' server assets."
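Moving administrators from passwords to smart cards has an account-side half as well: the privileged accounts themselves must be flagged so that a password alone is no longer accepted for interactive logon. The script below is an added example, not from the white paper; it assumes the RSAT ActiveDirectory module, a caller permitted to modify the accounts, and a hypothetical "High Security Server Admins" group standing in for the paper's "High Security" server assets.

```powershell
# Added example (not from the Microsoft white paper): audit, then enforce, the
# "Smart card is required for interactive logon" flag on privileged accounts.
# Assumptions: RSAT ActiveDirectory module is installed; "High Security Server Admins"
# is a hypothetical group name; "breakglass-admin" is a hypothetical exception.
Import-Module ActiveDirectory

# Enabled members (recursively) of the privileged groups that still log on with a
# password alone. This is the gap list to drive the smart card rollout from.
function Get-PrivilegedUsersWithoutSmartCard {
    param([string[]] $Groups = @('Domain Admins', 'High Security Server Admins'))
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties SmartcardLogonRequired, Enabled, PasswordLastSet |
            Where-Object { $_.Enabled -and -not $_.SmartcardLogonRequired } |
            Select-Object SamAccountName, PasswordLastSet, @{ n = 'Group'; e = { $g } }
    }
}

# Set the flag on each listed account, skipping documented exceptions. Once the flag
# is set, Windows discards the old password by assigning the account a random one,
# so a password-only break-glass account must be kept out of this list on purpose.
function Set-SmartCardRequired {
    param(
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        [string[]] $Exclude = @('breakglass-admin')
    )
    foreach ($sam in $SamAccountName) {
        if ($Exclude -contains $sam) {
            Write-Warning "Skipping excluded account $sam"
            continue
        }
        Set-ADUser -Identity $sam -SmartcardLogonRequired $true
        Write-Host "SmartcardLogonRequired set on $sam"
    }
}

# Report first; enforce only after the exception list has been reviewed.
$gaps = Get-PrivilegedUsersWithoutSmartCard
$gaps | Format-Table -AutoSize
# Set-SmartCardRequired -SamAccountName $gaps.SamAccountName
```

Run the audit regularly rather than once: a newly created or re-enabled administrator account silently reverts the environment to password-only access until the flag is set on it too.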

The company said computer resources cannot be made completely invulnerable, stressing that risk is an inherent part of networks. "It is, therefore, important to implement a risk management process that identifies cost-effective security controls to mitigate these risks. Risk management provides organizations a consistent, clear path to organize and prioritize limited resources to manage risk to the business."

In the white paper, Microsoft outlined the considerable effort that goes into securing its IT infrastructure, which includes more than 1,600 line-of-business applications that must be supported and tracked. In addition, some 8 million e-mail messages a day flow to and from the Internet, and 6.5 million e-mail messages a day circulate internally at Redmond.

Microsoft described its corporate network as the "world's largest experimental computer network" that is primarily TCP/IP-based. It employs a high-speed (170 gigabits per second) asynchronous transfer mode (ATM) backbone over Synchronous Optical Network (SONET) to move massive amounts of digital data and voice messages.

To secure its network, Microsoft has adopted a four-pronged risk-management strategy that outlines how to assess and evaluate risks; how to develop security policies to mitigate risks; how to implement controls based on costs and benefits; and how to use audit and measurement tools.

The white paper has been released on the Microsoft Download Center.